200,000 Devices Wiped: Handala Iranian Group Breaches Stryker

On March 11, 2026, the medical technology giant Stryker fell victim to a massive, geopolitically motivated cyberattack, claimed by the Iran-linked group Handala, that paralyzed its global operations. The incident stands as a landmark case of a corporation's own administrative tools being turned into a weapon.

Technical Breakdown: The Intune "Kill Switch"

While many cyberattacks rely on traditional ransomware, this incident was a destructive wiper attack that utilized legitimate infrastructure to achieve its goals. Multiple sources confirm the following technical details:

  • Weaponization of Microsoft Intune: Attackers gained administrative access to Stryker's Microsoft Intune environment, a cloud-based mobile device management (MDM) platform. They abused the platform's legitimate "remote wipe" capability to issue factory reset commands to approximately 200,000 devices, including servers, laptops, and mobile phones, across 79 countries.
  • Initial Access via AiTM Phishing: Technical consensus suggests the breach likely began with Adversary-in-the-Middle (AiTM) phishing. This method bypasses standard Multi-Factor Authentication (MFA) by stealing session tokens in real time, allowing attackers to hijack highly privileged Global Administrator accounts.
  • Malware for Concealment: Although Stryker initially reported no evidence of malware, further investigation revealed the use of a malicious file designed to run commands and hide the threat actor's activity within the system. This file was reportedly not capable of spreading outside the internal environment.
  • The Scope of Destruction: The attack resulted in the exfiltration of a claimed 50 terabytes of data before the systems were wiped.

The Human Cost: Sentiment from the Front Lines

A Reddit discussion among employees during the onset of the attack revealed a mixture of confusion, anxiety, and deep frustration.

  • Loss of Personal Data: Employees expressed distress over the wiping of personal devices enrolled in the company’s BYOD (Bring Your Own Device) program. Many lost personal photos and critical data, as well as access to eSIMs and MFA apps required for personal banking.
  • Career Fears: Some users reported initial panic, wondering if they had been suddenly fired when they found themselves locked out of emails with invalid credentials before noticing the Handala logo on their login screens.
  • Operational "Nightmare": Employees described the situation as a "nightmare" and a "PITA" (pain in the a**), particularly as they struggled to regain access to cell plans and basic communication.

Financial Impact

The disruption caused significant financial turbulence. Within the first few days of the attack, reports indicated that Stryker (SYK) lost nearly $6 billion in market value. Company shares were noted to have fallen approximately 4% shortly after the incident became public knowledge.

Recommendations for Defenders

Industry experts and security researchers have highlighted several critical recommendations. The following controls are repeatedly emphasized across multiple sources as essential for preventing similar MDM-based attacks:

  • Privileged Access Workstations (PAWs): Admins must be allowed to log in strictly from security-compliant workstations and from pre-approved locations.
  • Least Privileges: Privileged accounts should be given just the right amount of access to get the job done. This helps reduce the blast radius should an account get compromised.
  • Phishing-Resistant MFA: Admins and privileged accounts must be moved away from SMS or push-based notifications to FIDO2 hardware keys (e.g., YubiKeys) or Windows Hello for Business.
  • Just-in-Time (JIT) Access & PIM: Implementing Privileged Identity Management (PIM) ensures that no account has permanent administrative rights. Access should be granted only when needed, for a limited time, and require formal approval.
  • Multi-Admin Approval (MAA): For high-impact actions like "bulk wipe" or "delete," systems should be configured to require a second, independent administrator to approve the command before execution. Note that a threat actor holding Global Admin can circumvent this control by creating another admin account and approving their own actions with it.
  • Anomalous Activity Alerts: Configure specific alerts for bulk device actions. For example, any attempt to wipe more than five devices in a short window should trigger an immediate automated lockout and investigation.
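One way to implement the bulk-wipe threshold alert described above, as an added example that is not from the original post or any vendor product: a sliding-window count of destructive device actions per actor over constructed audit events. The event field names and the activity names (`wipeManagedDevice`, `deleteManagedDevice`) are assumptions for illustration, not Intune's real audit-log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Activities treated as destructive device actions (names are assumed for
# illustration, not taken from Intune's real audit schema).
WIPE_ACTIVITIES = {"wipeManagedDevice", "deleteManagedDevice"}

# Constructed sample audit events: admin-a issues six wipes in three minutes,
# admin-b issues four wipes spread over an hour, plus one non-wipe action.
SAMPLE_EVENTS = [
    {"time": "2026-03-11T01:00:00Z", "actor": "admin-b@example.test", "activity": "wipeManagedDevice", "device": "b001"},
    {"time": "2026-03-11T01:20:00Z", "actor": "admin-b@example.test", "activity": "wipeManagedDevice", "device": "b002"},
    {"time": "2026-03-11T01:40:00Z", "actor": "admin-b@example.test", "activity": "wipeManagedDevice", "device": "b003"},
    {"time": "2026-03-11T02:00:00Z", "actor": "admin-b@example.test", "activity": "wipeManagedDevice", "device": "b004"},
    {"time": "2026-03-11T02:00:05Z", "actor": "admin-a@example.test", "activity": "wipeManagedDevice", "device": "a001"},
    {"time": "2026-03-11T02:00:20Z", "actor": "admin-a@example.test", "activity": "retireManagedDevice", "device": "a009"},
    {"time": "2026-03-11T02:00:40Z", "actor": "admin-a@example.test", "activity": "wipeManagedDevice", "device": "a002"},
    {"time": "2026-03-11T02:01:10Z", "actor": "admin-a@example.test", "activity": "wipeManagedDevice", "device": "a003"},
    {"time": "2026-03-11T02:01:45Z", "actor": "admin-a@example.test", "activity": "wipeManagedDevice", "device": "a004"},
    {"time": "2026-03-11T02:02:20Z", "actor": "admin-a@example.test", "activity": "wipeManagedDevice", "device": "a005"},
    {"time": "2026-03-11T02:02:55Z", "actor": "admin-a@example.test", "activity": "wipeManagedDevice", "device": "a006"},
]

def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_bulk_wipes(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor that issued more than `threshold` wipe/delete
    commands inside any sliding `window`; each alert lists the affected devices."""
    recent = defaultdict(deque)   # actor -> deque of (time, device) still inside the window
    alerts, alerted = [], set()
    for event in sorted(events, key=lambda e: parse_time(e["time"])):
        if event["activity"] not in WIPE_ACTIVITIES:
            continue                      # retire/sync/etc. do not count toward the threshold
        actor, now = event["actor"], parse_time(event["time"])
        queue = recent[actor]
        queue.append((now, event["device"]))
        while now - queue[0][0] > window:   # drop entries that fell out of the window
            queue.popleft()
        if len(queue) > threshold and actor not in alerted:
            alerted.add(actor)            # alert once per actor, at the moment the threshold is crossed
            alerts.append({"actor": actor, "count": len(queue),
                           "devices": [d for _, d in queue],
                           "window_start": queue[0][0].isoformat(), "triggered_at": now.isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_wipes(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['count']} wipes since {alert['window_start']}")
```

In production the alert would feed the automated lockout the recommendation calls for (disabling the actor's session and role assignment), which this example leaves to the responder.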

How Can Astra Help

Astra customers can use the built-in use cases to identify any users that might have fallen victim to Device Code Phishing. In addition, Astra's use cases can identify gaps in your Azure Conditional Access Policies that might allow users to be compromised.

Contact us for inquiries or a demo https://astrasec.io/#cta