Early Wednesday morning, employees at Stryker Corporation began noticing something wrong. Laptops wouldn't boot. Their phones had been reset to factory settings. The login screens that greeted the few systems still responding reportedly displayed a single image: the logo of Handala, an Iran-linked group with a well-documented appetite for highly destructive attacks.
"It's obvious that this is a geopolitically driven attack," said Allie Mellen, principal analyst at Forrester Research and author of the book "Code War, How Nations Hack, Spy, and Shape the Digital Battlefield."
The attack against Stryker, a Michigan-based Fortune 500 manufacturer of surgical equipment, orthopedic implants, neurotechnology devices, and hospital beds, represents a substantial Iranian cyber operation against a U.S. medical technology company. Device wipes reportedly began just after midnight, U.S. Eastern Time. Stryker's Portage, Michigan, world headquarters was closed for the day by morning, its doors bearing handwritten instructions telling employees to stay off the network, avoid their computers, and disconnect from WiFi. The company's Cork, Ireland, facility, its largest international operation, with roughly 4,000 employees, went dark as manufacturing systems were shut down.
The scale of the damage is staggering. Handala claims to have wiped more than 200,000 systems, servers, and mobile devices and exfiltrated 50 terabytes of sensitive corporate data. Operations were disrupted across 79 countries. Multiple facilities were forced onto pen-and-paper workflows. While the attack is not confirmed to have been carried out by Handala, Mellen says it did follow their methods. "Much of their modus operandi has been focused on wiper malware, and while this attack didn't most likely use wiper malware, the attack is very aligned with what they prefer to do and how they prefer to attack," she says.
Stryker filed an 8-K with the Securities and Exchange Commission on Wednesday morning, confirming "a global disruption to the Company's Microsoft environment" and stating that the company had activated its cybersecurity response plan. In a statement that raised immediate questions, Stryker said it found "no indication of ransomware or malware." That's because the attackers turned Stryker's own mobile device management tools against the company.
The Attack Vector
Evidence strongly suggests that Handala compromised access to Microsoft Intune, Stryker's enterprise mobile device management (MDM) platform, and then used Intune's built-in remote wipe functionality to erase device data at scale. Rather than deploying malicious code, the attackers appear to have seized control of the administrative layer, the cloud-based management plane through which Stryker's IT staff remotely oversee tens of thousands of devices worldwide, and issued "legitimate" wipe commands.
The consequences were swift. Managed Windows laptops, corporate phones, and servers were wiped simultaneously across time zones and continents. Critically, personal devices enrolled in Stryker's MDM program were also wiped out, taking employee personal data down with them during the attack. Staff were directed to immediately remove the Intune Company Portal, Microsoft Teams, and corporate VPN applications from any personal device.
Mellen notes that the bring-your-own-device (BYOD) dimension carries implications well beyond Stryker. "It's not just a risk for the company to allow BYOD," Mellen said. "It's also now clearly a risk for the employee to bring a device and use it for their work-related things, instead of having a completely distinct device."
The attack chain, if later confirmed, follows a now-recognizable pattern for sophisticated threat actors: compromise privileged credentials, ascend to the management plane, and use the organization's own trusted infrastructure as the weapon. Traditional endpoint security tools (antivirus, EDR, and network detection) are effectively blind to an attack that originates from the administration layer itself.
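Because the wipe commands are legitimate from the endpoint's point of view, detection has to come from the management plane's own audit trail. The following added example (written for this article, not code from Stryker, Microsoft, or any vendor) flags an administrator issuing an abnormal burst of wipe or retire actions and counts how many personally owned devices were caught in it; the audit record format is a constructed, simplified assumption, not the real Intune schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MDM audit events, not real Intune records; the field
# names are a simplified assumption and the real Intune audit schema differs.
HELPDESK, ADMIN = "helpdesk@corp.example", "mdm-admin@corp.example"
SAMPLE_EVENTS = json.dumps([
    {"time": "2026-03-11T04:40:10Z", "actor": HELPDESK, "action": "wipe", "device": "LT-0411", "owner": "company"},
    {"time": "2026-03-11T05:01:02Z", "actor": ADMIN, "action": "wipe", "device": "LT-1001", "owner": "company"},
    {"time": "2026-03-11T05:01:05Z", "actor": ADMIN, "action": "wipe", "device": "PH-2201", "owner": "personal"},
    {"time": "2026-03-11T05:01:09Z", "actor": ADMIN, "action": "sync", "device": "LT-1002", "owner": "company"},
    {"time": "2026-03-11T05:01:12Z", "actor": ADMIN, "action": "wipe", "device": "LT-1003", "owner": "company"},
    {"time": "2026-03-11T05:01:20Z", "actor": ADMIN, "action": "retire", "device": "PH-2202", "owner": "personal"},
    {"time": "2026-03-11T05:02:40Z", "actor": ADMIN, "action": "wipe", "device": "SRV-0090", "owner": "company"},
    {"time": "2026-03-11T05:03:55Z", "actor": ADMIN, "action": "wipe", "device": "LT-1004", "owner": "company"},
])

WIPE_ACTIONS = {"wipe", "retire"}  # actions that erase or unmanage a device

def parse_events(raw):
    """Parse the JSON export and attach a timezone-aware timestamp to each event."""
    events = json.loads(raw)
    for e in events:
        e["ts"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per actor whose wipe-class actions in any sliding `window`
    reach `threshold`: (actor, burst_start, burst_size, personal_devices)."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in WIPE_ACTIONS:
            per_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in per_actor.items():
        best, start = (0, 0), 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide window forward
                start += 1
            best = max(best, (end - start + 1, start))  # largest burst seen so far
        size, first = best
        if size >= threshold:
            burst = evs[first:first + size]
            personal = sum(1 for x in burst if x["owner"] == "personal")
            alerts.append((actor, burst[0]["ts"], size, personal))
    return alerts
```

A single offboarding wipe by the helpdesk account stays below the threshold, while the administrator's six wipe-class actions in under three minutes produce one alert that also reports the two personal devices swept up in the burst.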
Who is Handala?
Handala is tracked by major threat intelligence firms under aliases including Void Manticore, Storm-842, and BANISHED KITTEN, and is assessed with high confidence by Check Point Research, CrowdStrike, IBM X-Force, and Palo Alto Networks Unit 42 to be a front operation for Iran's Ministry of Intelligence and Security (MOIS). It emerged in December 2023 following the October 7 Hamas attacks, operating publicly as a pro-Palestinian hacktivist collective while executing objectives that serve Iranian state intelligence.
The group's toolkit combines custom wiper malware, commercial infostealers acquired from criminal markets, phishing campaigns impersonating trusted vendors, and hack-and-leak operations timed to inflict maximum political damage. Its previous targets were concentrated in Israel and the Middle East — the Israeli Defense Forces, Israeli energy companies, satellite communications firms, defense contractors including Elbit Systems and NSO Group, and Israeli hospitals. The Stryker attack represents a stark geographic escalation: Handala's first major strike against a U.S. Fortune 500 company.
Mellen says Stryker proved to be close to a perfect target. "They're really the perfect target for this type of attack. They're a large, publicly traded U.S. company with offices globally and owns a company that they acquired in Israel. They're also a big supplier for the U.S. military for medical devices. All that comes together as an ideal target in this situation," she says.
The group claimed the attack as retaliation for U.S. military airstrikes on a girls' school in Minab, which it says killed more than 175 children. With that claim in mind, the targeting logic is clear. Stryker holds a $450 million Department of Defense contract to supply medical devices to the U.S. military and maintains operations in Israel.
As of Friday, March 13, the company has provided no timeline for full restoration of its systems. In a message to customers, the company confirmed that order processing, manufacturing, and shipping remain disrupted, while its investigation remains in its early stages. Stryker has said its connected medical products — including its Mako surgical robots, Vocera communication platform, and LIFEPAK devices — are unaffected and safe to use. Markets have not been forgiving in the interim. Stryker shares have shed approximately 9% since the attack was disclosed, with losses extending into Friday as investors weighed the scope of a recovery that, by most expert accounts, will be measured in months.
The attack is part of a broader Iranian cyber offensive. Palo Alto Networks Unit 42 documented a dramatic escalation in Iran-linked operations against Western targets throughout early March. MuddyWater, another MOIS affiliate, was simultaneously compromising U.S. banks, airports, and software companies using newly developed DinDoor backdoor malware.
Retired Brig. Gen. Michael McDaniel, former deputy assistant secretary for Homeland Defense, says cyber offensives are one of the few effective ways Iran has to project power globally: "Right now, the Iranian missiles and drones obviously can't reach us. So how do you inflict pain? This is the best way to do it."