
Handala Wiper Attack Takes Stryker Offline Across 79 Countries

Published on March 11, 2026

On the morning of March 11, 2026, employees at Stryker offices around the world switched on their computers and found them wiped. Login screens were replaced with the logo of Handala, an Iran-linked hacktivist group, and corporate systems across dozens of countries went dark simultaneously. One of the largest medical technology companies on the planet had just been hit by a Handala wiper attack on a scale the healthcare sector has rarely seen.

Stryker, a Fortune 500 company headquartered in Kalamazoo, Michigan, manufactures surgical equipment, orthopedic implants, neurotechnology, and a broad range of hospital devices. The company reported $25 billion in revenue in 2025 and employs roughly 56,000 people globally, with its products embedded in hospital supply chains worldwide.

What Happened

Handala claimed responsibility via a statement posted to social media, asserting that Stryker's offices in 79 countries had been forced offline after the group erased data from more than 200,000 systems, servers, and mobile devices. The attackers also claimed to have extracted 50 terabytes of data before the wipe, describing the operation as "an unprecedented blow."

Those claims appear at least partly credible. Employees in the United States, Ireland, Australia, Costa Rica, and other countries reported that managed Windows laptops and mobile devices had been remotely wiped. Some login screens displayed the Handala logo before devices lost all data, suggesting the attackers had established deep access to internal systems well before the wipe commands were executed.

Stryker confirmed the incident, describing "a global network disruption to our Microsoft environment as a result of a cyberattack." The company said it had no indication of ransomware or malware and believed the incident was contained. In Ireland, Stryker's largest hub outside the United States, approximately 5,500 employees were sent home as internal networks went offline.

How the Attack Was Carried Out

The mechanism behind the Handala wiper attack appears to involve the abuse of a legitimate enterprise IT tool rather than custom malware. Investigators have focused on Microsoft Intune, a cloud-based device management platform that large organizations use to enforce security policies and manage endpoints from a central console. Evidence suggests attackers gained administrative access to Stryker's Intune environment and used it to issue a remote wipe command across all enrolled devices simultaneously.

Intune sits at the heart of how enterprises manage their global device fleets. An attacker with admin-level access has a kill switch for every enrolled endpoint in the organization, with no custom malware required. The Handala branding that appeared on screens before the wipe confirms that access had been established and held well before the destructive phase began. This was a deliberate, staged operation.

Who Is Handala

Handala emerged in late 2023 as a hacktivist group initially focused on Israeli targets, deploying destructive malware against Windows and Linux systems. Multiple threat intelligence firms have assessed the group as a front for Void Manticore, a threat actor sponsored by Iran's Ministry of Intelligence and Security (MOIS).

The group's toolkit spans phishing, data theft, ransomware-style extortion, and hack-and-leak operations. Its campaigns consistently pair technical action with ideological messaging, with deliberate targeting of life-critical sectors including healthcare and energy. Handala maintains data leak portals where stolen material is published as part of broader pressure campaigns, consistent with its claim to have exfiltrated data from Stryker before the wipe.

The Stated Motive

Handala stated the attack was carried out in retaliation for a missile strike on a school in Minab, Iran, which reportedly killed more than 175 people, most of them children. The Pentagon has confirmed an investigation into that incident is underway.

Stryker has no direct connection to military operations. The company was targeted for the scale of disruption its compromise would create, consistent with how Handala has operated before: maximum impact, prominent targets, high media visibility.

Healthcare Supply Chain Risk

The American Hospital Association confirmed it was actively monitoring the situation and exchanging information with federal authorities. As of Wednesday, no direct disruptions to US hospitals had been confirmed, though the picture could change depending on how long Stryker's recovery takes and which product lines are affected.

Wiper attacks carry a specific risk that ransomware does not. Encrypted data can theoretically be recovered if a decryption key is obtained. Wiped data cannot. Recovery depends entirely on the integrity of backups and the speed at which full operations can be restored. For a company whose devices are used in surgical settings and emergency departments worldwide, every day of disruption carries consequences beyond the balance sheet.

A Calculated Escalation

Iranian threat groups had been largely quiet on US commercial targets since the current conflict began. The Stryker attack marks a significant shift in that posture. Analysts have described it as the most aggressive deployment of Iran's state-directed cyber campaign to date, and it signals that critical infrastructure in non-combatant jurisdictions is firmly within scope.

For organizations managing large workforces through cloud-based device platforms, the Handala wiper attack on Stryker is a concrete illustration of the risk. Privileged access to endpoint management tools deserves the same security controls as any critical system: strict access policies, multi-factor authentication on administrative consoles, and monitoring for anomalous bulk actions. An adversary who reaches that layer does not need to be sophisticated. They just need to press a button.
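One way to implement the "monitoring for anomalous bulk actions" control described above, as an added example that is not part of the original article or any vendor's code. The event fields (`time`, `actor`, `action`, `device`), the action labels, and the sample records are assumptions constructed for illustration; map them to whatever your device-management audit export actually provides.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed labels for destructive device actions; adjust to your audit export.
DESTRUCTIVE = {"wipe", "retire", "delete"}


def find_bulk_wipes(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per admin account whose destructive actions touch at
    least `threshold` distinct devices inside any sliding `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE:
            by_actor[e["actor"]].append((datetime.fromisoformat(e["time"]), e["device"]))

    alerts = []
    for actor, items in by_actor.items():
        items.sort()
        recent, peak = deque(), None
        for ts, device in items:
            recent.append((ts, device))
            # Drop actions that have aged out of the window.
            while ts - recent[0][0] > window:
                recent.popleft()
            distinct = len({d for _, d in recent})
            if distinct >= threshold and (peak is None or distinct > peak["devices"]):
                peak = {"actor": actor, "devices": distinct,
                        "start": recent[0][0], "end": ts}
        if peak:
            alerts.append(peak)
    return alerts


def sample_events():
    """Constructed sample data: routine help-desk wipes plus one burst."""
    events = [
        {"time": "2026-01-01T08:05:00", "actor": "helpdesk@example.com", "action": "wipe", "device": "LT-0001"},
        {"time": "2026-01-01T14:30:00", "actor": "helpdesk@example.com", "action": "wipe", "device": "LT-0002"},
        {"time": "2026-01-01T09:00:30", "actor": "admin2@example.com", "action": "sync", "device": "LT-0100"},
    ]
    base = datetime(2026, 1, 1, 9, 0, 0)
    for i in range(8):  # eight wipes, 15 seconds apart, from one admin account
        events.append({"time": (base + timedelta(seconds=15 * i)).isoformat(),
                       "actor": "admin2@example.com", "action": "wipe",
                       "device": f"LT-01{i:02d}"})
    return events


if __name__ == "__main__":
    for alert in find_bulk_wipes(sample_events()):
        print(alert)
```

The threshold and window are tuning choices: set them just above the largest batch your help desk legitimately issues, and route alerts to a channel that does not depend on the managed devices themselves.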
