Handala Hackers Wiped Thousands of Stryker Devices Using Microsoft's Own Tools
Iran-linked hackers used Microsoft Intune to destroy Stryker data without deploying a single line of malware, prompting FBI seizures and a federal security alert.

Hackers claiming affiliation with the Iran-linked group Handala destroyed tens of thousands of devices at medical technology giant Stryker Corporation on March 11, 2026 by abusing a legitimate Microsoft cloud management tool, triggering federal law enforcement action, a joint CISA advisory, and a race to restore factory operations across three continents.
The attack stands out for its method: no ransomware, no malware. According to a source familiar with the incident, the attackers compromised an administrator account, used it to create a new Global Administrator account, and then issued Microsoft Intune's built-in Wipe remote action against devices at scale. Because the wipe is a supported management command delivered by Microsoft's own service, endpoints received it as a legitimate instruction rather than as hostile code, which is why endpoint security tools had nothing to detect. Stryker filed a compliance report with the U.S. Securities and Exchange Commission on the day of the attack stating it had "no indication of ransomware or malware and believes the incident is contained."
The scale of destruction remains disputed. The Record reported more than 200,000 company devices were wiped. Handala claimed, in posts reviewed by BleepingComputer, that it wiped nearly 80,000 devices and stole 50 terabytes of data before doing so. Neither the 50-terabyte theft claim nor the precise device count has been independently confirmed by Stryker, CISA, or federal law enforcement in publicly available statements.
Whatever the true figure, the operational fallout was severe. The Kalamazoo, Michigan-based company saw employees locked out of critical systems and factory operations disrupted across the U.S., Ireland, India and other countries. Some workers reported on social media that personal devices enrolled in Intune were wiped alongside company hardware, erasing private data with no warning; on a device enrolled under full mobile device management, Intune's Wipe action resets the whole device rather than removing only corporate data, so personally owned hardware in the fleet was exposed to the same command.
Federal agencies moved quickly. CISA, citing "malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment," released an alert on March 18. The agency said it is "conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions." Microsoft and Stryker both contributed to the advisory.

The FBI also took direct enforcement action, seizing at least one website connected to Handala. The group acknowledged the takedown on Telegram: "In light of recent events and the need to establish secure and resilient infrastructure, we inform you that building a new digital base is a complex and time-consuming process."
CISA's guidance targets the specific failure mode the attack exploited: unchecked administrative power over endpoint management systems. The agency urged organizations to enforce phishing-resistant multi-factor authentication, apply least-privilege principles to administrator roles, and require a second administrator's approval before executing high-impact actions. The alert's wording is specific: "Set up policies that require a second administrative account's approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc." That recommendation maps to Intune's multi admin approval feature, under which a wipe requested by one administrator waits in a pending state until a member of a designated approver group signs off. Microsoft published its own Intune hardening guidance in the days following the breach; CISA explicitly recommended organizations implement it.
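The attack chain described above (a fresh Global Administrator followed by mass wipes) and the CISA guidance on high-impact actions both point to the same detection: correlate privileged-role grants with a burst of wipe commands from the grantee. The script below is an added example written for this article, not code from Stryker, CISA or Microsoft. The record fields loosely follow the shape of Microsoft Graph audit events, but the field names, the activityType strings, the addresses and every event in SAMPLE_EVENTS are constructed for illustration; the window and threshold values are assumptions to tune for a real fleet.

```python
"""Flag a newly granted Global Administrator who then issues a burst of
Intune wipes. Added example; event shape and sample data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_WINDOW = timedelta(minutes=10)   # assumed: sliding window for a "burst"
WIPE_THRESHOLD = 5                    # assumed: wipes per window that trigger

# Constructed sample records (not real Stryker data). One role grant, an
# eight-device wipe burst by the new admin, and two routine help-desk wipes.
SAMPLE_EVENTS = [
    {"activityDateTime": "2026-03-11T02:01:10Z", "category": "RoleManagement",
     "activityType": "Add member to role", "actor": "it-admin@example.com",
     "target": "svc-backup@example.com", "role": "Global Administrator"},
    {"activityDateTime": "2026-03-11T09:00:00Z", "category": "Device",
     "activityType": "wipe ManagedDevice", "actor": "helpdesk@example.com",
     "target": "LAPTOP-LOST-01"},
    {"activityDateTime": "2026-03-11T15:30:00Z", "category": "Device",
     "activityType": "wipe ManagedDevice", "actor": "helpdesk@example.com",
     "target": "LAPTOP-LOST-02"},
] + [
    {"activityDateTime": f"2026-03-11T02:{5 + i:02d}:00Z", "category": "Device",
     "activityType": "wipe ManagedDevice", "actor": "svc-backup@example.com",
     "target": f"LAPTOP-{i:04d}"}
    for i in range(8)
]


def parse_ts(value):
    """Parse the UTC timestamp format used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def new_global_admins(events):
    """Return {new_admin: (granting_actor, grant_time)} for GA role grants."""
    grants = {}
    for e in events:
        if (e.get("activityType") == "Add member to role"
                and e.get("role") == "Global Administrator"):
            grants[e["target"]] = (e["actor"], parse_ts(e["activityDateTime"]))
    return grants


def wipe_bursts(events, window=WIPE_WINDOW, threshold=WIPE_THRESHOLD):
    """Return {actor: peak wipes inside any `window`} for actors at or above
    `threshold`. Uses a two-pointer sliding window over sorted timestamps, so
    a burst is caught wherever it starts, not only on fixed clock boundaries."""
    per_actor = defaultdict(list)
    for e in events:
        if e.get("activityType") == "wipe ManagedDevice":
            per_actor[e["actor"]].append(parse_ts(e["activityDateTime"]))
    bursts = {}
    for actor, times in per_actor.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[actor] = peak
    return bursts


def alerts(events):
    """Combine the two signals. A burst from an account that was just made
    Global Administrator is critical; any other burst is still high severity,
    because a long-standing admin can be compromised too."""
    grants = new_global_admins(events)
    out = []
    for actor, peak in sorted(wipe_bursts(events).items()):
        alert = {"actor": actor, "wipes_in_window": peak, "severity": "high"}
        if actor in grants:
            granted_by, when = grants[actor]
            alert.update(severity="critical", granted_by=granted_by,
                         granted_at=when.isoformat())
        out.append(alert)
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_EVENTS):
        print(a)
```

In production the same logic would run over the Entra ID directory audit log (for role grants) and the Intune audit log (for device actions); the point is to join the two, since either stream alone looks like routine administration. Preventive controls such as multi admin approval are still the primary fix, since a detection fires only after the first wipes have already landed.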
The incident crystallizes a growing threat category: attackers who bypass traditional security tools entirely by turning legitimate administrative software into a weapon. For the healthcare sector, which depends heavily on cloud-managed device fleets, the Stryker attack illustrates how a single compromised privileged account, without any malware attached, can disable an entire enterprise.
Handala has been described by multiple outlets as an Iran-linked, pro-Palestinian hacktivist group, though no U.S. federal agency has issued a formal public attribution to a state actor as of this reporting.

