In a significant escalation of digital warfare, a major American medical technology company has been hit by a destructive cyberattack.
The Iran-linked hacking group known as Handala has claimed responsibility for the breach, describing it as a direct response to the ongoing military conflict between the United States and Iran.
The victim, Stryker, is a Michigan-based Fortune 500 company that manufactures hospital equipment, surgical robots, and orthopedic implants.
This incident is being closely watched by national security experts as it appears to be the first major instance of Iranian-linked actors successfully targeting a large U.S. corporation since hostilities began earlier this year.
The Nature of the Attack
The attack was both sudden and destructive, occurring shortly after midnight on March 11, 2026.
Unlike a typical ransomware attack, in which hackers encrypt files and demand payment, this was a “wiper” attack designed to permanently erase data.
• Real-time Wiping: Employees at Stryker locations worldwide reported watching their laptops and smartphones go blank as the devices were wiped out from under them.
• The Handala Signature: Many workstations displayed the “Handala” logo—a symbol of Palestinian resistance adopted by the group—just before the systems failed.
• Massive Scale: The hackers claim to have wiped more than 200,000 systems, including servers and mobile devices, and to have stolen 50 terabytes of sensitive company data.
In response, Stryker was forced to shut down its global network to contain the damage.
This led to the temporary closure of its headquarters in Portage, Michigan, and its largest international manufacturing hub in Ireland.
Motivations and Military Ties
The hackers were explicit about their motivations, labeling the attack “retribution.”
They cited recent military strikes, including the bombing of a school in Minab, Iran, as the catalyst.
Security analysts point to Stryker’s strategic importance as a primary reason for the target:
• Military Contracts: Stryker recently signed a $450 million contract to provide medical devices to the U.S. military.
• Infrastructure Disruption: By targeting a company that supplies hospital systems, the group can cause widespread anxiety and supply chain issues without directly striking a government building.
Technical Deep Dive: Weaponizing Enterprise Tools
For IT professionals, the anatomy of this strike, as pieced together by Marion Watch Investigates, reveals a “living off the land” (LotL) strategy.
Rather than rely on custom malware that security tools might detect, Handala weaponized the same enterprise tools Stryker used to manage its global workforce.
Initial Access and Persistence
• Credential Harvesting: The group used the Rhadamanthys infostealer, delivered through targeted phishing emails, to capture administrative credentials and session cookies. A stolen session cookie lets an attacker ride an already-authenticated session, so it sidesteps the MFA challenge that was satisfied when the session was created.
• VPN Exploitation: Using the stolen credentials, the attackers signed in through legitimate VPN accounts, blending in with authorized remote employees.
• NetBird for Lateral Movement: The attackers deployed NetBird, an open-source WireGuard-based overlay network tool, to build a private mesh VPN inside Stryker’s environment; peer-to-peer tunnels between compromised hosts let them move between servers without traversing the monitored gateways.
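The tradecraft in the three steps above leaves a detection opportunity that is easy to miss: an overlay client is a legitimate binary, so the signal is that it appears at all on hosts where nobody sanctioned it, or that something is enrolling into a mesh under a different file name. The hunt below is an added example written for this article; it is not code from Stryker, Handala, NetBird or the article’s author. It assumes process-start telemetry reduced to `host`, `user`, `image` and `command_line` fields (the shape of a Sysmon Event ID 1 or an EDR process-start record); the `netbird up --setup-key` enrolment form is NetBird’s documented CLI, while the approved-host allowlist, the severity labels and the sample events are constructed for the example.

```python
"""Hunt for unsanctioned mesh-VPN (overlay) clients in process-start telemetry.

Added example for this article; not code from Stryker, Handala, NetBird or the
article's author. Assumes process-creation records reduced to the fields
`host`, `user`, `image` and `command_line`. The `netbird up --setup-key`
enrolment form is NetBird's documented CLI; the approved-host list, the
severity labels and the sample events are constructed for the example.
"""
import re
from pathlib import PureWindowsPath

# Binaries of the overlay tool the article describes. Extend with whatever
# mesh clients your organisation does NOT sanction.
OVERLAY_IMAGES = {"netbird", "netbird.exe"}

# A renamed binary defeats image matching, so also match the enrolment
# arguments the tool needs regardless of its file name.
ENROL_ARGS = re.compile(r"--setup-key\b|--management-url\b", re.IGNORECASE)

# Hosts where an overlay client is expected (constructed allowlist).
APPROVED_HOSTS = {"IT-LAB01"}


def classify(event):
    """Return (severity, reason) for one process-start event, or None."""
    image = PureWindowsPath(event["image"]).name.lower()
    cmd = event.get("command_line", "")
    if event["host"].upper() in APPROVED_HOSTS:
        return None
    if ENROL_ARGS.search(cmd):
        # Enrolment into a mesh = a new, unmonitored path into the network.
        return ("high", "mesh VPN enrolment arguments on command line")
    if image in OVERLAY_IMAGES:
        return ("medium", f"overlay client binary executed: {image}")
    return None


def hunt(events):
    """Run classify() over a batch and return findings, highest severity first."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            severity, reason = verdict
            findings.append({"host": ev["host"], "user": ev["user"],
                             "severity": severity, "reason": reason})
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f["severity"]])


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"host": "FILESRV01", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"host": "FILESRV01", "user": "CORP\\svc-backup",
     "image": r"C:\ProgramData\nb\netbird.exe",
     "command_line": "netbird.exe up --setup-key 00000000-0000-0000-0000-000000000000"},
    # Renamed client: the image name says nothing, the arguments say everything.
    {"host": "APPSRV07", "user": "CORP\\jdoe",
     "image": r"C:\Users\Public\update.exe",
     "command_line": "update.exe up --management-url https://mgmt.example.invalid "
                     "--setup-key 22222222-2222-2222-2222-222222222222"},
    {"host": "APPSRV07", "user": "CORP\\jdoe",
     "image": r"C:\Users\Public\netbird.exe",
     "command_line": "netbird.exe status"},
    # Sanctioned lab host: suppressed by the allowlist.
    {"host": "IT-LAB01", "user": "CORP\\labadmin",
     "image": r"C:\Program Files\NetBird\netbird.exe",
     "command_line": "netbird.exe up --setup-key 11111111-1111-1111-1111-111111111111"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['host']} {f['user']}: {f['reason']}")
```

The allowlist is deliberately by host rather than by user: an administrator account that has legitimately run the client on a jump box is exactly the account worth watching when the same binary appears on a file server.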
Execution via Microsoft Intune
The most alarming aspect was the weaponization of Microsoft Intune, Stryker’s cloud-based Mobile Device Management (MDM) platform.
• Administrative Takeover: After escalating to the Entra ID Global Administrator role, which carries full rights over the Intune tenant, the attackers controlled device management for the entire fleet.
• The Remote Wipe Command: They issued Intune’s built-in Remote Wipe action.
Because a wipe is a sanctioned management operation delivered over the MDM channel, each enrolled device carried it out as a legitimate instruction: there was no malicious file and no unusual process for antivirus or EDR to flag.
• Simultaneous Destruction: According to the group’s claim, more than 200,000 enrolled devices were factory-reset within minutes, erasing operating systems and data.
Strategic Infrastructure
A distinctive signature of the Handala group is its use of non-traditional infrastructure for command and control (C2):
• Starlink Integration: Researchers observed the group routing traffic through Starlink IP ranges.
By using satellite internet, they bypassed domestic restrictions in Iran and avoided detection by intelligence agencies monitoring known Iranian data centers.
Conclusion and Outlook
The attack on Stryker represents a “new chapter” in cyber warfare, where private American companies—especially those tied to the defense sector—are now on the front lines.
While Stryker says it has “business continuity measures” to support hospitals, the full impact on the medical supply chain remains uncertain.
For organizations watching these developments, the breach highlights a critical chokepoint: administrative access to MDM and cloud consoles is a master key to every enrolled device.
Defending it means phishing-resistant, hardware-backed MFA for every administrator; keeping the number of Global Administrators to a minimum and granting Intune rights through scoped roles rather than tenant-wide ones; short session lifetimes, so that a stolen cookie of the kind an infostealer harvests expires quickly; and threshold alerts that fire when wipe or retire actions spike across the fleet.
Where the tenant supports it, requiring a second administrator to approve device wipe actions means one compromised account is no longer enough for mass destruction.
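The “threshold alerts for mass-wipe events” recommended here, and the Intune wipe sequence described under “Execution via Microsoft Intune”, come down to one piece of detection logic: count destructive device actions per administrator inside a sliding time window and raise an alert when the count crosses a limit that no legitimate decommissioning would reach. The script below is an added example written for this article; it is not code from Stryker, Microsoft or the article’s author. It assumes audit records shaped like the Microsoft Graph `auditEvent` resource returned by `deviceManagement/auditEvents` (an `activityDateTime`, an `activityType`, an `actor` with `userPrincipalName`, and a `resources` list); the exact `activityType` strings for wipe and retire are an assumption to confirm against your own tenant, and the sample records are constructed.

```python
"""Threshold alert for mass Intune remote-wipe activity.

Added example for this article; not code from Stryker, Microsoft or the
article's author. Assumes audit records shaped like the Microsoft Graph
`auditEvent` resource (deviceManagement/auditEvents): `activityDateTime`
in ISO 8601 UTC, `activityType`, an `actor` with `userPrincipalName`, and a
`resources` list. The activityType strings below are an assumption; confirm
them against your tenant's audit log. Sample records are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed activityType values for the two destructive device actions.
DESTRUCTIVE_ACTIONS = {"wipe manageddevice", "retire manageddevice"}


def parse_time(stamp):
    """Graph emits e.g. 2026-03-11T00:04:20Z; fromisoformat wants +00:00 before 3.11."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_destructive(event):
    return event.get("activityType", "").lower() in DESTRUCTIVE_ACTIONS


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of wipe/retire actions per actor.

    Emits one alert when an actor's count inside `window` first reaches
    `threshold`, then stays quiet until that burst decays below threshold,
    so a sustained mass wipe yields a single alert rather than one per device.
    """
    recent = defaultdict(deque)    # actor -> timestamps still inside the window
    in_burst = defaultdict(bool)
    alerts = []
    ordered = sorted((e for e in events if is_destructive(e)),
                     key=lambda e: parse_time(e["activityDateTime"]))
    for ev in ordered:
        actor = ev["actor"]["userPrincipalName"]
        now = parse_time(ev["activityDateTime"])
        q = recent[actor]
        q.append(now)
        while now - q[0] > window:   # q is non-empty: `now` was just appended
            q.popleft()
        if len(q) >= threshold:
            if not in_burst[actor]:
                in_burst[actor] = True
                alerts.append({"actor": actor, "count": len(q),
                               "first": q[0].isoformat(), "last": now.isoformat()})
        else:
            in_burst[actor] = False
    return alerts


def _event(stamp, actor, device, activity="wipe ManagedDevice"):
    return {"activityDateTime": stamp, "activityType": activity,
            "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": device}]}


# Constructed audit records: a helpdesk admin retiring two devices over a
# morning (benign), one configuration change (ignored), and a compromised
# Global Administrator wiping seven servers in under seven minutes.
SAMPLE_EVENTS = [
    _event("2026-03-10T09:00:00Z", "helpdesk@example.com", "LT-0101", "retire ManagedDevice"),
    _event("2026-03-10T10:30:00Z", "helpdesk@example.com", "LT-0102", "retire ManagedDevice"),
    _event("2026-03-10T11:00:00Z", "helpdesk@example.com", "Baseline-1", "create DeviceConfiguration"),
] + [
    _event(f"2026-03-11T00:0{i}:{5 * i:02d}Z", "ga-compromised@example.com", f"SRV-{i:04d}")
    for i in range(7)
]

if __name__ == "__main__":
    for a in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {a['count']} wipe/retire actions "
              f"between {a['first']} and {a['last']}")
```

Two design points matter in practice. The counter is keyed by actor, because a mass wipe driven from one stolen Global Administrator session shows up as one identity doing something no single person should be doing; a fleet-wide counter would also work but would not tell you which session to kill. And the alert must be delivered to a channel the attacker cannot silence from the same console, since an administrator who can wipe 200,000 devices can usually also disable an alert rule that lives next to the wipe button.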