Global medical technology company Stryker has confirmed a major cyberattack that led to the remote wiping of tens of thousands of corporate devices worldwide. The incident stands out as one of the most disruptive enterprise breaches involving the misuse of legitimate cloud-based management tools rather than traditional malware.
The attack began on March 11, 2026, and severely disrupted Stryker’s internal IT environment, including Microsoft services, manufacturing processes, and shipping operations. A pro-Iranian hacktivist group known as Handala has claimed responsibility, describing the attack as politically motivated. The group alleges it wiped over 200,000 systems and exfiltrated around 50 TB of sensitive data, though these figures remain unverified. Still, the scale of disruption indicates a highly coordinated operation.
Instead of deploying ransomware or destructive malware, the attackers abused Microsoft Intune, a legitimate enterprise tool used for device management and security enforcement. After gaining administrative access, they used Intune’s remote wipe feature to trigger factory resets across thousands of Windows devices globally. This allowed them to erase systems without introducing malicious files, effectively evading traditional endpoint detection and response (EDR) systems.
Reports indicate that administrative credentials were compromised, giving attackers full control over the Intune environment. Remote wipe commands were executed across operations in 79 countries, with some offices losing up to 95% of their endpoints before containment measures were implemented. The absence of malware artifacts highlights a “living-off-the-land” technique, where attackers weaponize trusted tools instead of deploying custom code.
Cybersecurity researchers, including those from Palo Alto Networks, suggest that Handala may have links to Iran’s Ministry of Intelligence and Security (MOIS), pointing to possible state-backed involvement. This aligns with a broader trend of identity-based attacks targeting centralized cloud management systems to maximize disruption while minimizing detection.
Despite the widespread IT impact, Stryker confirmed that its medical devices and healthcare platforms remain unaffected. Critical systems are segmented from corporate infrastructure, ensuring continued operation of platforms like Vocera, care.ai, and surgical technologies such as Mako Robotics and LIFEPAK devices.
In response, Stryker activated its incident response protocols, working with cybersecurity experts and government authorities. Immediate actions included disconnecting devices, shifting to manual operations, increasing monitoring, and conducting credential resets. This incident highlights a significant evolution in cyber threats, where attackers increasingly target identity and access controls within cloud environments to carry out large-scale, stealthy attacks without relying on traditional malware.
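The technique described above (mass remote wipes issued from a compromised device-management admin account) leaves no malware artifacts, so the monitoring Stryker says it increased has to come from the management plane's own audit trail rather than from endpoints. The following Python script is an added example, not code from the original article or from Stryker or Microsoft, showing how a defender could flag the pattern: a sliding-window rule that alerts when one actor issues an unusual number of destructive actions in a short period. The log schema (fields `time`, `actor`, `action`, `device`) and the sample records are constructed for the example and deliberately simplified; they are not the real Intune audit event format.

```python
"""Detect a burst of remote-wipe actions in (constructed) device-management audit logs.

The JSON-lines schema below is a simplified, made-up format, not Microsoft's
Intune audit event schema: each record carries a timestamp, the acting admin
account, the action name and the target device id.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: one admin issues routine one-off wipes, a second account
# issues a burst of wipes seconds apart, as a compromised admin session would.
SAMPLE_LOG = """\
{"time": "2026-03-11T02:00:00Z", "actor": "it-admin@example.test", "action": "wipe", "device": "LAPTOP-0001"}
{"time": "2026-03-11T02:40:00Z", "actor": "it-admin@example.test", "action": "wipe", "device": "LAPTOP-0002"}
{"time": "2026-03-11T03:10:05Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "LAPTOP-1001"}
{"time": "2026-03-11T03:10:07Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "LAPTOP-1002"}
{"time": "2026-03-11T03:10:09Z", "actor": "svc-intune@example.test", "action": "sync", "device": "LAPTOP-1003"}
{"time": "2026-03-11T03:10:11Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "LAPTOP-1004"}
{"time": "2026-03-11T03:10:12Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "LAPTOP-1005"}
{"time": "2026-03-11T03:10:15Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "LAPTOP-1006"}
"""

# Actions that take a device out of service; "sync" and similar are benign.
DESTRUCTIVE_ACTIONS = {"wipe", "retire"}


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first.

    Malformed lines are skipped rather than raised, so one bad record cannot
    silence the detector.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["time"] = datetime.strptime(
                rec["time"], "%Y-%m-%dT%H:%M:%SZ"
            ).replace(tzinfo=timezone.utc)
            events.append(rec)
        except (ValueError, KeyError):
            continue
    return sorted(events, key=lambda r: r["time"])


def detect_mass_wipe(text, window_seconds=300, threshold=5):
    """Alert when one actor issues >= threshold destructive actions within window_seconds.

    Returns one alert per actor, recorded the moment the threshold is first
    crossed. Routine, widely spaced wipes stay under the threshold.
    """
    recent = defaultdict(deque)  # actor -> timestamps of destructive actions still in window
    alerted = set()
    alerts = []
    for rec in parse_events(text):
        if rec["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[rec["actor"]]
        q.append(rec["time"])
        # Drop timestamps that have fallen out of the sliding window.
        while (rec["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and rec["actor"] not in alerted:
            alerted.add(rec["actor"])
            alerts.append({
                "actor": rec["actor"],
                "count": len(q),
                "at": rec["time"].isoformat(),
                "window_seconds": window_seconds,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_mass_wipe(SAMPLE_LOG):
        print(f"ALERT: {a['actor']} issued {a['count']} destructive actions "
              f"within {a['window_seconds']}s (at {a['at']})")
```

Run against the sample, the routine admin never trips the rule while the second account is flagged on its fifth wipe within ten seconds. In practice the threshold should be set from a baseline of the organisation's normal wipe rate, and an alert of this kind is the trigger for the containment steps the article lists: revoking the actor's sessions, resetting its credentials and suspending further wipe commands while the activity is investigated.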