Disruptive Iran-nexus hacktivist operation claims large-scale data destruction as Stryker restores services and CISA investigates.
Handala | Wiper activity | Microsoft Entra | Device management | Healthcare supply chain | Iran-nexus
Affected vendor / organisation: Stryker (global enterprise IT)
Primary issue: Destructive disruption, reported remote wiping of managed endpoints; Entra login defacement
Exploitation status: Observed in the wild (enterprise disruption confirmed); actor claims unverified
Confidence level: Medium (incident confirmed; scale and data theft claims unconfirmed)
Severity: High (global business disruption; downstream healthcare supply risk)
Patch / mitigation status: Incident response and restoration ongoing; no vendor “patch” context applicable
Sectors at risk: Healthcare providers relying on Stryker ordering/support; medtech manufacturing and distribution
Regions at risk: Global (employee reports from multiple countries)
Executive Summary
Stryker has confirmed a cybersecurity incident causing a “global disruption” to its Microsoft environment, with an unknown timeline for full restoration. (SEC)
BleepingComputer reports the Iran-linked, pro-Palestinian “Handala” persona claimed responsibility, alleging data theft and widespread wiping of systems, while employees in multiple regions reported managed Windows and mobile devices being remotely wiped and an Entra login page defacement. (BleepingComputer)
Stryker states it has “no indication of ransomware or malware” and believes the incident is contained, which is consistent with a destructive operation executed through compromised management tooling or identity controls rather than a conventional endpoint wiper. (SEC)
CISA has said it launched an investigation and is providing technical assistance, elevating this from a corporate incident to a critical infrastructure-adjacent response due to healthcare supply dependencies. (Nextgov/FCW)
Context
Stryker disclosed via SEC Form 8-K that it activated its cybersecurity response plan and engaged external advisors after identifying the incident on 11 March 2026. (SEC)
The activity has been publicly claimed by “Handala”, a persona assessed by multiple CTI teams as Iran Ministry of Intelligence and Security (MOIS)-aligned and associated with destructive “hack-and-leak” operations. Unit 42 describes Handala as linked to MOIS, and Check Point assesses the Handala persona as maintained by the MOIS-affiliated “Void Manticore” cluster. (Unit 42)
Handala emerged in late 2023 and has prior public reporting tied to destructive tooling, including Windows and Linux wipers (“Hatef” and “Hamsa”) documented by Intezer during campaigns targeting Israeli infrastructure. (Intezer)
Technical Analysis
What is confirmed
Stryker has confirmed a cybersecurity incident resulting in global disruption to its Microsoft environment, ongoing access limitations to IT systems and business applications, and an unknown restoration timeline. (SEC)
Stryker’s customer updates state there is no indication of ransomware or malware and that the incident is believed contained to its internal Microsoft environment. The company also stated certain products (including Mako, Vocera and LIFEPAK35) are safe to use and that it is working to restore electronic ordering. (stryker.com)
What is credibly reported
BleepingComputer reports employees in multiple countries said managed Windows and mobile devices were remotely wiped, including cases where personal phones enrolled for work access were reset. It also reports instructions to remove corporate management and applications from personal devices, including the Intune Company Portal, Teams, and VPN clients. (BleepingComputer)
The same reporting states attackers defaced Stryker’s Entra login page to display a Handala logo. (BleepingComputer)
Separately, SecurityWeek and Cybersecurity Dive (citing The Wall Street Journal) report guidance circulated to staff to disconnect from networks and not power on company devices, consistent with containment steps during a rapidly evolving identity or management-plane compromise. (SecurityWeek)
What remains unconfirmed
Handala claims it extracted “50TB” and wiped “over 200,000” systems across “79 countries”. These claims have not been independently verified in Stryker’s filings or statements, and should be treated as unconfirmed until corroborated. (BleepingComputer)
Analytical assessment (clearly labelled)
Likely: The combination of reported remote wipes across managed endpoints and Stryker’s statement that it has no indication of malware suggests destructive actions executed via compromised identity and enterprise management controls (for example Entra administrative access and device management capabilities), rather than malware deployed endpoint-by-endpoint. This remains an inference pending Stryker or responder confirmation of root cause. (BleepingComputer)
Impact Assessment
Operational disruption is the primary confirmed impact: Stryker reported limitations affecting information systems and business applications supporting operations and corporate functions, with business continuity measures invoked. (SEC)
Downstream healthcare risk is concentrated in ordering, support workflows, and logistics. Stryker’s customer updates reference efforts to restore electronic ordering and handling of orders entered before and after the event. (stryker.com)
If remote wiping of BYOD-enrolled devices occurred as reported, this expands the incident impact into personal data loss for staff and complicates recovery due to re-enrolment and trust re-establishment across the device estate. (BleepingComputer)
Threat Intelligence Context
Handala is widely described as a “hacktivist” brand used for disruptive, psychological, and data-leak operations, with credible reporting tying the persona to MOIS-linked activity. (Unit 42)
CISA has stated it opened an investigation and is coordinating with partners to provide technical assistance to Stryker. (Nextgov/FCW)
MITRE ATT&CK mapping (observed and assessed)
| Tactic | Technique ID | Technique Name | Observed behaviour |
|---|---|---|---|
| Impact | T1485 | Data Destruction | Reported remote wiping of managed endpoints (Windows and mobile), causing loss of availability and potential data loss (reported; not formally confirmed by Stryker). (BleepingComputer) |
| Impact | T1491.001 | Defacement: Internal Defacement | Reported Entra login page defacement showing Handala branding. (BleepingComputer) |
| Defence Evasion / Persistence (assessed) | T1078 | Valid Accounts | Possible use of compromised privileged identities to execute destructive actions through management tooling (inferred from “no malware” plus management-plane symptoms). (SEC) |
Incident Response Guidance
For organisations with similar Microsoft-centric estates (Entra ID, M365, Intune/MDM), the defensive priority is to treat this class of incident as identity and management-plane compromise until proven otherwise:
- Containment (priority):
  - Revoke sessions and rotate credentials for privileged accounts; review role assignments and emergency access accounts.
  - Audit Entra sign-in activity and administrative actions for anomalous geographies, new devices, token replays, and privileged role grants.
  - Review device-management audit logs for bulk actions (wipe/retire), policy changes, and newly created admin connectors.
- Eradication and recovery:
  - Rebuild trust in device enrolment: re-enrol endpoints only after privileged identity controls are re-secured.
  - Validate backup integrity and restoration paths for identity, endpoint configuration, and critical business applications affected by the outage.
  - Preserve evidence before reimaging, especially on management servers, identity administration workstations, and endpoints that initiated high-impact actions.
- Forensic artefacts to prioritise:
  - Entra ID sign-in and audit logs; M365 unified audit logs; Intune/MDM administrative action logs.
  - Conditional Access and authentication method change history.
  - Endpoint telemetry around reset/wipe events and device compliance/enrolment changes.
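The two containment checks above that responders can automate quickly are the review of device-management audit logs for bulk wipe/retire actions and the review of identity audit logs for privileged role grants, correlated so that a newly elevated account which then issues mass destructive actions stands out. The triage script below is an added example written for this brief; it is not Stryker's, CISA's, or Microsoft's code. It runs over a constructed, deliberately simplified event schema (the `ts`/`source`/`actor`/`action`/`target`/`role` fields are assumptions for the example, not the real Entra ID or Intune log schema), with constructed sample events, and the thresholds and the set of roles treated as privileged are tunable assumptions.

```python
"""Triage helper for the containment checks in the guidance above.

Added example, not code from Stryker or any responder. It flags:
  * bulk device wipe/retire actions by one actor inside a short window
  * privileged role grants, and which of those grantees went on to
    perform bulk destructive actions afterwards
The event schema and sample data are constructed for this example and
are NOT the real Entra ID or Intune audit log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: which roles count as privileged and which MDM actions are destructive.
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator",
                    "Privileged Role Administrator"}
DESTRUCTIVE_ACTIONS = {"WipeDevice", "RetireDevice", "FreshStart"}


def _ev(ts, source, actor, action, target, role=None):
    """Build one normalised event record (constructed schema)."""
    return {"ts": ts, "source": source, "actor": actor,
            "action": action, "target": target, "role": role}


# Constructed sample events: one helpdesk account retiring two devices hours
# apart (normal), and one service account that is granted a privileged role
# and then wipes six devices inside three minutes (the pattern to catch).
SAMPLE_EVENTS = [
    _ev("2026-03-11T01:40:00Z", "entra", "jdoe@corp.example", "AddMemberToRole",
        "svc-mdm@corp.example", "Intune Administrator"),
    _ev("2026-03-11T01:50:00Z", "mdm", "helpdesk@corp.example", "RetireDevice", "LAPTOP-0042"),
    _ev("2026-03-11T02:00:00Z", "mdm", "svc-mdm@corp.example", "WipeDevice", "LAPTOP-0101"),
    _ev("2026-03-11T02:00:30Z", "mdm", "svc-mdm@corp.example", "WipeDevice", "LAPTOP-0102"),
    _ev("2026-03-11T02:01:00Z", "mdm", "svc-mdm@corp.example", "WipeDevice", "PHONE-0201"),
    _ev("2026-03-11T02:01:30Z", "mdm", "svc-mdm@corp.example", "WipeDevice", "PHONE-0202"),
    _ev("2026-03-11T02:02:00Z", "mdm", "svc-mdm@corp.example", "WipeDevice", "LAPTOP-0103"),
    _ev("2026-03-11T02:02:30Z", "mdm", "svc-mdm@corp.example", "WipeDevice", "LAPTOP-0104"),
    _ev("2026-03-11T02:30:00Z", "entra", "svc-mdm@corp.example", "AddMemberToRole",
        "asmith@corp.example", "Helpdesk Administrator"),  # not in PRIVILEGED_ROLES
    _ev("2026-03-11T09:15:00Z", "mdm", "helpdesk@corp.example", "RetireDevice", "LAPTOP-0043"),
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_bulk_device_actions(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor whose destructive MDM actions reach
    `threshold` within any `window`-long span (the densest span is reported)."""
    by_actor = defaultdict(list)
    for e in events:
        if e["source"] == "mdm" and e["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[e["actor"]].append(_parse_ts(e["ts"]))
    alerts = []
    for actor, stamps in by_actor.items():
        stamps.sort()
        best = None
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if t - start <= window)
            if count >= threshold and (best is None or count > best["count"]):
                best = {"actor": actor, "count": count,
                        "start": start, "end": start + window}
        if best:
            alerts.append(best)
    return alerts


def find_privileged_role_grants(events, privileged_roles=PRIVILEGED_ROLES):
    """Return every grant of a role in `privileged_roles` from the identity log."""
    return [
        {"ts": _parse_ts(e["ts"]), "granted_by": e["actor"],
         "grantee": e["target"], "role": e["role"]}
        for e in events
        if e["source"] == "entra" and e["action"] == "AddMemberToRole"
        and e["role"] in privileged_roles
    ]


def correlate_grants_to_wipes(events, window=timedelta(minutes=10), threshold=5):
    """Grantees of a privileged role who later produced a bulk-action alert."""
    bulk = {a["actor"]: a for a in find_bulk_device_actions(events, window, threshold)}
    hits = []
    for g in find_privileged_role_grants(events):
        alert = bulk.get(g["grantee"])
        if alert and g["ts"] <= alert["start"]:
            hits.append({"grantee": g["grantee"], "role": g["role"],
                         "granted_by": g["granted_by"], "wipes": alert["count"],
                         "grant_to_first_wipe": alert["start"] - g["ts"]})
    return hits


if __name__ == "__main__":
    for a in find_bulk_device_actions(SAMPLE_EVENTS):
        print(f"BULK: {a['actor']} issued {a['count']} destructive actions from {a['start']:%H:%M:%S}")
    for h in correlate_grants_to_wipes(SAMPLE_EVENTS):
        print(f"CORRELATED: {h['grantee']} got {h['role']} from {h['granted_by']}, "
              f"then {h['wipes']} wipes {h['grant_to_first_wipe']} later")
```

On the sample data the script reports the service account's six wipes as a bulk action and correlates them back to the Intune Administrator grant twenty minutes earlier, while the helpdesk account's two retirements hours apart produce nothing. In a real estate the same two functions would be fed normalised records exported from the Entra audit log and the MDM audit log, and the correlation output is the short list of accounts whose sessions and credentials the containment step revokes first.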
Mitigation Recommendations
- Enforce phishing-resistant MFA for administrators and high-risk roles, and adopt Privileged Identity Management with just-in-time role elevation.
- Restrict device wipe capability via least privilege, approvals where feasible, and privileged access workstations for admin activity.
- Increase logging retention for Entra/M365/Intune to support retroactive investigation, and ensure centralised alerting on privileged role changes and mass device actions.
- Segment and harden business-critical workflows (ordering, logistics, customer support) with offline continuity playbooks tested beyond “pen and paper”.
Further Reading
- BleepingComputer coverage of the Stryker disruption and Handala claim (BleepingComputer)
- Stryker customer updates on the network disruption (stryker.com)
- Stryker SEC Form 8-K disclosure (11 March 2026) (SEC)
- CISA statement and investigation reporting (Nextgov/FCW)
- Unit 42 threat brief discussing Handala and Iran-nexus activity (Unit 42)
- Check Point research on Handala as a Void Manticore persona (Check Point Blog)
- Intezer analysis of Handala-associated wipers (“Hatef” and “Hamsa”) (Intezer)
