[CS-SA-26-0302] Handala’s Cyberattack on Stryker


Executive Summary

On March 11, 2026, Stryker Corporation, a Fortune 500 medical device manufacturer with operations in 79 countries, suffered an enterprise-wide destructive cyberattack that wiped more than 200,000 devices in a single overnight event. Employees saw login screens showing the Handala Hack Team's logo. Hospitals disconnected. Stryker filed an 8-K with the SEC before the business day was over.

The group claiming responsibility, Handala Hack Team (Void Manticore), affiliated with Iran's Ministry of Intelligence and Security (MOIS), did not use ransomware and made no demand for payment. The goal was data destruction. The attack weaponized Microsoft Intune, a legitimate enterprise device management platform, issuing authenticated mass wipe commands from a single compromised administrator account. No malware was required on individual endpoints, so traditional endpoint security had no role to play. This bulletin covers what happened, how it was done, who is behind it, and the six actions your team should take in the next 48 hours.

Timeline of Events

When               | Event
-------------------+------------------------------------------------------------------------------------------
Feb 28, 2026       | U.S. missile strike kills 175+ at Minab girls' school in Iran - Handala's stated trigger for retaliation against U.S. organizations
Mar 11 - Overnight | Stryker systems go dark globally; employees arrive to black screens displaying the Handala logo; 200,000+ devices wipe to factory settings across 79 countries
Mar 11 - Morning   | Handala posts manifesto on Telegram claiming responsibility: 200K+ devices wiped, 50TB exfiltrated, data release promised
Mar 11 - 12, 2026  | Stryker files 8-K with SEC; CISA opens active investigation; 5,000+ Irish employees sent home; European hospitals disconnect Stryker-connected services

Attack Overview

Handala obtained administrator-level credentials for Stryker's Microsoft Intune tenant, possibly through the compromise of a cloud administrator account, and then used native Intune functionality to issue remote wipe commands to every enrolled device globally. No malware was distributed and no endpoint was individually targeted. The attack relied on the same device management platform Stryker's IT team uses for routine operations.

Employees who had Microsoft Outlook configured on personal devices experienced wipes on those devices as well because Intune enrollment follows the email account rather than only corporate hardware. Stryker confirmed that no ransomware was involved and described the incident as a destructive wiper operation. The group also claims it exfiltrated 50 terabytes of data before the wipe and has threatened to release the information publicly.

In addition to the exploitation of Microsoft Intune, Handala's established playbook includes a custom wiper executable called handala.exe deployed through Group Policy with Master Boot Record overwrite capability, a PowerShell-based wiper distributed domain-wide through GPO logon scripts, and deletion of Volume Shadow Copies to prevent local backup restoration. These techniques are designed to run simultaneously and overwhelm defender response efforts.

Threat Actor Overview

Handala Hack Team presents itself as a pro-Palestinian hacktivist group, but its operational sophistication, including manual intrusions, weeks-long pre-positioning, Active Directory enumeration, and coordinated multi-vector destructive activity, aligns with state-directed capabilities. Security researchers at Check Point Research and Unit 42 assess Handala as a front for Void Manticore, which has been attributed to the Iranian Ministry of Intelligence and Security.

The group selects targets based on geopolitical alignment rather than purely technical weaknesses. In this case, Stryker Corporation was reportedly targeted due to its Israeli acquisition activity, its contract relationships with the U.S. Department of Defense, and what the attackers perceive as alignment with U.S. and Israeli operations, rather than because of specific security deficiencies.

Who Is at Risk

Handala primarily focuses attacks against the Israeli government, officials, and allies in the Middle East and beyond. However, the recent retaliatory cyberattack on Stryker, a U.S. organization, suggests expanded targeting to any entity it perceives as aligned with U.S. or Israeli interests, or as anti-Palestinian. Your organization is at elevated risk if any or all of the following apply:

  • Israeli subsidiaries, acquired companies, or joint ventures.
  • Active U.S. Department of Defense contracts or subcontracts.
  • Business relationships with Israeli vendors, partners, or suppliers.
  • Operations in healthcare, defense supply chain, energy, or critical infrastructure.
  • IT/MSP providers whose downstream clients match any of the above.

Organizations relying on Microsoft Intune, Azure AD / Entra ID, or any cloud device management platform should treat the Stryker attack as a direct cautionary example – regardless of Israeli or DoD ties. The attack class exploited credential compromise of a cloud administrator account, not a software flaw. Standard patch management and antivirus are not defenses against this technique.

What to Do Next

The following actions address the types of operations Iranian-aligned threat actors are likely to pursue in the current environment. Organizations should implement them and monitor the associated behaviors closely to identify potential threats early and guide defensive actions:

Immediate actions, and why each matters:

  • Audit cloud admin access: Remove unnecessary Global Administrator and Intune Device Administrator roles. Enable Privileged Identity Management (PIM) for just-in-time elevation. Any account that can issue a device wipe must be treated as your highest-risk credential.
  • Review Intune audit logs: Search for bulk wipe commands and anomalous admin sign-ins. Correlate against Azure AD / Entra ID sign-in logs. If you find activity you cannot explain, escalate immediately.
  • Enforce MFA everywhere: Validate MFA is active on all VPN, remote access, and M365 admin accounts. Disable legacy authentication protocols that bypass MFA. A password alone is insufficient against this actor's credential abuse techniques.
  • Block reported Handala infrastructure: Alert on or block authentication attempts from commercial VPN ranges (169.150.227.x, 149.88.26.x) and Starlink ranges (188.92.255.x, 209.198.131.x), confirmed Handala egress infrastructure.
  • Validate offline backups: Confirm at least one fully air-gapped backup copy exists. Handala deploys four simultaneous wiping methods specifically designed to defeat partial backup strategies. Test recoverability now, not during an incident.
  • Audit Group Policy: Alert on any new GPO logon scripts or scheduled task additions outside change management. This is Handala's primary domain-wide wiper distribution method in prior operations.
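The audit-log review and infrastructure-blocking actions above can be combined into one hunt: flag any identity that issues many Intune wipe actions in a short window, then check whether that identity signed in from the egress ranges this bulletin lists. The script below is an added illustration, not Critical Start's or Microsoft's code; the event field names are a simplified layout (an assumption), the sample events are constructed, and treating each listed "x" range as a /24 is also an assumption.

```python
"""Bulk-wipe hunt: many Intune wipe actions from one actor in a short window,
correlated with sign-ins from the egress ranges named in the bulletin.
Field names are a simplified layout (assumption); map real exports onto them."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Ranges quoted in the bulletin; treating each "x" range as a /24 is an assumption.
WATCHED_RANGES = [ip_network(c) for c in (
    "169.150.227.0/24", "149.88.26.0/24", "188.92.255.0/24", "209.198.131.0/24")]

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def bulk_wipe_actors(audit_events, threshold=10, window=timedelta(minutes=30)):
    """Return {actor: peak count} for actors with >= threshold wipes inside any window."""
    per_actor = defaultdict(list)
    for ev in audit_events:
        if "wipe" in ev["activityType"].lower():
            per_actor[ev["actor"]].append(parse_ts(ev["activityDateTime"]))
    flagged = {}
    for actor, times in per_actor.items():
        times.sort()
        j = 0  # left edge of the sliding window
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            if i - j + 1 >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), i - j + 1)
    return flagged

def suspicious_signins(signins, actors):
    """Sign-ins by flagged actors that originate from a watched range."""
    return [(s["userPrincipalName"], s["ipAddress"], s["createdDateTime"])
            for s in signins if s["userPrincipalName"] in actors
            and any(ip_address(s["ipAddress"]) in r for r in WATCHED_RANGES)]

# Constructed sample data: 12 wipes in 12 minutes from one admin, one routine helpdesk wipe.
SAMPLE_AUDIT = [{"activityType": "Wipe ManagedDevice", "actor": "admin@example.com",
                 "activityDateTime": f"2026-03-11T02:{i:02d}:00Z"} for i in range(12)]
SAMPLE_AUDIT.append({"activityType": "Wipe ManagedDevice", "actor": "helpdesk@example.com",
                     "activityDateTime": "2026-03-10T15:12:00Z"})
SAMPLE_SIGNINS = [  # constructed
    {"userPrincipalName": "admin@example.com", "ipAddress": "169.150.227.45",
     "createdDateTime": "2026-03-11T01:40:00Z"},
    {"userPrincipalName": "helpdesk@example.com", "ipAddress": "10.20.0.7",
     "createdDateTime": "2026-03-10T15:00:00Z"}]

def run(audit=SAMPLE_AUDIT, signins=SAMPLE_SIGNINS):
    flagged = bulk_wipe_actors(audit)
    return flagged, suspicious_signins(signins, flagged)
```

Call run() with your own exports; it returns the flagged actors with their peak wipe count and the sign-ins that tie them to a watched range.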

What Critical Start Is Doing

The Critical Start Cyber Research Unit is actively monitoring Handala and the broader Iranian threat actor ecosystem. If you are a Critical Start MDR customer, our SOC is positioned to hunt for Handala IOCs across your environment, validate your Intune and Azure AD administrator controls, identify exposure to confirmed Handala network indicators, and provide tailored briefings for your security leadership or board.

For the comprehensive Handala Threat Actor Advisory – including complete IOC tables, MITRE ATT&CK mapping, and mitigation strategies – visit Critical Start's Intel Hub. If you are not yet a Critical Start customer and want to understand your exposure, visit criticalstart.com.

© 2026 Critical Start. All rights reserved.