On March 11, 2026, employees at Stryker Corporation arrived at work to find their login screens replaced by a hacker's manifesto. Phones had been wiped. Servers had been erased. More than 5,500 workers at Stryker's largest international hub in Cork, Ireland, were sent home. Across the Atlantic, NHS hospitals began receiving alerts that defibrillator electrode orders could no longer be processed. What had just happened was not ransomware. It was something more deliberate, and more destructive.
Stryker is a Fortune 500 medical technology company headquartered in Portage, Michigan, with roughly 56,000 employees and operations spanning 61 countries. In 2025, the company reported revenues of $25.1 billion. Its products reach more than 150 million patients annually and include surgical robots, orthopedic implants, defibrillators, hospital beds, ambulance cots, and neurotechnology systems. It holds a $450 million Department of Defense contract to supply medical devices to the US military. This is the organization that Handala chose to target.
Who Is Handala, and Why Stryker?
Handala is not a new actor. It surfaced in late 2023 in the aftermath of Hamas's October 7 attack on Israel and has since built a documented track record of destructive operations against Israeli civilian infrastructure, Gulf energy companies, and Western organizations. It presents itself publicly as a pro-Palestinian hacktivist collective, but cybersecurity researchers have consistently identified it as something more operationally sophisticated than that framing suggests.
Palo Alto Networks has linked Handala to Void Manticore, a threat actor assessed to be operating under the direction of Iran's Ministry of Intelligence and Security (MOIS). IBM X-Force describes its toolkit as broad and evolving, encompassing phishing campaigns, custom wiper malware, ransomware-style extortion, data theft, and hack-and-leak activity, with a consistent emphasis on generating disruptive and psychological impact rather than financial gain.
"Its operations focus on generating disruptive and psychological impact." — IBM X-Force Exchange on Handala
Void Manticore operates at least three distinct public-facing personas. Homeland Justice was the initial persona, used from mid-2022 for a series of destructive attacks against government, telecommunications, and other sectors in Albania — culminating in Albania severing diplomatic relations with Iran, the first time a NATO member expelled Iranian diplomats over a cyberattack. Karma is a secondary persona documented in operations targeting Israel. Handala became the dominant public face from late 2023 onward, operating globally and effectively absorbing much of what Karma had done previously. Check Point Research has documented code-level overlaps in the wipers used across all three personas and has observed cross-persona data flows, including incidents where wiper messages appeared under the Karma brand while the stolen data was published through Handala channels.
Public reporting in March 2026 on Void Manticore's Counter-Terrorism Division, specifically its leadership under Seyed Yahya Hosseini Panjakit, became relevant context: Israeli strikes on Iranian intelligence figures earlier in 2026 reportedly impacted that leadership tier, adding personal motivation to the operational calculus of those executing these campaigns.
Handala's stated justification for the Stryker attack was retaliation for a US missile strike on a school in Minab, a city in southern Iran, on the first day of the US-Israeli military campaign against Iran in late February 2026. Iranian state media and Handala's own Telegram statement reported the strike killed 168 children. Some broader reporting cited a total casualty count exceeding 175, with the majority being children; those figures were not independently verified at the time of publication. The New York Times reported that an ongoing US military investigation had determined American forces were responsible for the strike. Six Democratic senators publicly called for a congressional investigation into the incident. Handala posted its claim on Telegram, stating the operation was conducted in retaliation for that strike and in response to what it characterized as ongoing cyberattacks against Iranian infrastructure.
Stryker, for its part, has no direct connection to the US-Iran military conflict. The company does have operations in Israel and holds that DoD supply contract. Handala's Telegram manifesto explicitly referred to Stryker as a "Zionist-rooted corporation," citing the company's 2019 acquisition of Israeli medical technology company OrthoSpace as the primary targeting rationale. The message is operationally significant: any company with material business ties to Israel — acquisitions, partnerships, shared customers, or investment relationships — may be within scope for future Handala operations. Check Point Research noted that the Stryker attack marked the first time Handala had targeted a major US business.
"The fact that they've set their sights on a major medical device company is particularly alarming. Critical healthcare infrastructure represents a high-value, high-impact target: disruption doesn't just mean data loss, it can mean patient safety." — Sergey Shykevich, Threat Intelligence Group Manager, Check Point Research (via MedTech Dive)
How the Attack Was Executed
The initial public characterization of the Stryker attack described it as a wiper attack, a category of destructive intrusion in which data is erased rather than encrypted for ransom. Iran has a long operational history with wipers. The 2012 Shamoon attack against Saudi Aramco erased data from more than 30,000 systems belonging to the world's largest oil company. Wipers have also been deployed extensively by Russian threat actors in Ukraine, and North Korea used one in its 2014 attack on Sony. For Iran, these weapons are proven and familiar.
What makes the Stryker incident technically notable is emerging evidence about the specific delivery mechanism. According to SecurityWeek and reporting from KrebsOnSecurity, investigators and individuals claiming inside knowledge of the incident suggest the attackers used Microsoft Intune to remotely wipe corporate and personal devices at scale. Intune is Microsoft's cloud-based unified endpoint management (UEM) platform, designed to allow organizations to manage and secure Windows, macOS, iOS, Android, and Linux devices from a central console. If attackers gain access to an Intune administrator account with sufficient privileges, they can issue remote wipe commands to every enrolled device across an organization's global fleet — simultaneously.
Check Point Research documented Handala's pre-attack reconnaissance in detail, identifying hundreds of logon and brute-force attempts against VPN infrastructure in the months before the destructive phase. That activity typically originated from commercial VPN nodes with default Windows hostnames in the format DESKTOP-XXXXXX or WIN-XXXXXX. After Iran's nationwide internet shutdown in January 2026, the same activity shifted to Starlink IP ranges, as the group adapted to route traffic through satellite internet infrastructure to evade geolocation-based blocking. Check Point also noted a parallel deterioration in operational security: by March 2026, the group was making direct connections from Iranian IP addresses — a departure from its previously careful use of commercial VPN infrastructure. Check Point assessed that initial access had been established well before the March 11 destructive phase, with dwell time likely spanning several months.
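The reconnaissance pattern described above (failed VPN logons from clients presenting unrenamed DESKTOP-XXXXXX or WIN-XXXXXX hostnames) lends itself to a simple triage rule that keys on the hostname and the failure pattern rather than on source IP, so it keeps working when the traffic moves to new ranges. The following is an added example, not code from the report or from any vendor; the log format is a constructed, simplified VPN authentication log and the sample lines are invented.

```python
"""Triage VPN authentication failures from sources presenting default
Windows hostnames (DESKTOP-XXXXXX / WIN-XXXXXX).

Constructed example: the log format is a simplified, made-up VPN/RADIUS
authentication log, not any vendor's real format.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real data).  Two sources spray or
# brute-force from unrenamed Windows hosts; the others are ordinary logons.
SAMPLE_LOG = """\
2026-01-14T02:10:01Z vpn-auth src=198.51.100.23 host=DESKTOP-7K2Q9FA user=j.doe result=FAIL
2026-01-14T02:10:04Z vpn-auth src=198.51.100.23 host=DESKTOP-7K2Q9FA user=a.smith result=FAIL
2026-01-14T02:10:07Z vpn-auth src=198.51.100.23 host=DESKTOP-7K2Q9FA user=admin result=FAIL
2026-01-14T02:10:09Z vpn-auth src=198.51.100.23 host=DESKTOP-7K2Q9FA user=svc-backup result=FAIL
2026-01-14T02:11:40Z vpn-auth src=203.0.113.9 host=WIN-A1B2C3D4E5F user=r.lee result=FAIL
2026-01-14T02:11:43Z vpn-auth src=203.0.113.9 host=WIN-A1B2C3D4E5F user=r.lee result=FAIL
2026-01-14T02:11:46Z vpn-auth src=203.0.113.9 host=WIN-A1B2C3D4E5F user=r.lee result=FAIL
2026-01-14T02:11:50Z vpn-auth src=203.0.113.9 host=WIN-A1B2C3D4E5F user=r.lee result=OK
2026-01-14T02:30:00Z vpn-auth src=192.0.2.77 host=CORP-LT-0412 user=k.wong result=FAIL
2026-01-14T02:30:05Z vpn-auth src=192.0.2.77 host=CORP-LT-0412 user=k.wong result=OK
2026-01-14T03:05:00Z vpn-auth src=192.0.2.78 host=DESKTOP-Z9Y8X7W user=p.nair result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth src=(?P<src>\S+) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)
# Hostnames Windows assigns at install time.  Managed fleets rename them, so a
# remote client still presenting one is a weak but useful indicator, and it
# survives the attacker moving to new IP ranges, which IP blocking does not.
DEFAULT_HOST_RE = re.compile(r"^(?:DESKTOP|WIN)-[A-Z0-9]{6,}$")


def parse_line(line):
    """Return the event as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_default_hostname(host):
    return bool(DEFAULT_HOST_RE.match(host))


def triage_sources(log_text, fail_threshold=3, spray_users=3):
    """Summarise each source IP that presents a default hostname and reaches
    `fail_threshold` failures.  A success following the failures is the
    highest-priority case: that account may now be compromised."""
    per_src = defaultdict(lambda: {"host": None, "fails": 0, "users": set(),
                                   "success_after_fail": False})
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or not is_default_hostname(ev["host"]):
            continue
        s = per_src[ev["src"]]
        s["host"] = ev["host"]
        if ev["result"] == "FAIL":
            s["fails"] += 1
            s["users"].add(ev["user"])
        elif s["fails"] > 0:
            s["success_after_fail"] = True

    findings = []
    for src, s in per_src.items():
        if s["fails"] < fail_threshold:
            continue
        findings.append({
            "src": src,
            "host": s["host"],
            "failures": s["fails"],
            # Many distinct users from one source is a spray; one user is a
            # brute-force against a single account.
            "pattern": "spray" if len(s["users"]) >= spray_users else "brute-force",
            "users": sorted(s["users"]),
            "severity": "high" if s["success_after_fail"] else "medium",
        })
    # Highest severity first, then by volume.
    findings.sort(key=lambda f: (f["severity"] != "high", -f["failures"]))
    return findings


if __name__ == "__main__":
    for f in triage_sources(SAMPLE_LOG):
        print(f["severity"].upper(), f["src"], f["host"], f["pattern"],
              f["failures"], "failures, users:", ", ".join(f["users"]))
```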
One hypothesis documented by multiple threat intelligence firms involves the path from initial credential compromise to Intune admin access through Active Directory Connect (AD Connect) — the tool many organizations use to synchronize their on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). When password synchronization is enabled, compromised on-premises credentials work in both environments. An attacker who acquires a privileged on-premises account through VPN access and lateral movement may then be able to escalate into a cloud-based Intune administrator role, inheriting the ability to issue wipe commands to every enrolled device in the organization without touching a single endpoint directly.
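The escalation path just described turns on one question a defender can audit directly: which accounts holding fleet-wide roles have passwords mastered on-premises and synchronised to the cloud? The following audit is an added example, not Stryker's or Microsoft's code; the directory snapshot is constructed, the role names are Entra built-in roles, and the field names (`synced_from_onprem`, mirroring the directory's on-premises sync flag, and `phishing_resistant_mfa`) are simplifications assumed for the example.

```python
"""Audit privileged endpoint-management roles for on-prem-synced holders.

Constructed example: the user and role-assignment records below are
invented and use simplified field names modelled on Entra ID's user and
role-assignment objects; they are not pulled from any real tenant.
"""

# Roles whose holders can issue fleet-wide actions such as remote wipe.
# Assumption for the example: any of these counts as "privileged".
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Intune Administrator",
    "Privileged Role Administrator",
}

# Constructed directory snapshot (not real data).
USERS = {
    # synced_from_onprem: password mastered in on-prem AD and synchronised.
    "ops.admin@example.com":     {"synced_from_onprem": True,  "phishing_resistant_mfa": True},
    "svc-intune@example.com":    {"synced_from_onprem": True,  "phishing_resistant_mfa": False},
    "ga-breakglass@example.com": {"synced_from_onprem": False, "phishing_resistant_mfa": True},
    "j.doe@example.com":         {"synced_from_onprem": True,  "phishing_resistant_mfa": True},
}

# Constructed role assignments; "eligible" means just-in-time activation.
ROLE_ASSIGNMENTS = [
    {"role": "Intune Administrator",   "principal": "ops.admin@example.com",     "assignment": "permanent"},
    {"role": "Intune Administrator",   "principal": "svc-intune@example.com",    "assignment": "permanent"},
    {"role": "Global Administrator",   "principal": "ga-breakglass@example.com", "assignment": "permanent"},
    {"role": "Intune Administrator",   "principal": "j.doe@example.com",         "assignment": "eligible"},
    {"role": "Helpdesk Administrator", "principal": "j.doe@example.com",         "assignment": "permanent"},
]


def _finding(assignment, check, severity):
    return {"principal": assignment["principal"], "role": assignment["role"],
            "check": check, "severity": severity}


def audit_privileged_roles(users, assignments, break_glass=frozenset()):
    """Return one finding per failed check on a privileged role assignment.

    Checks:
      SYNCED_FROM_ONPREM         the holder's password is mastered on-prem, so
                                 an on-prem compromise reaches the cloud role
      NO_PHISHING_RESISTANT_MFA  the holder lacks phishing-resistant MFA
      PERMANENT_ASSIGNMENT       standing rather than just-in-time access
                                 (designated break-glass accounts are exempt)
      UNKNOWN_PRINCIPAL          assignment points at an account not in the
                                 snapshot (stale or orphaned assignment)
    """
    findings = []
    for a in assignments:
        if a["role"] not in PRIVILEGED_ROLES:
            continue
        user = users.get(a["principal"])
        if user is None:
            findings.append(_finding(a, "UNKNOWN_PRINCIPAL", "high"))
            continue
        if user["synced_from_onprem"]:
            findings.append(_finding(a, "SYNCED_FROM_ONPREM", "high"))
        if not user["phishing_resistant_mfa"]:
            findings.append(_finding(a, "NO_PHISHING_RESISTANT_MFA", "high"))
        if a["assignment"] == "permanent" and a["principal"] not in break_glass:
            findings.append(_finding(a, "PERMANENT_ASSIGNMENT", "medium"))
    return findings


def summarise(findings):
    """Count findings per check, for a quick read of where the exposure is."""
    counts = {}
    for f in findings:
        counts[f["check"]] = counts.get(f["check"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_privileged_roles(USERS, ROLE_ASSIGNMENTS,
                                     break_glass={"ga-breakglass@example.com"})
    for f in results:
        print(f["severity"].upper(), f["principal"], f["role"], f["check"])
    print(summarise(results))
```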
Handala's destructive toolkit extends beyond Intune abuse. Check Point Research documented that the group's traditional wiper operations deploy multiple techniques in parallel, typically distributed via Group Policy Objects (GPOs): a custom executable wiper (sometimes named handala.exe, deployed via a batch file called handala.bat) that overwrites file contents and attacks the Master Boot Record; an AI-assisted PowerShell wiper that enumerates and deletes all files in user directories and drops a propaganda image (handala.gif) across logical drives; and, in some incidents, the legitimate disk encryption tool VeraCrypt, used to encrypt system drives as an additional destructive layer. Whether these supplementary tools were deployed in the Stryker attack alongside the Intune wipe has not been publicly confirmed, but the presence of this full toolkit is documented across Handala's prior operations.
Stryker itself confirmed in formal statements that the intrusion disrupted its global Microsoft environment, caused disruption to order processing, manufacturing, and shipping, and resulted in no detected ransomware or malware. That last point is significant: the absence of malware signatures is consistent with a living-off-the-land technique, where attackers abuse legitimate administrative tools rather than deploying custom malicious code. Using Intune's own remote wipe capability requires no malware at all.
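Because a wipe issued through the management platform leaves no malware to detect, the remaining signal is the platform's own audit trail: one identity issuing destructive actions at a rate no service desk ever would. The detector below is an added example, not Stryker's or Microsoft's code; the events are constructed and use a simplified schema (time, actor, activity, device) loosely modelled on endpoint-management audit events, and the activity names are assumptions for the example rather than documented API values.

```python
"""Detect a burst of remote-wipe actions in endpoint-management audit events.

Constructed example: the records use a simplified, made-up schema loosely
modelled on Intune's audit events; the activity names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Destructive activities to count (assumed names for the example).
DESTRUCTIVE = {"Wipe ManagedDevice", "Retire ManagedDevice", "Delete ManagedDevice"}

# Constructed sample events (not real data): routine service-desk activity
# through the morning, then one actor issues 40 wipes in 40 seconds.
SAMPLE_EVENTS = [
    {"time": "2026-03-11T06:58:10Z", "actor": "helpdesk@example.com",
     "activity": "Wipe ManagedDevice", "device": "LT-0291"},
    {"time": "2026-03-11T07:20:45Z", "actor": "helpdesk@example.com",
     "activity": "Sync ManagedDevice", "device": "PH-1183"},
    {"time": "2026-03-11T07:40:02Z", "actor": "helpdesk@example.com",
     "activity": "Retire ManagedDevice", "device": "PH-1183"},
] + [
    # Hypothetical synced service account used for the burst.
    {"time": f"2026-03-11T08:02:{i:02d}Z", "actor": "svc-sync@example.com",
     "activity": "Wipe ManagedDevice", "device": f"DEV-{i:04d}"}
    for i in range(40)
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_wipe_bursts(events, window=timedelta(minutes=10), threshold=5,
                       fleet_size=None):
    """Return one alert per actor whose destructive actions reach `threshold`
    within any `window`.

    `seconds_to_threshold` is how long after the first action the rule would
    fire, i.e. how much time an automated response (revoke the actor's
    sessions, remove the role) has before the rest of the fleet is touched.
    """
    by_actor = defaultdict(list)
    for ev in events:
        if ev["activity"] in DESTRUCTIVE:
            by_actor[ev["actor"]].append((parse_time(ev["time"]), ev["device"]))

    alerts = []
    for actor, acts in by_actor.items():
        acts.sort()
        start = 0
        for end in range(len(acts)):
            # Slide the window start forward until the span fits.
            while acts[end][0] - acts[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                devices = {d for _, d in acts}
                alert = {
                    "actor": actor,
                    "first_action": acts[start][0].isoformat(),
                    "seconds_to_threshold": int(
                        (acts[end][0] - acts[start][0]).total_seconds()),
                    "devices_affected": len(devices),
                }
                if fleet_size:
                    alert["fleet_share"] = len(devices) / fleet_size
                alerts.append(alert)
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_wipe_bursts(SAMPLE_EVENTS, fleet_size=200_000):
        print(a)
```

The threshold is the whole tuning problem: set it from the service desk's real daily volume, and note that a value high enough to tolerate bulk offboarding (try `threshold=100` on the sample) never fires at all.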
The blast radius was extraordinary. Handala claimed on Telegram that it had erased data from over 200,000 systems, servers, and mobile devices, and extracted 50 terabytes of internal corporate data. Devices enrolled in Stryker's Intune environment — including personal smartphones belonging to employees who had set up corporate email or authentication apps — were among those wiped. Reports from Reddit, corroborated by the Irish Examiner, described employees unable to access accounts because their phones, which they relied on for two-factor authentication, had been erased. Login screens across the organization were replaced with Handala's logo. Stryker's Michigan headquarters recorded an outgoing voicemail message stating that the building was experiencing an emergency.
"Anyone with Microsoft Outlook on their personal phones had their devices wiped." — Unnamed Stryker employee, quoted by the Irish Examiner
By Thursday, March 13, Stryker had issued a public update stating the incident was contained to its internal Microsoft environment, that its products — including Mako surgical robots, Vocera communication systems, and the LIFEPAK35 defibrillator — remained safe to use, and that previously downloaded procedure plans for the Mako robotic surgery system could still be accessed locally. The company confirmed it was collaborating with law enforcement and government agency partners. By March 15, Stryker reported that the restoration process was "progressing steadily."
Maryland's Institute for Emergency Medical Services Systems reported on March 11 that Stryker's LIFENET electrocardiogram transmission system — used by EMS providers to transmit patient cardiac data to hospitals ahead of arrival — was non-functional in many parts of the state. Some EMS providers temporarily paused its use as a precaution. Stryker later clarified to CNN that LIFENET remained fully functional and was not directly disrupted by the cyberattack, attributing the interruption to precautionary decisions made by individual providers.
The 2024 Prior Breach: A Possible Foothold
The March 2026 attack does not exist in isolation. Stryker disclosed in December 2024 that its systems had been subject to unauthorized access between May 14 and June 10, 2024 — a period of nearly a month during which an unknown party exfiltrated data including names, medical information, and dates of birth belonging to individuals associated with Stryker's healthcare customers, including patients and providers at hospitals. Stryker discovered the intrusion on June 10, 2024, completed its data review on September 25, 2024, and began notifying affected individuals in late October and early November 2024 after receiving permission from impacted healthcare customers.
The six-month gap between breach discovery and public notification drew scrutiny, and the question of whether persistent access established in that 2024 intrusion contributed to the March 2026 attack remains under active investigation. Multiple security researchers have noted that the timeline is consistent with how Void Manticore has operated in other campaigns: establishing initial access through a long-dwell operation and waiting for a geopolitically significant moment to execute the destructive phase. Whether the 2024 breach and the March 2026 wiper attack share an access chain is unconfirmed, but the pattern is documented and the question is being investigated by authorities.
The NHS Impact: When Supply Chains Become Casualties
The attack crossed the Atlantic with immediate effect. NHS Supply Chain, the organization responsible for procuring and delivering goods and services to NHS trusts and health boards across England, published an Integrated Care Notice confirming that the Stryker cyberattack had triggered a supply disruption requiring active management.
Seven Stryker product lines were placed under Control Demand Management, a formal NHS Supply Chain process activated when supply is severely restricted and allocation decisions must be centrally controlled. The affected products included four defibrillator electrode products — specifically LIFEPAK-compatible pacing and defibrillation electrodes for adult and pediatric use — along with three oral swab products used for infection diagnosis and sample collection. Hospitals wishing to order these items were directed to submit an escalation form to NHS Supply Chain's Customer Services Team.
NHS Supply Chain confirmed it had activated an incident team and was working in coordination with NHS England, the Department of Health and Social Care, and the National Supply Disruption Response team. The British Orthopaedic Association (BOA) issued its own statement advising that trauma and elective orthopaedic procedures could continue as planned, that Stryker representatives were introducing temporary alternative ordering systems to facilitate access to existing NHS stock, and that identifiable patient information stored in Mako robotic surgery systems had not been compromised.
NHS England issued a formal letter to the NHS system on March 18, 2026, and launched a systemwide data collection exercise through the Strategic Data Collection System (SDCS), requiring all acute, community, mental health, and ambulance trusts to report their current stock positions and dependency on Stryker products. Nil returns were required even from trusts unaffected by the disruption. NHS Supply Chain also jointly developed an interim ordering solution with Stryker and DHL — whose logistics systems were unaffected by the cyberattack — enabling orders to be placed through the NHS Supply Chain eDirect platform even for products that trusts would normally order directly from Stryker.
The oral swab products affected by Control Demand Management were used across healthcare settings beyond acute hospitals, extending to dental practices and community providers. NHS Supply Chain advised organizations in those settings to begin planning to reduce reliance on Stryker products for the coming weeks and to order essential items only.
"Critical suppliers to the NHS are collateral damage as a part of modern warfare." — Dr. Saif Abed, Founding Partner and Director, The AbedGraham Group (via Digital Health)
Dr. Abed's framing captures something important about this incident's significance. Stryker was not targeted because of anything the NHS did or any vulnerability the NHS created. The NHS became a downstream casualty of an attack motivated by geopolitical grievance and executed against a US corporation. The supply of cardiac emergency equipment to UK hospitals was disrupted not by a direct attack on the NHS, but because a single supplier's ordering infrastructure was destroyed.
That dynamic — a geopolitical conflict producing supply chain consequences for healthcare systems in uninvolved countries — is what distinguishes this incident from a conventional data breach or ransomware attack. It is closer in character to a kinetic supply chain interdiction than to a typical cybercrime event.
The US Government Response: FBI Domain Seizures and DOJ Attribution
On March 19–20, 2026, the FBI and Department of Justice seized four internet domains linked to the Handala Hack Team: handala-hack.to, justicehomeland.org, karmabelow80.org, and handala-redwanted.to. The seizure was executed under a court-authorized warrant issued by the US District Court for the District of Maryland. FBI Director Kash Patel announced the action publicly.
"Iran thought they could hide behind fake websites and keyboard threats to terrorize Americans and silence dissidents. This FBI will hunt down every actor behind these cowardly death threats and cyberattacks." — FBI Director Kash Patel
The DOJ stated that the seized infrastructure was used for a coordinated campaign of destructive cyberattacks, hack-and-leak operations, psychological operations using stolen data, and threats against dissidents, journalists, and Israeli-linked individuals — including, according to the FBI affidavit, an offer of a $250,000 bounty to a Mexican cartel for violence against two named individuals. The DOJ formally accused MOIS of operating the Handala group, connecting all three personas — Handala, Karma, and Homeland Justice — to a single ongoing conspiracy. The FBI affidavit disclosed that a recent Handala cyberattack had disrupted hospital systems in Maryland, with healthcare providers proactively suspending connections to tools used to analyze patient data and vital signs, and that at least one employee's computer was wiped during active clinical use. The affidavit redacted the company name, but Handala had publicly claimed the Stryker attack.
The domain seizures had limited operational impact on the group. Handala restored its online presence within approximately 24 hours, migrating to new infrastructure and posting a defiant statement on its Telegram channel — by that point on its 41st iteration after 40 prior suspensions. That rapid reconstitution reflects the structural resilience of groups that operate with disposable web infrastructure and Telegram-based distribution networks rather than centralized websites. A domain seizure removes a content surface. It does not remove the audience, the tooling, or the communications chain.
The March 20 seizure also established documented linkage between the three Void Manticore personas and a common conspiracy, which carries forward-looking significance for attribution and enforcement. The DOJ's tying of Homeland Justice, Karma, and Handala to a single operational framework — confirmed by shared infrastructure, overlapping TTPs, and code-level wiper similarities — means that future destructive operations conducted under any of those brands can be attributed to the same underlying state actor with the same level of legal confidence.
What This Means for Healthcare Cybersecurity
Several threads from the Stryker incident deserve attention from security practitioners and healthcare organizations.
Endpoint management platforms as attack surfaces
If the Intune-based wipe hypothesis holds, it identifies a category of risk that organizations have underweighted. Unified endpoint management platforms are, by design, privileged systems capable of touching every enrolled device in an environment. Their administrative consoles are high-value targets. An attacker with Intune admin access does not need to deploy malware, move laterally through a network, or exploit individual system vulnerabilities. The legitimate tooling does the destruction. Forrester analysts noted in their post-incident commentary that the Stryker attack exposed a critical blind spot: the outsized impact of compromised endpoint management platforms in enterprise resilience strategies.
Bring-your-own-device policies and personal device exposure
CEPA fellow Emily Otto, a former Cyber Operations Officer with the US Cyber National Mission Force, highlighted in analysis published after the incident that the attack appears to have spread through personal devices enrolled in Stryker's corporate environment. Employees who connected personal smartphones or laptops to corporate infrastructure through Intune or similar device management tools lost personal data when those devices were wiped alongside corporate equipment. This is not a new risk — but it is one that many organizations have not fully addressed in their incident response planning or their BYOD policy communications.
"Companies and organizations must wake up to the dangers. They should take measures to block destructive malware not only from their corporate systems but also to prevent the attacker reaching into their employees' personal devices." — Emily Otto, Fellow, Center for European Policy Analysis
Iran's cyber capability remains operational
Email security firm Proofpoint noted in the days after the Stryker attack that known Iranian threat groups had been relatively quiet since the US-Israel military campaign against Iran began in late February 2026, having conducted only one tracked campaign — an attempted intrusion against a US think tank employee — in that period. The Stryker attack demonstrated that despite the intensity of the military conflict and the pressure Iranian government infrastructure was under, threat actors aligned with MOIS retained the capability and the organizational coherence to plan and execute a large-scale destructive operation against a major Western target.
Alex Rose, global head of government partnerships at Sophos, put the point plainly in comments to CNN: cyber operations require minimal infrastructure. A group that has lost physical facilities and communications infrastructure can still conduct wiper attacks from a laptop and an internet connection.
"Cyber operations don't require much infrastructure. A laptop and an internet connection can be enough to reach out and wreak havoc." — Alex Rose, Global Head of Government Partnerships, Sophos (via CNN)
Healthcare supply chains lack resilience to single-supplier disruptions
One healthcare professional at a major US university medical system told KrebsOnSecurity they were unable to order surgical supplies during the disruption. Their comment — that nearly every US hospital performing surgery relies on Stryker products — illustrates the concentration risk embedded in healthcare supply chains. The NHS Supply Chain response, activating Control Demand Management for defibrillator electrodes within days of the attack, confirms that even a temporary disruption to a single supplier can produce real-world constraints on life-critical equipment availability.
John Riggi, national advisor for the American Hospital Association, confirmed the AHA was actively exchanging information with hospitals and the federal government to assess the impact on hospital operations. Joshua Corman, a cybersecurity expert with long-standing focus on health sector security, described the broader pattern to CNN: too much of cybersecurity attention remains focused on financially motivated adversaries and lower-consequence breaches, while exposure to nation-state actors capable of disruption and destruction continues to grow.
"Too much of cybersecurity is focused on lower consequence breaches from financially motivated enemies, while we're increasing our exposures to nation states and other enemies who seek to disrupt and destroy." — Joshua Corman, cybersecurity expert (via CNN)
Key Takeaways
- Wiper attacks don't need malware: The Stryker incident illustrates how attackers can achieve mass destructive effect by abusing legitimate endpoint management platforms like Microsoft Intune, leaving no malware signature and bypassing conventional detection approaches.
- BYOD policies create device exposure that extends beyond corporate data: Employees who enroll personal devices in corporate management systems may lose personal data when those systems are targeted. Organizations should communicate this risk clearly and evaluate whether personal device enrollment is operationally necessary.
- Supply chain disruptions cross borders without deliberate targeting: The NHS was not attacked. It was affected because it depends on a supplier that was. Healthcare organizations in the UK and elsewhere need contingency plans for scenarios where key suppliers face operational disruptions of any kind, including cyberattacks.
- Iran-aligned threat actors retain capability under military pressure: The Stryker attack is one of the first significant Iran-linked cyber operations against US infrastructure since the military campaign began. It signals that the threat environment will not diminish as geopolitical tensions persist.
- Concentration risk in medical supply chains is a patient safety issue: When a single supplier provides products used in nearly every hospital performing surgery in the US, a single cyberattack against that supplier becomes a systemic risk. Procurement strategy and supplier diversity are cybersecurity concerns, not just commercial ones.
- Domain seizures disrupt but do not defeat resilient threat actors: The FBI's seizure of four Handala domains within nine days of the Stryker attack — and Handala's restoration within 24 hours — illustrates the limits of infrastructure-focused enforcement against actors that operate on Telegram, use disposable hosting, and treat individual domains as interchangeable surfaces rather than critical nodes.
The Stryker attack will be studied as a case study in how nation-state-aligned threat actors adapt their operations for maximum disruption, how living-off-the-land techniques weaponize organizational infrastructure against itself, and how cyberattacks initiated for geopolitical reasons produce cascading consequences for healthcare systems that had nothing to do with the conflict that motivated them. The US government's attribution of Handala to MOIS — now confirmed in federal court filings — closes a gap that existed in public discourse for over two years, and it raises the legal and diplomatic stakes for future Iranian cyber operations against US targets. For organizations operating in or supplying to critical healthcare infrastructure, the lesson is direct: third-party risk is your risk, supply chain resilience planning cannot wait for the next incident, and endpoint management platforms require the same privileged-access controls as any other critical administrative system.
Sources: KrebsOnSecurity • SecurityWeek • TechCrunch • TechCrunch — FBI seizure • CNN • MedTech Dive • Digital Health • NHS Supply Chain • NHS England • British Orthopaedic Association • CEPA • Industrial Cyber • Check Point Research • Axios • Cybersecurity Dive
Frequently Asked Questions
Who is responsible for the Stryker cyberattack in March 2026?
The Iran-linked group Handala claimed responsibility. Handala is assessed by Palo Alto Networks, Check Point Research, and the US Department of Justice to be a public-facing persona of Void Manticore, a threat actor operating under the direction of Iran's Ministry of Intelligence and Security (MOIS). The FBI confirmed Handala's responsibility in court filings supporting the March 19, 2026 seizure of four Handala-linked domains.
How did Handala wipe 200,000 Stryker devices without deploying malware?
Investigators and sources cited by KrebsOnSecurity and SecurityWeek indicate the attackers gained administrative access to Stryker's Microsoft Intune environment — a cloud-based unified endpoint management platform. Using Intune's native remote wipe capability, they issued a simultaneous wipe command to all enrolled devices across the global fleet. Because this method uses a legitimate system function rather than custom malicious code, it leaves no malware signature and bypasses conventional endpoint detection.
How did the Stryker cyberattack affect the NHS?
NHS Supply Chain activated Control Demand Management for seven Stryker product lines — four defibrillator electrode products compatible with the LIFEPAK system and three oral swab products — restricting standard ordering and requiring hospitals to submit escalation forms. NHS England conducted a systemwide data collection exercise across all acute, community, mental health, and ambulance trusts to assess stock positions and dependency on Stryker products.
Why did Handala target Stryker Corporation?
Handala's Telegram statement cited two justifications: retaliation for a US missile strike on a school in Minab, southern Iran, and Stryker's business ties to Israel, including its 2019 acquisition of Israeli medical technology company OrthoSpace and its $450 million Department of Defense supply contract. Handala described Stryker as a "Zionist-rooted corporation" in its public manifesto.
What action did the US government take against Handala after the Stryker attack?
On March 19–20, 2026, the FBI and Department of Justice seized four domains linked to Handala, including handala-hack.to and justicehomeland.org. The DOJ formally accused MOIS of operating the Handala group and cited the Stryker attack, threats against dissidents, and cyberattacks on Maryland hospital systems as grounds for the seizure. Handala restored its online presence within roughly 24 hours on new infrastructure.
Did the Stryker cyberattack affect patient safety?
Stryker confirmed that all medical products, including the Mako surgical robot, Vocera systems, and LIFEPAK defibrillators, remained safe to use. However, some patient-specific surgical cases were rescheduled due to shipping delays. The FBI's court filings confirmed that hospital systems in Maryland were disrupted, with providers proactively suspending connections to Stryker tools used to analyze patient data and vital signs, and that at least one employee's computer was wiped during active clinical use.