Prepared by: Matt Veall, SOC Lead Victoria | Latest updates: 18 March 2026
In March 2026, Stryker Corporation, a global medical technology company headquartered in the United States, was hit by a large-scale destructive cyber-attack that resulted in the wiping of more than 200,000 devices across its global environment.
The attack was claimed by Handala, an Iran-linked hacktivist group associated with Void Manticore and assessed to have links to Iran’s Ministry of Intelligence and Security (MOIS).
Stryker operates across 61 countries, employs approximately 56,000 people, and reported annual revenue of around US$25 billion.
Handala is known for conducting hack-and-leak and destructive cyber operations, primarily targeting Israeli organisations, but has demonstrated a willingness to target other entities aligned with broader geopolitical objectives.
The group framed the attack as retaliation for a missile strike on an Iranian school in late February 2026, which reportedly resulted in significant casualties. Stryker was also described by the group as a “Zionist-rooted corporation”, likely referencing its acquisition of Israeli company OrthoSpace in 2019.
Heightened media attention surrounding geopolitical events increases the likelihood of opportunistic targeting, particularly phishing, credential theft attempts, website disruption, and ransomware-style intrusion activity. Our existing 24/7 MDR monitoring posture is designed to detect and alert on this type of activity as standard.
In response to the current escalation, our SOC has implemented several proactive measures aligned to the tactics, techniques, and procedures associated with Iranian-aligned threat groups.
The attack was first publicly reported in March 2026 and impacted Stryker’s global operations.
Significant disruption was reported in Ireland, where more than 5,000 employees at Stryker’s Cork facilities were sent home. The company’s US headquarters also declared a building emergency during the incident.
Healthcare providers across the United States reported being unable to order surgical supplies from Stryker, indicating a direct impact on hospital operations and patient care supply chains.
The attackers are assessed to have gained access to highly privileged administrative accounts, likely through a supply chain or trusted relationship compromise, although the exact initial access vector has not been publicly confirmed.
Rather than deploying traditional malware, the attackers abused Microsoft Intune, a legitimate Mobile Device Management (MDM) platform used by Stryker to manage its global device fleet.
Using this access, they issued remote wipe commands across enrolled devices, resulting in:
This approach is notable because it leverages native administrative functionality rather than malicious code, allowing the activity to bypass traditional endpoint detection and response controls.
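Because the wipe commands are legitimate management actions, detection has to come from the management platform's audit trail rather than from the endpoint. The following is an added example, not taken from the reporting or from any vendor tooling: it flags any single account that wipes many distinct devices within a short window. The record shape, account names, device names, window and threshold are all constructed assumptions and would need mapping to your own MDM audit export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed audit records in a simplified, hypothetical shape
    (time, actor, action, device); not the real Intune audit schema."""
    base = datetime(2026, 3, 1, 2, 0, 0)
    events = [
        # Routine helpdesk activity: two wipes, hours apart.
        {"time": base, "actor": "helpdesk@example.test", "action": "wipe", "device": "LT-0001"},
        {"time": base + timedelta(hours=5), "actor": "helpdesk@example.test", "action": "wipe", "device": "LT-0002"},
        # Non-wipe action that must be ignored.
        {"time": base + timedelta(hours=1), "actor": "admin@example.test", "action": "sync", "device": "LT-0100"},
    ]
    # Burst: one admin account wipes 12 distinct devices in under two minutes.
    for i in range(12):
        events.append({"time": base + timedelta(hours=3, seconds=10 * i),
                       "actor": "admin@example.test", "action": "wipe",
                       "device": f"LT-{200 + i:04d}"})
    return events

def detect_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor whose wipe actions reach `threshold`
    distinct devices inside any sliding `window`."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "wipe":
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        # Drop wipes that have aged out of the window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= threshold:
            prev = alerts.get(ev["actor"])
            alerts[ev["actor"]] = {
                "actor": ev["actor"],
                "first_seen": prev["first_seen"] if prev else q[0][0],
                "last_seen": ev["time"],
                "peak_devices": max(len(devices), prev["peak_devices"] if prev else 0),
            }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_wipe_bursts(sample_events()):
        print(alert)
```

Counting distinct devices rather than raw events keeps retries against one device from inflating the score; the threshold should sit above the largest legitimate batch your administrators perform.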
Reports also indicate that personal devices connected to corporate services, such as Microsoft Outlook, were impacted.
This incident highlights a growing shift towards the abuse of identity and management platforms as a primary attack vector.
By compromising administrative access to MDM infrastructure, attackers can:
The real-world consequences were immediate. Hospitals across the United States experienced supply chain disruption, demonstrating how cyber-attacks on corporate IT environments can directly affect critical services.
The incident also reinforces the risk associated with over-privileged accounts and insufficient segmentation of administrative access.
Organisations using MDM and cloud-based identity platforms should review controls across identity, access, and device management.
Key focus areas include:
This attack demonstrates that security controls must extend beyond endpoint protection to include the platforms used to manage and control those endpoints.
Disclaimer: This content is based on open-source reporting and assessed intelligence available as of March 2026. The situation is evolving and details may change. This document is for informational purposes only and does not constitute legal advice.