In March 2026, cybersecurity teams around the world began tracking reports of a destructive cyber incident impacting Stryker Corporation, a global medical technology company. The attack was attributed to the Iran-linked hacktivist group Handala. Early reports suggested that nearly 200,000 managed devices across 79 countries were affected after attackers abused legitimate enterprise management tools to execute a large-scale device wipe.

What makes this attack particularly significant is not only the scale of disruption, but the technique used. Instead of spreading traditional destructive malware across the network, the attackers leveraged legitimate enterprise administration tools to trigger device wipe commands. Because those commands arrived through the trusted management channel rather than as malicious code running on the endpoint, this approach bypassed many traditional endpoint protections.

Attack Overview

Employees across the United States, Ireland, Australia, and Costa Rica began reporting unusual behavior on managed corporate laptops and mobile devices. In several cases, users briefly saw the Handala logo on login screens before their systems were rendered unusable.

The attackers combined custom destructive tooling with abuse of Microsoft Intune, a widely used cloud-based endpoint management platform. Because Intune is designed to remotely manage and control enterprise devices, attackers who gain administrative access can execute commands such as remote device wipes at scale.

Figure 1: Attack flow illustration — from phishing to large-scale device wipe via Intune abuse.

How the Attackers Gained Access

Security analysis indicates the attack followed a structured multi-stage intrusion pattern commonly used by advanced threat actors:

  1. Initial Access via Phishing — The attack likely began with carefully crafted phishing emails disguised as communications from trusted organizations. These emails contained links or attachments designed to capture user credentials.
  2. Session Hijacking and MFA Bypass — After stealing credentials, attackers used adversary-in-the-middle techniques to intercept authentication sessions. By capturing session tokens, they were able to bypass traditional MFA protections and access cloud services as authenticated users.
  3. Valid Account Abuse — Once authenticated, attackers leveraged legitimate accounts to move laterally through the environment until they reached high-privilege administrative roles with access to device management infrastructure.
  4. Preparation and Execution — Threat actors often remain inside networks for extended periods while studying infrastructure and establishing persistence. When the destructive phase began, they used administrative capabilities within Intune to issue large-scale wipe commands.

Security Measures Organizations Should Implement

  • Strengthen Privileged Access Controls — Administrative accounts should be tightly controlled using conditional access policies, just-in-time privileges, and phishing-resistant authentication such as FIDO2 security keys.
  • Protect Device Management Platforms — Endpoint management systems should be treated as critical infrastructure. Enable detailed audit logging for device wipe commands, require approvals for bulk administrative actions, and restrict admin access to trusted networks or managed devices.
  • Harden Identity Security — Organizations should disable legacy authentication protocols, deploy phishing-resistant MFA mechanisms, and monitor authentication logs for unusual sign-in behavior such as impossible travel or abnormal session activity.
  • Improve Email Security — Implement strong anti-phishing protections, enforce DMARC, SPF, and DKIM policies, and conduct regular phishing awareness training for employees.
  • Maintain Reliable Backups — A resilient backup strategy is critical for recovery from destructive attacks. Organizations should follow the 3-2-1 rule and maintain immutable or offline backups that cannot be modified by attackers.
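Two of the controls above, auditing device wipe commands and watching sign-in logs for impossible travel, can be turned into concrete detection logic. The following is an added example written for this article; it is not code from Stryker, Microsoft or the article's author. The records it processes are constructed, and their field names (`time`, `activityType`, `actor`, `lat`/`lon`) are a simplified assumption loosely modelled on Intune audit events and Entra ID sign-in logs, not the exact schema either service exports. The thresholds (five wipes in ten minutes, 900 km/h) are likewise assumptions to be tuned per environment.

```python
"""Detect bulk device-wipe commands and impossible-travel sign-ins.

Added example for this article, not code from Stryker, Microsoft or the
article's author. The records below are constructed; their shape is a
simplified assumption, not the real Graph / Entra export schema.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

WIPE_THRESHOLD = 5              # this many wipes by one actor ...
WIPE_WINDOW_SECONDS = 600       # ... inside 10 minutes is treated as bulk
MAX_PLAUSIBLE_SPEED_KMH = 900   # faster than airline travel between sign-ins

ADMIN = "svc-intune-admin@example.test"   # constructed account names
HELPDESK = "helpdesk@example.test"

# Constructed Intune-style audit events (not real data). One routine wipe by
# the helpdesk, then a burst of six wipes by a single admin account.
AUDIT_EVENTS = [
    {"time": "2026-03-09T15:12:44Z", "activityType": "wipe ManagedDevice", "actor": HELPDESK, "device": "LAPTOP-0042"},
    {"time": "2026-03-10T01:55:00Z", "activityType": "retire ManagedDevice", "actor": ADMIN, "device": "LAPTOP-0100"},
    {"time": "2026-03-10T02:00:05Z", "activityType": "wipe ManagedDevice", "actor": ADMIN, "device": "LAPTOP-0101"},
    {"time": "2026-03-10T02:00:09Z", "activityType": "wipe ManagedDevice", "actor": ADMIN, "device": "LAPTOP-0102"},
    {"time": "2026-03-10T02:00:14Z", "activityType": "wipe ManagedDevice", "actor": ADMIN, "device": "LAPTOP-0103"},
    {"time": "2026-03-10T02:00:20Z", "activityType": "wipe ManagedDevice", "actor": ADMIN, "device": "LAPTOP-0104"},
    {"time": "2026-03-10T02:00:27Z", "activityType": "wipe ManagedDevice", "actor": ADMIN, "device": "LAPTOP-0105"},
    {"time": "2026-03-10T02:00:33Z", "activityType": "wipe ManagedDevice", "actor": ADMIN, "device": "LAPTOP-0106"},
]

# Constructed sign-in records with an approximate geolocation per source IP
# (documentation IP ranges). The admin account signs in from two continents
# fifteen minutes apart, shortly before the wipe burst.
SIGNINS = [
    {"time": "2026-03-09T08:00:00Z", "user": HELPDESK, "ip": "198.51.100.10", "lat": 42.29, "lon": -85.59},
    {"time": "2026-03-09T12:00:00Z", "user": HELPDESK, "ip": "198.51.100.10", "lat": 42.30, "lon": -85.60},
    {"time": "2026-03-10T01:30:00Z", "user": ADMIN, "ip": "198.51.100.22", "lat": 42.29, "lon": -85.59},
    {"time": "2026-03-10T01:45:00Z", "user": ADMIN, "ip": "203.0.113.7", "lat": 52.37, "lon": 4.90},
]


def parse_ts(value):
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_wipes(events, threshold=WIPE_THRESHOLD, window_seconds=WIPE_WINDOW_SECONDS):
    """Return (actor, count, first, last) for every actor who issued at least
    `threshold` wipe commands inside any `window_seconds` span (sliding window)."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["activityType"].lower().startswith("wipe"):
            per_actor[ev["actor"]].append(parse_ts(ev["time"]))
    alerts = []
    for actor, times in per_actor.items():
        times.sort()
        start, best = 0, None
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], times[end])
        if best:
            alerts.append((actor, best[0], best[1].isoformat(), best[2].isoformat()))
    return alerts


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_impossible_travel(signins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Flag consecutive sign-ins by one user that would require travelling
    faster than `max_speed_kmh`. Returns (user, ip_from, ip_to, km, km/h)."""
    per_user = defaultdict(list)
    for s in signins:
        per_user[s["user"]].append((parse_ts(s["time"]), s["lat"], s["lon"], s["ip"]))
    alerts = []
    for user, rows in per_user.items():
        rows.sort()
        for (t1, la1, lo1, ip1), (t2, la2, lo2, ip2) in zip(rows, rows[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")   # same-second sign-ins far apart are still flagged
            if km > 0 and speed > max_speed_kmh:
                alerts.append((user, ip1, ip2, round(km), round(speed)))
    return alerts


def correlate(bulk_alerts, travel_alerts):
    """Raise severity when a bulk-wipe actor also has an impossible-travel sign-in."""
    suspicious_users = {a[0] for a in travel_alerts}
    return [(actor, "high" if actor in suspicious_users else "medium", count)
            for actor, count, _, _ in bulk_alerts]


if __name__ == "__main__":
    bulk = detect_bulk_wipes(AUDIT_EVENTS)
    travel = detect_impossible_travel(SIGNINS)
    for finding in correlate(bulk, travel):
        print("bulk wipe by %s (%d devices), severity %s" % (finding[0], finding[2], finding[1]))
    for user, ip_from, ip_to, km, kmh in travel:
        print("impossible travel for %s: %s -> %s, %d km at %d km/h" % (user, ip_from, ip_to, km, kmh))
```

The sliding window is what distinguishes a helpdesk technician retiring a lost laptop from an account issuing wipes in bulk; the impossible-travel check then tells the responder whether the account behind the burst also shows signs of a hijacked session, which is the scenario the article describes. In production the two inputs would be fed from the platform's audit log export and the identity provider's sign-in log rather than from constructed records.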

Key Takeaways

The Stryker incident highlights a major shift in modern cyberattacks. Instead of relying solely on malware, threat actors increasingly weaponize legitimate administrative tools to execute destructive actions.

This means organizations must move beyond traditional perimeter security and adopt an assume-breach mindset. Identity protection, administrative activity monitoring, and incident response readiness are now essential components of enterprise security.

For security teams, the lesson is clear: protecting privileged access and monitoring administrative actions within cloud management platforms is just as critical as detecting malware.