
Stryker Cyberattack: Hackers Wipe 200,000 Devices Worldwide

At 3:30 AM on March 11, 2026, the global IT infrastructure of Stryker Corporation suddenly went dark. Employees across 61 countries woke up to wiped laptops and factory-reset phones — including personal iPhones and Android devices. Login screens showed one thing: the logo of a hacker group called Handala. One employee described it on Reddit: "The entire company is at a complete stop." Another wrote: "Woke up to wiped computer and phone, low key thought they finally fired me."

This wasn’t ransomware. There was no demand and no negotiation. 56,000 employees across 61 countries at the world’s third-largest medical device manufacturer were suddenly unable to work. The goal was destruction, and it worked.

Stryker Cyberattack — Key Facts and Impact
  • Date: March 11, 2026 — approximately 3:30 AM EDT
  • Target: Stryker Corporation — Fortune 500 medical device manufacturer, $25B+ revenue, 56,000 employees
  • Attack type: Destructive wiper — NOT ransomware, no payment demand
  • Attack vector: Microsoft Intune device management platform weaponised to trigger a mass remote wipe
  • Devices wiped: 200,000+ claimed (servers, laptops, personal mobile phones)
  • Countries impacted: 61–79 (all Stryker global offices)
  • Data stolen: 50 TB claimed (unverified)
  • Hardest hit: Cork, Ireland — Stryker's largest facility outside the US, 4,000–5,500 employees
  • Stock impact: Shares of Stryker (NYSE: SYK) fell roughly 4% within hours of the attack becoming public
  • Claiming group: Handala — Iran-linked, active since December 2023
  • Stated motive: Retaliation for the bombing of the Minab girls school in Iran, March 3, 2026

Who Is Handala — And Why They Targeted Stryker

Handala is not a typical criminal group seeking financial gain. It is a state-linked hacking operation connected to Iran's intelligence services, active since December 2023 — weeks after the Hamas-Israel war began.

The name originates from a well-known Palestinian political cartoon: a small, defiant child with his back turned to the viewer. Every attack the group launches is framed not as cybercrime, but as political resistance.

Before hitting Stryker, Handala had already claimed attacks on Israeli radar systems, telecom providers, energy companies, and healthcare organisations. In July 2025, the group leaked personal documents and home addresses of journalists and activists. This is not a hobby operation. Security researchers describe it as a serious, state-backed group with real resources and strategic direction.

Handala's pattern is consistent: steal data first, destroy systems second, then use leaked information for maximum public impact. Stryker was no different.

Why Stryker specifically? Two reasons. First, Stryker holds contracts with the US Department of Defense. Second, in 2019 the company acquired an Israeli medical technology firm. To Handala, those two facts made Stryker a target linked to US-Israeli military interests.

The stated trigger was the bombing of an all-girls school in the Iranian city of Minab on March 3, 2026 — a US-Israeli strike that killed more than 175 people, most of them children. Handala framed the Stryker attack as direct retaliation.

The broader context matters. On February 28, 2026, the US and Israel launched joint military strikes on Iran. Within hours, Handala's activity surged and the group published a hit list of Western companies. The Stryker attack — 11 days later — is the first confirmed major destructive cyberattack against a US corporation in this conflict. Healthcare, banking, and energy have been named as next.

One warning sign was missed beforehand: Handala's public communications had gone quiet since January 2026. In this group's history, silence means preparation.

How They Did It — Without Any Malware

This is where the attack gets technically significant — and deeply uncomfortable for the security industry.

Large organizations use centralized software platforms to manage employee devices at scale. IT teams can push software, enforce settings, and — if a laptop is lost or stolen — erase it remotely with a single command. Stryker used Microsoft’s enterprise device management platform, Intune, for this purpose.

What Handala did was steal the login credentials of someone with administrator access to that platform. Once inside, they didn't plant any malware. They didn't hack individual devices. They simply selected every device in the company and issued the same "erase everything" command that IT would use for a lost laptop — except they ran it on all 200,000 devices at once.

From Microsoft's perspective, a legitimate admin account issued a legitimate command. No security alarm fired. Every security tool Stryker had was looking for suspicious software on devices — but the attack came from above, through the management layer those tools never see.

It gets worse. Many Stryker employees had their personal phones connected to the company system — so they could check work email or use Teams. Those personal phones were wiped too. Personal photos gone. Contacts gone. In some cases, employees were locked out of the apps they use for their own bank accounts. The attack didn't stop at company property. It reached into people's personal lives.

Stryker's official statement noted they found "no indication of ransomware or malware." That's technically accurate — and that's exactly what makes this attack different.

The Operational Impact

Stryker's Cork, Ireland facility — its largest outside the United States, with up to 5,500 employees — was described internally as completely incapacitated. Staff stood on factory floors with no access to any systems. Manufacturing, quality control, supply chain software: all offline.

Calls to Stryker's Michigan headquarters were met with a recorded message saying the company was dealing with "a building emergency."

Stryker makes surgical drills, joint implants, hospital beds, and robotic surgery platforms used in operating rooms worldwide. When a company like that goes dark, the knock-on effects extend into hospitals waiting on deliveries. Stryker’s stock price dropped roughly 4% before trading closed that day.

Why Wiper Attacks Instead of Ransomware

Ransomware typically encrypts data and demands payment for the decryption key, creating a negotiation and potential recovery path. Wiper attacks offer no such recovery path. Data is destroyed, not locked. No key exists. The goal is damage and a public message. Iran used this same approach against Saudi Aramco in 2012. Russia used it against Ukraine in 2022. These are not crimes of opportunity — they are deliberate acts of digital warfare, and wiping personal employee phones is part of that deliberateness. The message is personal: working for the wrong company has real consequences.

MITRE ATT&CK Mapping

Tactic               | Technique ID | Technique Name                   | How It Applies
Initial Access       | T1566        | Phishing                         | Likely credential theft via phishing to obtain admin login (method unconfirmed)
Initial Access       | T1199        | Trusted Relationship             | Possible compromise via IT service provider — consistent with Handala's known methods
Credential Access    | T1078        | Valid Accounts                   | Attackers used legitimate admin credentials — no malware required for access
Privilege Escalation | T1078.004    | Valid Accounts: Cloud Accounts   | Cloud admin role exploited via compromised login credentials
Collection           | T1005        | Data from Local System           | 50 TB of data claimed stolen before the destructive phase began
Exfiltration         | T1567        | Exfiltration Over Web Service    | Void Manticore (Check Point's name for Handala) has used Telegram as a data exfiltration destination in prior operations
Execution            | T1072        | Software Deployment Tools        | Microsoft Intune weaponised to deliver mass remote wipe — legitimate tool turned against its owner
Impact               | T1485        | Data Destruction                 | 200,000+ devices wiped across 61 countries — no recovery mechanism
Impact               | T1561        | Disk Wipe                        | Factory reset issued to all enrolled Windows, iOS, and Android devices simultaneously
Defense Evasion      | T1491        | Defacement                       | Handala logo placed on all login screens — psychological operation alongside the technical attack

Indicators of Compromise (IOCs)

Specific IOCs for the Stryker attack remain under active investigation. The following behavioral indicators are based on Handala's documented attack methods and the Stryker attack pattern:

# Handala / Void Manticore — Behavioral Indicators

# Admin account compromise indicators
Alert: Cloud admin account accessed from unrecognised location or IP
  outside business hours or without prior MFA challenge
Alert: New admin account created or admin role assigned
  outside approved change management process
Alert: MFA bypass event on any privileged account

# Device management weaponisation — highest priority
Alert: Bulk remote wipe command issued to more than 3-5 devices
  in a short window (ANY unscheduled bulk wipe = immediate investigation)
Alert: Device management policy change affecting all enrolled devices simultaneously
Alert: Device compliance policy disabled or scope changed to all devices

# Pre-wipe data theft indicators
Alert: Large-volume outbound data transfer exceeding normal baseline
  especially from file storage or email platforms
Alert: Outbound connections to Telegram API endpoints (api.telegram.org)
  from servers or admin workstations — documented Handala exfiltration method
Alert: Bulk download of user or device inventory from admin consoles

# Initial access indicators consistent with Handala TTPs
Alert: Authentication attempts against admin accounts from Starlink IP ranges
  (Check Point observed Handala using Starlink to probe external-facing apps)
Alert: Probing of internet-facing admin portals and VPN gateways
Alert: Credential stuffing activity against Microsoft 365 admin accounts

# Post-compromise indicators
Alert: Service account with device management permissions accessing admin console
  outside normal workflow or outside business hours
Alert: Changes to security policies removing device compliance requirements
  for administrative access

SOC Alert Priorities

Alert Priority 1 — Protect cloud admin accounts above everything else: The entire Stryker attack succeeded through one stolen admin password. No malware. No hack of individual devices. Just a login. All admin accounts for cloud management platforms must have the strongest available login protection — hardware security keys, not just SMS codes. If only one thing changes after reading this post, it should be this.

Alert Priority 2 — Alert on bulk device wipe commands immediately: By default, Microsoft Intune does not raise an alarm when a mass wipe command is issued. This gap needs to be closed manually. Set up an alert that fires the moment a wipe is issued to more than a handful of devices at once. Any legitimate bulk IT action is planned and scheduled in advance — an unplanned bulk wipe in the middle of the night is an emergency, not a morning notification.
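The bulk-wipe rule from the indicator list above and from Priority 2, as an added example that is not code from the original post, from Stryker, Microsoft or ZyberWalls: a rolling-window detector over MDM audit records that alerts per actor once wipe commands exceed a threshold, and flags the off-hours case. The sample records are constructed, and their field names (activityDateTime, activityType, actor, resource) are an assumption modelled on Intune audit exports; verify them against your own tenant's audit data before deploying.

```python
"""Bulk remote-wipe detector for MDM audit events (added example, not Stryker/ZyberWalls code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names mimic an Intune audit export (activityDateTime,
# activityType, actor, resource) but are an assumption: check them against your tenant.
SAMPLE_EVENTS = [
    {"activityDateTime": "2026-03-10T14:05:00Z", "activityType": "wipeManagedDevice ManagedDevice",
     "actor": "helpdesk@corp.example", "resource": "LAPTOP-LOST-0117"},   # one lost laptop, daytime
    {"activityDateTime": "2026-03-11T07:30:00Z", "activityType": "wipeManagedDevice ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "resource": "WS-0001"},
    {"activityDateTime": "2026-03-11T07:30:02Z", "activityType": "wipeManagedDevice ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "resource": "WS-0002"},
    {"activityDateTime": "2026-03-11T07:30:03Z", "activityType": "wipeManagedDevice ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "resource": "IPHONE-0442"},
    {"activityDateTime": "2026-03-11T07:30:05Z", "activityType": "wipeManagedDevice ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "resource": "WS-0003"},
    {"activityDateTime": "2026-03-11T07:30:09Z", "activityType": "syncDevice ManagedDevice",
     "actor": "svc-intune-admin@corp.example", "resource": "WS-0004"},     # not destructive, ignored
]

# Actions treated as destructive. "retire" also strips corporate data, so it is included (assumption).
WIPE_PREFIXES = ("wipe", "retire")

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

def detect_bulk_wipes(events, threshold=3, window=timedelta(minutes=10),
                      business_hours=(8, 18), utc_offset_hours=-4):
    """Return one alert per actor the first time their wipe count inside a rolling window
    exceeds `threshold` (the post's guidance: more than 3-5 devices in a short window).
    utc_offset_hours shifts UTC to the site's local time for the off-hours check (-4 = EDT)."""
    recent = defaultdict(deque)   # actor -> deque of (timestamp, device) within the window
    alerts, alerted = [], set()
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if not ev["activityType"].lower().startswith(WIPE_PREFIXES):
            continue
        ts = parse_ts(ev["activityDateTime"])
        q = recent[ev["actor"]]
        q.append((ts, ev["resource"]))
        while ts - q[0][0] > window:          # evict events older than the window
            q.popleft()
        if len(q) > threshold and ev["actor"] not in alerted:
            local_hour = (ts + timedelta(hours=utc_offset_hours)).hour
            alerts.append({"actor": ev["actor"], "count": len(q), "severity": "P1",
                           "devices": [r for _, r in q], "first": q[0][0].isoformat(),
                           "off_hours": not (business_hours[0] <= local_hour < business_hours[1])})
            alerted.add(ev["actor"])          # one alert per actor, not one per device
    return alerts

if __name__ == "__main__":
    for a in detect_bulk_wipes(SAMPLE_EVENTS):
        print(a)
```

Feeding the same logic a live audit feed is the gap the post says Intune does not close by default; the single lost-laptop wipe stays silent, while the four wipes at 03:30 local time by one account become one P1 alert.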

Alert Priority 3 — Watch for large data transfers before a destructive attack: Handala's pattern is to steal data first, then destroy. The theft phase is the window where detection is possible. Monitor for unusually large outbound data transfers from file storage and email systems, and for connections to Telegram from servers or admin computers — a documented Handala method for moving stolen data.

Alert Priority 4 — Review who has admin access to your management platforms: Handala is known to gain access through IT service providers and third-party vendors who have admin access to their clients' systems. Audit every external account with access to your cloud management consoles. If access can't be immediately justified, revoke it.

Alert Priority 5 — Understand your personal device risk: The Stryker attack wiped employees' personal phones because those phones were connected to the company's device management system. Review whether personal device enrollment is necessary for all roles. There are solutions that give employees access to work apps without giving the company the ability to wipe personal data — consider whether they're appropriate for your environment.

What Organisations Should Do Now

Within 24 hours: Review who has admin access to your device management and cloud identity platforms. Remove any accounts that don't need permanent admin access. Enforce the strongest available login protection on every remaining admin account. Create an alert for any bulk remote wipe activity. If a third-party IT provider has admin access to your systems, verify their access scope today.

Within one week: Set up time-limited admin access — administrators should only have elevated permissions when they specifically need them, not permanently. Ensure that admin console access requires a company-managed, secure device. Review security policies for any recent unauthorised changes. Check every third-party integration with admin-level access and restrict to minimum required permissions.

Ongoing: Treat cloud admin credentials as your most critical security asset — more important than any individual device or server. The attack surface has shifted. The most dangerous thing an attacker can hold is a valid admin login to your cloud management platform.

This attack is part of a pattern we've been tracking — attackers gaining access through legitimate credentials and using trusted tools against their owners. We covered the same dynamic last week:

CVE-2026-27944: Nginx UI Backup Exposure — How Valid Credentials Enable Silent Data Theft

And the preferred method of getting those credentials in the first place remains a phone call or an email:

No Malware. No Exploit. Just a Phone Call — The Ericsson Breach Explained

The ZyberWalls Perspective

Something important happened on March 11 beyond one company's systems going offline.

Handala wiped the devices of a $100 billion medical company using nothing but an admin password and a built-in management feature designed to protect lost laptops. No exotic hacking. No sophisticated malware. The weapon was a tool Stryker's own IT team used every day.

The security industry has spent years focused on protecting individual devices — antivirus software, behaviour monitoring, endpoint detection tools. The Stryker attack walked straight past all of it. Not because those tools failed. Because the attack happened at a level above them, through the platform that controls the devices, where those tools have no visibility.

This is the gap that the Stryker attack exposes. Protecting individual computers matters. But if an attacker can log into the system that manages all your computers and wipe them in a single command, the protection on each individual device is irrelevant.

The geopolitical context makes this urgent. Handala is not finished. Around 60 hacker groups are active in the current conflict, with healthcare, banking, and energy explicitly named as targets. The Stryker attack was a demonstration. The message to every Western company with perceived ties to US or Israeli interests: this can happen to you too.

One question is worth sitting with: if an attacker got hold of an admin login to your device management system right now, how quickly would your team know? And how quickly could everything be gone?

If that doesn't have a fast answer, today is the right time to change it.

Stay Alert. Stay Human. Stay Safe.
— ZyberWalls Research Team