On March 11, employees at Stryker, one of the world’s largest medical device companies, started noticing something wrong with their computers.
Workers in the US, Australia, Ireland, and India were logging into their systems and finding the Handala logo on their screens instead of the usual login page.
Phones were dead. Laptops were blank. A message had gone out from Stryker’s IT department: do not turn on your devices, do not connect to any Stryker apps, disconnect from everything immediately.
By the time the dust settled, an Iranian-linked hacker group called Handala had wiped more than 200,000 servers, systems and employee devices across 79 countries, stolen 50 terabytes of data, and shut down one of the world’s most critical healthcare supply chains.
Manufacturing was down. Order processing was down. Shipping was down. Personal phones belonging to employees who had simply enrolled their devices in Stryker’s mobile management system had been reset to factory settings, taking every photo, contact, and file with them.
Stryker had a $450 million contract to supply medical devices to the US military. It employs 56,000 people in 61 countries. And it just became the most significant corporate victim of the Iran war’s cyber front.
How They Did It
The attack was not technically sophisticated. That’s the part worth understanding.
Handala didn’t break through Stryker’s firewalls with cutting-edge exploits.
Security researchers at Palo Alto Networks believe they got in the old-fashioned way, through phishing, or possibly through infostealer malware that had already collected login credentials from Stryker employees months or years earlier.
Once inside, they found something that turned a routine breach into a catastrophe: administrator access to Stryker’s Microsoft Intune dashboard.
Intune is a corporate device management tool. Companies use it to manage employee laptops and phones remotely.
One of its features, designed for situations where a device is lost or stolen, is the ability to remotely wipe any enrolled device back to factory settings.
Handala triggered that feature. For all 200,000 enrolled devices. Simultaneously. Offices in 79 countries went dark at once.
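A legitimate wipe and a mass wipe look identical at the level of a single command; the difference is rate and spread. The following script, an added example that is not part of the original article or any vendor tooling, shows the kind of detection a defender can run over device-management audit events: it flags any actor who issues wipe commands to more than a handful of distinct devices inside a short window. The event fields (activityType, actor, activityDateTime, resources) are modelled loosely on the Intune audit-event shape exposed through Microsoft Graph, but every event below is constructed for the example, and the 10-minute window and 5-device threshold are assumptions to tune for your own helpdesk volume.

```python
"""Flag bursts of remote-wipe commands in Intune-style audit events.

Added example, not from the article. Event shape is modelled on the
Graph auditEvent resource; all sample events are CONSTRUCTED, and the
window/threshold defaults are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Alert:
    actor: str            # account that issued the wipes
    window_start: datetime
    device_count: int     # distinct devices wiped inside the window


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def build_sample_events():
    """Constructed sample audit log: routine helpdesk wipes plus one burst."""
    base = datetime(2026, 3, 11, 8, 0, tzinfo=timezone.utc)

    def event(actor, device, when, activity="wipe ManagedDevice"):
        return {
            "activityType": activity,
            "activityDateTime": when.isoformat().replace("+00:00", "Z"),
            "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": device}],
        }

    events = []
    # Routine: a helpdesk operator wipes three lost devices over a working day.
    for hours, device in ((0, "LAPTOP-0017"), (3.5, "PHONE-0442"), (7.75, "LAPTOP-0203")):
        events.append(event("helpdesk@example.com", device, base + timedelta(hours=hours)))
    # Unrelated admin activity that must not be counted as a wipe.
    events.append(event("admin@example.com", "Policy-Baseline",
                        base + timedelta(hours=1), "patch DeviceConfiguration"))
    # Abnormal: one account wipes 40 devices in under two minutes.
    burst_start = base + timedelta(hours=1)
    for i in range(40):
        events.append(event("admin@example.com", f"DEVICE-{i:04d}",
                            burst_start + timedelta(seconds=3 * i)))
    return events


SAMPLE_EVENTS = build_sample_events()


def detect_mass_wipe(events, window=timedelta(minutes=10), max_devices=5):
    """Return one Alert per actor that wiped more than max_devices distinct
    devices within any sliding window of the given length."""
    by_actor = defaultdict(list)
    for ev in events:
        if "wipe" not in ev.get("activityType", "").lower():
            continue
        ts = parse_time(ev["activityDateTime"])
        actor = ev["actor"]["userPrincipalName"]
        for res in ev.get("resources", []):
            by_actor[actor].append((ts, res["displayName"]))

    alerts = []
    for actor, items in by_actor.items():
        items.sort(key=lambda pair: pair[0])
        for i, (start, _) in enumerate(items):
            # Distinct devices wiped from this event until the window closes.
            seen = {dev for ts, dev in items[i:] if ts - start <= window}
            if len(seen) > max_devices:
                alerts.append(Alert(actor, start, len(seen)))
                break   # one alert per actor is enough to page someone
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"MASS WIPE: {alert.actor} wiped {alert.device_count} devices "
              f"starting {alert.window_start.isoformat()}")
```

The threshold is deliberately per-actor rather than global so that a busy helpdesk does not trip it, while a single compromised console account that wipes far more devices than any one operator ever would does. Feeding real audit events in requires only that they carry the same four fields.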
Rafe Pilling, director of threat intelligence at Sophos, described it simply: “They seem to have obtained access to the Microsoft Intune management console. One of the features is the ability to remotely wipe a device if it’s lost or stolen. Looks like they triggered that for some or all of the enrolled devices.”
One cybersecurity researcher on LinkedIn was more blunt: “Handala really aren’t sophisticated and likely just used infostealer logs for the Stryker breach. Most of these credentials are months if not years old, which would have given Stryker more than enough time to reset and avoid a breach.”
That’s the most uncomfortable part. This wasn’t a nation-state operation deploying zero-day exploits. It was a group with old stolen passwords and a working knowledge of corporate IT tools. And it worked.
Why Stryker
Handala’s stated justification was retaliation for a US missile strike on a school in Minab, Iran, on February 28, the first day of the war, that killed at least 175 people, most of them children.
Stryker isn’t a defense contractor in the traditional sense. It makes surgical equipment, orthopedic implants, neurotechnology.
But it has operations in Israel, that $450 million DoD contract, and a 2019 acquisition of Israeli medical company OrthoSpace that Handala cited in their manifesto. NBC News called it the first significant Iranian cyberattack on a US company since the war began.
Healthcare, historically, has been treated as off-limits even in wartime. Not anymore.
And the fact that the attack disrupted Stryker’s ability to supply hospitals, not just its corporate IT, is not incidental. That’s the point.
Pressure on the medical system translates to pressure on the American public in a way that taking down a government website simply doesn’t.
The FBI Struck Back This Morning
Early Thursday, the FBI and the Department of Justice seized and took down two websites linked to Handala, replacing their contents with law enforcement seizure banners.
One was the site where Handala publicized its hacks. The other was a site the group used to dox Israeli military personnel and defense contractors.
The seizure notice said the domains “were used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor.” That language matters. It’s the US government formally linking Handala to the Iranian state on the record.
Handala’s X account had already been suspended earlier this week.
The group responded to the website seizures on Telegram, calling it “a desperate attempt to silence our voice” and claiming the action only confirms “the fear and anxiety our actions have instilled.” They said they would persist.
They probably will. Taking down a website doesn’t neutralize a hacking group.
It inconveniences them. Two of the leaders of Iranian cyber operations were reportedly killed in recent US airstrikes, including Mohammad Mehdi Farhadi Ramin, charged by the US in 2020 for state-sponsored hacking, and Yahya Hosseiny Panjaki, who oversaw the MOIS unit that controlled Handala. That’s a more significant blow. But there are others waiting to fill those roles.
The Warning Every Business Should Have Heard by Now
CISA and the FBI have both engaged directly with Stryker executives. Joint advisories have been issued.
The warnings have been loud and consistent: rotate your credentials, audit your admin access, check which personal devices are enrolled in your corporate device management systems, and remove access for anything that shouldn’t have it.
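The four items in that advice can be turned into a report. The script below is an added example, not from the article, CISA, the FBI or Microsoft: it takes an export of device-management role assignments and enrolled devices and produces findings for stale privileged credentials, unscoped administrator roles, and personally owned devices that are enrolled and therefore subject to remote wipe. For each assignment it also computes the blast radius, the number of enrolled devices the role could act on if the account were compromised. The export format, the role names, the scopeGroups field and the 90-day rotation threshold are all assumptions modelled loosely on how Intune scopes role assignments to device groups; the sample data is constructed.

```python
"""Audit device-management admin access and enrolled-device exposure.

Added example, not from the article. Export format, role names and the
90-day threshold are assumptions; SAMPLE_* data is CONSTRUCTED.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

PRIVILEGED_ROLES = {"Intune Administrator", "Global Administrator"}  # assumption
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str
    principal: str
    detail: str


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed role-assignment export. scopeGroups=None means unscoped (all devices).
SAMPLE_ASSIGNMENTS = [
    {"principal": "admin@example.com", "role": "Intune Administrator",
     "passwordLastSet": "2024-01-15T00:00:00Z", "scopeGroups": None},
    {"principal": "helpdesk@example.com", "role": "Help Desk Operator",
     "passwordLastSet": "2026-02-20T00:00:00Z", "scopeGroups": ["EU-Laptops"]},
    {"principal": "svc-legacy@example.com", "role": "Intune Administrator",
     "passwordLastSet": "2023-06-01T00:00:00Z", "scopeGroups": ["Lab-Devices"]},
    {"principal": "auditor@example.com", "role": "Read Only Operator",
     "passwordLastSet": "2025-01-01T00:00:00Z", "scopeGroups": None},
]

# Constructed enrolled-device export. ownerType mirrors company/personal ownership.
SAMPLE_DEVICES = [
    {"deviceName": "LAPTOP-0017", "ownerType": "company", "userPrincipalName": "alice@example.com", "groups": ["EU-Laptops"]},
    {"deviceName": "LAPTOP-0203", "ownerType": "company", "userPrincipalName": "dave@example.com", "groups": ["EU-Laptops"]},
    {"deviceName": "LAB-01", "ownerType": "company", "userPrincipalName": "eve@example.com", "groups": ["Lab-Devices"]},
    {"deviceName": "iphone-bob", "ownerType": "personal", "userPrincipalName": "bob@example.com", "groups": []},
    {"deviceName": "pixel-carol", "ownerType": "personal", "userPrincipalName": "carol@example.com", "groups": []},
]


def blast_radius(assignment, devices):
    """Count the enrolled devices an assignment's role can reach."""
    scope = assignment.get("scopeGroups")
    if scope is None:                 # unscoped role: every enrolled device
        return len(devices)
    wanted = set(scope)
    return sum(1 for d in devices if wanted & set(d.get("groups", [])))


def audit(assignments, devices, now, max_password_age_days=90):
    """Return findings sorted by severity (high first)."""
    findings = []
    for a in assignments:
        age = (now - parse_time(a["passwordLastSet"])).days
        reach = blast_radius(a, devices)
        privileged = a["role"] in PRIVILEGED_ROLES
        if age > max_password_age_days:
            findings.append(Finding(
                "high" if privileged else "medium", a["principal"],
                f"{a['role']} credential is {age} days old and can act on {reach} devices; rotate it"))
        if privileged and a.get("scopeGroups") is None:
            findings.append(Finding(
                "medium", a["principal"],
                f"unscoped {a['role']}: blast radius is every enrolled device ({reach})"))
    for d in devices:
        if d.get("ownerType") == "personal":
            findings.append(Finding(
                "low", d["userPrincipalName"],
                f"personal device {d['deviceName']} is enrolled and subject to remote wipe"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    today = datetime(2026, 3, 12, tzinfo=timezone.utc)   # constructed 'now'
    for f in audit(SAMPLE_ASSIGNMENTS, SAMPLE_DEVICES, today):
        print(f"[{f.severity.upper():6}] {f.principal}: {f.detail}")
```

The blast-radius column is the number that answers the question the advisories are really asking: if this one credential leaks, how many devices can be wiped with it. Scoping administrator roles to the device groups an operator actually supports shrinks that number without removing anyone's ability to do their job.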
The Stryker attack wasn’t sophisticated. It was patient. And the gap between a group that got in with old stolen passwords and a company with 56,000 employees across 61 countries is a gap that exists in a lot of organizations right now.
Cybersecurity Dive reported this week that the Stryker attack has raised urgent questions across the industry about how many companies have given Microsoft Intune, or similar device management tools, administrator privileges without fully accounting for what happens if those credentials are compromised. The answer, in most cases, appears to be: they haven’t thought about it nearly enough.
As of Thursday, Stryker’s electronic ordering systems were still unavailable.
Recovery is ongoing. The company says all its medical products are safe to use and that staff representatives in hospitals pose no risk.
But 200,000 wiped devices don’t come back in a week. And whatever data Handala says it took is already wherever it’s going. The attack is over. The consequences aren’t.
