Podcast Episode
Iran-Linked Hackers Weaponise Stryker's Own IT Tools in Devastating Global Wiper Attack
March 15, 2026
Medical technology giant Stryker suffered a massive cyberattack on March eleventh when Iran-linked hacking group Handala compromised the company's Microsoft Intune platform and remotely wiped devices across seventy-nine countries. The company says the attack is now fully contained and it has entered the restoration phase.
A New Kind of Cyber Weapon
Medical technology giant Stryker, a Fortune five hundred company with over twenty-five billion dollars in annual revenue, found itself at the centre of one of the most significant cyberattacks in recent memory this week. On March eleventh, employees across the globe turned on their computers to find them completely blank, their login screens replaced by the logo of Handala, an Iran-linked hacking group.
Turning Tools Against Their Owners
What makes this attack particularly alarming is the method used. Rather than deploying traditional malware or ransomware, the attackers compromised administrator credentials for Microsoft Intune, Stryker's cloud-based device management platform. They then used the platform's own legitimate remote wipe capability to issue factory-reset commands to all enrolled devices simultaneously. This so-called living off the land technique required no custom malware and no zero-day exploits, just administrative access to a tool that already had permission to wipe every device in the organisation.
The Scale of Disruption
Handala claimed to have wiped more than two hundred thousand systems across seventy-nine countries and exfiltrated fifty terabytes of data, though these figures have not been independently verified. Employees in the United States, Ireland, Costa Rica, and Australia reported that managed laptops and mobile devices, including personal phones enrolled for corporate email, were remotely wiped overnight. Some employees were sent home, and production at facilities in Cork, Ireland was halted.
Motivation and Attribution
The group said the attack was retaliation for a military strike on a school in Minab, Iran, and also cited Stryker's twenty nineteen acquisition of OrthoSpace, an Israeli medical technology company. Cybersecurity researchers at Check Point and Palo Alto Networks have linked Handala to Void Manticore, an Iranian threat actor connected to Iran's Ministry of Intelligence and Security.
Recovery and Response
Stryker CEO Kevin Lobo said the attack had been fully contained and the company found no indication of ransomware or malware. The company has entered its restoration phase, with employees bringing laptops in for repair. Stryker's shares fell over three consecutive trading sessions following the disclosure.
Published March 15, 2026 at 3:13am