Key Takeaway
The Iranian-linked hacktivist group Handala launched a global data-wiping attack on medical device maker Stryker using Microsoft Intune's remote wipe capabilities. The attack disrupted operations in 79 countries, wiping over 200,000 devices and impacting healthcare supply chains. Detection involves monitoring unusual Intune activity, and remediation includes revoking credentials and restoring from backups.
Overview
The Iranian-affiliated hacktivist group Handala, linked to Iran's Ministry of Intelligence and Security (MOIS), claimed responsibility for a widespread data-wiping attack on Stryker Corporation, a global medical technology company headquartered in Kalamazoo, Michigan. The attack reportedly impacted Stryker's operations in 79 countries, including its largest hub in Ireland, forcing the company to send home over 5,000 employees.
Attack Delivery and Capabilities
Handala's attack leveraged Microsoft Intune, a cloud-based endpoint management service, to issue remote wipe commands to more than 200,000 devices, including servers, workstations, and mobile devices. Rather than deploying wiper malware that overwrites data on each host, the attackers abused Intune's legitimate remote-wipe function, so the destructive action was carried out by the management platform the devices already trusted.
This approach produced sustained disruption of Stryker's IT infrastructure worldwide, shutting down internal networks and wiping user devices, including employees' personal phones on which Microsoft Outlook was installed. Login pages were also defaced with the Handala logo.
Handala publicly justified the attack as retaliation for a U.S. Tomahawk missile strike on an Iranian school on February 28, 2026, which resulted in at least 175 fatalities, mostly children. The group posted a manifesto on Telegram claiming to hold exfiltrated data, although no independent confirmation of data exfiltration has surfaced.
Affected Platforms
- Windows and mobile devices managed via Microsoft Intune.
- Stryker's global IT infrastructure spanning 79 countries.
- Corporate networks and user endpoints connected to Intune.
Organizational Impact
Stryker, with approximately 56,000 employees worldwide and $25 billion in annual sales, experienced significant operational disruption. Staff in Ireland reported complete network outages and were forced to communicate via WhatsApp. Hospitals relying on Stryker's surgical supplies and services faced supply chain impediments, with some disconnecting from Stryker's LifeNet system used for emergency medical data transmission.
The American Hospital Association (AHA) stated no confirmed supply chain disruptions had been reported as of the attack date but acknowledged ongoing assessments. Maryland's Institute for Emergency Medical Services Systems alerted hospitals to the disruption, noting some had suspended LifeNet connectivity as a precaution.
Attribution
Palo Alto Networks linked Handala to MOIS and associated it with the broader threat actor group Void Manticore. Handala has previously targeted Israeli infrastructure and energy sectors, focusing on opportunistic supply chain exploitation. Their attacks typically combine rapid destructive actions with public leaks to amplify impact and intimidation.
Detection Signatures
- Remote wipe or retire actions in the Intune audit log issued in unusual volume, at unusual hours, or by accounts that do not normally perform them.
- Defacement of login portals displaying Handala branding.
- Sudden mass device wipe events correlating with Intune policy changes.
- Network outages and loss of access to corporate resources across multiple global locations.
- Alerts from SIEM or cloud-audit monitoring (Intune audit logs, Microsoft Entra sign-in and directory audit logs) identifying anomalous administrative activity; host-based EDR generally does not see a wipe issued from the cloud console, and a wiped device can no longer report.
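The first and third signatures above come down to one question: is a single actor issuing destructive device actions faster than any legitimate administrator would? The following is an added example, not code from the original article or from Stryker, that answers it over Intune audit events. The event shape follows the Microsoft Graph deviceManagement/auditEvents resource (actor, activityType, activityDateTime, resources); the sample events, the tenant name corp.example, and the exact activityType strings ("wipe ManagedDevice", "retire ManagedDevice", "delete ManagedDevice") are constructed assumptions.

```python
"""Flag bursts of Intune remote-wipe actions in exported audit events.

Added example, not the article's or Stryker's own code. Event fields mirror the
Microsoft Graph deviceManagement/auditEvents resource; the activityType strings
and all sample data below are assumptions constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed activityType values for destructive device actions (lower-cased).
DESTRUCTIVE_ACTIONS = {"wipe manageddevice", "retire manageddevice", "delete manageddevice"}


def parse_time(stamp):
    """Parse an ISO-8601 timestamp as exported by Graph (trailing 'Z' = UTC)."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_destructive(event):
    """True if the audit event is a wipe/retire/delete of a managed device."""
    return event.get("activityType", "").lower() in DESTRUCTIVE_ACTIONS


def actor_name(event):
    """Prefer the UPN; fall back to the app name for non-interactive actors."""
    actor = event.get("actor", {})
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"


def detect_mass_wipe(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor whose destructive actions reach `threshold`
    within any sliding time window of length `window`.

    A legitimate retire of a handful of devices over an hour stays below the
    threshold; a scripted wipe of many devices in minutes does not.
    """
    by_actor = defaultdict(list)
    for event in events:
        if is_destructive(event):
            by_actor[actor_name(event)].append(event)

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: parse_time(e["activityDateTime"]))
        times = [parse_time(e["activityDateTime"]) for e in evs]
        start, best = 0, None
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                devices = {r.get("resourceId")
                           for e in evs[start:end + 1]
                           for r in e.get("resources", [])}
                best = {
                    "actor": actor,
                    "actor_type": "user" if evs[0].get("actor", {}).get("userPrincipalName") else "application",
                    "count": count,
                    "devices": len(devices),
                    "first": times[start].isoformat(),
                    "last": times[end].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


def make_event(upn, action, device_id, stamp):
    """Build a constructed audit event in the assumed Graph shape."""
    return {
        "actor": {"userPrincipalName": upn, "applicationDisplayName": "Microsoft Intune portal extension"},
        "activityType": action,
        "activityOperationType": "Action",
        "activityDateTime": stamp,
        "category": "Device",
        "resources": [{"type": "ManagedDevice", "resourceId": device_id, "displayName": f"HOST-{device_id}"}],
    }


# Constructed sample: a helpdesk user retiring two devices over 45 minutes,
# and a compromised admin account wiping eight devices in under three minutes.
SAMPLE_EVENTS = [
    make_event("helpdesk@corp.example", "retire ManagedDevice", "dev-a1", "2025-01-15T09:00:00Z"),
    make_event("helpdesk@corp.example", "retire ManagedDevice", "dev-a2", "2025-01-15T09:45:00Z"),
] + [
    make_event("it-admin@corp.example", "wipe ManagedDevice", f"dev-w{i}", f"2025-01-15T02:0{i * 20 // 60}:{i * 20 % 60:02d}Z")
    for i in range(8)
]

if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(alert)
```

In production the event list would come from a paged Graph query of deviceManagement/auditEvents or from the Intune audit log forwarded to a SIEM; the threshold should be set from a baseline of the tenant's normal retire/wipe rate so that routine device lifecycle work does not page anyone, while a burst from any single account or service principal does.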
Removal and Mitigation Guidance
- Immediately identify and revoke compromised Microsoft Intune administrative credentials, including active sessions and refresh tokens, not just passwords.
- Conduct forensic analysis of the Intune audit log to identify unauthorized policy changes and remote actions. An executed wipe cannot be rolled back; the goal is to find wipe actions still queued for devices that were offline and keep them from being delivered.
- Restore affected devices from verified backups.
- Enforce phishing-resistant multi-factor authentication (MFA) for all Intune and cloud management accounts.
- Monitor Intune audit logs for anomalous activity, in particular bursts of wipe or retire actions from a single account.
- Coordinate with Microsoft Support and incident response teams to secure cloud management environments.
- Scope Intune role-based access so that only a small set of accounts can issue wipe or retire actions, require just-in-time activation for those privileged roles, and restrict access to administrative portals with Conditional Access.
References
- Palo Alto Networks Unit 42 report on Iranian cyber operations.
- Maryland Institute for Emergency Medical Services Systems advisory.
- New York Times coverage of the February 2026 missile strike.
Handala's use of legitimate cloud management tools to conduct a destructive global campaign against a critical medical technology supplier underscores the evolving tactics employed by state-affiliated hacktivist groups.
Original Source
Krebs on Security