Hacking Healthcare / Medical Devices · United States · March 2026

Stryker Corporation

Analysis of the Handala group’s destructive wiper attack on Stryker Corporation, which reportedly wiped up to 200,000 devices across 79 countries using the company’s own Microsoft Intune platform.

Records Affected

80,000 to 200,000 devices reportedly wiped across 79 countries

Attack Type

Hacking

Location

United States

Data types exposed

Internal systems, manufacturing data, ordering systems, shipping records, corporate Microsoft environment

What Happened

On March 11, 2026, an Iran-linked hacking group known as Handala launched a destructive wiper attack against Stryker Corporation’s global Microsoft environment. According to multiple reports, the attackers compromised Stryker’s Microsoft Intune device management tool and used it to remotely wipe between 80,000 and 200,000 devices across the company’s operations in 79 countries.
This was not a ransomware attack. The attackers reportedly chose destruction over extortion, wiping devices rather than encrypting them and demanding payment. Manufacturing operations stopped, offices shut down, and Stryker’s stock reportedly dropped approximately 9% following the disclosure.
On March 19, the FBI seized two websites linked to the Handala group, determining that the domains were used to support cyber activities on behalf of a foreign state actor. CISA subsequently issued urgent guidance for all US organisations to review and harden their Microsoft Intune configurations.
As of March 20, 2026, Stryker’s ordering, manufacturing, and shipping systems remain partially disrupted, though the company has stated the restoration process is progressing steadily. Some patients have reportedly experienced delays in surgeries due to shipping disruptions for medical devices.

Timeline

  • March 11, 2026 — Handala reportedly launches destructive wiper attack against Stryker’s global Microsoft environment
  • March 11, 2026 — Stryker’s manufacturing and operations reportedly shut down across multiple countries
  • March 12, 2026 — Stryker’s stock reportedly drops approximately 9%
  • March 19, 2026 — FBI seizes two Handala-linked websites
  • March 20, 2026 — Stryker reports restoration is progressing; operations remain partially disrupted

Threat Actor Profile

Handala is an Iran-linked hacking group that has been associated with geopolitically motivated cyberattacks. The FBI’s seizure of Handala-linked domains, citing their use to support cyber activities on behalf of a foreign state actor, suggests a state-sponsored or state-directed operation.
The choice of a destructive wiper attack over ransomware is consistent with geopolitically motivated operations, where the objective is disruption and damage rather than financial gain. Security experts have warned this could signal an increase in geopolitically motivated attacks on US healthcare infrastructure.

Impact and Risk Assessment

For Individuals

Patients requiring Stryker medical devices, including surgical implants and orthopaedic equipment, may face delays in scheduled procedures due to shipping and manufacturing disruptions.

For Organisations

Stryker faces significant operational disruption across its global operations, with manufacturing, ordering, and shipping systems affected in 79 countries. The approximately 9% stock price drop reportedly represents billions of dollars in market capitalisation loss.
Hospitals and healthcare providers relying on Stryker products face potential supply chain disruptions. The attack demonstrates the fragility of healthcare supply chains and the downstream patient impact of cyber incidents targeting medical device manufacturers.
The use of Microsoft Intune as an attack vector raises urgent questions for any organisation using mobile device management (MDM) or unified endpoint management (UEM) platforms, as these tools inherently have privileged access to wipe and reconfigure devices at scale.

Regulatory Context

CISA issued urgent guidance for US organisations to harden their Microsoft Intune environments in response to this attack. The incident may accelerate regulatory focus on supply chain cybersecurity for medical device manufacturers.
As a publicly traded company, Stryker is subject to SEC cybersecurity incident disclosure requirements. The incident also implicates healthcare sector regulations around operational resilience and patient safety.

What Should You Do?

For Individuals

  • If you have a scheduled medical procedure involving Stryker products, contact your healthcare provider to confirm whether there are any supply-related delays.

For Security Professionals

  • Immediately audit your Microsoft Intune and MDM/UEM configurations. Enforce phishing-resistant multi-factor authentication and conditional access for every administrative sign-in, and review role assignments so that the permission to issue remote wipe or retire commands is held only by the few accounts that genuinely need it, narrowed with scope tags where the platform supports them.
  • Review whether your MDM platform could be used as a destructive tool if compromised. Add safeguards for mass device wipe commands, such as just-in-time elevation into the wiping role and approval workflows, and alert on bursts of wipe or retire actions in the platform's audit log.
  • Assess your medical device supply chain dependencies. Identify critical single-supplier relationships and develop contingency plans for extended disruptions.
  • Monitor CISA guidance on Intune hardening and implement recommended controls as a priority.
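One of the checks above, bursts of wipe or retire actions in the audit log, can be expressed as a small detection. The following is an added example written for this page, not code from Stryker, Microsoft or any of the cited reports. It assumes audit records shaped like the Microsoft Graph `deviceManagement/auditEvents` resource (displayName, activityDateTime, an actor with userPrincipalName or applicationDisplayName, and a resources list); those field names are an assumption, the destructive-action keywords and thresholds are tunable assumptions, and every event in it is constructed. It counts destructive actions per actor in a sliding time window, tolerates unsorted input, and attributes actions taken under an app-only token to the application rather than losing them as "no user".

```python
"""Burst detection over Intune audit events for mass wipe/retire commands.

Added example for this page, not code from Stryker, Microsoft or any cited
report. The record layout approximates the Microsoft Graph
`deviceManagement/auditEvents` resource (displayName, activityDateTime,
actor.userPrincipalName / actor.applicationDisplayName, resources[]); the
field names are an assumption and the events below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: destructive remote actions are recognised by these substrings in
# the event's displayName, matched case-insensitively.
DESTRUCTIVE_KEYWORDS = ("wipe", "retire")


def parse_time(stamp):
    """Parse the UTC timestamp form used by Graph (e.g. 2026-03-11T08:00:02Z)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def is_destructive(event):
    name = (event.get("displayName") or "").lower()
    return any(k in name for k in DESTRUCTIVE_KEYWORDS)


def actor_of(event):
    """Prefer the signed-in user; fall back to the app name for app-only tokens."""
    actor = event.get("actor") or {}
    return (actor.get("userPrincipalName")
            or actor.get("applicationDisplayName")
            or "unknown")


def detect_mass_wipe(events, threshold=5, window_minutes=10):
    """Return one alert per actor whose destructive actions reach `threshold`
    inside any sliding window of `window_minutes`. Input may be unsorted."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)     # actor -> deque of (timestamp, device)
    alerts = {}                     # actor -> alert dict, updated as the burst grows
    for ev in sorted(events, key=lambda e: parse_time(e["activityDateTime"])):
        if not is_destructive(ev):
            continue
        actor = actor_of(ev)
        ts = parse_time(ev["activityDateTime"])
        resources = ev.get("resources") or []
        device = resources[0].get("displayName") if resources else "?"
        q = recent[actor]
        q.append((ts, device))
        while ts - q[0][0] > window:   # drop actions older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[actor] = {
                "actor": actor,
                "count": len(q),
                "window_start": q[0][0].isoformat(),
                "window_end": ts.isoformat(),
                "devices": [d for _, d in q],
            }
    return sorted(alerts.values(), key=lambda a: a["actor"])


def _ev(stamp, name, upn=None, app=None, device=None):
    """Build one constructed audit record in the assumed layout."""
    actor = {}
    if upn:
        actor["userPrincipalName"] = upn
    if app:
        actor["applicationDisplayName"] = app
    resources = [{"displayName": device, "resourceId": device}] if device else []
    return {"displayName": name, "activityDateTime": stamp,
            "actor": actor, "resources": resources}


# Constructed sample: routine help-desk activity plus a burst of wipes issued
# under an app-only token (no user principal on the event), deliberately out
# of time order.
SAMPLE_EVENTS = [
    _ev("2026-03-11T07:58:10Z", "Update DeviceConfiguration", upn="helpdesk@contoso.example"),
    _ev("2026-03-11T15:30:44Z", "Retire ManagedDevice", upn="helpdesk@contoso.example", device="PHONE-1187"),
    _ev("2026-03-11T09:02:31Z", "Wipe ManagedDevice", app="fleet-automation", device="WS-00021"),
    _ev("2026-03-11T08:00:02Z", "Wipe ManagedDevice", upn="helpdesk@contoso.example", device="LAPTOP-0421"),
    _ev("2026-03-11T09:01:05Z", "Wipe ManagedDevice", app="fleet-automation", device="WS-00017"),
    _ev("2026-03-11T09:01:09Z", "Wipe ManagedDevice", app="fleet-automation", device="WS-00018"),
    _ev("2026-03-11T09:03:40Z", "Wipe ManagedDevice", app="fleet-automation", device="WS-00022"),
    _ev("2026-03-11T09:01:14Z", "Wipe ManagedDevice", app="fleet-automation", device="WS-00019"),
    _ev("2026-03-11T09:02:30Z", "Wipe ManagedDevice", app="fleet-automation", device="WS-00020"),
]

if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"{alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['window_start']} and {alert['window_end']}")
```

With the defaults the help desk's two wipes hours apart stay silent and the six wipes issued by the application in under three minutes raise one alert. Tune the threshold to the fleet's normal decommissioning rate, and treat the alert as a tripwire rather than a control: by the time the fifth wipe is logged, four devices are already gone, which is why the preventive measures above (few holders of the wipe permission, just-in-time elevation, approval for bulk actions) matter more than the detection.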

Learnings and Recommendations

Device management platforms like Microsoft Intune have inherent destructive capabilities by design. Organisations must treat MDM/UEM administrative access as critical infrastructure, applying the same rigour as domain admin or cloud root access.
Destructive wiper attacks differ fundamentally from ransomware. There is no negotiation, no decryption key, and no recovery path other than reimaging the wiped devices and restoring data from backups. Organisations must ensure offline, immutable backups exist for critical systems, and that the rebuild process itself does not depend on the same management platform that was used to wipe them.
The healthcare supply chain is deeply interconnected. A cyberattack on a single medical device manufacturer can cascade into surgical delays and patient safety risks across thousands of healthcare providers globally.
Geopolitically motivated cyberattacks may increasingly target healthcare and critical infrastructure. Organisations in these sectors should factor nation-state threat actors into their risk assessments.

This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.