
Stryker Corporation

Analysis of the Handala group’s destructive wiper attack on Stryker Corporation, which reportedly wiped up to 200,000 devices across 79 countries using the company’s own Microsoft Intune platform.

Published by the Scrutex.ai Research Team | March 2026

Disclaimer

This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.

At a Glance

Organisation: Stryker Corporation. American multinational medical technologies corporation headquartered in Kalamazoo, Michigan. Stryker is one of the world's largest medical device companies, operating across 79 countries with products spanning orthopaedics, surgical equipment, and neurotechnology.

Sector: Healthcare / Medical Devices

Region: United States

Date of Incident: March 11, 2026

Date Disclosed: March 11, 2026

Estimated Impact: 80,000 to 200,000 devices reportedly wiped across 79 countries

Data Types Exposed: Internal systems, manufacturing data, ordering systems, shipping records, corporate Microsoft environment

Attack Type: Hacking

Attack Vector: Destructive wiper attack leveraging Stryker’s own Microsoft Intune device management tool to remotely wipe enrolled devices

Threat Actor: Handala (Iran-linked)

Current Status: Stryker has stated it is in the restoration process, which is progressing steadily. The FBI seized two Handala-linked websites on March 19, 2026. Manufacturing, ordering, and shipping remain partially disrupted as of March 20, 2026. CISA issued urgent guidance for US organisations to harden Intune environments.

Severity Assessment

Critical. This was not ransomware but a destructive wiper attack, meaning data and systems were wiped rather than encrypted for ransom. The use of an organisation’s own device management infrastructure as a weapon represents a significant escalation in attack methodology. The impact on manufacturing, ordering, and shipping across a global medical device company has direct patient safety implications, with reports of surgical delays.

What Happened

On March 11, 2026, an Iran-linked hacking group known as Handala launched a destructive wiper attack against Stryker Corporation’s global Microsoft environment. According to multiple reports, the attackers compromised Stryker’s Microsoft Intune device management tool and used it to remotely wipe between 80,000 and 200,000 devices across the company’s operations in 79 countries.

This was not a ransomware attack. The attackers reportedly chose destruction over extortion, wiping devices rather than encrypting them and demanding payment. Manufacturing operations stopped, offices shut down, and Stryker’s stock reportedly dropped approximately 9% following the disclosure.

On March 19, the FBI seized two websites linked to the Handala group, determining that the domains were used to support cyber activities on behalf of a foreign state actor. CISA subsequently issued urgent guidance for all US organisations to review and harden their Microsoft Intune configurations.

As of March 20, 2026, Stryker’s ordering, manufacturing, and shipping systems remain partially disrupted, though the company has stated the restoration process is progressing steadily. Some patients have reportedly experienced delays in surgeries due to shipping disruptions for medical devices.

Timeline

March 11, 2026: Handala reportedly launches destructive wiper attack against Stryker’s global Microsoft environment

March 11, 2026: Stryker’s manufacturing and operations reportedly shut down across multiple countries

March 12, 2026: Stryker’s stock reportedly drops approximately 9%

March 19, 2026: FBI seizes two Handala-linked websites

March 20, 2026: Stryker reports restoration is progressing; operations remain partially disrupted

Threat Actor Profile

Handala (Iran-linked)

Handala is an Iran-linked hacking group that has been associated with geopolitically motivated cyberattacks. The FBI’s seizure of Handala-linked domains, citing their use to support cyber activities on behalf of a foreign state actor, suggests a state-sponsored or state-directed operation.

The choice of a destructive wiper attack over ransomware is consistent with geopolitically motivated operations, where the objective is disruption and damage rather than financial gain. Security experts have warned this could signal an increase in geopolitically motivated attacks on US healthcare infrastructure.

Impact and Risk Assessment

For Affected Individuals

Patients requiring Stryker medical devices, including surgical implants and orthopaedic equipment, may face delays in scheduled procedures due to shipping and manufacturing disruptions.

For Organisations

Stryker faces significant operational disruption across its global operations, with manufacturing, ordering, and shipping systems affected in 79 countries. The approximately 9% stock price drop reportedly represents billions of dollars in market capitalisation loss.

Hospitals and healthcare providers relying on Stryker products face potential supply chain disruptions. The attack demonstrates the fragility of healthcare supply chains and the downstream patient impact of cyber incidents targeting medical device manufacturers.

The use of Microsoft Intune as an attack vector raises urgent questions for any organisation using mobile device management (MDM) or unified endpoint management (UEM) platforms, as these tools inherently have privileged access to wipe and reconfigure devices at scale.

Regulatory Context

CISA issued urgent guidance for US organisations to harden their Microsoft Intune environments in response to this attack. The incident may accelerate regulatory focus on supply chain cybersecurity for medical device manufacturers.

As a publicly traded company, Stryker is subject to SEC cybersecurity incident disclosure requirements. The incident also implicates healthcare sector regulations around operational resilience and patient safety.

What Should You Do?

If You Are a Potentially Affected Individual

If you have a scheduled medical procedure involving Stryker products, contact your healthcare provider to confirm whether there are any supply-related delays.

If You Are a Security or Risk Professional

Immediately audit your Microsoft Intune and MDM/UEM configurations. Ensure conditional access policies, role-based access controls, and multi-factor authentication are enforced for all administrative actions.

Review whether your MDM platform could be used as a destructive tool if compromised. Consider implementing additional safeguards such as approval workflows for mass device wipe commands.

Assess your medical device supply chain dependencies. Identify critical single-supplier relationships and develop contingency plans for extended disruptions.

Monitor CISA guidance on Intune hardening and implement recommended controls as a priority.
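Two of the checks recommended above (auditing who can wipe devices, and watching for mass wipe commands) can be run offline over exported Intune data. The script below is an added example written for this advisory; it is not code from the advisory, from Stryker or from Microsoft. The record shapes (activityDateTime, activityType, actor.userPrincipalName, rolePermissions, allowedResourceActions, scopeType) are modelled on the Microsoft Graph deviceManagement auditEvent, roleDefinition and roleAssignment resources as I understand them and are assumptions, as is the exact wipe permission string; every sample record is constructed.

```python
"""Offline Intune checks: wipe-burst detection over audit events and a review of role
assignments that grant the wipe permission beyond a single scope group.
Record shapes and permission names are assumptions modelled on Microsoft Graph."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Intune RBAC permission string for remote wipe (assumption about the exact value).
WIPE_PERMISSION = "Microsoft.Intune_RemoteTasks_Wipe"


def _event(ts, actor, activity, device):
    """Build one constructed audit event in the assumed Graph auditEvent shape."""
    return {"activityDateTime": ts, "activityType": activity,
            "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": device}]}


# Constructed sample: one actor wipes six devices in under three minutes, another
# issues two wipes a working day apart, plus an unrelated sync action.
SAMPLE_EVENTS = [
    _event("2026-03-11T02:00:00Z", "admin1@example.invalid", "wipeManagedDevice", "LAPTOP-0001"),
    _event("2026-03-11T02:00:30Z", "admin1@example.invalid", "wipeManagedDevice", "LAPTOP-0002"),
    _event("2026-03-11T02:01:00Z", "admin1@example.invalid", "wipeManagedDevice", "LAPTOP-0003"),
    _event("2026-03-11T02:01:30Z", "admin1@example.invalid", "wipeManagedDevice", "LAPTOP-0004"),
    _event("2026-03-11T02:02:00Z", "admin1@example.invalid", "wipeManagedDevice", "LAPTOP-0005"),
    _event("2026-03-11T02:02:30Z", "admin1@example.invalid", "wipeManagedDevice", "LAPTOP-0006"),
    _event("2026-03-11T02:03:00Z", "admin1@example.invalid", "syncDevice", "LAPTOP-0007"),
    _event("2026-03-10T09:00:00Z", "helpdesk@example.invalid", "wipeManagedDevice", "PHONE-0101"),
    _event("2026-03-10T17:00:00Z", "helpdesk@example.invalid", "retireManagedDevice", "PHONE-0102"),
]


def _parse_ts(value):
    """Parse the UTC 'Z' timestamps used in the exported events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_wipe(event):
    """Match wipe/retire actions by substring so minor naming differences still match."""
    name = (event.get("activityType") or "").lower()
    return "wipe" in name or "retire" in name


def find_wipe_bursts(events, window_seconds=600, threshold=5):
    """Sliding-window count of wipe actions per actor.

    Returns {actor: peak number of wipes seen inside one window} for every actor
    that reached `threshold`. Events may arrive unsorted; they are ordered first.
    """
    wipes = sorted((_parse_ts(e["activityDateTime"]), e["actor"]["userPrincipalName"])
                   for e in events if is_wipe(e))
    recent = defaultdict(deque)
    alerts = {}
    for ts, actor in wipes:
        window = recent[actor]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts[actor] = max(alerts.get(actor, 0), len(window))
    return alerts


# Constructed role definitions and assignments (assumed Graph shape).
SAMPLE_ROLES = [
    {"id": "role-helpdesk", "displayName": "Help Desk Operator",
     "rolePermissions": [{"resourceActions": [
         {"allowedResourceActions": ["Microsoft.Intune_RemoteTasks_SyncDevice"]}]}]},
    {"id": "role-devadmin", "displayName": "Custom Device Admin",
     "rolePermissions": [{"resourceActions": [
         {"allowedResourceActions": [WIPE_PERMISSION, "Microsoft.Intune_ManagedDevices_Delete"]}]}]},
]
SAMPLE_ASSIGNMENTS = [
    {"displayName": "Helpdesk - EMEA", "roleDefinitionId": "role-helpdesk",
     "members": ["grp-helpdesk-emea"], "scopeType": "resourceScope"},
    {"displayName": "Device admins - everything", "roleDefinitionId": "role-devadmin",
     "members": ["grp-devadmins", "grp-contractors"], "scopeType": "allDevices"},
    {"displayName": "Device admins - lab only", "roleDefinitionId": "role-devadmin",
     "members": ["grp-lab"], "scopeType": "resourceScope"},
]


def roles_granting_wipe(roles):
    """Return {roleDefinitionId: displayName} for roles whose permissions include wipe."""
    return {r["id"]: r["displayName"] for r in roles
            if any(WIPE_PERMISSION in ra.get("allowedResourceActions", [])
                   for rp in r.get("rolePermissions", [])
                   for ra in rp.get("resourceActions", []))}


def broad_wipe_roles(roles, assignments):
    """List (role, assignment, member-group count) where wipe is granted beyond one scope group."""
    wipe_roles = roles_granting_wipe(roles)
    return [(wipe_roles[a["roleDefinitionId"]], a["displayName"], len(a.get("members", [])))
            for a in assignments
            if a["roleDefinitionId"] in wipe_roles
            and a.get("scopeType", "resourceScope") != "resourceScope"]


if __name__ == "__main__":
    print("wipe bursts:", find_wipe_bursts(SAMPLE_EVENTS))
    print("broad wipe roles:", broad_wipe_roles(SAMPLE_ROLES, SAMPLE_ASSIGNMENTS))
```

On the sample data the burst detector flags only the actor who wiped six devices in three minutes, and the role review flags only the assignment that grants wipe across all devices. The threshold and window are deliberately low; in a real tenant they should be tuned to the volume of legitimate retire/wipe actions, and the same sliding-window rule can be pointed at a SIEM feed of audit events rather than a file export.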

Learnings and Recommendations

Device management platforms like Microsoft Intune have inherent destructive capabilities by design. Organisations must treat MDM/UEM administrative access as critical infrastructure, applying the same rigour as domain admin or cloud root access.

Destructive wiper attacks differ fundamentally from ransomware. There is no negotiation, no decryption key, and no recovery path other than rebuilding from backups. Organisations must ensure offline, immutable backups exist for critical systems.

The healthcare supply chain is deeply interconnected. A cyberattack on a single medical device manufacturer can cascade into surgical delays and patient safety risks across thousands of healthcare providers globally.

Geopolitically motivated cyberattacks may increasingly target healthcare and critical infrastructure. Organisations in these sectors should factor nation-state threat actors into their risk assessments.

