Wiper attacks from Iran-affiliated actors have intensified since late 2023, but the claimed operation against Stryker represents a significant escalation in both scale and sector.
A hacktivist group known as Handala — assessed by Palo Alto Networks as an online persona operated by Void Manticore, an actor linked to Iran’s Ministry of Intelligence and Security — has claimed responsibility for a mass data-wiping attack against Stryker, the Kalamazoo, Michigan-based medical technology company that reported $25 billion in global sales last year. According to the announcement, the group claims to have erased data from more than 200,000 systems, servers, and mobile devices, forcing office shutdowns across 79 countries.
The operational picture on the ground aligns with those claims. Irish news reports Wednesday morning stated the company sent home more than 5,000 workers from its largest hub outside the United States. The Irish Examiner cited unnamed employees saying anything connected to the network is down and that login pages on employee devices have been defaced with the Handala logo. Staff are reportedly coordinating via WhatsApp. A voicemail at Stryker’s Michigan headquarters states, “We are currently experiencing a building emergency. Please try your call again later.” The company’s own website lists 56,000 employees across 61 countries.
Intune as the Attack Vector
The mechanism behind the wipe appears to diverge from conventional malware. A source with direct knowledge of the incident, speaking anonymously, is reported as saying that attackers used Microsoft Intune — a cloud-based device management platform — to issue remote wipe commands across connected devices. The claim is consistent with activity observed in a Reddit thread on the outage, where users identifying themselves as Stryker employees said they had been instructed to uninstall Intune urgently. The approach suggests the attackers gained administrative access to the company’s endpoint management infrastructure rather than deploying traditional destructive software.
One detail reported by employees adds to the severity: individuals who had Microsoft Outlook configured on personal phones reportedly had those personal devices wiped as well, indicating the Intune environment extended to employee-owned hardware enrolled in the company’s mobile device management system.
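For defenders, a wipe issued through a device management console shows up as a burst of destructive device actions from one administrative identity rather than as malware on the endpoint. The sketch below is an added example, not taken from the article or from any vendor tooling; the record schema (`time`, `actor`, `action`, `device`), the action labels, and the sample events are constructed assumptions that a real audit-log export would need to be mapped onto.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed action labels in this simplified, hypothetical schema.
DESTRUCTIVE = {"wipe", "retire", "delete"}

def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=10):
    """One alert per actor whose destructive actions reach `threshold`
    distinct devices inside any sliding `window`."""
    recent = defaultdict(deque)   # actor -> (time, device) pairs still in window
    peak = {}                     # actor -> (max distinct devices, start, end)
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["action"] not in DESTRUCTIVE:
            continue
        t = datetime.fromisoformat(ev["time"])
        q = recent[ev["actor"]]
        q.append((t, ev["device"]))
        while t - q[0][0] > window:      # drop actions older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct > peak.get(ev["actor"], (0,))[0]:
            peak[ev["actor"]] = (distinct, q[0][0], t)
    return [{"actor": a, "devices": n, "start": s.isoformat(), "end": e.isoformat()}
            for a, (n, s, e) in sorted(peak.items()) if n >= threshold]

def sample_events():
    """Constructed audit records: routine help-desk wipes plus one burst."""
    base = datetime(2025, 1, 1, 9, 0, 0)
    rows = []
    for i, hours in enumerate((0, 3)):   # two wipes, three hours apart
        rows.append({"time": (base + timedelta(hours=hours)).isoformat(),
                     "actor": "helpdesk@corp.example", "action": "wipe",
                     "device": f"LT-{i:04d}"})
    for i in range(12):                  # twelve wipes, five seconds apart
        rows.append({"time": (base + timedelta(hours=1, seconds=5 * i)).isoformat(),
                     "actor": "mdm-admin@corp.example", "action": "wipe",
                     "device": f"PH-{i:04d}"})
    rows.append({"time": base.isoformat(), "actor": "mdm-admin@corp.example",
                 "action": "sync", "device": "PH-0000"})   # benign action, ignored
    return rows

if __name__ == "__main__":
    for alert in find_wipe_bursts(sample_events()):
        print(alert)
```

The threshold and window are tuning choices; an alert like this is most useful when paired with approval requirements or rate limits on bulk destructive actions in the management platform.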
Stated Motive and Broader Pattern
Handala’s Telegram manifesto frames the attack as retaliation for a February 28 missile strike it says killed at least 175 people, most of them children, at an Iranian school. The New York Times reported Wednesday that a military investigation has determined the United States is responsible for that Tomahawk missile strike. The group labeled Stryker a “Zionist-rooted corporation,” a characterization that appears to reference the company’s 2019 acquisition of Israeli firm OrthoSpace.
Palo Alto’s profile of Handala describes its activity as “opportunistic and ‘quick and dirty,’” with a particular focus on supply-chain footholds through IT and service providers to reach downstream targets, followed by public posts designed to amplify credibility and intimidate. The group has previously claimed attacks on fuel systems in Jordan and an Israeli energy exploration company. Its primary targeting focus is Israel, with broader operations taken when a specific agenda is served.
The downstream consequences for healthcare are already materializing. Stryker is a major supplier of medical devices, and at least one healthcare professional at a major university medical system has reported operational impact — a direct consequence of an attack on a vendor embedded throughout the medical supply chain.