VYPR
Breach · Published Mar 11, 2026 · Updated May 18, 2026 · 1 source

Iran-Backed Handala Group Claims Wiper Attack on Medtech Giant Stryker, Disrupting Global Operations

Iran-linked hacktivist group Handala claims to have wiped data from over 200,000 systems at medical technology firm Stryker, forcing the company to send home 5,000 workers in Ireland and disrupting hospital supply chains.

A hacktivist group with ties to Iran's intelligence apparatus has claimed responsibility for a devastating wiper attack against Stryker, a global medical technology company headquartered in Kalamazoo, Michigan. The group, known as Handala (also tracked as Void Manticore), posted a manifesto on Telegram stating that it erased data from more than 200,000 systems, servers, and mobile devices across Stryker's offices in 79 countries. The attack forced Stryker to send home over 5,000 employees at its Cork, Ireland hub — the company's largest base outside the U.S. — while a voicemail message at its Michigan headquarters cited a "building emergency."

According to a trusted source with knowledge of the incident who spoke to Krebs on Security, the attackers appear to have abused Microsoft Intune, a cloud-based device management service, to issue a remote wipe command against all connected devices. This technique allowed the threat actors to erase data at scale without deploying traditional malware. Multiple Stryker employees reported that their personal phones with Microsoft Outlook installed were wiped, and login pages on company devices were defaced with the Handala logo. A Reddit discussion among Stryker staff indicated that employees were urgently told to uninstall Intune.
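As an added illustration (not part of the original report and not any vendor's code), the example below flags an account that issues wipe actions against many distinct devices within a short window, the pattern described above. The record fields, account names, and thresholds are assumptions applied to constructed sample data, not Intune's actual audit log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BASE = datetime(2026, 1, 1, 3, 0, 0)  # constructed timestamp for the sample data

def sample_events():
    """Constructed records in a simplified, hypothetical schema (not Intune's)."""
    # One account wiping 12 different devices, 5 seconds apart.
    events = [{"time": BASE + timedelta(seconds=5 * i), "actor": "admin-a@example.test",
               "action": "wipe", "device": f"dev-{i:03d}"} for i in range(12)]
    # Routine helpdesk activity: two wipes hours apart and one non-wipe action.
    for offset, action, dev in [(timedelta(hours=1), "wipe", "dev-900"),
                                (timedelta(hours=6), "wipe", "dev-901"),
                                (timedelta(hours=6, minutes=1), "sync", "dev-902")]:
        events.append({"time": BASE + offset, "actor": "helpdesk@example.test",
                       "action": action, "device": dev})
    return events

def find_wipe_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Alert once per actor that wipes >= threshold distinct devices within window."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still inside the window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "wipe":
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        # Drop entries that have aged out of the sliding window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        devices = {d for _, d in q}  # distinct devices, so retries are not double counted
        if len(devices) >= threshold and ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            alerts.append({"actor": ev["actor"], "first_seen": q[0][0],
                           "triggered_at": ev["time"], "devices": len(devices)})
    return alerts

if __name__ == "__main__":
    for alert in find_wipe_bursts(sample_events()):
        print(alert)
```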

Handala stated that the attack was retaliation for a U.S. missile strike on February 28 that hit an Iranian school, killing at least 175 people, most of them children. The New York Times reported that an ongoing military investigation has determined the United States was responsible for the strike. Handala referred to Stryker as a "Zionist-rooted corporation," likely referencing the company's 2019 acquisition of the Israeli firm OrthoSpace. Palo Alto Networks, which has profiled Handala, assesses the group as a persona of Void Manticore, an actor affiliated with Iran's Ministry of Intelligence and Security (MOIS).

The attack is already causing real-world supply chain disruptions. A healthcare professional at a major U.S. university medical system told KrebsOnSecurity that they are currently unable to order surgical supplies normally sourced through Stryker. "Pretty much every hospital in the U.S. that performs surgeries uses their supplies," the expert said. John Riggi, national advisor for the American Hospital Association (AHA), stated that the AHA is not yet aware of direct impacts to U.S. hospitals but noted that the situation could change if the outage persists. The state of Maryland's Institute for Emergency Medical Services Systems issued a memo on March 11 indicating that Stryker had reported a "global network disruption."

Stryker, which reported $25 billion in global sales last year and employs 56,000 people across 61 countries, has not yet issued a public statement confirming the attack or detailing remediation efforts. The company's website and media lines remained non-operational as of Wednesday morning. The incident underscores the growing threat of hacktivist groups leveraging legitimate enterprise tools like Microsoft Intune to conduct destructive attacks, and highlights the vulnerability of critical medical supply chains to cyber operations. Palo Alto researchers noted that Handala's recent activities are "opportunistic and 'quick and dirty,'" with a focus on supply-chain footholds to reach downstream victims.

Synthesized by Vypr AI