Handala Weaponizes Microsoft Intune to Wipe 200,000 Stryker Devices Across 79 Countries
On March 11, 2026, the Iran-linked hacktivist group Handala claimed responsibility for remotely wiping more than 200,000 systems, servers, and mobile devices belonging to Stryker Corporation, the Fortune 500 medical technology company [5]. The attackers compromised administrator accounts and used Stryker's own Microsoft Intune device management console to issue factory-reset commands at scale, forcing operations across 79 countries to shut down [1][7]. Over 5,000 workers were sent home from Stryker's Cork, Ireland facility alone [1]. CISA acting director Nick Andersen confirmed the agency launched a federal investigation, calling it a coordinated effort with public and private sector partners [3].
This attack is the first confirmed major cyber disruption of a U.S. corporation since joint U.S.-Israeli military operations ("Epic Fury" and "Roaring Lion") against Iran commenced on February 28, 2026 [7]. NBC News described it as the first significant instance of Iran hacking an American company since the start of the U.S.-Israel-Iran war [2]. The real-world consequences extended beyond wiped laptops: Stryker's Lifenet electrocardiogram transmission platform, used by EMS teams to send cardiac data to hospitals, went offline. Maryland's Institute for Emergency Medical Services Systems notified hospitals statewide that Lifenet was non-functional [1].
Who Is Handala?
Handala (also tracked as Handala Hack Team, Hatef, and Hamsa) first surfaced in December 2023 as a hacktivist operation [6]. Multiple intelligence vendors assess the group as a state-directed front for Iran's Ministry of Intelligence and Security (MOIS), not the IRGC Cyber-Electronic Command [4][5]. Palo Alto Networks' Unit 42 tracks Handala as one of several online personas maintained by Void Manticore (also known as COBALT MYSTIQUE and Storm-1084/Storm-0842) [4]. This MOIS attribution is significant. MOIS-affiliated actors have historically prioritized espionage and destructive operations, a pattern that aligns with Handala's known tactics.
Handala claimed the Stryker attack was retaliation for a February 28 U.S. missile strike on a school in Minab, Iran, that reportedly killed at least 175 people, mostly children [5]. Stryker's 2019 acquisition of the Israeli medical technology company OrthoSpace almost certainly factored into target selection [3][7]. The company also holds major contracts with the U.S. Department of Defense and the Department of Veterans Affairs, making it a high-profile symbolic target [3].
On its Telegram channel, Handala stated it extracted 50 terabytes of data, posting: "All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption" [5]. After the wipe, affected devices displayed the Handala logo on their login screens [1].
Attack Vector: Intune as a Weapon
The attackers did not deploy traditional wiper malware to each endpoint. Instead, they compromised Stryker administrator accounts and gained access to the Microsoft Intune management console, the same platform IT administrators use to manage, configure, and wipe corporate devices when they are lost or stolen [1][2]. From that console, the attackers issued legitimate remote-wipe commands across the entire managed device fleet [1][7].
This is a textbook living-off-the-land approach. Intune is purpose-built to push configuration changes and wipe commands to tens of thousands of endpoints simultaneously. A single compromised admin account with sufficient privileges can trigger factory resets across an entire global device fleet in minutes. Windows systems, phones, laptops, and other managed devices were all affected [2].
Unit 42 confirmed that the primary vector for recent Handala destructive operations "involves the exploitation of identity through phishing and administrative access through Microsoft Intune" [4]. The technique is brutally efficient: no custom malware needs to reach endpoints, no antivirus evasion is required, and no lateral movement to individual machines is necessary. The management plane itself becomes the weapon.
Initial Access: Credential Compromise
Available evidence suggests the attackers gained their initial foothold through compromised credentials, consistent with Handala's established modus operandi [4][6]. In prior campaigns, the group targeted IT and service providers specifically to harvest credentials that could be reused against downstream targets [4]. Unit 42 explicitly calls out phishing as the primary identity exploitation vector [4].
In previous operations against Israeli entities, Handala used phishing emails written in perfect Hebrew to deliver malicious payloads [8]. The group has paired the commercially available infostealer Rhadamanthys (sold openly on darknet forums) with custom wiper malware, often disguising lures as software updates [6]. Whether Rhadamanthys or a similar credential-harvesting tool was used in the Stryker operation remains unconfirmed, but the group's reliance on credential theft as an initial access method is well documented.
Stryker filed a Form 8-K with the SEC acknowledging a cybersecurity incident affecting its Microsoft environment and activated its cybersecurity response plan [3].
Handala's Wiper Arsenal: Hatef and Hamsa
Handala maintains a custom wiper toolkit that has been deployed in prior campaigns against Israeli infrastructure. Cyble has observed the group using two distinct data wipers: Hamsa (targeting Linux systems) and Hatef (targeting Windows systems) [6]. Intezer's analysis of a previous Handala campaign ("Operation HamsaUpdate") confirmed that the Windows wiper is internally identified by the Persian name "Hatef," while the Linux variant carries the name "Hamsa" [8]. The campaign also used a second-stage loader coded in Delphi, internally named "Handala" [8].
These wipers are designed to be destructive, not to enable persistence or exfiltration. They overwrite data on targeted systems. In the Stryker operation, however, the attackers likely did not need to deploy Hatef or Hamsa at all. The Intune-based wipe commands achieved the same destructive outcome through legitimate administrative functionality.
This represents a tactical evolution. We assess that Handala's operators recognized the opportunity to achieve mass destruction through the management plane without the operational risk of deploying custom malware to 200,000 endpoints. The group retains its wiper capability for targets that lack centralized device management, but against organizations running Intune (or similar MDM platforms), the management console itself is the more efficient weapon.
IOC Table
| Type | Value | Context | Source |
|---|---|---|---|
| Malware | Hamsa | Linux data wiper used by Handala | [6] |
| Malware | Hatef | Windows data wiper used by Handala (Persian name) | [6][8] |
| Malware | Rhadamanthys | Commercial infostealer used by Handala for credential theft | [6] |
| Filename | Hatef.exe | Windows wiper binary | [8] |
| Filename | Handala.exe | Delphi-coded second-stage loader | [8] |
Note: No network-level IOCs (IPs, domains, URLs) were identified in available source material for this specific operation. The attack's reliance on legitimate Intune administrative commands means traditional network IOCs are unlikely to surface. The malware and filenames above are from prior Handala campaigns and are included for historical context.
MITRE ATT&CK Mapping
Securonix's analysis of the Stryker attack maps directly to three core techniques [7]:
| Technique ID | Name | Context |
|---|---|---|
| T1078 | Valid Accounts | Compromised administrator credentials used to access Intune console [4][7] |
| T1072 | Software Deployment Tools | Microsoft Intune abused to push remote wipe commands to managed devices [1][7] |
| T1485 | Data Destruction | Factory-reset wipe commands destroyed data across 200,000+ devices [5][7] |
Additional techniques consistent with Handala's documented TTPs from prior campaigns:
| Technique ID | Name | Context |
|---|---|---|
| T1566 | Phishing | Primary initial access vector for credential harvesting [4][8] |
| T1078.004 | Valid Accounts: Cloud Accounts | Cloud-based Intune admin access compromised [1][4] |
Detection and Hunting Guidance
This attack exploited legitimate administrative functionality, which makes detection significantly harder than a traditional malware-based wiper. Defenders should focus on several areas.
Intune and MDM Audit Logs
Monitor Microsoft Intune audit logs for mass wipe or retire commands. Any single account issuing wipe commands to more than a handful of devices in a short window should trigger an immediate alert. Baseline normal wipe activity (typically a few per week for lost/stolen devices) and flag statistical outliers.
Key log sources in Microsoft Endpoint Manager:
- DeviceManagementManagedDevices audit category: Wipe, Retire, and Fresh Start action types
- Filter for bulk operations or rapid sequential wipe commands from a single identity
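The bulk-wipe alert described above, as an added example that is not part of the original report: a per-actor sliding-window count over Intune-style audit events. The event field names and action-type strings are simplified assumptions, and the events are constructed for the demo; map them onto your own SIEM schema.

```python
"""Flag one identity issuing bulk wipe/retire/Fresh Start commands in a short window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Action types that destroy or unenroll a device (assumed names, adapt to your export).
DESTRUCTIVE_ACTIONS = {"wipeManagedDevice", "retire", "cleanWindowsDevice"}


def find_bulk_wipes(events, threshold=5, window=timedelta(minutes=15)):
    """Return one alert per actor whose destructive actions reach `threshold` inside `window`.

    Events are processed in time order with a per-actor deque holding only the
    timestamps still inside the window, so the check is O(n) and works on a stream.
    """
    recent = defaultdict(deque)  # actor -> timestamps within the current window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if ev["activityType"] not in DESTRUCTIVE_ACTIONS:
            continue  # sync, restart, policy edits etc. are not destructive
        actor, ts = ev["actor"], datetime.fromisoformat(ev["activityDateTime"])
        q = recent[actor]
        q.append(ts)
        while q and ts - q[0] > window:  # drop timestamps that aged out
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(actor, {"actor": actor, "first": q[0].isoformat()})
            alert["count"], alert["last"] = len(q), ts.isoformat()  # keep latest extent
    return list(alerts.values())


def sample_events():
    """Constructed audit events: one routine lost-laptop wipe, then a mass wipe."""
    base = datetime(2026, 3, 11, 6, 0, tzinfo=timezone.utc)

    def ev(actor, action, minutes, device):
        return {"actor": actor, "activityType": action,
                "activityDateTime": (base + timedelta(minutes=minutes)).isoformat(),
                "resources": [{"displayName": device}]}

    events = [ev("helpdesk@example.com", "wipeManagedDevice", 0, "LAPTOP-LOST-01"),
              ev("helpdesk@example.com", "syncDevice", 2, "LAPTOP-0042")]
    # Six wipes from a single admin identity within three minutes.
    events += [ev("svc-intune-admin@example.com", "wipeManagedDevice", 30 + i * 0.5, f"WS-{i:04d}")
               for i in range(6)]
    return events


if __name__ == "__main__":
    for a in find_bulk_wipes(sample_events()):
        print(f"ALERT {a['actor']}: {a['count']} destructive actions {a['first']} .. {a['last']}")
```

Tune `threshold` from your own baseline of weekly lost/stolen wipes; the helpdesk single wipe above stays below it while the six-device burst is flagged.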
Azure AD / Entra ID Sign-In Anomalies
Look for suspicious sign-ins to Intune admin accounts. Focus on:
- Sign-ins from unexpected geographies, particularly from VPN exit nodes or hosting providers
- Impossible travel scenarios (same account authenticating from two distant locations in a short window)
- Sign-ins that bypass MFA or use legacy authentication protocols
- New admin account creation followed by immediate privileged actions
Conditional Access and Privileged Identity Management
Organizations that have not implemented Privileged Identity Management (PIM) for Intune admin roles should treat this as an urgent gap. Just-in-time access elevation with approval workflows would have forced the attackers to clear an additional barrier. Conditional Access policies should restrict Intune admin access to compliant, managed devices from known network locations.
Credential Theft Indicators
Given Handala's reliance on phishing and infostealers like Rhadamanthys [6], monitor for:
- Rhadamanthys C2 traffic patterns (typically HTTPS to dynamic DNS domains)
- Suspicious email attachments or links disguised as software updates [8]
- Credential dumps or token theft from endpoint detection tools
Network Segmentation of Management Planes
The management plane (Intune, SCCM, other MDM solutions) should be treated as a Tier 0 asset. Access to these consoles warrants the same protections as domain controller access: separate admin workstations, phishing-resistant MFA, and aggressive session timeout policies.
Analysis
This operation represents a significant tactical shift for Handala. Prior campaigns relied on deploying custom wiper malware (Hatef, Hamsa) to individual endpoints [6][8]. The Stryker attack achieved the same destructive outcome, at far greater scale, by compromising the management plane rather than the endpoints themselves. We assess with moderate confidence that this technique will be replicated by other destructive threat actors, both state-sponsored and criminal, in the near term. The efficiency is too attractive to ignore.
The real-world impact on medical infrastructure is particularly concerning. The disruption of Stryker's Lifenet EMS platform, which transmits electrocardiogram data from ambulances to hospitals, created a direct patient safety risk [1]. This moves the attack beyond corporate IT disruption into the realm of attacks on critical healthcare infrastructure.
Handala's target selection almost certainly reflects a deliberate escalation tied to the ongoing U.S.-Israel-Iran conflict. Stryker's OrthoSpace acquisition and its Defense Department contracts made it a symbolically rich target [3][7]. We assess with high confidence that additional U.S. companies with Israeli business ties or U.S. defense contracts are at elevated risk of similar targeting in the coming weeks, particularly those using centralized device management platforms.
The broader lesson for defenders is stark: cloud-based device management platforms are single points of catastrophic failure. An Intune admin account with global wipe permissions is, functionally, a weapon of mass disruption. Organizations should immediately review their MDM admin account security posture, implement phishing-resistant MFA (FIDO2 or certificate-based), enforce PIM for all MDM admin roles, and establish behavioral alerting on bulk device management actions.
CISA's investigation is ongoing [3]. Given the scale of this incident and its connection to an active military conflict, additional technical details and attribution analysis will likely emerge in the coming days.
References
1. SecureWorld. "Iran-Linked Hacktivist Group Hits Stryker in Destructive Wiper Attack." https://www.secureworld.io/industry-news/iran-linked-hacktivist-group-weaponizes-microsoft-intune-in-destructive-wiper-attack-on-stryker
2. NBC News. "Iran appears to have conducted a significant cyberattack against a U.S. company, a first since the war started." https://www.nbcnews.com/world/iran/iran-appears-conducted-significant-cyberattack-us-company-first-war-st-rcna263084
3. Nextgov. "CISA launches investigation into Stryker cyberattack." https://www.nextgov.com/cybersecurity/2026/03/cisa-launches-investigation-stryker-cyberattack/412079/
4. Palo Alto Networks Unit 42. "Insights: Increased Risk of Wiper Attacks." https://unit42.paloaltonetworks.com/handala-hack-wiper-attacks/
5. Krebs on Security. "Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker." https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
6. The Cyber Express. "Who Is Handala: The Iran-Linked Ghost Group That Just Wiped 200K Stryker Devices." https://thecyberexpress.com/who-is-handala-hackers-in-stryker-cyberattack/
7. Securonix. "Iran-backed Handala wiper attack devastates Stryker globally." https://connect.securonix.com/threat-research-intelligence-62/iran-backed-handala-wiper-attack-devastates-stryker-globally-230
8. Intezer. "Operation HamsaUpdate: A Sophisticated Campaign Delivering Wipers Puts Israeli Infrastructure at Risk." https://intezer.com/blog/stealth-wiper-israeli-infrastructure/