RC RANDOM CHAOS

Iran-Linked Handala Hackers Wipe 200K Stryker Devices via Microsoft Intune

· via Krebs on Security

Original source

Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker


A MOIS-affiliated hacktivist group called Handala claimed a destructive wiper attack against medical device giant Stryker, forcing the company to send home over 5,000 workers in Ireland and triggering a building emergency declaration at its Michigan headquarters. The group claims to have erased data from more than 200,000 systems across 79 countries, with employees reporting that devices with Microsoft Outlook installed were remotely wiped — including personal phones.

The attack vector appears to be Microsoft Intune, the cloud-based device management platform. Rather than deploying custom malware, the attackers likely obtained admin credentials to Intune’s management console and issued a legitimate remote-wipe command fleet-wide. Stryker employees were reportedly told to uninstall Intune urgently, corroborating this vector. Handala framed the attack as retaliation for a Tomahawk missile strike on an Iranian school that killed 175 people, and justified targeting Stryker partly through its 2019 acquisition of Israeli firm OrthoSpace.
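A defender-side check for the pattern described above, where one admin account issues wipe commands against many devices in a short period. This is an added example, not code from Krebs on Security or Microsoft; the event schema, action labels, account names and thresholds are constructed assumptions, not Intune's actual audit log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records in a simplified schema (an assumption for this
# example, not Intune's real export format).
SAMPLE_EVENTS = [
    {"time": "2025-01-01T09:00:00", "actor": "helpdesk@example.test", "action": "wipe", "device": "dev-001"},
    {"time": "2025-01-01T09:01:00", "actor": "helpdesk@example.test", "action": "wipe", "device": "dev-001"},
    {"time": "2025-01-01T13:30:00", "actor": "helpdesk@example.test", "action": "wipe", "device": "dev-002"},
    {"time": "2025-01-01T02:00:00", "actor": "admin2@example.test", "action": "sync", "device": "dev-100"},
] + [
    {"time": f"2025-01-01T02:0{i}:00", "actor": "admin2@example.test", "action": "wipe", "device": f"dev-10{i}"}
    for i in range(1, 7)
]

DESTRUCTIVE_ACTIONS = {"wipe", "retire"}  # assumed labels for destructive actions


def find_bulk_wipes(events, max_devices=3, window=timedelta(minutes=10)):
    """Flag actors that wipe more than max_devices distinct devices within window.

    Returns {actor: (time the threshold was first exceeded, peak device count)}.
    """
    recent = defaultdict(deque)  # actor -> (time, device) pairs inside the window
    alerts = {}
    parsed = [(datetime.fromisoformat(e["time"]), e) for e in events]
    for when, ev in sorted(parsed, key=lambda p: p[0]):
        if ev["action"].lower() not in DESTRUCTIVE_ACTIONS:
            continue
        queue = recent[ev["actor"]]
        queue.append((when, ev["device"]))
        while when - queue[0][0] > window:  # drop events older than the window
            queue.popleft()
        distinct = len({device for _, device in queue})  # repeat wipes count once
        if distinct > max_devices:
            first, peak = alerts.get(ev["actor"], (when, 0))
            alerts[ev["actor"]] = (first, max(peak, distinct))
    return alerts


if __name__ == "__main__":
    for actor, (first, peak) in find_bulk_wipes(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {peak} devices wiped within 10 min, threshold crossed at {first}")
```

The same sliding-window count works as a pre-execution control: a management workflow that requires a second approver once the threshold is crossed limits what a single compromised admin credential can do.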

The downstream healthcare impact is already materializing. At least one major U.S. university hospital reported inability to order surgical supplies through Stryker, and several hospitals proactively disconnected from Stryker’s LifeNet system — which enables paramedic-to-ER EKG transmission for cardiac patients. Maryland’s EMS director issued guidance for field protocols if ECG transmission remains unavailable. With Stryker supplying surgical equipment to virtually every U.S. hospital that performs operations, the attack has real potential to cascade into a broader healthcare supply chain disruption.


This is an AI-generated summary. Read the original for the full story.