Iran-Backed Hackers Wipe 200,000 Stryker Devices Using Microsoft Intune

Medical technology company Stryker hit by an Iran-backed wiper cyberattack that used Microsoft Intune

An Iran-backed hacktivist group called Handala is claiming responsibility for a devastating wiper attack against Stryker, a $25 billion medical technology company based in Michigan. The group says it erased data from more than 200,000 systems, servers, and mobile devices across Stryker's offices in 79 countries. More than 5,000 workers in Ireland, Stryker's largest hub outside the U.S., were sent home.

How They Did It: Microsoft Intune as a Weapon

According to Krebs on Security, the attackers appear to have used Microsoft Intune, a cloud-based IT management tool, to issue a "remote wipe" command against all connected devices. Intune is designed to let IT teams enforce security policies and remotely manage devices. In this case, the attackers turned it into their weapon, wiping employee devices, including personal phones that had Microsoft Outlook installed.

Stryker employees reported being told to uninstall Intune urgently. Staff are now communicating via WhatsApp, and login pages on wiped devices have been defaced with the Handala logo.
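The defensive counterpart to the scenario above is spotting a burst of wipe commands before it finishes. The following is an added example, not code from the article, from Stryker or from Microsoft: it scans constructed, JSON-lines device-management audit events and alerts when one actor issues wipe or retire commands against many devices in a short window. The field names (ts, actor, action, device) and action names are assumptions for illustration; a real Intune audit export uses its own schema.

```python
"""Flag bulk remote-wipe activity in device-management audit events."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample audit lines (one JSON object per line). Field names are an
# assumption for this example, not Intune's actual audit-log schema.
SAMPLE_LOG = """\
{"ts": "2026-03-02T08:00:05Z", "actor": "svc-mdm@example.com", "action": "wipe", "device": "D-1001"}
{"ts": "2026-03-02T08:00:07Z", "actor": "svc-mdm@example.com", "action": "wipe", "device": "D-1002"}
{"ts": "2026-03-02T08:00:09Z", "actor": "svc-mdm@example.com", "action": "wipe", "device": "D-1003"}
{"ts": "2026-03-02T08:00:12Z", "actor": "svc-mdm@example.com", "action": "wipe", "device": "D-1004"}
{"ts": "2026-03-02T08:00:15Z", "actor": "svc-mdm@example.com", "action": "wipe", "device": "D-1005"}
{"ts": "2026-03-02T08:00:20Z", "actor": "svc-mdm@example.com", "action": "wipe", "device": "D-1006"}
{"ts": "2026-03-02T09:15:00Z", "actor": "helpdesk@example.com", "action": "wipe", "device": "D-2200"}
{"ts": "2026-03-02T09:16:00Z", "actor": "helpdesk@example.com", "action": "sync", "device": "D-2201"}
"""

WIPE_ACTIONS = {"wipe", "retire"}  # assumed names for destructive device commands

def parse_events(log_text):
    """Parse JSON-lines audit text into dicts whose 'ts' is a datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def find_bulk_wipes(events, threshold=5, window=timedelta(minutes=10)):
    """Return (actor, total_wipes, window_start) for every actor whose wipe/retire
    commands reach `threshold` inside any sliding `window`; one alert per actor."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev.get("action") in WIPE_ACTIONS:
            per_actor[ev["actor"]].append(ev["ts"])
    alerts = []
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((actor, len(times), times[start]))
                break
    return alerts

if __name__ == "__main__":
    for actor, count, since in find_bulk_wipes(parse_events(SAMPLE_LOG)):
        print(f"ALERT: {actor} issued {count} wipe/retire commands starting {since:%H:%M:%S}")
```

A single wipe from the helpdesk account stays below the threshold, while the service account's six wipes in fifteen seconds trigger the alert; in practice the threshold should be tuned to the tenant's normal offboarding volume.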

Real-World Supply Chain Impact

Stryker is a major supplier of surgical equipment to hospitals across the United States. Healthcare professionals report being unable to order surgical supplies through Stryker. Several hospitals have disconnected from Stryker's online services, including LifeNet, which paramedics use to transmit EKGs to emergency physicians.

The American Hospital Association says it is monitoring the situation but has not yet confirmed direct impacts to U.S. hospitals.

Who Is Handala?

Palo Alto Networks links Handala to Iran's Ministry of Intelligence and Security (MOIS). The group said the attack was in retaliation for a Feb. 28 missile strike that hit an Iranian school and killed at least 175 people, most of them children. The New York Times reports that a military investigation has determined the U.S. is responsible for the strike.

The Bottom Line

This is not a typical ransomware attack where data is encrypted for a payout. This is a wiper attack designed to destroy, not extort. The fact that the attackers used Microsoft's own device management tool to execute the wipe raises serious questions about how organizations secure their cloud management platforms. When the tool designed to protect your devices is the same tool used to destroy them, your security model has a fundamental problem.