The Stryker Wiper Attack: What Every SMB Must Do About Microsoft Intune
By Paul Nieto IIIMar 17, 20269 min read
On March 11, 2026, Stryker Corporation — a Fortune 500 medical device maker that reported roughly $25 billion in 2025 revenue and employs about 56,000 people, operating in 61 countries — went dark. Workers around the world found their screens replaced by the logo of an Iranian hacktivist group called Handala. No malware. No ransomware. Nothing traditional antivirus would catch.
Instead, the attackers compromised Stryker's Microsoft Intune environment — the cloud tool companies use to manage and enforce policy on devices — and issued a remote wipe command against connected devices. Stryker confirmed "a global network disruption to our Microsoft environment as a result of a cyberattack," with "no indication of ransomware or malware." Handala claimed it wiped more than 200,000 systems, servers, and mobile devices, exfiltrated 50 terabytes of data, and forced offices in 79 countries offline — figures that are the attacker's own claims and remain unverified. Employees were sent home and updated over WhatsApp; anyone with Stryker's Outlook on a personal phone had that device wiped too.
Who is Handala
Handala presents as a grassroots pro-Palestinian movement. Don't be fooled by the branding. Multiple threat-intelligence firms assess it as an online persona of Void Manticore, a destructive-operations unit tied to Iran's Ministry of Intelligence and Security. Its toolkit spans phishing, custom wiper malware, ransomware-style extortion, data theft, and hack-and-leak activity. Palo Alto Networks Unit 42 describes Handala's recent activity as "opportunistic and 'quick and dirty,'" with a focus on supply-chain footholds through IT and service providers to reach downstream victims. Opportunistic means they aren't only hunting specific companies with months of recon — they're scanning for open doors, and small businesses leave a lot of them open.
Why your SMB is now a target
Per the Verizon 2025 DBIR, SMBs are breached roughly 4× as often as large organizations, 46% of all breaches hit organizations under 1,000 employees, and 88% of SMB breaches involve ransomware. Large enterprises have SOC teams and rehearsed IR plans; many SMBs have a part-time IT contractor and a Microsoft 365 subscription on default settings. There's also a supply-chain multiplier — compromising one small business can provide access to its larger clients. And the vector used against Stryker, Microsoft Intune, is one of the most common endpoint-management tools in SMB Microsoft 365 environments. Because Intune is a trusted native Microsoft tool, an attacker weaponizing it to issue mass wipes wouldn't trigger traditional endpoint detection. Your antivirus sees nothing. Your SIEM sees nothing. Then everything is gone.
The geopolitical context
This isn't just hacktivism noise. Iran's IRGC has publicly warned that US- and Israeli-linked economic centers and banks are now considered legitimate targets, and analysts assess that recent escalations more likely mark the beginning of a new phase of cyber escalation than its end. CISA is actively investigating the Stryker incident. The conflict is ongoing; this wave is not over.
What you need to do this week
Lock down Microsoft admin credentials — today. Every Global Admin and Intune Admin account needs phishing-resistant MFA (hardware keys or passkeys, not SMS). One compromised credential is all it takes.
Restrict who can issue remote wipes. Review Intune permissions, require a second administrator's approval for mass device actions, and flag anomalous admin behavior with conditional access.
Verify backups actually restore. Follow 3-2-1 (3 copies, 2 media types, 1 offsite) and test your recovery time.
Run phishing-awareness training now. Credential phishing is the access vector. One click can hand over the keys to your Microsoft environment.
Build an offline communication plan. If systems went dark today, how would your team communicate and serve customers?
Audit vendor and third-party access. Every vendor login is exposure. Segment so a compromised vendor doesn't get the keys to the whole house.
Deploy EDR. Traditional AV won't catch living-off-the-land attacks; EDR watches for unusual admin commands, mass device actions, and lateral movement.
The bottom line
The Stryker attack wasn't an exotic nation-state exploit. It was a compromised cloud admin credential plus a legitimate Microsoft feature. If that can take down a $25 billion corporation, your business isn't too small to be hit — you're just easier to hit. Geopolitical conflict is now your cybersecurity problem whether you engaged with it or not.
Is your Microsoft environment hardened against this attack pattern? If you're not sure whether your Intune and admin access could be abused this way, we'll tell you — and help you fix it.