← back to blog
Threat Intel

The Stryker Wiper Attack: What Every SMB Must Do About Microsoft Intune

0x3 Security threat brief — Iran-linked Handala wiper attack on Stryker via Microsoft Intune

On March 11, 2026, Stryker Corporation — a Fortune 500 medical device maker that reported roughly $25 billion in 2025 revenue and employs about 56,000 people, operating in 61 countries — went dark. Workers around the world found their screens replaced by the logo of an Iranian hacktivist group called Handala. No malware. No ransomware. Nothing traditional antivirus would catch.

Instead, the attackers compromised Stryker's Microsoft Intune environment — the cloud tool companies use to manage and enforce policy on devices — and issued a remote wipe command against connected devices. Stryker confirmed "a global network disruption to our Microsoft environment as a result of a cyberattack," with "no indication of ransomware or malware." Handala claimed it wiped more than 200,000 systems, servers, and mobile devices, exfiltrated 50 terabytes of data, and forced offices in 79 countries offline — figures that are the attacker's own claims and remain unverified. Employees were sent home and updated over WhatsApp; anyone with Stryker's Outlook on a personal phone had that device wiped too.

Who is Handala

Handala presents as a grassroots pro-Palestinian movement. Don't be fooled by the branding. Multiple threat-intelligence firms assess it as an online persona of Void Manticore, a destructive-operations unit tied to Iran's Ministry of Intelligence and Security. Its toolkit spans phishing, custom wiper malware, ransomware-style extortion, data theft, and hack-and-leak activity. Palo Alto Networks Unit 42 describes Handala's recent activity as "opportunistic and 'quick and dirty,'" with a focus on supply-chain footholds through IT and service providers to reach downstream victims. Opportunistic means they aren't only hunting specific companies with months of recon — they're scanning for open doors, and small businesses leave a lot of them open.

Why your SMB is now a target

Per the Verizon 2025 DBIR, SMBs are breached roughly 4× as often as large organizations, 46% of all breaches hit organizations under 1,000 employees, and 88% of SMB breaches involve ransomware. Large enterprises have SOC teams and rehearsed IR plans; many SMBs have a part-time IT contractor and a Microsoft 365 subscription on default settings. There's also a supply-chain multiplier — compromising one small business can provide access to its larger clients. And the vector used against Stryker, Microsoft Intune, is one of the most common endpoint-management tools in SMB Microsoft 365 environments. Because Intune is a trusted native Microsoft tool, an attacker weaponizing it to issue mass wipes wouldn't trigger traditional endpoint detection. Your antivirus sees nothing. Your SIEM sees nothing. Then everything is gone.

The geopolitical context

This isn't just hacktivism noise. Iran's IRGC has publicly warned that US- and Israeli-linked economic centers and banks are now considered legitimate targets, and analysts assess that recent escalations more likely mark the beginning of a new phase of cyber escalation than its end. CISA is actively investigating the Stryker incident. The conflict is ongoing; this wave is not over.

What you need to do this week

  1. Lock down Microsoft admin credentials — today. Every Global Admin and Intune Admin account needs phishing-resistant MFA (hardware keys or passkeys, not SMS). One compromised credential is all it takes.
  2. Restrict who can issue remote wipes. Review Intune permissions, require a second administrator's approval for mass device actions, and flag anomalous admin behavior with conditional access.
  3. Verify backups actually restore. Follow 3-2-1 (3 copies, 2 media types, 1 offsite) and test your recovery time.
  4. Run phishing-awareness training now. Credential phishing is the access vector. One click can hand over the keys to your Microsoft environment.
  5. Build an offline communication plan. If systems went dark today, how would your team communicate and serve customers?
  6. Audit vendor and third-party access. Every vendor login is exposure. Segment so a compromised vendor doesn't get the keys to the whole house.
  7. Deploy EDR. Traditional AV won't catch living-off-the-land attacks; EDR watches for unusual admin commands, mass device actions, and lateral movement.

The bottom line

The Stryker attack wasn't an exotic nation-state exploit. It was a compromised cloud admin credential plus a legitimate Microsoft feature. If that can take down a $25 billion corporation, your business isn't too small to be hit — you're just easier to hit. Geopolitical conflict is now your cybersecurity problem whether you engaged with it or not.

Is your Microsoft environment hardened against this attack pattern? If you're not sure whether your Intune and admin access could be abused this way, we'll tell you — and help you fix it.

References & further reading

  1. Krebs on Security — Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker.
  2. TechCrunch — Stryker restoring systems after pro-Iran hackers wiped employee devices; CISA urges Intune hardening.
  3. Cybersecurity Dive — Stryker attack raises concerns about Microsoft Intune.
  4. Palo Alto Networks Unit 42 — Handala / Void Manticore assessment.
$ ./read_next
Managed Defense

Best EDR for Small Business in 2026: A Pentester's Honest Comparison

I've used all of them — and broken through networks protected by all of them. An honest pentester's comparison of Defender, Huntress, SentinelOne, and CrowdStrike for small business.