Iranian Handala Hacktivists Deploy Wiper Malware Against Medical Device Giant Stryker

Iran-linked hacktivist group Handala has claimed responsibility for a devastating wiper malware attack against Stryker Corporation, a Fortune 500 medical technology company with over 53,000 employees and $22.6 billion in annual sales.

Attack Scale and Impact

According to Handala’s claims and corroborating employee reports, the attack resulted in:

  • 50 terabytes of critical data exfiltrated
  • 200,000+ systems, servers, and mobile devices wiped
  • Offices in 79 countries forced to shut down
  • Company’s Entra login page defaced with Handala logo

The attack began in the early morning hours when devices enrolled in Stryker’s mobile device management (MDM) system were remotely wiped. Employees reported that personal phones enrolled for corporate access also had their data erased during the device resets.

Operational Disruption

Staff were instructed to remove all corporate management applications from personal devices, including:

  • Microsoft Intune Company Portal
  • Microsoft Teams
  • VPN clients

The disruption forced some locations to revert to “pen and paper” workflows after internal systems became unavailable. Stryker confirmed to employees in Cork, Ireland: “We are experiencing a severe, global disruption impacting all Stryker laptops and systems that connect to our network.”

Handala: MOIS-Linked Threat Actor

Handala (also known as Handala Hack Team, Hatef, Hamsa) is a hacktivist operation linked to Iran’s Ministry of Intelligence and Security (MOIS) that emerged in December 2023. The group primarily targets Israeli organizations with destructive malware designed to wipe Windows and Linux systems.

The group is known for:

  • Deploying wiper malware against perceived adversaries
  • Exfiltrating sensitive data before destruction
  • Publishing stolen data on their leak portals
  • Operating with apparent state sponsorship from Iranian intelligence

Why This Matters

This attack demonstrates the expanding scope of Iranian cyber operations against Western critical infrastructure. Targeting a major medical device manufacturer—whose products are used in surgical and neurotechnology applications globally—represents a significant escalation beyond traditional targets.

Organizations should be aware that:

  • MDM compromise can enable mass device wiping
  • Iranian threat actors are increasingly targeting healthcare sector organizations
  • Wiper attacks aim for maximum disruption rather than financial gain
  • BYOD policies can expose personal devices to enterprise-level attacks
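One defensive check that follows from the first point above, as an added example that is not from the article nor from any Stryker or Microsoft tooling: it scans MDM audit records for a single actor issuing wipe-class actions against many distinct devices inside a short window, which is the pattern a mass remote wipe leaves behind. The record shape, the action names and the sample log are constructed assumptions, not Intune's real audit schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed action names for destructive remote commands (not a vendor schema).
WIPE_ACTIONS = {"wipe", "retire", "factoryReset"}


def parse_events(lines):
    """Parse one JSON audit record per line into (time, actor, action, device)."""
    events = []
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append((ts, rec["actor"], rec["action"], rec["device"]))
    return events


def detect_mass_wipe(lines, threshold=20, window=timedelta(minutes=15)):
    """Return {actor: peak_distinct_devices} for every actor that issued wipe-class
    actions against at least `threshold` distinct devices within any sliding window."""
    per_actor = defaultdict(list)
    for ts, actor, action, device in parse_events(lines):
        if action in WIPE_ACTIONS:
            per_actor[actor].append((ts, device))
    alerts = {}
    for actor, hits in per_actor.items():
        hits.sort()
        start, peak = 0, 0
        in_window = defaultdict(int)  # device -> occurrences inside the window
        for ts, device in hits:
            in_window[device] += 1
            while ts - hits[start][0] > window:  # slide the window forward
                old_dev = hits[start][1]
                in_window[old_dev] -= 1
                if in_window[old_dev] == 0:
                    del in_window[old_dev]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[actor] = peak
    return alerts


def _rec(offset_s, actor, action, device):
    """Build one constructed audit line offset_s seconds after 03:00 UTC."""
    t = datetime(2024, 1, 1, 3, 0, tzinfo=timezone.utc) + timedelta(seconds=offset_s)
    return json.dumps({"time": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "actor": actor,
                       "action": action, "device": device})


# Constructed sample: one service account wipes 150 laptops two seconds apart
# overnight, while the helpdesk wipes a single lost phone hours later.
SAMPLE_LOG = [_rec(i * 2, "svc-mdm-admin", "wipe", f"laptop-{i:04d}") for i in range(150)]
SAMPLE_LOG += [_rec(6 * 3600, "helpdesk", "wipe", "phone-lost-1"),
               _rec(6 * 3600 + 30, "helpdesk", "sync", "phone-0200")]
```

Feed real records in the same shape (or adapt `parse_events` to the audit export you have) and alert on the returned actors; the lone helpdesk wipe stays below threshold by design.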

Stryker is currently working with Microsoft to investigate and restore systems amid the ongoing global outage.

Source: BleepingComputer