Critical Severity | Cyberattack | International | Mass Casualty

Iran-Linked Handala Group Executes Mass Wiper Attack on Stryker Corporation, Disrupting Medical Supply Chain

2026-03-11

On March 11, 2026, an Iran-linked hacktivist group operating under the name Handala executed a devastating wiper attack against Stryker Corporation, one of the world's largest medical device manufacturers, headquartered in Portage, Michigan. The attack abused a native feature of Microsoft Intune, the enterprise device management platform: its remote device wipe capability. This allowed the threat actors to remotely erase data from more than 200,000 employee devices, including servers, laptops, and mobile phones, across Stryker's operations in 79 countries without deploying traditional malware or ransomware.

Handala, which U.S. cybersecurity firm Palo Alto Networks has assessed is a persona maintained by Void Manticore, a group affiliated with Iran's Ministry of Intelligence and Security (MOIS), claimed the attack was retaliation for a February 28 U.S. airstrike on an elementary school in Minab, Iran. The group also alleged theft of 50 terabytes of sensitive corporate data prior to the wipe operation.

The attack triggered immediate downstream consequences for U.S. healthcare infrastructure. Maryland's Institute for Emergency Medical Services Systems issued an urgent notice to hospitals statewide after Stryker's Lifenet electrocardiogram transmission platform became non-functional across most of the state. Emergency medical clinicians were directed to revert to radio consultation and verbal communication with receiving hospitals. Court documents filed in a subsequent DOJ affidavit described the attack as having "a direct impact on emergency medical services and hospitals within Maryland." Some hospitals temporarily severed connections to Stryker systems out of caution. Stryker's manufacturing and global distribution operations were also disrupted, prompting supply shortages that led to surgical cancellations at multiple facilities.

The company engaged Palo Alto Networks Unit 42 for incident response and coordinated with the FBI, CISA, HHS, and the White House National Cyber Director. By late March, Stryker had restored core manufacturing and order-fulfillment systems. The incident represents the first confirmed major Iranian-linked destructive cyberattack on a U.S. critical supply chain entity since the commencement of Operation Epic Fury on February 28, 2026.

// Source

Krebs on Security

ThreatMap USA summarizes publicly available reports for informational purposes.

// Incident Details

Incident Date: 2026-03-11
County: Kalamazoo County
State: Michigan
Severity: Critical
Incident Type: Cyberattack, International, Mass Casualty
Published: April 5, 2026
Source: Krebs on Security