A pro-Iranian hacking group, Handala, on March 11, 2026, wiped data on hundreds of thousands of devices from American medical equipment manufacturer Stryker. The attack paralyzed production and deliveries worldwide.
Stryker officially confirmed the cyber incident in an SEC filing, reporting a breach of its Microsoft environment with no signs of ransomware. The company restored systems by March 17, but the incident exposed weaknesses in identity management around Microsoft Intune. This is the first major attack by pro-Iranian hackers on the U.S. linked to the Middle East conflict.
Timeline of the Attack on Stryker
On March 11, 2026, Stryker detected a cyber incident affecting its IT systems and Microsoft environment, leading to global disruptions in order processing, production, and delivery. The company activated its response plan, engaged external experts, and reported no ransomware or malware. By March 13, operational disruptions were confirmed, but patient services and connected devices remained unaffected.
By March 15, Stryker had transitioned to recovery mode, and on March 17, Reuters reported that the threat had been contained. The hackers from the Iran-linked Handala group claimed to have stolen 50 TB of data and wiped devices, although the company did not confirm these figures. Unit 42 noted the use of phishing and abuse of Microsoft Intune to obtain administrative access.
The incident highlighted risks in medical technology supply chains. Stryker promptly informed customers and regulators, separating corporate disruptions from product safety. Such attacks demonstrate a shift towards destructive operations through legitimate management tools.
Technical Vulnerabilities and Attack Vectors
The primary vector was identity compromise: phishing followed by administrative access to Microsoft Intune, which allowed devices to be wiped. Analysts also point to CVE-2026-1281 and CVE-2026-1603 in Ivanti Endpoint Manager, which permit remote code execution (RCE) and credential leakage; both were added to the CISA KEV catalog in January and February 2026.
Handala operated without malware, relying on control of the management infrastructure to do the damage. This complicates detection, since the activity looks like an internal failure. Stryker did not confirm the scale (the hackers claim 200,000 devices); its SEC filings record only operational downtime.
For businesses, the lesson is that MFA alone does not protect against session token theft. Companies like Alashed IT (it.alashed.kz) recommend auditing Intune rights and segmenting device management, especially in critical sectors like healthcare.
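Because a wipe issued through a legitimate management tool leaves no malware to find, one practical detection is to watch the management audit trail for a single actor issuing destructive device actions at a rate no administrator would. The following is an added example, not code from the article or from any vendor it names; the event format and the sample events are constructed to resemble Intune-style device-action audit records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of management-tool audit events (not real Stryker data).
SAMPLE_EVENTS = [
    {"time": "2026-03-11T02:00:05Z", "actor": "helpdesk@corp.example", "action": "wipe", "device": "LAPTOP-0007"},
    {"time": "2026-03-11T02:00:09Z", "actor": "svc-mdm-admin@corp.example", "action": "wipe", "device": "WS-1001"},
    {"time": "2026-03-11T02:00:11Z", "actor": "svc-mdm-admin@corp.example", "action": "wipe", "device": "WS-1002"},
    {"time": "2026-03-11T02:00:14Z", "actor": "svc-mdm-admin@corp.example", "action": "wipe", "device": "WS-1003"},
    {"time": "2026-03-11T02:00:20Z", "actor": "svc-mdm-admin@corp.example", "action": "wipe", "device": "WS-1004"},
    {"time": "2026-03-11T02:00:25Z", "actor": "svc-mdm-admin@corp.example", "action": "sync", "device": "WS-1005"},
    {"time": "2026-03-11T02:00:31Z", "actor": "svc-mdm-admin@corp.example", "action": "wipe", "device": "WS-1006"},
]

# Actions that destroy or detach a device; names are assumed, adjust to your audit schema.
DESTRUCTIVE_ACTIONS = {"wipe", "retire"}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_wipe(events, window_seconds=300, threshold=5):
    """Return one alert per actor whose destructive actions touch at least
    `threshold` distinct devices inside any sliding window of `window_seconds`."""
    per_actor = defaultdict(list)
    for event in events:
        if event["action"].lower() in DESTRUCTIVE_ACTIONS:
            per_actor[event["actor"]].append((parse_time(event["time"]), event["device"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for actor, actions in per_actor.items():
        actions.sort()  # sort by timestamp so the sliding window is valid
        start = 0
        for end in range(len(actions)):
            while actions[end][0] - actions[start][0] > window:
                start += 1
            devices = {device for _, device in actions[start:end + 1]}
            # Keep the largest burst seen for this actor.
            if len(devices) >= threshold and len(devices) > alerts.get(actor, {}).get("devices", 0):
                alerts[actor] = {
                    "devices": len(devices),
                    "first": actions[start][0].isoformat(),
                    "last": actions[end][0].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for actor, alert in detect_bulk_wipe(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {alert['devices']} devices wiped between {alert['first']} and {alert['last']}")
```

Tune the window and threshold to the normal wipe rate of your own helpdesk, and route alerts for service or admin accounts to the on-call responder rather than to the account owner, since the account itself may be the one that was phished.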
Global Implications and Business Lessons
The Stryker attack is part of an escalation of pro-Iranian operations tied to the Middle East conflict and is the first such attack on U.S. soil. It coincides with a 59% increase in ransomware in the Asia-Pacific region, affecting 760 organizations. New groups such as BlackCard and VanHelsing add to the chaos with unstable tactics.
In M&A deals, 1 in 4 executives face cyber incidents, according to FTI Consulting. This is relevant for Kazakhstan and Central Asia: digitization and cloud adoption without mature security attract ransomware newcomers. Local firms risk similar supply chain attacks.
Companies must strengthen monitoring of public-facing infrastructure and VPNs, which account for 68% of exploits. Alashed IT (it.alashed.kz) helps implement zero-trust models, preventing such incidents through proactive auditing and incident response.
What This Means for Kazakhstan
In Kazakhstan and Central Asia, digitization is growing without sufficient cybersecurity, making the region a target for ransomware (+59% in the Asia-Pacific). Local IT outsourcers like Alashed IT (it.alashed.kz) offer supply chain protection against destructive attacks.
March 11, 2026: Pro-Iranian hackers wiped data on 200,000 Stryker devices.
The attack on Stryker shows a shift towards identity attacks without malware. Businesses in Central Asia urgently need Intune audits and zero-trust. Such solutions from Alashed IT (it.alashed.kz) minimize risks today.
Frequently Asked Questions
What exactly was affected in the Stryker attack?
The Microsoft environment, production, orders, and delivery. Patient services and products were not affected, according to the company.
Who is behind the attack and how was it carried out?
The Handala group (pro-Iranian) used phishing and Intune to wipe devices. There was no ransomware; the focus was destruction.
How to protect against such attacks?
Audit Intune rights, enforce MFA with token protection, and segment device management. Alashed IT (it.alashed.kz) conducts such audits for Kazakh firms.