Full Report
Leading medical technology company Stryker has been hit by a wiper malware attack claimed by Handala, an Iranian-linked and pro-Palestinian hacktivist group. [...]
Analysis Summary
# Incident Report: Stryker Global Wiper Malware Attack
## Executive Summary
Stryker, a Fortune 500 medical technology giant, suffered a massive destructive cyberattack orchestrated by the Iranian-linked hacktivist group Handala. The attackers claim to have exfiltrated 50 terabytes of sensitive data before deploying wiper malware that neutralized approximately 200,000 systems, servers, and mobile devices globally. The incident has caused a total operational shutdown across 79 countries, forcing the company into a manual restoration phase.
## Incident Details
- **Discovery Date:** March 11, 2026
- **Incident Date:** March 2026 (Ongoing)
- **Affected Organization:** Stryker Corporation
- **Sector:** Healthcare / Medical Technology
- **Geography:** Global (Impact reported in US, Ireland, Costa Rica, Australia, and Asia)
## Timeline of Events
### Initial Access
- **Date/Time:** Early March 2026 (Specific timestamp undisclosed; occurred "in the middle of the night" for many regions).
- **Vector:** Undisclosed (Likely credential compromise or vulnerability exploitation).
- **Details:** Attackers gained high-level access to the enterprise environment, including Microsoft Entra (formerly Azure AD).
### Lateral Movement
- **Details:** Attackers moved across the global network, reaching servers and managed endpoints in 79 different countries.
### Data Exfiltration/Impact
- **Exfiltration:** Attackers claim to have extracted 50 TB of "critical data."
- **Impact:** Deployment of wiper malware targeting Windows and Linux systems. Over 200,000 devices, including mobile devices and servers, were wiped.
- **Defacement:** The company’s Entra login page was modified to display the Handala logo.
### Detection & Response
- **Discovery:** Detected via immediate and widespread system failures and device wipes.
- **Response Actions:** Stryker initiated a global shutdown of all laptops and systems connecting to the corporate network. Engagement with Microsoft for incident response is ongoing.
## Attack Methodology
- **Initial Access:** Not fully confirmed, but the defacement of Entra suggests identity provider compromise.
- **Persistence:** Likely via compromised administrative accounts.
- **Defense Evasion:** Use of wiper malware instead of ransomware (no decryption possible; focused on destruction).
- **Discovery:** Global network reconnaissance to identify 200,000+ endpoints.
- **Lateral Movement:** Automated deployment of wiping scripts/payloads across the global infrastructure.
- **Exfiltration:** 50 TB of data transferred to Handala's leak portals.
- **Impact:** Wiper malware used to render systems unbootable; remote wiping of mobile devices through MDM (Mobile Device Management) or similar hooks.
## Impact Assessment
- **Financial:** Global sales of $22.6B (2024) suggest significant daily revenue loss during the outage.
- **Data Breach:** High risk; 50 TB of sensitive data allegedly stolen.
- **Operational:** Severe disruption; offices in 79 countries closed; global manufacturing and administrative systems offline.
- **Reputational:** High-profile breach of a leading medical manufacturer; potential impact on healthcare providers relying on Stryker equipment.
## Indicators of Compromise
- **Network indicators:** handala-hack[.]to (Data leak site - defanged)
- **File indicators:** Destructive wiper malware (Windows and Linux variants).
- **Behavioral indicators:** Mass remote wiping of managed Windows and mobile devices; Entra ID login page defacement.
## Response Actions
- **Containment:** Intentional global network shutdown to prevent further spreading of the wiper.
- **Eradication:** Active engagement with Microsoft to identify and remove the root cause.
- **Recovery:** Restoration of tens of thousands of systems from backups (process ongoing).
## Lessons Learned
- **MDM/Identity Vulnerability:** The ability to wipe 200,000 devices simultaneously suggests the attackers gained "God Mode" access through centralized Identity (Entra) or Device Management (Intune/SCCM) platforms.
- **Hacktivism Evolution:** Pro-Palestinian/Iranian-linked groups (Handala) are shifting from simple defacement to massive, destructive data-wiping operations.
- **Backup Criticality:** When 200,000 devices are wiped, recovery speed depends entirely on the integrity and availability of offline/immutable backups.
## Recommendations
- **Immutable Backups:** Ensure all critical data is stored in a format that cannot be deleted or modified by compromised admin credentials.
- **Identity Security:** Implement strict Conditional Access policies and FIDO2-based MFA to protect Identity Providers (Entra ID).
- **Privileged Access Management (PAM):** Restrict "Global Admin" roles and use Just-In-Time (JIT) access to prevent a "single point of failure" for the entire global fleet.
- **Egress Monitoring:** Implement alerts for massive data transfers (e.g., TB-scale) to detect exfiltration before the final wiper payload is deployed.
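The two behaviours this report calls out as detectable, a burst of remote wipe commands issued through a central MDM/identity platform (the behavioral indicator and the "God Mode" lesson above) and TB-scale outbound transfer ahead of the wiper (the egress recommendation), share one sliding-window detector in this added example; it is not code from the report or from Stryker, the audit-log field names and action values are assumptions rather than a real Intune or flow-log schema, and all sample data is constructed.

```python
"""Sliding-window detectors for two behaviours in this report: a burst of remote
wipe commands from one MDM actor, and TB-scale egress from one host (samples constructed)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

WIPE_ACTIONS = {"Wipe", "Retire"}  # assumed MDM action names, not a real schema

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def window_peaks(events, window, threshold):
    """events: (ts, key, weight). Return {key: peak windowed sum} for every key
    whose weights summed over any `window` reach `threshold`."""
    q, tot, peaks = defaultdict(deque), defaultdict(int), {}
    for ts, key, w in sorted(events):
        q[key].append((ts, w))
        tot[key] += w
        while ts - q[key][0][0] > window:  # expire entries older than the window
            tot[key] -= q[key].popleft()[1]
        if tot[key] >= threshold:
            peaks[key] = max(peaks.get(key, 0), tot[key])
    return peaks

def wipe_events(lines):
    """Parse JSON audit lines; each wipe/retire command counts 1 for its actor."""
    for line in lines:
        try:
            e = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of crashing the detector
        if e.get("action") in WIPE_ACTIONS:
            yield _ts(e["ts"]), e["actor"], 1

def wipe_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    return window_peaks(wipe_events(lines), window, threshold)

def egress_alerts(flows, threshold=10**12, window=timedelta(hours=24)):
    # flows: (ts, src, dst, bytes_out) tuples; alert on the source's windowed byte sum
    return window_peaks(((_ts(t), src, b) for t, src, _dst, b in flows), window, threshold)

# Constructed samples: six wipes in five minutes from one service account, one routine
# retire hours later, a malformed line; fs01 pushes 1.2 TB in six hours while its
# 300 GB flow two days earlier has aged out of the 24 h window; ws07 is normal traffic.
MDM_LOG = [json.dumps({"ts": f"2026-03-11T02:1{i}:00Z", "actor": "svc-mdm@corp.example",
                       "action": "Wipe", "device": f"LT-{i:04d}"}) for i in range(6)]
MDM_LOG += [json.dumps({"ts": "2026-03-11T09:00:00Z", "actor": "helpdesk@corp.example",
                        "action": "Retire", "device": "LT-0099"}), "garbage line"]
FLOWS = [("2026-03-09T01:00:00Z", "fs01", "203.0.113.5", 300 * 10**9)]
FLOWS += [(f"2026-03-11T0{h}:00:00Z", "fs01", "203.0.113.5", 200 * 10**9) for h in range(6)]
FLOWS += [(f"2026-03-11T{h:02d}:00:00Z", "ws07", "198.51.100.9", 5 * 10**9) for h in range(0, 24, 4)]
```

Thresholds and windows are tuning knobs: a helpdesk retiring a few devices a day stays silent, while one identity issuing wipes to hundreds of devices in minutes, or one host pushing a terabyte in hours, trips the alert.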