On March 11, 2026, U.S. medical technology company Stryker Corporation disclosed a cyber attack that disrupted its global internal networks and Microsoft systems, leaving thousands of employees unable to access corporate systems and rendering devices inoperable. In its SEC filing, Stryker stated it has no indication of ransomware or malware, considers the incident contained, and is assessing the full impact, with no timeline provided for full restoration.
Before the filing, employees reported some managed devices were wiped or rendered unusable, and certain login pages were defaced with threat actor logos. Open-source reporting indicates the perpetrators may have used Microsoft Intune to issue a remote wipe command against connected devices.
Handala, an Iran‑linked threat persona, claimed responsibility for the incident, alleging a destructive wiper‑style operation with system wipes and data exfiltration tied to recent geopolitical events. Stryker has not verified these claims, confirmed any method of compromise, or observed impact beyond its own systems, and its investigation continues.
Handala
Handala is an Iran‑linked threat persona first reported in late 2023. Handala has conducted politically motivated cyber operations, including system wiping and disruptive attacks against targets in Israel, Gulf states, and Western organizations, often framed as retaliation for military or geopolitical events. Since the recent Iran/Israel/US escalation, Handala has claimed attacks like the Stryker outage and activity against Israeli entities. Its campaigns frequently blend destructive tactics with ideological messaging.
Recommendations
Enforce Multi‑Admin Approval for High-Impact Intune Operations
While the root cause of the Stryker incident has not been confirmed, requiring a second approver introduces a critical human checkpoint that can prevent misconfigured, malicious, or erroneous changes from propagating across an organization. Configure Microsoft Intune’s access policies to require a second authorized administrator to approve high-impact Intune operations, such as remote wipe, bulk policy deployments, or compliance policy changes. (Microsoft Intune Documentation)
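A complementary detection check for the approval requirement above, added here as an example and not taken from the bulletin, Arctic Wolf, or Microsoft: it scans exported Intune audit records and flags any single account that wipes many distinct devices in a short window. The field names are modeled on the Microsoft Graph Intune auditEvent resource; the activity strings, accounts, device IDs, and thresholds are constructed assumptions to confirm against your own tenant's export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_ACTIVITY = "wipe ManagedDevice"  # assumed activity label; verify in your audit export


def _event(ts, upn, device, activity=WIPE_ACTIVITY):
    """Build one constructed audit record (hypothetical helper for the sample data)."""
    return {"activityDateTime": ts, "activityType": activity,
            "actor": {"userPrincipalName": upn}, "resources": [{"resourceId": device}]}


# Constructed sample: routine single wipes, five retries against one device,
# one burst across six devices, and one unrelated (non-wipe) action.
SAMPLE_EVENTS = (
    [_event("2026-01-05T09:00:00Z", "helpdesk@example.com", "dev-001"),
     _event("2026-01-05T10:00:00Z", "helpdesk@example.com", "dev-002")]
    + [_event(f"2026-01-05T11:00:{s:02d}Z", "helpdesk@example.com", "dev-003") for s in range(5)]
    + [_event(f"2026-01-05T12:0{m}:00Z", "admin2@example.com", f"dev-1{m:02d}") for m in range(6)]
    + [_event("2026-01-05T12:01:30Z", "admin2@example.com", "dev-200", "syncDevice ManagedDevice")]
)


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: (window_start, distinct_devices)} for the first window in which
    an actor wiped at least `threshold` distinct devices."""
    per_actor = defaultdict(list)
    for ev in events:
        if (ev.get("activityType") or "").lower() != WIPE_ACTIVITY.lower():
            continue
        ts = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        upn = (ev.get("actor") or {}).get("userPrincipalName") or "unknown"
        for res in ev.get("resources") or []:
            per_actor[upn].append((ts, res.get("resourceId")))
    alerts = {}
    for upn, hits in per_actor.items():
        hits.sort(key=lambda h: h[0])
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            devices = {dev for _, dev in hits[start:end + 1]}  # retries count once
            if len(devices) >= threshold:
                alerts[upn] = (hits[start][0], len(devices))
                break
    return alerts


if __name__ == "__main__":
    for actor, (since, count) in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {count} distinct devices wiped within 10 min of {since.isoformat()}")
```

Tune `threshold` and `window` to the volume of legitimate wipes in your environment, and route alerts to a team that can confirm whether the operations were approved.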
Monitor Stryker Updates
Details of the incident remain limited, and currently there is no indication of impact beyond Stryker. However, Arctic Wolf strongly recommends monitoring official updates from Stryker, as new information may emerge over time, potentially revealing changes in scope, additional affected systems, or further operational impacts.



