
Hacktivist Group Handala Wipes Tens of Thousands of Stryker Employee Devices via Microsoft Intune

A hacktivist group linked to Iran breached Stryker’s Microsoft Intune environment, using a stolen Global Administrator account to remotely wipe roughly 80,000 employee devices and claim the exfiltration of 50 TB of corporate data. The attack halted electronic ordering systems across 79 countries, underscoring critical third‑party cloud‑admin risks for healthcare manufacturers.

🛡️ LiveThreat™ Intelligence · 📅 March 17, 2026 · 📰 securityaffairs.com
🟠 Severity: High · 🔓 Type: Breach · 🎯 Confidence: High · 🏢 Affected: 2 sector(s) · Actions: 4 recommended · 📰 Source: securityaffairs.com

Hacktivist Group Handala Wipes Tens of Thousands of Stryker Employee Devices via Microsoft Intune, Disrupting Global Operations

What Happened – A pro‑Palestinian hacktivist group identified as Handala (linked to Iran‑backed Void Manticore) compromised a privileged Global Administrator account in Stryker’s Microsoft Intune environment. Using the native “wipe” command, the attackers remotely erased data on roughly 80,000 employee devices and forced the shutdown of electronic ordering systems across 79 countries. The group also claims to have exfiltrated ~50 TB of corporate data, though verification is pending.

Why It Matters for TPRM

  • A single compromised cloud admin can disable an entire workforce, highlighting the need for strict privileged‑access controls on third‑party SaaS platforms.
  • Potential data exfiltration of massive volumes raises concerns about downstream supply‑chain exposure and regulatory breach reporting.
  • The incident shows that hacktivist actors can weaponize legitimate cloud management tools, bypassing traditional malware detection.

Who Is Affected – Healthcare‑technology manufacturers, hospitals and clinics that source devices or services from Stryker; any organization that relies on Microsoft Intune or similar MDM solutions for device management.

Recommended Actions

  • Review and tighten privileged‑access management (PAM) for all cloud‑based admin accounts, enforcing MFA and just‑in‑time elevation.
  • Conduct an audit of Microsoft Intune configurations and enable audit‑logging for admin actions.
  • Verify that no patient‑related data or connected medical devices were accessed; if any, initiate breach‑notification procedures.
  • Re‑evaluate third‑party risk contracts with Stryker and Microsoft, ensuring clauses for rapid incident response and data‑loss protection.

Technical Notes – The attackers leveraged stolen credentials to create a new Global Administrator account, then issued the Intune “wipe” command across the tenant. No malware or ransomware was deployed. Reported impact: ~80k devices wiped, electronic ordering systems offline, claimed 50 TB data exfiltration. Investigation led by Microsoft DART with support from Palo Alto Unit 42. Source: Security Affairs
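As an added example (not code from the brief, from Stryker or from Microsoft), the following Python sketch shows the kind of detection that the audit-logging recommendation above makes possible: it flags a Global Administrator role grant and a burst of Intune wipe commands from one actor inside a short window. The sample audit records, their field names, the actors and the thresholds are constructed assumptions, not Microsoft's actual audit schema or values from the incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs). The keys are assumptions
# loosely modelled on Entra ID / Intune audit records, not Microsoft's exact
# schema; map an actual audit export onto these fields before use.
_BASE = datetime(2026, 3, 1, 2, 0, 0)
_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _ts(dt):
    return dt.strftime(_FMT)

SAMPLE_EVENTS = (
    # a compromised helpdesk identity grants a fresh account Global Administrator
    [{"time": _ts(_BASE), "actor": "svc-helpdesk@example.com",
      "action": "Add member to role", "target": "Global Administrator",
      "member": "new-ga@example.com"}]
    # the newly privileged account wipes 60 devices in five minutes
    + [{"time": _ts(_BASE + timedelta(minutes=2, seconds=5 * i)),
        "actor": "new-ga@example.com", "action": "wipe",
        "target": f"LAPTOP-{i:04d}"} for i in range(60)]
    # normal IT activity: three offboarding wipes spread across a workday
    + [{"time": _ts(_BASE + timedelta(hours=h)), "actor": "it-admin@example.com",
        "action": "wipe", "target": f"LAPTOP-{900 + h}"} for h in (7, 10, 13)]
)

WIPE_THRESHOLD = 25            # this many wipes by one actor inside WINDOW is a burst
WINDOW = timedelta(minutes=10)

def detect(events, threshold=WIPE_THRESHOLD, window=WINDOW):
    """Return (alert_type, account, time) tuples for GA grants and wipe bursts."""
    alerts, wipes = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):   # ISO strings sort by time
        if e["action"] == "Add member to role" and e["target"] == "Global Administrator":
            alerts.append(("privileged_role_assigned", e["member"], e["time"]))
        elif e["action"] == "wipe":
            wipes[e["actor"]].append(datetime.strptime(e["time"], _FMT))
    for actor, times in wipes.items():
        start = 0                                   # sliding window over sorted times
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:        # burst: threshold wipes within window
                alerts.append(("bulk_wipe", actor, _ts(t)))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

A real deployment would feed Entra and Intune audit exports into `detect` and tune `WIPE_THRESHOLD` and `WINDOW` to the organisation's normal offboarding volume.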

📰 Original Source
https://securityaffairs.com/189535/hacking/attack-on-stryker-s-microsoft-environment-wiped-employee-devices-without-malware.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
