
Iran MOIS Leak Sites Used to Wipe 200K Stryker Devices, Disrupt Hospital Care – FBI Takedown

The FBI seized four domains linked to Iran’s Ministry of Intelligence and Security that were used by the Handala group to exfiltrate data and execute a destructive wiper campaign against Stryker, a medical‑technology vendor. Over 200,000 devices were remotely erased via Microsoft Intune, causing temporary shutdowns at Maryland hospitals and exposing sensitive information on multiple governments and corporations.

🛡️ LiveThreat™ Intelligence · 📅 March 20, 2026· 📰 therecord.media
Severity: High · Type: Breach · Confidence: High · Affected: 3 sector(s) · Actions: 3 recommended · Source: therecord.media


What Happened — The FBI seized four domains operated by Iran’s Ministry of Intelligence and Security (MOIS) that the “Handala” group used to publish stolen data and to promote a destructive wiper campaign against Stryker, a medical‑technology vendor. The attackers did not need custom malware on the endpoints: they used Microsoft Intune’s native device‑wipe action to erase more than 200,000 Stryker devices across the U.S., Ireland, India and other regions, leading to a temporary suspension of connections at several Maryland hospitals.

Why It Matters for TPRM

  • State‑sponsored actors are targeting third‑party medical‑technology providers, exposing downstream healthcare customers to operational risk.
  • The abuse of a legitimate cloud‑management tool (Microsoft Intune) shows that once an attacker holds an identity with device‑action rights, the management plane itself becomes the weapon; endpoint controls never see malicious code, only an authorised wipe command.
  • Data exfiltration and device destruction can lead to regulatory fallout, liability, and loss of trust for any organization that relies on the compromised vendor.

Who Is Affected — Healthcare providers, hospital IT departments, medical‑device manufacturers, and any organization that integrates Stryker’s communication or sensor technology.

Recommended Actions

  • Verify that your organization’s contracts with Stryker (or similar medical‑tech vendors) include breach‑notification and incident‑response clauses.
  • Review and harden Microsoft Intune configurations: restrict the Wipe and Retire device actions to a small number of scoped RBAC roles, protect the accounts and app registrations that hold those rights with phishing‑resistant MFA and Conditional Access, and alert on bursts of wipe actions in the Intune audit log.
  • Conduct a rapid risk assessment of any devices or data that may have been exposed or wiped, and prepare contingency communication plans for clinical operations.
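The least‑privilege review in the actions above can be scripted against a tenant export. The following is an added example written for this brief, not code from the original reporting or from Microsoft: it walks exported Intune role definitions and role assignments, reports every assignment that confers a destructive device action, and rates an assignment high when it is not limited to a resource scope. The data structures are constructed samples modelled on the Microsoft Graph `deviceManagement/roleDefinitions` and `deviceManagement/roleAssignments` shapes (the role‑definition link is flattened to `roleDefinitionId` for the example), and the `Microsoft.Intune_<Area>_<Action>` resource‑action strings are an assumption to confirm against your own export.

```python
"""Least-privilege review of Intune RBAC: which assignments can wipe or retire devices."""

# Resource actions that destroy data on the endpoint. The string format follows
# Intune's Microsoft.Intune_<Area>_<Action> naming (assumed; confirm against
# your tenant's roleDefinitions export).
DESTRUCTIVE_ACTION_SUFFIXES = ("_Wipe", "_Retire")

# Constructed sample modelled on Graph deviceManagement/roleDefinitions.
ROLE_DEFINITIONS = [
    {
        "id": "rd-helpdesk",
        "displayName": "Help Desk Operator",
        "isBuiltIn": True,
        "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
            "Microsoft.Intune_ManagedDevices_Read",
            "Microsoft.Intune_RemoteTasks_RebootNow",
        ]}]}],
    },
    {
        "id": "rd-fieldops",
        "displayName": "Field Ops Device Lifecycle (custom)",
        "isBuiltIn": False,
        "rolePermissions": [{"resourceActions": [{"allowedResourceActions": [
            "Microsoft.Intune_ManagedDevices_Read",
            "Microsoft.Intune_ManagedDevices_Wipe",
            "Microsoft.Intune_ManagedDevices_Retire",
        ]}]}],
    },
]

# Constructed sample modelled on Graph deviceManagement/roleAssignments; the
# roleDefinition navigation link is flattened to roleDefinitionId here.
ROLE_ASSIGNMENTS = [
    {"id": "ra-1", "displayName": "Field ops - every device", "roleDefinitionId": "rd-fieldops",
     "members": ["grp-fieldops"], "scopeType": "allDevices", "resourceScopes": []},
    {"id": "ra-2", "displayName": "Field ops - warehouse only", "roleDefinitionId": "rd-fieldops",
     "members": ["grp-warehouse-techs"], "scopeType": "resourceScope",
     "resourceScopes": ["grp-warehouse-devices"]},
    {"id": "ra-3", "displayName": "Help desk", "roleDefinitionId": "rd-helpdesk",
     "members": ["grp-helpdesk"], "scopeType": "allDevices", "resourceScopes": []},
]


def destructive_actions(role):
    """Return the wipe/retire resource actions a role definition allows."""
    found = set()
    for permission in role.get("rolePermissions", []):
        for block in permission.get("resourceActions", []):
            for action in block.get("allowedResourceActions", []):
                if action.endswith(DESTRUCTIVE_ACTION_SUFFIXES):
                    found.add(action)
    return sorted(found)


def review_wipe_privileges(role_definitions, role_assignments):
    """One finding per assignment that confers destructive device actions.

    Severity is 'high' when scopeType is anything other than resourceScope
    (allDevices, allLicensedUsers, allDevicesAndLicensedUsers): a single
    compromised member of that assignment can then wipe the entire estate.
    """
    roles = {r["id"]: r for r in role_definitions}
    findings = []
    for assignment in role_assignments:
        role = roles.get(assignment.get("roleDefinitionId"))
        if role is None:
            continue
        actions = destructive_actions(role)
        if not actions:
            continue
        scope_type = assignment.get("scopeType", "resourceScope")
        unscoped = scope_type != "resourceScope"
        findings.append({
            "assignment": assignment["id"],
            "role": role["displayName"],
            "custom_role": not role.get("isBuiltIn", False),
            "members": list(assignment.get("members", [])),
            "scope_type": scope_type,
            "resource_scopes": list(assignment.get("resourceScopes", [])),
            "actions": actions,
            "severity": "high" if unscoped else "medium",
        })
    # High-severity (unscoped) findings first, then by assignment id.
    findings.sort(key=lambda f: (f["severity"] != "high", f["assignment"]))
    return findings


if __name__ == "__main__":
    for finding in review_wipe_privileges(ROLE_DEFINITIONS, ROLE_ASSIGNMENTS):
        print(finding["severity"].upper(), finding["assignment"], finding["role"],
              finding["scope_type"], ", ".join(finding["actions"]))
```

Two caveats when running this against a real tenant: Entra directory roles such as Intune Administrator and Global Administrator receive full Intune permissions without appearing in Intune RBAC assignments, so they must be reviewed separately, and an app registration granted `DeviceManagementManagedDevices.PrivilegedOperations.All` can issue wipes through Graph regardless of these role assignments.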

Technical Notes — The campaign abused a native Microsoft Intune feature (device‑wipe) to remotely erase corporate data, a classic “living‑off‑the‑land” technique: the wipe arrives as a legitimate MDM command, so the only traces are in the identity and Intune audit logs rather than on the endpoint. Stolen data (≈ 851 GB) was hosted on the seized domains and included information on Albanian officials, Iranian dissidents, Israeli defense personnel, and U.S. companies. No public CVE is associated; the incident underscores the danger of misused management‑plane privileges and cloud‑service APIs. Source: The Record
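Because the wipe itself is a legitimate command, detection has to come from the audit trail. The example below is added for this brief (it is not code from The Record or from Microsoft): it runs a sliding‑window count of wipe actions per actor over exported Intune audit events and raises one alert per actor whose count reaches a threshold. The records are constructed samples with field names modelled on the Graph `deviceManagement/auditEvents` resource (`activityDateTime`, `activityType`, `actor.userPrincipalName`, `resources[].displayName`); the `activityType` values and the `svc-mdm@corp.example` / `helpdesk@corp.example` accounts are assumptions for illustration.

```python
"""Detect burst remote-wipe activity in exported Intune audit events."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _event(ts, activity_type, actor_upn, device_name):
    """Build one constructed audit record (field names modelled on Graph auditEvent; assumed)."""
    return {
        "activityDateTime": ts,
        "activityType": activity_type,
        "activityOperationType": "Action",
        "activityResult": "Success",
        "actor": {"userPrincipalName": actor_upn, "applicationDisplayName": None},
        "resources": [{"displayName": device_name}],
    }


# Constructed sample: one routine help-desk wipe plus a burst of seven wipes in
# three minutes from a single account. Names, times and activity strings are
# illustrative, not records from the Stryker incident.
SAMPLE_AUDIT_EVENTS = [
    _event("2026-03-19T08:55:00Z", "createDeviceConfiguration DeviceConfiguration",
           "helpdesk@corp.example", "Baseline-Win11"),
    _event("2026-03-19T09:00:00Z", "wipeManagedDevice ManagedDevice",
           "helpdesk@corp.example", "LT-0042"),
] + [
    _event(f"2026-03-19T02:{i // 2:02d}:{(i % 2) * 30:02d}Z",
           "wipeManagedDevice ManagedDevice", "svc-mdm@corp.example", f"WS-{i:04d}")
    for i in range(7)
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _actor(event):
    """Return (name, kind): a user principal or an application (service principal)."""
    actor = event.get("actor") or {}
    if actor.get("userPrincipalName"):
        return actor["userPrincipalName"], "user"
    if actor.get("applicationDisplayName"):
        return actor["applicationDisplayName"], "application"
    return "<unknown>", "unknown"


def is_wipe_event(event):
    """Match wipe actions by name in activityType (format assumed; adjust to your export)."""
    return "wipe" in (event.get("activityType") or "").lower()


def detect_wipe_bursts(events, threshold=5, window_minutes=10):
    """Return one alert per actor whose wipe count within any window reaches the threshold.

    Failed wipes are counted too: a burst of rejected attempts is as much a
    signal of a compromised admin session as a burst of successes.
    """
    window = timedelta(minutes=window_minutes)
    per_actor = defaultdict(list)
    for ev in events:
        if not is_wipe_event(ev):
            continue
        name, kind = _actor(ev)
        devices = [r.get("displayName", "<unknown>") for r in ev.get("resources", [])]
        per_actor[(name, kind)].append((_parse_ts(ev["activityDateTime"]), devices))

    alerts = []
    for (name, kind), items in per_actor.items():
        items.sort(key=lambda item: item[0])
        best = None
        end = 0
        # Two-pointer sliding window: [start, end) holds events within `window`.
        for start in range(len(items)):
            end = max(end, start)
            while end < len(items) and items[end][0] - items[start][0] <= window:
                end += 1
            count = end - start
            if count >= threshold and (best is None or count > best["count"]):
                devices = {d for _, names in items[start:end] for d in names}
                best = {
                    "actor": name,
                    "actor_kind": kind,
                    "count": count,
                    "distinct_devices": len(devices),
                    "window_start": items[start][0].isoformat(),
                    "window_end": items[end - 1][0].isoformat(),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_wipe_bursts(SAMPLE_AUDIT_EVENTS):
        print(alert)
```

Tune `threshold` and `window_minutes` to the normal rate of device wipes in your estate; a help desk that wipes a handful of devices a day should never legitimately approach the rate a wiper campaign produces, and an alert whose `actor_kind` is `application` points at an over‑privileged app registration rather than a stolen admin session.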

📰 Original Source
https://therecord.media/fbi-takes-down-leak-sites-iran-mois

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
