Iranian State‑Linked Wiper Campaign Destroys Devices at Stryker, Disrupting Operations in 79 Countries
What Happened – In March 2026 the Iran‑aligned group Handala (also known as Void Manticore) breached Stryker, a Fortune 500 medical‑technology manufacturer, using stolen VPN credentials. The attackers moved laterally with native admin tools (RDP, PowerShell, WMI, SMB, SSH) and deployed multiple wiping mechanisms that erased tens of thousands of endpoints across 79 countries, halting manufacturing, order processing and logistics.
Why It Matters for TPRM (Third‑Party Risk Management) –
- Destructive wiper attacks target critical‑supply‑chain and healthcare vendors, creating real‑world operational risk for downstream customers.
- The reliance on stolen legitimate credentials bypasses many traditional malware‑centric controls, exposing gaps in third‑party access management.
- Prolonged service disruption can trigger contractual penalties, regulatory scrutiny, and reputational damage for both the vendor and its clients.
Who Is Affected – Healthcare‑technology manufacturers, the broader medical‑device supply chain, and any organization that integrates Stryker’s products or services.
Recommended Actions –
- Review and tighten VPN and remote‑access controls for all third‑party connections.
- Enforce least‑privilege administration and monitor native tool usage (RDP, PowerShell, WMI) for anomalous activity.
- Incorporate destructive‑malware detection and response playbooks into third‑party risk assessments.
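As an added illustration of the monitoring action above (example code written for this brief, not Stryker's, the source article's, or any vendor's tooling): because the intruders used valid stolen credentials and built‑in admin tools, signature‑based controls see nothing, so detection has to key on behaviour. The script flags an account that reaches an unusual number of distinct hosts over RDP, PowerShell remoting, WMI or SMB admin shares inside a short window, the fan‑out pattern of lateral movement described in the Technical Notes; the event layout and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Lateral-movement techniques the brief names, with the Windows telemetry that
# normally records each one on the target host.
ADMIN_TECHNIQUES = {
    "rdp",         # Security 4624, logon type 10 (RemoteInteractive)
    "psremoting",  # wsmprovhost.exe process creation
    "wmi",         # WmiPrvSE.exe spawning a child process
    "smb_admin",   # 4624 logon type 3 plus share access (5140) to ADMIN$ or C$
}
# Constructed sample telemetry (hypothetical, not from the incident). Record
# layout is an assumption: (timestamp, account, source_ip, target_host, technique).
SAMPLE_EVENTS = [
    ("2026-03-10T02:00:10", "svc_deploy", "10.50.0.21", "MFG-PLC-GW-01", "psremoting"),
    ("2026-03-10T02:00:45", "svc_deploy", "10.50.0.21", "MFG-PLC-GW-02", "wmi"),
    ("2026-03-10T02:01:20", "svc_deploy", "10.50.0.21", "ORD-APP-03", "smb_admin"),
    ("2026-03-10T02:02:05", "svc_deploy", "10.50.0.21", "ORD-APP-04", "wmi"),
    ("2026-03-10T02:03:30", "svc_deploy", "10.50.0.21", "LOG-DB-01", "rdp"),
    ("2026-03-10T02:04:00", "svc_deploy", "10.50.0.21", "LOG-DB-02", "psremoting"),
    ("2026-03-10T09:15:00", "jdoe", "10.10.3.7", "FILE-SRV-01", "rdp"),
    ("2026-03-10T11:40:00", "jdoe", "10.10.3.7", "FILE-SRV-01", "smb_admin"),
    ("2026-03-10T14:05:00", "jdoe", "10.10.3.7", "FILE-SRV-02", "rdp"),
]

def fan_out_alerts(events, window=timedelta(minutes=10), threshold=5):
    """Flag accounts that touch >= `threshold` distinct hosts over admin
    protocols within any `window`. Returns {account: (hosts, start, end)}."""
    per_account = defaultdict(list)
    for ts, account, _src, host, technique in events:
        if technique in ADMIN_TECHNIQUES:
            per_account[account].append((datetime.fromisoformat(ts), host))
    alerts = {}
    for account, recs in per_account.items():
        recs.sort()
        best, lo = None, 0
        for hi in range(len(recs)):
            while recs[hi][0] - recs[lo][0] > window:  # slide the window start
                lo += 1
            hosts = {h for _, h in recs[lo:hi + 1]}
            if len(hosts) >= threshold and (best is None or len(hosts) > len(best[0])):
                best = (sorted(hosts), recs[lo][0], recs[hi][0])
        if best:
            alerts[account] = best
    return alerts

if __name__ == "__main__":
    for account, (hosts, start, end) in fan_out_alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {len(hosts)} hosts in {end - start}: {', '.join(hosts)}")
```

Tune `threshold` and `window` against a baseline of legitimate deployment and backup accounts before wiring the check into alerting, since those accounts fan out routinely.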
Technical Notes – The attack began with stolen VPN credentials, followed by lateral movement using legitimate admin utilities (RDP, PowerShell remoting, WMI, SMB, SSH). No novel malware was used; instead, the threat actors leveraged existing tools and custom wiping scripts. Source: BleepingComputer