Iran-Backed Handala Hackers Just Wiped 200,000 Stryker Devices in a Single Night: A Threat Intelligence Breakdown
I was sitting in my home office at 6:47 AM on a Wednesday, nursing a $5.90 oat milk latte and scrolling through my usual morning feeds, when the first reports started coming in. Stryker, the $25 billion medical technology giant, had been hit by what appears to be one of the most devastating wiper attacks in recent corporate history. And the group claiming responsibility has direct links to Iran's intelligence apparatus.
My colleague Sandra called me 14 minutes later. She'd already been monitoring the Telegram channels where a hacktivist group known as Handala (also called Handala Hack Team) posted a lengthy manifesto claiming they had erased data from more than 200,000 systems, servers, and mobile devices across Stryker's global operations.
What the Handala Wiper Attack on Stryker Actually Looks Like
Let me be clear about the scale here: Stryker [NYSE: SYK] employs 56,000 people across 61 countries. They make surgical equipment, orthopedic implants, and medical devices that hospitals worldwide depend on every single day. According to Krebs on Security, the company's main US headquarters in Kalamazoo, Michigan, had an automated voicemail message stating they were "currently experiencing a building emergency."
The Irish Examiner reported that more than 5,000 workers in Ireland, Stryker's largest hub outside the United States, were sent home. Staff were reduced to communicating via WhatsApp because every corporate system connected to the network was down. One unnamed employee told the Examiner that "anyone with Microsoft Outlook on their personal phones had their devices wiped."
Think about that for a moment. Personal phones. Wiped. If enrolling in your company's MDM means that a nation-state actor who compromises it can reach into an employee's pocket and wipe their personal device, that's a conversation every CISO should be having with their board right now.
Who Is Handala and Why Should You Care
Handala is not some random script-kiddie collective. Palo Alto Networks Unit 42 recently profiled the group, linking it directly to Iran's Ministry of Intelligence and Security (MOIS). The group surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated threat actor.
My friend Derek, who spent 11 years at a three-letter agency before moving to private sector threat intelligence, had a 38-minute call with me about this. His take: "This is not hacktivism. This is state-sponsored destruction wearing a political mask. The tradecraft is too clean, the targeting too precise."
The group's manifesto claimed the attack was retaliation for a February 28 missile strike that hit an Iranian school, killing at least 175 people, most of them children. The New York Times has reported that a military investigation determined the United States was responsible for the strike.
The Wiper Malware Playbook You Need to Understand
Wiper attacks are fundamentally different from ransomware. With ransomware, there's a negotiation, a business model, sometimes even customer support from the attackers. Wiper malware exists for one purpose: total destruction. There's no decryption key. There's no paying your way out.
Tom, our threat analyst, spent about 4 hours dissecting the indicators of compromise (IoCs) that researchers have started sharing. Based on what's publicly available, the attack appears to have involved:
- Initial access through compromised credentials or a supply chain vector
- Lateral movement across the corporate network spanning 61 countries
- Deployment of wiper payloads to endpoints, servers, and mobile devices via MDM
- Simultaneous detonation designed to maximize damage before containment
The login pages on wiped devices were reportedly defaced with the Handala logo, a signature move that mirrors previous Void Manticore operations.
What This Means for Your Wiper Defense Strategy
I sat down with Rachel from our incident response team and we mapped out the key takeaways. She'd just come back from a 3-day tabletop exercise at a Fortune 500 company that cost them $47,000, and none of their scenarios included a wiper hitting their MDM-enrolled personal devices.
1. Audit your MDM blast radius immediately. If your mobile device management solution can push a factory reset to personal phones, you need to understand exactly who has that capability and what safeguards exist. The Stryker incident suggests the attackers used MDM to extend the wiper's reach to personal devices.
2. Air-gapped backups are not optional. When a wiper hits 200,000 devices, your cloud backups connected to the same identity system are potentially compromised too. Greg, who runs backup operations for a major healthcare organization we covered recently, told me he's adding a third backup tier this week: fully air-gapped, rotated monthly.
3. Geopolitical threat modeling needs to be standard. This attack was explicitly retaliatory. If your organization does business with governments involved in active conflicts, or supplies equipment used in military contexts, you are a target. Stryker makes medical devices, but their products are used in military hospitals and VA facilities.
4. Practice your offline communication plan. When every corporate system goes down, including email and Teams, how does your organization actually communicate? Stryker's employees fell back to WhatsApp. Your plan should be more deliberate than that.
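One way to make the "blast radius" audit in point 1 concrete, as an added Python example that is not from the article, from Stryker, or from any MDM vendor: it runs over a constructed, product-neutral device inventory and role list (the field names `owner`, `wipe_mode`, `scope`, `mfa` and `approval` are assumptions), counts what a single compromised wipe-capable role could reach, flags personal devices that permit a full wipe, and shows the corrected policy beside it.

```python
from collections import Counter

# Constructed sample MDM inventory; not from any real tenant or from the article.
DEVICES = [
    {"id": "d1", "owner": "corporate", "wipe_mode": "full"},
    {"id": "d2", "owner": "personal", "wipe_mode": "full"},       # BYOD phone: factory reset permitted
    {"id": "d3", "owner": "personal", "wipe_mode": "selective"},  # BYOD phone: only corporate data removable
    {"id": "d4", "owner": "personal", "wipe_mode": "full"},
    {"id": "d5", "owner": "corporate", "wipe_mode": "full"},
]

# Constructed role assignments: who may issue wipes, over which devices, with which safeguards.
ROLES = [
    {"role": "GlobalAdmin", "members": ["alice", "svc-automation"], "scope": "all", "mfa": True, "approval": False},
    {"role": "Helpdesk", "members": ["bob", "carol"], "scope": "corporate", "mfa": True, "approval": True},
    {"role": "MobileOps", "members": ["erin"], "scope": "all", "mfa": False, "approval": False},
]

def in_scope(device, scope):
    return scope == "all" or device["owner"] == scope

def blast_radius(devices, roles):
    """Devices one compromised member of each wipe-capable role could reach, by ownership and wipe type."""
    out = {}
    for r in roles:
        reach = (f"{d['owner']}_{d['wipe_mode']}" for d in devices if in_scope(d, r["scope"]))
        out[r["role"]] = dict(Counter(reach))
    return out

def findings(devices, roles):
    """Gaps to fix: BYOD devices exposed to a factory reset, and all-device wipe roles lacking MFA or approval."""
    gaps = [f"{d['id']}: personal device permits full wipe; set wipe_mode=selective"
            for d in devices if d["owner"] == "personal" and d["wipe_mode"] == "full"]
    for r in roles:
        if r["scope"] == "all" and not (r["mfa"] and r["approval"]):
            gaps.append(f"{r['role']}: {len(r['members'])} member(s) can wipe every device "
                        f"(mfa={r['mfa']}, approval={r['approval']})")
    return gaps

def harden(devices):
    """Corrected policy: a personal device only ever gets a selective wipe of corporate data."""
    return [dict(d, wipe_mode="selective") if d["owner"] == "personal" else dict(d) for d in devices]

if __name__ == "__main__":
    for role, counts in blast_radius(DEVICES, ROLES).items():
        print(role, counts)
    print("\n".join(findings(DEVICES, ROLES)))            # 4 findings on the weak inventory
    print("\n".join(findings(harden(DEVICES), ROLES)))    # only the 2 role findings remain
```

Feed it a real export from your own MDM (mapped onto these fields) and the remaining role findings are the list of accounts and automation identities whose compromise would reproduce the Stryker scenario.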
The Bigger Picture for Cybersecurity in 2026
I've been covering nation-state cyber operations for years now, and what strikes me about the Stryker incident is the target selection. This is not a defense contractor. This is not a government agency. This is a medical device company whose products help surgeons reconstruct broken bones and replace worn-out joints.
The message is unmistakable: in the current geopolitical climate, the definition of a "legitimate target" for state-sponsored hackers has expanded to include any organization with ties to nations involved in active conflicts. That includes hospitals, manufacturers, logistics companies, and yes, the companies that make the equipment those institutions rely on.
Sandra summed it up best during our 22-minute debrief on Thursday: "We've been telling clients for years that they need to plan for wiper attacks, not just ransomware. Stryker is the case study that makes that conversation real."
If you haven't run a wiper-specific tabletop exercise in 2026, this is your wake-up call. And if your MDM solution can reach personal devices, that conversation with your legal team and your employees should have happened yesterday.