Executive Summary
On the night of March 11, 2026, an Iranian state-linked hacker group known as Handala executed the most destructive cyberattack against a US corporation since the start of the US-Israel war on Iran. The target was Stryker Corporation, a $131B medical device manufacturer with 56,000 employees across 61 countries. The attack wiped 200,000 devices, exfiltrated 50 terabytes of data, and shut down operations in 79 countries overnight. This was not an isolated event. It is the opening operation of a declared, escalating cyber warfare campaign against American and Western organizations.
Attack Timeline
| Time (EDT) | Event |
|---|---|
| 12:30–3:30 AM, Mar 11 | Attack initiates. Devices begin wiping across the global network. |
| 3:30 AM | Employees in the US, Ireland, Australia and India locked out. Personal phones wiped. |
| Morning, Mar 11 | Stryker HQ in Portage, MI physically closes. Phone system replaced with a “building emergency” message. |
| Mar 11 daytime | Stryker confirms a “global network disruption to Microsoft environment” to CNN, WSJ and Bloomberg. |
| Mar 11 evening | Stryker files with the SEC. Full restoration timeline unknown. |
| Mar 12 | Systems remain offline. FBI and CISA have not publicly commented. |
Attack Vector: How They Did It
Handala compromised Stryker’s Microsoft Intune environment — a cloud-based Mobile Device Management platform. By gaining administrative access, they:
1. Pushed a mass wipe command to all enrolled devices — corporate and personal
2. Defaced all login pages with the Handala logo
3. Exfiltrated 50TB of data prior to destruction
4. Sent emails directly to Stryker executives claiming ownership of the attack
Any organization using cloud-based MDM — whether Intune, Jamf, or Workspace ONE — has this same attack surface. An attacker with admin credentials can turn your device management platform into a remote kill switch. This is not a theoretical risk anymore.
Patient Safety Impact: The Lifenet Situation
Stryker’s subsidiary Physio-Control operates Lifenet, the system US paramedics use to transmit EKG data from ambulances to hospital emergency departments before a patient arrives.
Maryland’s Institute for Emergency Medical Services issued an alert to all hospitals in the state on March 11. Lifenet was non-functional in most parts of the state. EMS clinicians were instructed to revert to radio communication.
When a cyberattack disrupts pre-hospital cardiac care, it has crossed from operational disruption into potential patient harm. Every healthcare-adjacent organization should be taking note.
Why Stryker Was Targeted
| Israeli acquisition: Stryker acquired OrthoSpace in Israel in 2019, still an active subsidiary per current SEC filings. |
| US DoD contract: Stryker secured a $450 million contract to supply medical devices to the Department of Defense in 2025. |
| VA contracts: Additional contracts with the Department of Veterans Affairs. |
| Critical infrastructure role: Physio-Control and Lifenet are embedded in US emergency response systems nationwide. |
The Broader 48-Hour Campaign
Stryker was one strike in a coordinated multi-front offensive. Here is what else happened in the same 48-hour window:
| Target | Attack Type | Status |
|---|---|---|
| Stryker (US, $131B) | Wiper + 50TB data theft | CONFIRMED |
| Verifone (US payment) | Data breach claimed | DISPUTED |
| Academy of Hebrew Language | Defacement + psyop | CONFIRMED |
| Israeli financial sector | DDoS, 1.2M req/sec | CONFIRMED |
| Jordan fuel systems | Infrastructure sabotage | CLAIMED |
| Bank of Jordan, UAE & Saudi airports | Disruption | CLAIMED |
| Iranian-American/Canadian influencers | Death threats + dox | CONFIRMED |
“RedWanted”: The Public Target List
On March 1, 2026, Handala launched RedWanted — a public hit list naming individuals and organizations designated as supporters of Israel, with an explicit declaration that they will hunt every listed target. If your organization has Israeli business ties, US government contracts, or operates in healthcare, energy, financial services, or technology, assume you may be on or near this list.
Declared Future Targets
The IRGC formally declared US and Israeli-linked banks and economic centers as legitimate military targets. Iranian state media named the following American companies:
Handala’s own statement following the Stryker attack: "This is only the beginning of a new chapter in cyber warfare."
Active Secondary Threat: CrowdStrike Phishing Lures
Handala has a documented pattern of deploying fake CrowdStrike security alert emails immediately following high-profile security events — sending spoofed remediation emails that deliver wiper malware to targets who click.
Immediate action required: Instruct all staff that any unexpected email from CrowdStrike, Microsoft, or any security vendor requesting a download or remediation action must be verified by calling the vendor directly at a known, pre-existing number. Do not click links. Do not download attachments. The more urgent it feels, the more suspicious you should be.
Recommended Actions
Immediate — Next 24 to 48 Hours
| 1. Audit MDM admin access. Review who holds Intune or MDM administrative credentials. Apply least-privilege immediately. Enable MFA on all admin accounts if not already active. |
| 2. Verify CrowdStrike communications. Brief your security team and IT helpdesk. No vendor-sourced instructions should be acted upon without out-of-band verification. |
| 3. Assess Stryker device exposure. If your organization uses any Stryker or Physio-Control connected equipment, determine current connectivity status and isolation posture. |
| 4. Review DoD and Israeli contractor relationships. If you are a vendor or subcontractor in either of these supply chains, elevate your threat posture now. |
Near-Term — Next 30 Days
| 5. Wiper resilience audit. Validate offline backup integrity. Wiper attacks leave no recovery path without clean, air-gapped backups. |
| 6. Phishing simulation using security vendor themes. Run a targeted test using CrowdStrike and Microsoft-themed lures to identify vulnerable personnel before Handala does. |
| 7. Incident response plan review. Does your IR plan account for MDM compromise as an initial attack vector? If not, it needs to. |
How Vigilant Addresses This Threat
The Stryker attack succeeded for one fundamental reason: nobody saw it happening in real time. By the time employees watched their screens go dark, the wipe command had already executed across 200,000 devices.
Perimeter defenses and endpoint agents alone do not catch MDM-layer administrative abuse. Vigilant’s sensor technology is deployed deep inside client environments, monitoring not just endpoints but the management planes, authentication layers, and administrative tooling that Handala specifically targeted:
| Detection Coverage | Aligned Service |
|---|---|
| Anomalous MDM policy push activity, including bulk enrollment changes or device wipe commands outside of normal administrative patterns | Managed Defender |
| Credential abuse at the management layer: privileged account activity inconsistent with established baselines | Managed Defender |
| Mass authentication events at a scale that generates detectable signals well before execution | Managed Defender |
| Suspicious Microsoft 365 activity, including anomalous OAuth application consent grants, mail forwarding rule changes, and administrative role escalation events outside of authorized change windows | V365 |
| Lateral movement through Microsoft cloud management infrastructure and the organization network, a monitored vector in our CyberDNA Platform | Managed Defender & CyberDNA MNDR |
The difference between a detection event and a disaster is visibility. That is what we provide.
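The detection described above (bulk or off-hours wipe commands at the MDM layer, the first item in the coverage table and the remediation in action 1) can be prototyped over exported audit events. The following is an added example, not Vigilant's, Stryker's or Microsoft's code: the record fields (`activityDateTime`, `activityType`, `actor`, `device`), the burst threshold and the authorized change window are assumptions and the sample events are constructed.

```python
# Flags bulk or off-hours wipe commands in Intune-style MDM audit events.
# Added illustration, not Vigilant's or Stryker's code: the record layout is a
# constructed simplification of Intune audit events; thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_ACTIONS = {"wipeManagedDevice", "retireManagedDevice"}
WINDOW = timedelta(minutes=10)       # sliding window for burst detection
BURST_THRESHOLD = 5                  # assumption: tune to normal wipe churn
CHANGE_WINDOW_HOURS = range(8, 19)   # assumption: 08:00-18:59 UTC is authorized
FMT = "%Y-%m-%dT%H:%M:%SZ"

def detect_wipe_anomalies(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """Return alerts: 'off_hours' for each wipe outside the change window, and
    one 'burst' per actor whose densest `window` holds >= `threshold` wipes."""
    alerts, by_actor = [], defaultdict(list)
    for e in events:
        if e["activityType"] not in WIPE_ACTIONS:
            continue                              # policy pushes etc. are ignored
        t = datetime.strptime(e["activityDateTime"], FMT)
        by_actor[e["actor"]].append(t)
        if t.hour not in CHANGE_WINDOW_HOURS:
            alerts.append({"reason": "off_hours", "actor": e["actor"],
                           "device": e["device"], "at": t.isoformat()})
    for actor, times in by_actor.items():
        times.sort()
        start, best = 0, (0, 0, 0)                # (count, start_idx, end_idx)
        for end, t in enumerate(times):           # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best[0] >= threshold:
            alerts.append({"reason": "burst", "actor": actor,
                           "wipes_in_window": best[0],
                           "from": times[best[1]].isoformat(),
                           "to": times[best[2]].isoformat()})
    return alerts

def _ev(ts, action, actor, device):
    return {"activityDateTime": ts, "activityType": action, "actor": actor, "device": device}

def sample_events():
    """Constructed: a daytime helpdesk wipe of one lost laptop plus a config
    change, then 120 wipes from a single admin account in two minutes before dawn."""
    base = datetime(2026, 3, 11, 4, 30)
    return [_ev("2026-03-10T15:00:00Z", "wipeManagedDevice", "helpdesk@corp.example", "lost-laptop-1"),
            _ev("2026-03-10T15:05:00Z", "updateDeviceConfiguration", "helpdesk@corp.example", "policy-7")] + [
            _ev((base + timedelta(seconds=i)).strftime(FMT), "wipeManagedDevice",
                "intune-admin@corp.example", f"dev-{i:04d}") for i in range(120)]
```

Run against `sample_events()`, the single helpdesk wipe raises nothing while the admin account produces one burst alert covering all 120 wipes plus an off-hours alert per device; in practice the burst signal is the one to page on, with the per-device alerts kept for the case timeline.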