Iran‑Linked ‘Handala’ Hackers Use Microsoft Intune in Destructive Cyberattack on Stryker Medical Tech Network
Stryker said in an SEC filing that a cyberattack caused a temporary global disruption to parts of its Microsoft environment. The Iran-linked, pro-Iranian and pro-Palestinian group Handala claimed the attack, and the group's logo briefly appeared on login pages. Reporting and investigator accounts indicate the attackers targeted the Microsoft Intune management console, triggering remote-wipe actions that reset numerous company-issued phones and laptops to factory settings. Analysts tracking Handala say the group appears focused on destructive data-wiping rather than financial extortion. Stryker says the incident is now believed contained as assessments continue.
📌 Key Facts
- Stryker disclosed in an SEC filing that a cyberattack caused a temporary global network disruption to parts of its Microsoft environment; the company says the situation is now believed contained while investigators assess the scope.
- The pro‑Iranian, pro‑Palestinian hacker group 'Handala' claimed responsibility; the group's logo appeared on Stryker login pages and boasting social posts were later deleted — its stated motive (retaliation for a bombing in Minab that killed schoolchildren) is unverified.
- Reporting and technical analysis indicate attackers targeted Stryker’s Microsoft Intune management console and abused remote‑wipe features to reset many company‑issued phones and laptops to factory settings, producing employee outages that began shortly after midnight ET.
- Threat intelligence firms (e.g., Arctic Wolf) say Handala is focused on data destruction rather than financial extortion typical of ransomware groups; Palo Alto Networks profiles the group as linked to Iran, though former CISA director Chris Krebs warned the exact ties remain 'blurry.'
- The Stryker incident is part of a broader wave of pro‑Iranian hacking since Feb. 28 that has attempted to penetrate cameras to support missile targeting and targeted data centers, industrial sites, a school, an airport, and — under investigation — a Polish nuclear research facility.
- Iran‑linked outlets and pro‑Iranian channels have explicitly framed U.S. tech firms and critical infrastructure as legitimate targets (Tasnim named Amazon, Microsoft, Palantir, Oracle), and Telegram chatter has urged strikes on data centers hosting U.S. military communications and targeting systems.
- Concurrently, Amazon Web Services confirmed Iranian drone strikes damaged two of its UAE data‑center facilities and threatened a Bahrain site, underscoring parallel kinetic threats to regional tech infrastructure.
- U.S. officials say they are aware of potential Iranian targets and prepared for operations such as 'Operation Epic Fury,' while observers note the ongoing partial U.S. government shutdown is hampering federal cyber‑response capacity.
- Stryker is a Michigan‑based medical‑technology company with roughly 56,000 employees operating in more than 60 countries, and the attack highlights elevated cyber risk to healthcare and medical supply networks.
📊 Relevant Data
The bombing of Shajareh Tayyebeh girls' elementary school in Minab, Iran, on February 28, 2026, resulted in a death toll of 165, primarily schoolgirls, and was part of a US-Israeli military strike on an adjacent naval base.
Death toll in Israeli strike on southern Iran school rises to 165 — Al Jazeera
Over 3 million people have been displaced within Iran since the US and Israel launched attacks in late February 2026, with estimates up to 3.2 million internally displaced due to the conflict.
Up to 3.2 million people displaced across Iran amid US-Israeli attacks — Al Jazeera
Black service members in the U.S. military face disparities in discipline and promotion, with a 2020 Air Force review confirming racial disparities for Black airmen, and Black Americans historically overrepresented in combat roles relative to their population percentage (13.6% of U.S. population but higher in some deployments).
Celebrating Black Military Service Is Not “DEI Woke” Propaganda — Mother Jones
The US-Iran conflict has led to surges in energy prices, increasing household energy burdens in the U.S., with projections of cumulative economic burdens reaching trillions over a decade due to disrupted global supplies.
Iran War Will Lower Energy Prices — The Wall Street Journal
Racial and ethnic minorities in the U.S., particularly Black and Hispanic individuals, face disparities in access to novel drug therapies and medical technologies, with lower clinical trial participation and barriers to advanced treatments compared to White individuals.
Racial and Ethnic Disparities in Access to Medical Advancements — KFF
📰 Source Timeline (5)
- Identifies Stryker, a Michigan-based medical technology company with about 56,000 employees operating in more than 60 countries, as the U.S. firm hit in the Handala-attributed cyberattack.
- Confirms that Stryker disclosed the incident in a Securities and Exchange Commission filing, stating that parts of its Microsoft environment and global network were disrupted while investigators assess scope.
- Reports that the attack apparently targeted Stryker’s Microsoft Intune management console, triggering remote wipe features that reset many company-connected phones and laptops to factory settings.
- Provides temporal detail that outages began shortly after midnight Wednesday on the East Coast, with employees abruptly losing functionality on work-issued phones and internal communications stalling.
- Notes that some employees saw the Handala logo on login pages during the incident and that the group claims the attack was retaliation for a bombing at a school in Minab, Iran, though that retaliation claim is unverified.
- Tasnim News Agency, linked to Iran’s IRGC, published a graphic naming Amazon, Microsoft, Palantir, and Oracle as “enemy’s technological infrastructure” and “Iran’s new goals in the region,” explicitly framing these U.S. tech firms as legitimate targets.
- Amazon Web Services confirmed that Iranian drone strikes damaged two of its data-center facilities in the UAE and that another drone landed near its Bahrain site, causing structural, power, and water-damage impacts.
- Stryker disclosed via an SEC filing that a cyberattack caused a temporary “global network disruption” to its Microsoft environment; the Handala group’s logo reportedly appeared on login pages, and Handala claimed a “major cyber operation” before its posts were removed.
- White House Deputy Press Secretary Anna Kelly told CBS that the U.S. has been prepared for Operation Epic Fury and is “aware of all potential Iranian targets,” claiming Iranian ballistic-missile attacks are down 90% and drone attacks down 83%.
- Cybersecurity analyst Brian Krebs reported that Handala’s now-deleted social posts boasted of successfully executing the Stryker hack, while Palo Alto Networks profiles the group as directly linked to Iran, though Chris Krebs cautioned that the exact ties remain “blurry.”
- Identifies the pro-Iranian, pro-Palestinian hacker group 'Handala' as claiming responsibility for the Stryker cyberattack and states the group’s stated motive was retaliation for suspected U.S. strikes that killed Iranian schoolchildren.
- Cites threat-intelligence analysis (Arctic Wolf’s Ismael Valenzuela) that Handala is focused on data destruction rather than financial extortion, distinguishing it from typical ransomware actors.
- Reports that since the war began Feb. 28, pro-Iranian hackers have tried to penetrate cameras in Middle Eastern countries to improve Iran’s missile targeting, and have targeted data centers, industrial facilities in Israel, a school in Saudi Arabia, and an airport in Kuwait.
- Notes that Polish authorities are investigating a cyberattack on a nuclear research facility that may have ties to Iran, while acknowledging it could also be a false-flag operation using the war as cover.
- Quotes chatter from pro-Iranian hacker channels on Telegram, including calls to 'take out' data centers that 'host the brains of USA’s military communication and targeting systems.'
- CBS reports that Stryker attributes its recent network disruption to a cyberattack for which hackers with ties to Iran have claimed responsibility.
- Stryker says the incident disrupted its global Microsoft networks but that the situation is now believed to be contained.
- Cybersecurity expert and former CISA director Chris Krebs tells CBS that the attack illustrates how the Iran war could be expanding into the cyber domain and notes that the ongoing partial U.S. government shutdown is affecting the federal government’s ability to respond.