In a significant escalation of cyber warfare, an Iran-linked hacking group has claimed responsibility for a disruptive attack on Michigan-based medical technology giant Stryker. The breach, in which the attackers used the company's own endpoint management tooling to remotely wipe employee devices, marks the first major successful Iranian cyber operation against a U.S. firm since the recent outbreak of regional conflict.
The group, known as Handala, claimed the attack via Telegram and X (formerly Twitter). Cybersecurity experts at Sophos have tied Handala to Iran’s Ministry of Intelligence, noting a shift from earlier “hacktivism”, which largely consisted of website defacement, to destructive “wiper” tactics intended to paralyze corporate operations.
The “Intune” Infiltration
Evidence suggests the attackers gained unauthorized access to Stryker’s Microsoft Intune tenant, the cloud-based endpoint management service used to administer corporate mobile devices and laptops. Once inside the admin console, the hackers reportedly issued a remote wipe command, a feature intended for lost or stolen hardware, which returns enrolled phones and computers to factory settings and erases the data on them. Because the wipe is carried out by the management agent already on each device, the attack needs no malware on the endpoint at all.
“They seem to have obtained access to the Microsoft Intune management console,” said Rafe Pilling, Director of Threat Intelligence at Sophos. “Looks like they triggered [the remote wipe] for some or all of the enrolled devices.”
One Stryker employee, speaking on the condition of anonymity, confirmed that work-issued phones ceased functioning Wednesday, bringing internal communications and operations to a sudden standstill.
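The tell-tale signature of the incident described above is a burst of wipe actions from a single principal in a short window. The following detection logic is an added example for this article, not code from Stryker, Sophos or Microsoft. It assumes audit records shaped like the Microsoft Graph `auditEvent` resource returned by `GET /deviceManagement/auditEvents` (fields `activityDateTime`, `activityType`, `activityResult`, `actor.userPrincipalName`, `resources[].resourceId`); the sample records, the actor names and the exact `activityType` strings are constructed for illustration and should be checked against what your own tenant emits.

```python
"""Flag bursts of remote-wipe actions in Microsoft Intune audit events.

Added example for this article, not code from Stryker, Sophos or Microsoft.
It assumes records in Microsoft Graph `auditEvent` shape (the output of
GET /deviceManagement/auditEvents). Sample events, actor names and the
`activityType` strings are constructed; confirm the strings your tenant
emits before relying on the match in is_wipe().
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _event(ts, actor, activity, device, result="Success"):
    """Build one constructed audit record in Graph auditEvent shape."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "activityResult": result,
        "actor": {"userPrincipalName": actor},
        "resources": [{"resourceId": device}],
    }


# Constructed sample log: a help-desk admin retires one device and wipes one
# lost device (routine), then a second principal wipes six devices in under
# two minutes (the bulk pattern reported in the Stryker incident).
SAMPLE_EVENTS = [
    _event("2024-06-12T09:00:00Z", "helpdesk@corp.example", "retireManagedDevice", "dev-001"),
    _event("2024-06-12T10:00:00Z", "helpdesk@corp.example", "wipeManagedDevice", "dev-002"),
    _event("2024-06-12T13:15:00Z", "svc-intune@corp.example", "wipeManagedDevice", "dev-101"),
    _event("2024-06-12T13:15:12Z", "svc-intune@corp.example", "wipeManagedDevice", "dev-102"),
    _event("2024-06-12T13:15:25Z", "svc-intune@corp.example", "wipeManagedDevice", "dev-103"),
    _event("2024-06-12T13:15:40Z", "svc-intune@corp.example", "wipeManagedDevice", "dev-104"),
    _event("2024-06-12T13:16:02Z", "svc-intune@corp.example", "wipeManagedDevice", "dev-105"),
    _event("2024-06-12T13:16:20Z", "svc-intune@corp.example", "wipeManagedDevice", "dev-106"),
    # A failed wipe is audited too but erased nothing; the detector skips it.
    _event("2024-06-12T13:16:45Z", "svc-intune@corp.example", "wipeManagedDevice", "dev-107", result="Failure"),
]


def parse_ts(value):
    """Parse Graph's ISO-8601 UTC timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def is_wipe(activity_type):
    """Assumption: wipe-class actions carry 'wipe' in their activityType."""
    return "wipe" in (activity_type or "").lower()


def detect_bulk_wipes(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor who completed at least `threshold` successful
    wipes inside any `window`-long span. Each alert lists the actor, the wipe
    count in the densest window, the affected device ids and the span bounds."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("activityResult") != "Success" or not is_wipe(ev.get("activityType")):
            continue
        actor = ev.get("actor", {})
        who = actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "<unknown>"
        devices = [r.get("resourceId") for r in ev.get("resources", []) if r.get("resourceId")]
        by_actor[who].append((parse_ts(ev["activityDateTime"]), devices))

    alerts = []
    for who, items in by_actor.items():
        items.sort(key=lambda item: item[0])
        best = None  # (count, first_index, last_index) of the densest window
        j = 0
        for i in range(len(items)):
            j = max(j, i)
            # Slide the right edge forward while it stays inside the window.
            while j + 1 < len(items) and items[j + 1][0] - items[i][0] <= window:
                j += 1
            count = j - i + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, i, j)
        if best is not None:
            count, i, j = best
            devices = sorted({d for _, ds in items[i:j + 1] for d in ds})
            alerts.append({
                "actor": who,
                "wipes": count,
                "devices": devices,
                "start": items[i][0].isoformat(),
                "end": items[j][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect_bulk_wipes(SAMPLE_EVENTS), indent=2))
```

Run against the sample, the detector ignores the retire action, the single help-desk wipe and the failed wipe, and raises one alert for `svc-intune@corp.example` covering six devices in eighty seconds. The same function applies unchanged to real records pulled from the Graph endpoint with a filter on `activityDateTime`. Tune `threshold` to your own help-desk baseline, and treat the alert as a trigger to disable the actor and revoke its sessions, since every wipe that has already been issued will complete regardless. Prevention matters more than detection here: wipe-capable Intune roles should sit behind just-in-time elevation and phishing-resistant MFA, and be scoped to the smallest device set the role actually needs.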
Stryker Responds to Network Disruption
In a statement released Wednesday, Stryker acknowledged a “global network disruption” within its Microsoft environment but said its core internal systems had not been compromised and that it had found no sign of ransomware. That is consistent with the reported method: a wipe issued through legitimate management tooling leaves no malware behind, so the absence of malware does not by itself bound what the attacker could reach.
“We have no indication of ransomware or malware and believe the incident is contained,” the company stated.
Neither Stryker nor Microsoft has responded to requests for further technical detail on how the Intune credentials were compromised.
A Pattern of Destructive Cyber Ops
Historically, Iranian state-sponsored actors have favored “wiper” attacks to inflict maximum damage on geopolitical rivals. Notable past targets include Saudi Aramco in 2012, hit by the Shamoon wiper, and the Sands Casino in 2014.
Until this week, firms such as Google and Proofpoint had observed Iranian hackers primarily engaged in espionage related to the ongoing war. An attack on a major medical technology provider signals a more aggressive posture, moving from intelligence gathering to operational sabotage.
Stryker, a Fortune 500 company, is a global leader in medical equipment, including surgical robotics and neurosurgical devices. While the company says the incident is contained, the abuse of a trusted administrative tool like Microsoft Intune raises urgent questions for U.S. cybersecurity officials about how cloud-based management platforms are protected: a single compromised admin account can do in minutes what a wiper would otherwise have to be delivered to every endpoint to achieve.