It was shortly after midnight on March 11.
Dave Nathans, Chief Information Security Officer (CISO) of the massive medical technology company Stryker, awakened to bone-chilling news. It wasn’t your traditional ransomware, where the attacker demands a payout. This was no “transaction.” In fact, there was no malware detected at all. Its connected medical products weren’t impacted and were safe to use.
Rather, Stryker employee devices running Microsoft Windows – including employee cellphones and laptops – were committing seppuku, disemboweling themselves, spilling data like so many clumps of intestine. The company described it as a “global network disruption to our Microsoft environment as a result of a cyber attack.” As of Monday, March 15, it was still performing CPR on its customer-facing systems.
Five days after the attack, Wall Street is fairly sanguine about the company’s future. Overall, its value dropped as much as 7.6% following the incident. That drop was fueled by a viral Reddit thread – titled “Stryker (SYK) has lost almost $6 Billion since Iranian-linked hacker group Handala halted their operations globally.”
Act II: The Third-party Betrayal
As Stryker’s incident response team scrambled to identify the intrusion vector, they realized that the attackers didn’t use complex malware. This was no fancy Artificial Intelligence (AI) dark magic. This was far more banal. Namely, Handala simply abused Stryker’s own third-party, cloud-based device management service, Microsoft InTune.
“What they did is, they basically just pushed the ‘wipe’ button,” explained Contrast Security Inc. CISO David Lindner. “They got access to InTune, and they pushed the button for all the devices. ‘Wipe it out,’” he explained.
Act III: The Geopolitical Crossfire
The adversary revealed itself as “Handala,” an Iran-backed hacktivist group linked to Iran’s Ministry of Intelligence and Security (MOIS). The attackers claim to have erased over 200,000 systems across 79 countries in retaliation for the U.S. missile strike on the Shajareh Tayyebeh girls’ elementary school in Minab, Iran, during the opening hours of the US-Israel military offensive against Iran. The attack killed between 168 and 180 people, mostly schoolgirls aged 7 to 12, with 95 injured, making it the deadliest civilian casualty event in the conflict.
Handala leaves its logo on wiped devices to maximize terror.
Stryker CISO Nathans could read the signal loud and clear: They weren’t after money. Their only goal was to destroy Stryker and inflict maximum pain.
Handala’s Previous Sabotage
Handala is known for its frequent, “quick and dirty” attacks that exploit supply-chain footholds (like IT providers or, in this case, InTune) to reach downstream victims.
Palo Alto Networks’ Unit 42 says Handala, aka Handala Hack or Handala Hack Team, is a “hacktivist persona linked to Iran’s Ministry of Intelligence and Security (MOIS)” that “mixes data exfiltration with cyber operations against the Israeli political and defense establishment.”
In the past, Handala has claimed responsibility for compromising an Israeli energy exploration company as well as Jordan’s fuel systems. It also claimed to target Israeli civilian healthcare to create domestic pressure just days before the current, on-the-ground war broke out.
“Recent observed activities are opportunistic and ‘quick and dirty,’ with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by ‘proof’ posts to amplify credibility and intimidate targets,” Palo Alto researchers wrote.
A Handala manifesto posted to Telegram referred to Stryker as a “Zionist-rooted corporation,” which may be a reference to the company’s 2019 acquisition of the Israeli company OrthoSpace.
Stryker is a major supplier of medical devices, and the ongoing attack is already affecting healthcare providers. One healthcare professional at a major university medical system in the United States told KrebsOnSecurity they are currently unable to order surgical supplies that they normally source through Stryker.
“This is a real-world supply chain attack,” said the expert, who requested anonymity. “Pretty much every hospital in the U.S. that performs surgeries uses their supplies.”
John Riggi, national advisor for the American Hospital Association (AHA), has noted that the AHA is not aware of any supply-chain disruptions as of yet.
A CISO’s Chilling Insights
Every CISO knows ransomware. Every CISO, one hopes and assumes, knows about ransomware insurance. About backups. About how to drag a business back if you do have backups. But this? This is another matter entirely.
“The Stryker thing is different,” said Contrast Security’s Lindner. “They’re not trying to get money. They’re literally just trying to wipe out a business, like, ‘Go away.’”
Where this exploit is truly terrifying is its simplicity, he said. It simply relies on attackers grabbing at low-hanging fruit.
“Once you have access to InTune or Jamf [the Apple mobile device management (MDM) equivalent of InTune], heck, you could even script it, push a button and wipe everything within seconds.
“That’s chilling. Bone chilling,” Lindner said.
Same Old, Same Old: Yet Another Third-party IT Exploit
It’s both bone-chilling and business as usual.
The entry point for many of the major breaches over the last few years has been a third party, Lindner noted.
Supply chain risk is as old as the hills. In 2023, Sonatype found that open-source software supply chain attacks had tripled in a year: One in eight open-source downloads were found to have known risk, and 245,000 malicious packages were discovered — twice as many as in all previous years combined.
Three years later, Sonatype’s 2026 State of the Software Supply Chain report finds the situation worse than ever.

Beyond poisoned GitHub code libraries, we have these managed IT services, including InTune and Jamf. These services entail “a lot of access to just be handing out to a third party,” Lindner said. “If you look at a lot of the major breaches over the last few years, the entry point is always some third party that may be like a managed service for managing IT.”
Lindner compared the likely vector of the Stryker attack to the 2022 Okta breach.
In that earlier incident, attackers successfully breached the authentication firm by exploiting a third-party vendor—Sitel, a customer support subcontractor that had acquired Sykes Enterprises. Sitel was managing IT help desk support.
The incident began on Jan. 20, 2022, when Okta detected an unauthorized attempt to add a new authentication factor to a Sitel employee’s Okta account. Although the attack was blocked due to multifactor authentication, Okta later admitted it “made a mistake” by not fully investigating the incident and failing to notify customers in a timely manner …
Trust but Verify!
… and by trusting Sitel’s initial assessment that the breach was contained. Yea, um… oops. About that. Actually, the attackers, linked to the group Lapsus$, claimed to have gained “superuser” access to Okta’s internal systems, and evidence surfaced in late March showing access from Jan. 16–21, 2022.
So. Yes. Trust, but verify. Did we already say that? It’s worth repeating. Furthermore, here are some other things that CISOs need to keep in mind, Lindner suggested.
How a CISO Should Keep Their Business from Being Strykerized
First off, accept that compromises will happen, Lindner said. In light of that reality, rapid detection is critical. The CISO’s specific recommendations to his peers:
- Focus on Management Systems and Third-Party Access. CISOs should closely monitor who has access to device and IT management systems (like InTune, Jamf, or AWS). Because companies rely heavily on third parties, monitoring this access is critical even if only one or two people have it.
- Beef Up Monitoring over Adding Controls. Lindner argues that there are not many new preventative controls you can add to stop account compromises entirely. Instead, the focus should be on “beefing up” monitoring to detect compromises as fast as possible so you can stop access immediately.
- Watch for “Impossible Logins”. A key part of this enhanced monitoring is looking out for impossible logins, such as an employee’s account logging in from New York City when the employee is known to be in Arizona.
- Ensure “Table Stakes” Security is Enforced. Basic security practices are still essential. Lindner emphasizes that turning on Multi-Factor Authentication (MFA) for all accounts is a “huge help,” alongside requiring strong passwords. He notes that while these are “table stakes” from a CISO perspective, not everyone is actually doing them right. As Palo Alto Networks reported last year, many companies rely on insecure MFA methods like SMS, email, or push notifications, which are vulnerable to phishing, SIM swapping, and “channel jacking” attacks. These weak implementations create a false sense of security and can be bypassed by determined attackers, making them nearly as risky as having no MFA at all.
- Monitor High-Risk Partnerships Closely. If your company does business with major targets that threat actors have specifically named (such as Google or IBM), you should implement tighter monitoring around the data and interactions associated with those specific partnerships.
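As an added example (not from the article, Contrast Security, or Microsoft), the two signals Lindner describes, an impossible login and a mass wipe pushed through a device-management console, written as detection logic over constructed sign-in and MDM audit records; the field names, the service account `svc-mdm-vendor` and the thresholds are assumptions, not a real InTune or Jamf schema.

```python
"""Detectors for the two signals above, run over constructed records: an impossible
login and a burst of MDM wipes by one actor. Field names are assumptions, not a
real InTune or Jamf schema."""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900    # faster than an airliner: no real trip moves that fast
WIPE_THRESHOLD = 5     # this many wipes by one actor ...
WIPE_WINDOW_SEC = 600  # ... inside ten minutes is treated as a mass-wipe

# Constructed sign-ins: user, UTC timestamp, geolocation of the source IP.
SIGNINS = [
    {"user": "alice", "ts": "2026-03-11T00:05:00", "lat": 33.45, "lon": -112.07},  # Phoenix
    {"user": "alice", "ts": "2026-03-11T00:20:00", "lat": 40.71, "lon": -74.01},   # New York, 15 min later
    {"user": "bob",   "ts": "2026-03-11T01:00:00", "lat": 33.45, "lon": -112.07},
    {"user": "bob",   "ts": "2026-03-11T03:00:00", "lat": 33.45, "lon": -112.07},
]
# Constructed MDM audit log: six wipes by a vendor service account in five minutes, one by an admin.
AUDIT = [{"actor": "svc-mdm-vendor", "action": "wipe", "ts": f"2026-03-11T00:2{i}:00"}
         for i in range(6)] + [{"actor": "it-admin", "action": "wipe", "ts": "2026-03-11T02:00:00"}]

def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))  # great-circle distance, 6371 km mean Earth radius

def impossible_logins(signins):
    """Return (user, ts) for every sign-in unreachable from that user's previous one."""
    by_user = defaultdict(list)
    for e in sorted(signins, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for evs in by_user.values():
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km and (hours == 0 or km / hours > MAX_SPEED_KMH):  # same place at once is fine
                hits.append((cur["user"], cur["ts"]))
    return hits

def mass_wipe_actors(audit):
    """Return {actor: most wipes inside any WIPE_WINDOW_SEC window} for actors over threshold."""
    wipes = defaultdict(list)
    for a in sorted((a for a in audit if a["action"] == "wipe"), key=lambda a: a["ts"]):
        wipes[a["actor"]].append(datetime.fromisoformat(a["ts"]))
    flagged = {}
    for actor, times in wipes.items():
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > WIPE_WINDOW_SEC:
                start += 1
            if end - start + 1 >= WIPE_THRESHOLD:
                flagged[actor] = max(flagged.get(actor, 0), end - start + 1)
    return flagged
```

In practice the sign-in records come from the identity provider and the wipe events from the MDM audit log; the point is that both checks are cheap enough to run continuously, which is the "beef up monitoring" Lindner is asking for.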
The Last Word
The TL;DR version: Ultimately, CISOs must have some faith that user accounts won’t be compromised. But they must operate under the assumption that if controls like MFA fail, the right monitoring is in place to catch the breach.
Instantly.
Lisa Vaas is a seasoned freelance journalist and content marketing professional with over 25 years of experience writing about technology, cybersecurity, careers, science, and health. She can be reached at lisavaas@lisavaas.com, lisavaas@securitypointbreak.com or via LinkedIn.