Active Incident – March 11, 2026

Iran-linked threat actor Handala weaponized Stryker’s mobile device management (MDM) platform to execute a mass device wipe across 79 countries. This bulletin provides an impact assessment and response playbook for healthcare organizations using Stryker-manufactured devices.

Executive Summary

On March 11, 2026, Stryker Corporation, a global manufacturer of orthopedic implants, surgical equipment, hospital beds, and robotic-assisted surgery systems, was struck by a large-scale cyberattack that disrupted operations worldwide.

The attack shut down operations across 79 countries and idled approximately 56,000 employees. The Iran-linked hacktivist group Handala claimed responsibility and framed the attack as retaliation related to geopolitical tensions.

This was a destructive wiper attack, meaning data was permanently erased rather than encrypted for ransom. Attackers used Stryker’s own endpoint management infrastructure to wipe devices across the organization.

Key Facts

  • Threat Actor: Handala (Iran-linked)
  • Attack Vector: Compromised MDM admin console
  • Malware Type: Wiper (destructive)
  • Devices Wiped: 200,000+
  • Data Exfiltrated: Approximately 50 TB
  • Employees Idled: 56,000
  • Countries Impacted: 79
  • Estimated Recovery Time: Weeks or longer

Attack Analysis

Phase 1: Pre-Positioning and Reconnaissance

Attackers likely infiltrated Stryker’s environment before February 28. Nation-state actors often conduct extended reconnaissance operations, mapping infrastructure and harvesting credentials before executing destructive payloads.

Activities likely included:

  • Credential harvesting
  • Network reconnaissance
  • Lateral movement across network segments

Indicators may include unusual device behaviors and anomalous network scanning patterns.

Phase 2: Admin Account Compromise

Attackers gained access to privileged administrative accounts within Stryker’s Microsoft environment, specifically Entra ID and Intune administrative consoles.

This access granted unrestricted control over the global device fleet managed through the company’s mobile device management platform.

Indicators include:

  • Unauthorized admin console access
  • Authentication attempts from unusual devices or locations
  • Privilege escalation anomalies

Phase 3: Data Exfiltration

Before executing the destructive phase of the attack, attackers exfiltrated approximately 50 terabytes of data.

This data may include:

  • Device blueprints
  • Manufacturing data
  • Intellectual property
  • Partner or patient information

Indicators include abnormal outbound traffic and large-scale data transfers exceeding normal baselines.

Phase 4: MDM Weaponized – Mass Remote Wipe

Attackers used Stryker’s own MDM platform to issue a mass remote wipe command to all enrolled devices globally.

The endpoint management system designed to protect the fleet was weaponized to destroy it.

More than 200,000 devices were wiped in the process.

Indicators include:

  • Fleet-wide device state changes
  • Large-scale policy pushes
  • Abnormal MDM command volume

Phase 5: BYOD Personal Device Wipe

Employees with personal phones enrolled in corporate MDM work profiles experienced device wipes that destroyed personal data.

This included:

  • Photos
  • Contacts
  • Personal applications
  • Multi-factor authentication apps

In many cases, employees were locked out of corporate accounts as a result.

Phase 6: Defacement and Attribution

Following the attack, login screens were replaced with the Handala logo and messages claiming responsibility.

Emails were reportedly sent to executives confirming the attack and framing it as geopolitical retaliation.

Global Healthcare Supply Chain Impact

Stryker’s manufacturing, logistics, and communications infrastructure were heavily disrupted.

This has created immediate risks across global healthcare supply chains.

Impacts include:

  • Global manufacturing disruption
  • Surgical equipment shortages
  • Delays in orthopedic and trauma procedures
  • Logistics and distribution outages

Hospitals worldwide rely on Stryker for surgical implants, instruments, and clinical equipment, making this disruption significant.

Critical Takeaway

The attackers did not deploy custom malware on every endpoint.

Instead, they compromised administrative credentials and used the organization’s own endpoint management infrastructure to wipe devices at scale.

Any organization using MDM or unified endpoint management platforms faces the same risk: if attackers gain admin access, they can destroy an entire device fleet within minutes.

Healthcare Impact Assessment

Healthcare organizations relying on Stryker equipment face several operational risks.

Supply Chain Disruption

Just-in-time delivery of surgical equipment and implants may be interrupted while manufacturing and logistics systems remain offline.

Surgical Procedure Delays

Procedures such as:

  • Hip replacements
  • Knee replacements
  • Spinal surgeries
  • Neurosurgical procedures

may face delays if device inventory becomes depleted.

Trauma and Emergency Equipment Risk

Critical equipment including surgical drills and hemorrhage control tools may become unavailable if supply chains remain disrupted.

Data Exposure Risk

Approximately 50 TB of data was reportedly exfiltrated during the attack.

Healthcare organizations that share data with Stryker should evaluate potential exposure of sensitive information.

Connected Device Risk

Connected medical devices such as surgical robots, smart beds, and other network-connected equipment should be monitored closely for anomalous behavior.

Unknown Recovery Timeline

Because the attack used destructive wiper malware, recovery depends entirely on available backups.

Experts estimate that full operational restoration could take weeks or longer.

Incident Response Playbook

Phase 1: Immediate Actions (0–48 Hours)

  1. Inventory all Stryker-manufactured devices in your environment.
  2. Segment or isolate devices communicating with Stryker infrastructure.
  3. Monitor network traffic for anomalous communications from Stryker devices.
  4. Contact your Stryker representative regarding continuity plans.
  5. Review surgical schedules and identify procedures dependent on Stryker equipment.

Phase 2: Short-Term Actions (1–2 Weeks)

  1. Validate inventory levels for implants, instruments, and disposables.
  2. Engage alternate suppliers for critical surgical materials.
  3. Document offline procedures for Stryker devices that rely on cloud services.
  4. Brief clinical leadership and develop surgical prioritization plans.
  5. Review Stryker contracts and data-sharing agreements for potential exposure risks.

Phase 3: Ongoing Security Hardening

  1. Audit administrative access to internal MDM or UEM platforms.
  2. Implement phishing-resistant multi-factor authentication such as FIDO2.
  3. Deploy privileged access management for MDM administrative actions.
  4. Configure alerts for mass device wipe commands and bulk policy changes.
  5. Strengthen network segmentation for medical IoT and OT devices.
  6. Conduct tabletop exercises simulating medical device supply chain cyberattacks.

How ORDR Enables Rapid Response

The ORDR AI Protect Platform is designed specifically for healthcare environments.

Capabilities include:

Device Discovery and Classification

Automatically identify every connected device across hospital networks including manufacturer, model, operating system, and behavior baseline.

Behavioral Monitoring and Anomaly Detection

AI-driven analysis identifies abnormal network traffic, device behavior changes, and potential exfiltration attempts.

Automated Zero Trust Segmentation

Pre-built segmentation policies allow compromised devices to be isolated instantly without disrupting clinical operations.

Supply Chain Risk Monitoring

Continuous vulnerability tracking identifies devices affected by manufacturer vulnerabilities, recalls, or supply chain risks.

