Exposure Brief: Iranian-Linked Wiper Attack on Global Medtech Firm Stryker

Healthcare, Research, Threat Intelligence

Executive Summary

  • On March 11, 2026, Stryker Corporation was hit with a wiper cyberattack by Handala, a group linked to the Iranian government, destroying data across its global Windows environment with no possibility of recovery.
  • The likely attack vector was Microsoft Intune, a mobile device management platform that, if compromised at the admin level, allows an attacker to wipe an organization’s entire device fleet simultaneously.
  • Stryker was apparently targeted based on its business relationships with an Israeli company and a $450 million U.S. Department of Defense contract.
  • Censys identified nearly 2,000 Internet-facing hosts attributable to Stryker following the attack, over 150 with active login interfaces, which makes it clear how difficult it is for large organizations to maintain visibility into their full external attack surface.

What Happened?

On March 11, 2026, Stryker Corporation, a Michigan-headquartered medical device manufacturer with employees worldwide, was hit with a wiper cyberattack attributed to Handala, a hacking group with known ties to the Iranian government. Unlike ransomware, a wiper attack is designed purely to destroy data, with no ransom negotiation and no possibility of recovery. The attack took down Stryker’s Windows environment globally, halted manufacturing at its Ireland facilities, and wiped laptops, servers, and corporate mobile devices. Handala cited Stryker’s acquisition of an Israeli medical technology company and its $450 million U.S. Department of Defense contract as reasons for targeting the company.

How Did It Happen?

While neither Stryker nor Microsoft has confirmed the initial access vector, KrebsOnSecurity reported that attackers may have abused Microsoft Intune, a cloud-based MDM service that allows administrators to manage and remotely wipe every enrolled corporate device from a single console. An attacker with access to an Intune administrator account could wipe an entire device fleet simultaneously, which is consistent with the scale and speed of what was reported. Unverified posts from apparent Stryker employees describing urgent instructions to uninstall Intune from personal devices further support this theory, though it’s still unconfirmed.

What Can Organizations Do?

If the Intune vector is confirmed, it points to a class of risk that many organizations share and that has mitigations. Requiring phishing-resistant multi-factor authentication on privileged accounts, applying conditional access controls to device management systems, and monitoring for anomalous bulk actions within MDM platforms are all measures that can meaningfully reduce both the likelihood and the potential impact of this kind of attack.

That said, this type of attack is a useful reminder that detection and containment matter as much as prevention. No security program can guarantee that a motivated, state-linked threat actor will never find a way in, but organizations can reduce their exposure by requiring phishing-resistant multi-factor authentication on privileged accounts, by limiting the blast radius of any single compromised credential, and by maintaining tested incident response plans. The goal is to limit how much damage can be done before unusual activity is identified and stopped.
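The "monitoring for anomalous bulk actions within MDM platforms" control described above, as an added example that is not Censys's or Microsoft's code: a per-actor sliding-window detector run over constructed MDM audit events. The event fields and the "wipe"/"retire" action names are assumptions for illustration, not the real Intune audit log schema.

```python
"""Flag an MDM administrator who issues many destructive device actions in a short window.

Added example, not code from Censys or Microsoft. The event schema (ts, actor,
action, device) is an assumption for illustration, not the real Intune audit format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events: a helpdesk account doing routine, spaced-out
# offboarding, and an admin account wiping six devices in under a minute.
SAMPLE_EVENTS = [
    {"ts": "2026-03-11T01:00:00Z", "actor": "helpdesk@corp.example", "action": "retire", "device": "DEV-A"},
    {"ts": "2026-03-11T01:40:00Z", "actor": "helpdesk@corp.example", "action": "wipe", "device": "DEV-B"},
    {"ts": "2026-03-11T02:00:00Z", "actor": "admin@corp.example", "action": "sync", "device": "DEV-C"},
    {"ts": "2026-03-11T02:00:05Z", "actor": "admin@corp.example", "action": "wipe", "device": "DEV-0001"},
    {"ts": "2026-03-11T02:00:12Z", "actor": "admin@corp.example", "action": "wipe", "device": "DEV-0002"},
    {"ts": "2026-03-11T02:00:20Z", "actor": "admin@corp.example", "action": "wipe", "device": "DEV-0003"},
    {"ts": "2026-03-11T02:00:31Z", "actor": "admin@corp.example", "action": "wipe", "device": "DEV-0004"},
    {"ts": "2026-03-11T02:00:44Z", "actor": "admin@corp.example", "action": "wipe", "device": "DEV-0005"},
    {"ts": "2026-03-11T02:00:58Z", "actor": "admin@corp.example", "action": "wipe", "device": "DEV-0006"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_actions(events, watched=("wipe", "retire"), threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor whose destructive actions touch >= threshold distinct
    devices inside any sliding window; non-destructive actions are ignored."""
    recent = defaultdict(deque)  # actor -> deque of (timestamp, device), oldest first
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):  # fixed-width UTC strings sort correctly
        if ev["action"] not in watched:
            continue
        ts = parse_ts(ev["ts"])
        q = recent[ev["actor"]]
        q.append((ts, ev["device"]))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        devices = {device for _, device in q}
        if len(devices) >= threshold and ev["actor"] not in alerted:
            alerted.add(ev["actor"])  # report each actor once, at the moment the threshold trips
            alerts.append({"actor": ev["actor"], "count": len(devices),
                           "first": q[0][0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_actions(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['count']} devices between {alert['first']} and {alert['last']}")
```

The threshold and window should be tuned to the organization's normal offboarding rate; the point is that a fleet-wide wipe stands out against that baseline long before it completes.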

Censys Perspective

Censys data from the aftermath of the attack identified nearly 2,000 Internet-facing hosts attributable to Stryker, with over 150 exposing login-capable interfaces including hospital cardiac monitoring systems, VPN gateways, and manufacturing order systems. This is less a reflection on Stryker specifically than it is an illustration of how complex large organizations’ external footprints tend to be, particularly after years of acquisitions, cloud migrations, and the organic accumulation of systems that weren’t always built with visibility in mind.

Censys continuously maps and monitors Internet-facing infrastructure, giving security teams an ongoing, accurate picture of what they have exposed to the Internet and where potential weaknesses exist. The goal is to surface that information to the people who can act on it before an attacker finds it first. In a threat environment where groups like Handala are actively looking for ways into organizations that fit their targeting criteria, understanding your external attack surface is a practical and proactive step that any organization can take regardless of where they are in their broader security journey.

For more Censys ARC research and insights, sign up for the Censys ARC newsletter.

AUTHOR
Himaja Motheram
Himaja Motheram is a Senior Security Researcher with Censys ARC, who is passionate about continuous learning and tackling complex challenges in vulnerability measurement. As a co-host of the Storm⚡️Watch podcast, she discusses emerging threats, industry trends, and new research. As a proud University of Michigan graduate, she values sharing knowledge and tools to help the security community.