## The Coffee Was Still Brewing When the Alerts Fired

On March 11, 2026, employees at medical technology firm Stryker were sent home not by a fire drill, but by a digital inferno. A hacktivist group known as Handala, which Palo Alto Networks has linked to Iran's Ministry of Intelligence and Security (MOIS), unleashed a devastating wiper attack that crippled the company's global operations.
The attackers didn't just steal data; they annihilated it. In a bold proclamation, Handala claimed to have erased data from over 200,000 systems, servers, and mobile devices. The attack vector was brutally simple and effective: a 'remote wipe' command issued through Microsoft Intune, turning Stryker's own management tools into weapons of mass digital destruction.
The fallout was immediate and widespread. Operations in 61 countries ground to a halt. In Ireland alone, over 5,000 workers were idled. The disruption cascaded through the company’s Microsoft environment, paralyzing order processing, shipping, and distribution. For a company whose products are integral to surgical procedures in countless U.S. hospitals, this was more than a corporate crisis—it was a direct hit on the healthcare supply chain.
Handala framed the attack as retaliation for a missile strike that reportedly hit an Iranian school. But for security executives, the motive is secondary to the method. The Stryker attack is a terrifying case study in how state-affiliated actors can leverage basic administrative tools to execute highly disruptive campaigns. It's a wake-up call for every CISO whose organization relies on cloud-based device management: your keys to the kingdom can be used to burn it down.
