Stryker, a global leader in medical technology, has confirmed a large-scale cyberattack that wiped out tens of thousands of corporate devices around the world. This is one of the most disruptive business incidents involving legitimate cloud management tools.

Attack Summary

The event, which started on March 11, 2026, had a big effect on Stryker's corporate IT infrastructure, stopping Microsoft services, manufacturing processes, and shipping operations. Handala, a hacktivist group that supports Iran, has taken credit for the attack and said it was politically motivated. The group says that the attackers wiped out more than 200,000 systems and stole about 50 TB of sensitive corporate data before they started the destructive phase.

While these numbers haven't been independently verified, the amount of operational disruption suggests a well-planned and harmful intrusion.

Misuse of Microsoft Intune

Unlike most destructive cyberattacks, which rely on custom wiper malware or ransomware payloads, this attack used legitimate enterprise tools. Threat actors were able to get administrative access to Stryker's Microsoft Intune environment, which is a cloud-based platform for managing endpoints that is commonly used for setting up devices and enforcing security.

Once they got in, the attackers used Intune's built-in remote wipe feature to send factory reset commands to a large number of Windows endpoints. This let them wipe a lot of devices without installing any harmful binaries, which got around traditional endpoint detection and response (EDR) systems.

- Compromising an administrative credential gave full control of Intune.
- Commands for remote wipe ran at the same time in 79 countries.
- Before containment, up to 95% of endpoints in some offices were wiped.
- There were no signs of malware or ransomware on the affected systems.

This "living off the land" method shows how identity-based attacks are becoming more likely to target cloud management planes instead of endpoints directly.

Handala, the group that says it is responsible, has been linked to politically motivated cyber operations in the past. Researchers at Palo Alto Networks think that the group is probably run by Iran's Ministry of Intelligence and Security (MOIS), even though it claims to be an independent hacktivist group. The attack fits with a larger trend of state-linked operations using access-based methods and trusted business tools to cause as much trouble as possible while leaving as few forensic traces as possible.

Even though there was a lot of IT trouble, Stryker stressed that its medical devices and healthcare platforms are still safe and working. The business confirmed that its important systems are set up in a way that keeps them separate from its corporate Microsoft environment. The following systems were not affected:

- Vocera and care.ai platforms that run on AWS and Google Cloud.
- Linux-based systems, like Vocera Edge, which Windows-based controls don't affect.
- Mako Surgical Robotics, which uses localized planning environments to do its work.
- LIFEPAK and SurgiCount devices, which work on their own with their own security models.

This segmentation kept the attack from affecting patient care, hospital networks, or the way medical devices worked.

As soon as Stryker noticed strange behavior, it put its incident response plan into action.

The company is working closely with outside cybersecurity experts and government agencies to look into the breach and fix it.

Because the attack didn't use traditional malware, detection and containment focused on controlling identities and revoking access instead of fixing endpoints. To keep things running and limit more damage, Stryker put in place a number of emergency measures:

- Told workers to unplug devices and turn off systems
- Moved to manual ordering and logistics processes
- Increased security monitoring in places that weren't affected
- Conducted thorough access reviews and credential resets

The incident shows a major change in the threat landscape: attackers are increasingly going after centralized management systems to cause big problems without using malicious code.
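Because the wipes were issued through Intune itself, the signal lives in the management plane's audit trail rather than on the endpoint. The following is an added example, not code from Stryker or Microsoft: it flags any account that issues wipe commands against many distinct devices within a short window. The record fields (`actor`, `action`, `device`, `time`), the threshold and the sample events are constructed assumptions; map them from your own audit-log export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BASE = datetime(2026, 1, 5, 2, 0, tzinfo=timezone.utc)  # constructed start time


def _ev(actor, action, device, minutes):
    """Build one constructed audit record (hypothetical, simplified schema)."""
    return {"actor": actor, "action": action, "device": device,
            "time": BASE + timedelta(minutes=minutes)}


# Constructed sample data: routine helpdesk activity plus one burst of wipes.
SAMPLE_EVENTS = (
    [_ev("helpdesk@example.com", "wipe", "LAPTOP-001", 0),
     _ev("helpdesk@example.com", "wipe", "LAPTOP-002", 240),
     _ev("helpdesk@example.com", "sync", "LAPTOP-003", 241)]
    + [_ev("admin@example.com", "wipe", f"PC-{i:03d}", 300 + i * 0.25)
       for i in range(8)]
)


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: alert} for actors wiping >= threshold distinct devices
    inside a sliding time window. Only the first crossing is recorded, since
    that is the moment to suspend the account and block further commands."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs inside window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "wipe":
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        while ev["time"] - q[0][0] > window:  # drop wipes older than window
            q.popleft()
        # Count distinct devices so retries against one device do not alert.
        devices = {d for _, d in q}
        if len(devices) >= threshold and ev["actor"] not in alerts:
            alerts[ev["actor"]] = {"first_seen": q[0][0],
                                   "alert_time": ev["time"],
                                   "devices": len(devices)}
    return alerts


if __name__ == "__main__":
    for actor, alert in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(actor, alert["devices"], "devices by", alert["alert_time"])
```

Tune the threshold and window to the normal wipe volume of your own help desk; a legitimate bulk decommissioning will trip the same rule.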