Living Off the Land: How Iran Turned Stryker's Security Tools Into a Weapon
Iran Used Stryker's Own IT Tools to Wipe 200,000 Devices. Here's What OT Teams Must Do Now.
The path from corporate IT to operational disruption is far shorter than most organizations want to believe.
200,000 Devices Gone in Minutes
On March 9, 2026, Stryker announced its new SmartHospital Platform ahead of the HIMSS Global Conference. The press release described it as "a digital foundation designed to connect devices, data and care teams across the hospital into one intelligent, adaptive ecosystem." Executives were in Orlando. Analysts were watching. The company's future, it seemed, was connectivity.
Forty-eight hours later, that same connected ecosystem was the reason employees in Ireland were heading home by the thousands.
On March 11, Iran-linked hackers from the group Handala used Stryker's Microsoft Intune management console to simultaneously wipe more than 200,000 corporate devices across 79 countries. No malware. No ransomware. No sophisticated exploit chain. Just a single compromised administrator account and a legitimate "remote wipe" button that Stryker's own IT team uses to secure lost or stolen devices.
For OT security professionals, this is not a cybersecurity story. This is a supply chain story, a patient safety story and a reminder that the path from corporate IT to operational disruption is far shorter than most organizations want to believe.
A Security Feature Weaponized at Scale
Microsoft Intune is a cloud-based Unified Endpoint Management platform. When an organization's IT team needs to protect sensitive corporate data on a lost phone, they log into Intune and issue a remote wipe. It's the kind of tool that's supposed to protect you.
According to Krebs on Security, Handala gained administrative access to Stryker's Intune management console and used that same feature to wipe every enrolled device in the company's global fleet simultaneously. Rafe Pilling, Director of Threat Intelligence at Sophos, confirmed the mechanism: "They seem to have obtained access to the Microsoft Intune management console. This is a solution for managing corporate devices."
The result was categorical and nearly instant. Employees across the U.S., Europe and Asia arrived at work to find their screens blank. Stryker's headquarters in Portage, Michigan recorded a voicemail informing callers the company was "experiencing a building emergency." The Entra ID login page was defaced with Handala's logo. Personal devices enrolled in the company portal, including employees' own phones and laptops, were also wiped. Workers were instructed to immediately uninstall Teams, VPN clients and the Intune Company Portal from any personal device they owned.
Stryker filed an SEC Form 8-K the same day, confirming "a global disruption to the Company's Microsoft environment" and noting the timeline for full restoration "is not yet known."
The core mechanism, documented in MITRE ATT&CK as technique T1072 (Software Deployment Tools), requires no malware and triggers no endpoint detection alerts. It looks, to every security tool in the stack, like a legitimate administrative action. Because it is one.
The OT Cascade Nobody Is Talking About
Most coverage of the Stryker attack has focused on the scale of the IT disruption. What gets less attention is what stopped working downstream.
Stryker manufactures orthopedic implants, neurovascular devices, surgical robots and defibrillators across a global network of highly automated facilities. In Ireland alone, approximately 5,500 employees work across eight sites in Cork, Limerick and Belfast. Cork's Anngrove facility is the world's largest 3D printing facility for medical devices. The Limerick site runs what Stryker calls a "centre of automation excellence." These are not offices that can fall back to pen and paper without consequence. They are precision manufacturing environments where production systems, quality control, logistics ordering and engineering data are all networked and interdependent.
According to the International Business Times, the attack brought manufacturing to a standstill: "The halt in production means no new medical devices are currently being manufactured."
Then there is LifeNet. Stryker's LifeNet clinical communication system, which enables emergency medical services to transmit patient data including EKG readings to hospitals ahead of arrival, went offline during the attack. According to CNN, emergency medical services in Maryland sent an internal memo warning crews that LifeNet was unavailable. When an ambulance crew can't transmit a heart attack patient's EKG to the emergency physician before arrival, the physician cannot prepare. That is not a data disruption. That is a patient outcome disruption.
As Joshua Corman, a health sector cybersecurity expert, told CNN: "Too much of cybersecurity is focused on lower consequence breaches from financially motivated enemies, while we're increasing our exposures to nation states and other enemies who seek to disrupt and destroy."
Stryker has noted that its Mako robotic surgery platform, Vocera communication tools and LIFEPAK 35 defibrillators were not directly impacted. Those OT devices survived because they were isolated from the IT environment that Intune managed. This time. But the LifeNet system, which sits at the boundary between OT and clinical delivery, did not.
Why Handala Chose Stryker, and Who's Next
Handala, also identified as Void Manticore by Palo Alto Networks Unit 42, is an Iranian Ministry of Intelligence and Security-affiliated threat actor that first surfaced publicly in late 2023. Its prior operations targeted industrial control systems in Israel, energy companies and government ministries across the Middle East and Europe.
The group doesn't typically handle initial access itself. According to Check Point Research, Void Manticore operates via a "tag-team" model: a separate MOIS affiliate, Scarred Manticore, conducts extended infiltration, sometimes for over a year, before handing access to Void Manticore for the final destructive act. In the Stryker case, researchers at Symantec documented that MuddyWater, another MOIS affiliate, had pre-positioned access inside U.S. networks weeks before Operation Epic Fury on Feb. 28, 2026, when U.S. and Israeli forces launched large-scale strikes against Iran. By the time the conflict became public, the attackers were already holding the keys.
The targeting logic is explicit. Handala targeted Stryker, in part, because of its 2019 acquisition of OrthoSpace, an Israeli medical technology company. Stryker also holds a $450 million contract to supply medical devices to the U.S. Department of Defense. Any company with business ties to Israel, or whose technology has been used to support military operations, is in scope.
Check Point's threat intelligence manager Sergey Shykevich called it a significant escalation, noting it was "the first time this Iranian-backed threat actor has disruptively targeted a major US enterprise."
Handala called it "only the beginning of a new chapter in the cyber war."
The NotPetya Playbook: Why Recovery Could Take Months
For organizations trying to understand their own exposure, the NotPetya recovery at Maersk provides the most instructive parallel. In 2017, a Russian state-sponsored wiper attack crippled Maersk's global shipping network: 45,000 PCs, 4,000 servers, 76 ports. According to Maersk's own leadership, the company's Active Directory was destroyed in minutes. It took nine days to restore it, and roughly two months to fully rebuild the network. The entire recovery was saved by a single offline backup in a powered-down office in Ghana. The total cost was $250 million to $300 million.
Stryker is facing a comparable scenario with approximately 4.4 times as many devices across a similarly global footprint. Cybersecurity experts quoted by multiple outlets have estimated that rebuilding 200,000 wiped devices could take several months.
The critical difference between wiper attacks and ransomware attacks is that there is no negotiation possible with a wiper. Ransomware leaves at least a theoretical path to restoration through decryption. A wiped device is a blank. Recovery depends entirely on whether clean, tested, offline backups exist, and for OT environments, whether those backups include industrial configurations, historian data, SCADA interface settings and PLC ladder logic. Those files rarely get the same backup attention as corporate data.
Maersk's CISO Andy Powell captured the broader dynamic accurately: "Nation state weapons are even more widespread. What's worrying is those nation state weapons, which are high end, are moving into the hands of proxies: criminal gangs acting on their behalf." That is precisely the Void Manticore/Handala model in 2026.
What OT and Medtech Security Teams Must Do Now
The Stryker attack is not a story about a sophisticated zero-day exploit. It is a story about what happens when a powerful administrative tool has no guardrails, when IT and OT environments are not meaningfully segmented, and when threat intelligence exists but isn't connected to the right operational response.
1. Treat your MDM/UEM console as OT-critical infrastructure.
Intune, SCCM and similar platforms are master keys to every enrolled endpoint in the organization. If any of those endpoints touch manufacturing systems, quality control networks or clinical communications, the MDM console is an OT risk, not just an IT risk. Apply the same access controls you would use for a SCADA system: dedicated admin accounts, hardware-enforced multi-factor authentication and role separation. Microsoft's own guidance for Entra ID recommends time-limited privileged role activation through Privileged Identity Management (PIM), which the industry calls just-in-time access. A compromised account that only has admin rights for four approved hours cannot be used to issue a bulk wipe at 3 a.m.
2. Segment OT endpoints out of your enterprise MDM scope.
Industrial workstations, engineering systems, historian servers and any device that touches a control network should not be enrolled in the same Intune instance as corporate laptops and employee phones. Separation is not just a segmentation question; it is a blast radius question. When an attacker gets admin access to an enterprise MDM, every enrolled device is exposed. OT devices require separate management planes with separate credential stores.
3. Build and test your wiper recovery plan before you need it.
Offline, air-gapped backups are not optional for environments where recovery from a wiper attack is a possibility. For OT specifically, this means backing up not just data but configurations: PLC programs, historian schemas, HMI display files, calibration data and any industrial-specific settings that a vendor technician would otherwise need weeks to restore on-site. The backup that saves your manufacturing line may not be in your IT backup system at all.
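One way to make the "test it before you need it" part of this recommendation concrete, as an added example that is not from the article or from any vendor's tooling: a small Python check that verifies an offline OT configuration backup set against a manifest of expected artifacts, digests and backup dates. It creates a constructed backup in a temporary directory, then reports what a restore would run into: a file whose hash no longer matches the manifest, a calibration backup older than the freshness policy allows, and a required artifact class (the historian schema) that was never backed up at all. The artifact classes, the file names, the seven-day policy and all file contents are assumptions constructed for illustration.

```python
"""Added example: verify an offline OT configuration backup against a manifest.

Everything here (artifact classes, file names, policy values, contents) is
constructed for illustration and is not tied to any real site or vendor.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Constructed policy: the artifact classes a manufacturing line needs in order
# to be rebuilt after a wipe, and how old a backup may be before it is "stale".
REQUIRED_CLASSES = {"plc_program", "historian_schema", "hmi_display", "calibration"}
MAX_AGE = timedelta(days=7)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large historian exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_sample_backup(root: Path, now: datetime) -> Path:
    """Write a constructed backup set plus manifest.

    Deliberately leaves the historian schema out, lets the calibration backup
    go stale, and corrupts the HMI file after it was hashed, so that the
    verifier has realistic failures to report.
    """
    files = {
        # class: (file name, age of the backup, constructed content)
        "plc_program": ("line3_press.acd", timedelta(days=1), b"constructed PLC project blob\n"),
        "hmi_display": ("line3_overview.mer", timedelta(days=1), b"constructed HMI runtime file\n"),
        "calibration": ("press_load_cells.csv", timedelta(days=30), b"cell,offset,gain\n1,0.02,1.001\n"),
    }
    artifacts = []
    for cls, (name, age, content) in files.items():
        path = root / name
        path.write_bytes(content)
        artifacts.append({
            "class": cls,
            "path": name,
            "sha256": sha256_of(path),
            "backed_up": (now - age).isoformat(),
        })
    # Simulate a copy that silently truncated the HMI file after it was catalogued.
    (root / "line3_overview.mer").write_bytes(b"truncated by a failed copy\n")
    manifest = root / "manifest.json"
    manifest.write_text(json.dumps({"site": "constructed-line-3", "artifacts": artifacts}, indent=2))
    return manifest


def verify_backup(manifest_path: Path, now: datetime,
                  required=REQUIRED_CLASSES, max_age=MAX_AGE) -> list:
    """Return a list of human-readable problems; an empty list means the set is restorable."""
    root = manifest_path.parent
    manifest = json.loads(manifest_path.read_text())
    problems = []
    seen = set()
    for art in manifest["artifacts"]:
        seen.add(art["class"])
        path = root / art["path"]
        if not path.exists():
            problems.append(f"missing file: {art['path']}")
            continue
        if sha256_of(path) != art["sha256"]:
            problems.append(f"hash mismatch: {art['path']}")
        age = now - datetime.fromisoformat(art["backed_up"])
        if age > max_age:
            problems.append(f"stale ({age.days} days): {art['path']}")
    # A backup set that has no copy of a required class cannot rebuild the line.
    for cls in sorted(required - seen):
        problems.append(f"no backup for required class: {cls}")
    return problems


def run_demo() -> list:
    """Build the constructed backup in a temp directory and verify it."""
    now = datetime(2026, 3, 10, tzinfo=timezone.utc)
    root = Path(tempfile.mkdtemp(prefix="ot-backup-"))
    return verify_backup(build_sample_backup(root, now), now)


if __name__ == "__main__":
    for problem in run_demo():
        print("FAIL:", problem)
```

Run this on a schedule against the real offline media, with the manifest stored separately from the backup set, and the three failure types it reports (corrupted file, stale configuration, class never backed up) are exactly the gaps a vendor technician would otherwise discover on-site after a wipe.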
4. Run a red team assessment against your IT-OT boundary, including your cloud management plane.
Most penetration tests stop at the firewall. What they often don't test is what happens when an attacker compromises a cloud administrative tool that sits above the network entirely. A properly scoped red team would ask: if we obtain Intune Global Admin credentials, what can we wipe, modify or deny? If we compromise an RMM tool installed by a third-party IT integrator, what OT-adjacent systems become reachable? These are the documented attack paths used against Stryker. A red team assessment that surfaces those paths on your schedule is the difference between discovering your blast radius and discovering it on theirs.
5. Build a Cyber Fusion Center capability, or connect to one.
The intelligence to anticipate the Stryker attack existed before March 11. Handala's track record, Void Manticore's documented tag-team architecture, MuddyWater's pre-positioning activity and IRGC threat advisories were all public or semi-public before the wiper ran. A Cyber Fusion Center integrates threat intelligence analysts and detection/response teams working from a shared operational picture. If a fusion capability had been correlating Void Manticore's targeting patterns with unusual Intune admin sign-ins from unexpected geolocations, the bulk wipe command might have triggered a human review before it executed. No single security tool catches a living-off-the-land attack. But a team fusing external threat intelligence with internal telemetry has a fighting chance.
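The two controls above that can be checked mechanically, the just-in-time window from item 1 and the correlation of wipe commands with admin sign-in geolocation from item 5, as an added example that is not part of the original article or of any Microsoft product: a Python detection that walks a stream of MDM audit events and raises findings when a remote wipe is issued outside an approved PIM activation window, when the issuing admin's last sign-in came from a country outside the organization's normal set, or when one actor issues a burst of wipes in a short interval. The event and sign-in record shapes are simplified and constructed (they are not Intune's exact audit schema), and the domain names, country codes, thresholds and sample events are assumptions built for illustration.

```python
"""Added example: detect remote-wipe commands that should trigger human review.

Record shapes, sample data, thresholds and country codes are constructed for
illustration; they are not Intune's audit schema or any real tenant's data.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def ts(year, month, day, hour=0, minute=0, second=0):
    return datetime(year, month, day, hour, minute, second, tzinfo=UTC)


# Constructed: approved PIM activations for the MDM admin role (actor, start, end).
# Both windows are on March 10, so neither covers the early hours of March 11.
PIM_WINDOWS = [
    ("helpdesk@example.com", ts(2026, 3, 10, 9), ts(2026, 3, 10, 13)),
    ("intune-admin@example.com", ts(2026, 3, 10, 9), ts(2026, 3, 10, 13)),
]

ALLOWED_COUNTRIES = {"US", "IE"}   # constructed: where admins normally sign in
BULK_THRESHOLD = 5                 # wipes by one actor within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=10)

# Constructed: the most recent interactive sign-in per admin (from identity logs).
LAST_SIGNIN = {
    "helpdesk@example.com": {"country": "IE", "ip": "198.51.100.4"},
    "intune-admin@example.com": {"country": "XX", "ip": "203.0.113.7"},
}

# Constructed audit events: one legitimate lost-laptop wipe inside an approved
# window, one non-destructive action, then six wipes at 03:00 from an account
# with no active window and a sign-in from an unexpected country.
T0 = ts(2026, 3, 11, 3)
EVENTS = [
    {"time": ts(2026, 3, 10, 10, 15), "actor": "helpdesk@example.com",
     "activity": "wipe", "device": "LAPTOP-LOST-01"},
    {"time": ts(2026, 3, 10, 10, 20), "actor": "helpdesk@example.com",
     "activity": "sync", "device": "LAPTOP-0042"},
] + [
    {"time": T0 + timedelta(seconds=i), "actor": "intune-admin@example.com",
     "activity": "wipe", "device": f"DEVICE-{i:04d}"}
    for i in range(6)
]


def in_pim_window(actor, when, windows):
    """True if `when` falls inside an approved activation window for `actor`."""
    return any(a == actor and start <= when <= end for a, start, end in windows)


def analyse(events, signins, windows=PIM_WINDOWS, allowed=ALLOWED_COUNTRIES,
            threshold=BULK_THRESHOLD, burst=BULK_WINDOW):
    """Return one finding dict per rule violation; only wipe actions are in scope."""
    findings = []
    wipes_by_actor = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["activity"] != "wipe":
            continue
        actor, when = ev["actor"], ev["time"]
        if not in_pim_window(actor, when, windows):
            findings.append({"rule": "wipe_outside_pim_window", "actor": actor,
                             "device": ev["device"], "time": when})
        country = signins.get(actor, {}).get("country")
        if country not in allowed:
            findings.append({"rule": "wipe_from_unexpected_geo", "actor": actor,
                             "device": ev["device"], "country": country, "time": when})
        wipes_by_actor[actor].append(when)
        recent = [t for t in wipes_by_actor[actor] if when - t <= burst]
        if len(recent) == threshold:   # fire once, when the threshold is first crossed
            findings.append({"rule": "bulk_wipe_burst", "actor": actor,
                             "count": len(recent), "time": when})
    return findings


def summarize(findings):
    """Count findings per rule, which is what an analyst queue would key on."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in analyse(EVENTS, LAST_SIGNIN):
        print(f["time"].isoformat(), f["rule"], f["actor"], f.get("device", ""))
    print(summarize(analyse(EVENTS, LAST_SIGNIN)))
```

The helpdesk wipe produces no finding because it is inside an approved window and the sign-in is from an expected country; the 03:00 burst produces a finding per wipe for both the window and geolocation rules and a single bulk-burst finding at the fifth wipe. In production the bulk rule would feed a hold-and-review step rather than an alert after the fact, since a wipe that has already executed cannot be recalled.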
The FDA issued updated cybersecurity guidance for medical device manufacturers in June 2025 specifically addressing OT security in manufacturing environments. The guidance existed before the Stryker attack. The question was never whether the risks were documented. The question is always whether the work gets done before the attack or after.
Don't Let a Legitimate Admin Tool Become Your Attacker's Weapon
⚠️ 200,000 Devices. 79 Countries. No Malware. No Exploit. Just One Compromised Admin Account.
Iran's Handala group didn't break into Stryker. They walked in through the front door using a legitimate IT management tool, then used its "remote wipe" button to disable a global medical device company in minutes.
Five Actions OT Teams Must Take Now
Treat MDM as OT-Critical
Your endpoint management console is a master key
Intune and SCCM control every enrolled endpoint. If any touch manufacturing or clinical systems, apply SCADA-level controls: dedicated admin accounts, hardware MFA, and just-in-time activation via Privileged Identity Management. A 4-hour access window can't be used to issue a bulk wipe at 3 a.m.
Segment OT From Enterprise MDM
Industrial systems don't belong in the same management plane
PLCs, historian servers and engineering workstations should not share an Intune instance with corporate laptops. This is a blast radius question. When an attacker gets MDM admin access, every enrolled device is exposed. OT devices require separate management planes with separate credential stores.
Build a Wiper Recovery Plan
Ransomware leaves a negotiation path. Wipers don't.
Offline, air-gapped backups are essential. For OT, that means backing up configurations too: PLC programs, historian schemas, HMI display files and calibration data. Those files rarely get the same attention as corporate data. Maersk's entire recovery was saved by one offline backup in Ghana.
Red Team Your Cloud Management Plane
Most pen tests stop at the firewall. Attackers don't.
A properly scoped red team asks: if we obtain Intune Global Admin credentials, what can we wipe? If we compromise an RMM tool from a third-party integrator, what OT-adjacent systems become reachable? These are not theoretical scenarios. They are the documented attack paths used against Stryker.
Build a Cyber Fusion Center
The intelligence to anticipate this attack existed before March 11
Void Manticore's TTPs, MuddyWater's pre-positioning and IRGC advisories were all public before the wiper ran. A Cyber Fusion Center fuses threat intelligence with detection operations. Unusual Intune admin sign-ins from unexpected geolocations, correlated with known threat actor patterns, could have triggered human review before execution.
🔥 How Intune Became the Weapon: Attack Timeline and Mechanism
MITRE T1072 in action: no malware, no alerts, no way to tell it from a legitimate admin action
March 9: Stryker announces SmartHospital Platform at HIMSS Global Conference in Orlando. Executives present. Connectivity is the story.
Weeks prior: MuddyWater, an MOIS affiliate, pre-positions access inside U.S. networks following Operation Epic Fury on Feb. 28, 2026. The handoff to Void Manticore/Handala follows their documented "tag-team" architecture.
March 11, early hours: Handala uses a compromised Stryker administrator account to log into Microsoft Intune. Using the platform's native "remote wipe" feature, the command is issued simultaneously to all 200,000+ enrolled devices across 79 countries. The action triggers zero endpoint detection alerts. Every security tool in the stack sees a legitimate administrative action, because it is one.
MITRE ATT&CK T1072: Software Deployment Tools. The technique requires no malware, no exploit and no lateral movement. It is direct abuse of administrative privilege over a platform that exists to manage every device in the organization. The MITRE entry has existed since 2017. The control failures that allowed it here have been understood for just as long.
Same day: Stryker files SEC Form 8-K confirming "a global disruption to the Company's Microsoft environment." Manufacturing halts across Ireland. LifeNet goes offline. The Entra ID login page is defaced with Handala's logo. The timeline from access to catastrophic disruption: hours.
🎭 Void Manticore / Handala: Know Your Adversary
Iranian MOIS, tag-team architecture, geopolitical targeting logic
Who they are: Handala, also tracked as Void Manticore by Palo Alto Networks Unit 42, is affiliated with Iran's Ministry of Intelligence and Security (MOIS). First surfaced publicly in late 2023. Prior operations targeted industrial control systems in Israel, energy companies and government ministries across the Middle East and Europe.
The tag-team model: Void Manticore rarely conducts its own initial access. According to Check Point Research, Scarred Manticore handles extended infiltration, sometimes for over a year, before handing credentials to Void Manticore for the final destructive phase. This division of labor means the attacker executing the wipe may not be the same actor who spent months building access.
Why Stryker: The targeting logic is explicit. Stryker acquired OrthoSpace, an Israeli medtech company, in 2019. Stryker holds a $450 million contract to supply medical devices to the U.S. Department of Defense. Any company with business ties to Israel or whose products support military operations is in scope for Handala's targeting criteria.
The escalation: Check Point's Sergey Shykevich described it as "the first time this Iranian-backed threat actor has disruptively targeted a major US enterprise." Handala's own statement: "only the beginning of a new chapter in the cyber war." Companies with Israeli technology partnerships, DoD contracts or dual-use industrial products should treat this as a direct targeting signal.
🚢 The NotPetya Parallel: What Maersk Teaches Us About Wiper Recovery
45,000 PCs. $300M. Saved by one offline backup in Ghana. Stryker has 4.4x as many devices.
The Maersk benchmark: In 2017, NotPetya crippled Maersk's global shipping network: 45,000 PCs, 4,000 servers, 76 ports across 130 countries. Active Directory was destroyed in minutes. Nine days to restore it. Two months to fully rebuild the network. Total cost: $250 million to $300 million.
The Ghana backup: Maersk's entire recovery was made possible by a single domain controller in Ghana that happened to be offline during a power outage when NotPetya ran. One powered-down server saved the entire organization. This was not a planned control. It was luck. OT recovery plans that rely on luck are not recovery plans.
The Stryker scale: 200,000 devices is approximately 4.4 times Maersk's affected fleet. Experts estimate months for full recovery. For OT-specific systems, the question is not just restoring endpoints but restoring configurations: PLC ladder logic, historian schemas, HMI interfaces, SCADA settings and calibration data that live nowhere near a standard corporate backup system.
The wiper vs. ransomware distinction: Ransomware leaves a theoretical path to restoration via decryption. A wiped device is a blank. There is no paying your way out of a wiper attack. Recovery depends entirely on the quality, recency and accessibility of offline backups. For most OT environments, those backups don't exist or haven't been tested.
The proxy trend: Maersk's CISO Andy Powell: "Nation state weapons are even more widespread. What's worrying is those nation state weapons, which are high end, are moving into the hands of proxies: criminal gangs acting on their behalf." Handala in 2026 is exactly this model, and the capability gap between nation-state and proxy is closing fast.
Three Shifts OT Teams Must Make
Living Off the Land Is the New Normal
No malware means no malware detection. Handala used only legitimate tools and legitimate credentials. Traditional security controls that depend on detecting malicious software will miss this class of attack entirely.
Your IT Blast Radius Is Your OT Blast Radius
Until OT endpoints are segmented out of enterprise management systems, a single compromised admin account can reach your manufacturing floor. The Mako robot survived. LifeNet didn't. The difference was isolation.
Pre-Positioned Threats Require Pre-Positioned Defenses
MuddyWater was inside U.S. networks weeks before the wiper ran. Fused threat intelligence and detection operations, not siloed tools, is the only model that can find an attacker who's already inside and waiting.
