Threat Research

Identity as a Weapon: How Handala Used Global Admin Rights to Wipe Stryker

Vishal Dodke, Principal Security Researcher

On March 11, 2026, Handala, an Iran-linked threat group attributed to the Ministry of Intelligence and Security (MOIS), carried out a destructive cyberattack against global medical device company Stryker. Unlike typical ransomware incidents driven by financial gain, this “wiper” attack appears to have been politically motivated, aimed less at extortion and more at disruption.

While several details, such as scale of impact and data exfiltration, are based on attacker claims and ongoing investigations, the incident clearly represents one of the most significant identity-driven attacks seen to date.

The Core Threat: "Living-off-the-Cloud"

While many cyberattacks rely on deploying malicious code, the Handala attack took a different path. It followed a "Living-off-the-Cloud" approach, using Stryker’s own administrative capabilities against it. By compromising the identity layer, the attackers didn’t need to introduce malware; they were able to carry out large-scale deletion and wipe actions using the same native controls designed for legitimate administrative use.

This reflects a broader trend seen throughout 2025, where threat actors increasingly relied on abusing built-in infrastructure and tooling. By operating within normal systems and workflows, these “Living-off-the-Cloud" techniques can be highly effective and make malicious activity harder to distinguish from everyday operations.

1. The Breach: Identity Hijack

The attack appears to have started at the Microsoft Entra ID (Azure AD) layer. Although the exact entry point has yet to be confirmed, it likely involved techniques such as adversary-in-the-middle (AiTM) phishing, token or session theft, or the compromise of privileged credentials: methods that can bypass multi-factor authentication and provide elevated access.

Another possible scenario is that the attackers obtained administrative credentials from an underground market. If so, bad actors may have entered the environment with Global Admin–level access, significantly accelerating the attack by eliminating the need for privilege escalation and reducing the number of detectable steps before execution.

2. The Weapon: Microsoft Native Controls

With privileged access in hand, Handala moved to the management plane to execute a global "wipe" by weaponizing trusted administrative controls:

The Intune Kill-Switch (Likely Scenario):
While not officially confirmed, the scale and pattern of the disruption strongly suggest abuse of the enterprise mobile device management (MDM) platform Microsoft Intune. Using built-in capabilities such as “Remote Wipe” or “Factory Reset,” attackers could have issued commands across large numbers of managed devices simultaneously.

M365 Paralysis:
The disruption wasn't just limited to endpoints. Reports state that the incident extended to the Microsoft 365 control plane, impacting Exchange, Teams, and SharePoint, cutting off communication and access to critical business and R&D systems.

The Stealth Factor:
Because adversary actions were legitimate functions executed within trusted control planes:

  • No malware signatures were triggered
  • EDR and antivirus tools remained largely ineffective
  • Activity blended into normal administrative operations

This highlights a fundamental challenge: security systems are designed to trust identity-driven actions within the control plane, which can create blind spots when those same mechanisms are misused.

3. The Impact: Data Exfiltration & Destruction

Before executing destructive actions, the group claimed to have exfiltrated roughly 50 TB of data. While this figure has not been verified, it aligns with typical attacker behavior: exfiltrate first, destroy later. It also aligns with recent Mandiant reporting, which found that 59% of cloud-related compromises in 2025 involved evidence of data theft.

By the time wipe commands were executed, critical data may already have been compromised, while forensic evidence was simultaneously erased through device resets and system destruction.

Claims vs Confirmed Reality 

Adversarial groups like Handala often amplify or selectively present details to increase psychological impact. That makes it increasingly important to separate which claims have been independently validated from those still undergoing investigation.

  • ~200,000 devices wiped → Partially confirmed, but primarily attacker-claimed
  • ~50 TB data exfiltration → Unverified claim
  • Global admin-level compromise → Highly likely, but not officially confirmed
  • Backup systems accessed or compromised → Attacker-claimed, not independently verified

If the backup claim is accurate, it would suggest that backup infrastructure sat within the same trust boundary as production and was exposed to the same identity-driven control plane risks.

MITRE ATT&CK Mapping

MITRE Tactic         | Technique Name                  | Technique ID | Explanation
---------------------|---------------------------------|--------------|-----------------------------------------------------
Initial Access       | Phishing                        | T1566        | Likely entry vector via credential harvesting
Credential Access    | Adversary-in-the-Middle (AiTM)  | T1557        | Possible session/token interception
Credential Access    | Steal Web Session Cookie        | T1539        | Enables MFA bypass via token reuse
Persistence          | Account Manipulation            | T1098        | Modification of cloud identities
Privilege Escalation | Additional Cloud Roles          | T1098.003    | Assignment of Global Admin or equivalent roles
Lateral Movement     | Remote Services                 | T1021        | Movement across enterprise systems
Lateral Movement     | Software Deployment Tools       | T1072        | Abuse of MDM/control plane for execution
Command and Control  | Protocol Tunneling              | T1572        | Covert communication channels
Impact               | Data Destruction                | T1485        | Mass wipe of endpoints and systems

Why Traditional Security Approaches Failed

This incident underscores a limitation in traditional security models: they are designed to detect malicious code and actions, not the misuse of legitimate access. In this case, the attackers didn’t need to evade security measures; they operated within them:

  • Actions executed via legitimate cloud APIs and admin tools
  • No malicious binaries or signature-based detection
  • Activity logged as valid administrative behavior
  • Detection signals buried in audit logs rather than real-time alerts
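The last bullet above, and "The Stealth Factor" earlier, make the same point: the evidence exists, but it sits in audit logs as ordinary-looking administrative events. The following Python is an added example (not code from the original article, and not tied to any vendor product) of what a hunt over exported audit records can look like. It flags two of the patterns this incident would leave behind: a privileged directory role being granted (T1098.003) and one identity issuing a burst of destructive device actions through the MDM plane (T1485 via T1072). The event fields, role and action names, and every sample record are constructed assumptions loosely modelled on Entra ID and Intune audit entries, not Microsoft's exact schema.

```python
"""Hunting control-plane abuse in exported audit records.

Added example, not code from the original article. The event shape below is a
simplified assumption loosely modelled on Entra ID audit log and Intune device
action entries; it is not Microsoft's exact schema. Sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Roles whose assignment should always page a human (assumed list).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator", "Intune Administrator"}

# Destructive device actions an MDM admin can issue (assumed names, modelled on Intune actions).
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}


def parse_time(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the constructed sample."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def _event(time, actor, activity, target, device=None):
    return {"time": time, "actor": actor, "activity": activity, "target": target, "device": device}


def build_sample_events():
    """Constructed sample: one role grant, a burst of 25 wipes, one routine wipe."""
    attacker = "svc-helpdesk@corp.example"  # assumed compromised account
    events = [_event("2026-03-11T01:02:10Z", attacker, "Add member to role", "Global Administrator")]
    burst_start = parse_time("2026-03-11T01:05:00Z")
    for i in range(25):
        t = (burst_start + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        events.append(_event(t, attacker, "wipe", "ManagedDevice", f"LAPTOP-{i:04d}"))
    # A single lost-device wipe by a real admin hours later: expected, not an alert.
    events.append(_event("2026-03-11T09:00:00Z", "it-admin@corp.example", "wipe", "ManagedDevice", "LAPTOP-LOST-7"))
    return events


def find_privileged_role_grants(events, roles=PRIVILEGED_ROLES):
    """Flag every assignment of a privileged directory role (T1098.003)."""
    return [
        {"type": "privileged_role_grant", "time": e["time"], "actor": e["actor"], "role": e["target"]}
        for e in events
        if e["activity"] == "Add member to role" and e["target"] in roles
    ]


def find_mass_device_actions(events, window=timedelta(minutes=10), threshold=10, actions=DESTRUCTIVE_ACTIONS):
    """Flag any actor issuing >= threshold destructive device actions inside one sliding window.

    A single wipe is routine helpdesk work; dozens from one identity in minutes is
    the pattern a management-plane wipe (T1485 via T1072) leaves in the audit log.
    """
    per_actor = defaultdict(list)
    for e in events:
        if e["activity"].lower() in actions:
            per_actor[e["actor"]].append(parse_time(e["time"]))

    alerts = []
    for actor, times in per_actor.items():
        times.sort()
        start, best = 0, (0, None, None)
        for end, t in enumerate(times):  # two-pointer sliding window over sorted times
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, times[start], t)
        if best[0] >= threshold:
            alerts.append({"type": "mass_device_action", "actor": actor, "count": best[0],
                           "window_start": best[1].isoformat(), "window_end": best[2].isoformat()})
    return alerts


def hunt(events):
    """Run both detections and return the combined alert list."""
    return find_privileged_role_grants(events) + find_mass_device_actions(events)


if __name__ == "__main__":
    for alert in hunt(build_sample_events()):
        print(alert)
```

The threshold and window are tuning knobs, not constants: set them from a baseline of how many device actions your own helpdesk legitimately issues per identity per hour, and treat any privileged role grant as a zero-threshold alert regardless of who performed it.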

Recovery & Remediation

Recovering from an identity-driven attack is less about removing malware and more about re-establishing trust across systems and access layers. In a case like this, that would likely require:

  • Resetting trust in identity: Revoking sessions, securing privileged accounts, and rebuilding access in Microsoft Entra ID
  • Regaining control of the management plane: Auditing and locking down tools like Microsoft Intune
  • Restoring from clean backups: Recovering data and systems from immutable, isolated copies outside the compromised environment
  • Re-establishing secure access: Re-enrolling devices, rotating credentials, and enforcing strong access controls

Building Resilience Against Identity-Driven Attacks

As adversaries evolve and the prevalence of identity-based attacks increases, industry best practices offer organizations a proactive strategy to minimize the blast radius and drive effective recoverability:

  • Enforce Immutability and Policy Control: Ensure backups are immutable and cannot be modified, deleted, or tampered with, including by privileged accounts. Apply strict policy controls with separation of duties and governed change management to reduce the risk of unauthorized changes, destructive actions, or abuse of administrative access.

  • Maintain Backups in a Separate Trust Boundary: Logically isolate backup infrastructure from production and identity environments. Keeping backups in a separate security domain limits the ability of compromised credentials to access critical backup systems or recoverable data.

  • Continuously Monitor for Threats: Go beyond infrastructure and identity logs by monitoring for unusual behaviors that may indicate misuse of legitimate credentials. The ability to search, scan, and analyze backup data for indicators of compromise (IOCs) can help identify when data was affected and the scope of impact before initiating recovery. 

  • Isolate and Validate Before Recovery: Prioritize restoring a known-good state, not just the most recent state. Before recovering systems, validate that backup data is free from compromise, quarantine suspicious data sets, and ensure that only clean, verified, and trustworthy data is used for recovery to avoid reinfection or persistence.
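The "Enforce Immutability" and "Isolate and Validate Before Recovery" points above come down to one decision at restore time: which copy do you trust? The Python below is an added example, not the article's or any vendor's code, of encoding that decision. It walks a snapshot catalogue newest-first and rejects anything captured after the earliest attacker activity, anything that was not immutability-locked (and so could have been altered by the same compromised admin), and anything whose content no longer matches the digest recorded in a separate manifest at capture time. The catalogue, digests, compromise timestamp and field names are all constructed for illustration.

```python
"""Choosing a known-good restore point rather than the most recent backup.

Added example, not the article's or any vendor's code. The snapshot catalogue,
digests and compromise time are constructed; field names are assumptions.
"""
import hashlib
from datetime import datetime


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Earliest attacker activity seen in the audit trail (constructed). Anchor this on
# the first suspicious sign-in or role grant, not on the first wipe.
COMPROMISE_START = "2026-03-11T01:02:10Z"

# Constructed catalogue. 'recorded_sha256' is the digest written to a separate,
# append-only manifest at capture time; 'data' is what the backup store returns now.
_GOOD_0308 = b"tenant-config v41\nintune-policies.json\nusers.csv\n"
_GOOD_0309 = b"tenant-config v42\nintune-policies.json\nusers.csv\n"
SNAPSHOTS = [
    {"id": "snap-0308", "captured": "2026-03-08T02:00:00Z", "immutable": True,
     "recorded_sha256": sha256_hex(_GOOD_0308), "data": _GOOD_0308},
    {"id": "snap-0309", "captured": "2026-03-09T02:00:00Z", "immutable": True,
     "recorded_sha256": sha256_hex(_GOOD_0309), "data": _GOOD_0309 + b"tampered\n"},  # digest will not match
    {"id": "snap-0310", "captured": "2026-03-10T02:00:00Z", "immutable": False,
     "recorded_sha256": sha256_hex(b"v43"), "data": b"v43"},  # intact, but editable by a compromised admin
    {"id": "snap-0311", "captured": "2026-03-11T02:00:00Z", "immutable": True,
     "recorded_sha256": sha256_hex(b"v44"), "data": b"v44"},  # captured after the attacker was inside
]


def check_snapshot(snap, compromise_start, require_immutable=True):
    """Return None if the snapshot is acceptable, else the reason it is rejected."""
    if parse_time(snap["captured"]) >= parse_time(compromise_start):
        return "captured after compromise start"
    if require_immutable and not snap["immutable"]:
        return "not immutability-locked"
    if sha256_hex(snap["data"]) != snap["recorded_sha256"]:
        return "digest mismatch"
    return None


def select_restore_point(snapshots, compromise_start, require_immutable=True):
    """Newest snapshot that predates the compromise, was locked, and verifies against its manifest.

    Returns (chosen_snapshot_or_None, {snapshot_id: rejection_reason}).
    """
    rejected = {}
    for snap in sorted(snapshots, key=lambda s: parse_time(s["captured"]), reverse=True):
        reason = check_snapshot(snap, compromise_start, require_immutable)
        if reason is None:
            return snap, rejected
        rejected[snap["id"]] = reason
    return None, rejected


if __name__ == "__main__":
    chosen, rejected = select_restore_point(SNAPSHOTS, COMPROMISE_START)
    print("restore from:", chosen["id"] if chosen else "nothing acceptable")
    for snap_id, why in rejected.items():
        print(f"  skipped {snap_id}: {why}")
```

The ordering of the checks matters: the compromise-time cut is applied first because a pristine, locked snapshot taken after the attacker gained Global Admin may still faithfully preserve their persistence. Relaxing `require_immutable` is a conscious policy decision that should be logged, since it accepts copies the compromised identity could have reached.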

In Summary: Cyber Resilience Starts with Identity

The Stryker attack is a stark reminder: identity is now a primary attack vector. With an estimated 65% of intrusions starting at the identity layer and 90% of breaches involving compromised credentials, bad actors are increasingly bypassing traditional defenses altogether: not by breaking in, but by logging in.

In a "Living-off-the-Cloud" scenario, perimeter defenses and firewalls offer little resistance. When identity is abused, and trusted native tools are weaponized against the organization, resilience must go beyond prevention. It depends on:

  • Strong identity governance (PIM, least privilege, conditional access)
  • Behavioral monitoring of control plane activity
  • And critically, a recovery strategy that sits outside the blast radius

Security controls can be bypassed, but the ability to recover through independent, immutable, and isolated systems remains a critical last line of defense.

Appendix: Technical Summary

Date: 11 March 2026

Threat actor: Handala (linked to Iran’s Ministry of Intelligence)

Attack type: Destructive wiper attack + cloud admin takeover

Primary target: Stryker’s Microsoft enterprise environment

Impact (based on reports and attacker claims):

  • ~200,000 endpoints wiped (servers, laptops, mobile devices)
  • ~50 TB of data allegedly exfiltrated (unverified)
  • 79 countries impacted
  • Manufacturing, shipping, and internal systems disrupted

Unlike ransomware, the attackers did not request payment. This differs from the 30% of global investigations where Mandiant observed monetization techniques. The operation appears aligned with geopolitical objectives, focused on disruption, signaling, and psychological impact rather than financial gain.

Sources and References

  1. https://cloud.google.com/security/resources/m-trends 
  2. https://securityaffairs.com/189304/hacktivism/pro-palestinian-hacktivist-group-handala-targets-stryker-in-global-disruption.html
  3. https://techcrunch.com/2026/03/11/stryker-hack-pro-iran-hacktivist-group-handala-says-it-is-behind-attack
  4. https://therecord.media/stryker-cyberattack-iran-hackers
  5. https://www.bleepingcomputer.com/news/security/medtech-giant-stryker-offline-after-iran-linked-wiper-malware-attack
  6. https://www.itnews.com.au/news/us-medical-device-maker-strykers-microsoft-environment-attacked-624212
  7. https://www.paloaltonetworks.com/resources/research/unit-42-incident-response-report
