On March 11, 2026, medical technology company Stryker disclosed a cybersecurity incident after detecting a disruption affecting parts of its internal Microsoft environment. In its SEC Form 8-K filing, the company stated it activated its incident response plan and engaged external responders. At the time of disclosure, Stryker reported no evidence of ransomware or malware and said the incident appeared contained.
Subsequent reports from employees and security researchers indicated that devices across the environment were remotely wiped and login screens were defaced with the Handala logo. Investigations suggest the attackers may have abused Microsoft Intune to issue remote wipe commands to managed devices, causing factory resets on corporate laptops and mobile devices. Some personally owned phones enrolled with Intune work profiles were reportedly affected as well.
The attackers have also made claims about the scale of the incident. Through their own channels they have stated that more than 200,000 devices were impacted and that large volumes of data were exfiltrated, initially claiming 50 TB and later escalating the figure to 12 PB. These numbers remain unverified and should be treated cautiously, as threat actors frequently exaggerate impact during disruptive operations.
What is clear is that incidents of this scale require sustained activity inside an environment. Even when the initial intrusion vector is unknown, attackers typically leave observable identity and network behavior along the way.

The Threat Actor: Handala / Void Manticore
The group claiming responsibility for the incident is Handala, also tracked by some researchers as Void Manticore, an Iranian-aligned threat actor known for disruptive operations combined with propaganda messaging.
The group has previously targeted organizations with strategic or symbolic relevance, including IT providers, infrastructure operators, and companies tied to sensitive supply chains. Medical technology companies occupy a particularly sensitive position in this ecosystem because they connect healthcare providers, research environments, and manufacturing systems.
Unlike many financially motivated groups, Handala campaigns often emphasize operational disruption and psychological impact. The group frequently publishes screenshots of compromised systems, exaggerates claims of stolen data, and defaces systems with propaganda imagery such as the Handala logo. The device wipes and defaced login screens reported in the Stryker incident align with this pattern.
Operationally, the group tends to run hands-on intrusions rather than automated malware campaigns. Operators interact directly with compromised systems, moving through the environment using legitimate services and administrative tools. This approach allows activity to blend into normal operations while attackers map the environment and expand their access.
Reconstructing the Attack
The exact intrusion path used in the Stryker incident has not been publicly confirmed. The reconstruction below combines available reporting with known Handala tradecraft and includes informed assumptions based on the group’s past operations.
1. Initial access through identity compromise
MITRE ATT&CK: T1078 – Valid Accounts | T1110 – Brute Force | T1566 – Phishing
Intrusions of this type frequently begin with compromised credentials obtained through phishing, credential reuse, or compromised third-party accounts. Iranian threat groups have also targeted VPN infrastructure as an entry point.
Once attackers possess valid credentials, they can authenticate to VPN or Microsoft 365 services without triggering many traditional security controls.
Security teams often see early signals such as unusual authentication locations or login patterns inconsistent with the user’s normal behavior.
2. Privilege escalation
MITRE ATT&CK: T1098 – Account Manipulation | T1484.001 – Domain Policy Modification
After gaining access, attackers typically attempt to expand privileges so they can access additional systems and sensitive data.
In Microsoft environments this often involves modifying group memberships, assigning roles, or changing directory permissions. These operations allow the attacker to move beyond the initially compromised account and gain broader administrative capabilities.
Unusual administrative actions performed by a previously normal user account often provide the first clear indicator of compromise.
3. Reconnaissance and lateral movement
MITRE ATT&CK: T1018 – Remote System Discovery | T1087 – Account Discovery | T1021.001 – Remote Desktop Protocol | T1090 – Proxy / Tunneling
Once privileges expand, attackers begin mapping the environment.
Handala activity documented in previous incidents includes manual RDP movement between systems and the use of tunneling tools to reach internal hosts. During this stage, attackers typically enumerate accounts, systems, and network resources to identify where valuable data is stored.
Because these actions occur through legitimate administrative protocols, they can blend into normal operational traffic unless behavioral monitoring highlights the anomalies.
4. Credential theft and directory enumeration
MITRE ATT&CK: T1003.001 – LSASS Memory | T1003.002 – Registry Hive Dumping | T1087.002 – Domain Account Discovery
Threat reporting on Handala operations shows repeated use of credential harvesting techniques.
Investigators have observed the group dumping credentials from LSASS memory using comsvcs.dll via rundll32.exe, exporting registry hives, and running ADRecon scripts to enumerate Active Directory environments.
These steps allow attackers to identify privileged accounts and expand their access across the domain.
5. Automated data collection and scripting
MITRE ATT&CK: T1059 – Command and Scripting Interpreter | T1059.001 – PowerShell | T1005 – Data from Local System
Large-scale data collection rarely happens manually. Attackers typically rely on scripting tools to search for files, gather sensitive data, and stage it for transfer.
PowerShell and command-line automation are commonly used for this purpose. When scripting activity appears on systems where it has not historically been used, it often signals data collection or staging operations.
6. Data staging and exfiltration
MITRE ATT&CK: T1041 – Exfiltration Over C2 Channel | T1567 – Exfiltration to Cloud Storage
The attackers claim that large volumes of data were stolen from the environment. Even if those numbers are exaggerated, any large-scale data transfer requires staging, compression, and sustained outbound traffic.
Such activity usually produces observable anomalies in data transfer patterns, particularly when large volumes of data leave systems that do not normally generate that level of outbound traffic.
7. Destructive actions via device management
MITRE ATT&CK: T1485 – Data Destruction | T1562 – Impair Defenses
One of the most disruptive aspects of the Stryker incident appears to have been the use of device management infrastructure to wipe endpoints.
Reports suggest the attackers abused Microsoft Intune remote wipe capabilities to trigger factory resets across managed devices. This technique allows an attacker with sufficient administrative privileges to cause widespread operational disruption without deploying traditional malware.
It also complicates incident response by erasing forensic evidence on affected endpoints.

Why This Incident Matters
The Stryker incident highlights an increasingly common pattern in modern intrusions. Attackers do not necessarily rely on sophisticated exploits. Instead, they focus on identity access and administrative control planes.
Once attackers gain access to identity systems, they can:
- expand privileges
- access sensitive data
- move laterally through administrative protocols
- disrupt operations through management infrastructure
In environments built around cloud identity and centralized management platforms, control of these systems can effectively translate into control of the entire enterprise.
What Security Teams Should Watch For
Incidents like this rarely begin with destructive activity. Attackers typically spend time inside the environment expanding access and collecting information before causing disruption.
Security teams investigating similar scenarios should pay close attention to:
- authentication from unusual geographic locations
- privilege changes in identity systems
- unusual PowerShell or scripting activity
- abnormal data transfer volumes
- abnormal activity within device management platforms
The behaviors leading up to an incident often provide the best opportunity to detect and contain the intrusion before it escalates into operational disruption.
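The destructive step described above (remote wipes issued through device management) and the last item in the watch list both come down to the same question: is one account issuing far more wipe commands than normal, and against which devices? The following is an added example, not code from the original post or from Vectra; its record layout (time, actor, action, device, ownership) is a simplified assumption rather than the real Intune audit event schema, and the audit records it processes are constructed.

```python
"""Detection sketch: bursts of remote-wipe commands in device-management audit logs.
Added example; the record layout (time, actor, action, device, ownership) is an
assumed simplification, not the real Intune audit schema. Sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(time, actor, device, action="wipe", ownership="corporate"):
    """Build one constructed audit record."""
    return {"time": time, "actor": actor, "device": device,
            "action": action, "ownership": ownership}

SAMPLE_EVENTS = [
    # Routine single wipe by IT during business hours: must not alert.
    ev("2026-03-10T14:30:00Z", "it-admin@corp.example", "LT-0419"),
    # Five wipes from one account within seconds, including a personal phone.
    ev("2026-03-10T22:01:05Z", "svc-helpdesk@corp.example", "LT-0001"),
    ev("2026-03-10T22:01:07Z", "svc-helpdesk@corp.example", "LT-0002"),
    ev("2026-03-10T22:01:09Z", "svc-helpdesk@corp.example", "PH-0077", ownership="personal"),
    ev("2026-03-10T22:01:12Z", "svc-helpdesk@corp.example", "LT-0003"),
    ev("2026-03-10T22:01:14Z", "svc-helpdesk@corp.example", "LT-0004"),
    # A repeated wipe of the same device and a non-wipe action: neither adds to the count.
    ev("2026-03-10T22:01:15Z", "svc-helpdesk@corp.example", "LT-0004"),
    ev("2026-03-10T22:01:20Z", "svc-helpdesk@corp.example", "LT-0009", action="sync"),
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: peak} for actors that wiped >= threshold distinct devices
    inside one sliding time window. Tune threshold to your fleet's normal churn."""
    first_wipe = defaultdict(dict)                # actor -> {device: first wipe time}
    for e in events:
        if e["action"].lower() == "wipe":
            first_wipe[e["actor"]].setdefault(e["device"], _ts(e["time"]))
    alerts = {}
    for actor, devices in first_wipe.items():
        times = sorted(devices.values())
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:     # drop wipes older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts

def personal_device_wipes(events):
    """Wipes aimed at personally owned (work-profile) devices; each merits review,
    since a full wipe rather than a work-profile retire is unusual for BYOD."""
    return sorted({(e["actor"], e["device"]) for e in events
                   if e["action"].lower() == "wipe" and e["ownership"] == "personal"})
```

On the sample above, `wipe_bursts` flags only the service account that wiped five distinct devices in a ten-minute window, while the single daytime wipe by IT stays below threshold.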
To see how these behaviors surface in real environments and how security teams can investigate them quickly, watch a self-guided demo of the Vectra AI Platform.

