Major Cyber Incident Impacting Stryker Corporation Claimed by Handala Threat Group
The Health-ISAC has released an advisory on the Iranian attacks against Stryker Corporation claimed by the Handala Group.
The attack appears to be isolated. Early reports suggested wiper malware was involved, but the company has reported no evidence of malware or ransomware. It is more likely that the adversary gained access to the organization's Microsoft Intune and Entra systems and was able to remotely wipe thousands of devices.
You can find the H-ISAC's TLP:GREEN report by using the download button above.
--
Unvetted technical narratives from community sources suggest:
- Initial Access:
  - Suspected compromise of a Global Administrator account, potentially via:
    - Phishing leading to credential harvesting, or
    - Compromise of credentials reused or obtained from another source.
- Privilege Abuse:
  - Once authenticated as a Global Admin, the threat actor allegedly gained control over:
    - Microsoft Intune (endpoint management)
    - Microsoft Entra / Azure AD (identity & access management)
- Impact:
  - The attacker issued global wipe commands to thousands of Intune-managed devices worldwide.
    - Factory resets of Intune-managed corporate laptops and workstations
    - Factory resets of personal/BYOD phones where employees used Intune Work Profiles
    - Permanent loss of personal content on BYOD devices (photos, data, and eSIM details) for many employees
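The wipe activity described above leaves a trail in the Intune audit log. As an added example (not part of the H-ISAC advisory, and not Stryker's or Microsoft's code), the following detection logic runs over audit events in the shape returned by Microsoft Graph `deviceManagement/auditEvents` and flags any single account that issues a burst of wipe or retire actions within a short window. The field names follow the Graph auditEvent schema as an assumption; the `activityType` string used for a wipe and every sample value (accounts, device names, timestamps) are constructed for illustration.

```python
"""Flag bursts of Intune wipe/retire actions by a single actor.

Input records are constructed to mimic Microsoft Graph
deviceManagement/auditEvents output (field names are an assumption
based on the auditEvent schema; all values are invented).
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _event(ts, activity, upn, device, result="Success"):
    """Build one constructed audit event in the shape of a Graph auditEvent."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "activityOperationType": "Action",
        "activityResult": result,
        "actor": {"userPrincipalName": upn},
        "resources": [{"displayName": device}],
    }


# Constructed sample: a routine policy edit, one helpdesk wipe of a single
# device, then seven wipes from one account in roughly thirty seconds.
SAMPLE_EVENTS = [
    _event("2026-03-14T08:40:00Z", "Patch DeviceConfiguration", "itops@example.invalid", "Baseline policy"),
    _event("2026-03-14T08:55:10Z", "wipe ManagedDevice", "helpdesk@example.invalid", "LAPTOP-0042"),
] + [
    _event(f"2026-03-14T09:00:{sec:02d}Z", "wipe ManagedDevice", "globaladmin@example.invalid", f"LAPTOP-{n:04d}")
    for n, sec in enumerate((2, 5, 9, 14, 20, 27, 33), start=1)
]

# Substrings that mark a destructive device action in activityType (assumption).
WIPE_ACTIVITIES = ("wipe", "retire")


def parse_time(ts: str) -> datetime:
    # Graph returns ISO 8601 with a trailing Z; the replace keeps
    # fromisoformat() working on interpreters older than 3.11.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_wipe(event: dict) -> bool:
    activity = event.get("activityType", "").lower()
    return any(word in activity for word in WIPE_ACTIVITIES)


def detect_bulk_wipes(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor who issued >= threshold wipe/retire actions
    inside any span of length `window`. Each alert reports the densest span."""
    per_actor = defaultdict(list)
    for e in events:
        if is_wipe(e):
            resources = e.get("resources") or []
            device = resources[0]["displayName"] if resources else "<unknown>"
            per_actor[e["actor"]["userPrincipalName"]].append((parse_time(e["activityDateTime"]), device))

    alerts = []
    for actor, actions in per_actor.items():
        actions.sort()
        best = None
        start = 0
        # Sliding window over the actor's sorted actions.
        for end in range(len(actions)):
            while actions[end][0] - actions[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "actor": actor,
                    "count": count,
                    "window_start": actions[start][0].isoformat(),
                    "window_end": actions[end][0].isoformat(),
                    "devices": [d for _, d in actions[start:end + 1]],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_wipes(SAMPLE_EVENTS):
        print(f"ALERT: {alert['actor']} issued {alert['count']} wipe/retire actions "
              f"between {alert['window_start']} and {alert['window_end']}: {alert['devices']}")
```

The threshold and window should be tuned to the tenant's normal wipe rate (a helpdesk retiring a handful of devices a day should not fire), and the alert is most useful when paired with a conditional-access or PIM control that makes bulk wipe rights require just-in-time activation rather than standing Global Administrator membership.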
- Microsoft Entra:
  - Handala allegedly defaced the Microsoft Entra login page with their artwork/logo.
  - This defacement reportedly locked out cloud tenant users, preventing sign-in to Microsoft 365 and other Entra-integrated apps.
  - Threat actor emails to Stryker executives allegedly include:
    - Claims of responsibility
    - Handala branding / imagery