On March 1, I wrote that the U.S. strikes on Iran put every American enterprise on the battlefield. On March 3, I warned that healthcare was the sector most exposed to Iranian proxy groups because hospitals can't simply go offline. On March 6, Symantec confirmed that Iranian intelligence was already pre-positioned inside a U.S. bank before the strikes even began.
Those were warnings. Stryker is what happens when the warnings are ignored.
On March 11, the Iran-backed hacking group Handala claimed responsibility for a wiper attack on Stryker Corporation, the $25 billion medical device manufacturer that supplies virtually every hospital in the United States. Over 200,000 systems, servers, and mobile devices were wiped across 79 countries. 5,000 workers were sent home from Stryker's Cork, Ireland facility alone. Stryker's headquarters voicemail stated simply: "We are currently experiencing a building emergency."
Then Stryker released the most dangerous sentence in the entire incident response: "We have no indication of ransomware or malware."
They meant it as reassurance. It was the opposite.
No Ransomware Is Worse Than Ransomware
Here's what actually happened. Handala didn't deploy malware to Stryker's network. According to Krebs on Security, the attackers compromised Stryker's Microsoft Intune console, the cloud-based device management platform the company uses to manage endpoints across its global infrastructure, and issued remote wipe commands against connected devices.
Read that again. The attackers used Stryker's own management tools to destroy Stryker's own systems.
No custom malware. No zero-day exploit. No ransomware payload. They hijacked the administrative console that Stryker's IT team uses every day to manage 200,000+ devices, and they told it to erase everything. Microsoft Outlook was wiped from employees' personal phones. Login pages were defaced with the Handala logo. The company's Microsoft environment was gutted from the inside out.
This is technically not a malware attack. It is also technically catastrophic.
When ransomware encrypts your systems, you have options. You can negotiate. You can pay. You can restore from backups while the decryption discussion happens. The data still exists somewhere, locked behind a key. A wiper attack using your own device management tools offers none of those options. There is no key. There is no negotiation. The data is gone. This is the most extreme version of the exfiltration-over-encryption pivot that's been reshaping the threat landscape: attackers who skip encryption entirely and go straight to destruction.
Stryker's "no ransomware" statement was accurate. It was also the clearest signal that this attack was more destructive, not less, than a typical ransomware incident.
The Blueprint Every CISO Should Lose Sleep Over
The Intune vector is the detail that should change how every enterprise thinks about their management plane.
Microsoft Intune, Jamf, VMware Workspace ONE, Google Endpoint Management: these platforms exist to give IT administrators centralized control over thousands of devices. They can push software updates, enforce security policies, and yes, remotely wipe devices. That capability is a feature. It's designed for when a laptop is stolen or an employee leaves the company.
It's also, apparently, a loaded weapon.
If an attacker compromises the administrative credentials for your MDM platform, they don't need to develop malware. They don't need to exploit vulnerabilities in individual endpoints. They don't need to move laterally through your network, device by device. They press one button and every managed device obeys the command it was designed to obey.
Palo Alto Networks Unit 42 described the current pattern of Iranian cyber operations as "opportunistic and 'quick and dirty,' with a noticeable focus on supply-chain footholds." The Intune vector fits that description perfectly. Why spend months developing custom malware when you can compromise a single administrative console and leverage the target's own infrastructure to execute the attack?
Every organization that uses centralized device management, which is every enterprise of meaningful size, needs to treat MDM admin access as the single highest-value credential in the environment. Not email admin. Not domain admin. The MDM admin, because that's the one credential that can brick every device in your fleet with a single command. It's the same identity centralization problem that ShinyHunters exploited with SSO: one compromised identity, total organizational impact.
Paramedics in Maryland Lost Their Cardiac Alert System
While the cybersecurity industry dissected attack vectors, something far more urgent was happening on the ground.
Stryker's LifeNet system, which allows paramedics to transmit electrocardiogram readings to emergency physicians while en route to the hospital, went non-functional across most of Maryland. Timothy Chizmar, State EMS Medical Director for the Maryland Institute for Emergency Medical Services Systems, confirmed the outage. Some hospitals temporarily suspended their connection to Stryker systems as a precaution.
This is the scenario I described on March 3 when I wrote that hospitals can't "go dark" the way a bank can. LifeNet exists because time kills in cardiac emergencies. When a paramedic identifies a potential STEMI (ST-elevation myocardial infarction) in the field and transmits the EKG ahead of arrival, the receiving hospital activates the catheterization lab before the ambulance pulls up. That process saves minutes. In cardiac care, minutes are the difference between full recovery and permanent heart damage. Or death.
When LifeNet goes down, paramedics can still recognize a heart attack. But the hospital doesn't get the advance warning. The cath lab isn't pre-activated. The patient arrives cold, and the clock starts from zero.
No one has yet reported whether any patients experienced adverse outcomes from the LifeNet outage. That's the question every reporter should be asking. Nobody is.
At least one university medical system was unable to order surgical supplies from Stryker during the outage. As one anonymous healthcare professional told Krebs on Security: "This is a real-world supply chain attack. Pretty much every hospital in the U.S. that performs surgeries uses their supplies."
Handala Isn't a Hacktivist Group. It's a State Intelligence Operation.
The coverage of this attack has largely framed Handala as a "pro-Iran hacktivist group" retaliating for the Minab school strike that killed over 175 people. Handala's own messaging reinforces this framing, calling Stryker a "Zionist-rooted corporation" and referencing the company's 2019 acquisition of Israeli medical technology firm OrthoSpace.
That narrative is operationally useful for Iran. It's also misleading.
Palo Alto Networks Unit 42 assesses Handala as a persona of Void Manticore, an actor affiliated with Iran's Ministry of Intelligence and Security. Microsoft tracks the same entity as Storm-0842. CrowdStrike calls them BANISHED KITTEN. This isn't a loosely organized group of ideologically motivated activists. This is a state intelligence operation using hacktivist branding for deniability.
The distinction matters. When a hacktivist group attacks a corporation, the policy response is law enforcement. When a state intelligence service destroys 200,000 systems belonging to a company that holds U.S. military contracts and reaches 150 million patients annually, the policy response should be proportional to the actor, not the branding.
And the timing reveals something Unit 42 flagged that deserves more attention: with Iran's internet at 1-4% capacity, cells operating outside Iran may be functioning with "tactical autonomy." Decentralized operations without centralized oversight. In my time in EOD, decentralized cells with tactical autonomy were always more dangerous than centrally commanded units, because nobody was reviewing their target lists.
The Questions Nobody Is Asking
Handala claims to have exfiltrated 50 terabytes of data from Stryker before the wipe. That claim deserves scrutiny, but also concern.
Stryker holds contracts with multiple U.S. armed forces branches. If the exfiltrated data includes information about military healthcare supply chains, equipment configurations for military hospitals, or personnel medical records, this isn't just a corporate breach. It's a defense intelligence compromise.
This attack also landed days after the White House released "President Trump's Cyber Strategy for America." The strategy document was meant to signal strength. Stryker's smoking servers signal something else entirely.
Healthcare breaches have been accelerating independently of the Iran conflict. Health-ISAC reported a 55% surge in healthcare cyber incidents in 2025, with 8,903 incidents logged. 605 breaches affected 44.3 million Americans last year. The average cost of a healthcare breach reached $9.8 million in 2024 and is projected to exceed $12 million by end of 2026.
Iran didn't create the healthcare cybersecurity crisis. But state-backed wiper operations against the industry's largest device manufacturers represent a qualitative escalation that the existing statistics don't capture. There's a difference between criminal ransomware gangs seeking payment and an intelligence service seeking destruction.
The Series Prediction Scorecard
When I started writing about the Iran cyber threat on March 1, the conventional wisdom was that Iran's degraded internet meant degraded cyber capability. Three posts and eleven days later, here's where the predictions stand.
March 1: "Your enterprise is now on the battlefield." Confirmed. Stryker, a $25B enterprise, had 200,000 systems destroyed.
March 3: "Healthcare can't go dark." Confirmed. LifeNet went down. Hospitals disconnected from Stryker. Surgical supply chains were disrupted.
March 3: "Wiper malware disguised as ransomware." Exceeded. They didn't even need malware. They used Stryker's own management console.
March 3: "Supply chain compromise through third-party vendors." Confirmed. Stryker IS the supply chain. Every hospital using Stryker products was affected downstream.
March 3: "Proxy groups operate independently of Iranian domestic infrastructure." Confirmed. Handala executed the attack while Iran's internet sat at 1-4%.
March 6: "The five networks Symantec found are almost certainly not the only ones." Increasingly obvious. If Void Manticore had access to Stryker's Intune console, the reconnaissance phase was extensive and likely touched other targets.
I don't say this to claim prescience. The threat intelligence was publicly available. Unit 42, CrowdStrike, Health-ISAC, and CISA all published warnings. The information was there. The problem was never a lack of intelligence. It was a lack of action.
What Needs to Change
Lock down your device management platform. Treat MDM admin credentials with the same rigor you apply to domain controllers. Require hardware-based MFA for all administrative access. Monitor for anomalous wipe commands. Set alerts for bulk operations that exceed normal thresholds. If someone tries to wipe 200,000 devices at once, that should trigger an automatic lockout, not compliance.
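As an added illustration (not code from the post, from Stryker, or from Microsoft), here is the shape of the "bulk wipe" detection the paragraph above calls for, run over a handful of constructed MDM audit events. The event field names, the `it.admin@corp.example` and `contractor@corp.example` identities, the threshold and the window are all assumptions chosen for the example; they are not a real Intune audit schema. The logic is generic: a per-actor sliding window over destructive actions, plus an allowlist check so that a wipe from an identity that should never be issuing wipes is flagged on the first event.

```python
"""Detect bulk or unapproved remote-wipe activity in MDM audit events.

Added example, not the post's or any vendor's code. The event schema below is
constructed for illustration and does not match a real Intune audit log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Destructive device-management actions worth alerting on. Names are assumed.
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "Delete"}

# Constructed sample audit events. The first two are routine admin activity;
# the burst starting 2026-03-11T02:00 is the pattern a hijacked console
# produces; the last event is a wipe from an identity not on the allowlist.
SAMPLE_EVENTS = [
    {"timestamp": "2026-03-10T10:15:00", "actor": "it.admin@corp.example", "action": "Wipe", "device": "dev-001"},
    {"timestamp": "2026-03-10T10:16:00", "actor": "it.admin@corp.example", "action": "Sync", "device": "dev-002"},
    {"timestamp": "2026-03-11T02:00:00", "actor": "it.admin@corp.example", "action": "Wipe", "device": "dev-100"},
    {"timestamp": "2026-03-11T02:00:20", "actor": "it.admin@corp.example", "action": "Wipe", "device": "dev-101"},
    {"timestamp": "2026-03-11T02:00:40", "actor": "it.admin@corp.example", "action": "Wipe", "device": "dev-102"},
    {"timestamp": "2026-03-11T02:01:00", "actor": "it.admin@corp.example", "action": "Wipe", "device": "dev-103"},
    {"timestamp": "2026-03-11T02:01:20", "actor": "it.admin@corp.example", "action": "Wipe", "device": "dev-104"},
    {"timestamp": "2026-03-11T02:01:40", "actor": "it.admin@corp.example", "action": "Wipe", "device": "dev-105"},
    {"timestamp": "2026-03-11T03:00:00", "actor": "contractor@corp.example", "action": "Wipe", "device": "dev-200"},
]


def detect_wipe_abuse(events, threshold=5, window=timedelta(minutes=10), approved_actors=frozenset()):
    """Return a list of alerts for destructive-action abuse.

    - "bulk_wipe": one actor issued >= `threshold` destructive actions within
      `window` (sliding, per actor). Raised once per actor per run.
    - "unapproved_actor": a destructive action from an identity not in
      `approved_actors` (skipped when no allowlist is supplied).
    """
    alerts = []
    recent = defaultdict(deque)  # actor -> timestamps of recent destructive actions
    already_flagged = set()

    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue  # syncs, policy pushes, etc. are not in scope here
        actor = ev["actor"]
        ts = datetime.fromisoformat(ev["timestamp"])

        if approved_actors and actor not in approved_actors:
            alerts.append({"kind": "unapproved_actor", "actor": actor,
                           "time": ts, "device": ev["device"]})

        q = recent[actor]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop actions that fell out of the window
        if len(q) >= threshold and actor not in already_flagged:
            alerts.append({"kind": "bulk_wipe", "actor": actor,
                           "window_start": q[0], "count": len(q)})
            already_flagged.add(actor)
    return alerts


def should_lock_out(alerts):
    """Policy hook: a bulk-wipe burst suspends the issuing identity and
    pauses further wipe commands for review, rather than letting them run."""
    return any(a["kind"] == "bulk_wipe" for a in alerts)


if __name__ == "__main__":
    found = detect_wipe_abuse(SAMPLE_EVENTS, approved_actors={"it.admin@corp.example"})
    for a in found:
        print(a)
    print("lock out:", should_lock_out(found))
```

Two design points matter in practice. The threshold has to be tuned against the organization's real baseline (a lifecycle-refresh day legitimately retires many devices, so the rule should key on who, when and how fast, not on count alone), and the response on a hit has to be automatic and fail-closed: pausing the console's ability to issue further wipes buys the minutes that matter, while a ticket in a queue does not.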
Audit your "trusted tools." The Stryker attack inverts the traditional threat model. The weapon wasn't malware that needed to be detected; it was a legitimate platform doing exactly what it was designed to do. Your security stack is built to detect anomalous behavior. It's not built to detect your own management tools being used as intended by the wrong person. That gap needs to close.
Prepare for wiper scenarios, not just ransomware. Most incident response plans assume data recovery is possible. Wiper attacks, especially those executed through legitimate management channels, may leave nothing to recover. Your DR plan needs a "total loss" scenario: what happens when every managed device is simultaneously bricked? If the answer is "we don't know," you have your weekend project.
Segment patient-critical systems. LifeNet, EHR integrations, medication dispensing, patient monitoring: these systems cannot share failure domains with general IT infrastructure. The fact that a wipe of Stryker's Microsoft environment took down an EKG transmission system used by paramedics points to insufficient isolation between enterprise IT and clinical operations.
The CISA/FBI advisory warned months ago that Iranian actors were targeting healthcare using brute force and MFA push bombing. The HIPAA Security Rule overhaul mandated controls that would have mitigated this exact attack vector. The intelligence was there. The regulations were there. The attack happened anyway.
On March 1, I said the strikes didn't destroy Iran's proxy networks. On March 3, I said those networks were pointed at American hospitals. On March 6, I said Iranian intelligence was already inside.
On March 11, Stryker proved all of it. Not with sophisticated malware or novel exploits, but by having its own tools turned against it. The most destructive cyberattack in the Iran series didn't require a single line of malicious code.
That's the part that should keep you up tonight.