Iranian hackers just used Stryker’s own security tools to delete itself

DataBreach.com Team · March 12th 2026, 11:26 am EDT

Shortly after midnight Eastern Time on March 11, 2026, the global IT infrastructure of medical technology giant Stryker Corporation [NYSE: SYK] began to systematically dismantle itself. The incident, which cybersecurity analysts have identified as a sophisticated wiper attack, resulted in the simultaneous factory reset of more than 200,000 company-managed devices, including a significant number of personal smartphones. From servers in Michigan to the personal devices of employees in Ireland, the digital footprint of the Fortune 500 firm vanished in a matter of hours, accompanied by the alleged theft of 50 terabytes of sensitive corporate data.

The disruption targeted Stryker’s Microsoft environment with surgical precision. Rather than relying on malware that propagates through local networks, the attackers exploited administrative access to Microsoft Intune, the company’s primary mobile device management (MDM) platform. According to Krebs on Security, a trusted source confirmed that the perpetrators used Intune to issue a legitimate remote wipe command against the entire global fleet.

The security implications of this "living off the land" technique are profound.

 
Because the wipe commands originated from a trusted administrative tool, they bypassed standard antivirus and endpoint detection and response (EDR) signatures. The attack was so thorough that staff reported that anyone with Microsoft Outlook installed on a personal phone saw that device wiped instantly, erasing personal photos and private data alongside corporate emails.

The scale of the devastation spans 79 countries. Major operational hubs, including the extensive manufacturing and R&D facilities in Cork, Ireland, and the corporate offices in Portage, Michigan, reported a total loss of workstation access. Reports from the Irish Examiner indicated that over 5,000 workers in Cork were sent home as internal systems failed, forcing employees to communicate via WhatsApp for updates. While Stryker’s stock price saw an immediate decline of over 5.3% following the disclosure, the operational toll remains critical.

Responsibility for the attack was claimed by Handala, a pro-Iranian hacktivist collective linked by researchers at Palo Alto Networks to Void Manticore, an influence persona maintained by Iran’s Ministry of Intelligence and Security. The group characterized the operation as retribution for a February 28 missile strike on a school in Minab, Iran. The New York Times recently confirmed that a U.S. Tomahawk missile was responsible for that strike. Handala’s messaging specifically highlighted Stryker’s 2019 acquisition of the Israeli firm OrthoSpace as a justification for the targeting.

In a recent regulatory filing with the Securities and Exchange Commission, Stryker confirmed that while its life-saving products like Mako and LIFEPAK remain safe for clinical use, the timeline for a full recovery of internal systems remains unknown. Investing.com noted the company has "no indication of ransomware or malware," emphasizing that the "kill switch" was triggered via legitimate administrative channels.

The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency (CISA) are treating the event as a significant escalation in state-sponsored cyber sabotage. The incident serves as a stark technical case study in the risks of centralized cloud management: when the tool used to manage every device becomes a weapon, the entire enterprise can be deleted with a single click.
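
Because wipe commands issued through the management console look legitimate to endpoint tooling, the place to catch them is the management platform's own audit trail. The following is an added example, not code from this article or from Microsoft: a Python detector that flags any admin identity running destructive actions against an unusual number of distinct devices in a short window. The record fields, action labels and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed record shape (not a real export schema): time, actor, action, device.
DESTRUCTIVE = {"wipe", "retire", "delete"}  # assumed action labels

def find_wipe_bursts(events, max_devices=3, window=timedelta(minutes=10)):
    """Alert once per actor that hits more than max_devices distinct devices
    with destructive actions inside a sliding time window."""
    hits = [(datetime.fromisoformat(e["time"]), e["actor"], e["device"])
            for e in events if e["action"] in DESTRUCTIVE]
    recent, alerted, alerts = defaultdict(deque), set(), []
    for when, actor, device in sorted(hits):
        q = recent[actor]
        q.append((when, device))
        while when - q[0][0] > window:  # drop actions older than the window
            q.popleft()
        devices = {d for _, d in q}  # repeat commands to one device count once
        if len(devices) > max_devices and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor,
                           "window_start": q[0][0].isoformat(),
                           "alert_time": when.isoformat(),
                           "devices": len(devices)})
    return alerts

# Constructed sample: routine helpdesk wipes hours apart, then one admin
# identity wiping six devices within a single minute.
SAMPLE_EVENTS = [
    {"time": "2026-01-05T09:14:00", "actor": "helpdesk@example.com",
     "action": "wipe", "device": "dev-001"},
    {"time": "2026-01-05T15:40:00", "actor": "helpdesk@example.com",
     "action": "wipe", "device": "dev-002"},
    {"time": "2026-01-06T00:02:00", "actor": "admin@example.com",
     "action": "sync", "device": "dev-100"},
] + [
    {"time": f"2026-01-06T00:03:{s:02d}", "actor": "admin@example.com",
     "action": "wipe", "device": f"dev-{100 + s}"}
    for s in range(0, 60, 10)
]

if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(alert)
```

The alert fires on the fourth distinct device, so the threshold and window should be tuned to sit just above the busiest legitimate day of device offboarding.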
