    Detection Engineering

    Iran-Linked Handala Wipes 56,000-Employee Medical Device Giant. Here's the Detection Pack.

    James McMurry · March 12, 2026 · 8 min read

    On the night of March 11, 2026, a Fortune 500 company with 56,000 employees across 61 countries went dark. Not ransomware. Not a data breach in the traditional sense. A wiper. And the delivery mechanism was not custom malware dropped on endpoints. It was the company's own IT management platform.

    That is what makes the Stryker Corporation attack different. And that is why we built a detection pack for it today.

    What Happened

    Handala, a pro-Palestinian hacktivist group assessed by Palo Alto Unit 42 as a persona operated by Iran's Ministry of Intelligence and Security (MOIS), executed a mass data destruction operation against Stryker Corporation starting just after midnight EDT on March 11. Stryker manufactures orthopedic implants, robotic surgery systems, and hospital equipment. It has approximately $25 billion in annual revenue and DoD/VA contracts.

    The attackers compromised Stryker's Microsoft Entra ID environment and obtained Global Administrator credentials. From there they issued bulk remote wipe commands through Microsoft Intune, the company's cloud-based mobile device management platform. Intune is designed to let IT teams manage and, when necessary, remotely wipe devices. The attackers turned that capability into the weapon itself.

    The wipe hit corporate laptops, servers, and personal devices that employees had enrolled in Intune for BYOD access to corporate email and Teams. Employees in Australia reported losing all personal data. Login screens were replaced with the Handala logo. Emails were sent directly to executives claiming ownership of the attack. Stryker sent more than 5,000 employees home from its Cork, Ireland headquarters and filed an 8-K with the SEC confirming a global disruption to its entire Microsoft environment.

    The group also claimed 50 terabytes of data exfiltrated prior to the wipe. Based on any realistic transfer rate, that exfil was happening for days or weeks before the destructive payload triggered. The wipe was the finale, not the operation itself.

    Why This Attack Is a Category Shift

    This is not a sophisticated zero-day campaign. There is no novel malware to reverse engineer here. That is the point.

    The Intune wipe technique is a living-off-the-land attack against the cloud management plane. The attacker needed two things: valid Global Admin credentials and network access to the Intune admin console. Once they had those, every enrolled device in the organization was reachable with a single API call. No lateral movement through the network. No EDR to bypass. No payload to detonate.

    This attack pattern scales without any additional attacker effort. The same technique that wiped a 56,000-person company works equally well against a 500-person company. The blast radius scales with enrollment scope, not with attacker sophistication.

    There is a second evasion layer that most defenders are not accounting for: Starlink. Check Point Research confirmed in January 2026 that Handala campaigns during Iran's internet blackout originated from SpaceX Starlink IP ranges (AS14593). Starlink terminals are illegal in Iran but are widely smuggled in. An operator in Tehran with a black-market dish shows up in your logs as a US-based SpaceX IP. Geographic blocking and country-code-based detection rules do not touch this.

    We do not have confirmed source IPs from the Stryker attack. We do not know whether Starlink was used in this specific operation. But based on the January reporting, it is a known part of Handala's operational infrastructure, and the detection logic stands on its own merits regardless of attribution: privileged cloud admin authentication originating from Starlink ASN space is anomalous in virtually every enterprise environment. Legitimate Global Admins do not authenticate from satellite internet terminals. If that shows up in your sign-in logs, it warrants investigation whether the actor is Iranian, criminal, or otherwise.

    The Geopolitical Context

    This attack did not come out of nowhere. The U.S. and Israel launched military strikes against Iran on February 28, 2026. Eleven days later, Handala executed the Stryker operation and cited the U.S. Tomahawk missile strike on a school in Minab, Iran that killed approximately 170 people as the direct trigger.

    Stryker was selected deliberately. The company acquired Israeli medical technology company OrthoSpace in 2019 and holds significant DoD and VA contracts. Iran's IRGC has publicly stated that U.S. companies with Israeli ties and military contracts are valid targets for both physical and cyber operations.

    This is not background noise. It is the opening move of a sustained campaign. Handala also claimed a simultaneous breach of Verifone, an Israeli-origin payment systems provider, on the same day. The IRGC has separately declared Amazon AWS, Google, Microsoft, IBM, Nvidia, Oracle, and Palantir as targets.

    Every organization with Israeli business ties, federal contracts, or cloud-managed endpoints needs to be hunting in its MDM audit logs right now.

    The Detection Pack

    We built a set of Sigma rules this morning that cover the full Handala attack chain mapped to MITRE ATT&CK. The pack includes:

    10 Sigma rules covering:

    • Mass remote wipe commands via Intune (T1485, T1072) — fires on 5+ wipes in a 15-minute window
    • Privileged Entra ID authentication from Starlink AS14593 (T1078.004) — ASN-level, not geo-based
    • Privileged Entra ID authentication from Iranian ASN space with the 15 major Iranian provider ASNs
    • Intune admin console access outside business hours (T1072) — Stryker hit at midnight EDT
    • Entra ID login page defacement and branding modification (T1491)
    • High-volume M365 data exfiltration prior to wipe (T1005, T1567)
    • Unexpected Global Admin role assignment (T1098.003)
    • Bulk Intune compliance policy modification as a pre-wipe gate-clearing step
    • Executive-targeted emails claiming attack ownership (psyop delivery vector)
    • Composite Starlink-to-cloud-admin-plane detection combining the highest-fidelity indicators into a single critical-tier rule

    KQL hunting queries for Microsoft Sentinel covering Intune wipe volume spikes, AS14593 sign-in analysis, admin role grants, and Iranian ASN authentication.

    OpenSearch/Elasticsearch queries for organizations running OpenSearch-based SIEM infrastructure.

    The rules are production-ready with false positive guidance, field mappings, and inline tuning notes. You will need to populate your own admin account allowlists and adjust the off-hours UTC window to match your timezone before deploying to production.

    What to Do Right Now

    If you are running Microsoft Intune and Entra ID, these are your immediate actions:

    1. Pull your Intune audit logs for the past 30 days and look for any wipe or retire operations outside of business hours or from unrecognized source IPs
    2. Review Entra ID sign-in logs for Global Admin and Intune Admin authentication from AS14593 or any of the Iranian ASNs listed in the detection pack
    3. Verify that your Global Admin accounts have phishing-resistant MFA (hardware keys or passkeys, not TOTP or SMS)
    4. Audit which accounts hold Intune Administrator and Cloud Device Administrator roles and confirm all of them are expected
    5. If you have any Israeli business ties, DoD or VA contracts, or aerospace/medical device operations, elevate your threat posture now
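    The pack itself ships as Sigma rules and KQL. As an added illustration of the logic behind the first four rules above and the first two hunt steps here (this is example code written for this post, not the pack's own rules), the Python below runs the same checks over constructed Intune audit and Entra sign-in events: a sliding-window count of wipe/retire commands per actor (5 in 15 minutes), privileged sign-ins from Starlink AS14593 minus an admin allowlist, an off-hours window in UTC, and a composite that only goes critical when the same actor trips both the wipe and the ASN check. The event field names (timestamp, actor, operation, asn, roles), the contoso.example accounts and the corporate ASN 64512 are assumptions, not Microsoft's schema or any real tenant's data.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

# Constants from the post. The 15 Iranian provider ASNs live in the pack,
# not on this page, so they are not reproduced here; pass them in as
# suspect_asns when you have them.
STARLINK_ASN = 14593
WIPE_OPERATIONS = {"wipe", "retire"}
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator",
                    "Cloud Device Administrator"}


def utc(s):
    """Parse a constructed 'YYYY-MM-DDTHH:MM' string as a UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample events (not real logs; field names are assumptions).
# Midnight EDT on March 11 is 04:00 UTC, which is where the burst sits.
INTUNE_AUDIT = [
    {"timestamp": utc(t), "actor": a, "operation": op, "device": d}
    for t, a, op, d in [
        ("2026-03-11T04:01", "ops.admin@contoso.example", "wipe", "LAPTOP-001"),
        ("2026-03-11T04:03", "ops.admin@contoso.example", "wipe", "LAPTOP-002"),
        ("2026-03-11T04:04", "ops.admin@contoso.example", "wipe", "SRV-014"),
        ("2026-03-11T04:06", "ops.admin@contoso.example", "wipe", "PHONE-377"),
        ("2026-03-11T04:08", "ops.admin@contoso.example", "wipe", "LAPTOP-009"),
        ("2026-03-11T04:09", "ops.admin@contoso.example", "wipe", "LAPTOP-010"),
        ("2026-03-11T10:00", "helpdesk@contoso.example", "retire", "PHONE-101"),
        ("2026-03-11T14:30", "helpdesk@contoso.example", "wipe", "LAPTOP-222"),
    ]
]

ENTRA_SIGNINS = [
    {"timestamp": utc("2026-03-11T03:50"), "user": "ops.admin@contoso.example",
     "asn": STARLINK_ASN, "roles": ["Global Administrator"]},
    {"timestamp": utc("2026-03-11T09:55"), "user": "helpdesk@contoso.example",
     "asn": 64512, "roles": ["Intune Administrator"]},   # constructed corporate ASN
    {"timestamp": utc("2026-03-11T12:10"), "user": "reader@contoso.example",
     "asn": STARLINK_ASN, "roles": []},                   # Starlink but unprivileged
]


def detect_mass_wipe(events, threshold=5, window_minutes=15):
    """Fire once per actor when >= threshold wipe/retire commands fall
    inside a sliding window. Alerts carry the window that crossed it."""
    alerts, recent, fired = [], {}, set()
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["operation"] not in WIPE_OPERATIONS:
            continue
        q = recent.setdefault(ev["actor"], deque())
        q.append(ev["timestamp"])
        while ev["timestamp"] - q[0] > timedelta(minutes=window_minutes):
            q.popleft()                      # drop commands older than the window
        if len(q) >= threshold and ev["actor"] not in fired:
            fired.add(ev["actor"])
            alerts.append({"actor": ev["actor"], "count": len(q),
                           "window_start": q[0], "window_end": ev["timestamp"]})
    return alerts


def detect_privileged_asn_signins(signins, suspect_asns, allowlist=frozenset()):
    """Privileged role AND sign-in from a suspect ASN AND not on the
    allowlist. ASN-based, so geo-IP on a Starlink address is irrelevant."""
    return [s for s in signins
            if s["asn"] in suspect_asns
            and PRIVILEGED_ROLES & set(s["roles"])
            and s["user"] not in allowlist]


def detect_off_hours(events, start_hour_utc=7, end_hour_utc=19):
    """Admin activity outside a working window expressed in UTC; shift the
    hours to your own timezone before deploying, as the pack notes say."""
    return [ev for ev in events
            if not start_hour_utc <= ev["timestamp"].hour < end_hour_utc]


def composite_critical(wipe_alerts, asn_hits):
    """Critical tier: the actor behind a wipe burst also signed in from a
    suspect ASN. Either signal alone stays at its own severity."""
    flagged = {s["user"] for s in asn_hits}
    return [a for a in wipe_alerts if a["actor"] in flagged]


if __name__ == "__main__":
    wipes = detect_mass_wipe(INTUNE_AUDIT)
    asn_hits = detect_privileged_asn_signins(ENTRA_SIGNINS, {STARLINK_ASN})
    for a in wipes:
        print(f"MASS WIPE  {a['actor']} issued {a['count']} commands "
              f"{a['window_start']:%H:%M}-{a['window_end']:%H:%M} UTC")
    for s in asn_hits:
        print(f"ASN SIGNIN {s['user']} roles={s['roles']} asn={s['asn']}")
    print("OFF-HOURS ", len(detect_off_hours(INTUNE_AUDIT)), "admin events")
    print("CRITICAL  ", [a["actor"] for a in composite_critical(wipes, asn_hits)])
```

    For a retrospective hunt, feed thirty days of exported Intune audit and Entra sign-in records into the same functions instead of the constructed lists; the wipe detector is written to fire at the moment the fifth command lands, so on historical data it tells you when the burst started rather than just that one happened.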

    The detection pack is available below. If you want our team to deploy these rules into your environment, tune them against your baseline, or run a retrospective hunt across your Entra and Intune logs, reach out.

    Download the Handala Detection Pack

    10 Sigma rules, KQL hunting queries, and OpenSearch queries covering the full Handala/Void Manticore attack chain mapped to MITRE ATT&CK.


    ThreatHunter.ai is an 18-year SDVOSB cybersecurity company. Our MILBERT identity threat detection platform and ARGOS managed detection and response service are built to find exactly this class of threat: identity-based, living-off-the-land attacks against cloud management infrastructure.