Features 24.03.2026
AI Autopsy: What Stryker’s Wiper Attack Says About Geopolitical Risk in 2026
A large-scale wiper attack on Stryker highlights how identity compromise and geopolitical tensions are reshaping cyber risk for critical supply chains.
CISOs had been bracing for cyber retaliation from the moment US and Israeli bombs started falling on Iran. But when it came, it was arguably worse than many feared. Medical technology provider Stryker was the target, and destruction was the goal. Likely state-sponsored attackers claimed to have wiped as many as 200,000 “systems, servers, and mobile devices” and stolen 50TB of internal data from the firm.
The question is whether this will be the first of many attacks, or a lucky early blow for Tehran. Either way, CISOs should be on notice. Critical national infrastructure (CNI) sectors and little-known supply chain players are now fair game. Resilience can’t wait.
Reports started filtering through about the attack on March 11. The group behind it, ostensibly a pro-Iran hacktivist collective known as Handala, claimed it was launched in response to the bombing of the Minab primary school, in which over 100 children are said to have lost their lives. It also cited “ongoing cyber assaults” by presumably US and Israeli hackers. Promising “the beginning of a new chapter in cyber warfare”, it boasted that Stryker offices in scores of countries had been forced to shut down.
“All the acquired data is now in the hands of the free people of the world, ready to be used for true advancement of humanity and the exposure of injustice and corruption,” it added.
It will take time to corroborate all of these claims. What we do know from Stryker’s SEC Form 8-K filing is that on March 11 it identified an incident “that has resulted in a global disruption to the company’s Microsoft environment”. It added that the company has “no indication of ransomware or malware and believes the incident is contained”. That wording is consistent with reports that the threat actors compromised a Microsoft Intune admin account and used the platform’s own remote-wipe action to reset endpoints company-wide: a wipe issued through the MDM’s built-in tooling needs no malware on the device. A CISA report also seems to confirm this.
“The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the company’s information systems and business applications supporting aspects of the company’s operations and corporate functions,” the notice continued.
“While the company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known. The company has business continuity measures in place to continue to support its customers and partners.”
Later reports put the number of wiped devices at around 80,000 and found no sign of mass data exfiltration. Even so, the impact could still be significant. Thousands of workers at the firm’s offices in Ireland were initially sent home, and its HQ in Michigan was shuttered. Staff reportedly fell back on workarounds outside the Microsoft environment, including WhatsApp and personal email, and some lost personal data because their BYOD handsets were enrolled in the company MDM and were wiped along with corporate devices.
Huntress EMEA vCISO, Muhammad Yahya Patel, tells Assured Intelligence that “initial stabilisation” could take weeks, while it may be another 3–6 months before “full operational normalcy” is resumed.
“Even with strong automation, restoring a very large global fleet can take weeks to stabilise core operations and months to complete full trust restoration and forensic review,” he adds. “This isn’t a ransomware recovery where you enter a key and decrypt. A remote wipe is a complete factory reset of applications, settings and data. Every single one of those devices is now a brick. Recovery will have to be staggered, site-by-site, and likely handled via regional hubs for employees to walk in with their devices.”
Staff report seeing a Handala logo on the Entra ID login page before their devices were wiped. But this wasn’t a defacement campaign: the aim was clearly to cause as much chaos within the company as possible. Why Stryker? Handala’s post describes it as a “Zionist-rooted corporation”, which may be a reference to its 2019 acquisition of Israeli company OrthoSpace.
Another reason is its key role in the US healthcare supply chain. Stryker is a significant producer of surgical and orthopaedic devices and neurotechnology. According to journalist Brian Krebs, the attack is already affecting hospitals, leaving them unable to order surgical supplies. That would seem to align with the aims of a regime currently engaged in an existential struggle.
“There’s a very real possibility of life-impacting consequences for patients who need surgery,” warns Corsica Technologies CISO Ross Filipek. “If Stryker’s competitors cannot adequately meet the demand, hospitals will not be able to procure the materials they need, meaning surgeries will not be performed, and patients will suffer.”
Handala itself has been assessed as a front for the Iranian Ministry of Intelligence and Security (MOIS) group Void Manticore. The apparent scale and sophistication of the attack would support this view.
Alvaka CISO, Kevin McDonald, argues that the relative rarity of wiper incidents makes them more dangerous. “Most senior executives and even IT leaders are not familiar with what it means to be a victim. They are too fanciful and far out for risk managers to get adequate investment and buy-in for viable defences and resilience,” he tells Assured Intelligence.
“But the effort to address the wiper class of attacks is much greater because it must assume total data loss, lost systems access, communications, documentation and potentially unrecoverable hardware with no way to buy your way back. The planning and implementation efforts and dollar investment are more than a rare few organisations are willing or able to complete.”
The security experts Assured Intelligence spoke to warned that an event this significant will cause major downtime, lost productivity, delayed operations and possible regulatory action – depending on what data was taken and how. “The takeaway for the rest of us is that nobody is ‘off-limits’ anymore,” argues Skip Sorrels, field CISO at Claroty. “If you’re providing critical gear to essential sectors like healthcare, you’re on the front lines of global tension whether you signed up for it or not.”
In that context, it should be concerning that the Iranian APT group Seedworm may have pre-positioned itself within the networks of other companies. So what can CISOs do now to build resilience?
Security leaders must start by assuming “your primary cloud control plane will fail”, according to Keepit group CISO, Kim Larsen.
“Design recovery paths that do not depend on the same identities, permissions, or platforms that run your production environment. If you cannot recover when identity is compromised, you cannot recover at all,” he tells Assured Intelligence. “Recovery is a corporate issue. Ensure that every part of the organisation understands its responsibilities – across management, communication, operations, and supporting functions. Recovery periods can last for months, so the human factor matters: no team can operate at full intensity 24/7 for extended periods.”
Next comes backup and recovery. Backups need to sit beyond the reach of the identities and control plane that can be used to destroy production, and recovery should be rehearsed regularly via tabletop exercises and live simulations, and kept on the agenda of senior leadership.
“Finally, take data sovereignty seriously, not rhetorically. Knowing where your data lives, who controls access, and which jurisdiction ultimately applies is not a compliance exercise – it is a resilience strategy,” says Larsen. “The real lesson is this: resilience is not about preventing every incident. It’s about ensuring that when everything fails at once, your recovery does not fail with it.”
There are more immediate things that CISOs running Intune can and should do, according to Huntress’s Patel. This starts with enforcing multi-admin approval (MAA). “Microsoft introduced MAA for Intune for a reason. Configure it now so that a ‘wipe’ command on more than, say, 10 devices requires a second, independent administrator to authorise it,” he explains. “No single person should be able to delete the company.”
CISOs should also review all identities in the enterprise and ensure just-in-time elevation and conditional access are enabled for privileged accounts. And for Intune or Entra ID admins, nothing short of FIDO2 phishing-resistant hardware keys will do. “Standard SMS or app-based MFA is no longer enough to stop state-sponsored session hijacking,” Patel argues.
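The gap Patel describes is checkable. The Python below, an added example written for this article rather than code from Stryker, Huntress or Microsoft, audits Conditional Access policies in the shape Microsoft Graph returns from `/identity/conditionalAccess/policies` and reports which privileged roles are not forced onto phishing-resistant MFA. The role template IDs and the built-in authentication strength ID are Entra ID constants; the three sample policies are constructed for the example and come from no real tenant, and the “weak” one is the common pattern the quote warns about (any MFA, SMS and app approval included).

```python
"""Audit Conditional Access policies for privileged-role coverage.

Added example, not from the article or any vendor. Policy dicts follow the
shape of Microsoft Graph's conditionalAccessPolicy; the sample policies are
constructed, not exported from a real tenant.
"""

# Entra ID role template IDs and the built-in "Phishing-resistant MFA"
# authentication strength ID (tenant-independent constants).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
INTUNE_ADMIN = "3a2c62db-5318-420d-8d74-23affee5d9d5"
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"
PRIVILEGED_ROLES = {GLOBAL_ADMIN: "Global Administrator",
                    INTUNE_ADMIN: "Intune Administrator"}


def _policy(name, state, roles, grant):
    """Minimal policy in the Graph shape. 'breakglass-id' is a placeholder for
    the excluded emergency-access account (assumption for the example)."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeRoles": list(roles), "excludeUsers": ["breakglass-id"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": grant,
    }


# Constructed sample policies.
WEAK = _policy(  # the common starting point: any MFA method satisfies the policy
    "Admins: any MFA", "enabled", PRIVILEGED_ROLES,
    {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": None})
STRONG_REPORT_ONLY = _policy(  # correct control, but still in report-only mode
    "Admins: phishing-resistant MFA (pilot)", "enabledForReportingButNotEnforced",
    PRIVILEGED_ROLES,
    {"operator": "OR", "builtInControls": [],
     "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}})
STRONG = _policy(  # the corrected, enforced policy
    "Admins: phishing-resistant MFA", "enabled", PRIVILEGED_ROLES,
    {"operator": "OR", "builtInControls": [],
     "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}})


def requires_phishing_resistant(policy):
    """True only for an enforced policy that applies to all cloud apps and
    grants access solely via the built-in phishing-resistant strength."""
    if policy.get("state") != "enabled":
        return False
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    if strength.get("id") != PHISHING_RESISTANT_MFA:
        return False
    apps = policy["conditions"].get("applications", {}).get("includeApplications", [])
    return "All" in apps


def uncovered_privileged_roles(policies, roles=PRIVILEGED_ROLES):
    """Names of privileged roles that no enforced phishing-resistant policy targets."""
    covered = set()
    for p in policies:
        if requires_phishing_resistant(p):
            covered.update(p["conditions"]["users"].get("includeRoles", []))
    return sorted(name for rid, name in roles.items() if rid not in covered)


def weak_mfa_policies(policies):
    """Enforced policies that let privileged roles in on plain 'mfa'
    (SMS or app approval accepted), i.e. candidates to tighten or retire."""
    return [
        p["displayName"] for p in policies
        if p.get("state") == "enabled"
        and "mfa" in (p.get("grantControls") or {}).get("builtInControls", [])
        and set(p["conditions"]["users"].get("includeRoles", [])) & set(PRIVILEGED_ROLES)
    ]


if __name__ == "__main__":
    print("Uncovered with weak + pilot only:",
          uncovered_privileged_roles([WEAK, STRONG_REPORT_ONLY]))
    print("Uncovered once STRONG is enforced:", uncovered_privileged_roles([WEAK, STRONG]))
    print("Policies still accepting plain MFA:", weak_mfa_policies([WEAK, STRONG]))
```

Two caveats. The checker recognises only the built-in phishing-resistant strength; a tenant that built its own FIDO2-only custom strength needs to resolve its ID from `/policies/authenticationStrengthPolicies` and add it to the accepted set. And Conditional Access is only half of the quote: the just-in-time elevation it mentions lives in Privileged Identity Management and has to be audited separately.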
Finally, audit BYOD and Intune profiles. “This attack wiped personal phones because they were ‘enrolled’ in the company MDM,” says Patel. “This is a massive legal and HR liability. Shift to ‘MAM’ (mobile application management) for personal devices so you can wipe work data without factory-resetting an employee’s personal life.”
Claroty’s Sorrels adds that detection and response systems should also be fine-tuned to make sure they spot unusual activity. “Most SOCs look for malware, but we need to watch for weirdness,” he argues. “If a ‘trusted’ admin account starts performing high-volume actions at lightning speed, your alerts should be screaming.”
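What “watching for weirdness” looks like in practice is a rate check on privileged actions rather than a malware signature. The Python below is an added example, not Claroty’s or any SOC’s detection content: it runs over a constructed sample of records shaped like Intune audit-log entries (actor, activity, timestamp, target; the field names and the activity strings are assumptions to be checked against a real export) and raises an alert when one account issues ten or more wipe, retire or delete actions inside five minutes, or when an account with no history of destructive actions issues its first one. Routine helpdesk wipes spaced half an hour apart do not trip it.

```python
"""Burst and first-use detection for destructive MDM actions.

Added example, not from the article or any vendor. The sample log is
constructed; field names mirror what an Intune audit export carries
(assumption) and activity strings should be matched to a real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Activities treated as destructive (spelling is an assumption; verify in-tenant).
DESTRUCTIVE_ACTIVITIES = {"Wipe ManagedDevice", "Retire ManagedDevice",
                          "Delete ManagedDevice"}


def _event(ts, actor, activity, target):
    return {"ts": ts.strftime(TS_FMT), "actor": actor,
            "activity": activity, "target": target}


def constructed_events():
    """Constructed sample audit log, oldest first. Not real telemetry."""
    base = datetime(2026, 3, 11, 2, 0, 0)
    events = [
        # Routine: helpdesk retires one device and wipes another, 30 minutes apart.
        _event(base, "helpdesk@example.com", "Retire ManagedDevice", "LT-0001"),
        _event(base + timedelta(minutes=30), "helpdesk@example.com",
               "Wipe ManagedDevice", "LT-0002"),
        # Non-destructive change by another admin; ignored by the detector.
        _event(base + timedelta(minutes=35), "cfgadmin@example.com",
               "Patch DeviceConfiguration", "Win11-Baseline"),
    ]
    # Anomalous: one admin account issues 12 wipes in under 40 seconds.
    for i in range(12):
        events.append(_event(base + timedelta(minutes=40, seconds=3 * i),
                             "intune-admin@example.com", "Wipe ManagedDevice",
                             f"LT-{100 + i:04d}"))
    return events


def detect(events, known_actors, window=timedelta(minutes=5), threshold=10):
    """Return alerts for (a) a destructive action by an actor with no prior
    history of them ('new_actor') and (b) `threshold` or more destructive
    actions by one actor inside `window` ('burst'). `events` must be in
    chronological order; a burst alert keeps counting while the burst continues."""
    recent = defaultdict(deque)   # actor -> timestamps of destructive actions in window
    active_bursts = {}            # actor -> burst alert still being extended
    seen_actors = set(known_actors)
    alerts = []
    for ev in events:
        if ev["activity"] not in DESTRUCTIVE_ACTIVITIES:
            continue
        ts = datetime.strptime(ev["ts"], TS_FMT)
        actor = ev["actor"]
        if actor not in seen_actors:
            alerts.append({"kind": "new_actor", "actor": actor,
                           "first_seen": ev["ts"], "activity": ev["activity"]})
            seen_actors.add(actor)
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:          # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            if actor in active_bursts:      # burst already raised: extend it
                burst = active_bursts[actor]
                burst["count"] += 1
                burst["last_seen"] = ev["ts"]
            else:
                burst = {"kind": "burst", "actor": actor, "count": len(q),
                         "first_seen": q[0].strftime(TS_FMT), "last_seen": ev["ts"]}
                active_bursts[actor] = burst
                alerts.append(burst)
        else:
            active_bursts.pop(actor, None)  # rate dropped back under threshold
    return alerts


if __name__ == "__main__":
    for alert in detect(constructed_events(), known_actors={"helpdesk@example.com"}):
        print(alert)
```

The `known_actors` baseline would normally be built from the previous 30 to 90 days of the same log, and the threshold tuned to what device-lifecycle teams legitimately do in a batch. Note the ordering: the new-actor alert fires on the very first wipe, a full nine devices before the rate rule does, which is the signal worth paging on for an account that has never wiped anything.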
For UK CISOs, the best-case scenario would be a swift end to hostilities in the Middle East. But the geopolitical landscape is such these days that the next crisis may be just around the corner. In that context, perhaps the most important lesson to be learnt from the past few weeks is that, in the words of Keepit’s Larsen, “neutrality and geography no longer reduce exposure”.
State-sponsored attacks are nothing new. But as superpowers throw their weight around, they’re becoming increasingly unpredictable. The good news is that, for most UK security leaders, there’s still time to build resilience.