On March 11, 2026, Handala, an Iran-backed hacktivist group tied to Iran's Ministry of Intelligence and Security, wiped more than 200,000 systems at Stryker Corporation. Devices in 79 countries. Office shutdowns. Surgical supply chains disrupted. Hospitals disconnecting LifeNet EKG monitoring as a precaution. Employees sent home.
The weapon was not a custom exploit. It was not a zero-day. It was Microsoft Intune, the same cloud-based device management platform Stryker used to manage its own endpoints.
The warning signs were in the advisory record before this happened. The threat research was published before this happened. What changed on March 11 is that the warnings became an incident report.
TL;DR
Iran-backed Handala weaponized Microsoft Intune to remote-wipe 200,000+ systems across 79 countries. No novel exploit required. Just administrative access to the management plane.
Iranian actors have been systematically harvesting credentials and pre-positioning inside Microsoft 365, Entra ID, and remote access systems since at least 2023. CISA has been warning about this for two years. That access is what makes this scale of attack possible.
Iran's cyber tempo tracks geopolitical escalation within 72-96 hours. The Stryker attack came after U.S.-Israeli military strikes. That timing was not accidental. Your elevated alerting window needs to be longer than four days.
What Happened and How
Iranian actors do not typically kick in the front door. They find credentials. They find remote access systems with unpatched vulnerabilities. They find MFA configurations that can be bypassed. Then they wait.
CISA's October 2024 advisory (AA24-290A), issued jointly with the FBI and NSA, documented exactly this pattern: Iranian cyber actors using password spraying, MFA push bombing, and Active Directory enumeration to compromise Microsoft 365 accounts, Azure environments, Citrix remote access systems, and enterprise Active Directory at organizations across healthcare, energy, government, and IT sectors. Many of those compromises were not immediately exploited. They were sold. Access to U.S. critical infrastructure as a commodity, available to whoever paid for it.
A joint CISA, FBI, DC3, and NSA fact sheet from June 2025 extended the warning: Iranian state-sponsored and affiliated actors were actively targeting vulnerable U.S. networks, with critical infrastructure sectors at elevated risk. The advisories named the targets, the techniques, and the sectors. The pattern was documented.
That access is the doorway. What happened at Stryker is what happens when someone walks through it.
Once inside a Microsoft 365 environment, the path to Intune is short. Microsoft Intune is a cloud-managed device management platform. Four roles carry the authority to remotely wipe every enrolled device in the enterprise: Global Administrator, Intune Administrator, Help Desk Operator, and School Administrator. If any of those accounts are compromised, every device in scope is one command away from a complete wipe.
No custom malware. No ransomware detonation. Just a legitimate administrative function, executed at scale.
The 72-Hour Window Was Not a Prediction. It Was a Pattern.
In January 2026, Aviatrix published the Iran APT Playbook, a research analysis of Iranian cyber actor tactics developed over the prior five years. One finding stood out: Iran's cyber tempo now tracks geopolitical escalation within 72-96 hours.
The Stryker attack came after U.S. and Israeli forces executed joint strikes on Iranian targets on February 28. In the immediate window following those strikes, CISA issued elevated threat warnings to critical infrastructure operators. Security teams heightened monitoring. Most treated it as a four-day window.
Stryker learned the window was longer, and that the attack, when it came, did not look like the threat most teams were watching for. There was no unusual network traffic. No suspicious lateral movement alerts. The actor was already inside, using authorized credentials, executing authorized functions. The attack was effectively invisible until 200,000 devices were already wiped.
CISOs need to reframe how they think about this timeline. The 72-96 hour surge window is real, but heightened alertness for four days is not a strategy against an actor who has had persistent access to your Microsoft 365 environment for months. The access that enabled this attack was not established in response to the February 28 strikes. It was already there.
Why Healthcare and Medtech
Healthcare is not a target of convenience. Aviatrix research identifies healthcare and critical infrastructure as deliberate Tier 2 priorities for Iranian state-sponsored operations, behind only Israeli defense and U.S. military contractors.
The targeting logic is straightforward. Disrupting surgical supply chains, disconnecting hospital monitoring systems, and grounding medical device field representatives creates visible, measurable civilian harm. That harm is the message. Iranian cyber operations increasingly use civilian disruption as a geopolitical pressure lever, and healthcare delivers that signal clearly. It also offers a security posture that is hard to defend: complex, distributed environments with significant third-party connectivity, legacy systems that cannot be patched on normal schedules, and OT networks that were never designed for modern security controls. Iranian actors have been documenting and pre-positioning inside that environment for years.
Medtech compounds the exposure. These organizations run both enterprise IT and operational technology with direct patient care dependencies. The blast radius of a wiper attack is not measured only in systems down. It is measured in clinical disruption.
What the Access Looks Like Once They're In
The perimeter is not where the access is coming from. The access is coming from the management plane. These are the systems Iranian actors have been actively targeting to get there.
Identity and access infrastructure. Microsoft 365 accounts, Entra ID, Active Directory, and MFA registration systems. Password spraying and push bombing are the documented entry techniques. The goal is persistent access, used directly or sold to other actors.
Remote access infrastructure. VPN appliances and Citrix remote access systems are primary initial access vectors. Pioneer Kitten, an Iran-linked initial access broker, has made a practice of identifying organizations with unpatched edge devices and selling that access into Iranian state operations. Unpatched remote access infrastructure remains the most reliable way into enterprise networks.
Cloud management platforms. Intune is now a case study. Any platform with administrative authority over enterprise endpoints, including device management, configuration management, and endpoint security consoles, is a high-value target. Compromise of the management plane gives access to everything it manages.
OT and ICS systems. IRGC-affiliated actors have targeted industrial control systems in water, energy, healthcare, and manufacturing. Internet-exposed PLCs and HMIs remain active targets. In a hospital environment, these include building automation, medical devices, and life safety systems.
Four Priorities for Your Next CISO Briefing
1. Audit Your Management Plane Before Someone Else Does
Pull every account with Global Administrator, Intune Administrator, Help Desk Operator, or equivalent MDM administrative rights. How many hold those roles as permanent assignments? How many use phishing-resistant MFA (FIDO2 or certificate-based)? How many are enrolled in Privileged Identity Management with just-in-time activation and approval workflows?
If any are permanent assignments protected only by standard TOTP authenticator codes, you are one compromised credential away from the scenario Stryker just lived through.
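The audit described in this priority can be turned into a repeatable check. The Python below is an added example written for this post, not Aviatrix code and not a Microsoft tool: it evaluates a list of role holders against the three questions above (permanent assignment, phishing-resistant MFA, PIM just-in-time with approval) and rates each gap. The record shape, the sample accounts and the "Global Reader" control account are constructed assumptions; in practice the input would be an export of directory role assignments and registered authentication methods.

```python
"""Audit management-plane admin accounts against the briefing's criteria:
permanent assignment, phishing-resistant MFA, and PIM just-in-time activation.
Input records are constructed here; in practice they would come from an export
of directory role assignments and registered authentication methods."""
from dataclasses import dataclass, field

# Roles the post names as able to remote-wipe every Intune-enrolled device.
WIPE_CAPABLE_ROLES = {
    "Global Administrator",
    "Intune Administrator",
    "Help Desk Operator",
    "School Administrator",
}

# Methods treated as phishing-resistant (FIDO2 and certificate-based).
PHISHING_RESISTANT = {"fido2", "certificate"}


@dataclass
class AdminAccount:
    upn: str
    roles: set[str]
    assignment: str          # "permanent" or "eligible" (PIM just-in-time)
    auth_methods: set[str]   # e.g. {"password", "totp", "fido2", "push"}
    pim_approval: bool = False


@dataclass
class Finding:
    upn: str
    severity: str            # "critical", "high" or "medium"
    reasons: list[str] = field(default_factory=list)


def audit_admin_accounts(accounts):
    """Return one Finding per account holding a wipe-capable role that misses a control."""
    findings = []
    for acct in accounts:
        held = acct.roles & WIPE_CAPABLE_ROLES
        if not held:
            continue                      # not in scope for this audit
        reasons = []
        permanent = acct.assignment == "permanent"
        weak_mfa = not (acct.auth_methods & PHISHING_RESISTANT)
        if permanent:
            reasons.append("permanent assignment of " + ", ".join(sorted(held)))
        if weak_mfa:
            reasons.append("no phishing-resistant method registered")
        if not permanent and not acct.pim_approval:
            reasons.append("PIM eligible but activation needs no approval")
        if not reasons:
            continue
        # The post's worst case: a permanent role guarded only by TOTP or push.
        if permanent and weak_mfa:
            severity = "critical"
        elif permanent or weak_mfa:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(acct.upn, severity, reasons))
    return findings


def summarize(findings):
    """Count findings by severity for the briefing slide."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample tenant: four role holders with different postures.
SAMPLE_ACCOUNTS = [
    AdminAccount("ga.legacy@example.com", {"Global Administrator"}, "permanent", {"password", "totp"}),
    AdminAccount("intune.ops@example.com", {"Intune Administrator"}, "eligible", {"password", "fido2"}, pim_approval=True),
    AdminAccount("helpdesk1@example.com", {"Help Desk Operator"}, "eligible", {"password", "push"}),
    AdminAccount("reader@example.com", {"Global Reader"}, "permanent", {"password", "totp"}),
]

if __name__ == "__main__":
    for f in audit_admin_accounts(SAMPLE_ACCOUNTS):
        print(f.severity.upper(), f.upn, "-", "; ".join(f.reasons))
    print(summarize(audit_admin_accounts(SAMPLE_ACCOUNTS)))
```

On the sample tenant the permanent Global Administrator protected by TOTP is the single critical finding, the eligible Help Desk Operator with push-only MFA and no approval gate is rated high, and the PIM-managed Intune Administrator with a FIDO2 key produces nothing. Severity is driven by the combination the post calls out: permanent plus weak MFA is the one-credential-away case.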
2. Phishing-Resistant MFA Is Not Optional Anymore
The credential access pattern documented in AA24-290A is systematic: password spraying, MFA push bombing, attacker device enrollment, session token theft. Standard TOTP codes cannot withstand adversary-in-the-middle toolkits such as EvilGinx2, which Iranian actors have deployed for credential and session harvesting.
FIDO2 hardware keys or device-certificate-based authentication are the baseline. The path from a compromised email account to an Intune administrative role is not a long one, and standard MFA does not stop it.
3. Apply the 72-Hour Concept to Detection Logic, Not Just Posture
Geopolitical escalation events should trigger specific elevated detection rules, not just a general directive to be vigilant. Define the behaviors in advance: unusual sign-ins to administrative consoles, new MFA device registrations for administrative accounts, bulk device queries in Intune or similar platforms, remote access from atypical geolocations against service accounts.
These signals exist in your logs today. The question is whether your detection logic is looking for them and whether your SOC has a defined response for each.
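The behaviors listed above can be expressed as concrete rules, with the escalation window changing thresholds rather than just attention. The Python below is an added example for this post, not Aviatrix code and not any vendor's detection content: it runs three rules (new MFA method on an administrative account, administrative console sign-in from outside the baseline countries, and a burst of destructive device actions by one actor) over constructed events. The event shape, the action names, the admin account list, the thresholds and the sample log are all assumptions made here, not a product schema; the country code "ZZ" is a deliberately unassigned placeholder.

```python
"""Detection rules for the signals the briefing names, run over constructed
audit/sign-in events. The event shape is an assumption made here, not a vendor
schema: each event is a dict with 'ts' (ISO 8601 UTC), 'actor', 'action' and
optional 'target', 'app', 'country', 'method'."""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_ACCOUNTS = {"ga.legacy@example.com", "intune.ops@example.com"}  # constructed
BASELINE_COUNTRIES = {"US"}                     # where admin sign-ins normally originate
DESTRUCTIVE_ACTIONS = {"device.wipe", "device.retire"}  # constructed action names
ADMIN_CONSOLE_APPS = {"intune-admin", "entra-admin"}    # constructed app labels


def parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect(events, elevated=False):
    """Return (rule, actor, timestamp) alerts. 'elevated' models the window after a
    geopolitical escalation: the bulk destructive-action threshold drops from 25
    to 5 events per actor inside a 10-minute window."""
    bulk_threshold = 5 if elevated else 25
    window = timedelta(minutes=10)
    alerts = []
    recent = defaultdict(list)            # actor -> timestamps of destructive actions
    for ev in sorted(events, key=lambda e: e["ts"]):
        t = parse(ev["ts"])
        actor = ev["actor"]
        # Rule 1: new MFA method registered on an administrative account.
        if ev["action"] == "mfa.register" and ev.get("target", actor) in ADMIN_ACCOUNTS:
            alerts.append(("NEW_ADMIN_MFA_METHOD", actor, ev["ts"]))
        # Rule 2: admin-console sign-in from outside the baseline countries.
        if (ev["action"] == "signin" and ev.get("app") in ADMIN_CONSOLE_APPS
                and ev.get("country") not in BASELINE_COUNTRIES):
            alerts.append(("ATYPICAL_ADMIN_SIGNIN", actor, ev["ts"]))
        # Rule 3: burst of destructive device actions by one actor in the window.
        if ev["action"] in DESTRUCTIVE_ACTIONS:
            times = recent[actor]
            times.append(t)
            while times and t - times[0] > window:
                times.pop(0)              # drop events that fell out of the window
            if len(times) == bulk_threshold:   # fire once, when the threshold is crossed
                alerts.append(("BULK_DEVICE_WIPE", actor, ev["ts"]))
    return alerts


# Constructed sample log: one benign admin sign-in, one admin from an unexpected
# country who then registers a new MFA method, one routine retirement, and a
# burst of six wipes by the same admin a few hours later.
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T21:58:00Z", "actor": "intune.ops@example.com", "action": "signin",
     "app": "intune-admin", "country": "US"},
    {"ts": "2026-03-10T22:05:00Z", "actor": "ga.legacy@example.com", "action": "signin",
     "app": "entra-admin", "country": "ZZ"},
    {"ts": "2026-03-10T22:06:00Z", "actor": "ga.legacy@example.com", "action": "mfa.register",
     "method": "authenticator-push"},
    {"ts": "2026-03-10T22:40:00Z", "actor": "helpdesk1@example.com", "action": "device.retire",
     "target": "LAPTOP-0001"},
] + [
    {"ts": f"2026-03-11T03:00:{s:02d}Z", "actor": "ga.legacy@example.com",
     "action": "device.wipe", "target": f"DEV-{s:04d}"}
    for s in range(6)
]

if __name__ == "__main__":
    for mode in (False, True):
        print("elevated" if mode else "normal")
        for rule, actor, ts in detect(SAMPLE_EVENTS, elevated=mode):
            print(" ", ts, rule, actor)
```

Under normal thresholds the six wipes never trip the bulk rule; with the elevated profile active the same log produces a third alert on the fifth wipe, a few seconds into the burst. The first two alerts fire either way, which is the point of defining the behaviors in advance: the escalation window adjusts sensitivity, it does not create the detection.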
4. Know Your OT Exposure Before the Next Event
If your organization runs operational technology, including building systems, medical devices, diagnostic equipment, or industrial control systems, your attack surface extends well beyond the enterprise IT boundary. Map your internet-exposed OT assets. If you do not know what is exposed, start with a network-layer assessment.
The Stryker impact was an enterprise IT wipe. An actor with OT access at a healthcare organization has a shorter path to patient care systems.
The Bottom Line
The Stryker attack did not require a novel capability. It required persistent access to an enterprise identity environment and knowledge of what that access made possible. Both of those conditions exist in organizations right now.
The threat was documented. CISA published credential access warnings in 2024 and elevated the threat posture in June 2025. The Aviatrix Iran APT Playbook identified the 72-96 hour kinetic-to-cyber correlation and the management plane as an emerging attack vector before this incident happened. The pattern was visible. The question is whether your defensive posture matches what the pattern requires.
The management plane is now part of the attack surface. The actor who compromised Stryker was not sophisticated. They were patient. They had access, they understood what it enabled, and they used it when the moment came. That combination is available to every Iran-linked actor who has been harvesting credentials from U.S. enterprise environments for the past two years.
Assume the access exists. Build your program around that assumption.
If you want to understand where your cloud workloads have network paths they should not have, start with a free Workload Attack Path Assessment. For the research behind Iranian APT tactics and the threat intelligence informing these findings, the Aviatrix Threat Research Center is where we publish the work.