Medical technology company Stryker disclosed a cyberattack on March 11th that disrupted portions of its global network infrastructure. Flashpoint analysts assess the attack may be linked to the Handala threat persona, believed to be connected to Iranian state actors. A notable aspect of the incident is the potential abuse of Microsoft Intune, a legitimate enterprise device management tool, to issue mass remote wipe commands across managed devices — a living-off-the-land (LotL) technique that bypasses traditional EDR and antivirus detection. The attack highlights a broader trend of state-linked actors targeting healthcare supply chain nodes rather than hospitals directly, enabling cascading disruption across the sector with reduced scrutiny.
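One way a defender could flag the mass-wipe pattern described above, as an added example that is not code from Flashpoint, Microsoft or Stryker: it scans device-management audit events for a single account wiping many distinct devices inside a short sliding window. The event schema, account names, window length and threshold are assumptions made for illustration; a real audit export would need to be mapped onto these fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not Intune's
# real audit-log format): (timestamp, initiating account, action, device id).
SAMPLE_EVENTS = [
    ("2025-01-01T09:00:00", "helpdesk@example.test", "wipe", "dev-001"),
    ("2025-01-01T13:30:00", "helpdesk@example.test", "wipe", "dev-002"),
    ("2025-01-01T14:00:00", "admin@example.test", "sync", "dev-003"),
] + [
    # Burst: 40 wipes from one account within 40 seconds.
    ("2025-01-02T02:00:%02d" % i, "admin@example.test", "wipe", "dev-%03d" % (100 + i))
    for i in range(40)
]

def detect_mass_wipe(events, window=timedelta(minutes=10), threshold=20):
    """Return one alert per account that wiped >= threshold distinct devices
    within any sliding time window of the given length."""
    by_actor = defaultdict(list)
    for ts, actor, action, device in events:
        if action == "wipe":
            by_actor[actor].append((datetime.fromisoformat(ts), device))
    alerts = []
    for actor, wipes in by_actor.items():
        wipes.sort()
        start = 0
        counts = defaultdict(int)  # device -> occurrences inside the window
        for ts, device in wipes:
            counts[device] += 1
            # Shrink the window from the left until it spans <= `window`.
            while ts - wipes[start][0] > window:
                old = wipes[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                alerts.append({"actor": actor, "first_seen": wipes[start][0],
                               "alerted_at": ts, "devices": len(counts)})
                break  # stop at the first crossing for this account
    return alerts

if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(alert)
```

Routine help-desk wipes spread over hours stay below the threshold, while the burst from one account trips the alert at the twentieth distinct device.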