
Handala Hack
Iranian-aligned hacktivist group; wiped up to 200,000 Stryker devices in 79 countries in March 2026.
Last refreshed: 17 April 2026 · Appears in 2 active topics
Can one stolen admin login wipe an entire global company's devices without malware?
Timeline for Handala Hack
11 March 2026: Wiped up to 200,000 Stryker devices across 79 countries using a single stolen Microsoft Intune administrator credential, with no malware deployed
Topics: Cybersecurity: Threats and Defences (Handala wipes 200,000 devices at Stryker; mentioned in: Iran hackers wipe US hospital supplier) · Iran Conflict 2026 (mentioned in: Google closes $32bn Wiz deal; 38 M&A)
- Who is behind the Handala Hack group?
- Palo Alto Networks Unit 42 assessed Handala Hack as linked to Iran's Ministry of Intelligence and Security (MOIS). The group positions itself as a hacktivist collective retaliating for perceived attacks on Iran. Source: Palo Alto Networks Unit 42
- How did Handala wipe Stryker's devices without using malware?
- Handala used a single stolen Microsoft Intune administrator credential to issue remote-wipe commands from within the Stryker tenant's MDM console. No malware was deployed; the attack used legitimate IT tooling. Source: NCSC / Krebs on Security
- Was the Stryker hack an Iranian government operation?
- Palo Alto Networks assessed Handala as MOIS-linked. Handala framed the attack as retaliation for an Israeli missile strike on an Iranian school in February 2026. Iran has not officially acknowledged the group. Source: Palo Alto Networks / Stryker 8-K/A
- What is Handala Hack's main target and motive?
- Handala targets Israeli and Western entities, framing attacks as retaliation for Israeli or US-affiliated military actions against Iran. The Stryker wipe was explicitly framed as retaliation for the Minab school strike. Source: Handala public statements / Palo Alto
Background
Handala Hack claimed responsibility for wiping between 80,000 and 200,000 Stryker Corporation devices across 79 countries on 11 March 2026, using a single stolen Microsoft Intune administrator credential and no malware. The group framed the attack as retaliation for an Israeli missile strike on a school in the Iranian city of Minab in February 2026. Stryker filed an SEC 8-K/A disclosing the incident as material on 10 April, and NHS Supply Chain issued a disruption alert to UK hospitals on 18 March.
Handala emerged publicly around 2023 and has been linked by Palo Alto Networks Unit 42 to Iran's Ministry of Intelligence and Security (MOIS). The group operates as a hacktivist proxy, framing its campaigns in political terms while deploying capabilities above typical hacktivist tooling. Its known targets span Israel-affiliated organisations, defence supply chains and Western corporate entities. The Stryker operation demonstrated a shift from conventional malware-based wiping to credential-only MDM console abuse, eliminating the need to deploy or detonate a payload on endpoints.
The attack is significant because it establishes a malware-free, high-impact playbook for any actor holding a single privileged cloud-identity credential: the wipe is an ordinary, signed administrative action in the tenant's own MDM, so endpoint anti-malware has nothing to detect and the only observable is the administrative audit trail. The framing as retaliation embeds the operation in Iran-Israel conflict dynamics that are tracked separately across Lowdown's Iran and geopolitics topics, suggesting Handala serves as an operational arm for state-deniable cyber retaliation rather than purely independent hacktivist activity.
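Because the Stryker wipe (see the Q&A above and the Background) was issued through legitimate Intune administration rather than malware, the practical detection point is the MDM audit log rather than the endpoint. The following is an added example, not code from the original page, from Stryker, or from Microsoft: it scans Intune audit events for a burst of remote-wipe actions by one principal. It assumes the record shape returned by the Microsoft Graph `deviceManagement/auditEvents` endpoint (`activityType`, `activityOperationType`, `activityDateTime`, `actor.userPrincipalName`, `resources[].displayName`); the exact `activityType` strings used for wipe and retire ("Wipe ManagedDevice", "Retire ManagedDevice") are an assumption to confirm against your own tenant's export, and the threshold, window, tenant domain and events are constructed for illustration.

```python
"""Flag a burst of Intune remote-wipe actions issued by a single admin.

Added illustrative example; not the original page's or any vendor's code.
Record shape follows Microsoft Graph deviceManagement/auditEvents. The wipe
activityType strings, the tenant domain and all sample events are assumptions
or constructed data, not real Stryker records.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed activityType values for destructive device actions; verify in your tenant.
WIPE_ACTIVITY_TYPES = {"Wipe ManagedDevice", "Retire ManagedDevice"}


def _event(ts, actor, device, activity="Wipe ManagedDevice"):
    """Build one constructed audit event in the Graph auditEvents shape."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "activityOperationType": "Action",
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device}],
    }


# Constructed sample: one admin wipes six devices in under three minutes
# (plus a benign sync), another admin retires two devices over an hour.
SAMPLE_EVENTS = [
    _event("2026-03-11T02:00:00Z", "it-admin@contoso.example", "LAPTOP-0001"),
    _event("2026-03-11T02:00:15Z", "it-admin@contoso.example", "LAPTOP-0001", "Sync ManagedDevice"),
    _event("2026-03-11T02:00:30Z", "it-admin@contoso.example", "LAPTOP-0002"),
    _event("2026-03-11T02:01:00Z", "it-admin@contoso.example", "LAPTOP-0003"),
    _event("2026-03-11T02:01:30Z", "it-admin@contoso.example", "LAPTOP-0004"),
    _event("2026-03-11T02:02:00Z", "it-admin@contoso.example", "LAPTOP-0005"),
    _event("2026-03-11T02:02:30Z", "it-admin@contoso.example", "LAPTOP-0006"),
    _event("2026-03-11T09:00:00Z", "helpdesk@contoso.example", "PHONE-0042", "Retire ManagedDevice"),
    _event("2026-03-11T10:15:00Z", "helpdesk@contoso.example", "PHONE-0043", "Retire ManagedDevice"),
]


def _parse_time(value):
    """Parse the Graph UTC timestamp format used in auditEvents."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor whose wipe/retire actions reach `threshold`
    within any sliding `window`. Non-destructive activity types are ignored.

    Each alert: {"actor", "window_start", "wipes_in_window", "total_wipes"}.
    """
    times_by_actor = defaultdict(list)
    for ev in events:
        if ev.get("activityType") not in WIPE_ACTIVITY_TYPES:
            continue
        if ev.get("activityOperationType") != "Action":
            continue
        actor = ev.get("actor", {}).get("userPrincipalName", "<unknown>")
        times_by_actor[actor].append(_parse_time(ev["activityDateTime"]))

    alerts = []
    for actor, times in times_by_actor.items():
        times.sort()
        recent = deque()          # timestamps inside the current window
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({
                    "actor": actor,
                    "window_start": recent[0].isoformat(),
                    "wipes_in_window": len(recent),
                    "total_wipes": len(times),
                })
                break             # one alert per actor is enough to page on
    return alerts


if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(alert)
```

In production the events would come from the Graph endpoint filtered on `activityDateTime` for the last few minutes, and the threshold should be set below whatever legitimate bulk-offboarding volume your helpdesk actually produces. The caveat is that this is detection after the first devices are already gone; the controls that stop the attack outright are the ones the incident points at: no standing Intune Administrator assignments (time-bound activation with approval), phishing-resistant MFA and Conditional Access on admin sign-ins, and a custom scoped role for day-to-day device management that does not carry the wipe permission.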