Iran-linked group Handala wiped up to 200,000 Stryker devices across 79 countries on 11 March 2026 using a single stolen Microsoft Intune admin credential. No malware ran. NHS England warned hospitals of three weeks of supply disruption.
Endpoint tools cannot block a wipe issued from a legitimate management console. One identity lacking step-up authentication handed the attackers root-equivalent authority over the entire estate.
