An Iranian Hacker Group Just Wiped a Medical Device Giant. Here's Why Your Donegal Business Should Care.

An Iranian group wiped 200,000 Stryker devices across 79 countries including Cork. What it means for Irish SMEs in the supply chain.

On the morning of 11 March 2026, employees at Stryker offices around the world turned on their computers and found them wiped.

Not encrypted, waiting for a ransom demand. Wiped. Gone. Login screens replaced with a logo. 200,000 devices across 79 countries, simultaneously, in the time it takes to issue a single command.

That is what happened to one of the largest medical technology companies on the planet. It is the most destructive cyberattack ever confirmed against a US Fortune 500 company. And because Stryker's largest hub outside the United States is in Cork, it is an Irish story — with consequences that reach into Donegal, Sligo, and every business in the North-West that supplies into healthcare, pharmaceuticals, or medical technology.

Here is what happened, how it was done, and why it matters to businesses your size.


What Is a Wiper Attack?

A wiper attack is a cyberattack designed not to steal your data or hold it for ransom — but to destroy it permanently and without recovery.

Unlike ransomware, there is no decryption key to purchase, no negotiation to be had. When the command is issued, the data is gone. Recovery depends entirely on whether your backups are intact, isolated, and genuinely restorable. For a company whose equipment is embedded in operating theatres and emergency departments across 79 countries, every hour of downtime carries consequences that go beyond balance sheets.


What Happened — The Facts

  • On 11 March 2026, Stryker Corporation confirmed a global disruption to its Microsoft environment as a result of a cyberattack.
  • The Iran-linked group Handala claimed responsibility, stating it had erased data from more than 200,000 systems, servers, and mobile devices simultaneously.
  • Stryker employs approximately 56,000 people globally, reported $25 billion in revenue in 2025, and operates in over 60 countries.
  • In Ireland, Stryker's Cork operation — its largest hub outside the US — sent approximately 5,500 employees home as internal networks went offline.
  • Hospitals across multiple countries disconnected from Stryker's LifeNet system, which allows paramedics to transmit ECG data to emergency physicians before a cardiac patient arrives. In Maryland, the system was reported non-functional statewide.
  • On 20 March 2026, the US Department of Justice formally attributed the attack to Iran's Ministry of Intelligence and Security (MOIS). The FBI seized four Handala domains. The State Department offered $10 million for information on the perpetrators.

How They Did It — Without a Single Piece of Malware

This is where the story gets technically important, and where most reporting has been imprecise.

There was no ransomware. No malicious software was deployed to individual devices. Your antivirus would have seen nothing. Your endpoint detection tools would have flagged nothing. Because nothing unusual happened — right up until 200,000 devices went dark simultaneously.

Stryker, like most large organisations, used Microsoft Intune — a cloud-based platform that allows IT teams to manage every laptop, phone, and tablet in an organisation from a single administrative console. It is the tool you use when an employee loses their phone and you need to wipe it remotely. It is designed for exactly that.

Handala gained access to the administrative layer of Stryker's Intune environment and issued a single remote wipe command across the entire global device fleet at once.

Because that command is a legitimate, built-in system function — the kind IT teams use every day — it bypassed every endpoint security control Stryker had in place. No malware signatures to detect. No unusual processes to flag. Just a button, pressed once, by someone who should not have been there.

This technique is known in security as "living off the land." The attacker does not bring a weapon. They pick up yours.
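Because the wipe arrives as a legitimate management action, the place to catch it is the management console's audit trail rather than the endpoint. The sketch below is an added example, not code from Stryker or Microsoft: it flags any account that wipes an unusual number of devices in a short window. The record fields, the sample events, and the thresholds (more than 5 devices in 10 minutes) are constructed assumptions, not a verbatim Intune export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2026, 1, 5, 9, 0, 0)
# Constructed sample of management-console audit records (simplified, assumed
# field names; not a verbatim Intune export).
SAMPLE_EVENTS = [
    {"time": "2026-01-05T08:10:00", "actor": "helpdesk@example.test",
     "action": "Wipe device", "device": "phone-lost-1"},
    {"time": "2026-01-05T08:12:00", "actor": "helpdesk@example.test",
     "action": "Sync device", "device": "laptop-114"},
    {"time": "2026-01-05T14:30:00", "actor": "helpdesk@example.test",
     "action": "Wipe device", "device": "laptop-retired-2"},
] + [
    # One account wiping 40 devices two seconds apart.
    {"time": (BASE + timedelta(seconds=2 * i)).isoformat(),
     "actor": "admin-07@example.test", "action": "Wipe device",
     "device": f"dev-{i:03d}"}
    for i in range(40)
]


def find_wipe_bursts(events, window=timedelta(minutes=10), max_devices=5):
    """Flag any actor who wipes more than max_devices distinct devices
    inside one sliding time window."""
    by_actor = defaultdict(list)
    for e in events:
        if "wipe" in e["action"].lower():
            by_actor[e["actor"]].append(
                (datetime.fromisoformat(e["time"]), e["device"]))
    alerts = []
    for actor, hits in by_actor.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            devices = {dev for _, dev in hits[start:end + 1]}
            if len(devices) > max_devices:
                alerts.append({"actor": actor, "window_start": hits[start][0],
                               "devices": len(devices)})
                break  # one alert per actor is enough to page someone
    return alerts


if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(alert)
```

The alert fires on the sixth device, while most of the fleet is still untouched; the routine helpdesk wipes hours apart stay below the threshold.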

Not sure who has administrative access to your Microsoft 365 environment — or whether those accounts are properly protected? That is exactly the kind of question a structured security review answers. Book a free 20-minute strategy call — no sales pitch, no jargon.


The Irish Dimension

Stryker is not an abstract American company. In Ireland it is one of the largest employers in Munster, and its supply chain reaches into every corner of Irish healthcare.

Consider what sits around it:

| Stryker Relationship | Who in Ireland Is Affected |
|---|---|
| Direct employment | 5,500 Cork staff, plus contractors |
| Product supply chain | Hospitals, surgical centres, procurement teams |
| Service providers | IT, facilities, logistics, professional services |
| Data sharing partners | Clinical trial partners, quality assurance contractors |

Every firm in one of those rows potentially had data inside Stryker's environment. Handala claims to have taken 50 terabytes of data before executing the wipe. That number has not been independently verified — threat actors routinely exaggerate — but the category of data is what matters. Procurement contracts. Employee records. Clinical information shared for product development. If your business has shared data with an organisation like Stryker at any point in the past several years, some of that data may now be in the hands of a state intelligence service.

The National Cyber Security Centre Ireland has issued updated guidance on supply chain risk in light of the current escalation. The Garda National Cyber Crime Bureau is actively monitoring for downstream effects on Irish organisations [^1][^2].


Why This Is a Supply Chain Attack — Even If It Doesn't Look Like One

Palo Alto Networks, one of the security firms that has tracked Handala most closely, noted something specific in their assessment of the group's recent activity: a noticeable focus on supply-chain footholds — using IT providers and service companies to reach downstream victims.

Not all of the data Handala exfiltrated was about Stryker itself. Some of that data belongs to Stryker's suppliers, partners, and customers. Organisations that had no direct relationship with the attackers now have information in the hands of a state intelligence service because of a company they trusted.

This is the supply chain risk that NIS2 Article 21 was written to address — and it is no longer theoretical. If your business provides services to, procures from, or shares data with any organisation operating in healthcare, pharmaceuticals, or medical technology, the Stryker attack is a direct illustration of your exposure.

Not a hypothetical. Not a worst-case scenario from a framework document. A live case study, with your sector's name on it, published in the Irish Examiner and confirmed by the US Department of Justice.


Why It Matters to Your Business Right Now

The geopolitical trigger for this attack was a US-Israeli military strike on Iran in late February 2026. Handala retaliated by targeting companies they associated with Israel or its allies — including Stryker, which acquired an Israeli medical technology company called OrthoSpace in 2019.

Your business does not need to have a view on geopolitics to be caught in the crossfire. You just need to be in the supply chain of an organisation that does.

The NCSC Ireland has warned that Iranian threat actors have been increasing activity against European targets since the February escalation. The HSE, Irish hospitals, and pharmaceutical manufacturers operating in the North-West are all assessing their exposure. If any of them are your customers, your suppliers, or your data-sharing partners, that assessment now includes you.

Ready to understand your supply chain exposure before your customer asks you the same question? Book a free 20-minute strategy call with our vCISO team at www.pragmaticsecurity.ie/book-a-call. No sales pitch. No jargon. Just clarity on your cyber risk — and a clear plan to address it.


What Next — Three Things to Do This Week

  1. Map your upstream and downstream data relationships. List every organisation you share data with, or that has access to your systems. Ask: if that organisation were compromised tomorrow, what of yours would be exposed?

  2. Audit who holds administrative access to your cloud platforms. If you use Microsoft 365, check who has global admin or Intune admin roles. Every one of those accounts is a potential single point of total failure. Multi-factor authentication on those accounts is non-negotiable.

  3. Verify your backup is genuinely isolated. A backup that is connected to the same cloud environment as your primary systems is not protection against a wiper attack. It is a second target. If you have not tested a full restore in the last 90 days, you do not yet know whether your backup works.
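For step 2, the audit comes down to joining two lists: who holds the Global Administrator or Intune Administrator role, and who has MFA registered. The script below is an added example, not the author's tooling. The role export format, the sample accounts, and the limit of three global admins are assumptions; the `userPrincipalName` and `isMfaRegistered` fields follow Microsoft Graph's user registration details report.

```python
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}

# Constructed export: role name -> member sign-in names (assumed format).
ROLE_MEMBERS = {
    "Global Administrator": ["owner@example.test", "it-partner@example.test",
                             "breakglass@example.test",
                             "Office.Manager@example.test"],
    "Intune Administrator": ["it-partner@example.test",
                             "helpdesk@example.test"],
    "Reports Reader": ["accounts@example.test"],
}
# Constructed MFA registration rows (breakglass is deliberately absent).
MFA_REPORT = [
    {"userPrincipalName": "owner@example.test", "isMfaRegistered": True},
    {"userPrincipalName": "it-partner@example.test", "isMfaRegistered": True},
    {"userPrincipalName": "office.manager@example.test", "isMfaRegistered": False},
    {"userPrincipalName": "helpdesk@example.test", "isMfaRegistered": False},
    {"userPrincipalName": "accounts@example.test", "isMfaRegistered": False},
]


def audit_admins(role_members, mfa_report, max_global_admins=3):
    """Return (account, finding, detail) tuples for wipe-capable admins."""
    mfa = {r["userPrincipalName"].lower(): r["isMfaRegistered"]
           for r in mfa_report}
    roles_by_user = {}
    for role, members in role_members.items():
        if role in PRIVILEGED_ROLES:
            for upn in members:
                roles_by_user.setdefault(upn.lower(), set()).add(role)
    findings = []
    for upn, roles in sorted(roles_by_user.items()):
        status = mfa.get(upn)
        if status is None:
            # Not in the report: treat unknown as a finding, not as a pass.
            findings.append((upn, "MFA_UNKNOWN", sorted(roles)))
        elif not status:
            findings.append((upn, "NO_MFA", sorted(roles)))
    n_ga = len(role_members.get("Global Administrator", []))
    if n_ga > max_global_admins:
        findings.append(("<tenant>", "TOO_MANY_GLOBAL_ADMINS",
                         [f"{n_ga} > {max_global_admins}"]))
    return findings


if __name__ == "__main__":
    for finding in audit_admins(ROLE_MEMBERS, MFA_REPORT):
        print(finding)
```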

In the next post in this series, we will look at exactly how attacks that begin with a target like Stryker find their way to businesses of your size — and what the entry point typically looks like from the inside.


Related Reading

[^1]: National Cyber Security Centre Ireland — Advice for Organisations
[^2]: Garda National Cyber Crime Bureau

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.
