On March 11, Handala, an Iran-linked group, wiped 200,000+ Stryker devices across 79 countries in a 3-hour window.
No malware. No EDR alerts. No payload to detect. They logged into Microsoft Intune with Global Admin credentials and issued a remote wipe. Because the wipe is a legitimate MDM action, the only trace is in the Entra ID sign-in logs and the Intune audit logs, not on the endpoints.
A few things you MUST know:
- Attacker pre-positioned admin credentials months before the wipe
- Personal BYOD phones got factory-reset alongside corporate devices
- CISA issued an advisory after the attack
- If your organization runs Intune, Jamf, or Workspace ONE, the same technique applies to you: any MDM that can remotely wipe devices can be turned against them by whoever holds its admin credentials
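One concrete check that follows from the above: because the wipe leaves nothing on the endpoint, the signal is a burst of wipe actions by a single admin in the MDM audit log. The script below is an added example, not code from the original post or from Microsoft. It assumes audit events shaped like Microsoft Graph `deviceManagement/auditEvents` (`activityDateTime`, `activityType`, `actor.userPrincipalName`, `resources[].displayName`); the field names and the `"Wipe ManagedDevice"` activity string are assumptions to verify against your own tenant's export, and the sample events are constructed.

```python
"""Flag admins who issue many MDM remote wipes in a short window.

Added illustrative code (not from the original post or any vendor).
Assumed event shape: Microsoft Graph deviceManagement/auditEvents.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse_time(value):
    """Parse an ISO-8601 timestamp with a trailing 'Z' as Graph emits it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_wipe(event):
    # Assumption: Intune logs a remote wipe with an activityType that
    # contains "Wipe" (e.g. "Wipe ManagedDevice"). Adjust for Jamf/WS1.
    return "wipe" in event.get("activityType", "").lower()


def find_mass_wipes(events, threshold=5, window=timedelta(minutes=15)):
    """Return {actor: {count, start, end, devices}} for every actor who
    issued at least `threshold` wipes inside any sliding `window`."""
    wipes = sorted(
        (e for e in events if is_wipe(e)),
        key=lambda e: parse_time(e["activityDateTime"]),
    )
    recent = defaultdict(deque)  # actor -> (timestamp, device) in window
    alerts = {}
    for e in wipes:
        actor = e["actor"]["userPrincipalName"]
        ts = parse_time(e["activityDateTime"])
        device = e["resources"][0]["displayName"] if e.get("resources") else "?"
        q = recent[actor]
        q.append((ts, device))
        while ts - q[0][0] > window:  # drop wipes that fell out of the window
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(actor, {}).get("count", 0):
            alerts[actor] = {
                "count": len(q),
                "start": q[0][0],
                "end": ts,
                "devices": [d for _, d in q],
            }
    return alerts


def _event(ts, actor, device, activity="Wipe ManagedDevice"):
    """Build one constructed audit event in the assumed Graph shape."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device}],
    }


# Constructed sample: a helpdesk admin doing two routine wipes in a day,
# one non-wipe action, and a single account wiping six devices in ten minutes.
SAMPLE_EVENTS = [
    _event("2026-03-10T09:00:00Z", "helpdesk@contoso.example", "LAPTOP-0412"),
    _event("2026-03-10T14:30:00Z", "helpdesk@contoso.example", "LAPTOP-0977"),
    _event("2026-03-10T15:00:00Z", "helpdesk@contoso.example", "Baseline",
           activity="Create DeviceConfiguration"),
] + [
    _event(f"2026-03-11T02:{2 * i:02d}:00Z", "svc-intune-admin@contoso.example",
           f"DEVICE-{i:04d}")
    for i in range(6)
]

if __name__ == "__main__":
    for actor, hit in find_mass_wipes(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {hit['count']} wipes between "
              f"{hit['start'].isoformat()} and {hit['end'].isoformat()}")
```

Feed it the output of a scheduled audit-log export (or any MDM's equivalent) and route a hit to the on-call channel; the window and threshold should be tuned to your normal wipe rate so that routine helpdesk activity stays below the line.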
Here's a brief on the Iranian threat actors:
- what they're doing right now,
- how they're getting in, and
- how to protect yourself.