The kill switch inside Intune: How Iran-backed hackers used a SaaS breach to disrupt Stryker operations

On the morning of March 11, 2026, employees at Stryker offices around the world switched on their computers and found them wiped. Login screens were replaced with the logo of Handala, an Iran-linked hacktivist group, and corporate systems across dozens of countries went dark simultaneously.
March 18, 2026

What Happened

Stryker employees in dozens of countries arrived on March 11, 2026 to find their computers wiped and their login screens replaced with the logo of Handala, an Iran-linked hacktivist group; corporate systems went dark worldwide at the same time. Handala claimed to have erased data on more than 200,000 systems, servers, and mobile devices and to have exfiltrated 50 terabytes of corporate data. The incident involved no zero-day exploit and no new malware strain. It turned on a powerful, built-in IT administrative capability that nobody was watching.

Who is Handala?

Handala Hack is an online persona operated by Void Manticore (also known as Red Sandstorm and Banished Kitten), an actor affiliated with Iran's Ministry of Intelligence and Security (MOIS). Handala operates less like a sophisticated state-sponsored hacker and more like a group optimizing for speed and visibility: they rely on compromised credentials and off-the-shelf tools (rather than custom malware). They prioritize targets where a single foothold (usually through an IT service provider) grants access to a much larger downstream victim. Once inside an environment, they move fast, and often time publication for maximum impact.

How Did the Attack Work?

Handala most likely took over an internal administrator account with broad control over the company's managed devices. Researchers from Palo Alto Networks indicate the Intune credentials were probably obtained through phishing or infostealer malware. Intune is Microsoft's cloud-based endpoint management platform, used by tens of thousands of organizations worldwide to manage and secure employee devices from a central console. One of its built-in features lets an administrator remotely wipe a device, a capability designed for the case where a device is lost or stolen. With administrative access to Stryker's Intune tenant, Handala turned that feature against the entire enrolled fleet, issuing wipe commands to every device at once.
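In the audit trail, an attack like this looks like one actor issuing wipe, retire or delete actions against many devices in a short window, which is exactly the account abnormality the identity-monitoring controls discussed later in the post are meant to catch. The following is an added example, not code from the original post or from Obsidian, of that detection run over constructed Intune audit events. The event fields follow the shape of Microsoft Graph's `GET /deviceManagement/auditEvents` response, and the `activityType` strings are assumptions to check against a real export.

```python
"""Flag a burst of destructive Intune device actions by a single actor.

Added example, not code from the original post or from Obsidian. The
events below are constructed to mimic the shape of Microsoft Graph's
GET /deviceManagement/auditEvents response; the field names and the
activityType strings are assumptions to verify against a real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The three actions the post singles out. Exact activityType strings are
# assumed; compare them with your tenant's audit export.
DESTRUCTIVE = {"wipe ManagedDevice", "retire ManagedDevice", "delete ManagedDevice"}


def _event(minute, second, upn, activity_type, device):
    """Build one constructed audit event in Graph's auditEvent shape."""
    ts = datetime(2026, 3, 11, 6, minute, second, tzinfo=timezone.utc)
    return {
        "activityDateTime": ts.isoformat().replace("+00:00", "Z"),
        "activityType": activity_type,
        "activityResult": "Success",
        "actor": {"userPrincipalName": upn},
        "resources": [{"displayName": device, "auditResourceType": "ManagedDevice"}],
    }


# Constructed sample: one admin issues 12 wipes in under a minute, a
# help-desk user wipes one lost phone, and a routine sync adds noise.
SAMPLE_AUDIT_EVENTS = (
    [_event(0, 5 * i, "it-admin@example.com", "wipe ManagedDevice", f"LAPTOP-{i:03d}")
     for i in range(12)]
    + [_event(3, 0, "helpdesk@example.com", "wipe ManagedDevice", "iPhone-lost-0421")]
    + [_event(4, 0, "it-admin@example.com", "syncDevice ManagedDevice", "LAPTOP-099")]
)


def _parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: summary} for each actor that issued at least
    `threshold` destructive device actions inside any `window`.

    Events are replayed in time order; a per-actor deque keeps only the
    destructive actions still inside the sliding window, so the check is
    linear in the number of events.
    """
    recent = defaultdict(deque)
    alerts = {}
    for e in sorted(events, key=lambda ev: _parse_time(ev["activityDateTime"])):
        if e["activityType"] not in DESTRUCTIVE:
            continue
        ts = _parse_time(e["activityDateTime"])
        actor = e["actor"]["userPrincipalName"]
        q = recent[actor]
        q.append((ts, e["resources"][0]["displayName"]))
        while ts - q[0][0] > window:
            q.popleft()
        # Record the widest qualifying burst seen so far for this actor.
        if len(q) >= threshold and len(q) >= alerts.get(actor, {}).get("count", 0):
            alerts[actor] = {
                "count": len(q),
                "first": q[0][0],
                "last": ts,
                "devices": [d for _, d in q],
            }
    return alerts


if __name__ == "__main__":
    for actor, a in detect_mass_wipe(SAMPLE_AUDIT_EVENTS).items():
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT {actor}: {a['count']} destructive actions in {span:.0f}s "
              f"({a['devices'][0]} .. {a['devices'][-1]})")
```

The help-desk wipe of a single lost phone is the legitimate use of the feature and stays below the threshold; only the actor that fires a dozen wipes in under a minute is flagged. Tune `threshold` and `window` to the volume of wipes your service desk normally issues, and run the check against a live export rather than the constructed sample before trusting it.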

Why It Matters

This incident is a reminder that SaaS breaches are no longer just a data loss problem. Increasingly, they cause severe operational failures and downtime. Following the attack, Stryker reported disruptions to order processing, manufacturing, and product shipments. Electronic ordering systems went offline entirely, forcing customers to revert to manual ordering through sales representatives and distributors while systems were restored. Other recent incidents followed the same pattern: Scattered Spider's 2025 attack on Marks & Spencer led to $600 million in lost profit when online ordering was down for six weeks, and a ShinyHunters attack on Jaguar Land Rover (JLR) halted production across every global facility for weeks, leading to hundreds of layoffs and eventual government intervention to stabilize the supply chain.

What Does Defense Look Like?

Long-Term: The primary defense against this class of attack is treating SaaS management planes with the same rigor as on-premises infrastructure. That means:

  • Enforcing phishing-resistant MFA on all admin accounts
  • Implementing just-in-time access so that standing admin permissions don't exist by default
  • Requiring multi-admin approval for any high-impact action

Organizations should also layer identity threat detection and response on top of these controls (monitoring for account abnormalities that may indicate malicious activity), together with end-to-end phishing protection.

Short-Term: Defending against this attack starts with two controls: reviewing standing admin permissions in Intune and Entra ID, and enabling multi-admin approval (Intune access policies) for destructive actions such as device wipe, retire, and delete. The latter stops a single compromised account from wiping an entire device fleet.
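Both short-term checks can be scripted against data Intune and Entra ID already expose. What follows is an added example, not Obsidian's posture rule and not Microsoft's code, that evaluates constructed copies of two Graph responses: the Intune access policies that implement multi-admin approval (`GET /beta/deviceManagement/operationApprovalPolicies`) and the tenant's active directory-role assignments (`GET /v1.0/roleManagement/directory/roleAssignments`). The endpoint paths, field names, `policyType` values and role template IDs are assumptions to confirm against your own tenant.

```python
"""Posture check for single-admin mass-wipe risk in Intune (added example).

Not Obsidian's rule and not Microsoft's code. The inputs are constructed
to mimic two Graph responses:
  GET /beta/deviceManagement/operationApprovalPolicies  (multi-admin approval)
  GET /v1.0/roleManagement/directory/roleAssignments    (active Entra roles)
Field names, policyType values and the role template IDs are assumptions
to verify against your tenant before acting on the output.
"""
from dataclasses import dataclass

# Entra built-in role template IDs whose holders can issue device wipes
# (assumed set: add any custom Intune RBAC role that grants wipe).
PRIVILEGED_ROLES = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "3a2c62db-5318-420d-8d74-23affee5d9d5": "Intune Administrator",
}

DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}

# Assumed mapping from approval policyType to the actions it gates.
COVERAGE = {
    "deviceAction": DESTRUCTIVE_ACTIONS,
    "deviceWipe": {"wipe"},
    "deviceRetire": {"retire"},
    "deviceDelete": {"delete"},
}


@dataclass
class Finding:
    severity: str
    check: str
    detail: str


def check_multi_admin_approval(policies):
    """HIGH finding for each destructive action no approval policy gates,
    and for each gating policy that names no approver group."""
    covered = set()
    findings = []
    for p in policies.get("value", []):
        actions = COVERAGE.get(p.get("policyType"), set())
        if not actions:
            continue  # app/script/role policies do not gate device actions
        if not p.get("approverGroupIds"):
            findings.append(Finding("HIGH", "multi_admin_approval",
                f"policy '{p.get('displayName')}' gates {sorted(actions)} but has no approver group"))
            continue
        covered |= actions
    for action in sorted(DESTRUCTIVE_ACTIONS - covered):
        findings.append(Finding("HIGH", "multi_admin_approval",
            f"no access policy requires a second approver for device {action}"))
    return findings


def check_standing_admins(assignments, max_standing=2):
    """LOW finding per permanent assignment of a privileged role (PIM
    eligible assignments come from a different endpoint and do not
    appear here), plus one HIGH finding if they exceed max_standing."""
    findings = []
    for a in assignments.get("value", []):
        role = PRIVILEGED_ROLES.get(a.get("roleDefinitionId"))
        if role:
            findings.append(Finding("LOW", "standing_admin",
                f"{a.get('principalId')} holds {role} permanently (scope {a.get('directoryScopeId')})"))
    if len(findings) > max_standing:
        findings.append(Finding("HIGH", "standing_admin",
            f"{len(findings)} standing privileged assignments exceed the limit of {max_standing}"))
    return findings


# Constructed tenant state: scripts and wipes need a second approver, the
# retire policy names no approvers, delete has no policy at all, and three
# principals (one a service principal) hold standing privileged roles.
SAMPLE_POLICIES = {"value": [
    {"displayName": "Scripts", "policyType": "script", "approverGroupIds": ["grp-approvers"]},
    {"displayName": "Wipe", "policyType": "deviceWipe", "approverGroupIds": ["grp-approvers"]},
    {"displayName": "Retire", "policyType": "deviceRetire", "approverGroupIds": []},
]}
SAMPLE_ROLE_ASSIGNMENTS = {"value": [
    {"principalId": "alice", "roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10", "directoryScopeId": "/"},
    {"principalId": "bob", "roleDefinitionId": "3a2c62db-5318-420d-8d74-23affee5d9d5", "directoryScopeId": "/"},
    {"principalId": "sp-ci-bot", "roleDefinitionId": "3a2c62db-5318-420d-8d74-23affee5d9d5", "directoryScopeId": "/"},
    {"principalId": "carol", "roleDefinitionId": "helpdesk-role-constructed", "directoryScopeId": "/"},
]}


def run_posture_checks(policies, assignments):
    """Combine both checks into one list of findings."""
    return check_multi_admin_approval(policies) + check_standing_admins(assignments)


if __name__ == "__main__":
    for f in run_posture_checks(SAMPLE_POLICIES, SAMPLE_ROLE_ASSIGNMENTS):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

Against the constructed state the script reports that retire has a policy with nobody to approve it, that delete has no policy at all, and that three principals hold permanent privileged roles. Pull the live data with a Graph client of your choice, and note that PIM-eligible assignments live under a separate endpoint, so an empty standing-admin list is the goal rather than a sign the query failed. Extend `PRIVILEGED_ROLES` with any custom Intune RBAC role that grants the wipe permission.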

Where Obsidian Can Help

Microsoft Intune is a trusted platform. The admin account that issued the wipe was, from the perspective of every system involved, a legitimate, authenticated, authorized user. 

The core of this incident is something most enterprises haven’t fully reckoned with: the gap between valid credentials and identity assurance. To Stryker systems, the attackers looked like a legitimate Stryker employee. That's the nature of how SaaS platforms extend trust today. A valid credential is a valid identity, and a valid identity can do whatever its permissions allow. The challenge does not stop at identity. As SaaS settings change and exceptions stack up, risky configurations quietly expand what an attacker can do.

Obsidian exists to close that gap: continuous visibility into enterprise application activity, privileged account monitoring, and cross-SaaS threat detection across the platforms where that implicit trust lives. And before an attacker ever reaches those platforms, Obsidian's browser extension cuts off the initial foothold, detecting and blocking the phishing attempts that turn a legitimate employee identity into an attacker's entry point.

Obsidian is also introducing a new Intune posture rule for mass-wipe risk.

Obsidian detects when Intune is misconfigured so that a single administrator can approve high-impact actions, before attackers exploit it. Enforcing a second approver before any destructive action closes a door attackers actively target.

Conclusion

The Stryker attack didn't expose a flaw in Microsoft Intune, but rather a flaw in how enterprises extend trust to the platforms that run their business. When that trust gets exploited at the SaaS layer, the consequences aren't limited to data loss: when systems go dark, operations come to a halt. Obsidian was built to answer this challenge, with continuous visibility across SaaS, identity threat detection that looks beyond whether a credential is valid, and posture management that closes misconfigurations before they become incidents.