TL;DR—

  • US medical device company Stryker experienced a cybersecurity incident on March 11, 2026, after the Iranian hacktivist group Handala allegedly wiped “data from over 200,000 systems, servers, and mobile devices”.
  • When deciding whether to alert all of your employees about this headline, consider Sanny’s advice on security briefing best practices:
    • What do we actually know about this attack? What are rumors spread to sell headlines, and what is confirmed true?
    • Who actually needs to know what information, specifically?
    • What would you instruct those individuals to do?
  • As of today, we don’t know a lot about the attack, meaning that a too-soon notification could spread panic instead of clarity.
  • If you decide to send an awareness notice related to the Stryker incident, consider:
    • Whether your previous awareness training proactively protected employees from previous Iranian-affiliated cyberattacks;
    • If your current organization uses internet-enabled Stryker hardware that may need to be temporarily quarantined; and
    • Expanding beyond the immediate headline to explain how geopolitics impacts organizational security measures.

(Also—I have no direct connection to Stryker the corporation, despite my last name, and so no insider knowledge about this attack. I’m sorry to disappoint you!)

What we know about the March 2026 Stryker security incident

There’s not a lot of confirmed information about what’s actually happened at Stryker’s international offices and network, but from what we’ve been able to piece together:

  • On March 11, 2026, Stryker employees woke up with their personal and work devices wiped; remote workers were unable to log in with their corporate usernames and credentials. (The Record)
    • Company communications have allegedly reverted to unofficial third-party texting apps, such as WhatsApp. (Irish Examiner)
  • Stryker’s Ireland office sent over 5,000 employees home, with their U.S. headquarters voicemail stating they were experiencing a “building emergency”. (Krebs On Security)
  • Unverified reports suggest that Microsoft Intune may have been used to send out a “remote wipe” command to all connected and managed devices. (Reddit)
  • The Iranian state-backed hacktivist threat group Handala claimed credit for the attack against Stryker as a “Zionist-rooted corporation” as “retaliation for the brutal attack on the Minab school.” (Krebs On Security)
    • On February 28, 2026, a drone strike on an Iranian elementary school killed at least 175 people, including children. (New York Times)
  • Stryker announced that they were “experiencing a global network disruption to our Microsoft environment as a result of a cyber attack,” adding that the incident was “contained” and they had “no indication of ransomware or malware.” (Stryker)
  • Security teams around the world are currently assessing the current risk of Stryker medical hardware and devices on their networks, with some organizations removing possibly impacted equipment from operations. (Krebs On Security)

Should we send out a security notice specifically about the Stryker attack?

While your security team figures out how to protect your organization from a similar attack, does that mean that everyone at your organization needs to know about this, too?

Not necessarily.

Right now, if you try to send out an alert notice about the Stryker incident, you won’t be able to tell your employees what they can do to keep your organization safe.

Because frankly? We don’t know a lot yet.

1. We don’t know how the Stryker attackers got in.

While previous attacks from Middle Eastern threat groups have used spearphishing to break in, we don’t know if this attacker got into Stryker with a phishing email.

For example:

  • Previous Iranian-attributed cyberattacks in 2025 broke in with password spraying and MFA bombing—two very different security training instructions!
  • Recent 2026 Handala-attributed attacks showed this threat group using SMS messages to extort and threaten their targeted victims.
  • Microsoft research demonstrated Iranian threat groups previously targeted IT vendors for supply-chain attacks—that is, breaking into a software company to then infect all of its customers.

Any or all of these might have been the Stryker attackers’ beachhead into the corporate environment.

But, we don’t know for sure. Ultimately, who you reach out to and what you ask them to do will change, depending on what the investigation reveals.

2. Microsoft Intune’s abuse is still unverified.

Yes, Stryker said in their official statement that their “Microsoft environment” was involved, and employees are telling reporters about how management’s asking them to uninstall Intune.

However, Stryker hasn’t verified that Intune was impacted; neither has anyone involved in the investigation.

(They won’t for a while, either. The organization is more worried about making sure the attackers are out of the environment before bringing systems back online, not necessarily how the attack unfolded just yet.)

The Intune deletion might have been a “better safe than sorry” instruction… or entirely made up by employees trying to get written up in the newspaper.

So, sending out an official organization alert that effectively spreads vague rumors of how “my company’s app erased my whole phone!” could lead individuals to panic-uninstall mobile device management (MDM) applications, leaving their devices less secure than before.

3. We’re not even sure if Handala actually did attack Stryker!

I once heard a former incident responder talk about a threat actor that was trying to extort an organization because they’d “taken all your data!” before locking up the files.

He was able to prove that the threat actor was lying because it would’ve been physically impossible to export as much data as the threat actor was claiming during the two-day attack window, due to the broadband speed throttling.

So, while yes—the Handala threat group took credit and the impact reflects recent Iranian threat actor attacks to wipe instead of ransom—we have to remember that cybercriminals lie.

All the time. About everything.

  • Iranian-linked cybercriminal “CyberAv3ngers” claimed they’d stolen and leaked documents from an Israeli power plant, but another cybercriminal had already leaked those documents two years before.
  • The LockBit ransomware gang once claimed an attack on Oakland—when the Play threat group was actually responsible.
    • LockBit also claimed they broke into Darktrace… which never happened.
  • In 2018, threat actors attacked the Olympics and left clues that made investigators initially attribute the attack to North Korea and China. Turns out, it was actually a Russian-affiliated attacker.

So until we get better information from the investigation, it might be a red herring to instruct employees to take precautions as though it really were an Iranian threat group that attacked.

But how can we reassure our employees (and our executives) that we’re protecting them from the Stryker attackers?

When a major breach happens, suddenly everyone wants to do something—anything!—to make sure it doesn’t happen to them.

Send a notice. Push a banner. Tell employees to stay hyperaware of every communication.

But unless you can connect that communication to a specific audience and a specific action, your notice risks becoming security theater: superficially relevant, but ultimately useless.

In fact, sending out notices prematurely can actually do more harm than good, by:

  • Accidentally generating anxiety;
  • Burning their limited attention for security notices; and even
  • Training employees to tune out future alerts… because the old ones weren’t relevant to their immediate responsibilities and had no action they could take.

But, if you’re still being asked what you’ve done to account for this latest cybersecurity incident in the news, then consider the following notification variations.

1. Could your previous security awareness training have stopped Iranian cyberattacks?

Assuming, of course, that Handala was responsible for this attack on Stryker, you can look at previous Iranian-affiliated cyberattacks and how they manipulated employees.

Then, review your previous security awareness training.

You may have already run foundational briefings on basic cyber hygiene best practices that would’ve stopped those sorts of attacks.

For example:

  • Multiple 2025 Iranian cyberattacks would’ve been stopped by employees who understood:
    • Secure password policies
    • The importance of MFA implementations
    • Why not to press unsolicited MFA notifications
  • Previous SMS phishing lure simulations would have helped employees notice Handala text lures.
  • Educating project managers and suppliers on the importance of security controls beyond audit checks during vendor evaluations could have helped avoid the attempted Iranian supply-chain attacks back in 2021.

These are all related attacks that could’ve been stopped by regular cyber hygiene briefings and training, not headline chasing.

2. Does your organization use any Stryker hardware right now?

Stryker equipment helps save lives, but it might be compromised right now… which could help the threat actors infect those environments in a future supply-chain attack.

So, instead of blasting everyone with a headline, check with IT to see if your organization has any internet-enabled Stryker equipment that may be vulnerable.

Then, make a list of the individuals who use that hardware, and let them know why you’ll be removing their regular equipment—and what you’ll be replacing it with in the meantime.
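The two steps above (find the internet-enabled vendor equipment, then build the per-user list for the quarantine notice) are easy to do by hand for a dozen devices and tedious for a hospital-sized inventory. The script below is an added example, not part of the original post and not a Stryker or vendor tool: it assumes a CSV export from an asset inventory with the columns `asset_id`, `manufacturer`, `model`, `network_enabled` and `assigned_to` (a constructed layout, with constructed sample rows), normalizes the messy vendor spellings that real inventories contain, drops offline equipment, and groups what remains by the person or team who uses it.

```python
"""Triage an asset inventory for a vendor's network-connected devices.

Added example, not code from the original post or from any vendor.
Assumes a constructed CSV export with the columns asset_id, manufacturer,
model, network_enabled and assigned_to; column names and rows are made up.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. Real inventories will differ in layout, and
# the vendor field is deliberately inconsistent to show the normalization.
SAMPLE_INVENTORY = """asset_id,manufacturer,model,network_enabled,assigned_to
A-1001,Stryker,Example Monitor,yes,ward-3-nurses
A-1002,STRYKER CORP.,Example Cart,Yes,or-team-b
A-1003,Stryker,Example Stool,no,ward-3-nurses
A-1004,Acme Medical,Example Pump,yes,icu-team
A-1005,Stryker ,Example Hub,TRUE,biomed-engineering
A-1006,Stryker,Example Hub,yes,
"""

# Spellings an inventory tool may use for "this device is on the network".
TRUE_VALUES = {"yes", "y", "true", "1"}


def normalize_vendor(name):
    """Collapse case, stray whitespace and corporate suffixes to one token."""
    tokens = name.strip().lower().replace(".", "").split()
    return tokens[0] if tokens else ""


def find_vendor_devices(csv_text, vendor="stryker"):
    """Return inventory rows for `vendor` devices flagged as network-enabled."""
    reader = csv.DictReader(io.StringIO(csv_text))
    hits = []
    for row in reader:
        if normalize_vendor(row["manufacturer"]) != vendor:
            continue
        if row["network_enabled"].strip().lower() not in TRUE_VALUES:
            continue  # offline equipment needs no quarantine notice
        hits.append(row)
    return hits


def notification_list(rows):
    """Group affected assets by the person or team that uses them.

    Unassigned devices are kept under a visible placeholder rather than
    dropped, because nobody would otherwise be told the device is leaving.
    """
    by_user = defaultdict(list)
    for row in rows:
        owner = row["assigned_to"].strip() or "UNASSIGNED (resolve before quarantine)"
        by_user[owner].append(f'{row["asset_id"]} ({row["model"]})')
    return dict(by_user)


if __name__ == "__main__":
    affected = find_vendor_devices(SAMPLE_INVENTORY)
    for owner, assets in sorted(notification_list(affected).items()):
        print(f"{owner}: {', '.join(assets)}")
```

The output is the notice distribution list itself: one line per user or team with the asset tags they will lose, so the message can say which cart or monitor is being pulled and what replaces it. The unassigned bucket is the part worth keeping an eye on; an internet-enabled device with no recorded owner is exactly the one that gets quarantined without anyone being warned.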

3. Expand your notice beyond the headline.

Again, while we’re not entirely sure what happened in the Stryker incident, if you really want to send something out, use this incident as a springboard to talk about the overall threat landscape right now.

Because regardless of whether Handala actually hacked Stryker, Middle Eastern threat actors are actively targeting Western organizations, according to the latest intelligence—and with the intent to destroy anything they can touch.

So increased vigilance is truly needed, especially for any organizations that supply or assist with critical infrastructure or military efforts, like Stryker’s connection to healthcare.

Make sure you keep your communication focused on what’s relevant to your frontline employees—that is, what they could expect to see, and then what they personally can do. That way, recipients will understand why you’re talking to them, specifically.

Your employees can relax, knowing that you’re on top of these changing political climates… while they personally avoid the shiny, unsolicited lure in their inbox.