As the Iran war escalates, an Iran-linked hacker group known as Handala has claimed responsibility for a cyber-attack targeting Stryker, a U.S. medical technology manufacturer based in Michigan. The attack appears to have disrupted employee devices by exploiting access to the company’s Microsoft Intune device management console, allowing attackers to remotely wipe corporate phones back to factory settings. The incident caused widespread disruption to employee communications and operations. The attack marks one of the first significant cyber incidents against a U.S. company since the escalation of hostilities involving Iran, signaling a potential shift from espionage toward more disruptive cyber operations.

Iran has historically deployed destructive cyber tactics — most notably data-wiping attacks such as the 2012 Shamoon attack on Saudi Aramco and the 2014 attack on the Sands Casino. The Stryker incident reflects a similar playbook, where attackers abuse legitimate administrative tools rather than traditional malware to disrupt operations. By compromising a centralized device management system like Intune, attackers can remotely control or erase thousands of devices simultaneously, effectively halting communications and internal workflows. In a climate of escalating geopolitical tensions, analysts warn that state-aligned hacktivists and proxy groups may increasingly target Western companies, particularly those in critical sectors like healthcare, infrastructure, and defense supply chains.

Defending against this new wave of cyber warfare requires a unified cyber situational awareness solution that combines identity analytics, endpoint telemetry, network detection, and real-time threat intelligence into a single platform like NIKSUN. In an era of escalating cyber conflict, the ability to see, detect, and respond across the entire attack chain — before disruption spreads — is critical to protecting both operations and reputation. Read more about this story on our LinkedIn page