Mar 30, 2026

Handala Wipes 200,000 Stryker Devices; DOJ Formally Attributes this Attack to Iran's MOIS

Handala’s attack on Stryker wiped over 200,000 devices, with the DOJ linking it to Iran’s MOIS. This incident highlights rising cyber threats targeting critical healthcare systems and the need for stronger data security.

On 20 March 2026, the Department of Justice identified Iran’s Ministry of Intelligence and Security (MOIS) as responsible for the destructive attack on Stryker Corporation carried out on 11 March 2026. A significant cyber incident targeting medical technology infrastructure has been formally attributed to the United States government. This marks the first occasion on which US authorities have officially linked a major civilian-sector cyber operation on American soil to MOIS amid the ongoing geopolitical tensions.

The attack was executed through the weaponisation of a widely used cloud management platform. At approximately 3:30 a.m. EST on 11 March, the pro-Iranian hacktivist group Handala triggered simultaneous factory resets on more than 200,000 Stryker devices across 79 countries. The attackers gained access to a Microsoft Intune administrator account and used the platform’s remote-wipe capability to erase data from every enrolled corporate endpoint within hours. Employees worldwide found their systems inaccessible, with login pages replaced by the group’s distinctive logo.

Stryker, a Fortune 500 company headquartered in Michigan, is a leading manufacturer of surgical equipment, orthopaedic implants, and neurotechnology, with annual revenue exceeding $25 billion. The group claimed to have exfiltrated 50 terabytes of corporate data before initiating the wipe, although this assertion has yet to be independently verified. Handala described the operation as retaliation for a reported US airstrike on a girls’ school in Tehran.

The incident carried immediate safety and operational consequences for healthcare delivery. Stryker’s Lifenet platform, which enables paramedics to transmit real-time ECG data to hospitals, was rendered offline. Emergency responders in Maryland temporarily lost access to critical cardiac monitoring information, while supply-chain disruptions extended to the UK’s National Health Service, illustrating how a single compromise in a global supplier can affect national healthcare systems.

In response, the Department of Justice formally attributed the attack to MOIS on 20 March, representing a notable escalation in public naming of state-linked actors. The FBI simultaneously seized four Handala-associated domains used for propaganda, data leaks, and threats. The State Department announced a $10 million reward for information leading to the perpetrators. Within hours, Handala established replacement infrastructure and continued its online activities.

Handala, long tracked by researchers as an MOIS-directed entity, has evolved from simple website defacement to sophisticated wiper malware and extortion campaigns against critical infrastructure. The Stryker operation stands as the group’s most disruptive action to date against a US corporation. The event underscores the growing vulnerabilities of cloud-based endpoint management systems and the cascading risks that state-sponsored cyberattacks pose to healthcare and manufacturing supply chains in the current geopolitical climate.

📰 MINI HEADLINES

US Data Centre Expansion Constrained by Energy Supply Shortages

US data centre growth is colliding with the limits of the power grid: the disclosed project pipeline swelled to 241 GW by end‑2025, but new additions in Q4 fell to roughly half the prior quarter as developers hit interconnection and generation constraints and pivoted from chasing new sites to actually delivering what is already in the queue. Texas remains the anchor market in absolute capacity while newer hubs like New Mexico, Indiana, and Wyoming are growing fastest, with per‑megawatt build costs easing even as denser, AI‑driven power requirements push up cost per square foot and make access to firm, low‑carbon power the defining competitive advantage.

Data Centre Energy

AppsFlyer Web SDK Compromised in Supply Chain Attack

A short but serious supply chain incident at AppsFlyer’s Web SDK showed how a single third‑party script can silently put thousands of brands at risk: between roughly 9 and 11 March, attackers briefly hijacked the SDK served from websdk.appsflyer.com to inject obfuscated JavaScript that watched for cryptocurrency wallet inputs and swapped in attacker‑controlled addresses while leaving normal analytics behavior intact. With the SDK embedded across more than 100,000 apps and sites, leadership teams should treat this as a live test of their third‑party script governance—review logs for suspicious calls to the AppsFlyer domain, validate current SDK versions, and be ready to assess breach‑notification and customer‑communication duties where payment or identity data may have been exposed.

Supply Chain Attack

UK Data Use and Access Act Privacy Provisions Enter into Force

The UK’s Data (Use and Access) Act 2025 has now brought most of its data protection reforms into force, with the key Part 5 provisions that amend the UK GDPR and Data Protection Act 2018 effective from 5 February 2026 and a new mandatory data‑protection complaints regime going live on 19 June 2026. For organisations, this means less box‑ticking on paperwork but a clearer expectation that they can evidence robust governance: boards should commission a gap‑analysis against the updated UK GDPR, stand up or refine a formal complaints‑handling process ahead of June, and track forthcoming ICO guidance and the parallel Cyber Security and Resilience Bill as part of their wider UK risk and compliance strategy.