Stryker Hack: What We Know So Far

On March 11, 2026, the Iranian hacktivist group Handala Hack Team claimed responsibility for compromising the American healthcare technology company Stryker. Public reporting suggests more than 200,000 systems were impacted and up to 50TB of data exfiltrated. While these figures remain unverified, the scale of operational disruption alone places this incident among the most significant enterprise cyber events of the year so far.

What happened in the Stryker hack?

Media reporting indicates that the attackers obtained Global Administrator-level access within Stryker’s Microsoft environment, giving them control over core administrative services, including endpoint management.

Bleeping Computer, citing an anonymous source described as familiar with Stryker’s internal response, reported that the attackers may have used Microsoft Intune to issue remote wipe commands between approximately 5:00 and 8:00 a.m. UTC on March 11. An estimated 80,000 devices enrolled in Stryker’s unified endpoint management service were reportedly impacted.

Because these actions appear to have been carried out through a legitimate administrative system, the disruption spread quickly. Employees across multiple regions reported devices being wiped overnight. Enrolled personal devices were also reportedly affected, resulting in the loss of personal data. As the activity became apparent, employees were instructed to power down devices in an attempt to limit further impact.
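The wipe activity described above ran through a legitimate management channel, so the most useful early signal is not malware but volume: one administrative identity issuing far more wipe commands than any normal support workflow would. The following Python detector is an added example written for this post, not Outpost24 code and not derived from Stryker's telemetry. It runs a sliding-window count of wipe actions per actor over constructed sample records; the field names (`activityDateTime`, `activityType`, `actor`, `deviceName`) are an assumption modelled loosely on the shape of Intune audit events and should be mapped to whatever your export or SIEM schema actually provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Timestamp format used by the constructed records below.
FMT = "%Y-%m-%dT%H:%M:%SZ"


def constructed_events():
    """Constructed sample audit records, not real Stryker telemetry.

    Field names are an assumption modelled loosely on the shape of Intune
    audit events; adapt them to the schema your export actually provides.
    """
    base = datetime(2026, 3, 11, 5, 0, 0)
    events = []
    # Routine helpdesk activity: three wipes spread hours apart.
    for i in range(3):
        events.append({
            "activityDateTime": (base + timedelta(hours=3 * i)).strftime(FMT),
            "activityType": "Wipe device",
            "actor": "helpdesk@example.com",
            "deviceName": f"LAPTOP-{i:04d}",
        })
    # Anomalous burst: twelve wipes in under four minutes from one account.
    for i in range(12):
        events.append({
            "activityDateTime": (base + timedelta(seconds=20 * i)).strftime(FMT),
            "activityType": "Wipe device",
            "actor": "globaladmin@example.com",
            "deviceName": f"WS-{i:04d}",
        })
    # Unrelated noise that the detector must ignore.
    events.append({
        "activityDateTime": (base + timedelta(minutes=1)).strftime(FMT),
        "activityType": "Sync device",
        "actor": "globaladmin@example.com",
        "deviceName": "WS-9999",
    })
    return events


def detect_wipe_bursts(events, window_minutes=10, threshold=5,
                       activity="Wipe device"):
    """Return one alert per actor whose wipe actions, within any sliding
    window of `window_minutes`, reach `threshold` or more.

    Each alert records the actor, the peak in-window count, the window
    start, and the devices affected in that peak window.
    """
    window = timedelta(minutes=window_minutes)
    per_actor = defaultdict(list)
    for ev in events:
        if ev.get("activityType") != activity:
            continue
        ts = datetime.strptime(ev["activityDateTime"], FMT)
        per_actor[ev["actor"]].append((ts, ev.get("deviceName", "?")))

    alerts = []
    for actor, items in per_actor.items():
        items.sort()                      # chronological order
        best = (0, 0, 0)                  # (count, start_idx, end_idx)
        start = 0
        for end in range(len(items)):
            # Slide the left edge forward until the window fits.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, start, end)
        count, first, last = best
        if count >= threshold:
            alerts.append({
                "actor": actor,
                "count": count,
                "window_start": items[first][0].strftime(FMT),
                "devices": [d for _, d in items[first:last + 1]],
            })
    return alerts


if __name__ == "__main__":
    for a in detect_wipe_bursts(constructed_events()):
        print(f"ALERT {a['actor']}: {a['count']} wipes from {a['window_start']}")
```

The threshold and window are deliberately parameters: a tenant that routinely wipes a few dozen devices per day during offboarding will need a different baseline from one that wipes a handful per week, and the sliding window keeps the detector sensitive to a short overnight burst that a daily total would smooth out.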

Stryker confirmed on March 15, 2026 that it remained confident its products and services were safe to operate, that no connected products had been compromised, that this was not a ransomware attack, and that no malware had been deployed. The incident was contained and recovery was underway.

Possible initial access: exposed credentials in circulation

The initial access vector remains unconfirmed. However, one plausible pathway is compromised credentials sourced from infostealer activity or other exposure events. Outpost24’s threat intelligence team identified compromised credentials associated with the stryker.com domain in its telemetry prior to the incident.

Between October 2025 and March 2026:

  • 278 compromised credentials were observed
  • 138 were active in 2026
  • 83 appeared in the pre-incident window (Feb 15 to March 11), linked to 31 unique accounts

Most of this activity was tied to Microsoft authentication services:

  • microsoftonline.com, 248 instances
  • office365.com, 29 instances
  • microsoft.com, 1 instance

This does not confirm initial access, but it establishes a clear risk condition: valid credentials linked to the organization were already exposed and circulating.

It is also worth noting that Microsoft enforced multi-factor authentication on administrative accounts in late 2025. Therefore, if a privileged account was involved, attackers may have leveraged session hijacking, token theft, or social engineering to bypass MFA controls. The exact sequence remains unverified.

Post-attack Handala Hack Team activity

March 16, 2026

Handala Hack Team released screenshots claiming significantly greater levels of impact, including the wiping of 12 petabytes of data and access to Rubrik Secure Vault backups and vSphere control panels. These claims remain unverified and should be treated with caution.

Screenshot released by Handala Hack Team, supposedly showing Stryker’s Rubrik Secure Vault

As with many incidents involving destructive activity, attacker claims may be exaggerated to increase perceived impact. It remains unclear whether Stryker was deliberately targeted or opportunistically compromised. The Washington Post reported that the attack may have been framed by the group as part of a broader geopolitical narrative.

Screenshot showing Stryker’s vSphere control panel

March 19, 2026

US law enforcement seized infrastructure used by the group for public communications. A second domain, Handala Hack Team RedWanted, was also seized. In response, the group signaled its intent to continue operations and establish new infrastructure.

Subsequent posts on its replacement site included retaliatory messaging, threats of further action if Iranian power infrastructure was targeted, and imagery claiming to identify Israeli critical infrastructure.

Handala Hack Team’s site has since returned, on the same registrar and top-level domain, under a new domain name.

The FBI’s takedown notice of the Handala Hack website

Handala Hack Team response to website seizure

March 26, 2026

In an escalation of activity targeting US organizations, Handala Hack Team claimed via Telegram to possess sensitive data linked to Lockheed Martin, a major US-based aerospace and defense company that designs, builds, and supports military and government systems.

In a related post, the group published personal data of 28 employees based in the Middle East, including names, addresses, and passport images. It alleged these individuals were involved in critical projects, including F-35 and F-22 maintenance, and shared supposed direct communications warning them to leave within 48 hours.

Handala Hack Team Telegram post signaling alleged Lockheed Martin targeting

Separately, a group identifying as APT Iran also claimed a breach of Lockheed Martin, alleging the exfiltration of 375 terabytes of data and demanding a $400 million ransom. According to Flashpoint, the group claims to have copies of blueprints of the F-35, America’s most advanced jet fighter, along with other corporate information.

A spokesperson for Lockheed Martin said the company is aware of the alleged claims: “We are aware of the reports and have policies and procedures in place to mitigate cyber threats to our business,” the spokesperson told Cybersecurity Dive via email.

What we know about Handala Hack Team

Handala Hack Team is an online persona associated with a broader Iranian threat cluster linked to the Ministry of Intelligence and Security. The group is also tracked by some vendors under names including Void Manticore and has been linked to a wider set of coordinated operations aligned with Iranian state interests.

It also operates under other personas, including Homeland Justice and previously Karma, which have been used in campaigns targeting government, telecommunications, and critical infrastructure sectors, particularly in Albania and Israel.

Their operations typically involve:

  • Use of compromised credentials
  • Manual access within victim environments
  • Destructive actions including wiping and deletion
  • Short-lived, high-impact campaigns

Handala Hack Team’s reliance on widely available tooling and anonymized infrastructure, including commercial VPN services, makes its activity harder to attribute and limits the effectiveness of static indicators.

Stryker hack: Lessons for defenders

The Stryker incident highlights a structural problem in many environments. By the time attackers are executing actions inside the environment, the initial failure has already occurred elsewhere.

In this case, the most credible pre-condition was not a vulnerability or exploit chain, but exposed credentials already circulating externally. This is where many organizations still lack visibility.

Attackers are sourcing access from outside the perimeter, through infostealer logs, dark web marketplaces, and exposed authentication data. These signals exist before the intrusion, but in many cases, they are not monitored or prioritized.

For defenders, the priority is no longer just strengthening controls at the point of login. It is understanding where exposure already exists across the broader digital ecosystem, and whether those exposures can be translated into real access.

Without visibility into external threats, including credential exposure, organizations are operating with an incomplete picture of risk.

How Outpost24 can help

Outpost24’s CompassDRP is designed to address this gap. By combining Digital Risk Protection, threat intelligence, and External Attack Surface Management, it provides a unified view of both:

  • External threats, such as leaked credentials, phishing infrastructure, and data exposure
  • Internal exposure, including internet-facing assets and authentication entry points

Digital Risk Protection alone identifies threats, but when enriched with attack surface context, those threats can be tied directly to exploitable access paths. In practice, this enables security teams to:

  • Detect credential exposure in real time: CompassDRP continuously monitors open, deep, and dark web sources for compromised credentials, data leaks, and emerging threats before they are used in an attack.
  • Understand whether exposed credentials are actually exploitable: By correlating credentials with known assets and authentication endpoints, teams can assess whether exposed accounts map to privileged access or critical systems.
  • Prioritize based on real attacker behavior: Threat intelligence enrichment provides context on how credentials are being traded, reused, or weaponized, helping teams focus on what is most likely to be exploited.
  • Respond before access is abused: Instead of reacting to post-compromise activity, teams can act on early indicators such as leaked credentials, impersonation campaigns, or suspicious domain activity.

Let’s talk

If you’re looking to close security gaps or meet compliance requirements, our team is here to help. Contact us today or book a personalized demo to see our services in action.

You can also try our free Credential Checker tool to get an instant, no strings attached visibility report to see if your corporate domain is linked to any compromised credentials on the dark web.

About the Author

Outpost24 Threat Intelligence Team, Outpost24

Outpost24’s Cyber Threat Intelligence team helps businesses stay ahead of malicious actors in the ever-evolving threat landscape, helping you keep your assets and brand reputation safe. With a comprehensive threat hunting infrastructure, our Threat Intelligence solution covers a broad range of threats on the market to help your business detect and deter external threats.