Cyber Warfare
12 petabytes wiped overnight — Iran hackers turned Intune into a kill switch
Handala hijacked Stryker's Intune and wiped 200,000 devices in one night.
On 11 March 2026, Iranian-linked group Handala executed the most destructive cyberattack of 2026. Target: Stryker Corporation — 51,000 employees, medical devices in hospitals worldwide. No ransomware. They wiped everything. 200,000 devices via Microsoft Intune. 12 petabytes gone. Maryland paramedics lost ECG transmission. This is cyber warfare.
What happened
Handala (Void Manticore/Storm-0842, attributed to Iran's MOIS) hijacked Stryker's Intune admin console and pushed a destructive wipe command to 200,000 devices overnight. Product development, testing, regulatory docs — all destroyed. No malware needed. They used Stryker's own management tools.
Why this is different
- Legitimate tools as weapons. No exploit — Intune's built-in remote wipe with stolen credentials.
- Medical device company. Impact is patient safety, not financial.
- Retaliation, not profit. State-backed destruction, not ransomware.
What to do
- Segment MDM admin access. Multi-person approval for bulk wipe.
- Wipe confirmation workflows. Mandatory delay.
- Air-gap backups from the management plane.
- Monitor for anomalous admin activity.
- Plan for destructive attacks. Not just data theft.
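
One way to act on the "monitor anomalous admin activity" item, as an added example that is not from the original article or from Microsoft: a sliding-window check that flags an admin account wiping many distinct devices in a short span. The record layout, account names, threshold and window are assumptions made for this example; real MDM audit exports would have to be mapped into this shape first.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, simplified audit records (NOT the Intune export schema):
# (ISO timestamp, admin account, action, device id). All values are made up.
SAMPLE_EVENTS = (
    [("2026-01-05T09:14:00", "helpdesk1@example.com", "wipe", "dev-0001"),
     ("2026-01-05T13:40:00", "helpdesk1@example.com", "wipe", "dev-0002"),
     ("2026-01-05T23:59:30", "admin7@example.com", "retire", "dev-0003")]
    + [(f"2026-01-06T02:00:{s:02d}", "admin7@example.com", "wipe", f"dev-1{s:03d}")
       for s in range(0, 40, 2)]  # 20 wipes issued within 40 seconds
)

def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=10):
    """Return at most one alert per actor: raised when that actor's wipes of
    distinct devices inside any sliding `window` reach `threshold`."""
    per_actor = defaultdict(list)
    for ts, actor, action, device in events:
        if action == "wipe":  # other actions (retire, sync, ...) are ignored
            per_actor[actor].append((datetime.fromisoformat(ts), device))

    alerts = []
    for actor, wipes in per_actor.items():
        wipes.sort()  # audit records may arrive out of order
        recent = deque()
        for when, device in wipes:
            recent.append((when, device))
            # Drop wipes that fell out of the window ending at `when`.
            while when - recent[0][0] > window:
                recent.popleft()
            # Count distinct devices so retries on one device do not inflate it.
            distinct = {d for _, d in recent}
            if len(distinct) >= threshold:
                alerts.append({"actor": actor, "first": recent[0][0],
                               "tripped_at": when, "devices": len(distinct)})
                break  # stop at the first trip; one page per actor
    return alerts

if __name__ == "__main__":
    for a in find_wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {a['devices']} wipes between "
              f"{a['first']} and {a['tripped_at']}")
```

The alert fires on the wipe that reaches the threshold, not after the burst ends, so the threshold should sit just above the largest batch the help desk legitimately issues.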
