
Critical Infrastructure • MAR 16, 2026
Critical Infrastructure Wiper Attacks: Lessons from the 2026 Stryker Breach
In March 2026, medical technology giant Stryker suffered a devastating cyberattack. But unlike the ransomware epidemics of the early 2020s, the attackers weren’t looking for a payout. The Iran-linked group known as Handala deployed wiper malware, explicitly designed to permanently destroy data and paralyze operations across Stryker’s facilities in Ireland and beyond.
This incident marks a terrifying acceleration in a trend we’ve been tracking all year: the weaponization of enterprise management tools to deliver destructive payloads, pivoting away from financial extortion toward pure geopolitical disruption.
The Management Plane is the New Weapon
Historically, deploying wiper malware across a global enterprise required significant lateral movement and noisy propagation mechanisms. Today, attackers are taking a more efficient, lethal route. They are targeting the administrative control plane itself.
In the Stryker breach, threat actors compromised credentials with high-level access to the company’s endpoint management system (in this case, Microsoft Intune). Once inside, they didn’t need to write a custom worm to spread the malware or exploit legacy vulnerabilities to hop between servers. They simply used the company’s own trusted, legitimate IT infrastructure to push the destructive wiper payload to thousands of endpoints simultaneously.

Why Wipers? The Geopolitical Calculus
Ransomware is an economic tool; wipers are geopolitical weapons. As global tensions escalate, state-sponsored actors and hacktivist proxies are increasingly relying on destructive malware to signal capability, cause maximum operational disruption, and inflict unrecoverable damage. Because the actions are initiated through valid credentials and executed via trusted platforms, the destruction is often well underway before traditional EDR solutions flag the anomaly.
Defending Against Destruction
When the goal is absolute destruction rather than financial negotiation, the defensive playbook changes fundamentally.
Isolate the Management Plane: Access to tools like Intune, SCCM, or any RMM (Remote Monitoring and Management) platform must be heavily restricted. Implement Tiered Administration models where highly privileged accounts are completely isolated from standard corporate emails and web browsing.
Enforce Out-of-Band Approvals: A single compromised administrator account should not have the unilateral ability to wipe thousands of devices. Implement “two-man rule” approval workflows for any mass-deployment or destructive commands.
Immutable Backups: If your backups are accessible from the same administrative domain as your primary network, they are useless against a wiper. True offline, immutable backups—physically and logically segmented—are the only fail-safe against total data destruction.
The Stryker incident proves that if an attacker controls your infrastructure management tools, they control the lifespan of your data.