CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Iranian Hacktivist Group Claims Wiper Attack on Stryker

First reported
Last updated
4 unique sources, 8 articles

Summary

Hide ▲

The Iranian hacktivist group Handala—linked to Iran’s Ministry of Intelligence and Security (MOIS)—conducted a destructive wiper attack against Stryker, a U.S. Fortune 500 medical technology company, on March 11, 2026. The attack affected over 200,000 systems across 79 countries, disrupted operations in Ireland, and sent over 5,000 workers home. Handala claimed responsibility, citing retaliation for a U.S. missile strike. The attack leveraged Microsoft Intune to issue remote wipe commands and defaced Stryker’s Entra login page. Stryker confirmed the incident in an SEC filing and reported no evidence of data exfiltration. Recovery efforts prioritized restoring supply-chain systems. In a separate but related development, Handala breached the personal email account of FBI Director Kash Patel on March 28, 2026, and leaked historical emails from 2010 and 2019. The FBI acknowledged the targeting and stated the leaked data was not government-related. Handala operates under multiple monikers, including Banished Kitten and Void Manticore, and has integrated criminal tools such as Rhadamanthys stealer to enhance its operations. The group’s activities align with broader Iranian cyber operations targeting Western entities amid heightened geopolitical tensions, including destructive attacks, hack-and-leak campaigns, and psychological influence operations. U.S. authorities have seized multiple domains linked to Handala and offered a $10 million reward for information on group members.

Timeline

  1. 11.03.2026 18:20 8 articles · 17d ago

    Handala Claims Wiper Attack on Stryker

    The article confirms the FBI Director Kash Patel’s personal email was compromised and historical personal emails were leaked by Handala Hack Team. The FBI acknowledged the breach and stated the leaked data was "historical in nature and involves no government information." The piece also expands on Handala’s operational infrastructure, including the use of compromised VPN accounts for initial access, reliance on legitimate tools like VeraCrypt to hinder recovery, and integration of criminal software such as Rhadamanthys stealer. Additionally, it contextualizes the Stryker attack as the first confirmed destructive wiper operation against a U.S. Fortune 500 company and notes the group’s broader destructive, psychological, and geopolitical operations amid escalating tensions.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Microsoft Intune administrative control weaknesses exploited in Stryker breach leading to mass device wipes

A pro-Palestinian hacktivist group named Handala (also tracked as Handala Hack Team, Hatef, or Hamsa) compromised Microsoft Intune administrative controls at Stryker Corporation, a U.S.-based medical technology firm, on March 11, 2026. The attackers created a new Global Administrator account after breaching an existing administrator credential, stole approximately 50 terabytes of data, and executed device wipes across nearly 80,000 systems via Intune’s built-in wipe command. The incident follows Microsoft’s hardening guidance for Intune published days after the breach, which CISA subsequently mandated for all U.S. organizations to mitigate similar risks. The attack highlights the risks of excessive administrative privileges and insufficient privileged access hygiene in cloud-based endpoint management platforms.

Open in new tab

BlackSanta EDR Killer Targets HR Departments with Stealthy Malware Campaign

A Russian-speaking threat actor has been targeting HR departments with a sophisticated malware campaign that delivers a new EDR killer named BlackSanta. The campaign employs social engineering and advanced evasion techniques to steal sensitive information from compromised systems. The malware is suspected to be distributed via spear-phishing emails containing ISO image files disguised as resumes, hosted on cloud storage services like Dropbox. The attack chain involves steganography, DLL sideloading, and process hollowing to execute malicious payloads while evading detection. BlackSanta specifically targets and disables endpoint security solutions, including antivirus, EDR, SIEM, and forensic tools, by terminating their processes at the kernel level. The campaign has been active for over a year, utilizing Bring Your Own Driver (BYOD) components to gain elevated privileges and suppress security tools. The malware performs checks on system language, hostnames, and running processes before carrying out further actions. The campaign's ability to exfiltrate sensitive information while maintaining encrypted communications underscores both its persistence and the risk posed to targeted organizations.

Open in new tab

Storm-0249 Adopts Advanced Tactics for Ransomware Attacks

Storm-0249, previously known as an initial access broker, has escalated its operations by employing advanced tactics such as domain spoofing, DLL sideloading, and fileless PowerShell execution to facilitate ransomware attacks. These methods allow the threat actor to bypass defenses, infiltrate networks, maintain persistence, and operate undetected. The group has shifted from mass phishing campaigns to more precise attacks, leveraging the trust associated with signed processes for added stealth. The ultimate goal is to obtain persistent access to enterprise networks and monetize them by selling access to ransomware gangs.

Open in new tab

Merkle Breach Exposes Employee and Client Data

Merkle, a US-based subsidiary of Dentsu, experienced a cyberattack resulting in the theft of sensitive employee and client data. The breach was detected through unusual network activity, prompting an incident response and investigation. The stolen data includes bank details, payroll information, and personal contact details. Merkle has notified affected individuals and law enforcement, and is offering credit monitoring and Dark Web monitoring to impacted employees. The nature of the attack remains unknown, but it may involve data extortion or ransomware. The incident highlights the ongoing threat of data theft and the importance of robust incident response protocols.

Open in new tab

Russian Threat Actors Target Ukrainian and Polish Organizations with Data-Wiping Malware and LotL Tactics

Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations and Poland's power sector using living-off-the-land (LotL) tactics and deploying data-wiping malware. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. In December 2025, Sandworm targeted Poland's power sector with a new wiper malware called DynoWiper, aiming to disrupt the energy infrastructure. The attack, which occurred on December 29 and 30, 2025, targeted two combined heat and power (CHP) plants and a system managing renewable energy sources. The attack was unsuccessful in causing disruption, and Polish authorities attributed it to Russian services. The attack coincided with the tenth anniversary of Sandworm's 2015 attack on Ukraine's power grid. A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of wiper malware ZEROLOT and Sting. Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services. The cyber attack on the Polish power grid in December 2025 was attributed with medium confidence to a Russian state-sponsored hacking group known as ELECTRUM. The attack targeted distributed energy resources (DERs) and affected communication and control systems at combined heat and power (CHP) facilities and systems managing renewable energy systems. ELECTRUM and KAMACITE share overlaps with the Sandworm cluster, with KAMACITE focusing on initial access and ELECTRUM conducting operations that bridge IT and OT environments. The attackers gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site. The attack was opportunistic and rushed, with the hackers attempting to inflict as much damage as possible by wiping Windows-based devices and resetting configurations. The majority of the equipment targeted was related to grid safety and stability monitoring. The coordinated attack on Poland's power grid in late December targeted multiple distributed energy resource (DER) sites across the country, including combined heat and power (CHP) facilities and wind and solar dispatch systems. Although the attacker compromised operational technology (OT) systems damaging "key equipment beyond repair," they failed to disrupt power, totaling 1.2 GW or 5% of Poland’s energy supply. Based on public reports, there are at least 12 confirmed affected sites. However, researchers at Dragos, a critical industrial infrastructure (OT) and control systems (ICS) security company say that the number is approximately 30. Dragos attributes the attack with moderate confidence to a Russian threat actor it tracks as Electrum, which, although it overlaps with Sandworm (APT44), the researchers underline that it is a distinct activity cluster. Electrum targeted exposed and vulnerable systems involved in dispatch and grid-facing communication, remote terminal units (RTUs), network edge devices, monitoring and control systems, and Windows-based machines at DER sites. Electrum successfully disabled communications equipment at multiple sites, resulting in a loss of remote monitoring and control, but power generation on the units continued without interruption. Certain OT/ICS devices were disabled, and their configurations were corrupted beyond recovery, while Windows systems at the sites were wiped. Even if the attacks had been successful in cutting the power, the relatively narrow targeting scope wouldn’t have been enough to cause a nationwide blackout in Poland. However, they could have caused significant destabilization of the system frequency. "Such frequency deviations have caused cascading failures in other electrical systems, including the 2025 Iberian grid collapse," the researchers say. CERT Polska revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) in Poland on December 29, 2025. The attacks were attributed to a threat cluster dubbed Static Tundra, which is linked to Russia's Federal Security Service's (FSB) Center 16 unit. The attacks had a purely destructive objective but did not affect the ongoing production of electricity or the heat supply to end users. The attackers gained access to the internal network of power substations associated with a renewable energy facility to carry out reconnaissance and disruptive activities, including damaging the firmware of controllers, deleting system files, or launching custom-built wiper malware codenamed DynoWiper. In the intrusion aimed at the CHP, the adversary engaged in long-term data theft dating back to March 2025, enabling them to escalate privileges and move laterally across the network. The attackers' attempts to detonate the wiper malware were unsuccessful. The targeting of the manufacturing sector company is believed to be opportunistic, with the threat actor gaining initial access via a vulnerable Fortinet perimeter device. At least four different versions of DynoWiper have been discovered to date. The wiper's functionality involves initializing a pseudorandom number generator (PRNG) called Mersenne Twister, enumerating files and corrupting them using the PRNG, and deleting files. The malware does not have a persistence mechanism, a way to communicate with a command-and-control (C2) server, or execute shell commands, and it does not attempt to hide the activity from security programs. The attack targeting the manufacturing sector company involved the use of a PowerShell-based wiper dubbed LazyWiper that scripts overwrites files on the system with pseudorandom 32-byte sequences to render them unrecoverable. The malware used in the incident involving renewable energy farms was executed directly on the HMI machine. In the CHP plant and the manufacturing sector company, the malware was distributed within the Active Directory domain via a PowerShell script executed on a domain controller. The attacker used credentials obtained from the on-premises environment in attempts to gain access to cloud services, downloading selected data from services such as Exchange, Teams, and SharePoint. The attacker was particularly interested in files and email messages related to OT network modernization, SCADA systems, and technical work carried out within the organizations. The attack on Poland's energy sector in December 2025 was the first large-scale attack against decentralized energy resources (DERs) like wind turbines and solar farms. The attack occurred during a period when Poland was struggling with low temperatures and snowstorms just before the New Year. Dragos assessed with moderate confidence that the activity reflects tradecraft and objectives in line with the Electrum threat group, which overlaps with Sandworm. Electrum has worked alongside another threat actor, tracked as Kamicite, to conduct destructive attacks against Ukrainian ISPs and persistent scanning of industrial devices in the US. Kamicite gained initial access and persistence against organizations, and Electrum executed follow-on activity. Dragos has tracked Kamicite activities against the European ICS/OT supply chain since late 2024. The attack on Poland's energy sector was significant because it was the first major attack against decentralized energy resources (DERs). There was no evidence that the adversary had full control of the DERs, and there was no attempt to mis-operate these resources. Poland was fortunate because DERs make up a smaller portion of its energy portfolio than some other countries. If this same style of attack happened in the US, Australia, or certain parts of Europe where DERs are more prevalent, it could have been potentially catastrophic for the system. The attack highlighted the ongoing threat faced by the energy sector, with threat actors gaining initial access through vulnerable Internet-facing edge devices before deploying wipers that damaged remote terminal units (RTUs). CISA advised OT operators to prioritize updates that allow firmware verification and to immediately change default passwords on things like edge devices. Dragos recommended that organizations ensure architecture is defensible through methods like strict authorization practices, OT/IT segmentation, strict vendor access governance, secure remote access, and ICS network visibility and monitoring.

Open in new tab