Iran-linked destructive cyber campaign tactics and mitigation strategies against wiper attacks
Summary
An Iran-linked threat cluster tracked as Handala (and Void Manticore) executed a destructive wiper campaign against Stryker in March 2026 that erased tens of thousands of devices across 79 countries, disrupting manufacturing, order processing, and logistics for a Fortune 500 medical technology vendor. Unlike financially motivated ransomware, these attacks aim to create operational chaos and real-world consequences by deploying wipers via legitimate administrative tools and tunneling mechanisms to maximize lateral movement and simultaneous wiping. The event underscores a broader shift where geopolitical conflicts increasingly translate into destructive cyber operations against critical infrastructure and supply chains, requiring defenders to prioritize containment, identity controls, and administrative-path restrictions over traditional perimeter defenses.
Timeline
- 20.03.2026 16:01: Iran-linked Handala group conducts destructive wiper attack against Stryker in March 2026
  An Iran-aligned cluster attributed to Handala (Void Manticore) executed a destructive wiper campaign against Stryker, a Fortune 500 medical technology manufacturer, resulting in the erasure of tens of thousands of devices across 79 countries. Attackers gained initial access via stolen VPN credentials and used legitimate administrative tools (RDP, PowerShell remoting, WMI, SMB, SSH) for lateral movement and privilege escalation. Covert tunnels established with NetBird enabled persistent internal access. The incident disrupted manufacturing, order processing, and logistics operations globally.
  - How CISOs Can Survive the Era of Geopolitical Cyberattacks — www.bleepingcomputer.com — 20.03.2026 16:01
Information Snippets
- The March 2026 attack by the Iran-linked Handala group against Stryker leveraged stolen VPN credentials for initial access and involved tens of thousands of wiped systems across 79 countries.
  First reported: 20.03.2026 16:01 (1 source, 1 article)
  - How CISOs Can Survive the Era of Geopolitical Cyberattacks — www.bleepingcomputer.com — 20.03.2026 16:01
- Threat intelligence on the Handala/Void Manticore cluster indicates destructive operations rely on manual, hands-on activity using legitimate enterprise tools including RDP, PowerShell remoting, WMI, SMB, and SSH for lateral movement and privilege escalation.
  First reported: 20.03.2026 16:01 (1 source, 1 article)
  - How CISOs Can Survive the Era of Geopolitical Cyberattacks — www.bleepingcomputer.com — 20.03.2026 16:01
- Operators established covert access using tunneling tools such as NetBird to maintain persistent, stealthy connectivity inside victim environments for prolonged operations.
  First reported: 20.03.2026 16:01 (1 source, 1 article)
  - How CISOs Can Survive the Era of Geopolitical Cyberattacks — www.bleepingcomputer.com — 20.03.2026 16:01
- The campaign targeted Stryker’s global manufacturing, order processing, and logistics operations, resulting in significant operational disruption across multiple countries.
  First reported: 20.03.2026 16:01 (1 source, 1 article)
  - How CISOs Can Survive the Era of Geopolitical Cyberattacks — www.bleepingcomputer.com — 20.03.2026 16:01
- Destructive wiper attacks often deploy multiple wiping mechanisms simultaneously to maximize impact once execution begins.
  First reported: 20.03.2026 16:01 (1 source, 1 article)
  - How CISOs Can Survive the Era of Geopolitical Cyberattacks — www.bleepingcomputer.com — 20.03.2026 16:01