A Michigan company was hit hard this week. Here's what happened, what it means, and what's worth reviewing on your end.
What Happened
On March 11, 2026, Stryker Corporation, the Kalamazoo-based medical device giant with 56,000 employees across 60+ countries, was hit by one of the most disruptive cyberattacks on a U.S. company in recent memory. The incident has been attributed to Handala, a group with reported ties to Iranian state interests. Attackers gained unauthorized access to Stryker's Microsoft Intune console, a legitimate cloud-based platform that IT teams use to manage corporate devices. From there, they issued a remote wipe command to approximately 200,000 devices across 79 countries, disrupting operations. For those of us in Michigan, this one hits close to home. But the broader lesson applies to organizations everywhere.
This was not a ransomware attack. It is being described by threat intelligence researchers as a destructive wiper attack, meaning the goal was not financial extortion but operational disruption. This is an important distinction: unlike ransomware, wiper attacks do not offer a payment option to restore data. Recovery depends entirely on whether clean, tested backups exist.
What This Type of Attack Looks Like
To understand how an attack like this unfolds and where defenses can make a difference, it helps to look at the Cyber Kill Chain, a widely used framework for mapping the stages of a sophisticated attack.
It starts with Reconnaissance: the attacker quietly studies the target, researching employees, systems, and vendor relationships using publicly available information. From there comes Weaponization, building a custom tool or payload based on what was learned. Then comes Delivery, most commonly through a phishing email, a compromised vendor, or an exposed web service.
Once inside, the attacker moves to Exploitation, leveraging a vulnerability to establish an initial foothold. That's followed by Installation, where malware is installed and persistence is established, allowing the attacker to maintain access even if something triggers an alert. Next is Command and Control, where the attacker remotely communicates with the installed malware, directing its actions from outside your environment. The final stage is Actions on Objectives, where the goal is actually executed. In Stryker's case, that meant wiping 200,000 devices and walking out with 50 terabytes of data.
The honest takeaway from this framework is that there's almost always an opportunity somewhere in the sequence. The goal isn't perfection; it's knowing where your organization has visibility today and where there might be room to strengthen it.
Four Questions Worth Asking Your Team
This isn't a compliance checklist. These questions surface security gaps and are far easier to work through before an incident than during one.
Do we know the difference between our known and unknown threats? Traditional tools are effective at catching threats that have been seen before. The Stryker attack involved techniques designed to evade those tools. It's worth understanding what visibility you have into activity that doesn't match a known signature.
Are our backups truly isolated? Wiper attacks are designed to destroy data, including backups connected to the primary environment. Air-gapped or immutable backups are the only reliable recovery path when deletion is the attack method.
How do third-party vendors access our systems? Many attacks enter through a trusted partner, not the front door. Reviewing who has access and how that access is monitored is a straightforward place to start.
When did we last test our incident response plan? A documented plan that hasn't been exercised is difficult to execute under pressure. A tabletop walkthrough, even a basic one, surfaces gaps before they matter.
We're Here If You Want to Talk It Through
Situations like this can feel like a lot to take in. If it would help to talk through what any of this means for your organization, or simply to ask questions and get a clearer picture, we're here for that conversation.
Reach out to your C3 Advisor or visit C3TechAdvisors.com.