How Handala’s double-strike operation against Stryker combined mass data theft with deliberate destruction, and why that combination signals a dangerous new phase in state-aligned cyberwarfare.

Steal Everything, Then Burn It Down
When Handala claimed responsibility for the cyberattack on Stryker Corporation last week, the group did not simply boast about wiping tens of thousands of devices. Buried in its statement was the detail that made security analysts sit up straight: before destroying anything, the group says it pulled out 50 terabytes of data. That sequence, extraction followed by annihilation, is not accidental. It is a deliberate two-phase architecture that tells us a great deal about how Iran-aligned threat actors have matured their operations.
To understand why the order matters, it helps to think about what each phase accomplishes independently. Exfiltration is about intelligence and leverage. Wiping is about punishment and disruption. Done separately, each is effective in its own way. Done together, in that specific sequence, they become something considerably more dangerous than the sum of their parts.
The exfiltration phase would have been the quieter, more technically demanding portion of the operation. Moving 50 terabytes of data out of a corporate network without triggering alerts requires patience, planning, and usually an extended period of undetected access known as dwell time. Attackers staging an operation of this scale typically establish a foothold through a phishing campaign, a compromised credential, or exploitation of an unpatched vulnerability. From there, they map the network, identify high-value file stores, and begin staging data in a location they can reach from the outside. Exfiltration itself is often done slowly, in chunks, timed to blend with normal business traffic. Fifty terabytes is an enormous volume. For context, that is roughly equivalent to fifty million documents or the entire text contents of a large university library. Moving that much data without detection is a significant technical and operational achievement.
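The "slow, in chunks, timed to blend with normal business traffic" pattern described above is exactly what a per-day volume threshold misses. The following detector is an added example, not code from the original article or from Stryker; it assumes a simplified outbound flow-record format (day, source host, destination, bytes out), and the hosts, addresses and volumes are constructed. It contrasts a naive per-day rule with one that sums egress per host-destination pair across a multi-day window and requires persistence.

```python
"""Low-and-slow exfiltration detection over constructed outbound flow records."""
from collections import defaultdict
from datetime import date

# Constructed sample flows: (day, source host, destination, bytes out).
# ws-17 drips ~40 GB/day to one external host for ten days; each day alone looks
# like a backup or video traffic, but the aggregate to a single destination does not.
FLOWS = []
for d in range(1, 11):
    day = date(2025, 3, d).isoformat()
    FLOWS.append((day, "ws-17", "203.0.113.9", 40_000_000_000))  # steady drip, one host
    FLOWS.append((day, "ws-17", "m365.example", 6_000_000_000))  # ordinary SaaS traffic
    FLOWS.append((day, "ws-04", "m365.example", 5_000_000_000))
    FLOWS.append((day, "ws-04", "cdn.example", 300_000_000))
# A legitimate one-off bulk transfer: large on a single day, not sustained.
FLOWS.append(("2025-03-05", "ws-04", "backup.example", 120_000_000_000))


def per_day_alerts(flows, limit=100_000_000_000):
    """Naive rule: flag a host whose total egress on any single day exceeds limit.
    Catches the noisy one-off transfer and misses the patient attacker."""
    daily = defaultdict(int)
    for day, src, _dst, nbytes in flows:
        daily[(day, src)] += nbytes
    return sorted({src for (_day, src), total in daily.items() if total > limit})


def sustained_egress_alerts(flows, min_days=5, min_total=200_000_000_000):
    """Window rule: sum bytes per (host, destination) over the whole window and
    count the distinct days it was active; flag pairs that are both large in
    aggregate and persistent. This is what exposes a chunked, multi-day drip."""
    totals = defaultdict(int)
    active_days = defaultdict(set)
    for day, src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
        active_days[(src, dst)].add(day)
    return sorted(pair for pair, total in totals.items()
                  if total >= min_total and len(active_days[pair]) >= min_days)


if __name__ == "__main__":
    print("per-day rule flags:", per_day_alerts(FLOWS))            # ['ws-04']
    print("sustained rule flags:", sustained_egress_alerts(FLOWS))  # [('ws-17', '203.0.113.9')]
```

The per-day rule fires only on the legitimate backup, while the windowed rule isolates the host-destination pair whose daily volume never looks alarming but whose ten-day total does; in practice the window length and thresholds should be derived from each host's own baseline rather than fixed constants.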
The choice of target within the Microsoft environment is also telling. Microsoft 365 environments typically contain email archives, SharePoint document libraries, Teams conversation histories, and OneDrive file stores. For a company like Stryker, which holds a 450 million dollar Department of Defense contract and operates across 79 countries, those repositories could contain procurement details, military supply chain documentation, internal communications about government relationships, and personnel records. A harvest of that breadth would be operationally valuable to Iranian intelligence independently of anything that came afterward.
Once exfiltration was complete, the destruction phase began. Wiper malware, the tool believed to be responsible for the device erasure employees encountered, is fundamentally different from ransomware in its intent. Ransomware encrypts data and demands payment, meaning the attacker has a financial incentive to keep the data recoverable. A wiper has no such incentive. It is designed to overwrite data at a low level, often targeting the master boot record or file allocation tables to make recovery effectively impossible even with forensic tools. The fact that remote employee devices running Windows, including laptops and mobile phones connected to Stryker systems, were wiped suggests the malware propagated through the Microsoft environment rather than requiring physical access to each machine.
The psychological and operational logic of wiping after exfiltration is layered. First, it destroys forensic evidence of how the attackers got in and what they accessed, complicating any attempt to understand the full scope of the breach. Second, it maximises disruption to the victim organisation, forcing a costly and time-consuming rebuild of infrastructure. Third, it sends a public signal, in this case a geopolitical one, amplified by Handala displaying its logo on affected login screens. The destruction is the message. The data theft is the prize collected quietly before the message is delivered.
Security researchers have noted that this steal-then-wipe pattern has been appearing with greater frequency in state-aligned operations. It was visible in Russian operations against Ukrainian targets before and during the 2022 invasion, and Iran-linked groups have been refining similar techniques over the past several years. What distinguishes the Stryker incident, if Handala’s claims are even partially accurate, is the claimed scale of data removed before the wiper was triggered and the apparent reach into devices across dozens of countries simultaneously.
The healthcare dimension of the attack also deserves technical scrutiny. Stryker’s Lifenet system, which transmits electrocardiogram data from ambulances to hospitals, was knocked offline in Maryland and potentially elsewhere. This is not a consequence of targeting medical devices directly. It is a consequence of the underlying Microsoft network infrastructure being disrupted, which in turn severed the connectivity that medical systems depend on. Modern hospitals and medical device networks are deeply entangled with corporate IT infrastructure, and that entanglement creates cascading failure pathways that attackers may not even need to deliberately target.
The broader lesson from the technical architecture of this attack is that the most damaging cyber operations are no longer defined by a single dramatic action. They are defined by sequencing: getting in quietly, staying long enough to extract what is valuable, and then detonating on the way out. That model requires a higher level of operational discipline and technical capability than a simple smash-and-grab. The fact that a hacktivist group with documented ties to Tehran appears to be executing it at this scale suggests that the line between loosely organised hacktivism and structured intelligence operations has become very thin, or perhaps no longer exists at all.