
Stryker uses Microsoft, but how did Iran hack iPhones of its employees? Understanding the Handala cyberattack

1. The Apple vs. Microsoft Confusion

When news broke that thousands of Stryker employees had woken to find their personal phones factory-reset overnight, an obvious technical question followed. Stryker's corporate infrastructure runs on Microsoft, so how did an Iran-linked hacker group erase personal iPhones and Android handsets? The answer is not an exploit against iOS or Android; it is the abuse of a standard corporate administration tool, Mobile Device Management (MDM), used exactly as designed but by the wrong hands.

2. The 'Work Profile' Agreement

To understand the hack, you have to understand how modern companies handle personal phones. Like many global corporations, Stryker operates a "Bring Your Own Device" (BYOD) policy. An employee who wants corporate Outlook email or Microsoft Teams messages on a personal iPhone is required to install the Intune "Company Portal" app and enrol the device, which on Android creates a separate "work profile" and on iOS installs a management profile. Enrolment hands the company's IT department management rights over the phone, so it can check that the device meets security requirements before it is allowed to reach corporate data.

3. The Microsoft Intune Connection

The specific tool Stryker uses to manage these thousands of employee phones and laptops is Microsoft Intune. Intune is Microsoft's cloud-based endpoint management service: a single control plane from which an IT department can enforce security policies, push software updates, control access to corporate resources and issue remote actions to Windows, Android and iOS devices anywhere in the world.

4. Hijacking the Remote Control

Cybersecurity forensic experts investigating the Stryker breach confirm that Handala did not deploy custom malware or exploit a flaw in Apple's code. Instead, the attackers compromised high-privilege administrative credentials for Stryker's Microsoft Intune environment, such as a Global Administrator account (in practice, any account holding an Intune role that grants the "Wipe" remote task permission would do). With access to the Intune admin center, Handala effectively held the master remote control for every device enrolled in Stryker's tenant.

5. The 'Remote Wipe' Kill Switch

Because corporate phones can be lost or stolen, Intune features a legitimate, built-in security control called "Wipe." If an executive leaves their phone in a taxi, IT can click a button to factory-reset the device remotely, protecting corporate secrets. Intune actually offers two removal actions: "Retire," which strips only company data, apps and the management profile, and "Wipe," which returns the whole device to factory settings. Once Handala had admin access to Intune, they selected the enrolled devices in bulk and issued the Wipe action against all of them. Every such action is written to the Intune audit log together with the account that issued it, which is what makes a burst of wipes from a single identity detectable.
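As an added example (not part of the Wion article, and not code from Stryker, Microsoft or Handala), the Python below shows the detection a security operations team would want for exactly this scenario. It reads Intune device-management audit events in the shape returned by the Microsoft Graph `/deviceManagement/auditEvents` endpoint, keeps "retire" separate from "wipe", and raises an alert when one admin identity issues several wipes inside a short window. The sample events, account names and IP addresses are constructed for the example; the exact `activityType` strings used for wipe and retire are an assumption that must be checked against a real tenant's audit log before the logic is used for alerting.

```python
"""Flag a burst of Intune remote-wipe actions in device-management audit events.

Added example for this article, not code from Stryker, Microsoft or Handala. The
records below are constructed to resemble what the Microsoft Graph endpoint
/deviceManagement/auditEvents returns: the field names (activityDateTime,
activityType, activityOperationType, activityResult, actor.userPrincipalName,
actor.ipAddress, resources[].displayName) follow the Graph auditEvent resource,
but the activityType strings used for wipe and retire are an ASSUMPTION and must
be checked against a real tenant's log before this is wired into alerting.
"""
from collections import deque
from datetime import datetime, timedelta

# Assumed activityType values (compared lower-cased). Intune has two distinct
# removal actions: "wipe" factory-resets a fully managed device, "retire" only
# removes company data and the management profile. They must not be conflated.
WIPE_TYPES = {"wipe manageddevice"}
RETIRE_TYPES = {"retire manageddevice"}


def _event(ts, actor, ip, activity_type, device):
    """Build one constructed audit record in the Graph auditEvent shape."""
    return {"activityDateTime": ts, "activityType": activity_type,
            "activityOperationType": "Action", "activityResult": "Success",
            "actor": {"userPrincipalName": actor, "ipAddress": ip},
            "resources": [{"displayName": device, "type": "ManagedDevice"}]}


# Constructed sample log: the help desk retires one device and wipes one lost
# device during the day; a second account then fires wipes seconds apart at night.
HELPDESK = ("helpdesk@example.com", "203.0.113.10")
INTRUDER = ("svc-intune-admin@example.com", "198.51.100.77")
SAMPLE_EVENTS = [
    _event("2025-01-10T09:12:04Z", *HELPDESK, "retire ManagedDevice", "iPhone-4471"),
    _event("2025-01-10T11:40:00Z", *HELPDESK, "wipe ManagedDevice", "iPhone-0932"),
    _event("2025-01-11T02:01:10Z", *INTRUDER, "wipe ManagedDevice", "iPhone-1001"),
    _event("2025-01-11T02:01:12Z", *INTRUDER, "wipe ManagedDevice", "Pixel-2002"),
    _event("2025-01-11T02:01:13Z", *INTRUDER, "wipe ManagedDevice", "iPhone-3003"),
    _event("2025-01-11T02:01:15Z", *INTRUDER, "wipe ManagedDevice", "Galaxy-4004"),
    _event("2025-01-11T02:30:00Z", *INTRUDER, "wipe ManagedDevice", "iPhone-5005"),
]


def _when(ev):
    return datetime.strptime(ev["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def classify(ev):
    """Return 'wipe', 'retire' or None for one audit event."""
    kind = ev.get("activityType", "").lower()
    if kind in WIPE_TYPES:
        return "wipe"
    if kind in RETIRE_TYPES:
        return "retire"
    return None


def count_actions(events):
    """Count wipe and retire actions separately for a daily report."""
    counts = {"wipe": 0, "retire": 0}
    for ev in events:
        kind = classify(ev)
        if kind:
            counts[kind] += 1
    return counts


def find_wipe_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor: alert} for every actor who issued >= threshold wipe actions
    within any span of length `window`. Failed attempts count as well: a stolen
    admin session that is *trying* wipes deserves an alert before one succeeds.
    """
    alerts = {}
    recent = {}  # actor -> deque of (time, device) currently inside the window
    wipes = sorted((e for e in events if classify(e) == "wipe"), key=_when)
    for ev in wipes:
        actor = ev["actor"]["userPrincipalName"]
        t = _when(ev)
        device = ev["resources"][0]["displayName"] if ev.get("resources") else "<unknown>"
        q = recent.setdefault(actor, deque())
        q.append((t, device))
        while t - q[0][0] > window:  # drop wipes that fell out of the window
            q.popleft()
        # Keep the largest burst seen for this actor, so the alert describes the
        # worst window rather than the first one that crossed the threshold.
        if len(q) >= threshold and len(q) > alerts.get(actor, {}).get("count", 0):
            alerts[actor] = {"count": len(q),
                             "first": q[0][0].isoformat(),
                             "last": t.isoformat(),
                             "devices": [d for _, d in q],
                             "source_ip": ev["actor"].get("ipAddress")}
    return alerts


if __name__ == "__main__":
    print(count_actions(SAMPLE_EVENTS))
    for actor, alert in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor} from {alert['source_ip']}: {alert['count']} wipes "
              f"between {alert['first']} and {alert['last']}: {alert['devices']}")
```

A single wipe a day from the help desk is normal and stays silent; four wipes in five seconds from one account is the pattern the article describes and trips the threshold. In production the same logic would run over events pulled from Graph or forwarded to a SIEM, with the threshold tuned to the tenant's usual device-retirement volume and the alert routed so that the offending session can be revoked before the queue of wipe commands has finished reaching devices.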

6. Why the Erase Was Absolute

When an iPhone or Android phone receives a wipe command from the MDM server it is enrolled with (here, Intune), the operating system obeys immediately and without prompting the user. The handset cannot distinguish a legitimate wipe from a malicious one: both arrive from the same trusted management server, so the real trust boundary is the Intune tenant, not the phone. The device restores itself to factory settings, which is why employees woke up to find their entire digital lives erased. Because it was a full OS reset rather than the removal of a work profile, the phones lost personal photos, cellular eSIMs, and the authenticator apps used for personal banking Two-Factor Authentication (2FA), whose secrets lived only on the handset. A reset of this scope is only possible when the phone is enrolled under full device management; an Android work profile or Apple User Enrollment lets the company remove its own data and apps, but not the rest of the device.

7. The Ultimate BYOD Warning

The Stryker hack is a chilling wake-up call for the global workforce. Handala showed that attackers do not need to build mobile malware to destroy personal phones; they only need to compromise the corporate management portal that already holds the power to erase them. Cybersecurity experts warn that this changes the risk calculation for employees: granting your company administrative control of your personal phone means trusting your personal data to your company's defenses, above all to how well it protects its administrator accounts. The practical mitigations on the employee side are to prefer enrolment modes that separate work from personal data, such as an Android work profile or Apple User Enrollment, and to keep backups and authenticator recovery codes somewhere other than the phone itself.