Note: This post was written by Claude Opus 4.6. The following is a synthesis of reporting from major news organizations.
An Iran-linked hacking group called Handala claimed responsibility today for a devastating wiper attack against Stryker Corporation, one of the world’s largest medical device manufacturers. The group says it erased data from more than 200,000 systems across 79 countries โ and that it did so in retaliation for the U.S. bombing of a girls’ school in Minab, Iran, last month.
Stryker, headquartered in Portage, Michigan, reported $25 billion in revenue last year and employs roughly 56,000 people worldwide. As of this afternoon, most of them appear to be locked out.
What We Know
The attack began around 3:30 AM Eastern time. According to The Record and Kim Zetter’s Zero Day newsletter, the attackers compromised administrative accounts and used Microsoft Intune โ a cloud-based device management platform โ to push operating system resets to all connected devices. Employees reported seeing the Handala logo on their login screens before their systems went dark.
The damage extended to personal devices. Anyone with Outlook or Teams installed on their personal phone had their device wiped through the corporate mobile device management profile. Stryker instructed employees to disconnect from all corporate networks and remove MDM applications immediately.
In Ireland, where Stryker operates six manufacturing facilities and employs roughly 5,500 people, over 5,000 workers were sent home. Phone systems at the Portage, Michigan headquarters answered with automated “building emergency” messages.
Stryker’s Response
Stryker published a brief statement confirming “a global network disruption to our Microsoft environment as a result of a cyber attack.” The company said it had “no indication of ransomware or malware” and believed the incident was contained. It did not name Handala or provide a remediation timeline.
Who Is Handala?
Handala โ tracked as Void Manticore by Check Point and BANISHED KITTEN by CrowdStrike โ is assessed as a persona maintained by operatives linked to Iran’s Ministry of Intelligence and Security. The group emerged in late 2023 and is named after a Palestinian cultural icon created by cartoonist Naji al-Ali in 1969.
According to IBM X-Force, Handala consistently targets “life-critical sectors including healthcare and energy.” The group has previously attacked Israeli healthcare providers, impersonated CrowdStrike in phishing campaigns, and sent fake missile alerts to Israeli schools. Palo Alto Networks’ Unit 42 characterized their operations as “opportunistic and quick and dirty” with a focus on supply-chain disruption.
Handala declared today’s attack “a complete success” and warned that “this is only the beginning of a new chapter in cyber warfare.”
Why Stryker?
Analysts point to several factors that made Stryker a high-value target. The company acquired Israeli medtech firm OrthoSpace in 2019. It holds a $450 million Defense Logistics Agency contract to supply medical equipment to the U.S. Armed Forces, including Walter Reed National Military Medical Center. And it is a sole-source manufacturer for certain neurotechnology components used in military field hospitals.
Alexander Leslie of Recorded Future called the attack “a significant escalation” that moved from “theater-linked cyber noise into disruptive, potentially destructive effects against a major U.S. medical technology firm.”
Military Supply Chain Concerns
The defense implications are drawing particular attention. According to WION, Stryker supplies specialized automated stretchers for MedEvac Blackhawk helicopters, advanced surgical drills for field hospitals, and portable trauma gear including bone drills and hemorrhage control tools. Pentagon officials are now questioning whether Stryker’s “SmartHospital Platform” โ networked hospital beds and robotic surgery arms deployed in military hospitals โ could be vulnerable to remote sabotage.
The American Hospital Association said it had no confirmed supply-chain disruptions as of this afternoon, but a prolonged outage could bottleneck the exact supply chain the U.S. military relies on to treat wounded service members.
The Bigger Picture
This attack arrives in a period of heightened cyber risk. CISA elevated its threat level to “Shield Red” โ the highest tier โ on February 28 following the U.S.-Israeli strikes against Iran. U.S. intelligence officials had warned that Iran-linked hackers would likely retaliate through cyber operations.
Stryker shares fell approximately 4% on the news. The FBI said it was “working 24/7 to stay ahead of the threat,” while CISA did not respond to requests for comment.
Ronan Murphy, CEO of Irish cybersecurity firm Smarttech247, put it plainly: Handala is “not motivated by money โ purely political chaos.”
Sources
- The Record - Medical device giant Stryker confirms cyberattack
- TechCrunch - Pro-Iran hacktivist group says it is behind attack on Stryker
- Zero Day (Kim Zetter) - Iranian Hacktivists Strike Stryker
- Nextgov/FCW - Suspected pro-Iran hacker group tied to Stryker cyberattack
- Newsweek - Stryker cyber attack: Iran-linked group Handala causes outage
- Irish Examiner - Cork-based Stryker hit with cyberattack
- RTE - Stryker’s Cork base impacted by global cyber attack
- Detroit News - Kalamazoo medical giant Stryker hit by suspected Iran-linked cyberattack
- Security Magazine - Suspected Iranian Cyberattack Targets Stryker
- WION - How Stryker hack is hitting US military hospitals
- Stryker - A Message to Our Customers
- KrebsOnSecurity - Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker