Iran-Linked Hackers Wipe Thousands of Stryker Devices in Retaliatory Cyberattack

A hacker group with documented ties to Iran has claimed responsibility for a sweeping cyberattack against Stryker Corporation, one of the world’s largest medical technology companies, disrupting employee devices across dozens of the firm’s international offices.
The incident, which Stryker acknowledged as a “global network disruption,” has drawn attention from cybersecurity analysts who say it signals a sharp escalation in Iranian cyber operations targeting American corporations.
The group behind the attack, known as the Handala Team, announced on its Telegram channel and on X that it had gained access to Stryker’s Microsoft Intune management console, a platform used by corporations to remotely manage employee devices. Using the console’s own remote-wipe capability, the attackers reset employee phones and computers to factory settings, bringing work and communications to an abrupt halt.
Stryker, headquartered in Portage, Michigan, confirmed the disruption without disputing the attackers’ claims about its scope. In a statement, the company said its internal systems had not been directly breached and that no ransomware was deployed, though employees reported that company-issued phones stopped functioning entirely. Callers to Stryker’s headquarters were met with a recorded message stating the building was experiencing “a building emergency.”
The Handala Team claims it wiped more than 200,000 systems, servers, and mobile devices across 79 offices worldwide, and that it exfiltrated 50 terabytes of data. Those figures have not been independently verified. The full extent of data loss remains unclear, though the company stated the incident appears to be contained.
In a manifesto posted to Telegram, Handala framed the attack as direct retaliation for a February 28 airstrike on a school in Minab, a town in southern Iran, which killed 170 people, many of them children. It has been reported that a U.S.-made Tomahawk missile appeared to have struck near the school. The group described Stryker as a “Zionist-rooted corporation,” a term analysts believe refers to Stryker’s 2019 acquisition of OrthoSpace, an Israeli medical device company.
Cybersecurity researchers note that Stryker may also have been selected as a target of opportunity, meaning a company with a vulnerable configuration, rather than as a premeditated symbolic choice. The distinction matters little in terms of the damage inflicted.
The tactic employed in the Stryker attack is not new to Iran’s cyber arsenal. The country has a well-documented history of deploying so-called “wiper” attacks, which are designed not to extract data for financial gain but to permanently destroy it. In 2012, a wiper attack attributed to Iran devastated the network of Saudi Aramco, the Saudi state oil company. Two years later, a similar assault struck the Sands Casino in Las Vegas, owned by a prominent financial backer of Israel.
Prior to the Stryker incident, Iranian cyber efforts connected to the current regional conflict had been largely limited to minor website defacement and espionage operations. The attack on Stryker represents a significant departure from that pattern, with cybersecurity firm Sophos linking the Handala Team specifically to Iran’s Intelligence Ministry.
Despite the severity of the incident, neither the FBI nor the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency responded to requests for comment. The muted official response has drawn scrutiny from analysts who say attacks on medical device manufacturers raise particular concerns given the potential downstream impact on healthcare infrastructure.
Stryker has not publicly stated when it expects full operations to resume, nor has it detailed what data, if any, was stolen beyond the company’s own acknowledgment of the disruption.
Reporting based on statements from Stryker Corporation, NBC News, WOOD-TV, and analysis by cybersecurity firm Sophos.