
An Iran-linked hacking group recently wiped data from tens of thousands of corporate devices at Stryker Corporation, which immediately brought global operations at one of the world’s largest medical technology companies to a standstill.
The attack was claimed by Handala, an Iran-linked hacking group, and involved remotely wiping more than 200,000 servers, mobile devices, and other systems, ultimately stealing 50 terabytes of data and disrupting operations across 79 countries. The incident has since been confirmed as one of the most significant cyberattacks on a U.S. company since the start of the ongoing conflict between Iran and the allies Israel and the United States.
Who Is Handala
Handala is a pro-Palestinian and pro-Iran-aligned hacktivist group active since at least 2023, known for deploying wiper malware and stealer malware during its attacks, as well as for conducting politically motivated operations against Israeli-linked targets.
Cybersecurity companies have linked the group to Iran’s Ministry of Intelligence and Security (MOIS), identifying it as a front for the ministry. The group has a documented history of wiper attacks, with the aim of releasing data rather than holding it for ransom.
Prior operations include a breach of FBI Director Kash Patel’s personal email, with the group publishing over 300 emails, along with photos and his resume, in retaliation for the FBI taking down the group’s websites.
In posts on X, Handala said the attack was retaliation “for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance.”
How the Attack Worked and the Scale of Disruption
Handala appears to have accessed Stryker’s Microsoft Intune, a program used to remotely manage corporate phones and laptops, and deleted all data on connected devices en masse. Stryker confirmed the attack hit its Microsoft environment, adding that it found no evidence of ransomware or malware and believed the incident was contained.
Stryker produces everything from artificial joints and surgical instruments to hospital beds and robotic surgery systems, reporting revenues of more than $25 billion in 2025, with its products reaching over 150 million patients annually across 61 countries. The scale of the attack made the disruption immediate and widespread.
The attack temporarily disabled Stryker’s electronic ordering systems, disrupted manufacturing and shipping operations, and prompted the U.K.’s National Health Service to issue an update noting that certain orders from Stryker in the days following the attack were affected, with an interim ordering system set up in response. Healthcare providers in some regions were also forced to delay surgeries involving Stryker products.
Where Things Stand
In a statement to its customers, Stryker confirmed it is fully operational across its global manufacturing network, with commercial ordering and distribution systems also restored. The company acknowledged that the attack had a material impact on its first-quarter earnings but said it does not expect the attack to affect its full-year financial guidance. Stryker is scheduled to report its Q1 2026 results on April 30.
The attack highlights a point cybersecurity professionals have raised for years, which is that critical infrastructure in the healthcare sector remains exposed to nation-state actors, and the tools already inside corporate environments can be turned into weapons with the right level of access.
