A hacktivist group with alleged links to Iran’s intelligence agencies has claimed responsibility for a destructive cyberattack against Stryker, the Michigan-based global medical technology company, in an incident that reportedly disrupted operations across the company’s international network.
News reports from Ireland, Stryker’s largest hub outside the United States, said the company sent more than 5,000 employees home following a major IT outage. Meanwhile, a voicemail message at Stryker’s main U.S. headquarters reportedly informed callers that the company was experiencing a “building emergency,” highlighting the scale of the disruption affecting internal operations.
In a statement posted to Telegram, the Iranian-aligned hacktivist group Handala, also known as Handala Hack Team, claimed responsibility for the attack. The group alleged it had wiped data from more than 200,000 systems, servers, and mobile devices across Stryker’s global network, forcing the shutdown of offices in 79 countries.
Early reports suggest the attack may have targeted remote Windows devices and internal systems, prompting employees to disconnect corporate devices while the company works with partners to restore services.
Sam Soares, Chief Revenue Officer at CultureAI, said the incident highlights how cyber risk has evolved into a critical operational threat for global organisations.
“Medical technology giant Stryker is reportedly experiencing a major global systems disruption following a suspected cyberattack, with some reports linking the incident to an Iran-aligned hacking group known as ‘Handala,’” Soares said.
“For organisations, the incident is another reminder that cyber risk is no longer hypothetical or confined to IT departments. Instead, cyber risk is a core operational risk that can halt global operations overnight.”
Soares added that the implications are particularly serious in the healthcare sector, where technology suppliers support essential clinical operations.
“For healthcare organizations and suppliers, the stakes are even higher, as system outages can ripple through hospitals, clinical workflows, and supply chains. Attacks like this can be costly for organisations in terms of both reputation and financial loss, and could also present an indirect threat to life.”
Cybersecurity experts say the attack is notable because it appears to be destructive rather than financially motivated.
Chris Henderson, Chief Information Security Officer at Huntress, said the incident demonstrates how attackers can leverage legitimate enterprise tools to cause widespread damage once they gain access to privileged systems.
“This attack is significant because it’s destructive, not ransomware,” Henderson said. “Handala allegedly used Microsoft Intune, a legitimate IT management tool, to remotely wipe more than 200,000 devices across Stryker’s global network. No malware is needed when the right credentials are compromised.”
Henderson also warned that disruptions involving large healthcare suppliers can have significant downstream effects.
“Stryker manufactures critical medical devices used in operating rooms and ICUs worldwide. When a supplier of this scale goes offline, it doesn’t just impact their employees. It creates ripple effects across hospitals, surgical centers, and healthcare providers that depend on their equipment and support infrastructure.”
Cian Heasley, Principal Consultant at Acumen Cyber, said the incident demonstrates the destructive potential of so-called “wiper” attacks when attackers gain access to highly privileged systems.
“Reports of a large-scale wiper incident affecting medical technology provider Stryker Corporation show how damaging destructive cyber operations can be when attackers gain access to highly privileged systems,” Heasley said.
“Wiper attacks are different from financially motivated cybercrime because the goal is purely destructive with no attempt at extortion. The intention is to cause disruption by destroying systems and the data they contain.”
Heasley noted that incidents like this often hinge on attackers gaining control of administrative systems or device management platforms.
“There have been suggestions that device management platforms such as Microsoft Intune may have been involved in this specific incident. If an attacker gains control of a management platform or a privileged administrative account, they can push malicious commands across a large number of systems very quickly,” he said.
“The potential wider impact should not be overlooked either. When incidents affect organizations that support critical industries such as healthcare or medical supply chains, the consequences can extend well beyond the immediate target.”
Collin Hogue-Spears, senior director of solution management at Black Duck, said the group behind the attack has previously been linked by security researchers to Iranian intelligence operations.
“Handala brands itself as a pro-Palestinian hacktivist collective, but Check Point and Microsoft track the group as Void Manticore and Storm-0842 respectively, both linked to Iran’s Ministry of Intelligence and Security,” Hogue-Spears said.
He noted that the attack appears to have been retaliatory rather than financially motivated.
“This operation wiped over 200,000 systems across 79 countries to punish a surgical equipment maker for its U.S. defense ties and its acquisition of the Israeli orthopedic company OrthoSpace Ltd. The attack was retaliatory, not financial.”
According to one technical assessment, the attackers may have gained access to Stryker’s Microsoft Intune console, the mobile device management platform used to control the company’s global device fleet, and issued a mass wipe command.
“The console that pushes security patches to 200,000 machines is the same console that erased them,” Hogue-Spears said. “The weapon was not custom malware deployed endpoint by endpoint. The weapon was the management plane, doing exactly what it was designed to do under adversary control.”
He added that attackers may not have needed sophisticated exploits to carry out the operation.
“Handala did not need a zero-day. They needed one set of privileged credentials and the tools Stryker already paid for.”




