U.S.-based medical technology company Stryker confirmed that a recent cyberattack linked to Iran significantly disrupted its global operations, affecting manufacturing, shipping, and order processing. The attack exploited endpoint management tools rather than traditional malware, highlighting a sophisticated “living-off-the-land” approach.
In its latest statement, Stryker said the intrusion targeted its Microsoft environment exclusively and did not involve its operational technology (OT) systems. The company emphasized that business continuity measures were implemented to minimize impacts on customers and partners.
“This incident has caused disruptions to order processing, manufacturing, and shipping,” Stryker said. “We are working diligently to restore systems and ensure seamless patient care.”
Attack Details
The hacker group Handala, which claims affiliation with Iranian state-sponsored actors, has taken responsibility for the breach. The group asserted that it wiped over 200,000 devices, including phones, and exfiltrated approximately 50 TB of data from Stryker systems.
Contrary to early reports suggesting wiper malware, evidence now indicates that the attackers leveraged Microsoft Intune, a cloud-based endpoint management service, to remotely wipe devices. Stryker confirmed no malware or ransomware was detected during its investigation. Cybersecurity experts describe this technique as a sophisticated abuse of legitimate administrative tools to cause maximum disruption.
Support staff, engineers, and administrative personnel at Stryker’s largest international hub in Ireland were reportedly sent home and relied on messaging apps like WhatsApp for updates on resuming work.
Handala’s Rising Activity
Handala has intensified operations since the escalation of the U.S.-Israel-Iran conflict in late February, targeting organizations perceived as aligned with Israel and its allies. While the group presents itself as a pro-Palestinian hacktivist entity, cybersecurity researchers widely view it as a front for Void Manticore, an Iranian state-linked actor operating under the Ministry of Intelligence and Security (MOIS).
The group has previously conducted destructive attacks, including wiping military servers, exfiltrating corporate data, compromising surveillance systems, and publicly exposing sensitive intelligence information. Many of Handala’s claims are disseminated through Telegram and X, although independent verification is often limited.
Stryker, a global manufacturer of surgical equipment, orthopedic implants, and neurotechnology, reported revenues of $25 billion in 2025, underscoring the potential scale and impact of the attack on the healthcare sector.