The Handala hacking group claimed responsibility for hitting the Michigan medical device giant — using Stryker’s own device management software to factory-reset employee phones and laptops, sending shares down more than 3%.
The Stryker cyberattack that paralyzed the medical device company’s global Microsoft systems on Wednesday appears to be the first significant Iranian-linked hack against a major American corporation since the United States and Israel began bombing Iran last month. The attack sent Stryker’s stock down more than 3% and left employees at locations including Boise, Idaho unable to access their networks, with the company instructing them not to connect to any Stryker VPN or software on any device.
What happened inside Stryker’s systems tells a more precise story than most corporate cyberattack disclosures do. According to cybersecurity researchers, this was not a ransomware attack. It was something closer to a deliberate act of erasure.
What the Stryker Cyberattack Actually Did
Rafe Pilling, director of threat intelligence at cybersecurity firm Sophos — which has formally tied the Handala hacking group to Iran’s Intelligence Ministry — explained the mechanism. Hackers appear to have obtained access to Stryker’s account on Microsoft Intune, a corporate device management platform that companies use to remotely monitor and control employee laptops and phones.
“They seem to have obtained access to the Microsoft Intune management console. This is a solution for managing corporate devices,” Pilling said. “One of the features is the ability to remotely wipe a device if it’s lost or stolen. Looks like they triggered that for some or all of the enrolled devices.”
Microsoft’s own documentation describes that remote wipe feature as designed for devices that need to be “retired, repurposed, reset for troubleshooting, or securely erased if lost or stolen.” In Handala’s case, it was used as a weapon.
A Stryker employee based in Boise, Idaho confirmed the attack to Fox Business, saying coworkers’ work phones were wiped Wednesday morning. The employee, who was not authorized to speak on behalf of the company, said they were told to avoid connecting to any Stryker VPN networks or software on any device.
Stryker’s computers in Ireland were also hit, according to local media reports. The company serves more than 150 million patients through its health equipment and services.
In a statement posted to its website, Stryker confirmed the disruption but said it found no evidence of ransomware or malware, and believed the incident was contained. “Our teams are working rapidly to understand the impact of the attack on our systems,” the company said. “Stryker has business continuity measures in place to continue to support our customers and partners.”
Who Is Handala, and Why Did They Target Stryker?
Handala Team claimed responsibility in posts on its Telegram and X accounts. The group, which social media platforms have repeatedly removed and which routinely creates new accounts after takedowns, described Stryker as a “Zionist-rooted corporation” and framed the attack as retaliation for a missile strike on an elementary school in Iran. Iranian state media has claimed that strike killed at least 168 children. The Pentagon says it is investigating the incident.
Handala also claimed 200,000 systems were affected in the Stryker attack and that 50 terabytes of data were extracted. Stryker has not confirmed those figures. The company did not respond to further requests for comment.
The same group claimed it also breached Verifone, a New York City-based company that provides electronic payment technology to roughly 75% of the country’s top retailers. Verifone flatly denied it. “We have observed recent allegations on March 11 from threat actors claiming an intrusion into our systems in Israel,” a Verifone spokesperson told Fox Business. “Verifone has found no evidence of any incident related to this claim and has no service disruption to our clients.”
The Geopolitical Context: A Shift in Iranian Hacking Activity
Until Wednesday, Iran-linked hackers had been largely quiet in targeting U.S. organizations since the war with Israel began. Security firms monitoring Iranian threat groups told CNN they had seen mostly espionage activity — probing networks, tracking communications — rather than destructive attacks. Email security company Proofpoint said it had observed only one notable hacking campaign since the war started: an attempt to breach a U.S. think tank employee.
The Stryker incident appears to mark a shift. U.S. intelligence officials had already warned of the possibility that Tehran-linked hackers would retaliate for the U.S. and Israeli bombing campaign. A CNN report published Tuesday, the day before the attack, cited those warnings directly.
Iran has a documented history of using destructive “wiper” attacks against its geopolitical enemies. The Saudi Aramco attack in 2012 erased data on tens of thousands of computers at the Saudi national oil company. Iranian hackers hit the Sands Casino in Las Vegas in 2014 in a similar fashion. Those attacks are widely regarded as among the most damaging corporate cyberattacks ever attributed to a nation-state actor.
“Too much of cybersecurity is focused on lower consequence breaches from financially motivated enemies, while we’re increasing our exposures to nation states and other enemies who seek to disrupt and destroy,” Joshua Corman, a cybersecurity expert who has spent years focused on the health sector, told CNN. “China, Iran, Russia — all have the means, motive, and opportunity to deal us devastating disruptions.”
The Wall Street Journal was first to report the pro-Iran connection to the Stryker hack. Stryker’s shares fell more than 3% following that report.
What This Means for Healthcare Cybersecurity
Stryker produces a wide range of hospital equipment — defibrillators, ambulance cots, surgical robotics, orthopedic implants, and trauma systems. Its products are used in hospitals and operating rooms globally. As of Wednesday, there was no confirmed evidence that the attack had directly affected patient care or that hospital equipment in clinical use had been disrupted.
That caveat matters, but so does the underlying risk. When a company this embedded in healthcare supply chains has employee devices wiped across multiple countries simultaneously, the question of downstream impact does not resolve immediately. Cybersecurity executives across the health sector told CNN on Wednesday they were on alert.
The technique used — turning a company’s own device management infrastructure against it — also raises a particular concern for security professionals. Microsoft Intune is used by tens of thousands of organizations globally. Gaining unauthorized access to an Intune console gives attackers the ability to neutralize corporate devices at scale without ever deploying traditional malware, which is precisely why Stryker’s statement reported no evidence of ransomware or malware: technically, none was needed.
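Because no malware is involved, the detectable signal sits in the management console's own audit trail. The sketch below is an added defensive example, not code from Stryker, Sophos or Microsoft: it flags any account that wipes many distinct devices in a short window. The event schema, account names, action labels, window and threshold are all constructed assumptions, not the Intune log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. Field names are a simplified, hypothetical export
# schema (an assumption), not the literal Intune audit log format.
SAMPLE_EVENTS = [
    # Routine help-desk activity: two wipes, hours apart.
    {"time": "2026-01-05T09:12:00", "actor": "helpdesk@example.com",
     "action": "wipe", "device": "LAPTOP-0141"},
    {"time": "2026-01-05T10:01:00", "actor": "helpdesk@example.com",
     "action": "sync", "device": "LAPTOP-0190"},
    {"time": "2026-01-05T14:40:00", "actor": "helpdesk@example.com",
     "action": "wipe", "device": "PHONE-0377"},
] + [
    # One admin account wiping a different device every second.
    {"time": f"2026-01-05T16:00:{i:02d}", "actor": "admin2@example.com",
     "action": "wipe", "device": f"DEV-{i:04d}"}
    for i in range(12)
]

DESTRUCTIVE_ACTIONS = {"wipe", "retire"}  # assumed action labels


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Flag actors who hit `threshold` distinct devices inside `window`."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        now = datetime.fromisoformat(ev["time"])
        queue = recent[ev["actor"]]
        queue.append((now, ev["device"]))
        while now - queue[0][0] > window:  # drop events older than the window
            queue.popleft()
        devices = {device for _, device in queue}
        if len(devices) >= threshold:
            alert = alerts.setdefault(
                ev["actor"], {"triggered_at": now, "devices": set()})
            alert["devices"] |= devices  # keep accumulating the blast radius
    return alerts


if __name__ == "__main__":
    for actor, alert in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"{actor}: {len(alert['devices'])} devices wiped, "
              f"threshold crossed at {alert['triggered_at'].isoformat()}")
```

The threshold has to sit above normal help-desk volume; the same rule with a looser window and lower threshold also flags the routine account in the sample data.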
FAQ
Q1: What happened in the Stryker cyberattack? Stryker, the Michigan-based medical device company, experienced a global disruption to its Microsoft systems after a pro-Iranian hacking group called Handala gained access to the company’s Microsoft Intune device management console and remotely wiped employee devices back to factory settings. Stryker confirmed the attack on Wednesday, March 11, 2026, saying it found no evidence of ransomware or malware and believed the incident was contained.
Q2: Who is the Handala hacking group behind the Stryker cyberattack? Handala Team is a pro-Iranian hacktivist group that cybersecurity firm Sophos has formally tied to Iran’s Intelligence Ministry. The group claimed responsibility for the Stryker attack via posts on Telegram and X, framing it as retaliation for a U.S.-Israeli missile strike on an Iranian elementary school. Handala routinely claims large-scale breaches on social media; its Stryker claims of 200,000 systems affected and 50 terabytes of data stolen have not been confirmed by the company.
Q3: How exactly did the hackers disrupt Stryker’s systems? According to Rafe Pilling, director of threat intelligence at Sophos, the attackers appear to have accessed Stryker’s Microsoft Intune management console — a platform corporations use to manage employee devices. From there, they triggered the remote wipe feature, resetting some or all enrolled employee devices to factory settings. This is why Stryker reported no ransomware or malware: the attack exploited a legitimate corporate tool rather than deploying traditional malicious software.
Q4: How did the Stryker cyberattack affect stock prices? Stryker’s stock (ticker: SYK) fell more than 3% — closing down $12.87 at $345.82 — after the Wall Street Journal reported the suspected pro-Iran connection to the attack. The stock decline reflected investor concern about the scope of the disruption and its potential operational impact.
Q5: Were patients or hospital equipment affected by the Stryker cyberattack? As of Wednesday, there was no confirmed evidence that patient care or clinical hospital equipment was directly disrupted. Stryker said it has business continuity measures in place to support customers and partners. However, cybersecurity executives across the healthcare sector told CNN they were on alert and monitoring for any downstream impacts given Stryker’s deep integration into global hospital supply chains.
Sources & References
- CNN — Pro-Iran Hackers Claim Cyberattack on Major US Medical Device Maker
- NBC News via Yahoo News — Iran Appears to Have Conducted a Significant Cyberattack Against a U.S. Company
- Fox Business — Medical Device Giant Hit by Global Network Disruption After Cyberattack Possibly Linked to Pro-Iranian Group
- Stryker Official Statement — A Message to Our Customers
- Sophos Threat Intelligence — Handala Group Attribution
- Proofpoint — Iran Conflict Drives Heightened Espionage Activity





