A sophisticated cyberattack, attributed to an Iran-linked hacking group, has disrupted operations at Stryker, a global medical technology company headquartered in Kalamazoo, Michigan. The attack, reportedly a wiper attack designed to erase data, has impacted systems across 79 countries and prompted the company to send over 5,000 employees home in Ireland, its largest hub outside of the United States. The incident underscores the growing threat of cyberattacks targeting critical infrastructure, particularly within the healthcare sector.
Stryker, a major player in the medical device industry with approximately 56,000 employees worldwide and $25 billion in global sales in 2023, confirmed experiencing a building emergency at its U.S. headquarters. Initial reports indicate that the group, known as Handala (also referred to as Handala Hack Team), claimed responsibility for the attack in a statement posted to Telegram. The group alleges it erased data from over 200,000 systems, servers, and mobile devices. This disruption has already begun to affect healthcare providers, with at least one university medical system reporting an inability to order surgical supplies normally sourced through Stryker, highlighting the potential for a significant supply chain impact.
Iran-Linked Hacktivist Group Claims Responsibility
Handala has been linked to Iran’s Ministry of Intelligence and Security (MOIS) by security researchers at Palo Alto Networks. According to a report by Palo Alto Networks’ Unit 42, Handala surfaced in late 2023 and operates as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor. The group’s activities primarily focus on Israel, but have occasionally extended to targets outside that region when aligned with a specific agenda. Recent activity has been described as “opportunistic and ‘quick and dirty’,” with a focus on exploiting supply chain vulnerabilities to reach a wider range of victims. This attack on Stryker appears to be a continuation of that pattern.
A manifesto posted by the Iran-backed hacktivist group Handala, claiming a mass data-wiping attack against medical technology maker Stryker.
The Attack and Method of Operation
The attack comes amid heightened geopolitical tensions, with Handala citing a February 28 missile strike that reportedly killed at least 175 people, most of them children, in Iran as the motivation for the cyberattack. The New York Times reported that an ongoing military investigation has determined the United States was responsible for the deadly Tomahawk missile strike. While this claim is under investigation, it provides context for the group’s stated rationale.
Unlike traditional wiper attacks that rely on malicious software, initial analysis suggests the perpetrators exploited a Microsoft service, specifically Microsoft Intune, to remotely wipe devices. Intune is a cloud-based service used by IT departments to manage and secure devices, allowing for remote data deletion. Reports from Stryker employees on Reddit indicate that the company urged users to uninstall Intune urgently, suggesting the company recognized the vulnerability and attempted to mitigate the damage. This method of attack highlights a concerning trend of attackers leveraging legitimate administrative tools to cause widespread disruption.
Impact on Healthcare Supply Chains
The disruption at Stryker has already begun to ripple through the healthcare system. One healthcare professional at a major university medical system, speaking anonymously, reported an inability to order essential surgical supplies. This underscores the vulnerability of healthcare supply chains to cyberattacks, as Stryker is a major supplier of medical devices used in hospitals across the United States. John Riggi, national advisor for the American Hospital Association (AHA), stated that the AHA is actively exchanging information with the hospital field and the federal government to assess the impact of the attack, but as of March 12, 2026, no widespread supply chain disruptions have been confirmed. However, Riggi cautioned that the situation remains fluid and could change as hospitals evaluate their reliance on Stryker’s products and services.
Handala’s History and Tactics
Handala’s history of cyber activity reveals a pattern of targeting entities perceived as aligned with Israel or the United States. Palo Alto Networks has documented the group’s previous attacks against fuel systems in Jordan and an Israeli energy exploration company. The group’s tactics are characterized by a focus on quick, opportunistic attacks that leverage existing vulnerabilities and supply chain relationships. This approach allows them to amplify their impact and intimidate targets with minimal effort. The group’s manifesto, referencing Stryker as a “Zionist-rooted corporation” – a reference to Stryker’s 2019 acquisition of the Israeli company OrthoSpace – further illustrates this ideological motivation.
Microsoft Intune and Remote Wipe Capabilities
The use of Microsoft Intune in this attack raises concerns about the security of cloud-based device management systems. Intune, designed to enhance security, was seemingly turned against the company. Microsoft Intune allows IT administrators to enforce security policies, remotely wipe devices, and manage applications. While a powerful tool for security, it also presents a potential attack vector if compromised. The incident highlights the importance of robust access controls and security measures to protect these administrative systems from unauthorized access.
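As an added example (not from the article, Stryker or Microsoft), here is one way a defender could flag a single administrative account issuing remote wipes against many devices in a short period, working from device-management audit records. The record field names, account names, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def ev(minute, actor, action, device):
    """Build one constructed audit record (hypothetical field names)."""
    base = datetime(2026, 1, 5, 9, 0)  # arbitrary constructed start time
    return {"time": (base + timedelta(minutes=minute)).isoformat(),
            "actor": actor, "action": action, "device": device}


# Constructed sample data, not real audit output: a help desk account wiping
# two devices hours apart, and a second account wiping eight in four minutes.
SAMPLE_EVENTS = (
    [ev(0, "helpdesk@example.test", "wipe", "LAPTOP-001"),
     ev(95, "helpdesk@example.test", "wipe", "LAPTOP-002"),
     ev(100, "admin2@example.test", "sync", "LAPTOP-003")]
    + [ev(120 + i // 2, "admin2@example.test", "wipe", f"PHONE-{i:03d}")
       for i in range(8)]
)


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Alert once per actor that wipes >= threshold distinct devices in window."""
    wipes = sorted(
        ((datetime.fromisoformat(e["time"]), e["actor"], e["device"])
         for e in events if e["action"] == "wipe"),
        key=lambda w: w[0])
    recent = defaultdict(deque)   # actor -> (time, device) pairs inside window
    alerted, alerts = set(), []
    for when, actor, device in wipes:
        queue = recent[actor]
        queue.append((when, device))
        while when - queue[0][0] > window:   # drop wipes older than the window
            queue.popleft()
        distinct = {d for _, d in queue}
        if len(distinct) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "devices": len(distinct),
                           "window_start": queue[0][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(alert)
```

In practice the window and threshold would be tuned against the organization's normal volume of help desk wipes, and an alert would feed a control that can suspend the account before further actions run.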
The Irish Examiner reported that Stryker staff are communicating via WhatsApp for updates, and that login pages on company devices have been defaced with the Handala logo. This indicates a significant compromise of Stryker’s internal systems and a disruption of normal communication channels. The extent of the data compromised remains unclear, but the group claims to have acquired data from systems in 79 countries.
The situation remains dynamic, and investigations are ongoing. Stryker has not yet released a comprehensive statement detailing the full extent of the damage or the steps being taken to restore operations. The AHA is continuing to monitor the situation and coordinate with federal agencies to assess the potential impact on hospitals and healthcare providers. Further updates are expected as the investigation progresses and more information becomes available.
Update, 2:54 p.m. ET: Added comment from John Riggi, national advisor for the American Hospital Association, and perspectives on this attack’s potential to turn into a supply-chain problem for the healthcare system.
The next key development will likely be a more detailed statement from Stryker outlining the scope of the breach, the data potentially compromised, and the timeline for restoring full operations.