Handala Hackers Wipe Stryker Systems in Most Significant Iran Cyberattack on U.S. Company Yet

The Iran war just hit an American medical giant. Handala, a pro-Iranian hacktivist group, has claimed credit for a devastating cyberattack against Stryker Corporation — potentially marking the first known major cyber disruption of an American organization since the joint U.S.-Israeli strikes against Iran began on February 28. The attack is still unfolding.

"The Entire Company Is at a Complete Stop"

Medical technology giant Stryker Corporation suffered a major cyberattack Wednesday that crippled its global IT systems, wiped data from thousands of employee devices, and idled tens of thousands of workers worldwide. The attack struck around 3:30 a.m. ET. Hackers gained access to administrator accounts, pushed out an operating system reset to computers and phones connected to the company's network, and wiped many servers clean. Workers could not log into their accounts or use company applications.

A source with knowledge of the attack told KrebsOnSecurity the perpetrators appear to have weaponized Microsoft Intune — a legitimate cloud-based IT management service — to issue a remote wipe command against all connected devices globally. It's a brazen method: turning a company's own device management infrastructure against itself.

Handala's logo appeared on every compromised login page. Emails were sent directly to company executives claiming ownership of the attack.

What Handala Claims — and What Stryker Confirmed

In a lengthy Telegram manifesto, Handala claimed Stryker's offices in 79 countries have been forced to shut down after the group erased data from more than 200,000 systems, servers, and mobile devices and extracted 50 terabytes of data.

Stryker's own communications to employees were stark. An internal notice described "a severe, global disruption across the Windows environment impacting both client devices and servers," stating the issue was "widespread and significantly affecting users' ability to access systems and services."

The public statement was more measured. A Stryker spokesperson told Newsweek the company is "experiencing a global network disruption to our Microsoft environment as a result of a cyberattack," adding it had "no indication of ransomware or malware" and believed the incident was contained. Those two characterizations — severe internal disruption vs. contained external statement — tell different stories.

Why Stryker Was Targeted

Handala said the attack was retaliation for a U.S. missile strike on the Minab girls school in Tehran, which killed more than 175 people, most of them children. The geopolitical grievance is explicit. So is the corporate rationale.

Handala's manifesto referred to Stryker as a "Zionist-rooted corporation" — a reference to the company's 2019 acquisition of Israeli medical technology firm OrthoSpace. Stryker also holds significant contracts with the U.S. Department of Defense and the Department of Veterans Affairs. Both factors made the company a high-value symbolic target.

Palo Alto Networks has linked Handala to Iran's Ministry of Intelligence and Security, identifying it as one of several online personas maintained by Void Manticore, a MOIS-affiliated threat actor.

Ireland Hit Hard, Stock Drops

Ireland is home to Stryker's largest hub outside the United States, with 5,500 workers — roughly 4,000 of them in Cork alone — across six manufacturing facilities and three innovation centers. Staff in Cork are communicating via WhatsApp while systems remain down. Ireland's National Cyber Security Centre has been informed and is responding.

Shares of Stryker fell approximately 3% to 3.4% in trading following the news. The company reported $25 billion in global sales last year and employs approximately 56,000 people across 61 countries.

Smartech247 CEO Ronan Murphy issued a direct warning to the broader corporate world. "Any organisation has to be on very, very significant high alert to potentially be hit by these guys because they're quite sophisticated, they have a lot of resources."

Analysts warn that recovery from a wiper attack could take weeks or months, as wiped systems require rebuilding from backups or clean installations. Stryker has not released a timeline for full recovery.