Stryker Cyberattack: Handala Wipes 200,000 Devices, Recovery Could Take Months
The full picture of Wednesday's Handala attack on Stryker Corporation is becoming clearer — and it's worse than the company's cautious public statement suggests. The Portage, Michigan-based medical device manufacturer has been effectively shut down globally, with all 56,000 employees worldwide idled after the attack wiped systems across 79 countries. Stryker's Kalamazoo headquarters closed entirely, with signs on doors instructing employees to stay off the network and away from their computers.
What Happened Inside Stryker's Buildings
An internal message to employees described "a severe, global disruption impacting all Stryker laptops and systems that connect to the network," instructing workers not to connect through any device or mobile app — including Microsoft Outlook and Microsoft Teams. The notification told staff that security experts and law enforcement had been contacted.
Many of Stryker's global systems were wiped, and login pages across the company's network were replaced with Handala's logo instead of standard authentication screens. The attack vector was Microsoft Intune — the company's own cloud-based device management platform was weaponized to push a remote wipe command to every connected device simultaneously. Employees arriving Wednesday morning found phones, laptops, and workstations completely erased.
Employees in Australia reported being locked out of company-linked phones and instructed to remove Microsoft Intune from personal devices as well — a sign the attack's reach extended into employee-owned hardware enrolled in Stryker's mobile device management program.
Stryker's Official Position vs. The Reality on the Ground
Stryker's public statement has been carefully worded and notably narrow. "We have no indication of ransomware or malware and believe the incident is contained. Our teams are working rapidly to understand the impact of the attack on our systems," the company told CNN.
That framing — no ransomware, no malware — is technically precise but strategically misleading. A wiper attack doesn't deploy ransomware. It simply destroys. The Irish Examiner confirmed the attack is classified as a wiper attack, in which data is obliterated and cannot be retrieved — a category considered more severe than ransomware because extortion isn't the goal. The purpose is pure destruction, driven by political motivation.
As of Wednesday morning, Stryker had not disclosed the cyberattack to federal securities regulators — a notable omission given the company's $131 billion market valuation and publicly traded status on the NYSE. Shares dropped approximately 3.5%.
Why Stryker, Why Now
Handala's targeting logic is explicit. The group stated in its claim of responsibility that it attacked Stryker in retaliation for the U.S. bombing of the Minab girls' school in Tehran, which killed more than 175 people, most of them children. The Pentagon is investigating that incident.
The corporate connection to Israel sealed the choice. In 2019, Stryker acquired Israeli medical technology company OrthoSpace. Last year, the company won a $450 million contract to supply medical devices to the U.S. Department of Defense — making it simultaneously an Israeli-linked corporation and a direct U.S. military contractor. From Handala's perspective, it was an ideal target.
Handala has simultaneously claimed to have broken into the website of the Academy of the Hebrew Language and compromised multiple oil and gas installations across Israel, Jordan, and Saudi Arabia. The Israeli National Cyber Directorate said it was working to intercept a wave of Iranian cyberattacks on Israeli civilian companies.
Congress Responds, Experts Warn of a Long Road
Representative Bill Huizenga, a Michigan Republican whose district includes Stryker's headquarters, said his office is in contact with both the company and the Trump Administration, calling the attack further evidence of the threat Iran poses to American interests.
Cybersecurity expert Scott Bailey was unsparing about the recovery timeline. "This does not just give them a few days, and they're going to be up and running. They are going to be recovering from this probably for several months," Bailey said, adding that any global company without confidence in its cybersecurity measures should treat this as a direct warning.
"Right now, the Iranian missiles and drones obviously can't reach us. So how do you inflict pain? This is the best way to do it," Bailey said.
The U.S. Cybersecurity and Infrastructure Security Agency had not responded to press requests as of Wednesday evening ET.