Stryker Corporation Cyberattack: Everything We Know as Recovery Begins
The Handala attack on Stryker Corporation is now confirmed as the most significant Iran-linked cyber strike on a U.S. company since Operation Epic Fury began February 28. Here is the complete, updated picture as of Thursday morning.
What Happened and When
Windows devices — including laptops and mobile phones connected to Stryker's networks — were remotely wiped. The Handala logo appeared on login screens across the company's global network. An internal company notice described "a severe, global disruption across the Windows environment impacting both client devices and servers" — and said Stryker had engaged Microsoft to help investigate.
Handala claimed to have struck an "unprecedented blow" to the company, wiping more than 200,000 servers, mobile devices, and other systems, and forcing Stryker to shut down offices in 79 countries. The group also claims to have extracted 50 terabytes of data and says it will make it public.
Stryker's Official Position
Stryker's latest statement to TechCrunch reads: "Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyberattack. We have no indication of ransomware or malware and believe the incident is contained. Our teams are actively working to restore systems and operations as quickly as possible. Stryker has business continuity measures in place, and we're committed to continuing to serve our customers."
The company's framing is precise but narrow. A wiper attack is by definition not ransomware: the purpose is destruction, not extortion. Neither Stryker nor any cybersecurity agency has officially confirmed that an Iranian group was behind the incident, though Handala's claim is consistent across multiple platforms and corroborated by employee accounts worldwide.
Verifone Also Hit
The attack didn't stop at Stryker. Handala posted that it had also carried out an attack on Verifone, which specializes in electronic and point-of-sale payment systems. AFP could not independently verify that claim. If confirmed, it would signal that the group is moving rapidly across multiple U.S. corporate targets.
The Hospital Supply Chain Question Nobody Can Answer Yet
It was unclear what immediate impacts, if any, the hack had on Stryker's provision of medical equipment to U.S. hospitals. Cybersecurity executives across the health sector told CNN on Wednesday they were on alert for any impacts.
Stryker produces defibrillators, ambulance cots, orthopedic implants, robotic surgery systems, and surgical instruments used in hospitals globally. Its disruption doesn't automatically mean devices stop functioning — but procurement, logistics, and servicing pipelines run through the same IT infrastructure that was wiped.
Joshua Corman, a cybersecurity expert focused on the health sector, was direct in his assessment. "Too much of cybersecurity is focused on lower consequence breaches from financially motivated enemies, while we're increasing our exposures to nation states and other enemies who seek to disrupt and destroy. China, Iran, Russia — all have the means, motive, and opportunity to deal us devastating disruptions."
FBI Director and Congress Respond
FBI Director Kash Patel said Tuesday — the day before the attack — that "the FBI is working 24/7 to stay ahead of the threat and implement a sweeping Cyber strategy pursuant to President Trump's 'Cyber Strategy for America.'" The timing was not coincidental. U.S. intelligence had flagged escalating Iranian cyber activity in the days prior.
Representative Bill Huizenga said he'd spoken with both Stryker and the Trump Administration, stating: "Early reports are connecting this attack to a group linked to Iran. If true, this continues to demonstrate the threat the Iranian regime poses to America, our allies, and our interests."
Stryker Stock and the Road to Recovery
Stryker shares slid 3.6% on Wednesday to close at $345.78, but moved higher after hours. Recovery from a wiper attack of this scale — 200,000 devices across 79 countries — requires rebuilding systems from clean backups or fresh installations, a process cybersecurity experts have said could take several months. If fully confirmed, the hack represents arguably the most significant cyber incident linked to the Iran war so far.
CISA has not publicly responded.