Iranian Cyber Attacks Hit U.S. Medical Giant Stryker as Iran Cyber Attack Wave Escalates

Iran's digital war against America just got real. A pro-Iranian hacker group wiped data from Stryker Corporation's global network Wednesday — the most damaging Iranian cyber attack on U.S. soil since Operation Epic Fury began 12 days ago — as federal agencies scrambled to assess whether patient care at hospitals was at risk. The Michigan-based medical device maker confirmed the breach. Its stock fell more than 3%.

It is the loudest shot fired yet in a cyber conflict that has been building since February 28.

What Happened to Stryker

Handala Hack claimed responsibility for the attack, calling it retaliation "for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance." The group allegedly wiped data from over 200,000 systems, servers, and employee devices across 60-plus countries.

Stryker confirmed it was "experiencing a global network disruption to our Microsoft environment as a result of a cyberattack," adding it had "no indication of ransomware or malware" and believed the incident was "contained."

Cybersecurity experts were not satisfied with that answer. "Stryker needs to quickly become more forthcoming as hospitals are faced with the dilemma of whether to cut off Stryker or not," one cybersecurity executive in the health sector told CNN. "Stryker publicly claims the situation is 'contained.' What does that mean?"

Stryker's Cork, Ireland facility — the company's largest outside the United States with up to 5,500 employees — was hit hardest, with manufacturing technology disabled.

Who Is Behind the Iranian Cyber Attacks

Handala is not a random hacker collective. The group is a hacktivist persona linked to Iran's Ministry of Intelligence and Security, blending data exfiltration with cyber operations against Israeli and Western political and defense targets. It sits at the center of a broader coordination structure.

Iran established what it calls an "Electronic Operations Room" on February 28, the same day Operation Epic Fury launched — a Telegram-based coordination hub for hacktivist operations across at least 60 active groups, including pro-Russian factions.

The Stryker attack also came alongside a separate claim: Handala says it breached Verifone, an Israeli-origin payment systems provider, and extracted transaction and financial data. That claim is unconfirmed.

The Bigger Threat: CISA Weakened, Defenses Stretched

The timing could not be worse for the federal government. The Cybersecurity and Infrastructure Security Agency is operating at reduced capacity due to the ongoing DHS government shutdown, with some furloughed workers on standby orders.

A current CISA employee, speaking anonymously for fear of retribution, said: "Some in the private sector are surprised that there's a furlough right now going on at CISA," noting uncertainty about when the agency would receive full funding.

The FBI and NSA have separately warned defense contractors — particularly those with ties to Israeli research and defense firms — that "Iranian-affiliated cyber actors may target U.S. devices and networks for near-term cyber operations."

What U.S. Intelligence Is Watching

A DHS bulletin issued to law enforcement agencies warned of a heightened threat environment following the killing of Iran's Supreme Leader Ayatollah Ali Khamenei, noting that two top Iranian religious leaders issued Farsi-language fatwas calling on Muslims worldwide to take revenge.

The financial sector is on high alert. U.S. security officials warned private companies that "ongoing claims and calls for cyberattacks targeting U.S. entities by Iranian-aligned groups could lead to an increase in malicious activity against the financial services sector."

Since the war began, Google's Threat Intelligence Group documented over 150 hacktivist-claimed incidents in the first 72 hours alone — DDoS floods, website defacements, and data-exfiltration operations hitting government, financial, aviation, telecom, and critical infrastructure sectors.

Google Threat Intelligence Group chief analyst John Hultquist offered a note of measured caution. "Iran has historically had mixed results with disruptive cyberattacks, and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact," Hultquist said.

The Department of Health and Human Services was still working Wednesday night to determine whether the Stryker breach posed any direct risk to patient care.