A sophisticated cyberattack, attributed to an Iran-linked hacking group, has disrupted operations at Stryker, a global medical technology company headquartered in Kalamazoo, Michigan. The attack, which began on March 11, 2026, has impacted Stryker’s systems in 79 countries and prompted the company to send over 5,000 employees home in Ireland, its largest hub outside of the United States. The incident highlights the growing threat of cyberattacks targeting critical infrastructure, particularly within the healthcare sector.
The hacktivist group, known as Handala (also referred to as Handala Hack Team), claimed responsibility for the attack in a statement posted to Telegram. According to security experts, Handala is linked to Iran’s Ministry of Intelligence and Security (MOIS) and operates as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor. The group alleges it erased data from more than 200,000 systems, servers, and mobile devices, effectively shutting down Stryker’s offices worldwide. A manifesto posted by the group, defacing Stryker’s login pages with the Handala logo, has been widely circulated online.
A manifesto posted by the Iran-backed hacktivist group Handala, claiming a mass data-wiping attack against medical technology maker Stryker.
Stryker, which reported $25 billion in global sales in 2025, has 56,000 employees across 61 countries. The company has stated it does not believe the disruption involves ransomware or malware, but rather a targeted attack. Employees have reported receiving text messages indicating a “severe, global disruption” impacting all Stryker laptops and systems connected to the network. A voicemail message at Stryker’s Michigan headquarters confirmed a “building emergency,” directing callers to try their calls later.
A Novel Attack Vector: Microsoft Intune
Although wiper attacks typically involve malicious software, security researchers believe the perpetrators in this case exploited a Microsoft service called Microsoft Intune. According to a source with knowledge of the attack, the group appears to have used Intune to issue a ‘remote wipe’ command against connected devices. Intune is a cloud-based solution used by IT teams to enforce security policies and manage devices. This account is supported by discussions on Reddit, where Stryker employees reported being instructed to uninstall Intune urgently.
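A defender-side illustration of the scenario described above, added here and not taken from Stryker, Microsoft or the original report: a sliding-window check that flags any management account issuing destructive device actions against many distinct devices in a short period. The record fields (time, actor, action, device), the action labels, the thresholds and the sample events are all constructed for this example and do not reproduce Intune's audit log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed labels for destructive remote actions in a normalized audit feed.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}

def make_event(ts, actor, action, device):
    """Build one normalized audit record (field names are assumptions)."""
    return {"time": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "device": device}

# Constructed sample data: routine helpdesk activity, then a burst of wipes.
SAMPLE_EVENTS = [
    make_event("2026-01-05T09:00:00", "helpdesk@example.com", "wipe", "LAPTOP-001"),
    make_event("2026-01-05T13:30:00", "helpdesk@example.com", "wipe", "LAPTOP-002"),
    make_event("2026-01-05T14:00:00", "helpdesk@example.com", "sync", "LAPTOP-003"),
] + [
    make_event(f"2026-01-06T02:0{i}:00", "admin2@example.com", "wipe", f"DEV-{i:03d}")
    for i in range(8)
]

def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: {"first_alert", "max_devices"}} for every actor that hit
    at least `threshold` distinct devices with destructive actions in `window`."""
    recent = defaultdict(deque)   # actor -> (time, device) pairs inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        # Drop entries that have aged out of the sliding window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        distinct = len({device for _, device in q})
        if distinct >= threshold:
            hit = alerts.setdefault(
                ev["actor"], {"first_alert": ev["time"], "max_devices": 0})
            hit["max_devices"] = max(hit["max_devices"], distinct)
    return alerts

if __name__ == "__main__":
    for actor, hit in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {hit['max_devices']} devices, "
              f"threshold crossed at {hit['first_alert'].isoformat()}")
```

Failed attempts are counted as well as successful ones, since a burst of rejected wipe requests from one account is also worth an analyst's attention.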
Retaliation and Geopolitical Context
Handala claims the attack was in retaliation for a February 28 missile strike that reportedly killed at least 175 people, most of them children, at an Iranian school. The New York Times reported that an ongoing military investigation determined the United States was responsible for the deadly Tomahawk missile strike. The group also referred to Stryker as a “Zionist-rooted corporation,” potentially referencing the company’s 2019 acquisition of the Israeli company OrthoSpace.
Supply Chain Concerns and Healthcare Impact
The attack on Stryker is already causing disruptions within the healthcare system. One healthcare professional at a major university medical system in the United States reported being unable to order surgical supplies normally sourced through Stryker, highlighting the potential for a real-world supply chain attack. John Riggi, national advisor for the American Hospital Association (AHA), stated the AHA is actively exchanging information with the hospital field and the federal government to assess the impact on hospital operations, but as of March 12, 2026, had not yet identified any direct disruptions to U.S. hospitals.
A memo from the Maryland Institute for Emergency Medical Services Systems indicated that some hospitals have temporarily disconnected from Stryker’s online services, including LifeNet, which allows paramedics to transmit EKGs to emergency physicians. This disconnection, while a precautionary measure, could potentially delay critical treatment for heart attack patients.
Previous Activity and Targeting
Palo Alto Networks has profiled Handala, noting its activity primarily focuses on Israel, with occasional targeting outside that scope when it aligns with a specific agenda. The security firm also reported Handala has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploration company. Palo Alto researchers describe Handala’s activities as “opportunistic and ‘quick and dirty,’ with a noticeable focus on supply-chain footholds.”
The Irish Examiner reported that Stryker staff in Cork, Ireland, are communicating via WhatsApp for updates, and that devices connected to the network have been wiped.
The situation remains fluid. Stryker has not yet provided a timeline for full system restoration. The company is working to understand the full impact of the attack and has stated its commitment to transparency. Further updates are expected as the investigation progresses.
