On March 11, 2026, medical technology giant Stryker confirmed that it “is experiencing a global network disruption to our Microsoft environment as a result of a cyber attack.” The Iran-linked hacking group known as Handala claimed responsibility for the attack, calling it retaliation for a deadly missile strike on a school in Iran. With over 200,000 devices wiped across 79 countries, this targeted attack on Stryker represents one of the most destructive cyber operations ever carried out against a US company in the medical device sector. This article breaks down exactly what happened, who was behind the attack, what it means for enterprise cybersecurity, and what steps organizations can take right now to protect themselves from similar threats.
Stryker Corporation, one of the largest medical technology companies in the world with $25 billion in annual revenue, woke up on March 11 to a devastating reality. Stryker employees across Ireland, the United States, Australia, and India found their laptops, phones, and servers wiped clean of all data. Login screens displayed the logo of Handala, a pro-Iran hacker group, instead of the usual Windows interface. Within hours, Stryker sent more than 5,000 workers home from its Irish operations alone and shut down offices in dozens of countries.
The company said in a statement that it had “no indication of ransomware or malware and believe the incident is contained.” However, the sheer scope of the disruption told a different story. Stryker said it had activated its cybersecurity response plan and brought in external cybersecurity experts to assess and contain the threat; its SEC filing confirmed that the cyberattack caused a global disruption to the company’s Microsoft environment. The timeline for full recovery remains unknown. Stryker has business continuity measures in place to continue serving customers and partners, but the operational damage is extensive.
A voicemail at Stryker’s Michigan headquarters simply stated the company was “experiencing a building emergency.” Staff communicated through WhatsApp because corporate email systems were offline. Anyone with Microsoft Outlook on personal phones had those mobile devices wiped as well. Products like the Mako surgical robot and LifePak35 defibrillator remain safe to use, but supply chain systems including the critical LifeNet platform used by paramedics to transmit EKGs went down across multiple states.
The group Handala claimed responsibility shortly after the attack began, posting a lengthy manifesto on Telegram. Also known as the Handala Hack Team, this hacking group has been active since late 2023 and is assessed by Palo Alto Networks’ Unit 42 as one of several online personas maintained by Void Manticore, an actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Cybersecurity firm Flashpoint confirmed that while Handala presents itself as a grassroots resistance movement, its tactics are “far more consistent with activity linked to Iranian state actors than with independent hacktivism.”
There is also significant overlap between Handala and a state-backed group linked to Iran’s Islamic Revolutionary Guard Corps known as APT34, according to research from Optiv and other cyber threat intelligence firms. Before targeting Stryker, Handala had primarily focused on Israeli targets. Previous operations included attacks on fuel systems in Jordan and an Israeli energy exploration company. The Stryker medical attack marks the first time this Iranian cyber threat actor has disruptively targeted a major US enterprise, a significant escalation in the ongoing cyber conflict between Tehran and Washington.
Handala explicitly stated that the attack came “in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure” of Iran and its allies. The hackers were referring to a February 28 missile strike that hit a girls’ school in Minab, Iran, killing at least 175 people, most of them children. A U.S. military investigation has since determined that the United States was responsible for the deadly strike, which employed Tomahawk missiles during ongoing joint operations with Israeli forces.
Beyond the Minab school connection, Stryker’s 2019 acquisition of Israeli medical technology company OrthoSpace likely put it on Handala’s radar. The manifesto referred to Stryker as a “Zionist-rooted corporation.” This pattern of targeting companies with Israeli business ties is consistent with how pro-Tehran hacking groups have historically selected victims. Since the U.S. and Israel began joint military operations against Iran in late February 2026, experts had warned that destructive cyber operations by both Iranian state-backed groups and hacktivists were inevitable. The Stryker incident proved those warnings correct.
What makes the Stryker cyber incident technically remarkable is that no traditional malware was involved. According to a source who spoke to KrebsOnSecurity on condition of anonymity, the attackers compromised administrator credentials for Stryker’s Microsoft 365 tenant and then weaponized Microsoft Intune, the company’s own cloud-based endpoint management platform, to issue remote wipe commands to every device it managed.
Microsoft Intune is a legitimate tool designed for IT teams to enforce security policies and manage devices at scale. The attackers essentially turned Stryker’s own IT management infrastructure against itself, a technique sometimes called “living off the land.” This approach is consistent with how 65% of initial access in recent incidents is driven by identity-based techniques, according to Unit 42’s 2026 Global Incident Response Report. The result was catastrophic: more than 200,000 systems, servers, and mobile devices across Stryker systems worldwide were wiped clean in a matter of hours.
This was not a Microsoft platform breach. Intune performed exactly as designed. The failure was in how Stryker managed privileged access to its own Microsoft environment. Two specific security controls, Privileged Identity Management (PIM) and administrative unit scoping, would have prevented the entire attack. Both are available within licensing that most enterprise organizations already own.
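A wipe issued through the management plane leaves a trail in the Intune audit log, so the defensive counterpart to the technique described above is a burst detector over that log. The following is an added example, not Stryker’s or Microsoft’s code: the events are constructed, and their simplified shape (activityType, activityResult, activityDateTime, actor) is modelled on the Microsoft Graph Intune auditEvent resource but is an assumption to check against your own export.

```python
"""Burst detection for device wipe/retire actions in an Intune audit log.

Added example, not Stryker's or Microsoft's code. Event shape is a
simplified assumption based on the Graph Intune auditEvent resource.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names treated as destructive: "retire" removes corporate data,
# "wipe" factory-resets the device.
DESTRUCTIVE = ("wipe", "retire")

def is_destructive(event):
    act = event["activityType"].lower()
    return event["activityResult"] == "Success" and any(d in act for d in DESTRUCTIVE)

def mass_wipe_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak_count} for actors that issued >= threshold successful
    wipe/retire actions inside any sliding window of the given length."""
    per_actor = defaultdict(list)
    for e in events:
        if is_destructive(e):
            per_actor[e["actor"]["userPrincipalName"]].append(
                datetime.fromisoformat(e["activityDateTime"].replace("Z", "+00:00")))
    alerts = {}
    for actor, times in per_actor.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts

def _event(actor, activity, when, result="Success"):
    return {"activityType": activity, "activityResult": result,
            "activityDateTime": when, "actor": {"userPrincipalName": actor}}

# Constructed sample: one account wipes six devices within five minutes, a
# helpdesk user retires a single device, and one further wipe attempt fails.
SAMPLE_EVENTS = [_event("it-admin@example.com", "wipe ManagedDevice", f"2026-03-11T02:0{i}:00Z")
                 for i in range(6)]
SAMPLE_EVENTS += [_event("helpdesk@example.com", "retire ManagedDevice", "2026-03-11T02:03:30Z"),
                  _event("it-admin@example.com", "wipe ManagedDevice", "2026-03-11T02:06:00Z", "Fail")]

if __name__ == "__main__":
    print(mass_wipe_alerts(SAMPLE_EVENTS))  # {'it-admin@example.com': 6}
```

Tune the threshold to your own helpdesk baseline; a single admin retiring a handful of devices a day is normal, hundreds in minutes is not.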
The impact of the attack extends far beyond Stryker’s own walls. As a medical company supplying surgical equipment to hospitals worldwide, the disruption immediately rippled into the broader healthcare system. One healthcare professional at a major US medical university told KrebsOnSecurity that surgical supply orders through Stryker had completely stopped. “Pretty much every hospital in the U.S. that performs surgeries uses their supplies,” the source said.
In Maryland, the state’s EMS medical director issued a notice that Stryker’s LifeNet system, which paramedics use to transmit electrocardiogram data to emergency physicians for heart attack patients, was “non-functional in most parts of the state.” Hospitals were instructed to fall back on radio consultations. Several hospitals across the country proactively disconnected from Stryker systems as a precautionary measure. This is a real-world supply chain attack with direct implications for patient care, even if Stryker’s medical equipment itself remains physically safe to operate.
Stryker said its teams “are working rapidly to understand the impact of the attack on our systems.” The SEC filing made clear that the incident “is expected to continue to cause disruptions and limitations of access to certain of the Company’s information systems.” Financial impacts remain unclear, though Stryker shares fell more than 3% following initial reports.
The Cybersecurity and Infrastructure Security Agency responded swiftly. CISA Acting Director Nick Andersen said in a statement that the agency has launched an investigation into the incident and is providing information and technical assistance in response to the targeted attack on Stryker. “We are working shoulder-to-shoulder with our public- and private‑sector partners as we continue to uncover relevant information and provide technical assistance,” Andersen stated, adding that CISA stands “at the ready to defend our nation’s critical infrastructure.”
The Department of Health and Human Services also scrambled to assess potential impacts on patient care. The Healthcare and Public Health Sector Coordinating Council held an emergency briefing on the evening of March 11. The FBI had issued warnings in the days before the Stryker incident about Iranian cyber threats targeting U.S. companies, and a joint NSA, CISA, FBI, and DC3 advisory from June 2025 had specifically warned that Iranian state-sponsored actors were actively targeting U.S. critical infrastructure.
Cybersecurity experts overwhelmingly view the Stryker attack as a harbinger of more to come. Since the U.S.-Israel military campaign against Iran began in late February 2026, several alleged Iranian groups have defaced websites, conducted espionage incursions, and launched DDoS attacks. But no major cyber incident was reported until Handala struck Stryker. Email security firm Proofpoint noted that its tracking of known Iranian groups had only turned up one hacking campaign, an attempt to compromise a US think tank employee, since the war began.
That relative quiet appears to be over. Symantec and Carbon Black researchers have found backdoors planted by an Iranian state-linked actor called MuddyWater (also known as Seedworm) on the networks of multiple U.S. firms as recently as early March 2026. This suggests pre-positioning for future destructive cyber operations. As cybersecurity expert Joshua Corman put it: “China, Iran, Russia all have the means, motive, and opportunity to deal us devastating disruptions.” The Stryker breach may be the first strike in what becomes a sustained campaign of cyber conflict targeting US medical companies and other sectors.
The Stryker incident offers a stark lesson for every organization relying on cloud-based endpoint management. The attackers did not deploy exotic zero-day exploits. They did not use sophisticated malware. They compromised admin credentials and pressed buttons that Intune provides to every IT administrator. That simplicity is what makes this cyber threat so alarming for enterprises everywhere.
Organizations should immediately audit privileged access to their Microsoft environment and any other cloud management platforms. Implementing Privileged Identity Management (PIM) forces administrators to request just-in-time elevation rather than holding standing admin roles. Administrative unit scoping limits the blast radius of any single compromised account. Multi-factor authentication should be enforced on every identity with administrative privileges, period. These are not advanced controls. They are baseline hygiene that Stryker apparently lacked.
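The three controls named above (PIM just-in-time elevation, administrative unit scoping, and MFA on every admin) can be checked mechanically against a tenant’s role assignments. The following is an added example, not Stryker’s or Microsoft’s code: the assignment records are constructed, their shape (principal, role, assignment, scope, mfa_registered) is an assumption rather than a Graph API response, and which roles Entra allows to be scoped to an administrative unit should be confirmed against current documentation.

```python
"""Audit Entra ID role assignments for standing privilege, tenant-wide scope
and missing MFA. Added example with constructed data; the record shape and
the role lists below are assumptions, not Microsoft's API or Stryker's code.
"""

# Roles whose holders can push device actions across the whole tenant.
PRIVILEGED = {"Global Administrator", "Intune Administrator"}
# Roles that should be assigned over an administrative unit rather than "/".
# Global Administrator is deliberately absent: it cannot be AU-scoped, which
# is why it should only ever be held as a PIM-eligible assignment.
AU_SCOPABLE = {"Intune Administrator", "User Administrator", "Helpdesk Administrator"}

def audit_assignments(assignments):
    """Return a list of (principal, finding) tuples, one per control violated."""
    findings = []
    for a in assignments:
        who, role = a["principal"], a["role"]
        if role in PRIVILEGED and a["assignment"] == "permanent":
            findings.append((who, f"standing {role}: convert to a PIM-eligible assignment"))
        if role in AU_SCOPABLE and a["scope"] == "/":
            findings.append((who, f"{role} is tenant-wide: scope it to an administrative unit"))
        if (role in PRIVILEGED or role in AU_SCOPABLE) and not a["mfa_registered"]:
            findings.append((who, f"{role} holder has no MFA registered"))
    return findings

# Constructed sample tenant: one standing global admin, one tenant-wide Intune
# admin with no MFA, and one correctly scoped, PIM-eligible helpdesk role.
SAMPLE = [
    {"principal": "ga-admin@example.com", "role": "Global Administrator",
     "assignment": "permanent", "scope": "/", "mfa_registered": True},
    {"principal": "intune-ops@example.com", "role": "Intune Administrator",
     "assignment": "permanent", "scope": "/", "mfa_registered": False},
    {"principal": "emea-helpdesk@example.com", "role": "Helpdesk Administrator",
     "assignment": "eligible", "scope": "/administrativeUnits/emea", "mfa_registered": True},
]

if __name__ == "__main__":
    for principal, finding in audit_assignments(SAMPLE):
        print(f"{principal}: {finding}")
```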
Threat intelligence sharing between industry peers, government agencies, and cybersecurity vendors has never been more critical. Enterprises should also consider whether their data transfer and file management infrastructure can withstand a wiper-style attack. Redundant, air-gapped backups and the ability to rapidly restore operations across global offices are no longer optional. Comprehensive cybersecurity solutions from Aspera for secure high-throughput file transfer and TrendMicro for layered endpoint protection can materially reduce exposure. Organizations dealing with massive data volumes should also evaluate whether legacy protocols like SFTP and TCP-based transfers are introducing unnecessary latency and throughput bottlenecks that slow recovery when systems need to be rebuilt at scale. Solutions from companies like Irdeto can also add an additional layer of software protection for critical enterprise applications.
Stryker was targeted primarily because of geopolitical motivations. The Iran-linked hacking group Handala explicitly framed the attack as retaliation for the attack on the Minab school, a deadly missile strike on a girls’ school in Iran that killed more than 175 people, mostly children. Stryker’s acquisition of Israeli company OrthoSpace in 2019 also likely placed the US medical company on Handala’s target list. The group labeled Stryker a “Zionist-rooted corporation” in its Telegram manifesto. This pattern fits a broader trend of Iranian cyber actors targeting organizations with ties to Israel or the U.S. defense sector, especially during periods of active military conflict.
No. Synnovis, the UK-based pathology services provider hit by the Qilin ransomware group in June 2024, did not pay the ransom. After consulting with its NHS Trust partners, Synnovis decided that paying would violate its ethical principles and would fund further attacks on critical infrastructure. The Qilin group had reportedly demanded $50 million and later published nearly 400GB of stolen patient data on the dark web when payment was not received. The attack disrupted diagnostic services across southeast London for months, led to the cancellation of thousands of surgical procedures, and cost Synnovis an estimated £32.7 million. A subsequent investigation found the attack contributed to at least one patient death, making it one of the first ransomware incidents directly linked to a fatality.
That would be Marcus Hutchins, a British cybersecurity researcher who stopped the WannaCry ransomware attack in May 2017 at the age of 22. Working from his bedroom in England, Hutchins reverse-engineered the WannaCry code and discovered it was tied to an unregistered domain name. He registered that domain, which turned out to be the worm’s kill switch, effectively halting the attack after it had already infected over 300,000 computers in 150 countries. Wired Magazine featured his story on its June 2020 cover with the headline “The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet.” Hutchins was later arrested by the FBI for unrelated hacking offenses from his teenage years, but the judge weighed his contributions to global cybersecurity and sentenced him to time served.
Yes. UnitedHealth Group CEO Andrew Witty confirmed during testimony before the U.S. Senate Finance Committee in May 2024 that the company paid $22 million to the BlackCat/ALPHV ransomware group following the devastating February 2024 attack on its subsidiary Change Healthcare. Witty called it “one of the hardest decisions” he had ever made. The attack was caused by a compromised Citrix remote access portal that lacked multi-factor authentication. Despite paying the ransom, UnitedHealth did not get its data back. The ransomware group performed an exit scam, pocketed the payment, and an affiliate later attempted further extortion through a second group called RansomHub. The attack affected over 190 million Americans and has cost UnitedHealth more than $2.4 billion to date.
PacGenesis is an IBM Platinum Business Partner serving over 300 global customers with enterprise data transfer and cybersecurity solutions. If your organization needs to evaluate its file transfer infrastructure, endpoint security posture, or disaster recovery readiness in light of escalating nation-state cyber threats, contact PacGenesis for a consultation.