VYPR
breach · Published Mar 12, 2026 · Updated May 18, 2026 · 1 source

Iran-Linked Handala Group Claims Massive Wiper Attack on MedTech Giant Stryker

Pro-Iranian hacking group Handala has claimed a devastating wiper attack on medical technology firm Stryker, wiping over 200,000 systems and exfiltrating 50TB of data, forcing offices in 79 countries to shut down.

Pro-Iranian hackers have claimed a major scalp after causing global disruption at Fortune 500 medical technology vendor Stryker. The Handala group claimed in an online post that it wiped "over 200,000 systems, servers, and mobile devices" and exfiltrated 50TB of the firm's data. "Stryker's offices in 79 countries have been forced to shut down," the message claimed. "All the acquired data is now in the hands of the free people of the world, ready to be used for true advancement of humanity and the exposure of injustice and corruption."

Stryker, a maker of neurotechnology, orthopaedics and surgery equipment, employs over 56,000 people in 61 countries and posted sales of $22.6bn in 2024. The company confirmed the attack in an 8-K filing with the SEC, noting that it led to "global disruption to the company's Microsoft environment." It added that there is no indication of ransomware or malware and the firm believes that the incident is contained. "The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the company's information systems and business applications supporting aspects of the company's operations and corporate functions," the filing stated.

Experts were quick to link Handala to the Iranian regime, which is currently engaged in an existential war with the US and Israel. "From our perspective tracking Handala over the past year, the group has done an effective job presenting itself as a grassroots resistance movement. However, the tactics and targeting we observe are far more consistent with activity linked to Iranian state actors than with independent hacktivism," explained Kathryn Raines, cyber-threat intelligence team lead at Flashpoint.

What makes the Stryker incident particularly concerning is the apparent use of enterprise management infrastructure to carry out destructive activity at scale. Researchers suspect the group weaponized Microsoft Intune, potentially after a credential compromise, to wipe devices en masse. Huntress CISO Chris Henderson noted that "this goes to show geopolitical conflicts don't stay overseas. Nation-state actors are targeting American companies that support critical infrastructure, healthcare, energy, and manufacturing, because the disruption extends far beyond the initial victim."

The attack's impact on healthcare supply chains has been severe. Stryker's products are used in hospitals worldwide for surgeries and patient care, and the disruption has forced the company to activate business continuity measures. "Hospitals are waiting for equipment, patients are unable to receive care, and supply chains are grinding to a halt. This is the reality of modern conflict, and healthcare organisations are directly in the crossfire whether they realise it or not," Henderson added.

While Stryker works diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known. The incident underscores the growing threat of state-linked hacktivist groups targeting critical infrastructure and healthcare organizations, leveraging sophisticated techniques to maximize disruption. The Handala group's ability to compromise enterprise management tools like Microsoft Intune represents a significant escalation in the capabilities of such threat actors.

Synthesized by Vypr AI