Iran-Linked Hackers Wipe Data at Medical Device Giant Stryker

A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology c


A hacktivist group with ties to Iran's intelligence apparatus has claimed responsibility for a devastating data-wiping attack against Stryker, one of the world's largest medical technology companies. The assault forced the Kalamazoo, Michigan-based firm to shut down operations across 79 countries, with over 5,000 employees sent home from its Ireland facility alone.

Iran-Linked Group Claims Massive Stryker Attack

Stryker, which reported $25 billion in global sales last year, manufactures medical and surgical equipment used in hospitals worldwide. The group calling itself Handala claimed the attack erased data from more than 200,000 systems, servers, and mobile devices. In a statement posted to Telegram, Handala characterized the offensive as retaliation for a February 28 missile strike targeting an Iranian school that killed at least 175 people, predominantly children.

Security researchers at Palo Alto Networks have linked Handala to Iran's Ministry of Intelligence and Security (MOIS), identifying it as one of several online personas operated by Void Manticore, a MOIS-affiliated threat actor that emerged in late 2023. The group's statement claimed all acquired data would be released publicly, though specifics remain unclear.

Exploiting Cloud Management for Device Destruction

What distinguishes this attack from typical wiper malware is the apparent methodology. Rather than deploying destructive software, the perpetrators allegedly abused Microsoft Intune, a legitimate cloud device-management service, to issue remote wipe commands to the devices enrolled in it. No software vulnerability is implied by this account; the wipe is an ordinary administrative function, and whoever controls the management console can trigger it at scale. This approach proved particularly effective given Stryker's global infrastructure and its reliance on cloud-based device management.

Global Operations Paralyzed Across 79 Countries

The scale of the disruption became evident as Irish media reported employees communicating via WhatsApp after network systems went offline. Staff confirmed that devices connected to the network had been wiped, with defaced login pages displaying the Handala logo. Remarkably, even personal smartphones with Microsoft Outlook synced to corporate accounts experienced data deletion.

Recovery Challenges for Medical Device Manufacturer

Stryker's U.S. headquarters remained inaccessible to media inquiries, with automated messages referencing an ongoing building emergency. The company, which employs 56,000 people across 61 countries, has not yet released an official statement detailing recovery efforts or the full extent of operational impact. Recovery timelines for organizations affected by such attacks typically extend to weeks or months.
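The attack pattern described in this article, a management console issuing remote wipes to every enrolled device, leaves a distinctive trace in the MDM's own audit log: one account performing many destructive actions in a short window. The script below, added here as an illustration and not code from the article, from Stryker or from Microsoft, flags that burst. The audit records are constructed, and the field names (activityDateTime, actor, activityType, deviceId) and action names are assumed for the example; an operator would map them to the real schema of their MDM's audit export.

```python
"""Flag bursts of remote-wipe commands in MDM audit logs.

Added example for the Intune-abuse discussion; not code from the article,
from Stryker or from Microsoft. The audit records below are CONSTRUCTED and
the field names (activityDateTime, actor, activityType, deviceId) are ASSUMED
for illustration; map them to the real schema of your MDM's audit export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that destroy data on an enrolled device and so deserve rate alerting
# (action names are assumed for this example).
DESTRUCTIVE_ACTIONS = {"Wipe ManagedDevice", "Retire ManagedDevice", "Delete ManagedDevice"}

# Constructed sample: routine helpdesk activity, then eight wipes from one
# account inside two minutes (the footprint a mass wipe through MDM would leave).
SAMPLE_EVENTS = [
    {"activityDateTime": "2025-03-01T08:00:00Z", "actor": "helpdesk@example.com",
     "activityType": "Wipe ManagedDevice", "deviceId": "dev-001"},
    {"activityDateTime": "2025-03-01T08:05:00Z", "actor": "helpdesk@example.com",
     "activityType": "Update ManagedDevice", "deviceId": "dev-002"},
    {"activityDateTime": "2025-03-01T09:30:00Z", "actor": "helpdesk@example.com",
     "activityType": "Wipe ManagedDevice", "deviceId": "dev-003"},
] + [
    {"activityDateTime": f"2025-03-01T10:{(i * 15) // 60:02d}:{(i * 15) % 60:02d}Z",
     "actor": "svc-mdm-admin@example.com",
     "activityType": "Wipe ManagedDevice", "deviceId": f"dev-{101 + i}"}
    for i in range(8)
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_bulk_wipes(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor who issued at least `threshold` destructive
    actions within any sliding window of length `window`.

    Each alert records the actor, the peak number of destructive actions seen
    in one window, the time span covered and the set of affected device ids.
    """
    recent = defaultdict(deque)   # actor -> deque of (time, deviceId) still inside the window
    alerts = {}                   # actor -> alert dict
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if ev["activityType"] not in DESTRUCTIVE_ACTIONS:
            continue
        t = parse_time(ev["activityDateTime"])
        q = recent[ev["actor"]]
        q.append((t, ev["deviceId"]))
        while t - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ev["actor"], {
                "actor": ev["actor"], "count": 0,
                "first": q[0][0], "last": t, "devices": set()})
            a["count"] = max(a["count"], len(q))
            a["last"] = t
            a["devices"].update(d for _, d in q)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bulk_wipes(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['first']} and {alert['last']} "
              f"on {len(alert['devices'])} devices")
```

The helpdesk account's two wipes ninety minutes apart never reach the threshold, while the service account's burst is reported once with its peak count and every device it touched. The window and threshold should be tuned to an organization's normal decommissioning rate, and the rule is most useful when it feeds an alert that a second person reviews, since the console operator who triggered the wipes is by definition already an administrator.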

Editorial note: This article represents original analysis and commentary by the TechDailyPulse editorial team.