Iran-Linked Handala Group Claims Massive Data-Wiping Attack on Stryker

Stryker, a global medical technology company based in Kalamazoo, Michigan, was targeted in March 2026 by a destructive data-wiping attack. The incident, claimed by an Iranian-linked hacktivist group known as Handala, resulted in significant network disruptions and the reported erasure of data across thousands of systems.

The attack caused immediate operational turmoil for the medical equipment maker, which reported $25 billion in global sales in 2025. Reports indicated that more than 5,000 employees at Stryker’s largest hub outside the U.S., located in Ireland, were sent home. At the company’s U.S. Headquarters, a voicemail message indicated the facility was experiencing a building emergency.

Technical Execution and Scope

Handala claimed in a Telegram statement that it erased data from more than 200,000 systems, servers, and mobile devices, forcing the shutdown of offices in 79 countries. While wiper attacks typically involve software that overwrites data on infected devices, evidence suggests a different method was used in this instance.

A source with knowledge of the attack informed KrebsOnSecurity that the perpetrators likely utilized Microsoft Intune to execute the disruption. Intune is a cloud-based endpoint management solution that allows IT administrators to enforce security policies and monitor devices. In this case, it appears the attackers issued a remote wipe command to all connected devices.

This technical detail was supported by reports from employees in Ireland who claimed that any device connected to the network was down and that personal phones with Microsoft Outlook were wiped. Some employees reported that login pages on their devices were defaced with the Handala logo.

Attribution and Motivation

Palo Alto Networks has profiled Handala as an online persona maintained by Void Manticore, an actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS). According to the security firm, Handala surfaced in late 2023 and typically focuses on targets in Israel, though it occasionally targets other entities to serve specific agendas.

Handala stated that the attack was retaliation for a February 28, 2026, missile strike on an Iranian school that killed at least 175 people, mostly children. The New York Times reported that a military investigation determined the United States was responsible for the Tomahawk missile strike.

In its manifesto, Handala referred to Stryker as a Zionist-rooted corporation. This likely refers to Stryker’s 2019 acquisition of OrthoSpace, an Israeli company.

Impact on Healthcare Supply Chains

Because Stryker is a primary supplier of surgical and medical devices, the outage created risks for healthcare providers. One healthcare professional reported being unable to order surgical supplies normally sourced through the company, describing the event as a real-world supply chain attack.

The disruption extended to critical emergency services. A March 11, 2026, memo from Maryland’s Institute for Emergency Medical Services Systems noted that some hospitals disconnected from Stryker’s online services as a precaution. This included LifeNet, a service used by paramedics to transmit EKGs to emergency physicians to expedite treatment for heart attack patients.

John Riggi, national advisor for the American Hospital Association (AHA), stated that while the AHA was aware of the attack and exchanging information with the federal government, they were not aware of direct impacts or disruptions to U.S. Hospitals as of the initial reporting period.

Recovery Status

Following the global network disruption and the subsequent fall in share prices reported on March 11, 2026, the company worked toward restoration. According to reporting from The HIPAA Journal, Stryker was fully operational following the March cyberattack.