A suspected Iran-linked cyberattack has disrupted global systems at medical technology giant Stryker Corp., knocking some internal services offline and triggering operational limitations across the company’s network. The intrusion, claimed by the pro-Iranian hacking persona Handala, reportedly wiped corporate devices connected to the firm’s Microsoft environment and forced the company to restrict access to certain information systems while incident responders worked to contain the breach and restore operations. The attack comes amid escalating geopolitical tensions following recent U.S.–Israeli strikes in Iran, which have heightened concerns that state-aligned cyber actors may expand retaliatory operations against Western companies and critical supply chains.
“Stryker is responding to a global network disruption to our Microsoft environment as a result of a cyber attack,” Kalamazoo, Michigan-based Stryker said in a Thursday customer update. “We have no indication of ransomware or malware and believe the incident is contained. Our teams are working to understand the full impact to our internal environment.”
Clarifying that the Mako System used for hip, knee, and shoulder procedures is not a connected device, Stryker said the system operates independently of network connectivity.
The company added that multiple layers of data security are built into the USB flash drives used for Mako plans, including encryption and automated quality checks that generate an error message if an uploaded plan does not match the expected file. Stryker also confirmed that no malware can be downloaded through the flash drives, noting that the disruption is affecting its internal Microsoft environment rather than the Mako platform.
Stryker said previously downloaded Mako plans can still be used. The system supports local case planning for total and partial knee procedures directly on the Mako System, as well as planning on MPS laptops. Representatives can also hand-carry CDs to the device and complete planning locally without requiring network connectivity.
Earlier on Thursday, Stryker said the company is “continuing to resolve the disruption impacting our global network, resulting from the cyber attack. At this time, there is no indication of malware or ransomware and we believe the situation is contained to our internal Microsoft environment only.”
“Our products like Mako, Vocera and LIFEPAK35 are fully safe to use,” according to the statement. “We have visibility to the orders entered before the event, and they will be shipped as soon as our system communications are restored. Any orders that have come in after the event are being examined. We are working to ensure our electronic ordering system is back up and running as quickly as possible.”
It added, “It is safe to communicate with Stryker employees and sales representatives by email and phone, and within your facility. We are committed to keeping our stakeholders informed as we manage this situation. There is nothing more important to us than the customers and patients we serve.”
In a LinkedIn message addressed to customers on Wednesday, Stryker said its “teams are working rapidly to understand the impact of the attack on our systems.”
It added, “Stryker has business continuity measures in place to continue to support our customers and partners. We are committed to transparency and will keep stakeholders informed as we know more.”
In a lengthy statement posted to X, formerly Twitter, Handala (a.k.a. Handala Hack Team) claimed that Stryker’s offices in 79 countries have been forced to shut down after the group erased data from more than 200,000 systems, servers and mobile devices. “All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption.”
“We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete Success,” the statement added. “The Zionist-rooted corporation, Stryker, one of the key arms of the global Zionist lobby and a central ring in the ‘New Epstein’ chain, has been struck with an unprecedented blow. In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted.”
Stryker is a global medical technology company and manufacturer of medical and surgical equipment that reported about $25 billion in worldwide sales last year. The company develops products and services across medsurg, neurotechnology and orthopaedics, focusing on technologies designed to improve clinical performance and patient outcomes.
“Handala (aka: Handala Hack Team, Void Manticore, Storm-842) is a pro-Palestinian, pro-Iran-aligned hacktivist group that has been active since at least 2023. Handala is known to deploy the Hatef wiper malware as well as the Radthief (aka: Rhadamanthys) stealer malware during its attacks,” Optiv’s gTIC analyst said in an emailed statement. “The group focuses on politically motivated cyber operations against Israeli-linked targets. Handala is associated with destructive ‘hack-and-leak’ activity and has publicized wiper malware delivered through multi-stage tooling to wipe Windows and Linux systems. Handala commonly gains Initial Access through social engineering via phishing using a combination of exploitation of major events and vulnerabilities and impersonation of legitimate organizations to steal and leak data through a dedicated leak site.”
The statement added that research suggests significant overlap between Void Manticore (Handala) and another IRGC-linked advanced persistent threat (APT) group, Scarred Manticore (aka: OilRig, APT34). “The current incident suggests native features and tooling (Microsoft Intune) was used to push operating system reset commands to disrupt and wipe data off systems and mobile devices, rather than deploying wiper malware. Use of Microsoft Intune to wipe and reset systems and devices requires access to administrator-level portals and control panels, which suggests the threat actor was able to acquire high-level credentials during the course of the attack. This suggests capabilities of a well-resourced and experienced threat actor.”
It added, “Other Iranian IRGC-sponsored cyber threat groups known to deploy destructive wiper malware as part of their attacks against Industrials, Utilities, and Government entities include APT33 (aka: Elfin) and Agrius. As of this writing, there are no additional details regarding indicators of attack or compromise associated with Handala’s recent attack against the medical supplier.”
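For defenders, the scenario the analyst describes (reset commands pushed through device-management tooling by a privileged account, with no wiper malware to detect) leaves its trace in the management platform's audit trail rather than on endpoints. The sketch below is an added illustration, not part of Stryker's or Optiv's statements: it flags any identity that issues destructive actions against many distinct devices in a short window. The record fields (`time`, `actor`, `action`, `device`), the action labels, the threshold and the sample events are all constructed assumptions and do not reproduce any vendor's log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Action names are hypothetical labels for destructive remote actions;
# map them to whatever your device-management audit log actually records.
DESTRUCTIVE_ACTIONS = {"wipe", "retire"}

def find_bulk_wipes(events, window=timedelta(minutes=10), threshold=5):
    """Flag actors issuing destructive actions against >= threshold
    distinct devices inside a sliding time window.
    Returns {actor: (time threshold was first crossed, peak device count)}."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        while ev["time"] - q[0][0] > window:  # expire entries outside the window
            q.popleft()
        distinct = len({device for _, device in q})
        if distinct >= threshold:
            first, peak = alerts.get(ev["actor"], (ev["time"], 0))
            alerts[ev["actor"]] = (first, max(peak, distinct))
    return alerts

def constructed_events():
    """Constructed sample data: routine helpdesk wipes plus one burst."""
    base = datetime(2025, 1, 1, 9, 0, 0)
    events = [
        {"time": base, "actor": "helpdesk@example.test", "action": "wipe", "device": "LAPTOP-001"},
        {"time": base + timedelta(hours=1), "actor": "helpdesk@example.test", "action": "wipe", "device": "LAPTOP-002"},
        {"time": base + timedelta(hours=2), "actor": "admin@example.test", "action": "sync", "device": "PHONE-000"},
    ]
    # Eight wipes from one admin identity, 20 seconds apart.
    events += [
        {"time": base + timedelta(hours=3, seconds=20 * i), "actor": "admin@example.test",
         "action": "wipe", "device": f"PHONE-{i:03d}"}
        for i in range(8)
    ]
    return events

if __name__ == "__main__":
    for actor, (first, peak) in find_bulk_wipes(constructed_events()).items():
        print(f"ALERT {actor}: {peak} devices wiped within window, threshold crossed at {first}")
```

In practice the window and threshold would be tuned against the organization's normal offboarding and helpdesk volume, and an alert would be paired with review of how the flagged identity authenticated.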
The Handala hacking collective has emerged as one of the most visible pro-Iranian cyber personas operating amid rising geopolitical tensions in the Middle East. Researchers describe the group as a hacktivist front linked to Iran’s Ministry of Intelligence that blends cyber intrusion with information operations designed to pressure adversaries and shape public narratives.
The group has claimed responsibility for multiple cyber campaigns targeting organizations across Israel, Jordan, and Saudi Arabia, including alleged compromises of oil and gas organizations and other regional entities. Analysts note that such activity reflects a broader pattern of Iranian-aligned actors using cyber operations as a tool of geopolitical signaling and retaliation.
Security researchers warn that Iranian cyber activity is expanding alongside regional conflict dynamics, with espionage campaigns and disruptive operations increasingly targeting critical infrastructure, government systems, and supply-chain networks.
Reports from intelligence and cybersecurity organizations highlight that Iranian groups, including clusters such as Seedworm, have already infiltrated U.S. infrastructure and defense supply chains, while Western security agencies caution that cyber spillover from Middle East tensions could extend to international targets. Within this landscape, personas like Handala serve as visible operators capable of conducting hack-and-leak campaigns, destructive attacks, and psychological operations aimed at amplifying political impact beyond the immediate technical intrusion.

