A large-scale cyberattack targeted US medical technology giant Stryker Corporation as an Iran-linked hacking group claimed responsibility for disrupting the company’s digital infrastructure and allegedly wiping thousands of systems.
The Wednesday incident caused outages within the multinational healthcare company’s network and raised concerns as the development was linked to the escalating conflict in West Asia involving Iran, the United States and Israel.
Soon after the attack became public, a hacking persona known as Handala said it had carried out the operation, describing it as retaliation for military strikes in Iran and ongoing cyber activities targeting groups aligned with Tehran.
The disruption affected Stryker’s systems globally, forced employees offline in several locations and triggered an investigation.
What exactly happened in the cyberattack on Stryker?
The cyber disruption began shortly after midnight on Wednesday on the US East Coast, according to people familiar with the matter cited in media reports.
Soon afterward, Stryker’s internal technology environment began experiencing major outages. Devices connected to the company’s network — including laptops, mobile devices and other remote systems configured to access corporate infrastructure — were reportedly wiped or rendered unusable.
An internal company communication described the incident as a severe global disruption affecting the firm’s Windows-based technology environment. Both client devices and servers were impacted, leaving employees and contractors without access to corporate systems.
In some instances, staff reported seeing the logo of an Iran-linked hacking group appearing on login pages used to access company platforms. These claims circulated on social media, although they could not be independently verified.
The outage disrupted operations across multiple facilities. One example came from Stryker’s manufacturing facility in Cork, Ireland, where thousands of employees work. The plant was unable to operate during the disruption as systems went offline.
At the company’s global headquarters in Portage, Michigan, phone calls were answered with a recorded message stating that the organization was dealing with a building emergency.
The medical technology company confirmed the incident in a filing with the US Securities and Exchange Commission, stating that the attack had limited access to several of its systems. It also acknowledged that restoring operations could take time and that the full recovery timeline was not yet known.
A spokesperson for the company said, “We have no indication of ransomware or malware and believe the incident is contained,” while declining to comment on the identity of the attackers.
The company has said that its business continuity plans are being implemented while teams continue working to restore affected systems and support customers and partners.
Who claimed responsibility and why?
Shortly after news of the cyberattack emerged, the hacking persona Handala posted messages on its Telegram channel claiming responsibility for the operation.
The group alleged that it had wiped thousands of systems connected to the company’s network and extracted large volumes of data. It framed the operation as retaliation for military actions involving Iran.
In one statement that circulated widely online, the group said, “The Zionist-rooted corporation, Stryker, one of the key arms of the global Zionist lobby and a central ring in the ‘New Epstein’ chain, has been struck with an unprecedented blow. In this operation, over 20 000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted.”
The group also declared the attack successful.
“Our major cyber operation has been executed with complete success,” it said, describing the attack as retaliation for the “brutal attack” on Minab school and for “ongoing cyber assaults against the infrastructure of the Axis of Resistance.”
The statement referenced a missile strike on a girls’ school in the southern Iranian city of Minab. According to Iran’s ambassador to the United Nations in Geneva, Ali Bahreini, around 150 students were killed in the strike on the first day of US-Israeli attacks on Iran.
The hackers also claimed the cyber operation forced Stryker offices across the world to shut down.
“Stryker’s offices in 79 countries have been forced to shut down. All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption,” it said.
Later, the same group claimed it had also targeted Verifone, a firm that specialises in electronic and point-of-sale payment systems.
What do cybersecurity experts say about the attack?
Cybersecurity researchers have previously linked Handala to Iran. The group first appeared around 2022 and has claimed responsibility for several cyber incidents targeting companies in Israel and the Gulf region.
Its operations often involve hack-and-leak campaigns or disruptive cyber activities designed to damage systems or expose stolen data.
Cybersecurity firm Check Point Software Technologies has tracked the group’s activity for several years. Gil Messing, chief of staff at the company, described the group as one of the most prominent cyber actors connected to Iran.
“They are the most notorious group affiliated with the Iranian regime,” Messing told Reuters.
According to Messing, researchers believe the group operates under Iran’s Ministry of Intelligence. He also noted that the group’s decision to publicly claim responsibility for the Stryker attack could indicate a shift in strategy.
“The fact they publicly take responsibility on this attack, and the fact they know they are linked to the government, show a new phase in Iran’s motivations.”
Cynthia Kaiser, senior vice president at Halcyon’s Ransomware Research Center and a former senior FBI cyber official, said the incident fits the pattern experts have been anticipating.
“This is exactly the type of attack we have been worried about: Iranian proxies using destructive cyber attacks like data deletion against U.S. companies to retaliate,” Kaiser told Reuters.
A White House official said the administration of Donald Trump was monitoring cyber threats closely and coordinating responses through agencies responsible for critical infrastructure protection, regulatory oversight and law enforcement.
What is wiper malware and why is it so destructive?
Investigators examining the cyberattack believe the incident involved the use of wiper malware, a type of malicious software designed to destroy data rather than extract money.
Unlike ransomware, which encrypts files and demands payment to restore access, wiper malware permanently deletes or corrupts files so that they cannot be recovered.
These programmes typically target critical parts of computer systems, including the Master Boot Record or key file system structures. Once those elements are overwritten, the operating system cannot start and the machine becomes unusable.
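The Python below is an added example, not part of the original reporting or of any investigator's tooling. It triages a captured copy of a disk's first sector for the Master Boot Record structures mentioned above: the 0x55AA boot signature and the four-entry partition table. The sample sectors are constructed, and the function names and verdict labels are assumptions made for the example.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446             # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # final two bytes of a valid MBR


def parse_partitions(sector):
    """Return the non-empty entries of the classic MBR partition table."""
    parts = []
    for slot in range(4):
        entry = sector[TABLE_OFFSET + 16 * slot:TABLE_OFFSET + 16 * (slot + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype and count:
            parts.append({"slot": slot, "status": status, "type": ptype,
                          "lba_start": lba_start, "sectors": count})
    return parts


def assess_mbr(sector):
    """Classify sector 0 as 'intact', 'damaged' or 'overwritten' (example labels)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if len(set(sector)) == 1 or sector[510:512] != BOOT_SIGNATURE:
        return "overwritten"   # uniform fill, or boot signature gone
    parts = parse_partitions(sector)
    if not parts or any(p["status"] not in (0x00, 0x80) for p in parts):
        return "damaged"       # signature survives but the table is unusable
    return "intact"


def build_sample_mbr():
    """Constructed sample: one active NTFS-type (0x07) partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x63\x90"  # placeholder bytes standing in for boot code
    sector[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3,
                                  2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    healthy = build_sample_mbr()
    zeroed = bytes(SECTOR_SIZE)                          # constructed: zero-filled
    cleared = healthy[:446] + bytes(64) + healthy[510:]  # constructed: table erased
    for name, data in [("healthy", healthy), ("zeroed", zeroed), ("cleared", cleared)]:
        print(name, assess_mbr(data), parse_partitions(data))
```

On GPT-partitioned disks sector 0 holds only a protective MBR (partition type 0xEE), so the GPT header in the following sector needs its own integrity check.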
In many cyber incidents, such malware spreads across a network after entering through phishing emails, compromised websites or malicious downloads. Once inside, it can propagate across connected systems and erase files, databases and entire drives.
Several wiper malware variants have been observed in recent cyber conflicts. Examples include CaddyWiper, HermeticWiper, IsaacWiper and FoxBlade, all of which were deployed during cyber operations linked to geopolitical conflicts such as the Russia-Ukraine war.
The main risk associated with such attacks is permanent data loss. Because files are deleted rather than encrypted, recovery can be extremely difficult unless secure backups exist.
In large organisations, the consequences can be severe. Critical operational data, communications and infrastructure may be wiped, forcing companies to rebuild systems from scratch.
Cybersecurity experts say recovering from a major wiper attack can take weeks or even months. Each affected device must be rebuilt, reconfigured and checked before it can be returned to the network.
In Stryker’s case, cybersecurity specialists and external investigators are continuing to examine the incident while working to repair and restore the company’s technology infrastructure.
What is Stryker Corporation?
Stryker Corporation is one of the largest medical technology companies in the world.
The US-based multinational, headquartered in Portage, Michigan, employs around 56,000 people and operates across more than 60 countries. Its products are sold in over 75 countries and are used by approximately 150 million patients every year.
The company’s business is broadly divided into two major segments: medical and surgical technology, and orthopedic solutions.
Medical and surgical technologies — including neurotechnology — accounted for about 60 per cent of the company’s revenue in 2024.
This segment includes surgical instruments, endoscopy systems, neurosurgical and neurovascular implants, patient safety technologies, emergency medical equipment, intensive care disposable products and devices used in oral and maxillofacial surgery.
The orthopedic division, which generated roughly 40 per cent of revenue that year, focuses on implants used in joint replacement procedures such as hip, knee and shoulder surgeries. It also produces equipment used in trauma and extremity operations.
Despite its global presence, the United States remains the company’s primary market. Around three-quarters of its revenue in 2024 came from the US. The firm is ranked 195th on the Fortune 500 list and 331st on the Forbes Global 2000.
Following the cyberattack, the company’s shares fell roughly three per cent in market trading.
With inputs from agencies





