Iran-Linked Hackers Cripple Medical Giant Stryker in Global Wiper Attack

A suspected Iranian-backed hacking group has paralyzed Kalamazoo-based medical device giant Stryker Corporation, wiping data from employee devices across its global network and forcing thousands of workers offline in one of the most disruptive cyberattacks to hit a major U.S. healthcare company in recent memory.

Stryker disclosed the incident on Wednesday, telling employees it was "experiencing a severe, global disruption impacting all Stryker laptops and systems that connect to our network." A company spokesperson confirmed the scope to the Wall Street Journal: "Our teams are actively working to restore systems and operations as quickly as possible."

The scale is significant. Stryker reported $25 billion in revenue last year and employs roughly 56,000 people worldwide. Investors reacted sharply, with shares falling 4.4% following the Journal's report.

The Iran-backed hacktivist group Handala, which security researchers describe as having links to Iran's intelligence agencies, claimed responsibility in a lengthy manifesto posted to Telegram. The group alleged it erased data from more than 200,000 systems, servers and mobile devices and forced Stryker offices in 79 countries to shut down. Those figures are the group's own assertions and have not been independently verified. Handala referred to Stryker as a "Zionist-rooted corporation," a designation that security researchers at Krebsonsecurity suggest may reference Stryker's 2019 acquisition of Israeli orthopedic company OrthoSpace.

The operational evidence, however, is not limited to the group's claims. Employees and contractors reported that the logo of an Iran-connected hacking group appeared on the company's login pages. Cellphones, laptops and other remote devices running Microsoft Windows on Stryker's platforms had been wiped, according to reporting in the Wall Street Journal. In Cork, Ireland, one of Stryker's largest international hubs, systems were shut down and devices belonging to employees wiped out, with thousands of workers affected.

The attack employs what cybersecurity professionals call a wiper: "a form of malware engineered to destroy or corrupt data on targeted systems," in CrowdStrike's description. Unlike ransomware, which encrypts data pending a ransom payment, wipers are designed for pure destruction, deleting "critical files and data" and inflicting "severe business disruptions" that can prove irreversible.

The geopolitical backdrop is combustible. The attack comes less than two weeks after the United States and Israel launched a military campaign against Iran beginning February 28. Reporting by Detroitnews and Newsweek frames the strike on a company of Stryker's size as a potential escalation, with Iran's cyber arsenal well documented: previous campaigns have included wiper attacks against critical infrastructure, distributed denial-of-service attacks against major U.S. banks, election interference operations, and exploitation of industrial control systems.

Stryker has not publicly confirmed the identity of the attacker, the precise number of affected endpoints, or whether any patient or customer data was exfiltrated rather than simply destroyed. What remains unaddressed is whether the disruption has cascaded into hospital supply chains or clinical operations, given that Stryker manufactures surgical equipment, orthopedic implants, and other devices on which healthcare systems depend.

The incident underscores an uncomfortable reality for critical-sector manufacturers: when state-aligned actors deploy destructive malware against commercial targets, the collateral consequences reach well beyond the corporate network and into operating rooms.