Pro-Iran Hackers Claim Cyberattack on Stryker, Knocking Key Systems Offline Worldwide


Stryker, one of America’s biggest medical device makers, says it was hit by a cyberattack that triggered a worldwide outage across its Microsoft-based systems, an incident that’s now rippling into hospitals that rely on the company for equipment, parts, and support.

The company told employees to disconnect devices and avoid powering work equipment back on, a sign the priority was containment over keeping business-as-usual online. A group calling itself “Handala,” which presents as pro-Iran, quickly claimed credit, raising fresh fears that Middle East conflict is spilling into cyberspace, with health care squarely in the crosshairs.

Stryker says its Microsoft environment went down globally

Stryker confirmed a “global disruption” affecting its Microsoft environment, industry shorthand for core workplace tools going dark at once, including email, remote access, device management, and internal communications.

The outages reportedly began shortly after midnight on the U.S. East Coast, a timing detail investigators typically use to line up access logs, administrator activity, and any automated triggers.

Public reports suggest the attack may have targeted centralized device management. Windows endpoints, including phones and laptops, were reportedly affected, with some devices remotely wiped. That’s not a routine network hiccup; it’s closer to an active effort to neutralize an organization’s ability to communicate and operate, even without an obvious ransom demand.

Stryker said it has no indication, so far, of ransomware or malware and believes the incident is contained. In the hospital world, that wording can land with a thud: “contained” can mean the spread is stopped, the damage is limited, or simply that the full scope isn’t yet known.

The stakes are high because Stryker’s footprint is enormous. The company sells everything from defibrillators to ambulance stretchers and says its products and services touch more than 150 million patients. Reports of impacted computers in Ireland underscore that this wasn’t confined to one office or one country, complicating recovery across time zones and regulatory regimes.

A group calling itself Handala claims responsibility, citing the war

Handala claimed the operation on social media, framing it as political retaliation tied to a disputed military incident. In its messaging, the group pointed to an alleged missile strike on an elementary school in Iran, an account circulated by Iranian media that the Pentagon has said it is reviewing.

Cybersecurity researchers describe Handala as a pro-Iran “hacktivist” brand that some analysts suspect may be linked to Iran’s Ministry of Intelligence, an important distinction. If true, it shifts the story from online activism to potential state-aligned pressure tactics.

Health care is a high-impact target because downtime isn’t just about data. It can become a patient-safety issue. Hospitals depend on vendors like Stryker for maintenance, software updates, replacement parts, and ordering systems, so a disruption at the supplier can quickly turn into operational stress on the front lines.

Handala also claimed it stole 50 terabytes of data, about 50,000 gigabytes. Stryker has not publicly confirmed that. But even an unverified claim can force customers and partners to assume the worst and start asking what might have been exposed, from contracts to technical documentation.

Investigators are watching a possible Intune-style remote wipe scenario

One technical theory getting close attention: attackers gained access to a device-management console such as Microsoft Intune, a tool companies use to enforce security policies and manage fleets of phones and computers, including the ability to remotely wipe devices.

If an attacker gets that level of administrative control, they can turn a security platform into a sabotage tool. And it can bypass classic defenses: instead of planting malware on thousands of machines, the attacker uses the organization’s own management infrastructure to push destructive actions at scale.

That also makes incident response harder. If the platform is issuing the commands, the activity can look “legitimate” inside the system, raising questions about whether an admin account was compromised, a cloud token was stolen, or a configuration mistake opened the door.
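The detection problem described above, as an added illustration that is not part of the original report: each wipe or retire command is a normal administrative action on its own, so a defender looks for velocity from a single identity rather than for any one "bad" event. The records below use a constructed, simplified schema (actor, UTC time, operation, target) and are not Intune's real audit-log export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records in a hypothetical, simplified schema.
# One help-desk wipe per day is routine; a burst of five destructive
# commands from one admin identity inside a few seconds is the signal.
SAMPLE_EVENTS = [
    ("helpdesk@example.test", "2026-03-09T14:02:00", "Wipe", "LAPTOP-0042"),
    ("admin@example.test", "2026-03-10T05:01:10", "CreatePolicy", "Baseline-v3"),
    ("admin@example.test", "2026-03-10T05:03:04", "Wipe", "LAPTOP-0101"),
    ("admin@example.test", "2026-03-10T05:03:05", "Wipe", "LAPTOP-0102"),
    ("admin@example.test", "2026-03-10T05:03:05", "Wipe", "PHONE-0217"),
    ("admin@example.test", "2026-03-10T05:03:06", "Retire", "PHONE-0218"),
    ("admin@example.test", "2026-03-10T05:03:07", "Wipe", "LAPTOP-0103"),
    ("helpdesk@example.test", "2026-03-10T09:30:00", "Wipe", "LAPTOP-0043"),
]

# Operations that remove a device from management or erase it.
DESTRUCTIVE_OPS = {"Wipe", "Retire"}


def detect_mass_wipe(events, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per actor whose destructive operations reach
    `threshold` within any sliding `window`; non-destructive events are ignored."""
    per_actor = defaultdict(list)
    for actor, ts, op, target in events:
        if op in DESTRUCTIVE_OPS:
            per_actor[actor].append((datetime.fromisoformat(ts), op, target))
    alerts = []
    for actor, items in per_actor.items():
        items.sort()  # chronological order for the sliding window
        start, best = 0, None
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # shrink window until it spans at most `window`
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "actor": actor,
                    "count": count,
                    "first": items[start][0].isoformat(),
                    "last": items[end][0].isoformat(),
                    "targets": [t for _, _, t in items[start:end + 1]],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {a['count']} destructive ops "
              f"between {a['first']} and {a['last']} -> {a['targets']}")
```

In practice the threshold and window are tuned to the organisation's normal decommissioning rate, and an alert should also be raised when the acting identity's sign-in or token issuance is itself anomalous.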

One employee account described work phones suddenly failing, cutting off day-to-day coordination. In a company that supports hospitals and emergency services, losing messaging and telephony at the same time can slow decisions, delay escalations, and jam customer support.

Hospitals face a tough call: cut ties or keep connections for support

When a major supplier gets hit, hospital security teams often confront an uncomfortable question: Do you disconnect the vendor from your network out of caution, or keep connections open to preserve remote support, ordering, and maintenance workflows?

Disconnecting can reduce the risk of spillover. But it can also slow repairs, delay shipments, or complicate urgent troubleshooting. Keeping connections preserves speed, while accepting uncertainty about what systems were touched and whether the incident could spread.

The geopolitical backdrop is amplifying the caution. U.S. officials have warned that cyber retaliation could accompany military escalation in the region. Investors also reacted: Stryker shares fell more than 3% after early reports, signaling concern about the potential cost and duration of the disruption.

Even if patient-facing devices aren’t directly compromised, a supplier’s internal breakdown can still hit hospitals where it hurts: logistics, support tickets, updates, and procurement. In health care, lost time isn’t an inconvenience. It’s a risk multiplier.

A possible escalation as Iran-linked cyber activity draws scrutiny

Since fighting intensified in late February, pro-Iran cyber actors have been tied to activity across the region, including attempts to disrupt infrastructure and institutions. A major strike on a U.S. medical manufacturer would mark a broader reach, both symbolically and practically.

Some analysts had noted relatively limited, publicly visible Iranian-linked campaigns against U.S. organizations in recent weeks. That’s one reason the Stryker incident stands out: it looks louder, more disruptive, and aimed at a sector where the consequences can cascade quickly.

Iranian officials have also issued warnings that economic centers and banks tied to the U.S. and Israel could be treated as legitimate targets, while state media have floated lists of major tech companies as potential marks. None of that proves who hit Stryker, but it sets a climate where cyberattacks can function as pressure, signaling, and punishment.

The key caution: claims on social media don’t equal proof. Attribution will hinge on access paths, forensic evidence, and whether investigators can tie the operation to known infrastructure or tactics. For hospitals and patients, the more immediate question is simpler: who still has access, what was disrupted, and how fast systems can be trusted again.

Key Takeaways

  • Stryker experienced a global disruption of its Microsoft- and Windows-related systems.
  • The Handala group claimed responsibility for the attack amid military tensions and digital retaliation.
  • Investigators are examining the possibility of a remote wipe via an endpoint management console.
  • Hospitals must balance network precautions with operational continuity.
  • The incident is fueling fears that the conflict could spread to critical infrastructure.

Frequently Asked Questions

What do we know about the impact of the cyberattack on Stryker?

Stryker confirmed a global disruption affecting its Microsoft environment, with Windows devices impacted. The company said it has no indication of ransomware or malware and believes the incident has been contained, while continuing its investigation to determine the full scope.

Who is Handala, the group claiming responsibility for the attack?

Handala presents itself as a pro-Iranian group. Cybersecurity researchers describe it as an actor claiming hacktivist motives, but suspected of ties to Iran’s Ministry of Intelligence, which could give the operation a potential state-backed dimension.

Why is the Microsoft Intune theory being taken seriously?

Public information suggests remote wiping of devices, behavior consistent with access to an endpoint management console like Intune. If an attacker compromises this kind of tool, they can trigger large-scale administrative actions, including device resets.

Are medical devices in hospitals directly affected?

Available information points to disruption of the company’s internal systems and devices. Even without evidence of a direct impact on patient-facing devices, an outage at a supplier can slow support, logistics, and coordination, which concerns healthcare facilities.

Why is this incident being linked to tensions with Iran?

The attack is being claimed as a political response in the context of the war, and U.S. officials have warned about the risk of cyber retaliation tied to the escalation. Analyses also suggest that targeting a major U.S. company would be a notable escalation for this group.

Michel Gribouille
I am Michel Gribouille, a jack-of-all-trades writer and master of the keyboard on my site europe-infos.fr. I juggle current affairs and a wide range of topics, always with a touch of humour and an insatiable curiosity. Serious when I need to be, but never boring, I like to make my articles as lively as my morning coffee!