TLDR
- Iranian-backed hacking collective Handala took credit for a devastating cyberattack targeting Stryker on March 11, 2026
- The medical device manufacturer disclosed widespread network disruptions affecting multiple systems and key business applications globally
- Handala asserted they destroyed data on 200,000+ devices and stole 50TB of information, describing it as payback for Iran’s Minab school bombing
- The company stated no ransomware or malicious software was found and maintains the breach has been isolated
- Shares of SYK declined 3.6% Wednesday as news of the security incident spread
Michigan-headquartered medical technology company Stryker experienced a devastating cyberattack on March 11 that crippled significant portions of its worldwide network infrastructure and triggered a 3.6% stock price decline.
In an SEC filing, the medical device giant disclosed that the security breach resulted in lost connectivity to multiple information technology systems and critical business platforms. The company refrained from providing specific timelines regarding complete system recovery.
Employees and external contractors took to social platforms reporting that login screens displayed the insignia of an Iranian-affiliated cyber threat actor. Phone calls placed to the company’s Portage, Michigan corporate offices were greeted with an automated message indicating the facility was “currently experiencing a building emergency.”
According to Stryker’s statement, investigators discovered no evidence of ransomware deployment or malware infection, and the organization maintains the security event has been successfully contained. However, the operational impact proved substantial enough to disrupt activities at its Cork, Ireland manufacturing facility — home to over 4,000 workers — alongside operations in Limerick and Belfast.
The Iran-affiliated threat group Handala announced their involvement through official Telegram and X social media channels. The collective characterized the operation as revenge for the bombing of a Minab girls’ educational institution in southern Iran, which Iranian authorities claim resulted in approximately 150 student fatalities during the initial wave of joint U.S.-Israeli military operations against Iran starting February 28. Reuters has been unable to independently confirm this casualty count.
Handala’s public statements claimed the operation successfully erased data from over 200,000 computer systems, servers, and mobile endpoints while exfiltrating 50 terabytes of corporate information. The group additionally alleged that Stryker locations across 79 nations were compelled to cease operations. The company has not publicly verified these particular assertions.
What Happened on the Ground
According to Wall Street Journal reporting, system failures initiated shortly after midnight Eastern Standard Time Wednesday morning, subsequently cascading across international time zones. Remote Windows-based equipment — encompassing laptops and smartphones authenticated to Stryker’s corporate infrastructure — underwent complete data deletion.
Cynthia Kaiser, previously a high-ranking FBI cybersecurity executive and currently with Halcyon, commented: “This is exactly the type of attack we have been worried about: Iranian proxies using destructive cyber attacks like data deletion against U.S. companies to retaliate.”
Handala possesses an established operational history. Israeli cybersecurity research organization Check Point released findings Tuesday documenting the group’s involvement in numerous data-theft campaigns and destructive operations featuring comprehensive data elimination.
Gil Messing, Check Point’s Chief of Staff, identified the organization as operating under Iran’s Ministry of Intelligence umbrella and characterized them as “the most notorious group affiliated with the Iranian regime.” He suggested their public acknowledgment of this operation represents “a new phase in Iran’s motivations.”
White House and Verifone
White House officials indicated the Trump administration is “proactively monitoring potential cyber threats” while maintaining coordination channels with critical infrastructure entities and law enforcement partners. Both the FBI and CISA declined to provide statements.
Subsequent to the Stryker incident, Handala publicized claims of a secondary operation targeting Israeli financial technology provider Verifone. Verifone categorically rejected these allegations, stating forensic investigations uncovered zero indicators of network compromise and confirmed uninterrupted service delivery to customers.
Ken Sheehan, director of operations at Smarttech247, highlighted that Handala’s preferred attack vector continues to be phishing campaigns and recommended organizations enhance cybersecurity awareness education programs.
With approximately 56,000 employees distributed across 61 nations, Stryker generated over $25 billion in annual revenue during the previous fiscal year.
