- What: An Iran-linked cyberattack disrupted Stryker's operations
- Impact: Manufacturing and shipping were affected, but no direct consumer impact is reported
Iran-Linked Hacker Attack on Stryker Disrupted Manufacturing and Shipping

Evidence indicates that the attackers leveraged existing endpoint management software rather than malware to wipe devices.

By Eduard Kovacs | March 13, 2026 (6:38 AM ET)

US-based medical technology giant Stryker admitted on Thursday that the recent Iran-linked cyberattack has caused significant disruption, as more evidence has come to light on the tactics and techniques used by the attackers.

Stryker said in its latest media statement that the hacker attack caused global disruption to the company's Microsoft environment, but noted that the intrusion was limited to this environment.

"This incident has caused disruptions to order processing, manufacturing and shipping," Stryker stated. "However, we are working diligently to restore our systems and above all, we are committed to ensuring our customers can continue to deliver seamless patient care."

"We implemented business continuity measures to support our customers and partners to the fullest extent possible," the company added.

It's unclear whether the hackers directly targeted operational technology (OT) systems or manufacturing disruptions stem from an IT system compromise.

According to media reports from Ireland, home to Stryker's largest hub outside the US, support staff, administrative staff, and engineers have been sent home, and they are using WhatsApp for information on when they can resume work.

Stryker, a manufacturer of surgical equipment, orthopedic implants, and neurotechnology for healthcare organizations worldwide, reported a revenue of $25 billion in 2025.

A threat group named Handala has taken credit for the attack, claiming to have wiped more than 200,000 devices (including phones) and forcing Stryker to shut down offices in dozens of countries.
The hackers also claimed to have stolen 50TB of data from the medtech giant's systems.

While some initial media reports said wiper malware was used in the attack, new evidence indicates that the hackers used living-off-the-land techniques to remotely wipe systems.

According to unverified reports from individuals claiming to have inside knowledge of the incident, the attackers wiped systems using Microsoft Intune, a cloud-based unified endpoint management service designed to secure and manage user devices (including Windows, macOS, iOS, Android, and Linux) and applications within an organization.

Investigative cybersecurity blogger Brian Krebs also learned from sources that Intune has been abused by Handala to cause disruption.

Indeed, Stryker stated that no malware or ransomware was detected during its investigation.

Handala hacker group

Since the US-Israel-Iran conflict erupted in late February, the Handala group has sharply ramped up its claimed activity, focusing on targets perceived as aligned with Israel and its allies.

Handala portrays itself as a pro-Palestinian hacktivist outfit motivated by anti-Israeli ideology. Cybersecurity researchers, however, widely regard it as a cover for Void Manticore, an Iranian state-sponsored actor believed to operate under the direction of Iran's Ministry of Intelligence and Security (MOIS).

The group is best known for phishing, stealing sensitive data, extortion threats, and launching destructive attacks, frequently deploying custom wiper malware to erase files and systems.

In the wake of the conflict's start, Handala has allegedly launched many attacks against Israel, including wiping military weather servers, hijacking security camera feeds, exfiltrating and deleting corporate data, publicly exposing details of intelligence personnel, and compromising an oil and gas exploration firm.
The collective regularly shares purported evidence of its actions via Telegram and X, though many claims lack independent confirmation and are often difficult to fully verify.