Iran-Backed Hackers Hit Medtech Giant Stryker With Wiper Attack
Iran-linked hacker group Handala claims to have wiped data from 200,000 Stryker systems, crippling the $25B medical technology company's global operations.
The voicemail picked up on the second ring. “We are currently experiencing a building emergency. Please try your call again later.”
That was the entirety of Stryker Corporation’s response when a reporter called the media line at the company’s Michigan headquarters on a Wednesday morning in late March 2026. Not a press officer. Not a holding statement. A generic emergency recording, looping on repeat, at one of the largest medical technology companies in the world.
Outside Stryker’s offices in Cork, Ireland, more than 5,000 workers were being sent home. They weren’t being briefed through company email or internal communications platforms. They were getting their updates through WhatsApp.
Stryker’s $25 Billion Blindside
Stryker [NYSE: SYK] is not a small target. Based in Kalamazoo, Michigan, the company manufactures medical and surgical equipment sold across 61 countries and reported $25 billion in global sales last year. It employs 56,000 people. Its products are found in operating rooms, emergency departments, and rehabilitation centers on every inhabited continent. When Stryker goes dark, the ripple effects reach surgeons, hospital procurement systems, and patients waiting on equipment deliveries.
The group claiming responsibility for taking Stryker dark calls itself Handala, also known as the Handala Hack Team. In a lengthy statement posted to Telegram, the group said it had erased data from more than 200,000 systems, servers, and mobile devices across Stryker’s offices in 79 countries, forcing a shutdown of operations at a scale that, if accurate, would rank among the most destructive cyberattacks ever carried out against a private corporation.
The Handala statement read, in part: “All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption.”
The language is theatrical. The damage, based on available evidence, appears to be real.
Employees in Cork told the Irish Examiner that anything connected to Stryker’s network was down. Multiple sources told the outlet that company devices held by employees had been wiped. Login screens on those devices had been defaced with the Handala logo, a detail consistent with wiper malware deployments that include a propaganda payload alongside the destructive code. One unnamed employee told the Examiner that “anyone with Microsoft Outlook on their personal phones had their devices wiped,” a claim that, if verified, would indicate Handala’s access extended to mobile device management infrastructure, not just workstations and servers.
That level of reach is not the work of opportunists.
Handala, Void Manticore, and the MOIS Connection
Handala is a name borrowed from a beloved Palestinian cartoon character created by the artist Naji al-Ali, a symbol of dispossessed childhood and resistance that has appeared on walls from Beirut to the West Bank for decades. The hacker group adopted the name deliberately. Its messaging is saturated with references to Palestinian suffering, Israeli military operations, and what the group frames as Western complicity in those operations.
But the group is not simply a collection of ideologically motivated freelancers.
Palo Alto Networks has profiled Handala as one of several online personas maintained by a threat actor it tracks as Void Manticore, an entity assessed as affiliated with Iran’s Ministry of Intelligence and Security, known by its Persian-language acronym MOIS. According to Palo Alto, Handala surfaced in late 2023 and has since been used as a public-facing identity for operations that carry the technical fingerprints and strategic logic of a state-directed program.
MOIS is Iran’s primary civilian intelligence apparatus, responsible for domestic surveillance, counterintelligence, and foreign operations targeting perceived enemies of the Islamic Republic. It is distinct from the Islamic Revolutionary Guard Corps, which runs its own parallel cyber programs, though the two organizations have historically collaborated on disruptive operations. The U.S. Treasury Department has sanctioned multiple individuals and entities connected to MOIS cyber operations over the past several years.
The Void Manticore designation matters because it places Handala within a documented pattern of Iranian state behavior rather than treating the group as an autonomous hacktivist outfit. Wiper attacks, specifically, have been a recurring tool in Iran’s cyber arsenal since at least 2012, when the Shamoon malware destroyed data on tens of thousands of computers at Saudi Aramco. The strategic logic has remained consistent across more than a decade: the goal is not intelligence collection but pain, disruption, and the demonstration of reach.
The February 28 Missile Strike and Handala’s Stated Motive
Handala did not claim the Stryker attack as an act of random cyberterrorism. The group framed it explicitly as retaliation for a specific event: a missile strike on February 28, 2026, that hit an Iranian school and killed at least 175 people, most of them children.
The New York Times reported, on the same day Stryker’s systems went dark, that an ongoing military investigation had determined the United States was responsible for the Tomahawk missile strike that caused those deaths. The convergence of that reporting and the Handala attack was not coincidental. The group’s Telegram post drew a direct line from the missile strike to the targeting of Stryker, framing the medtech company as a proxy for American power.
The choice of Stryker as the target deserves scrutiny. Stryker manufactures surgical and trauma care equipment. It does not make weapons. It does not have U.S. defense contracts in the conventional sense. But Handala’s selection of a medical technology company carries its own symbolic weight: if the stated grievance is the killing of children in a school, hitting a company whose products are used to save lives in operating rooms sends a message about willingness to cause harm without obvious military logic. It also maximizes disruption across a sector with minimal defenses and enormous downstream vulnerability.
This target selection pattern is also consistent with prior Void Manticore operations. Iranian state-affiliated actors have repeatedly targeted hospitals, healthcare networks, and medical infrastructure, in part because those organizations hold sensitive personal data, in part because they are structurally underprepared for sophisticated intrusions, and in part because disrupting them generates immediate, visible public impact.
What a Wiper Attack Actually Does
The term “wiper attack” sometimes gets lost in the broader vocabulary of ransomware and data breaches, so it is worth being precise about what distinguishes it.
Wiper malware is designed with one primary function: to overwrite or corrupt data on infected systems so that it cannot be recovered. Unlike ransomware, which encrypts files and demands payment for a decryption key, a wiper leaves nothing to negotiate. There is no key. There is no restoration path. The data is gone, and the only recovery option is restoring from clean backups, assuming those backups exist, were stored offline or in an isolated environment, and were not themselves compromised during the intrusion.
The 2012 Shamoon attack against Saudi Aramco, which destroyed data on approximately 35,000 computers, required the company months to fully recover and forced it to purchase hard drives on the open market from multiple continents to replace destroyed systems. The 2017 NotPetya attack, which the U.S. government later attributed to Russian military intelligence, caused an estimated $10 billion in global damage and wiped systems at companies ranging from the shipping giant Maersk to the pharmaceutical company Merck. NotPetya, notably, also initially disguised itself as ransomware before revealing its true function.
Handala’s claim of 200,000 wiped systems would, if accurate, exceed the Shamoon attack by an order of magnitude. Verification of that number is not currently possible from public sources. But the corroborating details from Cork, including the defaced login screens, the non-functional network infrastructure, and the mobile device wipes, suggest that whatever Handala deployed achieved meaningful destructive impact at scale.
The specific claim about Outlook on personal phones warrants attention. If Handala penetrated Stryker’s mobile device management platform, the company’s security team faces a recovery task far more complex than simply imaging workstations. Mobile device management systems, when compromised by a wiper payload, can be used to push destructive commands to every enrolled device simultaneously. The attacker doesn’t need to reach each phone individually. They compromise the management layer once, and the system does the rest.
Cork’s 5,000 Workers and the Human Equation
Ireland has become one of the most significant technology and pharmaceutical hubs in Europe, a product of favorable corporate tax policy, a well-educated English-speaking workforce, and aggressive recruitment by multinational companies over the past three decades. Stryker’s presence in Cork is substantial. The company employs thousands of workers there across research, manufacturing, and operational functions, making it one of the larger private employers in the region.
When those 5,000 workers were sent home on Wednesday morning, they left behind a workplace that, according to their own accounts, had been rendered completely non-functional. No email. No internal systems. No company devices. Communication redirected to personal WhatsApp groups. The scene described by the Irish Examiner was not a company managing a cybersecurity incident with its continuity plans intact. It was a company that had been stopped cold.
The practical consequences extend beyond disrupted workdays. Stryker manufactures equipment used in active clinical settings. Supply chain disruptions at a company of its size propagate outward quickly, affecting hospital procurement, surgical scheduling, and equipment maintenance contracts. The company has not, as of available reporting, made any public statement about impacts to product supply or clinical operations. That silence may reflect genuine uncertainty about the scope of the damage as much as any communications strategy.
The Escalating Use of Wiper Malware Against Western Infrastructure
The Stryker attack fits within a documented escalation in the use of destructive malware against Western civilian and commercial targets by state-affiliated actors. The pattern has accelerated since 2022, when Russian forces deployed multiple wiper variants against Ukrainian government and critical infrastructure networks in the days preceding the ground invasion, attacks documented by Microsoft, ESET, and other security researchers.
Iranian actors have adapted and accelerated their own wiper programs in parallel. The group tracked as APT33, also linked to MOIS, has historically targeted aerospace and energy companies with destructive payloads. The broader Iranian cyber ecosystem has demonstrated increasing technical sophistication over the past three years, including improved operational security, more complex intrusion chains, and a greater willingness to deploy destructive tools against targets in NATO-aligned countries.
The attribution of Handala to Void Manticore, and of Void Manticore to MOIS, carries legal and diplomatic weight beyond the technical. Operations assessed as directed by a foreign government’s intelligence ministry are not treated the same as criminal hacking under U.S. law or international norms. They create potential triggers for diplomatic response, sanctions designations, and, under some interpretations of existing frameworks, potential justification for countermeasures.
Whether the United States government will pursue any of those responses in the Stryker case is an open question. The context created by the February 28 missile strike, and the ongoing military investigation into U.S. responsibility for that strike, complicates any straightforward framing of Stryker’s attackers as purely criminal actors deserving of prosecution.
What the Source Reporting Shows
Reporting on the Stryker attack, including the details about the Cork shutdown, the defaced login screens, and Handala’s Telegram manifesto, was first aggregated and published by Krebs on Security, which reached Stryker’s Michigan headquarters and received only the building emergency voicemail. The Irish Examiner’s on-the-ground reporting from Cork provided the most detailed picture of conditions inside affected facilities, drawing on multiple unnamed employees with direct knowledge of what they were experiencing.
Stryker had not, as of available public reporting, issued a formal statement acknowledging the attack or characterizing its scope. The company’s website was functional. Its stock continued to trade. The absence of a public statement from a company of Stryker’s size and regulatory exposure, given that it is a publicly traded company subject to SEC disclosure requirements around material events, is itself a data point.
Under SEC cybersecurity disclosure rules that took effect in late 2023, publicly traded companies are required to disclose material cybersecurity incidents within four business days of determining that an incident is material. A wiper attack affecting 200,000 systems across 79 countries, if Handala’s claims are accurate, would by most reasonable interpretations qualify as material. Stryker’s legal team is almost certainly working through that analysis in real time.
The Limits of What We Know
Every detail in Handala’s Telegram statement should be held at arm’s length. Hacktivist groups, including those operating under state direction, routinely exaggerate the scope of their operations for maximum propaganda value. The claim of 200,000 wiped systems across 79 countries may be accurate, may be inflated, or may mix legitimate damage with aspirational claims. Without access to Stryker’s internal incident response data, no independent verification is possible.
What is verifiable, from public sources, is this: 5,000 workers were sent home from the Cork facility. The company’s main U.S. phone line was routing to an emergency recording. Employees were reporting wiped devices and defaced login screens. The network was down. Those facts are consistent with a serious, large-scale intrusion. They do not confirm or deny the specific numbers Handala claims.
The claim about personal phone wipes is particularly significant if verified, because it suggests either that Stryker’s mobile device management platform was fully compromised or that employees had connected personal devices to corporate systems in ways that exposed them to the wiper payload. Either scenario has implications for the company’s security architecture that go beyond the immediate incident.
No Clean Backups, No Easy Answer
Recovery from a wiper attack at Stryker’s scale is not a matter of weeks. It is a matter of months, and that timeline assumes the company’s backup infrastructure survived intact and uncompromised. One of the more sophisticated recent evolutions in wiper attack methodology is the targeting of backup systems and disaster recovery infrastructure before deploying the destructive payload. If an attacker can identify and corrupt or destroy an organization’s backups before wiping primary systems, the victim is left with nothing to restore from.
Whether Handala had the access and the time to compromise Stryker’s backup infrastructure is unknown. What is known is that the group claims to have been inside Stryker’s systems long enough to exfiltrate data from those systems before wiping them. That exfiltration claim, if true, implies a dwell time measured in days or weeks, not hours. Extended presence inside a network of Stryker’s complexity would give a sophisticated actor ample opportunity to identify and target backup systems.
The 56,000 employees who showed up to work Wednesday morning and found their systems dark are the visible face of an incident whose full scope will take months to understand. Some of them work in facilities that supply equipment to hospitals. Some of them maintain systems that track active orders and service contracts for surgical equipment in clinical use. The downstream effects of their inability to do their jobs on Wednesday morning are not theoretical.
In Cork, 5,000 of those employees went home and waited for a WhatsApp message to tell them when they could come back. By Wednesday afternoon, that message had not arrived.