Atinec Stack

Iran-Linked Hacktivists Claim Destructive Cyberattack on Medical Giant Stryker

Last updated: 2026-05-01 11:03:44

Overview of the Attack

A hacktivist group with ties to Iran's intelligence apparatus has claimed responsibility for a devastating data-wiping attack on Stryker, a global medical technology company headquartered in Michigan. The group, known as Handala (also called Handala Hack Team), alleges it erased data from over 200,000 systems, servers, and mobile devices across Stryker's global operations, forcing the closure of offices in 79 countries.

Source: krebsonsecurity.com

Immediate Impact on Operations

Reports from Ireland, where Stryker maintains its largest hub outside the United States, indicate that the company sent home more than 5,000 workers at its Cork facilities. A voicemail message at Stryker's main U.S. headquarters informed callers that the company is experiencing a "building emergency." Employees in Ireland have turned to WhatsApp for updates on when they can resume work, according to the Irish Examiner.

Employee Accounts of the Disruption

Citing an unnamed Stryker employee, the Irish Examiner reported that anything connected to the corporate network is down and that personal phones with Microsoft Outlook installed were completely wiped. The report added that login pages on affected devices now display the Handala logo, confirming the group's hand in the incident.

The Attackers' Motive

In a lengthy statement posted on Telegram, Handala claimed the wiper attack was retaliation for a February 28 missile strike that hit an Iranian school, killing at least 175 people, most of them children. According to The New York Times, an ongoing military investigation has determined that the United States was responsible for the Tomahawk missile strike. Handala's manifesto declared, "All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption."

Profile of Handala and Its Iranian Connections

Cybersecurity researchers at Palo Alto Networks have identified Handala as one of several online personas maintained by Void Manticore, a threat actor affiliated with Iran's Ministry of Intelligence and Security (MOIS). Handala emerged in late 2023 and has since been linked to multiple cyber operations targeting entities perceived as hostile to Iran's interests.

Technical Details of the Wiper Attack

Wiper attacks involve malicious software designed to overwrite existing data on infected devices, rendering them unusable. In this case, the attack appears to have targeted Stryker's systems globally, disrupting the company's ability to communicate and operate. The group's claim of affecting 200,000 devices suggests a widespread and coordinated assault.

Stryker's Profile and Response

Based in Kalamazoo, Michigan, Stryker [NYSE:SYK] is a leading manufacturer of medical and surgical equipment, reporting $25 billion in global sales last year. The company employs approximately 56,000 people across 61 countries. As of now, Stryker has not issued an official statement regarding the attack, and its media line remains diverted to the building emergency voicemail.

Broader Implications and Ongoing Investigation

This incident underscores the growing threat of state-sponsored hacktivism, where groups use destructive cyberattacks to advance geopolitical agendas. The targeting of a medical technology firm raises concerns about patient safety and operational continuity. Irish authorities and cybersecurity firms are likely investigating the breach, while Stryker focuses on restoring systems and supporting affected employees.
