Pro-Iran hackers claim cyberattack on medical device giant Stryker

A pro-Iranian hacking group claimed responsibility Wednesday for a cyberattack on Stryker, a major U.S. medical technology company, triggering a global network disruption that knocked many employees offline and disrupted company systems.

The Michigan-based company confirmed the breach in a public statement, saying it was “experiencing a global network disruption to our Microsoft environment as a result of a cyberattack.” Stryker said it had found no indication of ransomware or malware and believed the incident had been contained while teams worked to understand the full impact on its systems. 

Stryker manufactures a wide range of medical equipment, including defibrillators and ambulance cots, and says its products and services help treat more than 150 million patients each year. 

The attack was claimed by Handala, a hacking group linked to Iran that has previously carried out several cyber operations primarily targeting Israel. The group said the intrusion was retaliation for a missile strike on an elementary school in Iran, an incident Iranian state media claimed killed at least 168 children. The Pentagon said it is investigating that claim. 

The disruption affected company operations worldwide. Employees were instructed not to log onto company computers or connect to Stryker mobile applications, according to reports from NewsNation affiliate WOOD-TV. Some remote devices running Microsoft Windows, including laptops and mobile devices connected to Stryker systems, were reportedly wiped. One employee said they saw a message from the group Handala when they opened their browser. 

An internal message described “a severe, global disruption impacting all Stryker laptops and systems that connect to our network,” according to the report. 

Stryker is headquartered in Portage, Michigan, and develops medical technology products in areas including medical and surgical equipment, neurotechnology and orthopaedics. The company operates in more than 60 countries and employs more than 56,000 people. 

Computers at Stryker facilities in Ireland were also reportedly affected by the disruption. The company’s shares fell more than 3% after the Wall Street Journal first reported the cyberattack. 

The incident appears to be one of the first notable Iran-linked cyber operations targeting a U.S. company since the United States and Israel began bombing Iran last month. U.S. intelligence officials had warned that hackers tied to Tehran could attempt retaliatory cyberattacks following the joint military campaign.

Despite those warnings, Iranian cyber activity had remained relatively limited in the weeks following the start of the conflict. Email security firm Proofpoint said it had identified only one known Iranian hacking campaign during that time, an attempt to compromise a U.S. think tank employee. 

Michael Vatis, the founding head of the FBI’s computer crime and infrastructure protection program, told NewsNation the attack did not directly target critical infrastructure such as energy or healthcare systems. However, he warned that similar incidents could become more serious if they signal broader cyber operations. 

Cybersecurity experts say Iran has steadily expanded its cyber capabilities over the past decade, particularly after the 2010 Stuxnet attack that damaged Iran’s nuclear centrifuges and was widely attributed to the United States and Israel. Since then, Iranian cyber activity has evolved from espionage and influence campaigns to more disruptive attacks, including the 2012 Shamoon malware attack on Saudi Aramco and cyberattacks targeting U.S. banks. 

Cybersecurity expert Joshua Corman told CNN that nation-state hackers increasingly pose a serious threat to critical systems.

“China, Iran, Russia, etc. all have the means, motive, and opportunity to deal us devastating disruptions,” Mr. Corman said.