Pro-Iran Hacktivists Say They Wiped Data at Medical Giant Stryker, Forcing Mass Evacuation
Pro-Iran hacktivist group Handala claims a wiper attack on Stryker, wiping 200,000+ systems and sending 5,000+ employees home. Company headquarters in building emergency.
Breaking: Stryker Hit by Massive Data-Wiping Attack; Thousands Sent Home
A hacktivist group with ties to Iran’s intelligence apparatus is claiming responsibility for a devastating wiper attack against medical technology firm Stryker, forcing the company to send more than 5,000 employees in Ireland home and triggering a building emergency at its U.S. headquarters.
The group, known as Handala (or Handala Hack Team), posted on Telegram that it erased data from over 200,000 systems, servers, and mobile devices across Stryker’s operations in 79 countries, effectively shutting down the company’s offices worldwide.
Stryker, a $25 billion medical device maker based in Kalamazoo, Michigan, has not yet issued a public statement. A voicemail at its main U.S. headquarters states: “We are currently experiencing a building emergency. Please try your call again later.”
‘All Data in the Hands of the Free People’
In a manifesto posted to Telegram, Handala declared: “All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption.”
The group said the attack was retaliation for a Feb. 28 missile strike on an Iranian school that killed at least 175 people, mostly children. The New York Times reported Wednesday that a U.S. military investigation concluded the United States was responsible for that Tomahawk strike.
“This is a clear escalation in the cyber conflict between Iran-aligned groups and Western corporations,” said John Hultquist, chief analyst at Mandiant Intelligence. “Wiper attacks are destructive and intended to cause maximum disruption.”
Employees Sent Home, Devices Wiped
News reports from Ireland – Stryker’s largest hub outside the U.S. – say the company sent home more than 5,000 employees at its Cork headquarters. A report from the Irish Examiner quoted an unnamed employee: “Anything connected to the network is down. Anyone with Microsoft Outlook on their personal phones had their devices wiped.”
The Examiner added: “Multiple sources say systems in the Cork headquarters have been shut down, and Stryker devices held by employees have been wiped. Login pages are defaced with the Handala logo.”
Stryker staff are now relying on WhatsApp to receive updates about when they can return to work, according to the same report.
Background: Handala and Iran’s Ministry of Intelligence
Handala is one of several online personas maintained by Void Manticore, a threat actor linked to Iran’s Ministry of Intelligence and Security (MOIS), according to a recent analysis by Palo Alto Networks. The group surfaced in late 2023 and has claimed multiple cyberattacks against Israeli and Western targets.
Stryker [NYSE:SYK] reported $25 billion in global sales last year and employs 56,000 people across 61 countries. Its medical and surgical equipment is used in hospitals worldwide, making the attack particularly alarming for healthcare cybersecurity.
Wiper attacks use malicious software to overwrite data on infected devices, rendering them unusable. Unlike ransomware, wipers leave no means of recovery unless backups exist.
What This Means
This attack underscores the growing threat from state-linked hacktivists who use destructive cyber operations to retaliate for geopolitical events. The targeting of a medical technology firm raises concerns about patient safety and supply chain disruptions.
“Organizations in critical sectors must prepare for data-destroying attacks, not just ransomware,” said Allison Wikoff, vice president of cybersecurity firm Cybereason. “The stakes are even higher when lives depend on medical devices.”
Stryker has not confirmed the extent of the damage or whether any patient data was compromised. The company’s stock fell slightly in after-hours trading Wednesday.
Security experts advise companies to maintain offline backups and have incident response plans that account for wiper attacks. The incident also highlights the need for international cooperation to deter state-sponsored cyber aggression.
Ongoing Coverage
Learn more about Handala and Iran’s cyber operations | Understand the implications for critical infrastructure