When thousands of Stryker employees arrived at work on 11 March and tried to log into their computers, they found a logo they weren't expecting. The Handala group claimed responsibility, calling it retaliation "for the brutal attack on the Minab school." Within hours, the Michigan-based medical equipment maker had become the target of what appears to be the first significant Iranian cyberattack against a US company since the conflict began.
Handala claimed that Stryker's offices in 79 countries had been forced to shut down after the group erased data from more than 200,000 systems, servers and mobile devices. The company's response was swift but grim. A text sent to Stryker employees read, "We are experiencing a severe, global disruption impacting all Stryker laptops and systems that connect to our network."
The technical mechanism behind the attack proved relatively simple yet devastatingly effective. Security researchers at Palo Alto Networks said the Handala hackers may have relied on phishing to compromise Stryker's network. Once inside, analysts believe the attackers gained access to Microsoft Intune, Microsoft's device management system for remote administration. Intune includes a feature for remotely wiping a device that has been lost or stolen; the attackers appear to have triggered it for some or all of the enrolled devices. A week after the attack, Stryker's ability to process orders, manufacture devices, or ship them remained disrupted.
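As an added example (not code from the article, Stryker, or Microsoft), the following Python detector flags the pattern described above: a burst of remote-wipe actions issued by one account against many enrolled devices, as it would appear in an MDM audit log. The JSON-lines format, field names and sample records are constructed for illustration and are not the real Intune audit schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_ACTIONS = {"Wipe", "Retire"}  # MDM actions that remove data or management
THRESHOLD = 5                      # distinct devices per actor ...
WINDOW = timedelta(minutes=10)     # ... inside this window raises an alert

# Constructed sample (JSON lines): a simplified stand-in for an MDM audit export.
# Field names are assumptions for illustration, not the real Intune schema.
SAMPLE_LOG = """\
{"time":"2026-03-11T02:00:05Z","actor":"helpdesk@example.com","action":"Wipe","device":"LAPTOP-0417"}
{"time":"2026-03-11T03:14:01Z","actor":"svc-mdm@example.com","action":"Wipe","device":"LAPTOP-1001"}
{"time":"2026-03-11T03:14:02Z","actor":"svc-mdm@example.com","action":"Sync","device":"LAPTOP-1002"}
{"time":"2026-03-11T03:14:02Z","actor":"svc-mdm@example.com","action":"Wipe","device":"LAPTOP-1002"}
{"time":"2026-03-11T03:14:03Z","actor":"svc-mdm@example.com","action":"Wipe","device":"LAPTOP-1003"}
{"time":"2026-03-11T03:14:04Z","actor":"svc-mdm@example.com","action":"Wipe","device":"LAPTOP-1004"}
{"time":"2026-03-11T03:14:04Z","actor":"svc-mdm@example.com","action":"Wipe","device":"LAPTOP-1005"}
"""

def parse_events(text):
    """Return sorted (time, actor, device) tuples for wipe-class actions only."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        if rec["action"] in WIPE_ACTIONS:
            ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
            events.append((ts, rec["actor"], rec["device"]))
    return sorted(events)

def detect_wipe_bursts(text, threshold=THRESHOLD, window=WINDOW):
    """One alert per actor whose wipes reach `threshold` distinct devices
    within any span of length `window` (sliding window per actor)."""
    by_actor = defaultdict(list)
    for ts, actor, device in parse_events(text):
        by_actor[actor].append((ts, device))
    alerts = []
    for actor, evs in by_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            devices = {d for _, d in evs[start:end + 1]}
            if len(devices) >= threshold:
                alerts.append({"actor": actor, "devices": len(devices),
                               "first": evs[start][0].isoformat(),
                               "last": evs[end][0].isoformat()})
                break  # one alert per actor is enough for triage
    return alerts
```

The single benign wipe by the help-desk account stays below the threshold, while the five wipes issued by the service account within a few seconds produce one alert.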
What makes this attack significant is not its technical sophistication but its timing and target. An Iran-linked hacker group claimed responsibility in what appears to be the first significant instance of Iran's hacking an American company since the start of the war between the countries. Before Stryker, Iran-linked hackers had been largely quiet in terms of attacks on US organisations since the war began. Email security firm Proofpoint said Wednesday that its tracking of known Iranian groups had turned up only one hacking campaign since the war began.
This shift matters. Iran has a long history of cyber operations, from espionage to phishing campaigns, spanning fifteen years. But the Stryker attack represents something different: destructive operations against civilian infrastructure. Historically, Iran has conducted some of the most infamous "wiper" cyberattacks on its national enemies, aiming to erase all data on the computers across a victim's network. Victims include Saudi Aramco, Saudi Arabia's national oil company, in 2012, and the Sands Casino in 2014. Now, that capability has reached a US company at the centre of global healthcare supply chains.
The Strategic Logic
From Tehran's perspective, the appeal of cyber operations is obvious. The goal is to wear down the American war effort, drive up the costs of energy, strain cyber resources and cause as much pain as possible for American companies that depend on the defence industry. But security analysts also note a practical advantage: Iranian hackers and their allies aim for quick victories by targeting the weakest links in American cybersecurity. Often, local water plants or health care facilities lack the funds and know-how to install the latest software patches or take other security steps. That has made them a favourite target, both because of the relative ease of penetrating them and because of the panic these disruptions can cause.
The scale of risk ahead is serious. Going forward, US defence contractors, government vendors and businesses that work with Israel are likely targets, as is critical infrastructure such as hospitals, ports, water plants, power stations and railways. However, there is a countervailing view worth noting: the strikes on Iran's military, together with internet outages, may have limited Iran's cyberattacks in the short term. Even so, experts say Iranian hackers and their allies will keep aiming for quick victories against the weakest links in American cybersecurity.
What remains unclear is how aggressively Iran's intelligence services will coordinate with these proxy groups going forward. The use of Handala as an apparent proxy provides plausible deniability. Handala was recently profiled by Palo Alto Networks, which links it to Iran's Ministry of Intelligence and Security. Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.
For American companies, the implications are immediate. Spear-phishing remains one of the most common and effective attack vectors, but vishing (voice phishing) is rapidly closing the gap. The FBI, CISA, and other US government agencies have repeatedly warned that Iranian state-sponsored threat actors are actively targeting US critical infrastructure, including health care. These threat actors employ a range of sophisticated techniques, including spear-phishing, vishing, exploitation of known vulnerabilities, credential theft, and deployment of ransomware and data-wiping malware.
Stryker's experience offers both a warning and a lesson. The company's connected medical devices themselves were not compromised, meaning patient safety was not directly threatened. But a week of order and shipping disruption at a firm serving 150 million patients annually demonstrates how cyber operations can ripple through global healthcare without needing to penetrate the clinical systems themselves. That distinction matters less to the patient waiting for surgery.