Iran-linked hackers disrupt Stryker's network in apparent retaliation

A cyberattack attributed to the Iran-aligned Handala Hack group has disrupted the Microsoft environment of medical device maker Stryker, paralyzing much of its global operations. The incident, which emerged shortly after US and Israeli airstrikes on Iran, involved data wiping across tens of thousands of computers. Stryker confirmed the attack is contained, with no impact on its critical medical devices.

The cyberattack on Stryker, a multinational producer of medical equipment, surfaced on March 11, 2026, amid warnings of retaliatory hacks following US and Israeli airstrikes on Iran in late February. Initial reports came from social media posts by purported Stryker employees and a story in the Irish Examiner, describing wiped phones and computers displaying the Handala Hack logo. The group, active since at least 2023 and named after a Palestinian cartoon character symbolizing resistance, claimed responsibility on its Telegram channel and website. Handala cited the killing of 165 civilians at a girls' school in Iran by a US Tomahawk missile and prior US-Israeli operations against Iran as motivations.

Stryker acknowledged the incident on March 12, stating it faced a "global network disruption to our Microsoft environment as a result of a cyber attack." The company reported no evidence of ransomware or malware, and responders believe the disruption is contained to its internal Microsoft systems. Critical devices such as Lifepak for heart monitoring, Lifenet for patient data management, and Mako for surgeries continue to function normally. In a US Securities and Exchange Commission filing, Stryker noted it has no timeline for restoring normal operations.

Security researchers from Check Point, who track Handala as "Void Manticore," describe the group as affiliated with Iran's Ministry of Intelligence and Security. It has a history of destructive wiping attacks using custom tools, public software, and manual methods, often gaining access via underground services. Analysts suggest the attackers may have exploited Stryker's Microsoft Intune tool to issue deletion commands across its Windows network. Flashpoint researchers highlighted the symbolic targeting of Stryker, a key supplier of lifesaving devices to the US and allies, as a low-cost way for pro-Iranian actors to demonstrate reach while maintaining plausible deniability under a pro-Palestinian persona.

The breach, which reportedly affected tens of thousands of computers, underscores Iran's use of hacker groups for psychological retaliation when military options are limited.

What people are saying

Discussions on X highlight the Iran-linked Handala group's claimed wiper cyberattack on Stryker as retaliation for US-Israeli strikes, disrupting global operations but not critical medical devices. Sentiments include alarm over healthcare vulnerabilities and data destruction, geopolitical concerns, calls for bolstered US cybersecurity, and criticisms of escalating conflict. Technical analyses emphasize destructive intent, citing methods like Intune abuse, over ransomware.

Related articles

US agencies warn of Iranian hackers targeting critical infrastructure PLCs

The FBI, CISA, NSA, EPA, Department of Energy, and US Cyber Command issued a joint advisory warning of intensified cyberattacks by Iranian-affiliated hackers on programmable logic controllers (PLCs) in US critical infrastructure. Attacks since at least March 2026 have caused operational disruptions and financial losses in government facilities, wastewater, water, energy, and municipal systems, amid escalating tensions in the US-Israel war with Iran.

Iran's Islamic Revolutionary Guard Corps warned on Tuesday that it plans to target more than a dozen American companies across the Middle East beginning Wednesday. The list includes tech giants such as Apple, Google, Microsoft, IBM, Intel and Tesla, as well as Boeing. The IRGC cited retaliation for the killing of Iranian citizens amid the ongoing war with the US and Israel.

A hacking group known as Handala, believed to be affiliated with Iranian cyberintelligence units, has breached the personal email account of FBI Director Kash Patel. The group published photos and emails from the account as proof of the hack, which the FBI and Department of Justice have confirmed involved only historical personal information. The breach follows recent U.S. actions against the group's websites and Patel's public threats to pursue them.
