Handala Cyberattack Disrupts Stryker Systems
A major cyberattack attributed to the Iran-linked hacking group Handala has disrupted systems at Stryker Corporation, one of the world’s largest healthcare technology providers. Employees across multiple countries reportedly found company devices wiped or locked, with screens displaying the image of Handala, a symbolic figure associated with Palestinian resistance.
Stryker confirmed the incident in a filing with the U.S. Securities and Exchange Commission, stating that the disruption affected its global Microsoft environment but that there was no evidence of ransomware. Instead, the attack appeared to involve destructive techniques designed to erase systems rather than demand payment.
Reports suggest that more than 200,000 devices, including laptops, servers, and mobile phones, may have been wiped, while attackers claim to have extracted around 50 terabytes of data. The disruption forced operational challenges across Stryker’s network spanning dozens of countries.
Security analysts believe the attackers exploited administrative access to Microsoft Intune, a cloud-based system used to manage corporate devices. With such access, attackers can remotely control and erase enrolled endpoints, effectively creating a large-scale “kill switch” for an organization’s devices.
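A defender-side check for the mass-wipe pattern described above, added here as an illustration and not taken from Stryker, Microsoft or the original report: it flags any account that issues destructive device actions against many distinct devices within a short window. The record fields, action labels, thresholds and sample events are assumptions constructed for the example; a real device-management audit export would have to be mapped onto them.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed, simplified record layout (time, actor, action, device); a real
# audit export must be mapped onto these fields first.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}  # assumed action labels


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: (first_alert_time, distinct_devices_in_window)} for each
    actor that hit `threshold` distinct devices with destructive actions
    inside one sliding `window`."""
    recent = defaultdict(deque)  # actor -> deque of (time, device)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        # Drop actions that have fallen out of the sliding window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= threshold and ev["actor"] not in alerts:
            alerts[ev["actor"]] = (ev["time"], len(devices))
    return alerts


def make_event(ts, actor, action, device):
    return {"time": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "device": device}


# Constructed sample data, not taken from the incident.
SAMPLE_EVENTS = [
    # Routine helpdesk wipes, days apart: should not alert.
    make_event("2025-01-06T09:00:00", "helpdesk@example.test", "wipe", "LT-0001"),
    make_event("2025-01-08T14:30:00", "helpdesk@example.test", "wipe", "LT-0002"),
    make_event("2025-01-09T02:00:00", "admin2@example.test", "sync", "LT-0100"),
] + [
    # Six wipes in six minutes from one admin account: should alert.
    make_event(f"2025-01-09T02:0{i}:00", "admin2@example.test", "wipe", f"LT-01{i:02d}")
    for i in range(1, 7)
]

if __name__ == "__main__":
    for actor, (when, n) in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {n} devices hit within window, first seen {when}")
```

The threshold and window should be tuned against the organization's normal helpdesk wipe rate so that routine device retirements do not trigger alerts.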
The group behind the attack, Handala, first emerged in 2023 and is believed by several threat intelligence firms to be linked to Iran’s Ministry of Intelligence and Security. The group has previously targeted Israeli government and private-sector entities with destructive cyber operations and data leaks.
Cybersecurity researchers say Handala operates as part of a broader network of Iran-aligned cyber actors sometimes associated with operations attributed to the cluster known as Void Manticore, which focuses on psychological pressure, reputational damage, and disruptive cyberattacks.
In earlier campaigns, the group reportedly used phishing, compromised web servers, and vulnerabilities in VPN or remote-access infrastructure to gain initial entry into networks. Once inside, attackers typically move laterally using legitimate administrative tools before deploying destructive malware designed to erase data and disable systems.
The timing of the attack has raised geopolitical questions. Handala claimed the operation was retaliation for a U.S. military strike in Iran, although Stryker itself is primarily a healthcare technology provider. However, the company did sign a significant medical supply contract with the U.S. Department of Defense in 2025, which may have increased its visibility to politically motivated threat actors.
Security experts also note that attacks like this highlight the growing risk of cyber operations linked to geopolitical conflicts. Instead of traditional ransomware campaigns focused on financial gain, some state-aligned groups are increasingly carrying out destructive cyberattacks designed to disrupt operations and send political messages.
While Stryker says its medical devices remain safe and operational, the incident underscores how deeply connected enterprise IT systems have become to global supply chains and critical services. As cyber conflicts expand alongside geopolitical tensions, large multinational organizations are increasingly finding themselves caught in the crossfire.



