A hacktivist group with alleged ties to Iran’s intelligence agencies has claimed responsibility for a destructive wiper attack against Stryker, a global medical technology company headquartered in Michigan. The attack has disrupted operations worldwide, including the forced shutdown of Stryker’s largest hub outside the U.S.—in Ireland—where more than 5,000 employees were sent home.
A voicemail message at Stryker’s main U.S. headquarters in Kalamazoo, Michigan, confirmed a building emergency is underway. Stryker [NYSE:SYK], a leading manufacturer of medical and surgical equipment, reported $25 billion in global sales in 2023.
The hacktivist group Handala (also known as Handala Hack Team), which has been linked to Iran’s Ministry of Intelligence and Security (MOIS), posted a lengthy statement on Telegram detailing the attack. According to Handala, offices in 79 countries were forced to shut down after the group erased data from more than 200,000 systems, servers, and mobile devices.
"All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption."
The group justified the attack as retaliation for a February 28 missile strike on an Iranian school that killed at least 175 people, most of them children. The New York Times reported today that a U.S. military investigation has determined America was responsible for the strike, which involved Tomahawk missiles.
Handala was among several hacker groups recently profiled by Palo Alto Networks, which links the group to Iran’s MOIS. Palo Alto assesses Handala as one of multiple online personas operated by Void Manticore, a MOIS-affiliated actor that emerged in late 2023.
Stryker employs 56,000 people across 61 countries. A call to the company’s Michigan media line Wednesday morning routed to a voicemail stating: "We are currently experiencing a building emergency. Please try your call again later."
According to a report from the Irish Examiner, Stryker staff in Ireland are now relying on WhatsApp for updates. An unnamed employee told the outlet that any device connected to the network has been affected, adding that "anyone with Microsoft Outlook on their personal phones had their devices wiped."
Multiple sources cited by the Examiner confirmed that systems at Stryker’s Cork headquarters have been shut down and that company-issued devices have been wiped. The login pages on these devices were defaced with the Handala logo.
Wiper attacks typically involve malware designed to overwrite existing data on infected systems. However, a trusted source with knowledge of the incident, who spoke to KrebsOnSecurity on condition of anonymity, said the attackers in this case appear to have exploited Microsoft Intune, a cloud-based device management service, to issue a remote wipe command across all connected devices.