
Iran-Linked Hacker Attack on Stryker Disrupted Manufacturing and Shipping

Evidence indicates that the attackers leveraged existing endpoint management software rather than malware to wipe devices.


US-based medical technology giant Stryker admitted on Thursday that the recent Iran-linked cyberattack has caused significant disruption, as more evidence has come to light on the tactics and techniques used by the attackers. 

Stryker said in its latest media statement that the hacker attack caused global disruption to the company’s Microsoft environment, but noted that the intrusion was limited to this environment. 

“This incident has caused disruptions to order processing, manufacturing and shipping,” Stryker stated. “However, we are working diligently to restore our systems and above all, we are committed to ensuring our customers can continue to deliver seamless patient care.”

“We implemented business continuity measures to support our customers and partners to the fullest extent possible,” the company added.

It’s unclear whether the hackers directly targeted operational technology (OT) systems or whether the manufacturing disruptions stem from an IT system compromise.

According to media reports from Ireland, home to Stryker’s largest hub outside the US, support staff, administrative staff, and engineers have been sent home, and they are using WhatsApp for information on when they can resume work. 


Stryker, a manufacturer of surgical equipment, orthopedic implants, and neurotechnology for healthcare organizations worldwide, reported a revenue of $25 billion in 2025.

A threat group named Handala has taken credit for the attack, claiming to have wiped more than 200,000 devices (including phones) and forcing Stryker to shut down offices in dozens of countries. The hackers also claimed to have stolen 50TB of data from the medtech giant’s systems.

While some initial media reports said wiper malware was used in the attack, new evidence indicates that the hackers used living-off-the-land techniques to remotely wipe systems.

According to unverified reports from individuals claiming to have inside knowledge of the incident, the attackers wiped systems using Microsoft Intune, a cloud-based unified endpoint management service designed to secure and manage user devices (including Windows, macOS, iOS, Android, and Linux) and applications within an organization.
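A living-off-the-land wipe through a management console leaves no malware to detect, so the signal is in the console's audit trail instead. The following added example (not code from the article or from Microsoft) flags any administrative account that issues an unusually high number of wipe or retire commands within a short window; the event shape and the sample events are constructed for illustration and do not reproduce the real Intune audit schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (assumed simplified shape, not the real
# Intune audit log schema): one JSON record per device-management action.
SAMPLE_EVENTS = [
    '{"time": "2026-03-12T02:14:05Z", "actor": "helpdesk@example.test", "action": "wipe", "device": "WS-0001"}',
    '{"time": "2026-03-12T02:30:00Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "WS-0100"}',
    '{"time": "2026-03-12T02:30:02Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "WS-0101"}',
    '{"time": "2026-03-12T02:30:05Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "WS-0102"}',
    '{"time": "2026-03-12T02:31:10Z", "actor": "svc-intune@example.test", "action": "wipe", "device": "WS-0103"}',
    '{"time": "2026-03-12T02:32:00Z", "actor": "svc-intune@example.test", "action": "sync", "device": "WS-0104"}',
]

DESTRUCTIVE_ACTIONS = {"wipe", "retire"}


def parse_events(lines):
    """Parse JSON audit lines into dicts with a datetime 'time' field."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def mass_wipe_alerts(events, window=timedelta(minutes=10), threshold=3):
    """Return [(actor, max_count)] for actors whose destructive commands
    reach `threshold` within any sliding `window` of time."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[e["actor"]].append(e["time"])
    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            # Advance the window start until all events fit inside `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((actor, best))
    return alerts


def run_demo():
    return mass_wipe_alerts(parse_events(SAMPLE_EVENTS))
```

The single helpdesk wipe stays below the threshold while the burst of four from one account is reported; in production the threshold should be tuned to the organisation's normal device-retirement rate.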

Investigative cybersecurity blogger Brian Krebs also learned from sources that Intune has been abused by Handala to cause disruption.

Indeed, Stryker stated that no malware or ransomware was detected during its investigation.

Handala hacker group

Since the US-Israel-Iran conflict erupted in late February, the Handala group has sharply ramped up its claimed activity, focusing on targets perceived as aligned with Israel and its allies.

Handala portrays itself as a pro-Palestinian hacktivist outfit motivated by anti-Israeli ideology. Cybersecurity researchers, however, widely regard it as a cover for Void Manticore, an Iranian state-sponsored actor believed to operate under the direction of Iran’s Ministry of Intelligence and Security (MOIS).

The group is best known for phishing, stealing sensitive data, extortion threats, and launching destructive attacks, frequently deploying custom wiper malware to erase files and systems.

In the wake of the conflict’s start, Handala has allegedly launched many attacks against Israel, including wiping military weather servers, hijacking security camera feeds, exfiltrating and deleting corporate data, publicly exposing details of intelligence personnel, and compromising an oil and gas exploration firm.

The collective regularly shares purported evidence of its actions via Telegram and X, though many claims lack independent confirmation and are often difficult to fully verify.


Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
