Stryker Confirms Destructive Wiper Attack – Tens of Thousands of Devices Wiped

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Medical technology giant Stryker Corporation confirmed on March 11, 2026, that it suffered a significant cyberattack that disrupted its global Microsoft environment, with Iran-linked threat actor Handala claiming responsibility for what appears to be a politically motivated, destructive operation.

Unlike typical financially driven intrusions, the attack on Stryker bears the hallmarks of a destructive wiper campaign. Stryker consistently confirmed across multiple customer updates that there is “no indication of ransomware or malware,” pointing investigators toward a deliberate data destruction strategy rather than extortion.

Handala claimed to have wiped thousands of servers and endpoint devices, including Windows laptops and smartphones, and simultaneously alleged exfiltration of 50 terabytes of critical corporate data.

Open-source intelligence and cybersecurity researchers at Arctic Wolf indicated that perpetrators likely exploited Microsoft Intune, Stryker’s mobile device management platform, to remotely issue mass factory reset or wipe commands to enrolled corporate endpoints globally.
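Mass wipe commands issued through a device management console, as described above, leave a burst of destructive actions by one account in the management audit trail. The following is an added example, not from the original article or from any vendor: it flags an account that wipes many distinct devices in a short window. The record fields (time, actor, action, device), the action labels, and the sample events are a constructed, simplified schema and are assumptions, not Intune's actual audit log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Action labels treated as destructive (assumed names for this example).
DESTRUCTIVE = {"wipe", "factoryReset", "retire"}

def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per actor that issues destructive actions against
    `threshold` or more distinct devices within `window`."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still in window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["action"] not in DESTRUCTIVE:
            continue  # routine actions such as sync are ignored
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ev["actor"]]
        q.append((ts, ev["device"]))
        while ts - q[0][0] > window:  # drop entries older than the window
            q.popleft()
        devices = {d for _, d in q}  # repeat commands to one device count once
        if len(devices) >= threshold and ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            alerts.append({"actor": ev["actor"],
                           "window_start": q[0][0].isoformat(),
                           "devices": len(devices)})
    return alerts

# Constructed sample: one account wipes six laptops in six minutes; a second
# account performs two destructive actions five hours apart plus routine syncs.
SAMPLE_EVENTS = (
    [{"time": f"2026-01-01T09:0{i}:00", "actor": "admin-a@example.test",
      "action": "wipe", "device": f"LT-{i:03d}"} for i in range(6)]
    + [{"time": "2026-01-01T08:00:00", "actor": "helpdesk@example.test",
        "action": "wipe", "device": "LT-900"},
       {"time": "2026-01-01T13:00:00", "actor": "helpdesk@example.test",
        "action": "retire", "device": "LT-901"}]
    + [{"time": f"2026-01-01T09:0{i}:30", "actor": "helpdesk@example.test",
        "action": "sync", "device": f"LT-{i:03d}"} for i in range(6)]
)

if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window should be tuned against the normal rate of legitimate wipes in the environment, and the alert is most useful when it can reach responders outside the affected tenant.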

Employees reported watching their devices being erased in real time, with some login pages defaced with Handala’s logo.

Stryker’s corporate offices in multiple countries were evacuated, and staff were instructed to disconnect from all company networks and refrain from powering on company-issued devices.

Handala presents itself publicly as a pro-Iran hacktivist collective, but researchers at Palo Alto Networks’ Unit 42 have assessed that it is affiliated with the Iranian Ministry of Intelligence and Security (MOIS), classifying it as a state-backed threat actor rather than an independent hacktivist group.

The group claimed the Stryker attack was a retaliatory action following a U.S. military strike on a school in Minab, Iran, which Iranian state media reported killed at least 168 children. Handala described the operation as “the start of a new era in cyber warfare.”

Stryker Cyberattack Disruptions

The attack caused significant disruption across Stryker’s order processing, manufacturing, and global shipping operations. The company, which generated $25.1 billion in revenue in 2025 and employs approximately 56,000 people across 61 countries, filed an 8-K disclosure with the U.S. Securities and Exchange Commission and confirmed it has no current timeline for full system restoration. Stryker’s stock declined over 3% in the immediate aftermath of the incident becoming public.

Critically, Stryker confirmed that all medical products across its global portfolio, including connected and life-saving devices, remain safe to use. Devices such as LIFEPAK defibrillators, Mako robotic surgical systems, SurgiCount and Triton applications, Vocera Edge, Vocera Ease, and the care.ai platform were confirmed unaffected.

Cloud-hosted platforms, including Vocera Ease on AWS and care.ai on Google Cloud Platform, operate on infrastructure architecturally independent of Stryker’s affected Microsoft corporate environment. SurgiCount specifically operates within a dedicated, isolated cloud environment with no interface to Stryker’s internal Microsoft systems.

Stryker activated its incident response plan immediately upon detection, engaging external cybersecurity advisors and coordinating with U.S. law enforcement and government agency partners.

The company is prioritizing restoration of customer-facing ordering and shipping systems first. As of the latest update, the core transactional systems are on a clear path to recovery, with system restoration progressing steadily.
