NEED TO KNOW

  • Iran-linked group Handala claims wiping 200,000+ Stryker systems across 79 countries on Wednesday
  • Maryland EMS agencies reported Stryker's cardiac transmission system non-functional, forcing radio-only hospital communication
  • Stryker's $25 billion global operation supplies surgical equipment to most U.S. hospitals, raising supply chain alarms

PORTAGE, MI (TDR) — A pro-Iranian hacking group known as Handala claimed responsibility Wednesday for a sweeping cyberattack on Stryker, one of the world's largest medical device manufacturers, wiping data from more than 200,000 systems across 79 countries and triggering what the Michigan-based company acknowledged as a "global network disruption." Federal health agencies scrambled to assess patient care impacts as hospitals across the country began disconnecting Stryker equipment from their systems.

The Handala attack represents a significant escalation in the U.S.-Iran conflict that began last month, marking one of the first major Iranian cyber operations against American civilian infrastructure since hostilities commenced. The group framed the assault as direct retaliation for a U.S. missile strike on the Shajareh Tayyebeh girls' elementary school in the southern Iranian city of Minab, which killed approximately 175 people, most of them children. The Pentagon has confirmed it is investigating that incident.

Handala Claims Mass Data Wipe Across Stryker's Global Network

Stryker, headquartered in Portage, Michigan, confirmed Wednesday that it was "experiencing a global network disruption to our Microsoft environment as a result of a cyberattack," adding it had found no evidence of ransomware or malware and believed the incident was contained. Employees across multiple countries reported that devices running Microsoft Windows, including laptops and work phones connected to Stryker systems, had been wiped clean. The company's headquarters fielded calls with a recorded message citing a "building emergency," and more than 5,000 workers at Stryker's largest non-U.S. hub in Ireland were sent home.

Handala, posting on Telegram and social media, claimed it had extracted 50 terabytes of data and wiped systems across the company's offices in 79 countries.

"In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted. Stryker's offices in 79 countries have been forced to shut down." — Handala statement

Employees reported seeing Handala's logo appear on company login pages when they attempted to access Stryker systems Wednesday morning. The group described the operation as "the beginning of a new chapter in cyber warfare."

Stryker has not confirmed the scope of Handala's claims. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) did not respond to multiple media requests for comment. The FBI also had not confirmed details of the breach.

Patient Care Disruptions Surface Across U.S. Healthcare System

The real-world consequences moved quickly beyond Stryker's internal operations. Maryland's Institute for Emergency Medical Services Systems notified hospitals statewide Wednesday that Stryker's Lifenet electrocardiogram transmission system, used by emergency responders to relay patient cardiac data ahead of hospital arrival, was "non-functional in most parts of the state."

"Until the transmission capability has been restored, EMS clinicians should initiate radio consultation with the receiving hospital." — Maryland Institute for Emergency Medical Services Systems notice

The notice, obtained by CNN, underscored how deeply embedded Stryker's products are in everyday emergency care. Stryker reports that its equipment and services reach more than 150 million patients annually across 61 countries. Its product line spans artificial joints, surgical instruments, hospital beds, robotic surgery platforms and the defibrillators and cardiac monitoring systems now going dark in emergency vehicles.

A healthcare professional at a major university medical system, speaking anonymously because they were not authorized to comment publicly, told KrebsOnSecurity that surgical supply ordering had been disrupted.

"This is a real-world supply chain attack. Pretty much every hospital in the U.S. that performs surgeries uses their supplies." — Anonymous healthcare professional, quoted by KrebsOnSecurity

John Riggi, national advisor for the American Hospital Association, told reporters Wednesday that the AHA was actively exchanging information with hospitals and the federal government to assess any broader impact on hospital operations. He noted no confirmed supply disruptions had been reported through official channels as of Wednesday evening.

Handala's Iran Ties and Expanding Target List

Handala is not a new actor. According to Palo Alto Networks, the group has documented links to Iran's Ministry of Intelligence and Security (MOIS) and operates as one of several online personas maintained by Void Manticore, a MOIS-affiliated threat actor. The group surfaced in late 2023 following Hamas' October 7 attack on Israel and has since conducted operations against Israeli civilian infrastructure and energy companies throughout the Gulf region, before expanding operations to target Western organizations.

IBM's X-Force Exchange describes the group's operations as designed to generate "disruptive and psychological impact" rather than financial gain, a profile consistent with Wednesday's wiper attack, which destroys data rather than encrypting it for ransom.

The same day as the Stryker attack, Handala also claimed a simultaneous breach of Verifone, the payment technology company that services 75% of top U.S. retailers. Verifone denied any disruption to its services.

Stryker has operations in Israel and secured a $450 million Department of Defense contract last year to supply medical devices to the U.S. military, a fact Handala cited in its targeting rationale, calling the company a "Zionist-rooted corporation."

Federal Response and Security Community Reaction

FBI Director Kash Patel had posted a statement on social media just one day before the attack, warning that the bureau was working around the clock on cyber threats.

"The FBI is working 24/7 to stay ahead of the threat and implement a sweeping Cyber strategy pursuant to President Trump's 'Cyber Strategy for America.' The goal is clear: impose real cost on those who target Americans in cyberspace by dismantling their networks, pursuing the hackers and spies behind them, and degrading their capacity to operate." — FBI Director Kash Patel

The Department of Health and Human Services began coordinating Wednesday with the Healthcare and Public Health Sector Coordinating Council to assess potential patient care impacts, though sources on a Wednesday evening call told CNN the gathering yielded little new information about the scope of the attack.

Joshua Corman, a cybersecurity expert who has spent years focused on healthcare sector vulnerabilities, offered a blunter assessment.

"Too much of cybersecurity is focused on lower consequence breaches from financially motivated enemies, while we're increasing our exposures to nation states and other enemies who seek to disrupt and destroy. China, Iran, Russia — all have the means, motive, and opportunity to deal us devastating disruptions." — Joshua Corman, cybersecurity expert

Rep. Bill Huizenga (R-MI), whose district includes Stryker's headquarters, connected the attack directly to the broader conflict.

"Early reports are connecting this attack to a group linked to Iran. If true, this continues to demonstrate the threat the Iranian regime poses to America, our allies, and our interests." — Rep. Bill Huizenga (R-MI)

Email security firm Proofpoint noted Wednesday that Iranian hacking groups had been largely dormant against U.S. organizations since the war began last month, making the Stryker strike a potential turning point in how Iran chooses to respond on the cyber front.

What Comes Next

Cybersecurity experts Wednesday urged hospitals to evaluate known vulnerabilities, confirm software is current and maintain backup strategies in the event of system wipes. The Stryker attack, experts said, should be read as a signal, not an isolated incident.

Whether Stryker's systems can be recovered without data loss remains unclear, as does whether the 50 terabytes of extracted data Handala claims to possess will be publicly released. Stryker has not addressed the data extraction claims directly.

When a nation-state conflict migrates into hospital supply chains and cardiac monitoring systems, how should policymakers weigh offensive cyber operations against the civilian healthcare infrastructure that may be targeted in response — and who bears accountability when patients are caught in the crossfire?

Sources

This report was compiled using information from CNN's reporting on the cyberattack and patient care disruptions, KrebsOnSecurity's investigation of Handala's wiper attack claims, TechCrunch's reporting on the Handala claim and Stryker's DoD contract, reporting by The Hill, NewsNation, Al Jazeera, Fox Business, and the Detroit News, and threat intelligence from Palo Alto Networks Unit 42 and the IBM X-Force Exchange.
