Pro-Iran hacking group claims responsibility for cyberattack on medical technology firm Stryker

A hacker group linked to Iran says it has infiltrated the servers of U.S. medical technology giant Stryker, triggering disruptions across the company's operations worldwide. By Wednesday morning, many of Stryker's global systems had reportedly been wiped, while some login pages displayed the hacking group's logo instead.

The hacktivist group, known as Handala, claimed responsibility for the cyberattack in a message posted on an X account attributed to it. In that statement, the hackers said they targeted Stryker "in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure" of Iran and its allies. The reference was to the Minab girls' school in Tehran, which the U.S. military reportedly struck during its recent attacks on Iran, killing more than 175 people, most of them children.

Stryker, which manufactures medical devices and hospital technology, does not appear to have any direct connection to the recent attacks on Iran. However, the company operates in Israel and secured a $450 million contract last year from the U.S. Department of Defence to provide medical devices to the military.

"In this operation, over 200,000 systems, servers, and mobile devices have been wiped, and 50 terabytes of critical data have been extracted. Stryker's offices in 79 countries have been forced to shut down," the hackers wrote.

At least part of the hackers' account appears to be credible. According to The Wall Street Journal, some Stryker systems around the world have been wiped, while others are showing the group's logo on login pages.

"Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyberattack. We have no indication of ransomware or malware and believe the incident is contained," a Stryker spokesperson said. "Our teams are actively working to restore systems and operations as quickly as possible. Stryker has business continuity measures in place, and we're committed to continuing to serve our customers."

"Stryker is currently experiencing a severe, global disruption across the Windows environment impacting both client devices and servers," said a notice sent to employees, according to the WSJ. "The issue is widespread and significantly affecting users' ability to access systems and services."

Nick Andersen, acting director of the U.S. Cybersecurity and Infrastructure Security Agency, said in a statement that the agency is investigating the incident. "We are working shoulder-to-shoulder with our public and private sector partners as we continue to uncover relevant information and provide technical assistance for the targeted attack on Stryker," Andersen said.

According to IBM X-Force Exchange, Handala appeared after Hamas's October 7 attack on Israel and has since targeted Israeli civilian infrastructure, Gulf-region energy companies, and Western organisations. "Its operations focus on generating disruptive and psychological impact," IBM wrote on the exchange, which monitors threat groups. "Handala employs a broad and evolving toolkit, including phishing, custom wiper malware, ransomware-style extortion, data theft, and hack and leak activity. Its campaigns consistently feature ideological messaging, inflated or misleading breach claims, and deliberate targeting of life-critical sectors such as healthcare and energy."

Handala also operates a website that lists and publishes personal details of dozens of Israelis who allegedly work, or previously worked, for the Israeli Defence Forces, along with major domestic defence and surveillance contractors such as Elbit Systems and NSO Group.

Israeli cybersecurity company Check Point said in a recent report that, since the start of the war involving Iran, Handala has been "breaking into low-hanging systems, conducting hack-and-leak activity, and timing the publication of stolen material to maximise pressure."