

A pro-Iran hacking group has claimed responsibility for a major cyberattack on Stryker Corporation, one of the world's largest medical device manufacturers, in what security researchers are calling a significant escalation in Iran-linked cyber operations against US companies.
The Michigan-based company confirmed it experienced a global network disruption to its Microsoft environment on March 11, 2026. Stryker said it found no evidence of ransomware or malware but acknowledged that order processing, manufacturing, and shipping operations were disrupted. The company has since activated business continuity measures while restoring affected systems.
A hacking group called Handala, believed to operate under Iran's Ministry of Intelligence and Security, claimed credit for the attack. The group says the hack was retaliation for a US airstrike on a school in Minab, Iran. Handala claimed it wiped more than 200,000 devices and stole 50 terabytes of data from Stryker's servers.
Security researchers say the attackers did not use malware. Instead, they exploited Microsoft Intune, a cloud-based device management platform widely used by enterprises to remotely manage employee laptops and mobile phones. By compromising a high-privilege Intune administrator account, the attackers gained access to a centralised dashboard controlling every enrolled device across Stryker's global network. They then triggered a mass remote wipe command, factory-resetting thousands of corporate and personal employee devices simultaneously.
The breach had immediate consequences beyond internal operations. In Maryland, emergency services agencies reported that Stryker's Lifenet electrocardiogram transmission system, used by paramedics to relay patient data to hospitals, was non-functional across much of the state. Federal agencies including the Department of Health and Human Services began investigating the potential impact on patient care.
Analysts at SecurityWeek found that administrator credentials used in the attack were likely harvested through infostealer malware logs, some dating back months or years, suggesting the breach could have been prevented through routine credential resets.
Microsoft has not commented on the incident. Stryker said in a March 15 update that system restoration is progressing, with priority given to customer-facing ordering and shipping operations.
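For defenders, the mass remote wipe described above is visible as a burst of wipe actions issued by a single administrator account in a short time. The following sketch is an added example, not code from Stryker, Microsoft or the researchers cited; the log layout, account names, device IDs and thresholds are constructed assumptions and do not reflect the real Intune audit schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a hypothetical layout:
# ISO timestamp, admin account, action, target device.
SAMPLE_LOG = """\
2026-01-05T02:00:05 helpdesk1@example.com wipe DEV-0001
2026-01-05T02:14:40 helpdesk1@example.com sync DEV-0002
2026-01-05T03:00:00 admin9@example.com wipe DEV-0100
2026-01-05T03:00:02 admin9@example.com wipe DEV-0101
2026-01-05T03:00:03 admin9@example.com wipe DEV-0102
2026-01-05T03:00:05 admin9@example.com wipe DEV-0103
2026-01-05T03:00:06 admin9@example.com wipe DEV-0104
2026-01-05T04:30:00 helpdesk1@example.com wipe DEV-0003
"""

def parse(line):
    """Split one record into (timestamp, actor, action, device)."""
    ts, actor, action, device = line.split()
    return datetime.fromisoformat(ts), actor, action, device

def find_wipe_bursts(log_text, max_wipes=3, window=timedelta(minutes=10)):
    """Map each actor to the first time it wiped more than max_wipes
    distinct devices inside a sliding window (thresholds are assumptions)."""
    recent = defaultdict(deque)   # actor -> (timestamp, device) still in window
    alerts = {}
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, actor, action, device in events:
        if action != "wipe":
            continue
        q = recent[actor]
        q.append((ts, device))
        # Drop wipes that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        # Count distinct devices so a retried wipe is not counted twice.
        if len({d for _, d in q}) > max_wipes and actor not in alerts:
            alerts[actor] = ts
    return alerts

if __name__ == "__main__":
    for actor, ts in find_wipe_bursts(SAMPLE_LOG).items():
        print(f"ALERT {actor}: wipe burst at {ts.isoformat()}")
```

An alert of this kind is only useful if it fires before the queue of wipe commands completes, so it belongs alongside a preventive control such as requiring a second approver for bulk destructive actions.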