Iran Hit Stryker. Is Your Business Next?

March 13, 2026

Image: Map of the world with binary overlaid. Stryker and Verifone logos with red attack lines going from Iran to the logos.

On the morning of March 11, 2026, employees at Stryker Corporation arrived at work to find something no one expects to see: the login screens on their company systems had been replaced by the logo of a pro-Iranian hacking group. Laptops were wiped. Phones were dead.

Within hours, tens of thousands of workers across 79 countries had been sent home, and one of the largest medical device companies in the world, a Fortune 500 firm reporting $25 billion in annual revenue, was running on pen and paper.

This article was first published on March 13, 2026. It was updated on March 25, 2026 to include the Stryker class action filing (PDF), additional technical details, and the updated Securities and Exchange Commission (SEC) filing.

The attack on Stryker isn't just a corporate cybersecurity story. It's a preview of what economic warfare looks like when a foreign adversary decides American businesses are the battlefield.

What Happened

A threat actor group using the cyber persona "Handala" claimed responsibility, posting on social media that it had struck what it called a "Zionist-rooted corporation" in retaliation for U.S. military action against Iran. A cyber persona is a moniker usually created by the threat actor to claim responsibility for its malicious cyber activity. This criminal organization is known by many cyber personas, including Justice Homeland, Handala Hack, Karma Below, Homeland Justice, Banished Kitten, Void Manticore, Dune, Red Sandstorm, and more. Void Manticore (aka Storm-842) stands out as an Iranian threat actor known for conducting destructive attacks and leaking information through the online persona "Karma" (sometimes written as KarMa), according to Check Point Research.

The group claimed it wiped more than 200,000 servers, mobile devices, and other systems, and extracted 50 terabytes of sensitive corporate data. Stryker confirmed in a filing with the Securities and Exchange Commission (SEC) it was experiencing a global network disruption to its Microsoft environment.

The human consequences materialized quickly. Maryland's Institute for Emergency Medical Services Systems notified hospitals across the state that Stryker's LIFENET electrocardiogram transmission system, which paramedics use to send patient cardiac data to emergency rooms before arrival, was non-functional in most parts of the state.

Surgeries were delayed. Patients had procedures rescheduled due to shipping disruptions. Field service requests couldn't be processed. Even though Stryker's medical devices themselves remained safe to use, the support infrastructure that hospitals depend on every day had collapsed.

Why Stryker Was Targeted

The targeting logic follows a clear and documented pattern. In 2019, Stryker acquired OrthoSpace, an Israeli medical device company. That acquisition gave Handala the justification it needed. The group has made explicit that any company with business ties to Israel, whether through acquisitions, partnerships, shared customers or investment relationships, is a potential target. Stryker was likely targeted because of its business history.

Multiple intelligence firms including Palo Alto Networks, Check Point Research, and Microsoft assess Handala as one of several online personas maintained by Void Manticore, a destructive operations unit inside Iran's Ministry of Intelligence and Security.

It presents itself as an independent hacktivist collective. It is not. It is a state-backed operation with state-level resources and a specific political mandate, using the hacktivist framing to give Iran plausible deniability for its cyber operations.

How the Attack Worked

The technical picture is now confirmed. Investigators believe attackers first obtained Stryker employee credentials, likely purchased from dark web brokers who had harvested them via infostealer malware. Stryker credential data had been available for sale on the dark web before the attack, including at least one high-value identity with exactly the level of administrative access needed to execute what came next.

With those credentials, hackers used adversary-in-the-middle phishing to capture session tokens and log into Stryker's Microsoft environment as a trusted administrator. This technique requires no malware on the victim's device. The attack happens entirely through a proxy sitting between the user's browser and the legitimate login page.

That's why Stryker's early statement that it found no indication of malware or ransomware was technically accurate. There was nothing for endpoint detection tools to catch. The criminals looked like authorized users because they were using authorized credentials.

From there, they accessed Microsoft Intune, the platform Stryker used to manage its global device fleet. Intune is designed to let IT administrators remotely wipe lost or stolen devices, a legitimate and necessary feature for any company managing thousands of endpoints across dozens of countries.

The hacktivists issued that command to every enrolled device simultaneously. Employees who had enrolled personal phones in Stryker's bring-your-own-device program found those wiped as well. Not just corporate apps but everything. This includes photos, eSIMs and the authenticator apps they used for personal banking.

For Linux servers and legacy systems that Intune couldn't reach, researchers believe Handala deployed FuxSocy Wiper, a custom tool the group has used in prior destructive operations with both Windows and Linux variants. That accounts for the backend server damage reported at Stryker's facilities in Ireland.
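The step that did the damage, one trusted identity issuing a wipe to every enrolled device at once, leaves a signature in management audit logs even when endpoint tools see nothing. The following Python script is an added example, not code from the original article or from Stryker's environment, showing one detection a defender can run over such logs: it flags any actor whose wipe commands reach several distinct devices inside a short window while ignoring the routine one-off wipe of a lost phone. The event format and field names are constructed for the example and only loosely resemble Intune audit events, not the real API schema.

```python
"""Flag a burst of remote-wipe commands from one identity in endpoint-management
audit events. The event format is constructed and only loosely resembles Intune
audit events; field names are an assumption for this example."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). A helpdesk admin wipes one lost
# phone; a second identity then fires wipes at four devices within seconds.
SAMPLE_EVENTS = """
{"time": "2026-03-11T05:40:09Z", "actor": "helpdesk@example.com", "activity": "wipe", "device": "PHONE-0412"}
{"time": "2026-03-11T06:10:30Z", "actor": "helpdesk@example.com", "activity": "retire", "device": "PHONE-0099"}
{"time": "2026-03-11T06:30:00Z", "actor": "svc-admin@example.com", "activity": "wipe", "device": "LAPTOP-1001"}
{"time": "2026-03-11T06:30:01Z", "actor": "svc-admin@example.com", "activity": "wipe", "device": "LAPTOP-1002"}
{"time": "2026-03-11T06:30:01Z", "actor": "svc-admin@example.com", "activity": "wipe", "device": "PHONE-2210"}
{"time": "2026-03-11T06:30:04Z", "actor": "svc-admin@example.com", "activity": "wipe", "device": "LAPTOP-1003"}
{"time": "2026-03-11T07:55:12Z", "actor": "helpdesk@example.com", "activity": "wipe", "device": "PHONE-0500"}
"""


def parse_events(text):
    """Parse one JSON object per line into dicts with a datetime 'time'."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_wipe_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor: peak distinct devices} for every actor whose wipe commands
    hit `threshold` or more distinct devices inside any sliding `window`."""
    wipes = defaultdict(list)
    for ev in events:
        if ev["activity"] == "wipe":
            wipes[ev["actor"]].append(ev)
    alerts = {}
    for actor, evs in wipes.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end, ev in enumerate(evs):
            # Advance the window start until the span is at most `window` wide.
            while ev["time"] - evs[start]["time"] > window:
                start += 1
            devices = {e["device"] for e in evs[start:end + 1]}
            if len(devices) >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), len(devices))
    return alerts
```

On the constructed sample, only svc-admin@example.com is flagged (four devices in four seconds); the helpdesk admin's two wipes, hours apart, stay below the threshold.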

What Stryker Has Confirmed Since the Attack

On March 24, two weeks after the attack, Stryker released its most detailed technical disclosure yet, confirming the threat actor used a malicious file specifically designed to conceal their activity while inside the network. The company says the file couldn't spread on its own and was never directed toward customer, supplier, vendor, or partner systems.

Stryker also made public a March 20 letter from Palo Alto Networks Unit 42 confirming all known indicators of compromise have been identified and addressed, with no evidence of active, unauthorized access remaining in the environment. The firm found no indication the attack spread beyond Stryker's internal Microsoft environment. The company filed that letter with federal securities regulators the same day. It has not yet determined whether the incident will have a material financial impact, a significant open question for a firm its size.

Restoration is underway. Stryker says manufacturing capability is ramping back up, with critical lines and plants being brought back online with a focus on patient-critical needs. The company has been in direct contact with the White House National Cyber Director, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security, the Department of Health and Human Services and Health-ISAC throughout the recovery.

FBI Explains the Attack Chain

On March 24, the FBI published a formal alert describing the malware used by Iranian government-linked threat actors, including tools associated with Handala's broader operation. The alert describes a three-stage chain.

  1. Stage one involves malware masquerading as commonly used applications; KeePass, Pictory, and Telegram were specifically named. A user interacts with what appears to be a familiar tool, and stage two executes.
  2. Stage two involves a persistent implant that embeds and waits.
  3. Stage three delivers additional capabilities tailored to the target environment.

This matters for any business running standard endpoint detection tools. The initial phase of this attack produces nothing for those tools to flag. The wipe is executed through a legitimate administrative channel. By the time anything looks wrong, the damage is already done. This is a deliberate design choice by the hackers to operate entirely within normal administrative workflows.

Legal Fallout

A proposed consumer class action lawsuit was filed on March 24 alleging Stryker failed to implement reasonable cybersecurity measures to protect consumer and employee data.

The suit claims stolen information has already been posted to the dark web and that Stryker has yet to notify affected individuals. Employee lawsuits have also been filed raising concerns about personal data exposure for current and former staff.

Legal experts note the employee cases may face significant obstacles. Under Michigan law, employees are typically limited to workers' compensation claims for workplace-related issues unless there's evidence of intentional harm or fraud, which doesn't appear to apply here.

The consumer class action faces a different standard and a different trajectory. Whatever the outcomes, the litigation reflects what routinely follows a breach of this scale: years of legal exposure running alongside, and long outlasting, the operational recovery.

Federal Response

CISA launched a formal investigation into the attack the day after it occurred and on March 18 issued a formal alert urging all companies to harden their endpoint management systems, specifically calling out weaknesses in how companies secure administrative access to platforms like Microsoft Intune.

On March 20, the FBI seized four domains linked to Iran's Ministry of Intelligence and Security (MOIS). Read the FBI affidavit (PDF) supporting the seizure warrant filed on March 19, 2026 in the United States District Court for the District of Maryland. This included infrastructure tied directly to Handala, which the bureau alleged was used for psychological operations, claiming attacks, leaking stolen data and publishing calls for violence against journalists and dissidents.

On March 23, the U.S. State Department launched the Bureau of Emerging Threats, a new office created specifically to counter cyberattacks from Iran-affiliated and other state-linked groups.

The timing reflects an institutional acknowledgment that the existing response framework wasn't built for the pace or scale of what is currently active. CISA can issue guidance to every company in the country. But CISA can't implement guidance for companies.

Handala has been quiet since the Stryker attack. The FBI's domain seizures appear to have had at least a temporary chilling effect on the group's public operations. That quiet should not be mistaken for inactivity.

Researchers tracking Iranian cyber operations report more than 100 attacks have been documented globally in the weeks since the conflict began, spanning industries from health care to banking, many tied to groups operating in alignment with Iran.

Why This Isn't Someone Else's Problem

The attack vector that brought down Stryker works against any company running Microsoft 365 and Intune without the right controls in place: stolen credentials, a trusted admin tool, and no malware required. Stryker was targeted because of its business history. Your company could be targeted for the same reason, or simply because your credentials are already sitting in an infostealer log on a dark web forum and someone decides to use them.

Iran can't match the United States militarily. That asymmetry doesn't make it less dangerous. It makes Iran more deliberate about finding leverage through other means.

Cyberattacks are low-cost, high-impact and carry plausible deniability when routed through hacktivist fronts. They can reach into the American heartland without deploying a single soldier. They can disrupt supply chains, delay surgeries, and paralyze workforces without crossing the threshold that triggers a formal military response.

Cybersecurity is no longer a line item. For businesses with any connection to the defense supply chain, the health care sector or companies with international operations, it's a survival strategy and increasingly a matter of national consequence. The question is not whether foreign adversaries will continue targeting American economic infrastructure. They will. The question is whether your business is prepared when it becomes their next objective.

Learn more about how STACK Cybersecurity works with businesses across the country to assess vulnerabilities, implement layered defenses, and build compliance programs that protect both operations and contracts. Contact our team to find out where your greatest exposures are before someone else does.

Related Resources

Cybersecurity Consultation

Do you know if your company is secure against cyber threats? Do you have the right security policies, tools, and practices in place to protect your data, reputation, and productivity? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cybersecurity's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices, and provide you a detailed report and action plan to improve your security posture. Don't wait until it's too late.
