Iran-Linked Hackers Claim Destructive Cyberattack on Medical Giant Stryker

An Iranian-linked hacking group has publicly claimed responsibility for a destructive cyberattack targeting Stryker Corporation, a major U.S.-based medical device and services provider. The group, known as Handala, announced its involvement through messages posted on its Telegram channel on Wednesday, linking the attack to recent U.S.-Israeli military actions against Iran.

Company Confirms System Disruptions

Stryker, headquartered in Portage, Michigan, with 56,000 employees across 61 countries, confirmed in an SEC filing that the cyber incident caused significant disruptions. The company reported limitations in accessing some of its critical systems, with the timeline for a full restoration remaining uncertain. A company spokesperson stated, "We have no indication of ransomware or malware and believe the incident is contained," but declined to comment on potential perpetrators.

Evidence of Attack Emerges

Staff and contractors took to social media to report that the logo of an Iran-linked hacking group had appeared on Stryker's internal login pages, though Reuters could not independently verify these posts. The Wall Street Journal reported that network outages began shortly after midnight on Wednesday on the East Coast, citing sources familiar with the matter.

Employees discovered that remote devices configured to connect to Stryker's technology systems—including cellphones, laptops, and other equipment running Microsoft Windows—had been wiped clean of data. This aligns with Handala's history of disruptive attacks involving data destruction, as noted by cybersecurity firm Check Point in a recent report.

Geopolitical Motivations Suspected

Handala's Telegram message explicitly cited the attack as a response to the strike on the Minab school in southern Iran, which occurred during the first day of U.S.-Israeli airstrikes. Iran's ambassador to the U.N. in Geneva, Ali Bahreini, claimed the school attack killed an estimated 150 students, though Reuters has not verified this figure.

Cynthia Kaiser, senior vice president of Halcyon's Ransomware Research Center and a former senior FBI cyber official, expressed concern: "This is exactly the type of attack we have been worried about: Iranian proxies using destructive cyber attacks like data deletion against U.S. companies to retaliate."

Expert Analysis and Government Response

Gil Messing, Chief of Staff at Check Point, described Handala as "the most notorious group affiliated with the Iranian regime," adding that the firm has tracked their activities for years and believes they operate under Iran's Ministry of Intelligence. Messing noted, "The fact they publicly take responsibility on this attack, and the fact they know they are linked to the government, show a new phase in Iran's motivations."

A White House official commented that the administration is "always proactively monitoring potential cyber threats and driving a response with our world-class critical infrastructure, regulator agencies and law enforcement entities." However, the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency did not respond to requests for comment on the incident.

Financial and Operational Impact

The cyberattack had immediate financial repercussions, with Stryker's shares closing down 3.6% on Wednesday. Operational disruptions were also evident, as calls to the company's global headquarters were answered by a recording stating that Stryker is "currently experiencing a building emergency."

This incident underscores growing fears that Iran, with its sophisticated cyber espionage capabilities, may escalate retaliatory actions against U.S. or Israeli entities following recent military tensions. The attack on Stryker highlights the vulnerabilities of critical infrastructure sectors, including healthcare, to state-sponsored cyber threats.