Pro-Iran Hackers Remotely Wiped Thousands of Stryker Employee Devices
Medical device giant says operations remain disrupted after attackers exploited device management tools in apparent retaliation for U.S. military action in Iran
Medical technology giant Stryker is scrambling to restore tens of thousands of employee devices after a pro-Iranian hacking group breached the company's internal systems and remotely wiped laptops and phones in what is being described as the first major retaliatory cyberattack on a U.S. company linked to the Trump administration's military operations in Iran.
The attack, which occurred on March 11, targeted Stryker's Microsoft environment and specifically its Intune device management dashboards — tools designed to allow IT administrators to remotely manage, update, and if necessary erase employee devices. According to reports from Bleeping Computer and The Wall Street Journal, the hackers may have gained access through a compromised internal administrator account, giving them near-unlimited control over the company's Windows network. Rather than deploying ransomware, the attackers used Stryker's own infrastructure against it, wiping devices including personal phones enrolled in the company's management system.
A pro-Iran group calling itself Handala claimed responsibility for the breach, stating it was carried out in response to a U.S. air strike on an Iranian school that killed at least 175 people, predominantly children. The group also defaced Stryker's internal login pages with its logo. Security researchers at Palo Alto Networks have suggested phishing was the likely initial attack vector, while IBM noted that Handala has a history of destructive attacks against healthcare and energy targets. The possible role of infostealer malware — designed to harvest credentials — has not been ruled out.
Stryker, which employs 56,000 people across more than 60 countries, said in a weekend update that its internet-connected medical products remain safe to use. However, the company acknowledged that its ability to process orders, manufacture devices, and fulfill shipments continues to be disrupted nearly a week after the incident. The company has not confirmed whether the compromised administrator account was protected by multi-factor authentication, and a spokesperson did not respond to requests for comment.
The incident underscores the growing vulnerability of large enterprises to attacks that exploit legitimate management tools rather than traditional malware. By turning Stryker's own device management platform into a weapon, the hackers achieved widespread disruption without tripping conventional security defenses — a tactic that cybersecurity experts warn could become increasingly common as geopolitical tensions spill into the digital domain.
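A defender's view of the tactic described above, as an added example that is not part of the original report and not code from Stryker or Microsoft: a burst detector that flags any single account issuing wipe or retire actions against many distinct devices in a short window. The record fields (`time`, `actor`, `action`, `device_id`), the action names and the thresholds are assumptions for illustration, not Intune's actual audit schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed action names; map them to whatever your MDM audit export uses.
DESTRUCTIVE_ACTIONS = {"wipe", "retire"}

def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: (first_alert_time, peak_distinct_devices)} for accounts
    whose destructive actions reach `threshold` distinct devices in `window`."""
    parsed = sorted(
        (datetime.fromisoformat(e["time"]), e["actor"], e["device_id"])
        for e in events
        if e["action"].lower() in DESTRUCTIVE_ACTIONS
    )
    recent = defaultdict(deque)  # actor -> (time, device) pairs still in window
    alerts = {}
    for ts, actor, device in parsed:
        q = recent[actor]
        q.append((ts, device))
        while ts - q[0][0] > window:
            q.popleft()
        # Count devices, not events, so a retried wipe is not double counted.
        distinct = len({dev for _, dev in q})
        if distinct >= threshold:
            first, peak = alerts.get(actor, (ts, 0))
            alerts[actor] = (first, max(peak, distinct))
    return alerts

def make_event(time, actor, action, device_id):
    return {"time": time, "actor": actor, "action": action, "device_id": device_id}

# Constructed sample records (not real audit data).
SAMPLE_EVENTS = (
    [
        make_event("2026-01-01T09:00:00", "helpdesk@example.test", "wipe", "dev-001"),
        make_event("2026-01-01T10:05:00", "helpdesk@example.test", "wipe", "dev-002"),
        make_event("2026-01-01T11:00:00", "admin@example.test", "sync", "dev-010"),
    ]
    + [make_event(f"2026-01-01T11:0{i}:00", "admin@example.test", "wipe", f"dev-01{i}")
       for i in range(1, 7)]
    + [make_event("2026-01-01T11:06:30", "admin@example.test", "wipe", "dev-016")]
)

if __name__ == "__main__":
    for actor, (when, count) in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {count} devices wiped within window, first at {when}")
```

In the constructed data the helpdesk account's two wipes an hour apart stay below the threshold, while the admin account's six devices in six minutes trigger an alert at the fifth device.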
Originally reported by TechCrunch.