Iranian Hacktivist Group Handala Claims Responsibility for March 11 Cyberattack on Stryker
On March 23, 2026, medical technology manufacturer Stryker informed its investors that a cyber incident, which occurred on March 11, has been successfully contained. This attack was claimed by the Iranian hacktivist group Handala, which is widely believed to operate as a front for Iranian intelligence. The company is reported to be "working around the clock" to restore its IT systems critical for supporting customers, managing orders, and facilitating shipping.
Handala made bold claims regarding the extent of the damage inflicted during the cyberattack. The group asserted that it permanently erased over 12 petabytes of Stryker’s data and illegally acquired 50 terabytes of information. While Stryker has not publicly addressed these claims, it has stressed its belief that the attack did not involve malware or ransomware.
According to a regulatory filing submitted to investors, Stryker disclosed that a thorough investigation conducted by Palo Alto Networks’ Unit 42 revealed that the hackers utilized a malicious file to execute commands that concealed their activities within Stryker’s systems. Importantly, the investigation found that this malicious file lacked the capability to propagate, either within or outside the company’s networks. As of the most recent updates, Stryker has indicated no evidence of malicious activities targeting its customers, suppliers, or partners.
Additionally, Stryker provided a letter from Palo Alto Networks which stated that the cyber incident affected the company’s “Entra ID environment, servers, and workstations.” The implications of this breach are significant, especially considering Stryker’s pivotal role in the healthcare technology sector.
In a rapid response to the incident, the U.S. Department of Justice reported the seizure of web domains associated with Iranian intelligence just days after Handala released documents and screenshots purportedly taken from Stryker’s IT systems. This action highlights the increasing reach of U.S. law enforcement in combating cyber threats.
Unit 42’s forensic analysis reassured stakeholders that no active, uncontained unauthorized access was detected within Stryker’s infrastructure during their investigation. The cybersecurity firm noted that all known indicators of compromise related to the incident have been successfully identified and mitigated. Stryker has enlisted Microsoft’s assistance in recovery efforts for its identity infrastructure, reporting that existing accounts have been safeguarded.
In an effort to further protect against future breaches, Stryker is in the process of rebuilding affected systems and restoring them from backups predating the identified timeframe of compromise. To mitigate the risks of another breach, systems that remain unrebuilt have been isolated from the broader network.
Stryker, a leading global manufacturer of medical devices, has generated significant revenue, with sales reaching $25.1 billion in 2025. The company is celebrated for a wide range of medical equipment, including robotic surgery systems and hospital beds. Amid the ongoing recovery from the cyber incident, Stryker has stated that it is closely collaborating with its global manufacturing sites to stabilize operations. Some experts have raised concerns about potential product shortages and delays for healthcare organizations if the IT outage persists.
The cyberattack by Handala is alarming, particularly against the backdrop of escalating tensions in the Middle East following the commencement of a protracted bombing campaign against Iran by the United States and Israel on February 28. Since then, Handala has been notably active, not only claiming responsibility for the attack on Stryker but also releasing sensitive information. The group announced the release of what it alleges to be 100,000 emails from a former Israeli intelligence agent, documents from subscribers of an Iranian Telegram channel, and supposedly confidential data from Sanzer Hasidic Jews.
In response to this rising tide of cyber threats, the U.S. Cybersecurity and Infrastructure Security Agency, alongside the FBI, has issued an alert encouraging U.S.-based organizations to strengthen their endpoint management system configurations. The implications of this incident extend beyond Stryker, indicating a broader trend of nation-state and politically motivated cyberattacks that pose significant risks to critical infrastructure and national security.
As companies like Stryker navigate this evolving threat landscape, they must prioritize cybersecurity and resilience to safeguard both their operational integrity and the vital healthcare services they provide. The current situation serves as a stark reminder of the cyber realm’s interconnectedness and the potential fallout that can arise from geopolitical conflicts.

