Stryker Cyberattack 2026: Iranian Hacktivists Wipe Medical Device Giant in Real Time
In March 2026, Stryker Corporation — one of the world's largest medical device companies — was hit by a cyberattack carried out by Handala, an Iran-linked hacktivist group. Unlike ransomware attacks focused on financial gain, the attack appeared designed for maximum operational disruption and public embarrassment: employees watched in real time as company computers were remotely wiped, forcing offices across the globe to shut down while security teams worked to contain the damage.
Stryker confirmed system outages and launched an investigation with third-party cybersecurity experts. The attack illustrated the growing threat of Iranian hacktivist groups targeting Western healthcare and defense-adjacent companies as geopolitical tools.
Handala announced the attack in March 2026, claiming to have compromised Stryker's systems and stolen sensitive data before deploying wiper malware. Stryker employees at offices worldwide reported watching their computers go dark in real time. Stryker confirmed the incident and began working with external cybersecurity experts to assess the damage and restore affected systems. The company's medical device manufacturing and hospital supply operations were disrupted. Stryker did not confirm the scope of any data theft. Handala, which has previously claimed attacks on Israeli defense companies and their international partners, stated the Stryker attack was in response to the company's business relationships with Israeli healthcare and defense organizations.
Handala deployed destructive wiper malware that overwrote system data on infected machines, rendering them inoperable. The initial access vector was not publicly confirmed, but Handala's previous campaigns have used phishing, VPN credential compromise, and exploitation of unpatched public-facing systems. The group claimed to have stolen sensitive company data before deploying the wiper. Stryker's status as a medical device company with government and defense hospital contracts may have made it a target of geopolitical significance to Iranian state-adjacent actors.
The Stryker incident established that wiper malware deployed by nation-state-adjacent groups represents a different threat model than ransomware: the objective is destruction, not extortion. Organizations in defense-adjacent, healthcare technology, or critical manufacturing sectors must maintain offline, immutable backups as a baseline control: not for ransomware recovery, but for wiper attack recovery. The public nature of the attack, with employees watching machines go dark, also demonstrates that physically visible indicators of a cyberattack create employee relations and operational continuity challenges distinct from those of quiet data exfiltration.
For PE sponsors with medical device, healthcare technology, or defense-adjacent portfolio companies, the Stryker incident establishes that geopolitical hacktivist targeting is a material risk that belongs in the threat model alongside financially motivated ransomware. Companies with US government or military hospital contracts should assess their exposure to Iranian and other state-linked hacktivist groups and ensure wiper-resilient backup architectures are in place.