Cyber Magazine
Hacking & Malware
Stryker Cyber Attack: Iranian Threat Actor Claims Revenge
By Rithula Nisha
March 12, 2026
Stryker suffers major disruption after cyber incident that saw thousands of corporate devices wiped and company login defaced
Iranian threat group Handala Hack has claimed a cyber attack on US medical technology giant Stryker as retaliation for a missile strike on an Iranian school
On Day 12 of the US-Israeli war on Iran, the looming threat of an Iranian cyber attack materialised and claimed its first major victim – Stryker.
The global medical technology supplier, headquartered in Michigan, US, was subject to a severe cyber attack which left thousands of employees locked out of critical systems.
“Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyber attack,” the company said in a statement.
What happened?
Past midnight on Wednesday, outages struck Stryker, as its devices were wiped clean and the company login page was reportedly defaced with the logo of Tehran-linked cyber persona Handala.
Early investigations into the cyber attack point to the attackers gaining access to the company’s Microsoft Intune management console.
Intune, which is used to manage devices in a corporate setting, includes a feature for remotely wiping devices, intended for cases where a device is lost or stolen.
This feature appears to be what the nation-state actors used to perform such a large-scale wipe and reset. This action requires access to administrator-level portals and control panels, which signals high-level credential compromise.
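A defender can watch for the pattern described above: one administrator identity issuing wipe actions against many distinct devices in a short period. The burst detector below is an added illustration, not code from Stryker, Microsoft or Optiv; the record fields (`time`, `actor`, `action`, `device`), the `"wipe"` label and the thresholds are assumptions and do not reflect Intune's actual audit schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def find_wipe_bursts(events, max_devices=5, window=timedelta(minutes=10)):
    """Return one alert per actor that wipes more than `max_devices`
    distinct devices inside any sliding `window`.

    `events`: dicts with hypothetical keys time (ISO 8601), actor,
    action, device. Timestamps must share one timezone convention.
    """
    recent = defaultdict(deque)  # actor -> (time, device) pairs still in window
    alerts = {}
    wipes = [e for e in events if e["action"] == "wipe"]
    for e in sorted(wipes, key=lambda e: datetime.fromisoformat(e["time"])):
        ts = datetime.fromisoformat(e["time"])
        q = recent[e["actor"]]
        q.append((ts, e["device"]))
        # Drop wipes that have aged out of the window (never empties q:
        # the entry just appended has an age of zero).
        while ts - q[0][0] > window:
            q.popleft()
        devices = {d for _, d in q}  # repeat wipes of one device count once
        if len(devices) > max_devices:
            a = alerts.setdefault(
                e["actor"],
                {"actor": e["actor"], "first_seen": q[0][0], "peak": 0},
            )
            a["peak"] = max(a["peak"], len(devices))
    return list(alerts.values())


def sample_events():
    """Constructed audit records for the example, not real data."""
    base = datetime(2026, 1, 1, 0, 5)
    ev = [  # routine lost-device wipes, hours apart
        {"time": "2026-01-01T09:00:00", "actor": "helpdesk@example.com",
         "action": "wipe", "device": "LAPTOP-001"},
        {"time": "2026-01-01T15:30:00", "actor": "helpdesk@example.com",
         "action": "wipe", "device": "PHONE-017"},
        {"time": "2026-01-01T00:01:00", "actor": "admin2@example.com",
         "action": "sync", "device": "LAPTOP-100"},
    ]
    ev += [  # eight wipes in under four minutes from one identity
        {"time": (base + timedelta(seconds=30 * i)).isoformat(),
         "actor": "admin2@example.com", "action": "wipe",
         "device": f"LAPTOP-{100 + i}"}
        for i in range(8)
    ]
    return ev
```

The threshold and window are placeholders to be set against an organisation's normal helpdesk wipe volume.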
Who was behind the attack?
On March 11, 2026, Handala Hack put out a lengthy statement on Telegram taking responsibility for the attack, which they say was retaliation for the missile strike on an Iranian school that occurred on February 28, 2026.
The advanced persistent threat (APT), linked to the Islamic Revolutionary Guard Corps, also goes by the aliases Void Manticore and Storm-842.
The group claimed to have erased data from more than 200,000 Stryker systems, servers and mobile devices across 79 countries and says it plans to publicly distribute the information, sticking to its hack-and-leak modus operandi.
Void Manticore claims to have 50 terabytes of Stryker’s data “now in the hands of the free people of the world”.
“This incident underscores a growing reality in cyber conflict: nation-state actors are increasingly willing to use destructive cyber operations to achieve geopolitical objectives,” says Aamil Karimi, principal consultant in Optiv’s Global Threat Intelligence Center (gTIC).
“The abuse of legitimate enterprise management tools to wipe more than 200,000 systems demonstrates both the sophistication of the threat and the potential for devastating operational disruption when privileged access is compromised.”
Threat actor background from gTIC
Cybersecurity firm Optiv’s Global Threat Intelligence Center (gTIC) says that Handala Hack is a pro-Palestinian, pro-Iran-aligned hacktivist group that has been active since at least 2023.
The group, known for politically motivated cyber operations, has deployed Hatef wiper malware and Radthief stealer malware in its previous attacks.
“Handala has publicised wiper malware delivered through multi-stage tooling to wipe Windows and Linux systems,” the company says.
Like most threat groups, Handala gains initial access through social engineering and phishing, before leaking stolen information through its dedicated leak site.
Iranian state-sponsored cyber threat actors
Research from gTIC suggests overlap between the threat activities of Handala (Void Manticore) and Scarred Manticore, another APT linked to the IRGC.
Wiper malware, and the destruction that comes with it, is a notable modus operandi of other Iranian threat actor groups such as APT33 (aka Elfin) and Agrius, which have mounted cyber attacks against industries, utilities and government entities.
Skip Sorrels, Field CTO-CISO at Claroty, says that he unfortunately doesn’t find attacks like that on Stryker surprising.
“Even before the latest geopolitical tensions, hacktivist activity targeting healthcare and other critical infrastructure had been steadily increasing and that trend makes organisations like medical device manufacturers and hospitals more likely to be caught in the crossfire,” Skip notes.
“In many cases, attackers simply find the path of least resistance – an exposed system, an unsecured management console or credentials that allow them to move deeper into the environment and once they gain administrative access, they effectively hold the keys to the kingdom and can disrupt everything from mobile devices to operational systems.
“As a former ICU nurse, I’ve seen firsthand how even small technology outages ripple through care delivery, which is why cybersecurity in healthcare must be treated as part of patient safety, with organisations prioritising visibility into their cyber-physical systems and closing those ‘open doors’ before attackers find them.”
Stryker has noted that they have no indication that any ransomware or malware was involved, saying that it believes that “the incident is contained”.