Stryker Global Network Disruption Claimed by Iran-Linked Handala Hacktivists
U.S. medical device manufacturer Stryker reported a severe, global disruption to its Microsoft/Windows environment following a cyberattack that left employees unable to access corporate systems. Staff reported corporate laptops and phones being wiped, widespread outages of work applications and email, and some login pages displaying the Handala logo; the company also routed calls to an automated message citing a “building emergency.” Stryker said it is experiencing a “global network disruption,” believes the incident is contained, and stated it has no indication of ransomware while working to restore operations using business continuity measures.
A pro-Iran hacktivist group calling itself Handala publicly claimed responsibility, framing the attack as retaliation tied to the U.S.-Iran conflict and citing a reported U.S. strike on a girls’ school in Tehran. The group alleged it wiped large numbers of systems and exfiltrated significant data, and reporting indicated at least partial corroboration of system wiping and defacement across Stryker’s global environment. The incident appears to have caused broad operational impact across Stryker’s international footprint, with claims and employee reports indicating both destructive activity (device/server wiping) and potential data theft, though Stryker’s public statement did not confirm exfiltration.
Related Stories

Handala Hack Destructive Intrusions Linked to Iran's MOIS
**Handala Hack**, a persona within the **Void Manticore** intrusion set also tracked as **Red Sandstorm** and **Banished Kitten**, has been conducting destructive cyberattacks against organizations in **Israel, Albania, and the United States**. The activity is attributed to Iran’s **Ministry of Intelligence and Security (MOIS)** and is characterized by operations designed to **destroy data rather than collect intelligence**. Check Point’s reporting says the group has operated through multiple personas, including **Handala Hack**, **Karma**, and **Homeland Justice**, with the latter previously used against Albanian government and telecom targets and Handala now appearing in more recent campaigns, including an intrusion affecting medical technology firm **Stryker**. The intrusions typically begin with **compromised VPN credentials**, after which the attackers use **RDP** for remote access, **NetBird** for peer-to-peer tunneling inside victim environments, and **multiple parallel wiping tools** to maximize damage and hinder recovery. Researchers also observed an **AI-assisted PowerShell script** in the wiping toolkit and noted weaker operational security than in earlier activity, including connections traced directly to **Iranian IP addresses** instead of commercial VPN infrastructure. A separate podcast reference aligns with the same incident by describing the attack on **Stryker** as a network disruption that wiped more than **200,000 resources**, reinforcing the destructive nature and scale of the campaign.
Today
Iran-Linked Handala Hack Wiper Campaign Against Israeli and U.S. Organizations
**Handala Hack**, an online persona tied to **Void Manticore** and assessed by multiple researchers as linked to Iran’s **Ministry of Intelligence and Security (MOIS)**, is being tracked for destructive intrusions involving **wiper attacks** and related hack-and-leak activity against organizations in **Israel** and the **United States**. Public reporting cited by Unit 42 says attackers gained access to corporate networks using legitimate user credentials, while recent tradecraft includes phishing, identity compromise, and abuse of administrative access through **Microsoft Intune**. Israel’s National Cyber Directorate warned that several incidents involved deletion of servers and workstations to disrupt operations, reinforcing concern that the current regional conflict is increasing the likelihood of further destructive cyber activity. Technical reporting indicates the actor continues to favor **hands-on-keyboard** operations, multiple wiping methods, and a mix of custom and publicly available tooling. Check Point said newly observed techniques include use of **NetBird** for tunneling and an **AI-assisted PowerShell** script for wiping, while Blackpoint’s advisory highlighted a broader Iranian threat posture featuring credential theft, phishing, password spraying, remote management tools, and exfiltration utilities such as **Rclone**. The combined reporting points to a near-term risk of disruptive attacks focused on identity compromise, lateral movement, data theft, and system destruction, particularly for organizations with exposed services, weak privilege controls, or insufficiently protected administrative accounts.
4 days ago
Cyber Operations Escalate Following US-Israeli Strikes on Iran
Military strikes by the United States and Israel against Iranian targets on **February 28, 2026** were followed within hours by a sharp escalation in cyber activity across the Middle East. Reporting describes widespread **DDoS attacks, website compromises, defacements, and breach claims**, with more than 150 hacktivist incidents reportedly claimed in the first two days of the crisis. Iranian connectivity was heavily disrupted, including outages affecting **IRNA**, while **Tasnim News** was reportedly compromised and displayed anti-regime messaging. The most affected sectors were identified as **government, aerospace and defense, and technology**, and regional states including **Israel, Kuwait, Jordan, Bahrain, Qatar, and the UAE** saw elevated cyber pressure. The surge also expanded beyond immediate regional targets, with security reporting warning that the conflict was driving attacks against global commercial sectors such as **travel, hospitality, and energy**. One cited example was a **March 11** claim by **Handala**, a hacktivist group alleged to have ties to Iranian intelligence, that it had conducted a large-scale **data-wiping attack** against medical technology company **Stryker**, allegedly destroying several terabytes of data. Additional reporting noted unconfirmed concerns that Iranian-linked actors could target the physical and digital infrastructure of major U.S. technology firms. The activity reflects a broader pattern of **geopolitically motivated cyber operations** acting as a force multiplier alongside kinetic conflict.
2 days ago