As reported by NBC News, an Iran-linked hacker group has claimed responsibility for a cyberattack on medical tech giant Stryker, marking what appears to be the first significant instance of Iran hacking an American company since the recent war began. This incident, which caused considerable disruption for employees, seems to be a different kind of attack than what we’ve seen recently.
Stryker, a company based in Michigan, is a big player in the medical world, producing a wide range of equipment and technology. While the company stated that its own systems weren’t directly compromised, the impact on employees was immediate and severe. One employee, who wished to remain anonymous because they aren’t authorized to speak publicly, reported that their work-issued phones simply stopped working. This brought work and communications with colleagues to a complete standstill.
The group behind this, Handala Team, has publicly taken credit for the Stryker hack across their Telegram and X accounts. Cybersecurity companies have connected Handala Team to Iran’s Intelligence Ministry, suggesting a pretty serious link. This group is known for regularly boasting about their exploits on social media, though their previous accounts have been taken down recently.
Details on how the hack was pulled off aren’t entirely clear, but public evidence points to the hackers likely gaining access to Stryker’s Microsoft Intune account. The anonymous employee confirmed that Stryker uses Intune, which is a common solution for managing corporate devices. From there, Handala seems to have wiped some employees’ devices straight back to their factory settings. Rafe Pilling, the director of threat intelligence at cybersecurity company Sophos, confirmed this. Sophos has also linked Handala to Iran’s intelligence operations.
Pilling explained in a written exchange, “They seem to have obtained access to the Microsoft Intune management console. This is a solution for managing corporate devices.” He added, “One of the features is the ability to remotely wipe a device if it’s lost/stolen etc. Looks like they triggered that for some or all of the enrolled devices.” It’s a feature Microsoft describes as “commonly used when a device needs to be retired, repurposed, reset for troubleshooting, or securely erased if lost or stolen,” but clearly, it can be weaponized.
Historically, Iran has been behind some truly infamous “wiper” cyberattacks, which are designed to simply erase all data from computer networks. We saw this with Saudi Aramco, Saudi Arabia’s national oil company, back in 2012, and the Sands Casino in 2014.
Since the recent conflict started, some hacker groups sympathetic to Iranian leadership have claimed minor attacks, mostly just defacing websites, but nothing with a major impact. Tech and cybersecurity companies have mostly observed Iranian hackers focusing on espionage related to the war, so this incident represents a significant escalation.
Despite the disruption, Stryker put out a statement on its website, acknowledging the cyberattack but claiming its own systems weren’t directly hacked. Their statement read, “Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyber attack. We have no indication of ransomware or malware and believe the incident is contained.”
Published: Mar 12, 2026 02:00 pm