
Iranian Hackers Wiped 200,000 Devices Across 79 Countries in One Night — and a Major US Medical Company Was the Target

Thousands of employees around the world showed up to work on Wednesday morning and found the same terrifying message on their screens — the logo of an Iranian-linked hacker group staring back at them where their login page should have been. Their phones had been wiped. Their laptops had been wiped.

Their servers were gone. In 79 countries simultaneously, one of the world’s largest medical device companies had been brought to a complete stop. This was not a drill. This was not ransomware. This was something far more calculated — and cybersecurity experts are warning it may be just the beginning.


What Are Iranian Cyber Attacks?

Iranian cyber attacks are state-directed or state-affiliated digital warfare operations launched by groups with ties to Iran’s government — specifically Iran’s Ministry of Intelligence and Security and the Islamic Revolutionary Guard Corps.

Unlike financially motivated cybercriminals who seek ransoms or steal credit card numbers, Iranian cyber operations are primarily political in nature. Their goals are disruption, retaliation, psychological impact, and the projection of power against adversaries — particularly the United States, Israel, and their allies.

Iran did not become a major cyber power by accident. The turning point came in 2010, when the Stuxnet virus — a sophisticated cyberweapon jointly attributed to the United States and Israel — destroyed approximately 1,000 Iranian nuclear centrifuges by causing them to spin out of control while reporting normal operations to their operators. Iran was humiliated. And Iran learned.

“They’ve greatly improved and enhanced their capabilities over the years,” said attorney Michael Vatis, the founding head of the FBI’s computer crime and infrastructure protection program. “I think they made a big concerted effort to improve their capabilities after they were the victims of Stuxnet.”

The 2012 Shamoon attack on Saudi Aramco — which erased data from more than 30,000 systems at Saudi Arabia’s national oil company — demonstrated that Iran had mastered the wiper attack.

The 2014 attack on the Las Vegas Sands Casino showed Iran was willing to strike American soil. And the 2026 Stryker corporation cyber attack showed the world that Iranian cyber attacks have now reached a new level of scale and ambition.

Iran’s approach to cyber warfare is deliberately indirect. Rather than launching attacks from official government infrastructure, Iran uses proxy actors — groups that operate independently but are aligned with Iran and may receive government assistance. This gives Tehran plausible deniability while maintaining the ability to strike at will.


What Happened in the Stryker Cyberattack?

The Stryker cyber attack began in the early hours of Wednesday, March 11, 2026 — with reports suggesting it struck around 3:30 AM EDT.

Stryker Corporation is a Fortune 500 medical technology giant headquartered in Kalamazoo, Michigan. The company employs approximately 56,000 people, reported over $25 billion in revenue for 2025, and makes everything from artificial joints and surgical instruments to hospital beds, defibrillators, ambulance cots, and robotic surgery systems. Its products reach more than 150 million patients annually across 61 countries.

When Stryker employees began their workday on Wednesday, they found their devices had been remotely wiped back to factory settings. Laptops, mobile phones, and servers were all affected. Login pages displayed the logo of the Handala hacking group. Emails were sent directly to company executives claiming ownership of the attack.

According to an internal company notice obtained by The Wall Street Journal, Stryker was experiencing “a severe, global disruption across the Windows environment impacting both client devices and servers,” with the outage described as “widespread and significantly affecting users’ ability to access systems and services.”

Cybersecurity experts traced the method of attack to Microsoft Intune — a cloud-based device management platform that Stryker used to enforce security policies across its global workforce. Hackers appear to have gained access to the Microsoft Intune management console and triggered a remote wipe command against all connected devices simultaneously.

“They seem to have obtained access to the Microsoft Intune management console,” said Rafe Pilling, director of threat intelligence at cybersecurity company Sophos. “One of the features is the ability to remotely wipe a device if it’s lost or stolen. Looks like they triggered that for some or all of the enrolled devices.”
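A defender-side illustration of the remote-wipe scenario described above, added here and not taken from Stryker, Microsoft, or the researchers quoted: it flags an admin account that issues wipe actions against many distinct devices within a short window. The record fields (`time`, `actor`, `action`, `device`), the account names, and the thresholds are assumptions applied to constructed sample data, not the Intune audit log schema.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records (not real data). The field names are a simplified,
# hypothetical schema chosen for this example.
T0 = datetime(2026, 1, 1, 3, 30)
SAMPLE_EVENTS = (
    # Two isolated wipes by a helpdesk account, many hours apart (lost devices).
    [{"time": T0 - timedelta(hours=h), "actor": "helpdesk@example.com",
      "action": "wipe", "device": f"lost-{h}"} for h in (30, 5)]
    # Eight wipes of different devices by one account, ten seconds apart.
    + [{"time": T0 + timedelta(seconds=10 * i), "actor": "admin@example.com",
        "action": "wipe", "device": f"dev-{i:03d}"} for i in range(8)]
    # A non-wipe action that the detector must ignore.
    + [{"time": T0 + timedelta(seconds=5), "actor": "admin@example.com",
        "action": "sync", "device": "dev-000"}]
)

def detect_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Alert once per actor when they wipe >= threshold distinct devices
    inside a sliding time window."""
    recent = {}      # actor -> deque of (time, device) still inside the window
    alerted = set()  # actors already reported, to avoid duplicate alerts
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "wipe":
            continue
        q = recent.setdefault(ev["actor"], deque())
        q.append((ev["time"], ev["device"]))
        # Drop entries that have aged out of the window.
        while ev["time"] - q[0][0] > window:
            q.popleft()
        # Count distinct devices so a retried wipe does not inflate the score.
        devices = {d for _, d in q}
        if len(devices) >= threshold and ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            alerts.append({"actor": ev["actor"], "devices": len(devices),
                           "window_start": q[0][0], "alert_time": ev["time"]})
    return alerts

if __name__ == "__main__":
    for a in detect_wipe_bursts(SAMPLE_EVENTS):
        print(f"{a['alert_time']} {a['actor']} wiped {a['devices']} devices "
              f"since {a['window_start']}")
```

In practice the same rule pairs well with a control that requires a second approver for bulk destructive device actions, so an alert is not the only barrier.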

Handala claimed to have wiped more than 200,000 systems, servers, and mobile devices across Stryker’s global network, forced offices in 79 countries to shut down, and extracted 50 terabytes of sensitive company data. “All the acquired data is now in the hands of the free people of the world,” the group declared.

The impact on healthcare was immediate. Maryland’s Institute for Emergency Medical Services notified hospitals statewide that Stryker’s Lifenet electrocardiogram transmission system was non-functional across most of the state. Hospitals began evaluating whether to disconnect Stryker equipment from their own systems entirely. Federal agencies including the Department of Health and Human Services scrambled to assess the impact on patient care.

Stryker’s response was measured. “We have no indication of ransomware or malware and believe the incident is contained,” the company stated. “Our teams are actively working to restore systems and operations as quickly as possible. Stryker has business continuity measures in place, and we’re committed to continuing to serve our customers.”

Stryker stock fell more than 3% following initial reports of the attack.


Who Is the Hacker Group Behind the Attack?

The group behind the Stryker corporation cyber attack is known as Handala — and their name carries deliberate symbolism. Handala is a famous Palestinian cartoon character created in 1969, representing a displaced Palestinian refugee child. The choice of name signals Handala’s stated political identity as a pro-Palestinian, anti-Western hacktivist collective.

But security researchers are clear — Handala is far more than an independent activist group.

Handala emerged in late 2023, around the time of Hamas’s October 7 attack on Israel. According to Palo Alto Networks, which has extensively analyzed the group, Handala is assessed as one of several online personas maintained by Void Manticore — a threat actor directly sponsored by Iran’s Ministry of Intelligence and Security. Cybersecurity firm Sophos has independently linked Handala to Iran’s intelligence operations.

Handala’s operational profile is consistent with state-backed cyber warfare rather than independent hacktivism. The group has claimed strikes on Israeli military weather servers, intercepted security feeds in Jerusalem, targeted fuel systems in Jordan, hacked an Israeli oil and gas exploration company, and doxxed Israeli intelligence officers. Its Stryker attack was the most significant strike on a US company the group had ever claimed.

The group justified the Stryker attack as retaliation for a missile strike on a school in Minab, a city in southern Iran, on the first day of the US-Israeli military campaign against Iran. More than 170 people were killed — most of them schoolgirls. The New York Times subsequently reported that an ongoing US military investigation determined the United States was responsible for the strike.

“Our major cyber operation has been executed with complete success,” Handala declared. “This is only the beginning of a new chapter in cyber warfare.”

The group also referenced Stryker’s 2019 acquisition of OrthoSpace — an Israeli medical technology company — as a factor in their targeting decision, describing Stryker as a “Zionist-rooted corporation.”


Why Healthcare and Technology Companies Are Targets

The Stryker cyber attack was not random. It was precisely calculated — and understanding why healthcare and technology companies are targeted helps explain the broader threat landscape of Iranian cyber attacks.

Valuable and Sensitive Data

Medical technology companies hold extraordinary volumes of sensitive data — patient records, surgical outcomes, proprietary device specifications, clinical trial data, and hospital system access credentials. Fifty terabytes of extracted Stryker data represents not just a corporate breach but a potential intelligence treasure trove with implications far beyond one company.

Critical Infrastructure Connections

Stryker equipment is embedded in hospital systems around the world. A company whose products include defibrillators, ambulance cots, and surgical robots is not simply a manufacturer — it is a component of critical healthcare infrastructure. Disrupting Stryker disrupts hospitals. Disrupting hospitals disrupts patient care. This is asymmetric warfare at its most effective.

Political Retaliation and Psychological Impact

Iran’s Islamic Revolutionary Guard Corps explicitly warned this week that US and Israeli-linked economic centers and banks across the region were now legitimate targets. State-affiliated Iranian media published a list of US tech firms — including Google, Microsoft, and Nvidia — describing their regional infrastructure as “Iran’s new targets.”

“Too much of cybersecurity is focused on lower consequence breaches from financially motivated enemies, while we’re increasing our exposures to nation states and other enemies who seek to disrupt and destroy,” said cybersecurity expert Joshua Corman. “China, Iran, Russia — all have the means, motive, and opportunity to deal us devastating disruptions.”

Supply Chain Vulnerabilities

Palo Alto researchers noted that Handala has increasingly focused on supply chain footholds — targeting IT service providers to reach downstream victims. Stryker may have been attacked not only for its own value but as a gateway to the hospital systems and healthcare networks it serves globally.


Could More Iranian Cyber Attacks Happen?

The short and honest answer from every cybersecurity expert watching this situation is: yes. Almost certainly.

FBI Director Kash Patel stated on Tuesday — one day before the Stryker attack — that the FBI was working around the clock to implement a sweeping cyber strategy and to impose real costs on those who target Americans in cyberspace. Hours later, Stryker was hit.

Email security firm Proofpoint reported that Iranian hacking groups had been relatively quiet since the war began last month — with only one confirmed campaign targeting a US think tank employee. The Stryker attack broke that relative quiet in the most dramatic way possible.

Attorney Michael Vatis offered a sobering assessment of what comes next. The Stryker attack, he noted, was not against critical infrastructure like energy grids or financial systems. But “to the extent that this is a prelude to a much broader attack of the same sort, it could, in the aggregate, become serious.”

Iran’s IRGC has specifically named Google, Microsoft, Nvidia, IBM, Oracle, and Palantir as targets — companies whose regional infrastructure is now described as legitimate military objectives in state-affiliated Iranian media. A cyberattack on any one of those companies would make the Stryker disruption look minor by comparison.

The Council on Foreign Relations published a report on March 5 identifying sleeper agents, lone actors inspired by Iran, cyberattacks on US infrastructure, and proxy-group operations as the most credible immediate threat vectors as the war with Iran escalates.

For American companies — particularly those in healthcare, technology, finance, and energy — the message from every credible security analyst is identical: assume you are a target, act accordingly, and do not wait for an attack to begin hardening your defenses.


Conclusion

The Stryker corporation cyber attack is not an isolated incident. It is a milestone — the most significant Iranian cyber strike on a US company since the war began, and by Handala’s own declaration, only the beginning of a new chapter.

Iranian cyber attacks have evolved from the crude website defacements of a decade ago into precision operations capable of wiping 200,000 devices across 79 countries in a single night. The US government is responding. Companies are on high alert. But the threat is real, it is escalating, and it is no longer something that happens only to someone else.

Information sourced from CNN, NBC News, TechCrunch, Al Jazeera, SecurityWeek, KrebsOnSecurity, NewsNation, The Hill, and RTE as of March 12, 2026. This is a developing story — all updates will be reflected as new information becomes available.
