The attack, attributed to pro-Palestinian hacking group Handala, reportedly wiped Windows devices across Stryker’s enterprise environment and disrupted ordering systems.


By Alyx Arnett

Stryker, a US medical technology company, is experiencing a global network outage after a cyberattack believed to be linked to Handala, a pro-Palestinian hacking group with suspected ties to Iran. The attack, which came to light on March 11, 2026, reportedly wiped Windows devices—including laptops and cellphones—across the company, disrupting staff and contractors and taking down electronic ordering systems.

In a statement posted to its website, Stryker confirmed the scope of the disruption. “Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyber attack,” the company said on March 11. “We have no indication of ransomware or malware and believe the incident is contained.”

In an updated statement on March 12, Stryker added that the situation is believed to be “contained to our internal Microsoft environment only” and confirmed that products including Mako, Vocera, and LIFEPAK35 “are fully safe to use.” The company said orders entered before the event will ship once system communications are restored, while orders received after the event are being examined.

Supply Chain Disruption as the Attack Vector

Cybersecurity analysts say the incident is notable not just for its scale, but for what it signals about the evolving targeting strategy of state-linked threat actors.

“The attack on Stryker highlights a troubling shift we’re increasingly seeing in destructive cyber operations,” says Josh Lefkowitz, chief executive officer of Flashpoint. “Rather than targeting hospitals or frontline healthcare providers directly, adversaries may focus on critical suppliers and logistics providers where disruption can cascade across the entire healthcare ecosystem. A single intrusion at a key node in the supply chain has the potential to create widespread operational impact far beyond the initial target.”

Analysts at Flashpoint, who have tracked Handala activity over the past year, assess that the group consistently attempts to portray itself as a grassroots resistance movement through political messaging and symbolic imagery, but that its operational behavior and targeting patterns are more consistent with activity linked to Iranian intelligence services. Unlike financially motivated ransomware groups, Handala appears primarily focused on disruption, psychological pressure, and geopolitical signaling.

“From our perspective tracking Handala over the past year, the group has done an effective job presenting itself as a grassroots resistance movement,” says Kathryn Raines, cyber threat intelligence team lead for the National Security Solutions team at Flashpoint. “However, the tactics and targeting we observe are far more consistent with activity linked to Iranian state actors than with independent hacktivism. What makes the Stryker incident particularly concerning is the apparent use of enterprise management infrastructure—potentially weaponizing Microsoft Intune—to carry out destructive activity at scale.”

A Concerning Evolution in Attacker Tradecraft

If confirmed, the use of enterprise device management infrastructure as a wiping mechanism would mark a significant escalation in attacker sophistication. Flashpoint analysts assess with moderate confidence that future destructive cyber operations may increasingly focus on centralized information technology (IT) management infrastructure, which can enable attackers to amplify the impact of a single compromise across large enterprise environments.

Joseph M. Saunders, founder and chief executive officer of RunSafe Security, placed the attack within a broader geopolitical context. “Whether this incident ultimately proves to be the work of a nation-state, hacktivist group, or another actor, it reflects a broader global trend,” says Saunders. “Cyber operations are increasingly being used as instruments of geopolitical pressure and retaliation. When attacks disrupt major technology or healthcare companies, the impact extends beyond a single organization and becomes an economic and national security issue.”

Patient Safety and the Clinical Environment

For healthcare facilities that rely on Stryker products and supply chains, the attack carries implications that extend into care delivery. Skip Sorrels, field chief technology officer and chief information security officer at Claroty and a former intensive care unit (ICU) nurse, says incidents like this underscore why cybersecurity in healthcare must be framed as a patient safety issue.

“Attacks like this unfortunately aren’t surprising,” says Sorrels. “Even before the latest geopolitical tensions, hacktivist activity targeting healthcare and other critical infrastructure had been steadily increasing, and that trend makes organizations like medical device manufacturers and hospitals more likely to be caught in the crossfire. In many cases, attackers simply find the path of least resistance—an exposed system, an unsecured management console, or credentials that allow them to move deeper into the environment—and once they gain administrative access, they effectively hold the keys to the kingdom and can disrupt everything from mobile devices to operational systems.”

Sorrels adds, “As a former ICU nurse, I’ve seen firsthand how even small technology outages ripple through care delivery, which is why cybersecurity in healthcare must be treated as part of patient safety, with organizations prioritizing visibility into their cyber-physical systems and closing those ‘open doors’ before attackers find them.”

Stryker says in the statement on its website that it will continue to provide daily updates at Stryker.com/newsroom as it works to restore its electronic ordering system and broader network communications.

Stryker has not responded to a request for comment.
