10 Critical Facts About the Iran-Linked Wiper Attack on Medical Giant Stryker

Published: 2026-05-03 12:49:22 | Category: Cybersecurity

When a global medical technology leader suddenly sends thousands of workers home and has its headquarters declare a building emergency, the world takes notice. That’s exactly what happened to Stryker, a Michigan-based maker of surgical equipment and hospital supplies, after a hacktivist group with ties to Iran’s intelligence services claimed a devastating data-wiping attack. The incident, which surfaced in early March 2025, has disrupted operations across dozens of countries and raised serious concerns about cybersecurity in the healthcare sector. Here are ten essential things you need to know about this unfolding cyber crisis.

1. Stryker: A Medtech Powerhouse Under Siege

Stryker Corporation, headquartered in Kalamazoo, Michigan, is one of the world’s leading medical and surgical equipment manufacturers. With reported global sales of $25 billion last year, the company employs around 56,000 people across 61 countries. Its products range from orthopedic implants to hospital beds and surgical navigation systems. The attack forced the company to shut down offices in 79 countries, making this one of the most widespread disruptions ever experienced by a medical device maker. Stryker’s stock (NYSE: SYK) saw immediate volatility as investors digested the news of potential operational paralysis and data breaches.

Source: krebsonsecurity.com

2. The Irish Hub: 5,000 Workers Sent Home

Stryker’s largest operational base outside the United States is in Cork, Ireland. On the day of the attack, local news reports confirmed that more than 5,000 employees were told to leave the office and work from home—or simply wait for updates via WhatsApp. The Irish Examiner quoted an unnamed employee who said “anything connected to the network is down” and that anyone using Microsoft Outlook on personal devices saw their phones wiped clean. The login screens of company devices now displayed the Handala logo, a clear sign of who was behind the breach. This disruption in Cork alone represents a massive logistical and productivity hit for the company.

3. What Is a Wiper Attack?

A wiper attack is a type of malicious cyber operation designed not to steal data but to permanently destroy it. Unlike ransomware, which encrypts files for a ransom, wipers overwrite or erase data beyond recovery. In Stryker’s case, the Handala group claimed to have wiped data from more than 200,000 systems, servers, and mobile devices. The goal appears to be pure sabotage, crippling the company’s operations and forcing a halt to business activities worldwide. Security experts note that wiper attacks are particularly dangerous for healthcare and medical device companies because patient records, manufacturing protocols, and regulatory compliance data can be lost forever if backups are compromised.

4. Handala: The Hacktivist Group Behind the Attack

Handala, also known as the Handala Hack Team, is a relatively new player in the cyber threat landscape. According to a profile by Palo Alto Networks, the group surfaced in late 2023 and is closely linked to Iran’s Ministry of Intelligence and Security (MOIS). Cybersecurity researchers assess Handala as one of several online personas maintained by a MOIS-affiliated actor called Void Manticore. The group operates under the guise of hacktivism, often claiming to fight for justice against oppression. In this case, it framed the attack as retaliation for a US missile strike that killed civilians in Iran. Their manifesto, posted on Telegram, boasts of exposing “injustice and corruption.”

5. The Retaliation Narrative: A Missile Strike in Iran

Handala’s statement explicitly linked the Stryker attack to a February 28, 2025 missile strike that hit an Iranian school, killing at least 175 people—most of them children. The New York Times reported that an ongoing military investigation determined the United States was responsible for that deadly Tomahawk missile strike. By targeting a major US medical technology company, Handala aimed to send a message that American interests abroad would face consequences for actions in Iran. This geopolitical context transforms the cyber attack from a simple criminal act into a form of asymmetric warfare, where a nation-state proxy uses digital means to retaliate against a perceived enemy.

6. Data Theft Claims: ‘All Acquired Data Is Now in the Hands of the Free People’

In addition to the wiper component, Handala claimed to have stolen a massive trove of data from Stryker. A portion of their statement reads: “All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption.” While the group did not immediately release any stolen files, the threat of data exposure adds a layer of extortion. Stryker must now worry not only about operational recovery but also about potential leaks of intellectual property, trade secrets, or employee and patient information. The healthcare sector is particularly sensitive to data breaches due to stringent regulations like HIPAA.

7. Stryker’s Headquarters in ‘Building Emergency’ Mode

When a reporter attempted to contact Stryker’s media line at its Michigan headquarters, a voicemail message stated: “We are currently experiencing a building emergency. Please try your call again later.” This unusual message suggests that the company’s physical facilities may have been affected, possibly due to network shutdowns, security lockdowns, or precautionary evacuations. The phrase “building emergency” is broad, but in the context of a cyber attack, it likely refers to the need to isolate infected systems and prevent further spread. It also implies a coordinated crisis management response, with public communication paused until the situation is under control.

8. Employee Devices Wiped and Network Shutdown

According to multiple sources cited by the Irish Examiner, Stryker employees in Cork reported that all systems connected to the corporate network were shut down. Personal devices with Microsoft Outlook installed were entirely wiped, losing emails, calendars, and possibly local files. The login pages of company-issued devices were defaced with the Handala logo, a classic hacktivist tactic to claim credit. This indicates that the attackers gained high-level access to Stryker’s network, likely through compromised credentials or a zero-day exploit, enabling them to remotely wipe devices and alter user interfaces. The disruption left employees reliant on WhatsApp for internal communication, highlighting the breakdown of standard IT operations.

9. Iran’s Intelligence Connection: Void Manticore

Security researchers at Palo Alto Networks have linked Handala to Void Manticore, a known cyber espionage group affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Void Manticore has been active since at least 2021, conducting espionage and destructive attacks against targets in the US, Israel, and Europe. The group is known for using multiple personas to mask its activities, with Handala being one of the more aggressive, hacktivist-flavored fronts. This connection suggests the attack was not a spontaneous act of protest but a carefully planned operation backed by state resources. The use of a wiper attack, rather than ransomware, points to a desire to cause maximum disruption rather than financial gain.

10. The Aftermath and Implications for Healthcare Cybersecurity

As of now, Stryker has not issued a formal public statement beyond the building emergency voicemail. The company is likely working with cybersecurity firms, law enforcement, and government agencies to contain the damage, restore systems from backups, and investigate the breach. For the healthcare and medtech industries, this attack serves as a stark warning: even global giants with significant resources are vulnerable to state-backed hacktivist groups. The targeting of a company that produces life-saving medical equipment raises ethical questions about the rules of cyberwarfare. Moving forward, organizations should expect more wiper attacks disguised as hacktivism, and must prioritize offline backups, network segmentation, and rapid incident response plans.

The Stryker incident is a sobering reminder that cyber attacks are no longer just about stealing credit card numbers or holding files for ransom. When a nation-state proxy decides to wipe data and shut down a critical medical supplier, the consequences ripple through global healthcare systems. As investigators dig deeper, the true scale of this attack—and what it means for US-Iran tensions in cyberspace—will become clearer. For now, the medical technology industry must brace itself for a new era of targeted, destructive cyber warfare.