
Stryker cyberattack: Iran-linked hackers wipe 200,000 devices in global disruption


This story was originally published on mynorthwest.com.

An Iran-linked hacking group launched a massive cyberattack on Stryker Corporation, wiping more than 200,000 devices worldwide by exploiting the company’s own system, cybersecurity experts say.

The March 11 attack, attributed to the hacker group Handala, targeted administrator-level accounts and used them to issue remote wipe commands across Stryker’s global network. The breach impacted devices in 79 countries, including laptops, smartphones, and servers.

Experts said the attackers used a “living off the land” technique, meaning they leveraged legitimate internal tools instead of deploying malware or ransomware, allowing them to effectively turn Stryker’s own systems against the company.

“This is a five-alarm fire,” Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency, told CBS Mornings. “It’s a wake-up call for every organization.”

Global impact of the Stryker cyberattack

The cyberattack caused widespread disruption to Stryker’s operations, taking internal systems offline and affecting ordering, shipping, and employee workflows worldwide.

“Handala was able to gain access to privileged, important administrator-level accounts within Stryker and then wipe out devices, hundreds of thousands of devices worldwide,” Krebs explained.

Employees were instructed to disconnect devices immediately, with some reporting their systems were erased in real time.

Handala also claimed it stole 50 terabytes of corporate data before launching the attack, though that has not been independently verified.

Investigators said the breach likely involved compromised credentials, potentially through phishing or other identity-based attacks, allowing hackers to gain access to high-level administrative controls.

“I think the conditions that created this attack on Stryker were probably independent anyway, in that some misconfiguration or other vulnerability contributed to the ability of Handala to get in.”

Medical devices not impacted

Despite the scale of the attack, Stryker said its connected medical devices, including LIFEPAK defibrillators, Mako surgical systems, and Vocera platforms, were not affected because they operate on separate networks.

However, some indirect impacts were reported. In Maryland, paramedics temporarily lost the ability to transmit ECG data to hospitals due to network disruptions tied to the incident.

Iran-linked motive and geopolitical context

There are reports that the group behind the attack claimed it was retaliation for a U.S.-Israeli missile strike in Iran that reportedly killed more than 100 people.

Cybersecurity analysts said the Stryker cyberattack is one of the most significant and destructive cyber incidents targeting a U.S. company amid rising tensions involving Iran.

Recovery and cybersecurity concerns

Experts warn recovery from the Stryker attack could take months and cost millions, as the company works to restore systems and identify vulnerabilities.

Krebs said organizations across the U.S. should treat the incident as a warning.

“Every organization today, right now, yesterday even, needs to be running a full hands-on deck rehearsal of what happens if they have a similar event,” Krebs said. “Make sure the bad guys cannot easily get in and move throughout the entirety of an organization.”

Local healthcare systems monitoring

The healthcare and higher education sectors, which cybercrime experts often consider at higher risk for cyberattacks, are closely watching the situation.

A spokesperson for University of Washington (UW) Medicine said its operations and patient care remain unaffected. Washington State University also reported no impact, while UW has not yet responded to requests for comment.
