An Iran-linked hacker group has claimed responsibility for a cyberattack on Stryker, a Michigan-based medical technology company, in what appears to be the first significant case of Iran-aligned hackers hitting an American company since the war began.
Attack Appears to Target Device Management
The group, Handala Team, said in posts on Telegram and X that it carried out the intrusion. The accounts used to publicize the claims have previously been taken down and have reappeared under new versions, according to the report.
While the technical entry point has not been publicly confirmed, a security expert said available evidence suggests the attackers may have accessed Stryker’s Microsoft Intune device management environment and then triggered remote wipe actions that reset some devices to factory settings.
Rafe Pilling, director of threat intelligence at Sophos, said Sophos has tied Handala to Iran’s Intelligence Ministry and that the behavior matches a misuse of Intune’s administrative controls. Intune includes a remote wipe feature that Microsoft describes as commonly used to retire or repurpose devices, troubleshoot issues, or erase lost or stolen hardware.
Operational Disruption Reported Internally
A Stryker employee, speaking anonymously because they were not authorized to comment publicly, said work-issued phones stopped functioning, disrupting communications and day-to-day work. The employee confirmed the company uses Intune.
Stryker said in a statement posted on its website that it was experiencing a global network disruption tied to a cyberattack affecting its Microsoft environment. The company said it had no indication of ransomware or malware and believed the incident was contained. Stryker did not provide further technical details in the statement, and Microsoft did not respond to a request for comment.
Shift From Symbolic Hacks to Destructive Tactics
Iran has a history of destructive cyber operations, including so-called wiper attacks intended to erase data. Past targets have included Saudi Aramco in 2012 and the Sands Casino in 2014.
Since the war began, some Iran-sympathetic groups have claimed smaller, low-impact actions, often involving brief website defacements. Cybersecurity firms including Google and email security company Proofpoint have said they primarily observed Iranian-linked activity focused on espionage related to the conflict. The Stryker incident stands out as a potentially more disruptive move, particularly if device wipes were executed at scale.

