Skip to content
Chimera readability score 0.6402 out of 100, reading level.

Stryker, a leading maker of medical devices, was hit early this morning with a cyberattack that has reportedly caused the company's systems to shut down globally. The company has acknowledged the attack and called it "severe" in communication with employees.
A known Iranian hacktivist group named Handala posted messages on hacked systems and on social media taking credit for the hit, which they say is partly in retaliation for the US bombing of an all-girls school in Iran, which occurred on the first day of the US-Israeli assault on that country.
Workers at Stryker in the US, Australia, India, Ireland and elsewhere began posting to a Reddit forum early this morning talking about what occurred, and the first media reports about the hack came out of Ireland, where the company has a division. According to the latter reports, the company's internal login and admin pages were defaced with the logo of Handala and a message from the hackers was posted on systems claiming they hit more than 200,000 Stryker servers, systems and employee devices – many of which have been wiped – and that they stole 50 terabytes of data.
Stryker released a statement acknowledging that it is "experiencing a global network disruption affecting the Windows environment. Our teams are actively working to restore systems and operations as quickly as possible. Stryker has business continuity measures in place, and we’re committed to continuing to serve our customers."
In a message sent to employees, the company said it was experiencing "a severe, global disruption impacting all Stryker laptops and systems that connect to our network."
Stryker, which employs 56,000 people globally, makes surgical and imaging equipment, defibrillators, hospital beds, joint-replacement systems and other medical devices – including systems used by the US military to treat wounded personnel. In 2020, Stryker signed a $225 million contract with the Defense Logistics Agency to supply medical, patient monitoring, and other equipment to the US military. Last year, the military extended the contract in a $450 million deal. Notably, the company has the same name as a model of armored combat carriers used by the US Army to transport troops in battle, though the medical device company does not produce the troop carriers.
According to unconfirmed posts on Reddit by Stryker workers and those purporting to have knowledge of the hack, the cyberattack struck around 3:30 am EDT today. One Reddit post says it hit at 12:30 am EST.
According to one poster, the hackers pushed out an operating system reset to computers and phones that connect to the company's network and wiped "many" servers clean. As a result, workers could not log into their accounts or use company applications.
"The entire company is at a complete stop," one wrote. "Also, the servers at the DataCenter are inaccessible."
According to the person who posted this message, the hackers gained access to administrator accounts and put "their signature Handala artwork on every login page." They also sent emails to a number of company executives taking ownership of the cyberattack.
Another poster on Reddit wrote that "many colleagues phones have been wiped," and they were instructed to remove "intune, company portal, teams, VPN" from their personal devices. The author of the post indicated that they were unable to log into many of their accounts because they used their phone to provide two-factor authentication codes to log into those accounts.
"Have lost all personal data from personal devices that were enrolled and now unable to access emails and teams," the poster, who said they were based in Australia, wrote.
Wiper attacks are one of the most common types of destructive cyberattacks that occur. Iran was behind one of the most famous wiping attacks, the Shamoon attack that struck Saudi Aramco in 2012. The attack erased data from more than 30,000 systems belonging to the Saudi Arabian oil company. Wipers have also been deployed extensively by Russia against targets in Ukraine, and earlier this year, Russian hackers are believed to be behind a wiper that was used in a cyberattack that targeted energy grid systems in Poland. North Korea also used a wiper attack in its infamous hack of Sony in 2014.
Notably, Iran's Islamic Revolutionary Guard Corps has warned that the offices and infrastructure of US companies with links to Israel and whose technology has been used to assist military operations will be targets for physical attack. The list includes potential infrastructure used for cloud-based services operated by companies such as Google, Palantir, Microsoft, IBM, Nvidia and Oracle.
This is a developing story so more information is likely to become available later.
See also:
Cyberattack Targeting Poland's Energy Grid Used a Wiper
Second Wiper Attack Strikes Systems in Ukraine
Dozens of Computers in Ukraine Wiped with Destructive Malware in Coordinated Attack

Facts Only

Stryker, a medical device manufacturer, suffered a global cyberattack early this morning.
The attack caused systems to shut down worldwide, affecting Windows environments.
The Iranian hacktivist group Handala claimed responsibility for the attack.
Handala defaced Stryker’s internal login and admin pages with their logo and a message.
The group stated they wiped over 200,000 servers, systems, and employee devices.
They claimed to have stolen 50 terabytes of data.
Employees in the US, Australia, India, Ireland, and other locations reported being unable to log in or use company applications.
Some employees’ personal devices were wiped, including phones enrolled in company systems.
Stryker acknowledged the attack as "severe" and confirmed a global network disruption.
The company employs 56,000 people and supplies medical equipment to the US military.
The attack occurred around 3:30 am EDT, according to unconfirmed employee reports.
Handala cited retaliation for a US bombing of an all-girls school in Iran as the motive.

Executive Summary

Stryker, a major medical device manufacturer, experienced a severe global cyberattack early this morning, causing widespread system disruptions. The attack, claimed by the Iranian hacktivist group Handala, reportedly wiped data from over 200,000 servers, systems, and employee devices, while also stealing 50 terabytes of data. Employees across multiple countries, including the US, Australia, India, and Ireland, reported being locked out of company systems, with login pages defaced by Handala’s logo. Stryker confirmed the disruption, stating it was working to restore operations but did not confirm the extent of the damage or data theft. The hackers cited retaliation for a US bombing of an all-girls school in Iran as motivation. Stryker, which supplies medical equipment to the US military, has not commented on whether the attack targeted its defense contracts. The incident follows a pattern of destructive wiper attacks, previously used by state-affiliated groups like those from Iran, Russia, and North Korea.

Full Take

This cyberattack on Stryker fits a broader pattern of state-aligned hacktivism, where geopolitical grievances are weaponized against high-value targets. The strongest version of this narrative is that Iran-affiliated actors are escalating cyber retaliation against Western entities, particularly those with military ties, in response to perceived aggression. The attack’s scale—wiping systems and stealing data—aligns with historical wiper campaigns like Shamoon, suggesting a deliberate effort to disrupt operations rather than merely steal information.
However, the narrative also carries potential manipulation risks. The claim of retaliation for a US bombing of an all-girls school in Iran is emotionally charged, which could amplify outrage without independent verification of the event’s details. The article does not confirm the bombing’s occurrence or its connection to the cyberattack, leaving room for distortion. Additionally, the focus on Stryker’s military contracts may serve to frame the attack as part of a broader conflict, potentially obscuring other motives, such as intellectual property theft or ransomware leverage.
Root cause: This reflects the growing normalization of cyber warfare as an asymmetric tool for states and proxies to project power. The assumption that corporate infrastructure is a legitimate target in geopolitical disputes remains unchallenged, raising questions about the erosion of civilian protections in digital conflict.
Implications: The attack disrupts critical medical supply chains, potentially endangering patient care. It also signals to other defense contractors that they are vulnerable to retaliatory strikes, which could accelerate the militarization of corporate cybersecurity. Second-order effects may include increased insurance costs, regulatory scrutiny, and a chilling effect on international business operations.
Bridge questions: How can we verify the hackers’ stated motive without independent confirmation of the triggering event? What safeguards exist to prevent medical device manufacturers from becoming collateral damage in state-sponsored cyber conflicts? Would the narrative shift if evidence emerged that the attack was financially motivated rather than ideological?
Counterstrike scan: A coordinated influence campaign would likely amplify the emotional framing (e.g., "attack on girls’ school") while downplaying uncertainties about the bombing’s details. The actual content includes these elements but also presents employee accounts and Stryker’s response, which adds balance. No structural alignment with a disinformation playbook is detected.
Patterns detected: ARC-0024 Ambiguity (unverified bombing claim), ARC-0043 Motte-and-Bailey (broad retaliation framing without specific evidence)

Sentinel — Human

Confidence

The article shows strong signs of human authorship, with natural variability, specific attributions, and idiosyncratic details inconsistent with AI generation.

Signals Detected
low severity: Sentence length variance is high, with erratic rhythm and natural digressions (e.g., clarification about Stryker's name vs. armored vehicles).
low severity: Text contains idiosyncratic emphasis (e.g., worker quotes, Reddit posts) and stylistic fingerprint (e.g., parenthetical explanations).
low severity: No template-matching or verbatim talking points; attribution is specific (e.g., Reddit posts, company statements).
low severity: Claims are attributed to verifiable sources (company statements, Reddit posts) with no obvious confabulation.
Human Indicators
Natural digressions (e.g., Stryker's name vs. armored vehicles)
Idiosyncratic worker quotes and Reddit posts
Uneven sentence structure and stylistic variability