An Iran-linked hacker group has claimed responsibility for a cyberattack on a medical tech company in what appears to be the first significant instance of Iran’s hacking an American company since the start of the war between the countries.
The company, Stryker, which is headquartered in Michigan, produces a range of medical equipment and technology.
Historically, Iran has conducted some of the most infamous “wiper” cyberattacks on national enemies, aiming to simply erase all data on computers’ networks. Victims include Saudi Aramco, Saudi Arabia’s national oil company, in 2012, and the Sands Casino in 2014.
Since the war started, some established hacker groups sympathetic to Iranian leadership have claimed minor attacks, but most have amounted to briefly altering the appearance of a website, and none appear to have had major impact. Some tech and cybersecurity companies, including Google and the email cybersecurity company Proofpoint, have told NBC News that they have largely seen Iran’s hackers conducting espionage related to the war.
But that appears to have changed Wednesday with a different type of attack, one that also deleted information from devices. A Stryker employee, who asked not to be identified because they are not authorized to speak for the company, said that employees’ work-issued phones stopped working, grinding work and communications with colleagues to a standstill.
Handala Team has claimed responsibility for the Stryker hack in statements on its Telegram and X accounts. The group routinely brags about its exploits on those social media platforms, which have in recent days taken down previous versions of its accounts.
Specifics of how the hack was conducted are not clear. But public evidence of the hack points to the likelihood that hackers gained access to the company’s Microsoft Intune account, which the employee confirmed Stryker uses. From there, Handala appears to have wiped some employees’ devices back to factory settings, an expert said.
“They seem to have obtained access to the Microsoft Intune management console. This is a solution for managing corporate devices,” said Rafe Pilling, the director of threat intelligence at the cybersecurity company Sophos, which has tied Handala to Iran’s Intelligence Ministry.
“One of the features is the ability to remotely wipe a device if it’s lost/stolen etc. Looks like they triggered that for some or all of the enrolled devices,” he said in a written exchange.
Microsoft’s website describes the remote wipe feature as “commonly used when a device needs to be retired, repurposed, reset for troubleshooting, or securely erased if lost or stolen.”
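A defender-side check that follows from the mechanism described above, added here as an example and not code from the article, Stryker, Sophos or Microsoft: it scans Intune-style audit events for a single account issuing many wipe actions in a short window, the signal that distinguishes a routine helpdesk wipe from a mass wipe. The sample events are constructed, and their field names are an assumption loosely modelled on Intune audit events rather than the exact Microsoft Graph schema.

```python
# Added example, not code from the article, Stryker or Microsoft. The events are
# CONSTRUCTED and the field names (actor, activityType, activityDateTime,
# deviceId) are an ASSUMPTION loosely modelled on Intune audit events.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: one routine helpdesk wipe in the morning, four wipes
# from one account within three minutes in the afternoon (plus an unrelated
# update), and a second routine helpdesk wipe hours later.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-06-12T09:00:01Z", "actor": "helpdesk@example.com",
     "activityType": "Wipe ManagedDevice", "deviceId": "dev-001"},
    {"activityDateTime": "2024-06-12T14:00:05Z", "actor": "admin2@example.com",
     "activityType": "Wipe ManagedDevice", "deviceId": "dev-101"},
    {"activityDateTime": "2024-06-12T14:00:40Z", "actor": "admin2@example.com",
     "activityType": "Wipe ManagedDevice", "deviceId": "dev-102"},
    {"activityDateTime": "2024-06-12T14:01:30Z", "actor": "admin2@example.com",
     "activityType": "Update ManagedDevice", "deviceId": "dev-103"},
    {"activityDateTime": "2024-06-12T14:02:10Z", "actor": "admin2@example.com",
     "activityType": "Wipe ManagedDevice", "deviceId": "dev-103"},
    {"activityDateTime": "2024-06-12T14:02:55Z", "actor": "admin2@example.com",
     "activityType": "Wipe ManagedDevice", "deviceId": "dev-104"},
    {"activityDateTime": "2024-06-12T15:10:00Z", "actor": "helpdesk@example.com",
     "activityType": "Wipe ManagedDevice", "deviceId": "dev-002"},
]

# Actions that erase or unenroll a device; both get the same scrutiny.
WIPE_ACTIONS = {"Wipe ManagedDevice", "Retire ManagedDevice"}

def find_wipe_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor: most wipes seen in any sliding window} for each actor
    whose peak reaches threshold. One wipe is routine helpdesk work; several
    from one account in a short span is the pattern worth alerting on."""
    times_by_actor = defaultdict(list)
    for event in events:
        if event["activityType"] in WIPE_ACTIONS:
            stamp = datetime.strptime(event["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            times_by_actor[event["actor"]].append(stamp)
    alerts = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start = peak = 0
        for end, current in enumerate(times):
            while current - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[actor] = peak
    return alerts
```

Run against the constructed trail it flags only admin2@example.com (four wipes in one window); the two helpdesk wipes six hours apart never exceed a peak of one.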
In a statement on its website Wednesday, Stryker said that the disruption was due to a cyberattack but that its own systems were not directly hacked and that ransomware — a common type of cybercrime that can also significantly disrupt companies’ networks — was not a factor.
“Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyber attack. We have no indication of ransomware or malware and believe the incident is contained,” the statement said.
The company did not respond to a request for further details. Microsoft did not respond to a request for comment.
Facts Only
An Iran-linked hacker group, Handala Team, claimed responsibility for a cyberattack on Stryker, a medical technology company headquartered in Michigan.
The attack occurred on Wednesday and disrupted Stryker’s Microsoft environment.
Stryker employees reported that their work-issued phones stopped working, halting communications.
Handala Team announced the hack on its Telegram and X accounts.
The group has been linked to Iran’s Intelligence Ministry by cybersecurity firm Sophos.
The attack involved accessing Stryker’s Microsoft Intune account, which is used to manage corporate devices.
Hackers remotely wiped some employees’ devices back to factory settings using Microsoft Intune’s remote wipe feature.
Stryker confirmed the cyberattack but stated its systems were not directly hacked and that ransomware was not a factor.
The company believes the incident is contained.
This is the first significant Iran-linked cyberattack on a U.S. company since the start of the recent conflict between the countries.
Previous pro-Iranian hacking attempts have been minor, such as website defacement.
Iran has a history of conducting "wiper" cyberattacks, including on Saudi Aramco in 2012 and the Sands Casino in 2014.
Microsoft has not responded to requests for comment on the incident.
Executive Summary
An Iran-linked hacker group, Handala Team, has claimed responsibility for a cyberattack on Stryker, a Michigan-based medical technology company. The attack, which occurred on Wednesday, disrupted Stryker’s Microsoft environment, causing work-issued phones to stop functioning and halting communications among employees. Handala Team, which has ties to Iran’s Intelligence Ministry, stated on its Telegram and X accounts that it conducted the attack. The group appears to have gained access to Stryker’s Microsoft Intune account, a platform used for managing corporate devices, and remotely wiped some employees’ devices back to factory settings. Stryker confirmed the cyberattack but stated that its own systems were not directly hacked and that ransomware was not involved. The company believes the incident is contained. This attack marks a significant escalation in Iran-linked cyber operations against U.S. entities since the start of the recent conflict, as previous attacks by pro-Iranian groups have been minor, such as defacing websites. Historically, Iran has been associated with destructive "wiper" cyberattacks, including notable incidents against Saudi Aramco in 2012 and the Sands Casino in 2014. Cybersecurity firms like Sophos have linked Handala Team to Iran’s Intelligence Ministry, and experts suggest the group exploited Microsoft Intune’s remote wipe feature to disrupt Stryker’s operations. Microsoft has not commented on the incident.
The attack raises questions about the evolving tactics of Iran-linked cyber groups and their potential impact on critical infrastructure. While Stryker has downplayed the severity of the breach, the incident highlights vulnerabilities in corporate device management systems and the growing threat of state-aligned hacking collectives. The motivations behind the attack remain unclear, though it aligns with a pattern of Iranian cyber operations targeting adversarial nations during periods of heightened tension.
Full Take
The strongest version of this narrative is that Iran-linked hackers have escalated their cyber operations against U.S. targets, moving beyond symbolic website defacements to more disruptive attacks. The Handala Team’s claimed hack on Stryker demonstrates a shift in tactics, leveraging corporate device management tools to cause operational disruptions. The attack aligns with Iran’s historical use of cyber warfare as a tool of asymmetric conflict, particularly during periods of geopolitical tension. The source material provides credible evidence linking Handala Team to Iran’s Intelligence Ministry, and the technical details—such as the exploitation of Microsoft Intune—suggest a sophisticated operation. The narrative is strengthened by the inclusion of expert analysis from cybersecurity firms like Sophos and the acknowledgment of Iran’s past cyber campaigns.
However, the article does not delve into the broader implications of this attack beyond the immediate disruption. There is no exploration of whether this incident is part of a coordinated campaign or an isolated event. The motivations behind the attack are left unexamined, and the potential for collateral damage—such as impacts on healthcare services reliant on Stryker’s technology—is not addressed. The narrative also lacks perspective on how U.S. cyber defenses or retaliatory measures might evolve in response. The focus on the technical mechanics of the attack, while informative, risks overshadowing the human and systemic consequences.
Root cause: This narrative reflects a paradigm of cyber warfare as an extension of state conflict, where nation-states and their proxies use digital tools to project power and disrupt adversaries. The unstated assumption is that cyberattacks are an inevitable feature of modern geopolitical rivalry, with little consideration for how they might spiral into broader conflicts or harm civilian infrastructure. Historically, this echoes Cold War-era proxy conflicts, where deniable actions allowed states to engage in hostility without direct confrontation.
Implications: For human agency, this attack underscores the vulnerability of critical infrastructure to state-aligned cyber threats, raising questions about the resilience of corporate and healthcare systems. The beneficiaries of such attacks are likely state actors seeking to demonstrate capability or retaliate without direct military engagement. The costs are borne by companies, employees, and potentially patients reliant on medical technology. Second-order consequences could include increased cybersecurity spending, heightened tensions between the U.S. and Iran, and a potential cycle of escalating cyber retaliation.
Bridge questions: What evidence would indicate whether this attack is part of a broader Iranian cyber campaign? How might U.S. policy or corporate cybersecurity practices adapt in response to such threats? What safeguards exist to prevent similar attacks from disrupting critical healthcare services?
Counterstrike scan: If this narrative were part of a coordinated influence campaign, the playbook would involve amplifying the threat of Iranian cyber capabilities to justify escalatory responses or increased defense spending. The actual content does not match this pattern, as it presents a factual account of the attack without sensationalism or calls for retaliation. The focus remains on the technical and geopolitical context rather than stoking fear or outrage.
Patterns detected: none
Sentinel — Human
The article exhibits strong human writing signals, including natural phrasing, specific attributions, and technical nuance, with no significant indicators of synthetic generation.
