Could Stryker’s Cyberattack Signal Rising Iran-Linked Threats To U.S. Firms?

A large‑scale cyberattack on Stryker Corporation, one of the United States’ leading medical technology firms, has disrupted systems worldwide and highlighted the growing risk of geopolitical cyber warfare to global markets and critical industries. The incident, which began early Wednesday and was claimed by an Iran‑linked hacking group, forced shutdowns of internal networks, left thousands of devices unusable, and sent Stryker’s shares down sharply in trading as investors reassessed risk in the sector.

The attack comes amid heightened tensions between Iran, the United States and Israel and underscores how conflicts abroad are increasingly spilling into the digital infrastructure that supports global commerce.

What Happened to Stryker

The cyber disruption hit Stryker shortly after midnight on the U.S. East Coast, according to people familiar with the matter speaking to media outlets. Soon afterward, significant outages spread across the company’s internal technology systems. Devices configured to access Stryker’s digital environment, including laptops, mobile devices and other remote connections, were reportedly wiped or rendered unusable.

An internal company communication characterized the breach as a severe global disruption affecting the firm’s Windows technology environment, impacting both employee devices and servers and forcing staff offline. In some cases, employees reported seeing the logo of an Iran‑linked hacking group on login pages, though these social media claims have not been independently verified.

Operations were significantly disrupted at facilities around the world. At Stryker’s major manufacturing plant in Cork, Ireland, thousands of employees were unable to work while systems were offline. At the company’s global headquarters in Portage, Michigan, phone systems played a recorded message indicating the organization was dealing with a building emergency.

In a filing with the Securities and Exchange Commission, Stryker confirmed the incident and that access to some systems was limited. The company said restoring operations could take time and that the full recovery timeline is not yet known. A spokesperson added, “We have no indication of ransomware or malware and believe the incident is contained,” while declining to comment on the identity of the attackers. Business continuity plans are in effect and teams are working to support customers and partners.

Following news of the attack, Stryker’s stock declined about three percent in market trading, reflecting investor concern over the scope and potential financial impact of the breach.

Who Claimed Responsibility and Why It Matters

Shortly after the attack was reported, a hacking persona known as Handala claimed responsibility via its Telegram channel. The group alleged it had wiped thousands of systems and extracted large volumes of data, framing the operation as retaliation for military strikes involving Iran.

In one widely circulated statement, Handala said, “The Zionist‑rooted corporation, Stryker, one of the key arms of the global Zionist lobby and a central ring in the ‘New Epstein’ chain, has been struck with an unprecedented blow.” The message claimed over 20,000 systems, servers and mobile devices were wiped and that “50 terabytes of critical data have been extracted.”

Handala described the attack as retaliation for what it called the “brutal attack” on a girls’ school in Minab, Iran, where Iran’s ambassador to the United Nations in Geneva, Ali Bahreini, said around 150 students were killed in a missile strike on the first day of U.S.‑Israeli operations. The hackers also claimed the breach forced Stryker offices in 79 countries to shut down, and that stolen data was “in the hands of the free people of the world.”

The same group later claimed it had also targeted Verifone, a company specializing in electronic and point‑of‑sale payment systems, suggesting a broader campaign against corporate digital infrastructure.

What Cybersecurity Experts Say

Cybersecurity researchers have previously linked Handala to Iran and have tracked the group’s activity since around 2022. The entity has been tied to a range of disruptive operations targeting companies in Israel and the Gulf region, often involving hack‑and‑leak campaigns or destructive cyber activity.

Gil Messing, chief of staff at cybersecurity firm Check Point Software Technologies, described Handala as “one of the most prominent cyber actors connected to Iran.” Messing told Reuters that the group’s decision to publicly claim responsibility for the Stryker attack could signal a strategic shift in how Iran‑linked actors operate.

“The fact they publicly take responsibility on this attack, and the fact they know they are linked to the government, show a new phase in Iran’s motivations,” Messing said.

Cynthia Kaiser, senior vice president at Halcyon’s Ransomware Research Center and a former senior FBI cyber official, said the incident fits a pattern that experts have long anticipated: destructive cyberattacks by proxies on U.S. companies. “This is exactly the type of attack we have been worried about: Iranian proxies using destructive cyber attacks like data deletion against U.S. companies to retaliate,” she told Reuters.

A White House official said the Trump administration is closely monitoring cyber threats and coordinating responses through agencies responsible for infrastructure protection, regulatory oversight and law enforcement.

Understanding Wiper Malware and Its Risks

Investigators examining the attack believe it involved wiper malware, a type of malicious code designed to destroy data rather than extort money. Unlike ransomware, which encrypts files and demands payment for a decryption key, wiper malware permanently deletes or corrupts files so they cannot be recovered.

Wiper malware typically targets critical system components, including the Master Boot Record and key file system structures. Once these elements are overwritten, devices can no longer boot and become unusable. Wipers often spread after entering networks through phishing emails, compromised websites or malicious downloads, and can erase files, databases and entire drives across an organization’s infrastructure.
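The Master Boot Record damage described above leaves a recognizable structural trace that responders can check on a disk image before deciding whether a machine needs a full rebuild. The following is an added example, not part of the original article or of any investigation it describes: the function name `triage_mbr` and the sample sectors are constructed for illustration, and the checks cover only the classic MBR layout (partition table at offset 446, `0x55AA` signature at offset 510).

```python
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xaa"   # bytes 510-511 of a valid MBR
TABLE_OFFSET = 446        # four 16-byte partition entries start here

def triage_mbr(sector: bytes) -> dict:
    """Report structural damage in sector 0 of a disk image (read-only check)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings, partitions = [], []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if len(set(sector)) == 1:
        findings.append(f"sector filled with single byte 0x{sector[0]:02x}")
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i : TABLE_OFFSET + 16 * (i + 1)]
        if not any(entry):
            continue  # unused slot
        status, ptype = entry[0], entry[4]
        lba_start, n_sectors = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80) or ptype == 0 or lba_start == 0 or n_sectors == 0:
            findings.append(f"partition entry {i} is inconsistent")
        else:
            partitions.append((ptype, lba_start, n_sectors))
    if not partitions:
        findings.append("no valid partition entries")
    return {"intact": not findings, "findings": findings, "partitions": partitions}

# Constructed sample sectors (not taken from any real incident).
_entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
HEALTHY = b"\xeb\x63\x90".ljust(TABLE_OFFSET, b"\x00") + _entry + bytes(48) + BOOT_SIG
ZEROED = bytes(SECTOR_SIZE)                                   # whole sector overwritten
TABLE_WIPED = HEALTHY[:TABLE_OFFSET] + bytes(64) + BOOT_SIG   # signature kept, table gone

if __name__ == "__main__":
    for name, sector in [("healthy", HEALTHY), ("zeroed", ZEROED), ("table wiped", TABLE_WIPED)]:
        print(name, triage_mbr(sector))
```

The third sample shows why checking the boot signature alone is not enough: a sector can keep `0x55AA` and still have lost every partition entry.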

Several wiper variants have appeared in recent cyber conflicts, including CaddyWiper, HermeticWiper, IsaacWiper and FoxBlade, which were deployed in incidents linked to geopolitical tensions such as the Russia‑Ukraine war. The main risk associated with such attacks is permanent data loss, making recovery extremely difficult unless secure, isolated backups are available. For large enterprises, rebuilding systems from scratch can take weeks or months as each affected device must be rebuilt, reconfigured and verified before rejoining the network.

In Stryker’s case, cybersecurity specialists and external investigators are continuing to assess the extent of the damage while working to repair and restore infrastructure.

Who Stryker Is and Why This Matters to Investors

Stryker Corporation is one of the largest medical technology companies globally. Headquartered in Portage, Michigan, the firm employs around 56,000 people and operates in more than 60 countries. Its products are sold in over 75 countries and are used by approximately 150 million patients each year.

The company’s business is divided into two major segments. Medical and surgical technologies, including neurotechnology, accounted for about 60 percent of revenue in 2024, covering surgical instruments, endoscopy systems, neurovascular implants and intensive care equipment. The orthopedic division, focused on joint replacement and trauma implants, generated roughly 40 percent of revenue.

Despite its global footprint, the United States remains Stryker’s primary market, with about three-quarters of revenue coming from the U.S. in 2024. The company ranks 195th on the Fortune 500 list and 331st on the Forbes Global 2000 list.

For financial markets, the attack raises important questions about the vulnerability of critical supply chains and the potential for geopolitical cyber operations to drive volatility in corporate earnings, share prices and sector risk premiums. Investors, regulators and corporate boards will be watching closely as Stryker works to restore systems and as broader cyber defenses are tested by an increasingly complex global threat environment.