
Iran Hit Stryker. Is Your Business Next?

Mar. 13, 2026


On the morning of March 11, 2026, employees at Stryker Corp. arrived at work in Portage, Mich. to find something no one expects to see: the login screens on their company systems had been taken over by the logo of a pro-Iranian hacking group. Their laptops were wiped. Their phones were dead. Within hours, thousands of workers across 79 countries had been sent home, and one of the largest medical device companies in the world was running on pen and paper.

The attack on Stryker, a Fortune 500 firm generating $25 billion in annual revenue, is a preview of what economic warfare looks like when a foreign adversary decides that American businesses are the battlefield.

What Happened to Stryker

A hacker group called Handala claimed responsibility for the attack, posting on social media that it had struck what it called a "Zionist-rooted corporation" in retaliation for U.S. military action against Iran. The group said it wiped more than 200,000 servers, mobile devices and other systems and extracted 50 terabytes of sensitive corporate data. Stryker confirmed in an 8-K filing with the Securities and Exchange Commission (SEC) that it was experiencing a global network disruption to its Microsoft environment and that the timeline for full restoration was unknown.

The attack exploited Stryker's mobile device management (MDM) software, an administrative tool used to manage corporate devices remotely. Hackers gained control of that system and used it to trigger a mass remote wipe across the company's global fleet. It wasn't ransomware. There was no demand for payment. The goal was destruction, humiliation and disruption, not money.
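A defender can watch for this pattern in the MDM's own audit trail. The sketch below is an added example, not code from the original article or from Stryker: it flags any account that wipes more than a set number of distinct devices inside a sliding time window. The JSON field names, the "wipe" action string, the sample events and the thresholds are all assumptions to be mapped onto your MDM's audit export.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed MDM audit export (JSON lines). The field names and the "wipe"
# action string are assumptions for this example, not a real vendor schema.
SAMPLE_LOG = """
{"ts": "2026-01-05T09:00:00", "actor": "helpdesk1", "action": "wipe", "device": "LT-0012"}
{"ts": "2026-01-05T13:30:00", "actor": "helpdesk1", "action": "wipe", "device": "PH-0440"}
{"ts": "2026-01-06T02:14:00", "actor": "admin-svc", "action": "sync", "device": "LT-0001"}
{"ts": "2026-01-06T02:15:00", "actor": "admin-svc", "action": "wipe", "device": "LT-0001"}
{"ts": "2026-01-06T02:15:20", "actor": "admin-svc", "action": "wipe", "device": "LT-0002"}
{"ts": "2026-01-06T02:15:40", "actor": "admin-svc", "action": "wipe", "device": "PH-0003"}
{"ts": "2026-01-06T02:16:00", "actor": "admin-svc", "action": "wipe", "device": "PH-0004"}
{"ts": "2026-01-06T02:16:20", "actor": "admin-svc", "action": "wipe", "device": "LT-0005"}
"""

def find_wipe_bursts(log_text, max_devices=3, window=timedelta(minutes=10)):
    """Flag any account that wipes more than max_devices distinct devices
    inside one sliding time window. Returns one alert per account."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events.sort(key=lambda e: e["ts"])        # ISO 8601 strings sort by time
    recent = defaultdict(deque)               # actor -> (time, device) in window
    alerts = {}
    for ev in events:
        if ev["action"] != "wipe":
            continue                          # only wipe commands count
        now = datetime.fromisoformat(ev["ts"])
        wipes = recent[ev["actor"]]
        wipes.append((now, ev["device"]))
        while now - wipes[0][0] > window:     # drop wipes older than the window
            wipes.popleft()
        devices = {device for _, device in wipes}
        if len(devices) > max_devices and ev["actor"] not in alerts:
            alerts[ev["actor"]] = {
                "actor": ev["actor"],
                "threshold_crossed_at": ev["ts"],
                "devices_in_window": sorted(devices),
            }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_LOG):
        print(alert)
```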

The human consequences materialized quickly. Maryland's Institute for Emergency Medical Services Systems notified hospitals across the state that Stryker's LIFENET electrocardiogram transmission system was non-functional in most parts of the state. Paramedics use LIFENET to send patient cardiac data to emergency rooms before arrival. At least one major university medical center reported being unable to order surgical supplies. Surgeries were delayed. Field service requests couldn't be processed. Even though Stryker's medical devices themselves remained safe to use, the support infrastructure that hospitals depend on had collapsed.

Why Stryker Was Targeted

The targeting logic behind the Stryker attack follows a clear and documented pattern. In 2019, Stryker acquired OrthoSpace, an Israeli medical device company, for up to $220 million. That acquisition gave Handala the justification it needed. In the group's ideology, any American firm with business ties to Israel, regardless of the nature of those ties, is a legitimate target for cyberattack. A shoulder implant company became a geopolitical symbol.

Stryker also held a $450 million contract with the U.S. military for medical devices. This was another factor that made the company attractive to a group whose stated mission is to cause maximum damage to American and Israeli economic interests. The Cybersecurity and Infrastructure Security Agency (CISA) had already warned that defense industrial base (DIB) companies with holdings or relationships with Israeli research and defense firms were at increased risk. Stryker fit that profile precisely.

Verifone: Second Target, Same Day

Stryker wasn't the only American company in Handala's crosshairs on March 11. The group simultaneously claimed to have attacked Verifone, an Israeli payment processing giant that handles roughly $8 trillion in annual transaction volume across more than 165 countries. Verifone disputed the claim, stating it had found no evidence of an incident and no service disruption. But its own statement contained a telling detail: the company acknowledged receiving allegations related to "intrusion into our systems in Israel."

STACK Cybersecurity has confirmed Verifone was breached. And the targeting pattern is what commands attention. On the same day, the same hacker group went after two prominent American companies that both had Israeli business connections. That isn't a coincidence. It's a strategy. If you do business with or in Israel, you're on the list. If you have contracts with the U.S. military, you're on the list.

Not a New Playbook

Iran has used destructive cyberattacks as an instrument of foreign policy for more than a decade. In 2012, Iranian-linked actors deployed the Shamoon wiper malware against Saudi Aramco, destroying data on about 30,000 computers at the Saudi state oil company. This was one of the most devastating cyberattacks ever recorded against a private firm. In 2014, the Sands Casino in Las Vegas was targeted after its owner made public remarks supporting military action against Iran. The pattern, attack American economic targets when conventional military response isn't an option, has been consistent.

What makes the current moment different is the scale and urgency. Following the start of the U.S.-Israel war with Iran on Feb. 28, 2026, the Islamic Revolutionary Guard Corps publicly announced facilities tied to Amazon, Google, Microsoft, Oracle, IBM and Nvidia were now on its list of military targets. Dozens of pro-Iranian hacking collectives mobilized in the weeks that followed. Intelligence firms including Palo Alto Networks, Check Point Research and Sophos all assessed Handala as a front for Iran's Ministry of Intelligence and Security, not a loosely organized hacktivist group, but a state-backed operation with state-level resources.

Handala is also not operating alone. Other Iranian-affiliated groups, including CyberAv3ngers, Cyber Toufan and Seedworm have been active in the current escalation. Before the war began, researchers at Symantec reported Seedworm had already established access inside U.S. and Israeli critical networks. Some of these groups have coordinated with pro-Russian hacking collectives as well, adding another layer of complexity to the threat environment.

Warning Before Stryker Hit

The federal government had been sounding alarms about this threat long before Handala's logo appeared on Stryker's login screens. CISA issued a formal advisory urging critical infrastructure operators to increase vigilance amid the conflict with Iran, specifically citing the threat to health care, defense, financial services, energy, water systems and transportation. A separate CISA Cyber Vulnerability Insights Estimate documented 136 unique vulnerabilities that Iranian government-sponsored actors had previously targeted or successfully exploited since 2012, and found that 59 of those vulnerabilities were still actively exposed on the internet-accessible networks of American critical infrastructure entities as of early 2026.

Nearly 30% of those vulnerabilities were tied to Microsoft software — the same environment that Handala exploited at Stryker. The advisory noted that Iranian actors commonly gain initial access through credential abuse, weak passwords and the absence of multi-factor authentication, then leverage those footholds to move laterally and escalate privileges inside victim networks. The warnings were specific, they were timely and they were public. For many businesses, they went unheeded.

The Real Lesson for American Businesses

The instinct after an attack like Stryker is to treat it as a large-company problem — a Fortune 500 cautionary tale that has little relevance to a mid-sized manufacturer in Michigan or a regional health system in the Midwest. That instinct is wrong, and it is dangerous.

Iranian actors documented by CISA do not target only the largest firms. They pursue targets of opportunity: companies with exposed devices, unpatched software, default credentials left unchanged on internet-facing equipment and no multi-factor authentication protecting remote access. Iranian actors are specifically targeting small and mid-sized suppliers because they are the entry point into larger defense contractors. A machine shop with weak passwords manufacturing precision components for a Tier 1 defense contractor is not too small to be a target — it is valuable precisely because it is small, under-resourced and easier to compromise. Once inside that network, attackers can move laterally into customer systems, steal intellectual property or simply disrupt the supply chain that larger manufacturers depend on. Contractors with military contracts face particular exposure, both because they're on Iran's conceptual target list and because CMMC compliance gaps leave them more vulnerable than they realize.

The protective steps don't require the security budget of a Fortune 500 company. Multi-factor authentication (MFA) is the single highest-return action any business can take right now. Keeping software patched and current eliminates a significant portion of the attack surface hackers exploit. Offline backups protect against wiper malware: you can't destroy what can't be reached. And having a tested incident response plan can be the difference between a crisis that is managed and one that metastasizes.

What happened to Stryker didn't require a novel exploit or an elite technical operation. It required a vulnerability, a determined adversary, and a business that didn't anticipate being a target. That description fits far more American companies than most executives want to acknowledge.

Escalation Pattern

The Stryker attack didn't happen in isolation. Since the U.S.-Israel war with Iran began on February 28, a pattern has emerged: an attack on a major university (Old Dominion University in Virginia, March 12), multiple synagogue attacks including a vehicle ramming in West Bloomfield, Mich. the day after the Stryker cyberattack, a shooting in Austin, Texas by an attacker wearing an Iranian flag hoodie, and an ISIS-inspired bomb attack at the New York City mayor's home. The FBI said the United States is in a "heightened threat environment." Businesses are learning that environment includes them.

A Different Kind of War

Iran can't match the United States militarily. That asymmetry doesn't make Iran less dangerous. It makes it more creative. Cyberattacks are low-cost, high-impact and carry plausible deniability when routed through hacktivist fronts like Handala. They can reach into the American heartland without deploying a single soldier. They can disrupt supply chains, delay surgeries, paralyze workforces, and generate fear across an economy without crossing the threshold that triggers a formal military response.

That's the threat American businesses are navigating right now. It showed up on the login screens of a Michigan company on a Wednesday morning in March, and 56,000 employees were sent home.

Cybersecurity is a survival strategy. For businesses with any connection to the defense supply chain or the health care sector, it's increasingly a matter of national consequence.

STACK Cybersecurity works with businesses across industries to assess vulnerabilities, implement layered defenses, and build compliance programs that protect both operations and contracts. Contact our team to learn where your greatest exposures are before someone else finds them.
