Apr 05, 2026 · 6 min read
Iranian Hackers Wiped 80,000 Devices at a Medical Device Giant—It Took Three Weeks to Recover
Stryker Corporation, a Fortune 500 medical technology company with over 53,000 employees, suffered a devastating data wiping attack that destroyed 80,000 devices and disrupted global manufacturing for three weeks.
What Happened
On March 11, 2026, attackers deployed data wiping malware across Stryker's global network, destroying approximately 80,000 devices in a matter of hours. The attack crippled the company's manufacturing operations, forcing one of the world's largest surgical equipment makers to halt production across its global network.
Unlike a typical ransomware attack where files are encrypted and held for ransom, this was a wiper attack. The goal was destruction, not negotiation. The malware did not lock systems waiting for payment. It erased them.
How the Attackers Got In
The attackers compromised a Windows domain administrator account and used it to create a new Global Administrator account in Stryker's environment. Global Administrator is the highest-privilege role in Microsoft Entra ID, the cloud identity tenant, so the path ran from on-premises Active Directory into the cloud control plane rather than staying inside the Windows domain. From that elevated position, they deployed the wiper across the network.
Security investigators later discovered a malicious file that the attackers used to conceal their activities within the network while preparing for the destructive phase. The time between initial access and the wiper deployment is not yet publicly known, but the attackers also claim to have exfiltrated 50 terabytes of data before triggering the destruction.
If the 50 TB exfiltration claim is accurate, the attackers would have needed sustained network access for days or weeks to move that volume: at a continuous 1 Gbps, 50 TB takes roughly 4.6 days of transfer, and at 100 Mbps closer to six weeks, before accounting for throttling or the need to avoid obvious egress spikes. That means they were inside Stryker's systems long before anyone noticed.
Who Did It
The Iranian-linked Handala hacktivist group claimed responsibility. Also known as Handala Hack Team, Hatef, or Hamsa, the group is linked to Iran's Ministry of Intelligence and Security (MOIS). Handala primarily targets Israeli organizations and entities with Israeli business ties, and Stryker has significant operations in Israel.
The FBI has since seized two of Handala's data leak websites, though the group continues to operate through alternative channels. The attack appears motivated by geopolitical objectives rather than financial gain, consistent with Handala's pattern of destructive attacks against organizations connected to Israel.
Three Weeks of Disruption
The recovery timeline tells the story of how severe the damage was:
- March 11: Wiper deployed, 80,000 devices destroyed in the early morning hours
- March 23: Stryker announced it was prioritizing system restoration for customer facing operations
- April 2: The company declared full operational recovery, three weeks after the attack
During those three weeks, Stryker's global manufacturing network was severely disrupted. For a company that makes surgical instruments, joint replacements, and medical imaging equipment, production outages directly affect hospital supply chains and patient care timelines.
Why Wiper Attacks Are Different
Most cyberattacks against large organizations involve ransomware, where data is encrypted and the attacker demands payment for the decryption key. Wiper attacks skip the negotiation entirely. There is no key to buy, no data to recover from the attacker. The goal is maximum damage.
Wiper malware has historically been associated with state-sponsored operations. Russia deployed wipers against Ukrainian targets (NotPetya in 2017, WhisperGate and HermeticWiper in 2022). Iran used the Shamoon wiper against Saudi Aramco in 2012. The Stryker attack fits this pattern: a state-linked group using destructive malware against a geopolitically relevant target.
For organizations preparing their incident response plans, wiper attacks change the calculus. You cannot negotiate your way out. Recovery depends entirely on the quality of your backups, your ability to rebuild from scratch, and whether the attackers also reached your backup infrastructure. The practical check is whether the same privileged identity that can push software to every endpoint (a domain administrator or Global Administrator) can also delete or alter backups and their retention settings; if it can, the backups are not isolated from the attack that would make you need them.
The Healthcare Sector Target
Stryker is the latest in a growing list of healthcare organizations hit by major cyberattacks. The sector is attractive to attackers because of its low tolerance for downtime, the sensitivity of patient data, and the complexity of its supply chains.
Recent healthcare incidents include the $14 million McLaren Health ransomware settlement and CareCloud's breach that exposed millions of patient records. CISA and Microsoft have both issued guidance on securing healthcare IT environments in response to the Stryker attack, recommending organizations harden Windows domains and audit Microsoft Intune configurations.
What Organizations Can Learn
The Stryker attack highlights several defensive priorities:
- Protect domain admin accounts. The attack pivoted on a compromised domain administrator credential. Privileged access management, hardware security keys, and just-in-time access controls can limit this risk, and tier-0 accounts should never be usable for day-to-day work or cloud administration
- Monitor for new admin accounts. The creation of a new Global Administrator account should trigger an immediate alert. In Entra ID this surfaces as an "Add member to role" audit event naming the Global Administrator role; on-premises, the equivalent is a member added to Domain Admins (Security event 4728). An account that is created and then granted a privileged role within minutes deserves a higher severity than a routine role change. If your monitoring cannot detect this, your detection is insufficient
- Test backup restoration. Wipers destroy live systems. Recovery depends on backups that are isolated, tested, and can be deployed at scale. If you have never restored 80,000 devices from backup, you do not know whether you can
- Segment networks by function. Manufacturing systems, corporate IT, and backup infrastructure should be isolated so that a single compromise cannot reach everything
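The "monitor for new admin accounts" item above is concrete enough to show as detection logic. The following is an added example, not code from Stryker, Microsoft or any vendor: it walks a batch of audit events in time order, remembers account creations, and raises an alert whenever a principal is added to a privileged Entra ID role or a privileged AD group, escalating to critical when the target account was created shortly before the grant. The event shapes are assumptions: the Entra entries mimic the fields of Microsoft Graph directoryAudits records (activityDisplayName, initiatedBy, targetResources[].modifiedProperties), and the Windows entries mimic the EventData fields of Security events 4720 and 4728/4732/4756. All sample events are constructed for this example.

```python
"""Flag privileged-role and privileged-group grants, and escalate when the
target account is brand new. Added example; event shapes are assumptions
modelled on Graph directoryAudits and Windows Security EventData fields."""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

PRIVILEGED_ENTRA_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Privileged Authentication Administrator",
    "Intune Administrator",
}
PRIVILEGED_AD_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
PRIVILEGED_GROUP_EVENT_IDS = {4728, 4732, 4756}  # member added to global/local/universal group


@dataclass
class Alert:
    source: str      # "entra" or "windows"
    actor: str       # account that performed the grant
    target: str      # principal that received the privilege
    privilege: str   # role or group name
    severity: str    # "critical" if the target was created inside the window, else "high"


def _entra_role_name(event):
    """Role name from Graph-style modifiedProperties; Graph encodes newValue
    as a JSON string literal, so "\"Global Administrator\"" decodes to the name."""
    for target in event.get("targetResources", []):
        for prop in target.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                raw = prop.get("newValue", "")
                try:
                    return json.loads(raw)
                except (json.JSONDecodeError, TypeError):
                    return raw
    return None


def _cn_from_dn(dn):
    """'CN=svc-x,OU=Service,DC=corp,DC=example' -> 'svc-x' (4728 MemberName is a DN)."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def privileged_grant_alerts(events, window=timedelta(hours=24)):
    """Process events in time order; alert on privileged grants, critical if the
    target principal was created within `window` before the grant."""
    created = {}  # lower-cased principal identifier -> creation time
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["source"] == "entra":
            activity = e.get("activityDisplayName")
            targets = e.get("targetResources", [])
            target = targets[0].get("userPrincipalName", "") if targets else ""
            if activity == "Add user":
                created[target.lower()] = t
                continue
            if activity != "Add member to role":
                continue
            role = _entra_role_name(e)
            if role not in PRIVILEGED_ENTRA_ROLES:
                continue
            actor = e.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
            key, privilege = target.lower(), role
        elif e["source"] == "windows":
            eid = e["EventID"]
            if eid == 4720:  # user account created; TargetUserName is the sAMAccountName
                created[e["TargetUserName"].lower()] = t
                continue
            if eid not in PRIVILEGED_GROUP_EVENT_IDS or e["TargetUserName"] not in PRIVILEGED_AD_GROUPS:
                continue
            actor = e.get("SubjectUserName", "unknown")
            key = _cn_from_dn(e["MemberName"]).lower()
            target, privilege = key, e["TargetUserName"]
        else:
            continue
        recent = key in created and timedelta(0) <= t - created[key] <= window
        alerts.append(Alert(e["source"], actor, target, privilege, "critical" if recent else "high"))
    return alerts


SAMPLE_EVENTS = [  # constructed for this example; names and domains are hypothetical
    {"source": "windows", "time": "2026-03-10T02:14:00+00:00", "EventID": 4720,
     "SubjectUserName": "jdoe", "TargetUserName": "svc-helpdesk2"},
    {"source": "windows", "time": "2026-03-10T02:16:00+00:00", "EventID": 4728,
     "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-helpdesk2,OU=Service,DC=corp,DC=example"},
    {"source": "entra", "time": "2026-03-10T02:30:00+00:00", "activityDisplayName": "Add user",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@corp.example"}},
     "targetResources": [{"userPrincipalName": "cloudsync-admin@corp.example"}]},
    {"source": "entra", "time": "2026-03-10T02:31:00+00:00", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "jdoe@corp.example"}},
     "targetResources": [{"userPrincipalName": "cloudsync-admin@corp.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"source": "entra", "time": "2026-03-10T09:00:00+00:00", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "itops@corp.example"}},
     "targetResources": [{"userPrincipalName": "analyst@corp.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Reports Reader\""}]}]},
    {"source": "entra", "time": "2026-03-10T10:00:00+00:00", "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "itops@corp.example"}},
     "targetResources": [{"userPrincipalName": "alice@corp.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
]

if __name__ == "__main__":
    for a in privileged_grant_alerts(SAMPLE_EVENTS):
        print(f"[{a.severity.upper()}] {a.source}: {a.actor} granted {a.privilege!r} to {a.target}")
```

Run on the constructed batch, it produces two critical alerts (a fresh AD account added to Domain Admins two minutes after creation, and a fresh cloud account made Global Administrator one minute after creation) and one high alert for an existing account made Global Administrator; the Reports Reader grant is ignored. In production the same logic would sit over a SIEM query rather than an in-memory list, and the creation window should be tuned to how fast your own provisioning normally runs.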
Current Status
Stryker announced on April 2 that it is "fully operational across our global manufacturing network" and that production is ramping "rapidly toward peak capacity" with "healthy" product supply. The company's SEC filings will likely reveal the financial impact in the coming quarters.
Whether the 50TB of allegedly stolen data surfaces on alternative leak sites remains to be seen. The FBI's seizure of Handala's primary sites may slow but is unlikely to prevent eventual disclosure if the data is genuine.