Stryker Global Networks Still Down After Iran-Linked Hackers Claim Retaliatory Cyberattack

On the morning of March 11, 2026, employees at Stryker Corporation logged in to find every screen dark. The Michigan-based medical-device maker soon confirmed a "severe, global disruption" of its Microsoft environment that froze operations across 61 countries and idled all or part of its 56,000-person workforce, according to internal memos cited by WXYZ and Fox11online. Iranian hacktivist persona Handala quickly claimed credit on Telegram, posting images of what it said were wiped workstations and boasting that 200,000 devices had been erased, Gizmodo and PCMag report. Stryker’s public statement offered few specifics, noting only that it has "no indication of ransomware or malware" and believes the incident is contained .

Handala is a long-running pro-Iranian hacking identity that has previously targeted Israeli organizations. In messages circulated Wednesday, the group said the strike was retaliation for a U.S. missile attack on an Iranian elementary school on the first day of what it calls the "Iran War," an incident in which at least 175 children were reportedly killed, according to Gizmodo and The Hill. Security researchers told GovInfoSecurity that Handala has recently expanded its sights to Western cloud infrastructure, naming AWS, Google, and Microsoft as earlier targets this year .

Stryker plants from Cork, Ireland to Portage, Michigan remained at a standstill Thursday. Employees described being unable to access email, ERP, or manufacturing execution systems, forcing some production lines to halt mid-shift, local outlets WXYZ and Fox11online reported. Healthcare customers have yet to report device shortages, but analysts told FierceBiotech that even a week-long outage could ripple through surgical schedules because Stryker supplies joint implants, surgical tools, and hospital beds worldwide .

Neither Stryker nor U.S. cyber agencies have formally attributed the incident to Iran. Independent analysts caution that Handala’s device-wipe claim is hard to verify remotely; screenshots could be staged. Bloomberg sources close to the investigation say incident responders have yet to determine the initial intrusion vector or whether patient data was touched .

The strike lands amid escalating cyber exchanges between Tehran and Washington. Just last month, CISA warned that Iranian actors were scanning U.S. healthcare networks for unpatched VPN appliances. Stryker’s purchase of Israeli orthopedic startup OrthoSpace in 2019 may have placed it on Handala’s target list, The Independent notes .

Stryker has hired outside forensics shops and is rebuilding systems from bare metal, Bloomberg reports. The company has not given a timeline for restoration, telling employees only to expect "rolling outages" as services are brought back online. Meanwhile, CISA and the FBI have opened a joint investigation, and European regulators are pressing for evidence that patient implants already in the field remain safe .