Cyber Incident Victim: Stryker
Date: Mar 2026
Location: United States of America
Summary
Stryker suffered a cyberattack claimed by the Iran‑linked Handala group that compromised its Microsoft environment, wiped tens of thousands of employee devices and allegedly exfiltrated 50 terabytes of data while disrupting ordering, shipping and manufacturing operations. The company said the incident was confined to its internal systems, involved no malware or ransomware, and left its medical products safe to use. The incident prompted CISA to issue guidance and the FBI to seize websites tied to the attackers. Restoration efforts returned most manufacturing and ordering systems to operation within weeks, and the firm maintained its full‑year financial guidance despite the short‑term impact.
Description
On March 11, 2026, Stryker Corporation experienced a cyberattack that disrupted its global Microsoft environment, affecting order processing, shipping, and manufacturing operations. The attack was claimed by the Iran‑linked threat actor Handala, as reported by Check Point Research and other security sources. According to the attackers, they used a compromised administrator account to create a new Global Administrator account and then executed the built‑in wipe command in Microsoft Intune, remotely deleting data from tens of thousands of employee devices. Stryker confirmed that no malware or ransomware was detected and that the incident was confined to its internal Microsoft systems, with connected medical products remaining safe to use. Handala asserted that it had wiped over 200,000 systems, servers, and mobile devices and had exfiltrated 50 terabytes of data, although Stryker did not publicly confirm the extent of any data loss.
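
Detection logic for the sequence the attackers described above (a newly created Global Administrator followed by bulk Intune wipes), added here as an example and not taken from Stryker, CISA or Microsoft. The event schema, account and device names, thresholds and the function `find_wipe_bursts` are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not the real
# Entra ID / Intune audit log format); map your own audit export onto it.
EVENTS = [
    {"time": "2026-01-05T09:00:00", "actor": "helpdesk1", "action": "device_wipe", "target": "laptop-001"},
    {"time": "2026-01-06T02:10:00", "actor": "admin-a", "action": "role_assigned",
     "target": "svc-new", "role": "Global Administrator"},
    {"time": "2026-01-06T02:25:00", "actor": "svc-new", "action": "device_wipe", "target": "laptop-101"},
    {"time": "2026-01-06T02:26:00", "actor": "svc-new", "action": "device_wipe", "target": "laptop-102"},
    {"time": "2026-01-06T02:27:00", "actor": "svc-new", "action": "device_wipe", "target": "laptop-103"},
]

def find_wipe_bursts(events, role="Global Administrator", fresh=timedelta(hours=24),
                     window=timedelta(minutes=10), threshold=3):
    """Alert once per account that issues >= threshold wipes inside `window`.

    Each alert also records whether that account was granted `role` within
    `fresh` before the burst, the pattern described in the incident above.
    """
    granted = {}     # account -> time it last received the role
    wipes = {}       # actor -> [(time, device)] still inside the sliding window
    alerted = set()  # actors already reported
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["action"] == "role_assigned" and e.get("role") == role:
            granted[e["target"]] = t
        elif e["action"] == "device_wipe":
            actor = e["actor"]
            recent = [w for w in wipes.get(actor, []) if t - w[0] <= window]
            recent.append((t, e["target"]))
            wipes[actor] = recent
            if len(recent) >= threshold and actor not in alerted:
                alerted.add(actor)
                g = granted.get(actor)
                alerts.append({
                    "actor": actor,
                    "first_wipe": recent[0][0].isoformat(),
                    "devices": [device for _, device in recent],
                    "new_privileged_account": g is not None and t - g <= fresh,
                })
    return alerts

if __name__ == "__main__":
    for alert in find_wipe_bursts(EVENTS):
        print(alert)
```

A burst from a long-standing account still alerts, with `new_privileged_account` set to false, so the same rule covers a compromised existing administrator.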

In the immediate aftermath, Stryker’s ordering, shipping, and manufacturing functions were halted, causing delays in procedures and preventing employees from accessing their work devices. Employees reported being instructed to stay home for multiple days, with some personal devices enrolled in the company network losing data during the wipe. Restoration efforts began quickly; by March 20, some employees were still unable to work, but by March 27 the company reported that most manufacturing sites and critical lines had been restored. Stryker announced on April 2 that it had returned to pre‑attack operational levels across its global manufacturing network, and by April 10 it stated that it was fully operational after roughly one month of disruption. The company emphasized that product supply remained healthy and that it continued to meet customer demand while working with external cybersecurity experts and government agencies.

Financially, the cyberattack had a material effect on Stryker’s first‑quarter results, which showed $6 billion in sales, a 2.6 percent year‑over‑year increase, with MedSurg and Neurotechnology contributing $3.21 billion (5 percent growth) and Orthopedics contributing $2.81 billion (roughly flat). CEO Kevin Lobo described the impact as “big” and said it affected each business differently, but he maintained that no overall business was lost. CFO Preston Wells indicated that recovery would occur in the second quarter and continue through the year, allowing Stryker to uphold its full‑year guidance of 8 to 9.5 percent organic sales growth and adjusted earnings per share of $14.90 to $15.10. The company also said it would continue to pay employees for their regularly scheduled time despite the work stoppage.

The attack prompted a response from U.S. government agencies; the FBI seized websites linked to Handala, and the Justice Department accused Iran’s Ministry of Intelligence and Security of operating the group as a front for psychological operations. CISA issued an advisory urging organizations to harden their Microsoft Intune configurations, referencing the Stryker incident as a catalyst for the guidance. Stryker cooperated with the FBI, CISA, the White House National Cyber Director, the Department of Health and Human Services, and external firms such as Palo Alto Networks Unit 42 and Microsoft’s Detection and Response Team during its investigation. Handala claimed the operation was retaliation for a U.S. air strike on an Iranian school that, according to Iranian officials, killed 168 children, while the group’s own statements cited at least 175 victims.
