The U.S.-based MedTech giant Stryker in an update shared late Thursday night confirmed that its supply chain has been impacted adversely with no timeline in place for a full restoration due to the cyberattack claimed by Iran-linked hacker collective - the Handala group. While Stryker maintained that the root of the global disruption is an intrusion in its Microsoft environment, it now added that the incident is contained to its "own internal systems" and not spilled over to its customers. "Our connected products are not impacted and are safe to use," the update said. Based on reports on several social media platforms, Handala allegedly used data wiper malware in this campaign, in accordance to its regular modus operandi. However, Stryker reiterated that no malware or ransomware was detected on its systems, as of now.

Also read: Who Is Handala — The Iran-Linked Ghost Group That Just Wiped 200K Stryker Devices

Even though Stryker claims negligible impact on its connected products, the MedTech firm admitted disruption to its supply chain.

"This incident has caused disruptions to order processing, manufacturing and shipping," Stryker said.

This is not the worrying part alone. The fact that there is no definitive timeline that Stryker foresees for its resumption, is. In an 8-K filing to the U.S. SEC, the company said:

"The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company’s information systems and business applications supporting aspects of the Company’s operations and corporate functions. While the Company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known."

The full scope of financial and material impact is yet to be determined too. Stryker added that although the timeline to get up and running is blurry at this point, it "has business continuity measures in place to continue to support its customers and partners."

CISA Joins Investigation

While the company responds and conducts its own assessment, CISA said it was following the due process of investigating the incident as well. “We are working shoulder-to-shoulder with our public- and private‑sector partners as we continue to uncover relevant information and provide technical assistance for the targeted attack on Stryker, while steadfastly standing at the ready to defend our nation’s critical infrastructure,” CISA acting director Nick Andersen told The Cyber Express. “As with all cyber incidents, we have launched an investigation into this matter.”

The Israel Connect of Stryker, The Real Reason?

And while the world calls this an attack on a U.S.-based company - a country that has supported Israel in the ongoing West Asia war - the actual reason could be debated. Why? Because half a decade ago Stryker acquired OrthoSpace, Ltd., a privately held company headquartered in Caesarea, Israel, in an all cash transaction. What does this imply? Not to jump to conclusions, but all the companies with trade and links to Israel may be carrying targets on their back. Updated March 14, 10:35 AM ET: For adding CISA acting director Nick Andersen's comments.

On the morning of March 11, employees at Stryker offices worldwide switched on their computers and found them blank — login screens replaced by a logo most had never seen. A small, barefoot boy with a slingshot, the symbol of Handala.

The attack on Stryker Corporation — a Fortune 500 medical technology giant that supplies surgical equipment, orthopedic implants, and neurotechnology to hospitals globally — ranks as one of the most operationally destructive cyberattacks ever executed against a U.S. healthcare company.

Stryker reported $25 billion in revenue in 2025 and employs approximately 56,000 people, with its products embedded in hospital supply chains worldwide. What hit it was not ransomware. The attackers came to destroy, not extort.

Stryker confirmed the incident in a Form 8-K filing with the U.S. SEC, describing "a global disruption to the Company's Microsoft environment" and stating it had no indication of ransomware or malware and believed the incident was contained. The company's own filing, however, understated what employees were already reporting on the ground.

Employees in the United States, Ireland, Costa Rica, and Australia reported that managed Windows laptops and mobile devices had been remotely wiped.

"My wife had 3 Stryker managed devices wiped around 3:30 AM EDT. Their Entra login page was defaced with the Handala logo," a Reddit user said.

Another claimed the situation as "bad" and said: "Many colleagues phones have been wiped. Instructed to remove intune, company portal, teams, VPN from personal devices. Personal phone so have lost access to my eSim. Unable to log in to many things due to 2-factor authentication. Have lost all personal data from personal devices that were enrolled and now unable to access emails and teams.

Handala claimed to have wiped more than 200,000 systems, servers, and mobile devices and extracted 50 terabytes of data, forcing Stryker to shut down operations across 79 countries. Stryker in a midnight update said it was still working on complete restoration post the cyberattack.

"We are continuing to resolve the disruption impacting our global network, resulting from the cyber attack.  At this time, there is no indication of malware or ransomware and we believe the situation is contained to our internal Microsoft environment only.  Our products like Mako, Vocera and LIFEPAK35 are fully safe to use.  We have visibility to the orders entered before the event, and they will be shipped as soon as our system communications are restored. Any orders that have come in after the event are being examined. We are working to ensure our electronic ordering system is back up and running as quickly as possible. It is safe to communicate with Stryker employees and sales representatives by email and phone, and within your facility." - Stryker's update on the cyberattack

The mechanism behind the attack points to a calculated abuse of Microsoft Intune — a cloud-based platform enterprises use to manage and push policy updates to all enrolled devices from a single console. A wiper is malware that permanently erases data rather than encrypting it for ransom.

In short, an attacker with admin-level access to Intune effectively is holding a kill switch for every enrolled endpoint in the organization. The Handala branding that appeared on screens before the wipe confirmed that access had been established and held well before the destructive phase began — this was a deliberate, staged operation.

So Who Exactly is Handala?

Handala — also known as Handala Hack Team, Hatef, and Hamsa — first surfaced in December 2023 as a hacktivist operation linked to Iran's Ministry of Intelligence and Security (MOIS), initially targeting Israeli organizations with destructive malware designed to wipe both Windows and Linux devices, explained researchers at AI-powered threat intelligence firm, Cyble.

The group takes its name and visual branding from the iconic Palestinian cartoon character created by Naji al-Ali — a child refugee who never grows up and always turns his back to the viewer.

The hacktivist branding, however, obscures a more serious intelligence attribution. Multiple threat intelligence firms assess Handala as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor optimized for psychological and reputational disruption — breaking into systems, conducting hack-and-leak activity, and timing the publication of stolen material to maximize pressure.

Check Point Research found repeated overlaps between MuddyWater — another MOIS-affiliated group — and Void Manticore, including shared criminal tooling. Handala has used Rhadamanthys, a commercial infostealer sold on dark web forums, pairing it with custom data wipers in phishing lures that impersonated F5 software updates and even Israel's own National Cyber Directorate.

Cyble has observed Handala hackers using Hamsa and Hatef data wipers in its previous campaigns targeted mainly at Israeli entities. [caption id="attachment_110112" align="aligncenter" width="500"] Source: Cyble Research and Intelligence Labs[/caption]

Also read: Iran-linked Threat Group Handala Actively Targets Israel

Void Manticore's attack playbook follows a consistent pattern of Handala too. Initial access through unpatched web servers, VPN gateways, and remote access solutions; lateral movement using living-off-the-land tools like PowerShell and scheduled tasks; and final-stage deployment of destructive wiper families designed to erase file systems and corrupt boot records.

The group's prior targets read like a map of sensitive sectors. Since the start of the Iran-Israel war, Handala has claimed to have wiped Israeli military weather servers, intercepted security feeds in Jerusalem, stolen and wiped data from various companies, doxxed Israeli intelligence officers, and breached an Israeli oil and gas exploration company.

Most recently, threat intelligence reporting documented the group publishing identifying details for 50 senior Israeli Air Force officers — names, IDs, addresses, and phone numbers.

Handala stated the Stryker attack was carried out in retaliation for a U.S. military strike on a school in Minab, Iran, that reportedly killed more than 175 people, most of them children.

[caption id="attachment_110115" align="aligncenter" width="500"] Stryker Cyberattack Claim by Handala (Source: X)[/caption]

Stryker has no direct connection to military operations, though it did secure a $450 million Department of Defense contract in 2025 to supply medical devices to the U.S. military.

That contract likely put a target on Stryker's back.

Recent reporting indicates that MOIS-affiliated groups, including Handala, infiltrated U.S. and Israeli infrastructure weeks before the military operations conducted as part of Operation Epic Fury, suggesting pre-positioned access rather than reactive intrusion. In other words, Handala may have been inside Stryker's environment long before anyone noticed.

Check Point researchers also observed Handala routing operations through Starlink IP ranges to probe externally facing applications for misconfigurations and weak credentials — a deliberate technique to blend reconnaissance traffic into legitimate satellite internet usage and frustrate IP-based blocking.

The hacker collective on Wednesday also claimed hacking another Israeli company Verifone, a leading provider of payment solutions and point-of-sale terminals to countries across the globe. However, a spokesperson for the company told The Cyber Express that all such claims are "fake news" and do not hold any substance. “Verifone closely monitors the security and integrity of its systems worldwide. We have observed recent allegations on March 11, 2026 from threat actors claiming an intrusion into our systems in Israel. Verifone has found no evidence of any incident related to this claim and has no service disruption to our clients," the spokesperson said. Updated on March 13, 2026 1:24 AM ET: The article was updated with a statement from Verifone spokesperson confirming no evidence of intrusion and no authenticity in Handala's claims.