An Iran-linked hacking persona publicly claimed responsibility on Wednesday for a cyber operation that caused disruptions at Stryker, a Michigan-headquartered medical device and services company, according to messages posted to the group’s Telegram channel.
Stryker, which employs about 56,000 people and operates in 61 countries, disclosed in a filing with the Securities and Exchange Commission that the intrusion led to disruptions and limited access to certain systems. The company said in the filing that it does not yet know when full restoration of affected systems will be completed.
Employees and contractors posted to social media that a logo associated with an Iran-linked hacking group had appeared on some Stryker login pages; those social media posts have not been independently verified. When reached for comment, a Stryker spokesperson said: "We have no indication of ransomware or malware and believe the incident is contained," and declined to comment on attribution.
Calls to Stryker’s global headquarters in Portage, Michigan, were answered with a recorded message stating the company was "currently experiencing a building emergency." On the market, Stryker shares closed down 3.6% on Wednesday.
Security researchers and industry observers have voiced broader concerns about potential retaliatory cyber operations tied to geopolitical escalations. There are rising fears that Iran, which possesses sophisticated cyber capabilities, could target U.S. or Israeli entities following airstrikes directed at Iran.
"This is exactly the type of attack we have been worried about: Iranian proxies using destructive cyber attacks like data deletion against U.S. companies to retaliate," said Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center and a former senior FBI cyber official.
The persona that claimed responsibility, using the name Handala, has previously asserted responsibility for multiple attacks on targets in Israel and elsewhere. In its Telegram post regarding the Stryker incident, Handala said the operation was in response to a strike on a girls’ school in Minab in southern Iran "and ongoing cyber assaults." The group did not reply to a request for comment sent to one of its messaging accounts.
Iran’s ambassador to the United Nations in Geneva, Ali Bahreini, told U.N. officials that the Minab girls’ school was hit on the first day of U.S.-Israeli attacks on Iran and that an estimated 150 students were killed. That casualty figure has not been independently verified.
Reports indicate that outages on Stryker’s network began shortly after midnight on Wednesday on the U.S. East Coast, according to the Wall Street Journal, which cited people familiar with the matter. Employees discovered that remote devices using Microsoft Windows - including mobile phones and laptops configured to connect to Stryker’s technology systems - had been wiped.
A White House official was quoted saying: "(The) Trump administration is always proactively monitoring potential cyber threats and driving a response with our world-class critical infrastructure, regulator agencies and law enforcement entities." The Federal Bureau of Investigation and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency did not respond to requests for comment.
Cybersecurity firm Check Point reported that Handala has been linked to multiple hack-and-leak operations and disruptive attacks, including incidents in which data was destroyed. In a statement, Check Point’s Chief of Staff Gil Messing said the group is "the most notorious group affiliated with the Iranian regime" and that his firm has tracked the persona for years, concluding that the group operates under Iran’s Ministry of Intelligence. Messing added that the group’s public claim of responsibility and apparent acceptance of government linkage suggest a shift in the group’s motivations.
In addition to operational developments, readers were directed to a market-oriented assessment of Stryker’s stock. An AI-driven service, ProPicks, was described as evaluating Stryker’s ticker SYK among thousands of companies monthly using more than 100 financial metrics. The service was presented as an automated tool that generates stock ideas by assessing fundamentals, momentum, and valuation, and it cited past performance examples for other stocks. The service offered readers the option to check whether SYK appears in its strategies or whether alternative opportunities exist in the same sector.
Investigations into the incident and its full scope remain ongoing. Stryker’s SEC filing confirms disruption to systems and limited access, but the company and federal agencies have not yet provided a public, comprehensive timeline for remediation or detailed findings on the method of intrusion.
Given the information available, assessments of the incident’s ultimate operational and financial impact on Stryker will depend on further disclosures from the company and statements from investigative authorities.