Key Points:
Stryker confirmed a cyber incident on March 11 that disrupted its global Microsoft environment.
The company reports no evidence of ransomware or malware and believes the incident is contained.
Public attribution currently points to Handala, an Iran-linked persona tied to MOIS-affiliated actor Void Manticore / Red Sandstorm.
Actor claims of 200k wiped systems and 50 TB exfiltration remain unverified.
Operational disruptions include ordering, manufacturing, shipping, and internal systems.
Stryker has publicly confirmed a cyberattack that caused a global disruption to its Microsoft environment. The company states it has no indication of ransomware or malware, believes the incident is contained, and says key patient-facing or connected products including LIFEPAK, LIFENET, Mako, Vocera, and LIFEPAK35 are not impacted. At the same time, Stryker has acknowledged continuing disruption to operations including ordering, manufacturing, shipping, and access to internal systems and applications.
Public attribution has converged on Handala, which Check Point identifies as a persona operated by Void Manticore / Red Sandstorm / Banished Kitten, an actor affiliated with Iran’s Ministry of Intelligence and Security (MOIS). Palo Alto Unit 42 and Sophos reporting are broadly aligned on Handala as an Iran-linked front or persona associated with destructive and hack-and-leak operations.
The key caution is that the company’s statements and the actor’s claims do not fully align yet. Stryker says it sees no ransomware or malware and is still assessing impact, while Handala and some external reporting describe widespread wiping and large-scale data theft. Those claims are not publicly validated by Stryker, CISA, or the FBI at this time.
What Stryker Has Said
Stryker’s public updates dated March 11 and March 12 state that the incident caused a global network disruption affecting its Microsoft environment, that the company has no indication of ransomware or malware, and that it believes the event is contained.
Stryker also stated:
LIFEPAK devices are not impacted and operate independently of the Stryker network.
LIFENET continues to function normally, though some ePCR vendors or hospitals may have paused transmissions.
Mako is not a connected device, and case planning can still be handled locally or carried directly to the system.
Vocera and LIFEPAK35 are safe to use.
The company still has visibility into orders entered before the event, but later orders are being examined while electronic ordering is being restored.
In its SEC 8-K, Stryker said it identified the incident on March 11, 2026, activated its cyber response plan, and brought in external advisors and cybersecurity experts.
Reuters reported on March 12 that Stryker flagged disruption to orders, manufacturing, and shipping operations.
Scale and Numbers
Stryker’s corporate materials state that it operates in 61 countries, has about 56,000 employees, and impacts more than 150 million patients annually. Its 2024 company facts page lists $22.6 billion in global sales for 2024.
Stryker’s 2024 Form 10-K states that it sells products in about 75 countries and has roughly 27 company-owned and 297 leased locations worldwide, including 45 manufacturing locations.
Market reaction was immediate. Reuters reported Stryker shares fell roughly 3% to 3.6% after the incident became public.
Handala has claimed that it wiped over 200,000 systems, servers, and mobile devices and exfiltrated 50 TB of data. These are actor claims only and are not confirmed by Stryker or U.S. government agencies at this time.
Who Is Handala
Check Point’s March 12 report is the strongest public technical source currently available. It states:
Handala is an online persona operated by Void Manticore, also tracked as Red Sandstorm and Banished Kitten.
Void Manticore is assessed as MOIS-affiliated.
Handala is one of several personas tied to the same cluster, alongside Karma and Homeland Justice.
The actor favors quick, hands-on intrusions, often with destructive wiping, hack-and-leak operations, and propaganda-driven messaging.
Sophos also describes Handala as a hacktivist persona linked to Iran’s MOIS and notes that while the group may exaggerate impact, it has been associated with data theft and wiper attacks.
Palo Alto Unit 42 likewise identifies Handala as a prominent Iran-linked persona in the current escalation environment.
Reported Tradecraft
According to Check Point, Handala has used:
Compromised VPN accounts and brute-force or credential-based access for initial entry.
Targeting of IT and service providers to obtain credentials and reach downstream victims.
Hands-on-keyboard activity involving RDP, simple tunneling, and fast destructive actions.
NetBird for tunneling into victim environments.
Parallel deployment of multiple wiping methods through Group Policy to maximize damage.
Check Point describes four distinct wiping techniques in one observed intrusion and says one PowerShell wiper was likely written with AI assistance. It also says the PowerShell component deleted files under C:\Users and dropped propaganda imagery across drives.
This matters even if some actor claims are inflated. The TTP family is real, the destructive capability is real, and the healthcare-adjacent targeting pattern is real.
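The Group Policy wiper deployment and the C:\Users deletions described above suggest a fleet-level correlation a defender can hunt for. This is an added example, not code from Check Point or Stryker. The event schema, host names, thresholds and sample telemetry are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

USERS = "c:\\users\\"  # profile root the reported PowerShell wiper deleted from

def ev(ts, host, kind, obj):
    # Hypothetical normalized schema; map "gpo_modified" from Security 5136 and
    # "file_deleted" from Sysmon 23/26 (or your EDR's equivalent).
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "obj": obj}

# Constructed sample telemetry, not taken from any real incident.
SAMPLE = (
    [ev("2026-01-01T02:00:00", "DC01", "gpo_modified", "CN={PLACEHOLDER},CN=Policies,CN=System")]
    + [ev(f"2026-01-01T02:10:{s:02d}", h, "file_deleted", f"C:\\Users\\user{s}\\doc{s}.docx")
       for h in ("WS-A", "WS-B", "WS-C") for s in range(30)]
    + [ev("2026-01-01T02:11:00", "WS-D", "file_deleted", "C:\\Users\\x\\tmp.txt")]  # background noise
)

def deletion_bursts(events, window=timedelta(minutes=1), threshold=20):
    """Map host -> start of first window holding >= threshold deletions under C:\\Users."""
    per_host = defaultdict(list)
    for e in events:
        if e["kind"] == "file_deleted" and e["obj"].lower().startswith(USERS):
            per_host[e["host"]].append(e["ts"])
    bursts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:  # slide the window start forward
                lo += 1
            if hi - lo + 1 >= threshold:
                bursts[host] = stamps[lo]
                break
    return bursts

def gpo_wipe_candidates(events, follow=timedelta(minutes=30), min_hosts=3):
    """Flag GPO edits followed within `follow` by deletion bursts on >= min_hosts hosts."""
    bursts = deletion_bursts(events)
    alerts = []
    for e in events:
        if e["kind"] == "gpo_modified":
            hit = sorted(h for h, t in bursts.items()
                         if timedelta(0) <= t - e["ts"] <= follow)
            if len(hit) >= min_hosts:
                alerts.append({"gpo_edit": e["ts"], "dc": e["host"], "hosts": hit})
    return alerts

if __name__ == "__main__":
    print(gpo_wipe_candidates(SAMPLE))
```

Tune `threshold`, `follow` and `min_hosts` against your own baseline; profile cleanup jobs and software deployments pushed by Group Policy can produce similar bursts.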
Public IoCs
There are no public Stryker-specific IoCs from Stryker, CISA, or the FBI that could be independently verified as of March 12, 2026. The indicators that are public (malware hashes, infrastructure addresses, and observed hostnames) come from Check Point’s Handala reporting and should be treated as Handala-related indicators, not confirmed Stryker victim-side indicators.
These are useful as hunting leads, not standalone proof of attribution.
Government Information and Official Posture
CISA has reportedly launched an investigation into the Stryker incident. Nextgov reported that Acting Director Nick Andersen said CISA is working with public- and private-sector partners and providing technical assistance related to the targeted attack.
A June 30, 2025 joint fact sheet from CISA, FBI, NSA, and DC3 warned that Iranian-affiliated cyber actors and aligned hacktivist groups may target vulnerable U.S. organizations, often exploiting unpatched internet-facing services, known vulnerabilities, and weak or default credentials.
CISA’s earlier 2020 advisory on Iranian cyber response specifically warned about possible wiper activity and disruptive operations during periods of U.S.-Iran tension.
CISA’s 2022 Albania advisory publicly linked the Homeland Justice persona to Iranian state cyber actors. This is relevant because Check Point ties Homeland Justice and Handala to the same broader operator cluster.
HHS HC3 has also published healthcare-focused analysis on Iranian threat actors, reinforcing that the healthcare sector remains a relevant concern area for Iranian cyber activity.
Assessment
Current public attribution is strong enough to describe this as an incident attributed to Handala, an Iran-linked and MOIS-associated persona, but not strong enough to make detailed claims about the exact Stryker intrusion path without additional evidence.
The most plausible current assessment is:
This was a disruptive and possibly destructive operation against a major U.S. medical technology company.
The actor’s likely objectives were operational disruption, propaganda value, and coercive signaling, not ordinary cybercrime monetization.
The healthcare and medtech angle raises supply-chain and continuity risk, even if key patient-facing devices were not directly compromised.
The public record still lacks enough detail to determine whether the access path involved identity compromise, supplier compromise, VPN abuse, MDM misuse, or another method.
SOURCES
Stryker Customer Update (March 2026): https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html
Stryker SEC Form 8-K: https://www.sec.gov/Archives/edgar/data/310764/000119312526102460/d76279d8k.htm
Check Point Research, “Handala Hack: Unveiling Group’s Modus Operandi”: https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
Reuters, Stryker flags disruption to orders, manufacturing, and shipping: https://www.reuters.com/technology/stryker-flags-disruption-orders-manufacturing-day-after-cyberattack-2026-03-12/
Stryker Company Profile / Facts: https://www.stryker.com/pt/en/about.html
Palo Alto Unit 42, Iranian cyberattacks 2026: https://unit42.paloaltonetworks.com/iranian-cyberattacks-2026/
Sophos, Cyber advisory on U.S.-Israel-Iran escalation: https://www.sophos.com/en-us/blog/cyber-advisory-increased-cyber-risk-amid-u-s-israel-iran-escalation
Stryker 2024 Form 10-K: https://www.sec.gov/Archives/edgar/data/310764/000031076425000023/syk-20241231.htm
Yahoo / claim-reporting on actor-stated impact numbers: https://www.yahoo.com/news/articles/iranian-linked-cyberattack-cripples-global-152702123.html
Reuters, attribution / market reaction: https://www.reuters.com/markets/europe/stryker-shares-fall-after-report-suspected-iran-linked-cyberattack-2026-03-11/
Nextgov, CISA launches investigation into Stryker cyberattack: https://www.nextgov.com/cybersecurity/2026/03/cisa-launches-investigation-stryker-cyberattack/412079/
CISA/FBI/NSA/DC3 Joint Fact Sheet, June 30 2025: https://media.defense.gov/2025/Jun/30/2003745375/-1/-1/0/JOINT-FACT-SHEET-IRANIAN-CYBER-ACTORS-MAY-TARGET-VULNERABLE-US-NETWORKS-AND-ENTITIES-OF-INTEREST-508C.PDF
CISA Advisory AA20-006A, Iran-based cyber response: https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-006a
CISA Advisory AA22-264A, Albania / Homeland Justice: https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a
HHS HC3, Iranian Threat Actors and Healthcare: https://www.hhs.gov/sites/default/files/iranian-threat-actors-and-healthcare.pdf
