Stryker Iran-linked attack wiped tens of thousands of devices, reports say
Tshedimoso Makhene
March 19, 2026
Stryker Corporation is continuing to recover from a cyberattack that disrupted its global network and wiped thousands of employee devices by exploiting its Microsoft environment rather than deploying malware.
What happened
As an update to the Stryker data breach, Bleeping Computer has just confirmed that tens of thousands of employee devices were remotely wiped in a large-scale cyberattack, without the use of malware or ransomware.
Investigators found that the attacker exploited legitimate administrative tools within Microsoft’s cloud environment to issue mass wipe commands, erasing data from approximately 80,000 devices within a matter of hours on March 11.
The incident caused widespread disruption across Stryker’s global operations, forcing teams to rely on manual processes for important functions such as order management and customer support. Despite the scale of the attack, the company confirmed that its medical devices and patient-facing systems were not affected.
The backstory
The breach at Stryker Corporation began on March 11, 2026, when attackers gained access to the company’s internal Microsoft environment. The incident was later claimed by the hacktivist group Handala, which has been linked by researchers to Iranian-aligned cyber activity.
In posts shared online, the group alleged it had wiped hundreds of thousands of systems and exfiltrated large volumes of data, though these claims were unverified. The attackers framed the operation as politically motivated, citing broader geopolitical tensions in the Middle East.
Initial reporting suggests the breach may have been enabled through compromised administrative credentials or misuse of enterprise management tools, giving attackers high-level control over connected devices.
What was said
In its customer update, Stryker Corporation notes that “This was not a ransomware attack, and there is no evidence of malware deployed to our systems.” Stryker reassured customers that product safety has not been affected, stating that “all Stryker products across our global portfolio… remain safe to use” and that the incident was “contained to Stryker’s internal Microsoft environment” and “did not affect any of our products—connected or otherwise.”
The company also emphasized that its systems and processes provide “additional assurances that no potential vulnerabilities or risk of exploitation related to our connected products exist.” It also confirmed that connected devices “were not impacted by the incident and remain safe to use.”
Looking ahead, the company said it is “prioritizing restoration of systems that directly support customers, ordering and shipping,” with “core transactional systems… on a clear path to full recovery,” and committed to “continue to provide updates as progress is made.”
The bigger picture
Unlike traditional cyberattacks that rely on ransomware or malicious software, this incident leveraged legitimate enterprise management tools to carry out a large-scale disruption. By exploiting access to systems such as Microsoft Intune, attackers remotely issued wipe commands across thousands of enrolled devices.
This technique, often referred to as “living off the land,” allows threat actors to operate using trusted system functions, making detection more difficult. Since no malware is deployed, many conventional security tools may fail to flag the activity until damage is already done.
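Because the wipe commands come from a trusted management plane, one practical signal is volume: a single administrative identity wiping many distinct devices in a short window. The sketch below is an added example, not code from Stryker, Microsoft, or the reporting; the event field names, account names, threshold, and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_events():
    """Constructed audit events. The fields (time, actor, action, device)
    are assumed for this sketch, not a real Intune or Graph export schema."""
    base = datetime(2026, 1, 1, 2, 0, 0)
    events = [
        # Routine, widely spaced help-desk wipes: should not alert.
        {"time": base - timedelta(hours=5), "actor": "helpdesk@example.com",
         "action": "wipe", "device": "LT-0001"},
        {"time": base - timedelta(hours=1), "actor": "helpdesk@example.com",
         "action": "wipe", "device": "LT-0002"},
        # A non-wipe action: ignored by the detector.
        {"time": base, "actor": "admin@example.com",
         "action": "sync", "device": "PC-9999"},
    ]
    # One account issuing 40 wipes, 10 seconds apart.
    events += [
        {"time": base + timedelta(seconds=10 * i), "actor": "admin@example.com",
         "action": "wipe", "device": f"PC-{i:04d}"}
        for i in range(40)
    ]
    return events

def find_wipe_bursts(events, threshold=25, window=timedelta(minutes=15)):
    """Return {actor: (first_alert_time, distinct_devices)} for each actor
    that wipes at least `threshold` distinct devices within one window."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "wipe":
            continue
        q = recent[ev["actor"]]
        q.append((ev["time"], ev["device"]))
        # Drop wipes that have aged out of the sliding window.
        while ev["time"] - q[0][0] > window:
            q.popleft()
        distinct = len({device for _, device in q})
        if distinct >= threshold and ev["actor"] not in alerts:
            alerts[ev["actor"]] = (ev["time"], distinct)
    return alerts

if __name__ == "__main__":
    for actor, (when, count) in find_wipe_bursts(sample_events()).items():
        print(f"ALERT {actor}: {count} devices wiped within 15 min by {when}")
```

The threshold should sit well above normal help-desk volume for the environment, and the alert is most useful when it can pause the issuing account before the remaining queued commands reach devices.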
The attack also exposed a secondary risk: employees who had enrolled personal devices into corporate management systems reportedly lost data when those devices were wiped alongside company hardware. This indicates how modern bring-your-own-device (BYOD) environments can expand the blast radius of a breach when administrative controls are compromised.
FAQs
Could patient data be at risk?
Currently, there is no evidence that patient data was exposed. The incident was contained to Stryker’s internal systems and did not impact connected devices or products in use.
Why do cyberattacks target healthcare and medical companies?
Healthcare and medtech companies are attractive targets because they operate critical infrastructure, handle sensitive data, and impact patient care, making them high-value targets for attackers seeking disruption or political impact.
How can companies protect themselves from cyberattacks?
Organizations can reduce risk by implementing strong passwords, multi-factor authentication, endpoint management, network monitoring, employee training, and rapid incident response plans.
