Stryker becomes a proxy target of cyberattacks in the 2026 Iran war
After a bit of a hiatus due to the launch of my book, Code War: How Nations Hack, Spy, and Shape the Digital Battlefield, The Latest Breach returns!
Code War could not be launching at a more vital time, as many of the book's themes provide background on why the geopolitical and cybersecurity environment is the way it is today. Read about the latest out of the Iran war with the attack against Stryker below.
What happened: Public details on the incident are still largely incomplete, since the attack was only just announced on Wednesday, March 11. That said, reporting indicates that in the early hours of Wednesday morning, employees at Stryker found that many of their Windows systems and mobile devices had been completely erased. Based on public reporting and a Reddit thread about the incident, which includes comments from self-identified Stryker employees, it appears the attack leveraged Microsoft Intune to remotely wipe all connected devices. To quote Stryker,
“Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyber attack.”
The attack seems to be affecting employees in multiple countries, including the United States and Ireland.
Who did it: Many signs point towards the Handala hackers as those responsible for the cyberattack. The Handala logo appeared on Stryker screens during the attack, along with the particularly disturbing message,
“No need to learn Hebrew anymore. You won’t need it for much longer.”
which marks the attack as geopolitically driven. The Handala hackers publicly took responsibility for it and stated it was in retaliation for the strike on a school in Iran that killed at least 175 people, most of whom were children. The preliminary investigation into the strike has determined that the United States is responsible.
Handala hackers are also known to use wiper malware, which has outcomes similar to those of the Stryker attack. They are a pro-Iran, pro-Palestinian threat actor known to target Israeli infrastructure and affiliated organizations, and they have been targeting organizations more actively since the 2026 Iran war broke out.
All that said, we cannot definitively state that this attack was perpetrated by them until a root cause analysis is conducted. They could be taking opportunistic credit for a copycat attack, or it could be a false-flag operation. We need actual threat intelligence to make a definitive determination here, rather than relying on bombastic messages from a hacktivist group known for loudly spreading propaganda.
Why Stryker: Stryker sits at a unique intersection, making it a prime target for a pro-Iran threat actor. It holds Defense Logistics Agency and Department of Defense contracts to provide medical technology to US military facilities. It also has a presence in Israel, as it acquired OrthoSpace Ltd., an Israel‑based orthopedic device company, in 2019. These connections are exactly the kind a pro-Iran threat actor would want to exploit in its propaganda: a US firm that supports the US military and owns Israeli technology assets. Lastly, of course, it’s a large company: Stryker employs about 56,000 people across 61 countries and generates roughly 25B USD in annual revenue as of 2025. A global network disruption at an organization of that size guarantees international media coverage, which in turn amplifies the pro-Iran message and perceived cyber strength.
Take note: Cyberattacks are never carried out without a real-world motive. In this case, it appears to be an attempt to enact retribution against the United States and Israel as part of a cyber counter-offensive following US and Israeli strikes at the end of February. Stryker wasn’t chosen by accident; it’s a publicly traded, high-visibility US company and major US military medical supplier that also happens to have at least one Israeli company under its umbrella. This lets pro-Iran hackers send a targeted political message while also dealing a critical blow to the US military support system.
This is also why it’s so important for geopolitical risk conversations to be a regular and evolving topic that involves the security team. The geopolitical ecosystem is chaotic right now and will remain so for the foreseeable future (likely years). To prepare, every organization, large or small, needs to evaluate which threat actors would identify them as a likely target given the up-to-the-minute geopolitical dynamics at play.
While many of the internal changes needed to prevent this from happening again should be the organization's focus, there are things you, as an individual, can do as well. If there’s one thing every person should do in light of this attack, it’s maintain regular backups of personal devices, especially those also used for work, so that if a situation like this happens, you can recover quickly.
Lastly, make sure you check out my book, Code War: How Nations Hack, Spy, and Shape the Digital Battlefield. Code War breaks down what makes China, Russia, and the United States the top cyber powers on the planet, examining how their histories and current contexts shape the cyberattacks they perpetrate. It also delves into why each nation makes the defensive decisions it does. This book is written for anyone interested in geopolitics, tech, or cybersecurity — no advanced technical knowledge required, just curiosity. And of course, there are several mentions of Iran. Pre-order your copy here.



"Take note: Cyberattacks are never carried out without a real-world motive. In this case, it appears to be an attempt to enact retribution against the United States and Israel as part of a cyber counter-offensive following US and Israeli strikes at the end of February."
This has been my experience too. It's no longer the early days; it takes real resources to develop these tools, and they are developed with targets in mind.
Good insights.