
Iranian Cyber Attacks and the quiet day the hospital supplier went dark

The first signs of Iranian cyber attacks were not dramatic on the ground—just a workday that suddenly stopped working. A Stryker employee in Boise, Idaho described being unable to access the company network, alongside guidance to avoid connecting to any Stryker VPN networks or software on any device, and word that coworkers’ work phones were wiped Wednesday morning.

What happened to Stryker—and why does it matter?

Stryker, a Michigan-based medical device company, said it is experiencing a “global network disruption” to its Microsoft environment after a cyberattack. In a message to customers, Stryker confirmed the disruption and said: “We have no indication of ransomware or malware and believe the incident is contained.” The company added that its teams were working rapidly to understand the impact.

In a separate statement, Stryker warned the incident is expected to continue to cause “disruptions and limitations of access to certain of the Company’s information systems and business applications,” and cautioned that “the timeline for a full restoration is not yet known.” In a filing to the Securities and Exchange Commission, Stryker said its investigation is ongoing and that the full scope, nature and impacts—including operational and financial impacts—are not yet known. It has not yet determined whether the incident is reasonably likely to have a material impact.

The market reaction came quickly: Stryker’s share price dropped about 3% on news of the attack. Inside the company, the disruption rippled through daily routines, with employees confronting basic questions—what systems can be trusted, what can be accessed, and what work can be done while core tools remain out of reach.

Iranian Cyber Attacks: who claimed responsibility and what is verified?

A pro-Iranian hacktivist group later claimed responsibility for the cyberattack. Handala, described as an Iran-linked group, said the operation targeted Stryker and framed it as retaliation for the bombing of the Minab school in Iran. In a post on X, apparently from Handala, the group said it carried out a “major cyber operation” in response to what it called ongoing cyber assaults against the infrastructure of the “Axis of Resistance.”

Handala called Stryker a “Zionist-rooted corporation” and claimed, without showing evidence, that it had wiped thousands of systems and mobile devices and extracted 50 terabytes of data. A separate claim circulating from the hackers alleged 200,000 systems were affected and 50 terabytes of data were extracted. Stryker has not confirmed the group’s involvement, and it remained unclear who was responsible for the cyberattack.

Outside Stryker, the same hacking group claimed to have breached New York City-based company Verifone. A spokesperson for Verifone rejected the allegations, saying the company closely monitors the security and integrity of its systems worldwide, found no evidence of any incident related to the claim, and had no service disruption to clients.

How did employees and investigators describe the disruption?

For staff members, the disruption was both technical and personal: the loss of routine access to tools that structure the workday. The Boise-based Stryker employee who confirmed the attack described being locked out of the network and receiving instructions designed to prevent further exposure—avoid VPN connections and company software on any device—alongside the reported wiping of coworkers’ work phones Wednesday morning.

For investigators watching the broader pattern, the incident carried a different kind of weight. Lee Sult, chief investigator at cybersecurity firm Binalyze, called it “the first drop of blood in the water” as the Iran conflict spreads to US cyber targets, adding that “more shots are coming.” The framing was stark: an operational disruption at a medical device maker as a signal event, not an isolated one.

Handala has been described by Sophos, a cybersecurity company, as an Iranian hacktivist persona first observed in 2023. Intel 471, a threat intelligence company, has said the “Handala Hack Team” has claimed to have compromised multiple oil and gas organizations across locations including Israel, Jordan and Saudi Arabia. Intel 471 said the recent surge in pro-Iranian hacktivist activity is providing the Iranian regime with a greater ability to project perceived power at a time when domestic connectivity is highly constrained.

What is being done now, and what questions remain?

Stryker’s immediate response has centered on containment, investigation, and restoring access. It believes the incident is contained and that teams are working to understand the impact. Yet its own warnings to customers underscore the uncertainty: disruptions and limitations of access are expected to continue, and a full restoration timeline is not yet known.

The gap between claim and confirmation remains central. The hackers’ statements—retaliation for the Minab school bombing, assertions of wiped systems, and claims of extracted data—have not been substantiated in the information publicly available in Stryker’s statements. Stryker has not confirmed the group’s involvement. The company has also said it has no indication of ransomware or malware, while acknowledging that the overall scope and impacts are not yet known.

In that space—between what a company can safely say during an active investigation and what attackers claim for maximum effect—employees still have to get through the day, customers still need clarity on service and support, and a global business has to function while key parts of its digital environment are constrained.

Back in Boise, the story of Iranian cyber attacks was experienced as a set of instructions and a blank login screen—don’t connect, don’t open, wait. The larger meaning is still being measured, but the immediate reality is plain: when a medical device maker’s systems go dark, the disruption is not just global. It is personal, one workstation at a time.
