Stryker Cyberattack 2026: Iran Attacks Healthcare

Written by Craig Pepper | Mar 17, 2026 10:59:59 AM

On 11 March 2026, employees at Stryker, one of the world's largest medical technology companies, arrived at work to find their login screens replaced with a hacker's logo. Staff were told not to touch their devices. Phones had stopped working. Data had been wiped. More than 5,000 workers at the company's largest hub outside the US, in Cork, Ireland, were sent home.

The group claiming responsibility is Handala, an Iran-linked state-aligned threat actor. Whether you supply the NHS, manufacture medical devices, or sit anywhere in the healthcare supply chain, this attack is a direct signal about the threat environment you are operating in right now.

What Happened: The Stryker Cyberattack Explained

Stryker is a Fortune 500 company specialising in surgical equipment, orthopaedic implants, and neurotechnology. Headquartered in Michigan, it employs approximately 56,000 people and reported over $25 billion in revenue in 2025. Its critical role in the global healthcare supply chain makes it an essential partner for hospitals worldwide.

The attack exploited Stryker's Microsoft environment, remotely wiping devices running Windows, including laptops, phones, and other connected systems, and forcing the company to restrict access to information systems while incident responders worked to contain the breach.

Stryker confirmed the attack publicly, stating it was experiencing a global network disruption to its Microsoft environment, adding it had found no evidence of ransomware or malware and believed the incident was contained. Handala's own claims were far more dramatic: the group said it had wiped over 200,000 systems and extracted 50 terabytes of data across 79 countries.

Whether those figures are entirely accurate is disputed. Handala has a history of inflating claims, but the operational disruption was undeniably real and severe.

Who Is Handala?

Handala is not a loosely organised hacktivist collective. It is assessed as one of several online personas maintained by Void Manticore, a group affiliated with Iran's Ministry of Intelligence and Security (MOIS), which emerged following Hamas's October 7 attack on Israel.

According to IBM X-Force Exchange, Handala has previously targeted Israeli civilian infrastructure, energy companies in the Gulf region, and Western organisations, with operations focused on generating disruptive and psychological impact. Its toolkit includes phishing, custom wiper malware (notably Hatef), ransomware-style extortion, data theft, and hack-and-leak campaigns. Its attacks consistently feature ideological messaging and deliberate targeting of life-critical sectors — healthcare and energy in particular.

The Stryker attack marks the first time Handala has disruptively targeted a major US enterprise, representing a significant escalation.

Why Was Stryker Targeted?

The geopolitical context matters. Handala cited the Minab school bombing, in which over 165 children were reportedly killed in a US-Israeli military strike on Iran, as its stated motivation.

Two theories have emerged as to why Stryker specifically was targeted. First, Stryker acquired Israeli medical tech company OrthoSpace in 2019 and holds a $450 million contract with the US Department of Defence to supply military hospitals, connections that may have made it an ideologically attractive target.

Second, analysts noted the attack has the hallmarks of an opportunistic one: Handala is known more for exploiting vulnerabilities it happens to find than for conducting long, carefully planned campaigns against specific organisations.

This level of destruction may not have required meticulous planning. It may have required Stryker to simply have a vulnerability that Handala found first.

Why This Is a Patient Safety Problem, Not Just an IT Problem

Critical healthcare infrastructure is a high-value target precisely because the stakes extend beyond lost data; when systems fail, patient care fails. For the medtech sector, this attack is a signal that the threat landscape has fundamentally shifted.

Industry analysts highlighted that the attack puts Stryker's supply chain at risk until the full impact is resolved, with consumables supply likely the first area to be affected, potentially forcing clinicians to switch brands or take equipment offline entirely.

The Stryker attack may signal the start of a broader wave, with healthcare, banking, agriculture, and energy identified as the sectors most likely to face further targeting in the weeks ahead.

The Broader Nation-State Cyber Threat to Healthcare

The Stryker attack did not happen in isolation. Iranian threat actors have a documented history of destructive cyber operations, including the 2012 Shamoon wiper attack on Saudi Aramco and the 2014 attack on the Sands Casino. These are not new tactics. They are proven ones, now being applied with greater frequency and against a wider range of targets.

Intelligence reporting indicates that Iran-aligned groups, including Seedworm (also tracked as MuddyWater), have already placed backdoors on US company networks since early 2026, with Western security agencies warning that cyber spillover from Middle East tensions could extend to international targets, including the UK.

For organisations in the UK, whether NHS trusts, health tech suppliers, or medtech manufacturers, this is not a distant American problem. Iranian-linked actors are serving as visible operators capable of conducting hack-and-leak campaigns, destructive attacks, and psychological operations aimed at amplifying political impact beyond the immediate technical intrusion.

The convergence of health tech, defence supply chains, and nation-state aggression is the threat environment UK organisations need to prepare for now.

What This Means for NHS Suppliers in 2026

The Stryker attack lands at a moment when NHS England is actively tightening its expectations of suppliers. From January 2026, NHS England may contact suppliers directly to discuss cyber security controls and request evidence of compliance, particularly where suppliers deliver services critical to patient care or operational continuity.

There has been a steady uptick in high-profile attacks targeting NHS suppliers in recent years, including a 2022 attack on Advanced Computer Software Group that disrupted services across the country for weeks, and a 2024 attack on blood testing company Synnovis that saw patients diverted from London hospitals.

The direction is clear: if you supply the NHS and you cannot demonstrate a credible security posture, the risk is not just operational, it is reputational and commercial.

What Organisations Should Do Now

The Stryker incident raises urgent questions for any organisation operating in or adjacent to critical healthcare infrastructure.

Do you know your attack surface?

The Stryker attack exploited vulnerabilities in a Microsoft environment. Understanding what is exposed (endpoints, MDM configurations, cloud environments) is foundational. Penetration testing should be routine, not reactive.
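The article describes devices being wiped remotely and lists MDM configurations as part of the attack surface; one control that follows is an alert on bursts of destructive device commands issued by a single account. The sketch below is an added example, not from the original article or any vendor: the log schema, action names, account names, threshold and window are all constructed assumptions.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed action names for destructive device commands (hypothetical schema).
DESTRUCTIVE = {"wipe", "retire", "factory_reset"}

# Constructed sample audit rows: timestamp, initiating account, action, device.
SAMPLE_LOG = """\
2026-01-15T01:10:00Z,helpdesk@example.org,wipe,LAPTOP-0101
2026-01-15T01:55:00Z,helpdesk@example.org,wipe,LAPTOP-0102
2026-01-15T02:00:01Z,svc-admin@example.org,wipe,LAPTOP-0001
2026-01-15T02:00:03Z,svc-admin@example.org,wipe,PHONE-0002
2026-01-15T02:00:04Z,svc-admin@example.org,sync,LAPTOP-0003
2026-01-15T02:00:06Z,svc-admin@example.org,wipe,LAPTOP-0003
not,a,valid,row
2026-01-15T02:00:09Z,svc-admin@example.org,factory_reset,PHONE-0004
2026-01-15T02:00:12Z,svc-admin@example.org,wipe,LAPTOP-0005
"""

def parse(lines):
    """Yield (time, actor, action, device); skip malformed rows."""
    for row in csv.reader(lines):
        if len(row) != 4:
            continue
        try:
            ts = datetime.fromisoformat(row[0].replace("Z", "+00:00"))
        except ValueError:
            continue
        yield ts, row[1].lower(), row[2].lower(), row[3]

def detect_bulk_wipes(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert once per burst when one account hits >= threshold distinct devices."""
    recent = defaultdict(deque)  # actor -> (time, device) inside the window
    alerting, alerts = set(), []
    for ts, actor, action, device in sorted(parse(lines)):
        if action not in DESTRUCTIVE:
            continue
        q = recent[actor]
        q.append((ts, device))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        count = len({d for _, d in q})
        if count < threshold:
            alerting.discard(actor)  # burst over; re-arm for this account
        elif actor not in alerting:
            alerting.add(actor)
            alerts.append({"actor": actor, "first": q[0][0], "last": ts, "devices": count})
    return alerts
```

On the constructed sample, the two help-desk wipes 45 minutes apart stay below the threshold, while the five destructive commands from one account within 11 seconds raise a single alert.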

Are your supply chain partners equally resilient?

Third-party risk is not someone else's risk. It is yours. Analysts noted that depending on how integrated Stryker's systems are with those of its suppliers and customers, concerns about the breach spreading are legitimate. The same logic applies to every interconnected supply chain.

Are you meeting your compliance obligations?

For NHS suppliers, NHS DSPT obligations and Cyber Essentials certification are not tick-box exercises. They are the minimum viable defence posture, and NHS England is now actively checking.

Do you have an incident response plan that actually works?

The difference between a contained incident and an operational catastrophe often comes down to whether your response plan has been tested, not just written.

Three Practical Steps Towards Cyber Resilience

1. Achieve Cyber Essentials Plus Certification

Cyber Essentials is the UK government-backed scheme that verifies the five core technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. The Plus level adds independent hands-on technical verification, moving your organisation from believing it is secure to knowing it has a verified baseline. For any NHS supplier, this should be considered the minimum viable starting point.

2. Commission Regular Penetration Testing

Automated scanning identifies known vulnerabilities. Penetration testing — conducted by certified ethical hackers using real-world attacker techniques — uncovers the complex, contextual flaws that automated tools miss: business logic errors, misconfigured access paths, weaknesses in human processes. For organisations in the medtech and health tech sectors, this should be an annual exercise at minimum, with additional testing after significant infrastructure changes.

3. Implement Continuous Vulnerability Scanning

The Stryker attack may have been opportunistic — exploiting a vulnerability Handala found before Stryker did. Continuous scanning addresses exactly this risk. By regularly checking your networks, servers, and applications against known vulnerability databases, you reduce the window of opportunity for attackers and give your teams the visibility needed to prioritise remediation before exploitation occurs.

Final Word

A former US Air Force cyber officer described the psychological impact plainly: "Coming into work and finding an Iranian flag on your workstation would be a little bit disconcerting, they're letting you know that 'I can reach out and touch you.'"

Nation-state actors are targeting healthcare. They are targeting supply chains. They are using wiper malware designed not to extort, but to destroy. The Stryker cyberattack is not an anomaly; it is a preview.

If you are a health tech supplier, a medtech manufacturer, or an NHS-connected organisation and you have not recently assessed your threat posture, now is the time.

To understand your organisation's exposure through penetration testing, Cyber Essentials, NHS DSPT support, or supply chain risk assessment, get in touch with our team today.