Since the start of the conflict between the United States and Iran, cybersecurity experts have watched closely for signs that Iran’s well-documented hacking capabilities would be turned directly against American companies. That moment now appears to have arrived.
A hacker group with documented ties to Iran’s Intelligence Ministry has claimed responsibility for a cyberattack on Stryker, a major medical technology company headquartered in Michigan. If confirmed at full scale, it would represent the first significant instance of an Iran-linked group successfully disrupting a U.S. company since the war began, marking a notable shift in the cyber dimension of the ongoing conflict.
What happened inside Stryker
Stryker, which manufactures a wide range of medical equipment and devices, confirmed on its website that it experienced a global network disruption tied to a cyberattack affecting its Microsoft environment. The company stated that its own internal systems were not directly breached and that ransomware was not involved, describing the incident as contained.
But for employees on the ground, the experience was disruptive in a very immediate way. Work-issued phones stopped functioning, cutting off communication between colleagues and bringing day-to-day operations to a standstill. The disruption pointed to something more targeted than a typical network intrusion.
How the attack appears to have worked
Cybersecurity researchers believe the attackers gained access to Stryker’s Microsoft Intune account, a platform used by companies to manage and monitor corporate devices remotely. One of Intune’s built-in features allows administrators to wipe a device back to factory settings, a tool designed for situations where a phone or laptop is lost or stolen. The attackers appear to have triggered that feature across some or all enrolled employee devices, effectively erasing them from the inside out.
A threat intelligence expert at Sophos, a cybersecurity firm that has previously linked the responsible group to Iran’s Intelligence Ministry, described the method as a straightforward but highly effective exploitation of a legitimate corporate tool. The group responsible, known as Handala Team, claimed the attack publicly across its social media accounts, where it routinely publicizes its activities. Several of those accounts have been taken down in recent days, only to reappear under new handles.
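A defensive check for the pattern described above, added here as an illustration and not taken from Stryker, Microsoft or Sophos: it flags any administrator account that wipes an unusually large number of distinct devices within a short window. The record layout, account names, device names and thresholds are constructed assumptions, not the real Intune audit log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a simplified, hypothetical schema
# (NOT the real Intune audit log export format).
_T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    # Routine help-desk activity: two wipes, three hours apart.
    [{"time": (_T0 + timedelta(hours=3 * i)).isoformat(),
      "actor": "helpdesk@example.com", "action": "wipe",
      "device": f"LAPTOP-{i:03d}"} for i in range(2)]
    # Burst: one account wipes eight devices, 20 seconds apart.
    + [{"time": (_T0 + timedelta(hours=5, seconds=20 * i)).isoformat(),
        "actor": "admin@example.com", "action": "wipe",
        "device": f"PHONE-{i:03d}"} for i in range(8)]
    # Non-destructive action that must be ignored.
    + [{"time": (_T0 + timedelta(hours=5)).isoformat(),
        "actor": "admin@example.com", "action": "sync",
        "device": "PHONE-000"}]
)


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak count of distinct devices wiped inside `window`}
    for every actor whose peak reaches `threshold`."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still in window
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "wipe":
            continue
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ev["actor"]]
        q.append((ts, ev["device"]))
        # Drop wipes that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({device for _, device in q})
        if distinct >= threshold:
            flagged[ev["actor"]] = max(flagged.get(ev["actor"], 0), distinct)
    return flagged


if __name__ == "__main__":
    for actor, count in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} wiped {count} devices within 10 minutes")
```

The threshold and window need tuning against an organization's normal device-retirement volume so that routine help-desk wipes stay below the alert line.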
A group with a history of escalation
Handala Team is not a new name in cybersecurity circles, but its targeting of a U.S. company of Stryker’s scale represents an escalation from what analysts had seen since the war’s start. Earlier activity from Iran-aligned groups had largely been limited to website defacements and minor disruptions with little lasting impact.
Iran’s history with more destructive cyberattacks, however, is well established. The country has been linked to some of the most damaging digital strikes on record, including a 2012 attack on Saudi Arabia’s national oil company, Saudi Aramco, and a 2014 intrusion at the Sands Casino. Both involved so-called wiper attacks, designed not to steal data but to destroy it entirely.
A shift in strategy
For much of the conflict, Iran’s hackers appeared focused primarily on espionage, gathering intelligence rather than causing visible damage. The Stryker incident suggests that calculus may be changing. Targeting a medical technology company introduces a layer of sensitivity that goes beyond typical corporate disruption, raising questions about infrastructure vulnerability and the boundaries of cyber conflict in a period of active war.
Neither Stryker nor Microsoft offered additional details beyond their initial statements.

