An Iran-linked hacking group has claimed responsibility for a major cyberattack that caused global disruption to the systems of US medical device company Stryker Corporation this week, stating it was retaliation for a recent school bombing in Iran.
Global Disruption Hits Stryker
The hacker group, identified as Handala, announced on Wednesday that it had successfully targeted Michigan-based Stryker, a company known for manufacturing a wide range of medical devices, from artificial joints to robotic surgery systems. The attack impacted thousands of employees accessing the company’s Microsoft systems, leading to widespread outages.
Stryker confirmed the incident, stating it was experiencing a “global network disruption to our Microsoft environment as a result of a cyberattack.” The company warned that disruptions and limited access to its information systems and business applications were expected to continue, with no clear timeline for a full restoration of services.
The financial markets reacted swiftly, with Stryker’s share price dropping approximately 3% following news of the breach. Lee Sult, chief investigator at cybersecurity firm Binalyze, described the incident as “the first drop of blood in the water,” suggesting it marks an expansion of the Iran conflict into US cyber targets and predicting further attacks.
While Handala claimed to have wiped thousands of systems and mobile devices and to have extracted 50 terabytes of data, Stryker said it had found no indication of ransomware or malware and believed the incident was contained. The company’s investigation is ongoing, and the full scope, nature, and financial impacts are yet to be determined, according to a filing with the Securities and Exchange Commission.
Employees reported seeing Handala’s logo appear on company login pages, and calls to Stryker’s headquarters in Portage, Michigan, were met with a recorded message citing a “building emergency.” Stryker, which reported revenues exceeding $25 billion in 2025, boasts products reaching over 150 million patients annually across 61 countries.
Retaliation for Minab School Bombing
Handala explicitly stated the cyberattack was an act of retaliation for what it called a “brutal attack on the Minab school” in Iran. The group claimed the bombing, which reportedly killed more than 170 people, mostly schoolgirls, was a result of US-Israeli military action.
In a statement posted to X, Handala declared: “We announce to the world that in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success.” The group labelled Stryker a “Zionist-rooted corporation.”
The bombing of the Minab school has drawn international attention. An investigation by Al Jazeera’s Digital Investigations Unit, using satellite imagery, suggested the school might have been deliberately targeted. Six senior Democratic senators in the United States have called for an investigation into the strike, expressing horror over the incident.
Handala also claimed the seized 50 terabytes of company data were “now in the hands of the free people of the world,” though no evidence for this claim was immediately presented.
Handala's History and Escalating Cyber Warfare
The “Handala Hack Team” is an Iranian hacktivist persona first observed in 2023, according to cybersecurity firm Sophos. Threat intelligence company Intel 471 reports that Handala has previously claimed compromises of multiple oil and gas organisations across Israel, Jordan, and Saudi Arabia.
Intel 471 noted that “the recent surge in pro-Iranian hacktivist activity currently is providing the Iranian regime with a greater ability to project perceived power in a time where domestic connectivity is highly constrained.” This latest attack on Stryker signals a significant escalation, with Handala warning it marks “the beginning of a new chapter in cyber warfare.”
The group’s historical activity suggests a pattern of targeting adversaries of Iran, aiming to inflict economic disruption. This latest move against a major US corporation indicates a broadening scope beyond previous regional targets, taking the conflict into the global cyber realm.
Broader Threats and Future Targets
The attack on Stryker aligns with escalating threats from Iran against Western economic interests. The Islamic Revolutionary Guard Corps (IRGC) recently warned that US and Israeli-linked “economic centres and banks” across the region were now legitimate targets.
State-affiliated media in Iran published a list of prominent US tech firms, including Google, Microsoft, and Nvidia, describing their regional infrastructure as “Iran’s new targets.” This suggests a deliberate strategy to disrupt critical sectors and key players in the global economy.
An Iranian security source, speaking to Al Jazeera, hinted that the conflict was entering “a new phase,” and suggested another key regional waterway could face restrictions similar to those threatened by Tehran on vessels seeking to cross the Strait of Hormuz. Handala also claimed a simultaneous attack on payments company Verifone, though Verifone denied any disruption to its services.
Neither the FBI nor the Department of Homeland Security’s cybersecurity agency has responded to requests for comment regarding the incident.