When the Goal Is Destruction: What the Stryker Cyber Attack Means

The American manufacturing sector continues to rank among the most frequently targeted by cyberattacks.
On March 11, 2026, that reality came into sharp focus when Stryker Corporation, one of the world’s largest medical device manufacturers, was crippled by a cyberattack carried out by Handala, a hacking group widely believed to be a front for Iran’s Ministry of Intelligence and Security.
The attackers wiped more than 200,000 company devices across the U.S., Ireland, India, and other countries, forcing the company to shut down offices and halt manufacturing operations globally.
Surgeries were cancelled, hospitals severed connections to Stryker systems out of caution, and emergency medical services in Maryland were forced to revert to verbal radio consultations after patient data transmission systems went dark.
The Stryker attack represents one of the most significant cyberattacks on a manufacturer to date, and its implications extend well beyond the medical device industry.
For Connecticut manufacturers, particularly those operating in defense, healthcare, and other critical supply chains, this incident is a stark reminder that nation-state cyber threats are enterprise-wide risks designed to cause maximum disruption.
Not Ransomware, Something Worse
Most manufacturers are familiar with ransomware, a type of malware in which adversaries deny access to data or systems through encryption, then demand payment for the decryption key.
Ransomware, while damaging and disruptive, is fundamentally a financial crime. The attacker wants to get paid, and there is generally a (theoretical) path to recovery, whether through paying the ransom, restoring from backups, or negotiating with the attackers.
The Stryker attack was not a ransomware attack. It was a “wiper” attack, and the distinction is significant.
Wiper attacks are designed for the single purpose of irreversibly destroying data and systems.
Where ransomware encrypts data and holds it hostage, wiper malware permanently deletes or corrupts data, destroys operating systems, and renders entire networks inoperable with no possibility of decryption.
The attackers' end is not money. It is chaos. Wiper attacks aim to disrupt operations and inflict lasting damage.
In the Stryker case, the attackers leveraged the company’s own Microsoft Intune device management system to remotely wipe corporate devices, turning Stryker’s own internal administration tool into a weapon of mass disruption.
The hackers also deployed a malicious file to run commands that allowed them to conceal their activity within Stryker’s systems while the attack unfolded.
Two weeks after the incident, Stryker was still working to restore operations, rebuild wiped systems from backups, and bring manufacturing lines back online.
Geopolitical Threat with Local Consequences
Handala claimed responsibility for the Stryker attack on social media, stating the attack was retaliation for military strikes in the Middle East.
U.S. intelligence officials had previously warned about the possibility of Tehran-linked hackers retaliating against American infrastructure.
The U.S. Department of Justice subsequently seized four websites used by Iran’s Ministry of Intelligence and Security to spread threats and claim responsibility for hacking operations, including the Stryker attack.
This incident illustrates a broader reality that manufacturers may be considered military targets by adversary nations.
Cybercrime at its highest level operates like a business enterprise, but state-sponsored cyber operations operate as a strategic arm of the military.
An adversary motivated by geopolitical objectives will not negotiate. They will not offer a decryption key. They will seek to destroy, and the consequences for manufacturing targets in the defense supply chain, healthcare, energy, and other critical sectors can be severe.
Connecticut manufacturers are not insulated from these risks.
The state is home to a significant number of defense contractors, medical device companies, and other precision manufacturers whose operations–and whose data–represent high-value targets.
As the Department of Defense’s Cybersecurity Maturity Model Certification program makes clear, cybersecurity compliance is now mandatory for defense contractors and subcontractors, and eligibility for future DoD contracts hinges on meeting the required CMMC level.
Shoring Up Defenses: What Manufacturers Can Do Now
Although it may not be possible to prevent being victimized by a cyberattack, manufacturers can deploy several interventions to reduce the likelihood and impact of an attack.
In the wake of the Stryker incident, manufacturers should consider the following steps:
Reassess your backup and recovery strategy with wiper attacks in mind. A comprehensive data and system backup strategy is essential to the restoration of data and may spare leaders from catastrophic operational downtime. However, because wiper attacks may also target backup systems, manufacturers must go beyond standard backup practices.
Consider the 3-2-1 backup rule: maintain at least three copies of your data, stored on at least two different media types, with at least one copy kept offsite or air-gapped from the network.
Regularly test and verify your backups through full restoration drills to ensure data integrity and recoverability.
Build system redundancies for critical operations. The Stryker attack demonstrated that when a wiper takes down 200,000 devices simultaneously, the recovery timeline is measured in weeks, not hours or even days.
Manufacturers should evaluate whether their operations can sustain a prolonged system outage and invest in redundancies accordingly, ensuring that operational technology environments are segmented from corporate IT networks so that a compromise in one domain does not cascade across the entire enterprise.
Organizations should also review and update their incident response and business continuity plans and consider walking through tabletop exercises to identify and resolve flaws before a real attack occurs.
Harden your device management infrastructure. The Stryker attackers gained access and then weaponized the company’s own Microsoft Intune device management platform to execute the wipe.
Any centralized management tool that has the ability to push changes to every endpoint in an organization can potentially be exploited by attackers.
Manufacturers should review the security configurations of their device management, mobile device management, and endpoint management platforms with this risk in mind.
Implementation of strict privileged access controls, multi-factor authentication for all administrative functions, and continuous system monitoring can mitigate risk.
The FBI has indicated that the Handala attackers may have obtained initial access through credentials stolen via infostealer malware, underscoring the importance of credential hygiene and endpoint protection.
Perform a risk assessment now. The foundation of an effective and robust cybersecurity program is identification of risk and evaluation of the organization’s cybersecurity practices and ability to recover from an attack.
The U.S. Cybersecurity and Infrastructure Security Agency recommends the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity because it provides a prioritized, repeatable, and cost-effective approach to managing cybersecurity risk.
The NIST framework applies across all organizations, regardless of size or cybersecurity sophistication. For manufacturers in the defense supply chain, this work also supports readiness for CMMC certification.
Build cybersecurity and training into your culture. Every employee with access to a manufacturer’s network has a role in protecting the organization from cyberattacks.
When every piece of equipment, component, employee, partner, vendor, visitor, and electronic device represents a potential vulnerability, cybersecurity awareness must be built into the culture.
Every employee should be trained and empowered to assist in risk mitigation efforts.
Manufacturers should provide regular training and education with respect to appropriate use of their network infrastructure, cybersecurity awareness, and best practices.
Cybersecurity is everyone’s job, but it is incumbent on the employer to make everyone aware of it.
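For the device management hardening step above, continuous monitoring can include an alert when one administrative account issues wipe commands to many distinct devices in a short window. The sketch below is an added example, not code from the article or from any vendor; the record layout, account names, device names, and thresholds are hypothetical and constructed for illustration, not the export format of Intune or any other product.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records: (timestamp, actor, action, device).
# Hypothetical simplified schema, not a real MDM export format.
SAMPLE_EVENTS = [
    ("2026-01-05T09:00:00", "helpdesk1", "wipe", "LT-0101"),
    ("2026-01-05T09:02:00", "helpdesk1", "sync", "LT-0102"),
    ("2026-01-05T10:15:00", "helpdesk1", "wipe", "LT-0103"),
] + [
    # One account wiping six different devices, one per minute.
    (f"2026-01-06T02:0{i}:00", "admin7", "wipe", f"LT-02{i:02d}")
    for i in range(6)
]


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag actors who wipe >= threshold distinct devices within the window.

    Returns one alert per actor, raised at the event that crosses the
    threshold, so a responder can act before the burst finishes.
    """
    recent = defaultdict(deque)   # actor -> (time, device) inside window
    alerted = set()
    alerts = []
    for ts, actor, action, device in sorted(events):
        if action != "wipe":
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[actor]
        queue.append((now, device))
        # Drop wipes that have aged out of the sliding window.
        while now - queue[0][0] > window:
            queue.popleft()
        distinct = {dev for _, dev in queue}
        if len(distinct) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({
                "actor": actor,
                "window_start": queue[0][0].isoformat(),
                "alert_time": now.isoformat(),
                "devices": len(distinct),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are assumptions to tune against normal helpdesk volume; the value of the check is that routine single-device wipes stay quiet while a fleet-wide burst from one account raises an alert within minutes.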
The Lesson from Stryker
The Stryker attack demonstrates that a determined, state-sponsored adversary can wipe hundreds of thousands of devices, halt global manufacturing operations, delay surgeries, and force a Fortune 500 company into weeks of recovery and financial hardship, in a matter of hours and without financial motivation.
This attack was about nihilistic destruction, and the tools used were not exotic zero-day exploits but a combination of stolen credentials and the company’s own device management infrastructure.
Staying ahead of emerging cybersecurity threats can provide a meaningful competitive advantage and, in the case of wiper attacks, may mean the difference between operational continuity and catastrophic loss.
The cost of preparing now is manageable. The cost of rebuilding after a wiper attack is not.

About the authors: Marc Lombardi and Alfredo Fernández are both partners at Shipman & Goodwin. Lombardi is chair of Shipman’s Privacy, Cybersecurity, and Data Innovation Practice Group, with more than 20 years of privacy law experience.
Fernández is chair of the firm’s manufacturing industry group. For more information about Shipman’s manufacturing practice, please contact Fernández (860.251.5353).



