Stryker Recovered from an Iranian Wiper Attack. It Took Three Weeks and 80,000 Devices.

John Z Black Apr 3, 2026 Threat Intelligence #iran #handala #wiper #healthcare #stryker #nation-state #critical-infrastructure #fbi

On March 11, Iran’s Handala group used a compromised domain admin account to wipe nearly 80,000 devices across Stryker’s global network. Not encrypted for ransom. Wiped. Destroyed. This wasn’t about money. It was about damage.

Stryker makes surgical equipment and medical implants used in hospitals worldwide. When their systems went dark, manufacturing halted, orders stopped, and shipping froze. In Maryland, EMS crews lost the ability to transmit ECG data to hospitals digitally. The workaround in 2026? Radio.

Three weeks later, Stryker says they’re “fully operational.” That’s Fortune 500 recovery muscle at work. Most healthcare orgs don’t have that kind of bench.

The DOJ made it official on March 20: Handala isn’t an independent hacktivist group. Iran’s Ministry of Intelligence runs it. The FBI seized their leak sites and Director Patel said “we’re not done.” Court documents revealed Handala and two other personas are all operated by the same individuals. One intelligence operation, multiple masks.

The question every health system CISO should be asking: if someone wiped your environment tomorrow, how long until you’re back? And what happens to patients in the meantime?

Inside the three-week recovery from a state-backed wiper attack