A Stryker employee who asked not to be identified found a work-issued phone suddenly unusable, cutting off calls and messages. That disruption came as iran cyber attacks were claimed by a group tied to Iran’s intelligence apparatus, an episode that left a medical device maker’s communications stalled and raised questions about how deeply the intruders reached.
Stryker employees and the immediate device disruption
A staff member at Stryker, the Michigan-headquartered maker of medical equipment and technology, said employees’ work-issued phones stopped working and ground communications to a standstill. Stryker produced a public statement Wednesday saying the disruption was due to a cyberattack, that the company’s systems were not directly hacked, and that it had no indication of ransomware and believes the incident is contained.
Handala Team claim and Microsoft Intune access
Handala Team has claimed responsibility for the incident in posts on its Telegram and X accounts, and cybersecurity companies have linked the group to Iran’s intelligence operations. Public evidence points to a likely path of attack through Microsoft Intune, the corporate device management solution Stryker uses. Rafe Pilling, director of threat intelligence at Sophos, said Handala appears to have obtained access to the Intune management console and triggered remote wipe capabilities for some or all enrolled devices.
Iran Cyber Attacks and the pattern of wiper-style operations
Historically, Iran-linked actors have carried out so-called wiper attacks that aim to erase data wholesale, with notable past victims including Saudi Aramco in 2012 and the Sands Casino in 2014. Since the war began, established hacker groups sympathetic to Iranian leadership had mostly claimed minor incidents like briefly altering website appearances, and cybersecurity firms Google and the email security company Proofpoint have largely seen Iran’s hackers conducting espionage related to the war. That pattern appears to have shifted with this episode at Stryker, where device erasure actions resemble earlier wiper tactics more than simple defacements or spying.
Sophos analysis and what the remote-wipe feature means for employees
Sophos has tied Handala to Iran’s intelligence operations and described a plausible mechanism for the disruption: the Intune remote-wipe function, commonly used to retire, repurpose, reset, or securely erase devices when lost or stolen. If the feature was triggered remotely, employees would have seen devices restored to factory settings and lost local data and settings, which explains why the Stryker employee’s phone stopped working and why day-to-day coordination among colleagues was interrupted.
For employees relying on managed phones for scheduling, patient coordination or internal messaging, a sudden remote wipe can halt work. Stryker’s statement Wednesday said the company believes the incident is contained and that ransomware or malware were not factors, but it also acknowledged a global network disruption to its Microsoft environment. That acknowledgement confirms a corporate-level impact even as the company maintains it was not directly hacked.
Handala Team has regularly posted about operations on social networks, and those accounts have been removed in recent days in prior instances. Specific technical details of how access was gained remain unclear; public indicators focus attention on device management systems and the remote controls they provide. For employees at Stryker, the consequence was tangible and immediate: a quiet, unresponsive phone where work calls and messages once arrived.
For the Stryker employee whose phone stopped working, the next confirmed development is Stryker’s own statement Wednesday that the disruption was the result of a cyberattack, that its systems were not directly hacked, and that the company believes the incident is contained. That statement returns the story to the human scale of a single disabled device and sets the immediate milestone by which the company and affected staff will measure recovery.
