On March 11, an Iranian-linked hacking group called Handala logged into Stryker Corporation's internal network, accessed the company's own endpoint management software, and used it to wipe more than 200,000 devices. [1] They did not break through a firewall. They did not exploit a zero-day vulnerability. They logged in, sat down at the controls, and erased everything. The operation took hours. By the time Stryker's security team understood what was happening, the wiper malware had propagated across the company's global network, reaching manufacturing facilities, shipping systems, and the Cork, Ireland production site. [2]

Stryker is not a defense contractor. It is a medical technology company headquartered in Kalamazoo, Michigan, that makes surgical instruments, orthopedic implants, and hospital beds. It has no involvement in Operation Epic Fury. Handala said it chose Stryker as retaliation for the U.S. bombing of the girls' school in Minab on February 28. [3] The connection between a medical device manufacturer and a school bombing is, on its face, nonexistent. But that is the point. Handala's logic is collective punishment: American companies will pay for American bombs.

CNN reported that the attack appeared to be "the first significant cyber operation" of the war against a U.S. corporate target. [4] NBC News confirmed that the attack caused a "global network disruption." [4] TechCrunch reported that Stryker was "restoring systems after pro-Iran hackers wiped thousands of employee devices," and that the company had not provided a timeline for full recovery as of March 17. [5] Security Week's analysis concluded that the attackers "leveraged existing endpoint management software rather than malware to wipe devices" — meaning they turned Stryker's own IT tools against it. [6]

The Stryker attack is the most visible incident in what the Center for Strategic and International Studies has described as a fundamental shift in Iran's cyber posture since the war began. A CSIS analysis published this week documented a 700 percent increase in cyberattacks targeting Israel in the period following military strikes on Iranian territory — a figure originally compiled by cybersecurity firm Radware. [7] The CSIS report, titled "How Will Cyber Warfare Shape the U.S.-Israel Conflict with Iran?" noted that while the 2025 Twelve-Day War between Israel and Iran featured relatively restrained cyber operations, the current conflict has produced an "unprecedented acceleration" in both volume and destructiveness. [7]

A separate CSIS analysis, published March 20, warned that "data is now the front line of warfare." [8] The report documented that an IRGC-affiliated news outlet published a list of 29 "tech targets" Iran intends to strike across Bahrain, Israel, Qatar, and the United Arab Emirates. [8] The list includes data centers, submarine cable landing points, and cloud infrastructure operated by American companies.

Axios reported that Iranian state-linked media published an explicit list of major U.S. technology companies designated as targets, including Google, Microsoft, Palantir, and Amazon Web Services. [9] The list was framed not as a cyber threat but a military one — regional offices and data centers identified as "infrastructure supporting the war" and therefore legitimate targets. [10] Gizmodo reported that the list named specific office locations. [11]

The institutional response has been uneven. CISA told SC World that the Iran war has "yet to trigger increased cyberattacks against US" domestic infrastructure — a characterization that seems to exclude the Stryker attack entirely. [12] The Canadian Centre for Cyber Security took a different view, issuing a threat bulletin warning of "Iranian cyber threat response to US/Israel strikes." [13]

The gap between what has already happened and what agencies acknowledge reveals a definitional problem. Traditional cyber warfare targets critical infrastructure — power grids, water systems, military communications. What Iran is doing is different: attacking corporate targets chosen for symbolic rather than strategic value. Stryker was hit not because disabling its network would degrade military capability, but because a medical device company makes a satisfying target for a nation whose children were killed by American weapons.

Krebs on Security reported that Handala — also known as Void Manticore — has links to Iran's Ministry of Intelligence and Security, and that the group's previous operations have targeted Israeli organizations with similar wiper attacks. [1] The Stryker operation represents an expansion of the target set from Israeli to American companies. If the 29-company hit list is operational rather than rhetorical, Stryker may be the first of many.

The CSIS analysis drew a broader conclusion. Iran's cyber operations in this war are not calibrated responses. They are "unbridled escalation" in a domain where attribution is slow, consequences are diffuse, and the rules of engagement remain undefined. [14] A conventional missile strike on Ras Laffan produces immediate diplomatic consequences. A wiper attack on a Michigan medical company produces a TechCrunch article and a stock dip. The asymmetry is the strategy. Iran cannot match American air power. It can, however, reach into the American corporate network and delete things. And it has now demonstrated that it will.

Stryker remains in partial restoration as of Friday. The company has not disclosed whether patient data was compromised. Hospitals that depend on Stryker's surgical equipment and supply chain have reported delays but not, so far, patient harm. The 200,000 wiped devices are being rebuilt one by one. The war's cyber front is quiet the way a minefield is quiet — the damage is already planted, and the question is only which step triggers it next.

-- DAVID CHEN, Washington