Handala, a hacktivist group believed to be a front for Iranian state-sponsored hackers, claimed in messages on its Telegram channel that it had breached Stryker.
Staff at the Michigan-based firm claimed that the logo of an Iran-linked threat actor had begun popping up on login pages, while Stryker has said it is experiencing outages.
“Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyber attack. We have no indication of ransomware or malware and believe the incident is contained,” the company said on LinkedIn.
“Our teams are working rapidly to understand the impact of the attack on our systems.
“Stryker has business continuity measures in place to continue to support our customers and partners. We are committed to transparency and will keep stakeholders informed as we know more.”
The company has not attributed the attack to any specific threat actor.
Who is Handala?
Handala largely targets Israeli entities or organisations with links to Israel and its military. It’s known to use a wide range of tactics, techniques and procedures to gain access to its victims, including spear phishing. Though tracked as a ransomware operator by some, the group’s motivations are entirely political, and no ransom demands are ever made.
When Iran was bombed last year, Handala claimed to have carried out a wave of cyber attacks targeting Israeli organisations.
Petroleum conglomerate the Delek Group and its Delkol subsidiary were the first victims listed as part of Handala’s campaign, with the hackers claiming to have stolen more than two terabytes of data.
“Your fuel systems are exposed. and so are your secrets,” Handala said in a 14 June leak post.
“Over two terabytes of classified data are no longer in your hands. Your fuel stations are vulnerable. If you’re smart, you’ll act now. Fuel up immediately, before you’re left with nothing but empty roads and silent jets. Time is not on your side.”
The Israel Fuel Corporation, another Delek subsidiary, is one of Israel’s largest service station chains.
On the same day, the group listed Argentinian drone maker AeroDreams, Israeli construction firm Y.G. New Idan, and ISP 099 Primo Telecommunications.
AeroDreams’ website appears to be down at the time of writing, but Handala claims the company has links to the Israeli Air Force.
In the wake of the widespread CrowdStrike outage in 2024, the group was observed using emails claiming to be from the cyber security firm and offering a fix for the issue. However, in the guise of a file called CrowdStrike.exe, the hackers were able to deploy a malicious wiper program capable of deleting entire directories on an infected machine.
The group’s internet traffic appears to originate from Iranian IP addresses, and a report from the website Iran International links Handala to Iran’s Ministry of Intelligence.
While some of Handala’s victims have claimed the group exaggerates its activity – a common tactic for hacktivist groups – others have confirmed the hackers’ claims. In January 2025, Handala gained access to public address systems in Israeli kindergartens in order to broadcast red alert warnings and propaganda, an attack that Israel’s National Cyber Directorate later confirmed.