The modern threat to the United States homeland is no longer characterized only by bombs, border infiltration, or spectacular terrorist attacks. Danger increasingly emerges through ambiguous, deniable, and technologically mediated operations designed to impose disruption or destruction without crossing the threshold of conventional war. That was a central argument in Dr. Yayla’s three-part analysis, “Beyond the Proxy: Reassessing the Terrorism Threat to the U.S. Homeland in the War with Iran,” published in Homeland Security Today earlier in April. The warning bears repeating: adversaries such as Iran possess multiple pathways to pressure the United States beyond missiles or militias.
The March 11 cyberattack on Stryker Corporation has confirmed that warning. Stryker, a leading global medical device manufacturer, experienced one of the most significant politically motivated, destructive cyberattacks against a U.S. company. The attack caused massive disruption to the company’s global operations and affected many healthcare organizations that partner with Stryker. Current and former U.S. government officials described the incident as likely the most significant wartime cyberattack against the United States in history[1].
An Iranian hacker group named Handala Hack (a.k.a. Void Manticore) claimed responsibility for the attack on its Telegram and X accounts[2]. The group is an active threat actor that allegedly operates on behalf of Iran’s Ministry of Intelligence and Security[3].
Whether viewed as cyber sabotage, coercive signaling, or a retaliatory strike, the attack demonstrates that Iran can reach the American homeland through private-sector targets in cyberspace. It is also a strong signal that Iran or other adversaries can inflict harm on businesses, and potentially on critical infrastructure, through cyberspace, with consequences in the physical domain. This article examines the Stryker incident through three lenses critical to national security policy: attribution, retribution, and deterrence, with a particular focus on cyberwarfare.
The Stryker Incident: More Than a Corporate Breach
The Stryker cyberattack unfolded differently from most other attacks you may encounter in the news. It was not a typical data breach or a ransomware attack that demands payment from the victim. In many ransomware cases, attackers demand a ransom to restore the victim’s access to its data or threaten to release the data publicly; such attacks are financially motivated, the attacker’s goal being to make money. The Stryker incident had a different motivation: to cause massive disruption and destruction. The attack did not involve ransomware or other malware, according to Stryker[4]. The attackers did not request a ransom payment or take data hostage. The attack was politically motivated and retaliatory in nature. It was a destructive wiper operation.
Analysis of the attack suggests that attackers first compromised an administrator account with access to Microsoft Intune, a cloud-based endpoint management platform that organizations use to remotely manage corporate devices. The attackers then issued mass remote-wipe commands using Intune’s built-in function to simultaneously factory-reset devices across Stryker’s global workforce[5]. When a device is wiped, all data stored on it is permanently erased. Handala claimed to have wiped 200,000 devices[6], while other reports put the number at roughly 80,000 endpoint devices[7]. Such a large-scale wipe operation causes long-term disruption to any company’s network. A full restoration of all the devices impacted could take months.
Using wipers was a tactical decision, and Iran employed them in cyber operations during earlier conflicts. In 2012, Saudi Aramco and Qatari RasGas were targeted by a cyberattack involving the wiper malware Shamoon[8]. The malware was designed to remotely erase data from computer systems, an act of sabotage. U.S. intelligence officers attribute the attack to Iran, without offering specific evidence[9]. The same malware was employed again in 2016 and 2017, this time to target government and civil organizations in Saudi Arabia[10]. We saw another use of wipers in cyber operations during the Russia-Ukraine conflict. Ten days before the military invasion began in Ukraine, Russia used disk-wiping malware to attack Ukrainian businesses and organizations to make target systems inoperable[11].
Stryker was not an ordinary target. Many hospitals and other healthcare institutions rely on Stryker products, including orthopedic implants, surgical systems, defibrillators, and hospital beds. The company’s products reach more than 150 million patients annually across 61 countries[12]. A prolonged disruption at such a company directly affects the supply chain and healthcare delivery. A healthcare professional at a major U.S. university medical system stated they could not order surgical supplies they normally source from Stryker, calling it a “real-world supply-chain attack”[13].
Attribution: Who Really Attacked Stryker?
Attribution is often problematic in cyberattacks because perpetrators are difficult to identify clearly. Nation-state actors rarely claim responsibility; they use hacker groups to deny their involvement. Spoofing the source of an attack or concealing identifying attributes is relatively easy in cyberspace, making attribution even more challenging. Analysts distinguish between two complementary forms of attribution: technical attribution and strategic attribution.
Technical Attribution
Technical attribution draws on the tactics, techniques, and procedures (TTPs) employed by the attacker. Analysis of malware signatures, domain names, IP addresses, command-and-control patterns, coding tradecraft, and the attack methodology can help identify the perpetrator. In the Stryker case, investigators determined that the attackers gained initial access, likely through an adversary-in-the-middle phishing scheme, and then exploited Microsoft Intune to issue mass-wipe commands[14]. The attackers turned Stryker’s own administrative architecture against the company.
The Stryker hack is an example of a living-off-the-land (LOTL) attack. LOTL is an attack technique in which attackers use legitimate, native tools rather than malware to achieve their objectives. Such attacks are more difficult to detect and defend against, because the malicious activity resembles normal administrative behavior. In the case of Stryker, attackers misused Microsoft Intune’s built-in capabilities to wipe endpoint devices[15]. The Iranian hacker group Handala claimed responsibility for the attack.
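As an added illustration (not code from this article, from Stryker, or from any vendor), the kind of detection a defender would want for the mass-wipe pattern described above and in the Intune paragraph earlier: because a single wipe is normal administrative behavior, the signal is rate, not the action itself, so the script keeps a per-account sliding window over destructive management actions. The action names and record layout are assumed, and the sample events are constructed.

```python
"""Flag bursts of remote-wipe commands in endpoint-management audit events.

One wipe is routine (help desk retiring a lost laptop); dozens from one admin
account in minutes are not. A per-actor sliding window over destructive
actions raises one alert per actor whose in-window count reaches a threshold.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed action names; the record layout below is a constructed, simplified
# shape and is not Microsoft's Intune audit schema.
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire"}

# Constructed sample (JSON lines): one routine help-desk wipe, then six
# destructive actions from a single admin account within five seconds.
SAMPLE_LOG = """\
{"ts": "2026-01-01T01:02:11Z", "actor": "helpdesk@example.test", "action": "Wipe", "device": "LT-0417"}
{"ts": "2026-01-01T02:15:40Z", "actor": "helpdesk@example.test", "action": "Sync", "device": "LT-0020"}
{"ts": "2026-01-01T03:00:01Z", "actor": "admin@example.test", "action": "Wipe", "device": "LT-1001"}
{"ts": "2026-01-01T03:00:02Z", "actor": "admin@example.test", "action": "Wipe", "device": "LT-1002"}
{"ts": "2026-01-01T03:00:02Z", "actor": "admin@example.test", "action": "Retire", "device": "LT-1003"}
{"ts": "2026-01-01T03:00:03Z", "actor": "admin@example.test", "action": "Wipe", "device": "LT-1004"}
{"ts": "2026-01-01T03:00:04Z", "actor": "admin@example.test", "action": "Wipe", "device": "LT-1005"}
{"ts": "2026-01-01T03:00:05Z", "actor": "admin@example.test", "action": "Wipe", "device": "LT-1006"}
"""


def parse_events(text):
    """Parse JSON-lines records; 'ts' becomes a UTC datetime and the list is time-sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per actor whose destructive actions inside any `window` reach
    `threshold`: peak in-window count, its time span and the devices touched."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[ev["actor"]].append(ev)

    alerts = []
    for actor, evs in by_actor.items():  # evs is time-ordered (parse_events sorted it)
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the left edge
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"actor": actor, "count": count, "first": evs[start]["ts"],
                        "last": evs[end]["ts"],
                        "devices": [e["device"] for e in evs[start:end + 1]]}
        if best:
            alerts.append(best)
    return alerts
```

On the sample, the help-desk account never trips the threshold while the admin account produces one alert listing all six devices; the same window logic applies to any management action whose legitimate rate is low.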
Cyber threat intelligence (CTI) is a subfield of cybersecurity focused on exploring, understanding, and analyzing cyber threats and threat actors. To identify the perpetrator of a cyberattack, CTI analysts investigate the tactics, techniques, and procedures (TTPs) used in the attack and compare them against those of known threat actors. TTPs can be understood as attackers’ modus operandi; however, they are often not unique to a particular group. Several groups may use similar TTPs in their cyber operations, learn from one another, or use malware developed by other threat actors. The group Handala Hack is listed as “Void Manticore” in MITRE’s CTI list and is reported to operate on behalf of Iran’s Ministry of Intelligence and Security[16]. Its TTPs include a wide range of techniques for initial access, execution, persistence, privilege escalation, and other tactics, demonstrating the group’s sophisticated capabilities.
Strategic Attribution
Strategic attribution identifies the likely threat actor behind an attack by investigating the strategic benefits, geopolitical context, timing, target selection, and other related variables. The group claiming responsibility, Handala, has been assessed as a hacktivist persona linked to Iran’s Ministry of Intelligence and Security (MOIS). The group has been active since 2021 and has been involved in other allegedly state-sponsored activities. In 2022, Albanian government agencies were targeted by a destructive wiping attack. The Iranian government was accused of orchestrating the attack to punish the Albanian government for hosting the People’s Mojahedin Organization of Iran (MEK), an exiled Iranian opposition group, in Albania. Reports indicate that Handala was the perpetrator of that attack, using the persona “Homeland Justice”[17]. The group was also involved in another destructive wiping operation against Israeli targets, using a different persona, Karma[18]. These attacks suggest that the group acts as Iran’s agent in cyberwarfare campaigns.
Handala framed the Stryker attack as retaliation for a U.S. airstrike on a school in Iran during the early phases of the U.S.-Israeli military operations against Iran, which killed more than 170 people, most of them schoolgirls[19]. After the airstrike, Iranian officials stated that Tehran would target U.S. companies with ties to the U.S. military or Israel. Stryker is a medical contractor for the U.S. military. It also acquired the Israeli orthopedic device company OrthoSpace in 2019[20]. It was a perfect strategic target for the Iranian government.
Iran has long leveraged proxies in physical conflicts. This strategy advances Iran’s interests by pressuring adversaries while preserving deniability and staying below the threshold for a military response. Cyber proxies can serve an identical purpose: they can advance Iranian strategic interests without necessarily provoking a retaliatory attack.
Retribution: How Should the United States Respond?
Well-established response frameworks exist for physical attack scenarios in which an adversary strikes a U.S. target. However, the response options are not clear when a U.S. business’s computer systems are attacked remotely by an allegedly state-sponsored hacker group. This ambiguity creates gray zones that benefit state actors. The following discussion explores likely responses to the current attack and similar ones.
Option One: Law Enforcement
Law enforcement operations targeting technical infrastructure can hinder hacker groups’ activities. On March 19th, the FBI seized Handala’s data leak website and associated domains following the attack. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency advisory, informing businesses about the ongoing threat[21]. The Justice Department explicitly characterized the domains as being used on behalf of a foreign state actor, signaling prosecutorial seriousness. These domains were critical components of the threat actor’s cyber infrastructure, and the seizure can slow down their operations in the short term. Such crackdowns are necessary steps, but their deterrent effect is limited because threat actors can rapidly reestablish their infrastructure.
Option Two: Retaliation
Washington may choose retaliatory offensive cyberattacks against Iranian targets. However, this strategy is likely to escalate the cyber conflict, and U.S. companies would suffer more. Businesses and consumers in the U.S. are heavily dependent on information and communication technologies (ICT). An interruption in those services can significantly affect daily life. Critical infrastructure also requires uninterrupted ICT services to maintain essential functions. The Colonial Pipeline attack of 2021 demonstrated the vulnerability of critical infrastructure and American society to cyberattacks[22]. Iran would have an advantage in any asymmetric conflict, including in cyberspace.
Option Three: Denial of Benefits
A denial strategy focuses on improving cyber defenses, reducing the attack surface, and hardening systems to deny threat actors the benefits of their attacks. This option, if implemented successfully, can render cyberattacks fruitless and deter attackers. Unfortunately, it is very hard to achieve. Despite all the technological developments in cybersecurity, reducing risk to zero is seemingly impossible. Attackers are not short of targets in cyberspace. With adequate resources, they can find ways to compromise computers and networks in one way or another.
Option Four: Integrated Deterrence
Integrated deterrence employs a comprehensive approach, leveraging not only technical measures but also instruments of state power, such as diplomacy, economic sanctions, and international pressure[23]. This option can be an effective strategy when implemented properly, proportionately, and consistently. It can de-escalate cyber conflicts and deter future attacks.
Deterrence: Why Old Models Are Failing
Traditional deterrence strategies were devised to deal with identifiable state actors with tangible assets that can be held at risk. That strategy has worked for decades to prevent nuclear war. However, it is not as useful in cyberwarfare. States can easily hide their activities behind proxies, strike at relatively low cost, and operate without being restricted by physical boundaries. The Stryker cyberattack is a living example of why old models of deterrence are failing. Effective deterrence requires a more comprehensive approach combining technical and political instruments:
- Denial through resilience: Although achieving 100% immunity is not feasible, we can improve organizations’ resilience to cyberattacks to deny attackers benefits. Long-tested methods such as defense-in-depth, zero-trust access (ZTA), network segmentation, proper backup strategies, well-implemented multi-factor authentication, and disaster planning can help organizations reduce the likelihood of attacks and, more importantly, recover rapidly after an attack.
- Rapid public attribution: When perpetrators do not claim responsibility, target states often avoid directly blaming other states for supporting the attack. The ambiguity can benefit aggressors and complicate the response. The Department of Justice’s naming of Iran’s Ministry of Intelligence and Security as the actor behind the attack after the Stryker incident removed that ambiguity and facilitated law enforcement efforts.
- Public-private partnership: Most of the U.S. critical infrastructure is operated by private organizations. When there are no regulations requiring companies to invest more in cybersecurity, many act slowly and reluctantly, until one day they learn the importance of cybersecurity the hard way. Government agencies can work with the private sector, providing guidance and incentives to help build a modern, resilient cyber infrastructure.
Implications for the U.S. Homeland
The threat matrix is evolving. The older model of homeland threat, centered on sleeper cells, bomb plots, embassy attacks, and direct operatives, has not disappeared, but it now operates alongside a fundamentally different model built on cyber proxies, supply-chain sabotage, corporate disruption, and deniable digital auxiliaries. The table below illustrates this transition.
Conclusion
The Stryker incident was not an isolated corporate breach. Officials described the attack as likely the most significant wartime cyberattack against the United States. It was a preview of how adversaries can inflict harm and apply pressure inside the U.S. through deniable, asymmetric means and via cyberspace. It also shows that adversaries can bypass traditional security controls, exploit misconfigurations, and turn legitimate administrative tools installed on the target system against the target. The use of wiping operations signals that future attacks will likely be destructive rather than merely disruptive, and that critical infrastructure will likely be the primary target in cyberwarfare.
Our dependence on information and communication technologies is making us more vulnerable to their disruption. Without an effective deterrent strategy, threat actors will likely employ cyber operations at an increasing scale. The U.S. can mitigate the likelihood of these attacks by improving defensive capacity, increasing resilience, and employing a comprehensive deterrence strategy.
When missiles are costly, proxies are exposed, and keyboards become the weapon of choice, the battlefield extends from military installations to hospital supply rooms, surgical suites, and the administrative infrastructure of everyday American life. Defending that battlefield requires a national security posture tailored to the adversary that actually exists.
References
[1] Soufan Center. (2026, March 17). IntelBrief: Cyber operations as Iran’s asymmetric leverage. https://thesoufancenter.org/intelbrief-2026-march-17/
[2] Vicens, A. J., & Santhosh, C. (2026, March 11). Iran-linked hackers claim responsibility for attack on US medical device maker Stryker. Reuters. https://www.reuters.com/technology/stryker-shares-fall-after-report-suspected-iran-linked-cyberattack-2026-03-11/
[3] Check Point Research. (2026, March 12). Handala Hack – Unveiling Group’s Modus Operandi. https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
[4] TechCrunch. (2026, March 11–12). Pro-Iran hacktivist group says it is behind attack on medical tech giant Stryker. https://techcrunch.com/2026/03/11/stryker-hack-pro-iran-hacktivist-group-handala-says-it-is-behind-attack/
[5] Alder, S. (2026, April 15). Stryker cyberattack has impacted first quarter earnings. HIPAA Journal. https://www.hipaajournal.com/stryker-cyberattack-iran/
[6] Institute for Security + Technology (IST). (2026, March 17). The Fight Comes to Our Shores: Breaking Down the Cyber Attack on Stryker. https://securityandtechnology.org/blog/the-fight-comes-to-our-shores/
[7] Alder, S. (2026, April 15). Stryker cyberattack has impacted first quarter earnings. HIPAA Journal. https://www.hipaajournal.com/stryker-cyberattack-iran/
[8] Council on Foreign Relations. (2012). Compromise of Saudi Aramco and RasGas. https://www.cfr.org/cyber-operations/compromise-of-saudi-aramco-and-rasgas
[9] Perlroth, N. (2012, October 23). In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back. The New York Times. https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html
[10] Albano, K., & Kessem, L. (2017). The full Shamoon: how the devastating malware was inserted into networks. IBM X-Force. https://www.ibm.com/think/x-force/the-full-shamoon-how-the-devastating-malware-was-inserted-into-networks
[11] Bastug, M. F. (2023). Are We Ready for the Current and Emerging Cyber Threats? https://orionpolicy.org/are-we-ready-for-the-current-and-emerging-cyber-threats/
[12] Al Jazeera. (2026, March 11). Iran-linked hackers hit medical giant Stryker in retaliatory cyberattack. https://www.aljazeera.com/news/2026/3/11/iran-linked-hackers-hit-medical-giant-stryker-in-retaliatory-cyberattack
[13] KrebsOnSecurity. (2026, March 11). Iran-backed hackers claim wiper attack on medtech firm Stryker. https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
[14] Safundzic, A. (2026, April 9). The Stryker Hack: How One Compromised Admin Account Led to 200,000 Wiped Devices. Lumos. https://www.lumos.com/blog/stryker-hack
[15] Lomasky, A. (2026, March 25). Unpacking the Stryker Cyberattack – How InTune was used to maliciously wipe 80,000 devices. PMMI. https://www.pmmi.org/blog/unpacking-the-stryker-cyberattack—how-intune-was-used-to-maliciously-wipe-80-000-devices
[16] MITRE ATT&CK. (2026, April 23). VOID MANTICORE. https://attack.mitre.org/groups/G1055/
[17] Check Point Research. (2024, May 20). Bad Karma, No Justice: Void Manticore Destructive Activities in Israel. https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/
[18] Ibid.
[19] Al Jazeera. (2026, March 11). Iran-linked hackers hit medical giant Stryker in retaliatory cyberattack. https://www.aljazeera.com/news/2026/3/11/iran-linked-hackers-hit-medical-giant-stryker-in-retaliatory-cyberattack
[20] KrebsOnSecurity. (2026, March 11). Iran-backed hackers claim wiper attack on medtech firm Stryker. https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/
[21] Department of Justice. (2026, March 19). Justice Department Disrupts Iranian Cyber Enabled Psychological Operations [Press release]. https://www.justice.gov/opa/pr/justice-department-disrupts-iranian-cyber-enabled-psychological-operations
[22] Bastug, M. F. (July 2023, 2021). Rethinking Cybersecurity After Colonial Pipeline Hack. https://orionpolicy.org/rethinking-cybersecurity-after-colonial-pipeline-hack/
[23] Van de Velde, J. (2023). Cyber Deterrence Is Dead! Long Live “Integrated Deterrence”! Joint Force Quarterly, 109, 43.