The Portage, Michigan-based company said its teams were working to understand the full scope of the attack and that business continuity measures were in place to continue serving customers and partners. The company said it had no indication of ransomware or malware and believed the incident was contained. Employees were sent home from Stryker facilities Wednesday morning after receiving instructions not to connect to the company network through any device or application.
What happened inside Stryker’s systems
The outage began shortly after midnight Eastern time. Remote devices running Microsoft’s Windows operating system, including laptops and cellphones configured to connect to Stryker’s network, were wiped, according to reporting by the Wall Street Journal. The logo of an Iran-linked hacking group reportedly appeared on login pages as the disruption spread.
Stryker advised employees not to turn on company-issued devices and to disconnect from all networks immediately. The company also instructed staff to remove mobile device management applications and work profiles from personal cellphones. Stryker’s systems in Ireland were also affected, according to local media reports.
The company’s internal message to employees confirmed that security experts and law enforcement had been engaged. Stryker employs more than 53,000 people across 61 countries and recorded $22.6 billion in global sales in 2024. It serves more than 150 million patients annually through its medical and surgical equipment, which includes defibrillators, ambulance cots, orthopedic devices, and neurosurgical tools.
The Iran connection and what triggered it
The hacking group that claimed credit posted on social media Today that the Stryker attack was carried out in retaliation for a missile strike on an elementary school in Iran. Iranian state media has reported that the strike killed at least 168 children. The Pentagon said it was investigating the incident.
U.S. intelligence officials had previously warned that Tehran-linked hackers could retaliate following the U.S. and Israeli bombing campaign against Iran, which began in late February. Cybersecurity analysts said the Stryker attack appeared to be among the first significant pro-Iranian hacking operations against U.S. infrastructure since the conflict began.
Email security firm Proofpoint said Wednesday that its monitoring of known Iranian groups had identified only one hacking campaign targeting a U.S. organization since the war started, an attempted breach of a think tank employee, before the Stryker incident.
Health sector on alert as broader concerns mount
Cybersecurity executives across the health sector told CNN Today they were closely watching for any further impacts from the attack and any follow-on operations. It remained unclear whether the disruption had any immediate effect on Stryker’s ability to supply medical equipment to U.S. hospitals.
Cybersecurity professionals who have tracked nation-state threats to critical infrastructure noted that the health sector remains particularly exposed to attacks from adversaries with destructive intent rather than financial motivation. Iran, China, and Russia all represent persistent threats to sectors where operational disruptions carry direct consequences for patient safety.
Stryker shares fell more than 3% following disclosure of the attack. The company said its investigation was ongoing and that additional updates would be provided as more information became available.
