Summary
A major global disruption has hit Stryker, one of the world’s largest medical technology companies, after a cyberattack that Irish reporting described as a “wiper” incident — the destructive kind of attack designed to erase data rather than extort money. The incident has forced widespread shutdowns, with employees in Ireland describing locked-out systems, wiped devices, and instructions to avoid connecting to company networks until cleared.
Ireland is central to Stryker’s international footprint. The company’s biggest hub outside the U.S. is based in and around Cork, with multiple manufacturing sites and innovation centers that support the production of medical devices used globally. Reports from Cork said systems at the headquarters were shut down and some manufacturing technology was effectively disabled, creating immediate operational and financial pressure as teams tried to keep production running where possible.
Multiple sources in Cork reported that the attack left “anything connected to the network” offline. Support staff, administrative teams and engineers were reportedly told to go home as the incident response escalated. Some employees also said personal phones that had corporate email profiles connected through Microsoft apps were wiped, pushing internal communication into WhatsApp groups while the company assessed what was safe to use.
One detail stood out across accounts: login pages appearing on affected devices were defaced with the Handala logo, a banner associated with a pro-Palestinian hacktivist brand that several threat-intelligence discussions have linked to Iranian interests.
Wiper attacks are considered among the most serious forms of cyber incidents because the goal is often destruction and disruption — not negotiation. Irish reporting described the event as one where data on targeted systems is “wiped out” and cannot be retrieved, a pattern that aligns with politically motivated cyber operations during periods of escalating geopolitical conflict.
That framing is especially sensitive when the target is a global medical-device maker: even when patient-facing systems inside hospitals are not directly hit, manufacturing, distribution, customer support and quality systems can be thrown into chaos if corporate networks go dark.
Stryker confirmed it is dealing with a global network disruption affecting the Windows environment, saying teams are working to restore systems and operations as quickly as possible and that business continuity measures are in place to keep serving customers.
“We are currently experiencing a global network disruption affecting the Windows environment. Our teams are actively working to restore systems and operations as quickly as possible. Stryker has business continuity measures in place, and we’re committed to continuing to serve our customers.”
Separate reporting described internal guidance telling staff not to power on company devices, to disconnect from networks, to avoid suspicious links, and to remove work profiles from mobile devices as a precaution while the company worked with Microsoft on investigation and recovery.
In Cork, where Stryker operates key manufacturing lines, local reporting said the shutdown has been damaging because it disables the technology used to manufacture medical products and devices. The immediate priority was restoring production to machines knocked out by the incident. Some manufacturing equipment was believed to still be operating, but it was unclear how long those lines could continue without broader system recovery.
Irish outlets also highlighted the scale of the workforce tied to these operations — roughly 5,500 employees in Ireland, with about 4,000 based in Cork, across six manufacturing facilities and three innovation centers (Cork, Belfast, and Limerick).
Who is Handala — and why the name is showing up now
Handala is both a symbol and, in this context, a hacktivist label. The Handala character — a cartoon Palestinian boy created in 1969 by cartoonist Naji al-Ali — is widely associated with Palestinian resistance imagery, and Irish reporting noted the group uses this symbol.
The timing is also hard to ignore. The cyber incident is unfolding amid a broader wave of regional cyber activity tied to the war involving Iran, the U.S. and Israel — a period in which security researchers have warned that disruptive tactics (including defacement, DDoS and wiper activity) can surge alongside kinetic conflict.
On the same day, Israeli outlets reported a breach of the Academy of the Hebrew Language website, with a threatening message displayed alongside Handala branding.
Israeli reporting has also cited warnings from the Israeli National Cyber Directorate about attempts to intercept a wave of Iranian cyber activity targeting civilian companies in recent days — a backdrop that raises the stakes for any major multinational linked (directly or indirectly) to regional commerce and supply chains.
Ireland’s National Cyber Security Centre (NCSC) has been notified of the incident and is understood to be responding, according to Irish reporting.
The NCSC’s incident-response arm (CSIRT-IE) acts as a national point of contact for cyber incidents involving entities within Ireland, with a core mission focused on government bodies and critical national infrastructure — but also a broader role in national coordination and situational awareness during major events.
