Author: Christopher Vos, Director - Cyber Model Development, Moody's - Insurance Solutions
Moody’s has been closely monitoring the cyber threat landscape since Operation Epic Fury began on February 28, 2026. The relative silence from the (re)insurance market perspective in the cyber domain has now been broken.
The first confirmed destructive cyber-attack from an Iranian threat group against a major Western corporation has now occurred.
Stryker wiper attack
On March 11, 2026, the threat group Handala conducted a destructive wiper attack against Stryker Corporation. Handala [a.k.a. Void Manticore] has been linked to Iran’s Ministry of Intelligence and Security and is operating under a hacktivist persona to obscure attribution.
Stryker is a Fortune 500 medical device manufacturer listed on the NYSE, with annual revenue of US$25 billion and 56,000 employees across 75 countries. Stryker confirmed the attack in an 8-K filing with the U.S. Securities and Exchange Commission (SEC) on March 11.
An announcement on Stryker’s website to customers stated it “… is experiencing a global network disruption to our Microsoft environment as a result of a cyber-attack.”
Stryker has closed its Michigan headquarters, and staff across its 79 offices worldwide are unable to access company systems.
At Stryker’s facility in Cork, Ireland, its largest innovation and manufacturing hub outside the U.S., over 4,100 employees across six sites were reported to have been sent home.
Stryker acknowledged the severity of the incident in internal communications, telling staff that it is “…experiencing a severe, global disruption impacting all Stryker laptops and systems that connect to our network.”
Stryker’s whole global operation is understood to have gone down within seconds of the attack. Handala claimed responsibility, stating it had compromised over 200,000 systems, displayed its logo on the login screens of infected company devices, and stolen 50 terabytes of ‘sensitive company data’. However, these details have not been independently confirmed.
The group said the cyber-attack is in retaliation for the destruction of the Shajareh Tayyebeh girls' elementary school in Minab, southern Iran, where it was reported that around 180 people were killed and 95 were injured, mainly schoolchildren.
Current reporting suggests that Handala targeted Stryker because of its US$450 million medical supply contract for the U.S. military and its 2019 acquisition of Orthospace, an Israeli medical technology firm.
Why was there (relative) silence—up until now?
Three (non-mutually exclusive) hypotheses may explain the silence up to this point:
- Capability degradation: Internet connectivity in Iran has dropped to 1-4% of normal levels, due to a combination of government-ordered shutdowns and U.S./Israeli cyberattacks on Iran's routing infrastructure, likely inhibiting at least a subset of Iranian threat groups. Furthermore, on March 4, the Israel Defense Forces struck the Islamic Revolutionary Guard Corps (IRGC) cyber warfare unit’s compound, likely damaging physical infrastructure and operational capacity.
- Covert pre-positioning: Iranian threat groups have been quietly gaining footholds within targets and preparing ahead of launching destructive attacks.
- Kinetic primacy: While Iran retained substantial conventional strike capacity, with offensive missile and drone stockpiles still available and launch infrastructure largely intact, there may have been little incentive to expend scarce cyber capabilities, which are costly to develop, fragile to deploy, and produce largely reversible damage. Kinetic options deliver permanent, irreversible effects and were the regime's preferred instrument of retaliation.
What should (re)insurers watch out for?
Iran's daily missile launch rate has declined sharply since the opening days of the conflict, suggesting progressive depletion of stockpiles and physical destruction of launchers. As kinetic capabilities diminish, cyber may transition from an auxiliary tool to one of the regime's few remaining means of asymmetric retaliation.
Based on our understanding of the Iranian cyber ecosystem and what we know about observed capabilities, we believe the most probable path to material insured cyber losses is not a single catastrophic event but many sector-specific attacks. These could be coordinated wipers, attacks on industrial control systems (ICS), and/or ransomware across critical infrastructure, government, and/or enterprises.
(Re)insurers should monitor whether future Iranian cyberattack victims share the same profile as Stryker: U.S. military contracts, Israeli business ties, and/or defense-adjacent operations.
If this targeting pattern holds, it offers an early signal of the emerging footprint’s correlation structure. If the justification proves to be retrospective rather than determining target selection, the potential footprint broadens considerably.
Attacks by state-aligned groups operating under hacktivist personas raise complex questions about war exclusion wording in cyber policies. Depending on the policy, exclusions may turn on attribution to a state, the nature of the hostile act, the degree of impact on state-level essential services, or some combination of these.
An attack against an individual corporation, however severe, likely sits below the systemic thresholds most exclusions were designed to address. A more difficult question is whether a coordinated campaign of individual, sub-systemic attacks, spread across a variety of sectors and insureds, could collectively reach a point where exclusions trigger.
Bottom line: The Stryker wiper attack demonstrates that Iranian-linked groups retain the capability to conduct destructive cyber operations against major Western corporations despite the near-total internet blackout.
The central question is no longer whether Iran will retaliate in the cyber domain, but whether this is an isolated incident or the beginning of a broader campaign. Moody's will continue to monitor the situation, which remains highly dynamic.