The target was US medical technology company Stryker, which makes surgical and imaging equipment, defibrillators, hospital beds, joint-replacement systems and other medical devices — some of which the US military uses to treat wounded personnel. Iranian attackers wiped devices connected to the company’s systems and replaced login screens with the logo of the pro-Iranian group “Handala.”
The strike highlights a destructive tool that has become a staple of modern cyber conflict: the wiper attack. Unlike ransomware or espionage operations, wiper attacks are designed with a single purpose — to destroy. Rather than stealing information or extorting money, these attacks erase data, overwrite key system components, and render devices permanently unusable.
Iran has long exploited cyber weapons. In 2012, it launched the so-called Shamoon attack against Saudi Aramco, the world’s largest oil company. In Persian, Shamoon means “he has heard.” The attack introduced a virus into 30,000 Aramco computers, erasing files, overwriting the master boot record, and rendering the computers unable to boot.
A group calling itself the “Cutting Sword of Justice” claimed responsibility, framing the attack as retaliation for Saudi policies. It came months after a destructive intrusion against Iran’s own oil ministry. Additional Iranian campaigns in 2016 and 2018 targeted energy-sector organizations in Saudi Arabia and the United Arab Emirates with modified versions of the same destructive malware.
Wiper malware occupies a distinct category within cyber operations. The majority of cyber intrusions aim to quietly collect intelligence. Wipers, by contrast, are loud and destructive. They function as instruments of sabotage, and have been used extensively by Russia in Ukraine during the conflict.
Technically, wiper programs destroy data by targeting the core structures that allow computers to store and retrieve information. By overwriting elements such as the master boot record or file tables, the malware prevents systems from starting and makes data recovery almost impossible. The result ripples across an organization’s entire digital environment.
Wiper attacks allow states to retaliate, signal disdain, or cause economic disruption below the level of armed conflict. These attacks communicate disdain while maintaining plausible deniability and limiting escalation risks.
What may make the present attack against Stryker particularly notable is how it appears to have spread through devices connected to the company’s corporate systems. Stryker and many other companies today rely on “bring your own device” policies that allow employees to access corporate networks using personal laptops and smartphones. These devices are often linked to corporate infrastructure through device management software or enterprise security tools.
On Reddit, Stryker employees expressed frustration over personal devices being wiped along with corporate systems. “Have lost access to my eSim,” one reported. “Unable to log into many things due to 2-factor authentication. Have lost all personal data from personal devices that were enrolled and now unable to access emails and teams.”
Wiper attacks typically target institutional IT (i.e., servers, workstations, industrial systems). By extending to personal devices, the Stryker attack represents an important escalation.
For policymakers and companies alike, the Stryker incident underscores an important reality. Modern cyberattacks spread, putting whoever and whatever is connected to the network at risk. Companies and organizations must wake up to the dangers. They should take measures not only to block destructive malware from their corporate systems but also to prevent attackers from reaching into their employees’ personal devices.
Emily Otto is a Fellow with the Tech Policy Program and Transatlantic Defense and Security Program at the Center for European Policy Analysis (CEPA). Currently a PhD student at Johns Hopkins SAIS, she served as a Cyber Operations Officer with the Cyber National Mission Force and the Cyber Protection Brigade under US Cyber Command.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.