WASHINGTON—Iran pulled off what is likely the most significant wartime cyberattack against the U.S. in history, leveraging its hacking capabilities to cause major disruptions at a global medical-equipment firm that has struggled to bring itself back online in recent days.
The attack brought a conflict that until now had been largely confined to the Gulf region to the American homeland and offered a preview of the potential for how Iran may broaden its response to the U.S. and Israeli military campaign.
Stryker, the Michigan-based firm hit in the hack, said it experienced “global disruption” and quickly contained it. The company said it believed the incident had been limited to its internal Microsoft systems. The company added that some hospitals may be experiencing temporary pauses in transmissions of medical data, but that its connected products “are not impacted and are safe to use.” Microsoft hasn’t commented on the hack.
For years, U.S. national-security officials have worried that Iran, lacking the ability to reach the American homeland with intercontinental ballistic missiles, would turn to other forms of asymmetric warfare in retaliation for military strikes against the regime.
The two most alarming scenarios, officials often said, involved either inspiring individual acts of domestic terrorism or major disruptive cyberattacks on U.S. businesses or critical infrastructure.
With the Stryker hack, Iran has made the latter scenario a reality, turning cyber weapons into part of a wartime effort to diminish U.S. resolve for continuing with the war, former officials and security experts said.
“This is the first extended conflict in which we have played a major role that really integrated cyber and kinetic operations together on both sides,” said Cynthia Kaiser, a former senior cyber official at the Federal Bureau of Investigation and now a senior vice president at cyber firm Halcyon. U.S. officials have said publicly that offensive cyber operations were part of the initial wave of military strikes late last month.
Stryker, which makes joint implants, robotic surgery systems and other medical devices and equipment, told its roughly 56,000 employees Wednesday to disconnect from all networks and avoid turning on company-issued devices. Employees across the globe, including in the U.S., Ireland and Australia, reported their complaints on a Reddit thread.
In online statements, some hospitals said they had temporarily paused use of Lifenet, a Stryker system that lets emergency-medical-service workers transmit patients’ vital-sign data, because of the hack.
Stryker said Lifenet was functioning normally and that the hospitals and EMS providers that paused it had done so independently, not at the company’s direction and not because the cyberattack had disrupted the system.
Stryker said Sunday that electronic ordering systems were unavailable, but it was making steady progress on bringing operations back online. The company is giving priority to the systems that directly support customers, ordering and shipping.
“This event underscores the broader threat landscape companies face today,” said Stryker Chief Executive Kevin Lobo.
President Trump has offered mixed signals concerning his ultimate goals in Iran or when or how he sees U.S. and Israeli military operations coming to an end. Amid the uncertainty, former U.S. officials and security experts said more cyberattacks against U.S. networks should be expected.
“Iran, as far as we can tell, still has pretty formidable cyber capabilities,” despite the ongoing military pressure, Jen Easterly, the former director of the Cybersecurity and Infrastructure Security Agency during the Biden administration, said Wednesday during a talk at a WSJ Tech Live Cybersecurity event. Iranian hackers in the past have sought to go after critical infrastructure providers that operate water, power and healthcare systems, she said, but all private-sector businesses should consider themselves at risk.
“Every business leader should be saying, ‘What is the worst-case scenario in terms of disruption to my business?’” Easterly said.
Though not as adept as Chinese or Russian hackers, Iran’s diffuse network of digital operators has long been feared by Western security officials as a more unpredictable cyber adversary, one that is willing to cause mayhem, especially when the regime feels threatened.
Iran has attempted to influence the U.S. presidential election in each of the last two cycles, including by trying to leak hacked political emails, according to U.S. intelligence assessments, though its operations were often clunky or haphazard. Instead of bespoke hacking tools, Iran typically relies on cruder measures, such as spear-phishing campaigns, to get the job done.
But with some exceptions, Tehran’s past cyber aggression has often been more bark than bite, according to current and former officials and cybersecurity experts who track Iranian operations. Previous U.S. government warnings that Iran could retaliate against American interests with cyberattacks—including after last summer’s Midnight Hammer strikes against Iranian nuclear sites and the 2020 assassination of an Iranian military leader—weren’t followed by significant disruptions.
The group that claimed credit for the Stryker hack, Handala, poses as an independent hacktivist entity, but Western cybersecurity experts and U.S. officials say it works for the Iranian government. In research published Thursday, the Israeli cyber firm Check Point said Handala is actually affiliated with Iran’s Ministry of Intelligence and Security, or MOIS, Tehran’s central spy agency—a view shared by U.S. officials.
Handala is the main cyber offensive group for MOIS and “at the forefront of Iran’s national cyberwarfare,” said Gil Messing, chief of staff at Check Point, adding that it is second only to the Islamic Revolutionary Guard Corps in terms of offensive sophistication. Much of its past activity has focused on Israel and other countries in the Gulf region, but more recently it has expanded to focus on European and American targets.
“They represent much of Iran’s cyber capabilities and focus on the nation’s enemies,” Messing said.
Stryker said in a notice sent to employees Wednesday that it hadn’t identified the cause of the breach. Investigators believe one possibility is that hackers compromised the credentials of an employee or contractor, perhaps through a phishing attack. That would have enabled the hackers to access the corporate administration controls for Microsoft Intune, Microsoft’s cloud service for enrolling, managing and enforcing policy on employee devices. An administrator with sufficient Intune privileges can issue remote wipe or retire commands to enrolled devices in bulk, so such access would make it possible to wipe data on potentially tens of thousands of devices.
Stryker, in internal communications, advised employees against clicking suspicious links and urged them to remove mobile-device-management apps and work profiles from their cellphones immediately, a step that takes a phone out of Intune management and with it out of reach of a remote wipe. Stryker staff found that cellphones, as well as laptops running Microsoft’s Windows operating system, had been wiped.
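The scenario above, a single compromised account issuing wipe commands across a device fleet, is detectable in Intune’s audit trail well before tens of thousands of devices are gone, because the commands arrive as a burst from one principal. The following Python script is an added example, not Stryker’s tooling or anything described in the article. It runs over constructed sample records that only approximate the shape of Microsoft Graph `auditEvent` objects (the `GET /deviceManagement/auditEvents` endpoint); the `activityType` strings, the keyword list and the alert thresholds are assumptions for the example and should be replaced with values taken from your own tenant’s audit export.

```python
"""Detect bursts of remote-wipe commands in Microsoft Intune audit events.

Added example for the mass-wipe scenario; not Stryker's code. The sample
records are constructed and only approximate Microsoft Graph `auditEvent`
objects (GET /deviceManagement/auditEvents). The activityType strings, the
keyword list and the thresholds are assumptions, not documented Intune values.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Substrings (case-insensitive) treated as destructive device actions.
# Assumed; take the real strings from your own tenant's audit export.
DESTRUCTIVE_KEYWORDS = ("wipe", "retire")


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing 'Z' into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def load_events(text: str) -> list:
    """Accept either a bare JSON list or a Graph-style {"value": [...]} envelope."""
    data = json.loads(text)
    return data["value"] if isinstance(data, dict) else data


def is_destructive(event: dict) -> bool:
    """True if the event's type or display name mentions a wipe/retire action."""
    text = " ".join(str(event.get(k, "")) for k in ("activityType", "displayName")).lower()
    return any(word in text for word in DESTRUCTIVE_KEYWORDS)


def actor_of(event: dict) -> str:
    """Identify the principal: a user UPN, or an app name for service-principal activity."""
    actor = event.get("actor") or {}
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"


def find_bulk_wipes(events, window_seconds: int = 600, threshold: int = 10) -> list:
    """Return one alert per actor whose destructive actions reach `threshold`
    inside any sliding window of `window_seconds`, reporting the densest window."""
    per_actor = defaultdict(list)
    for event in events:
        if is_destructive(event):
            per_actor[actor_of(event)].append(parse_time(event["activityDateTime"]))

    alerts = []
    for actor, times in per_actor.items():
        times.sort()
        start, best = 0, (0, None, None)
        for end, current in enumerate(times):
            # Slide the window start forward until the window fits in window_seconds.
            while (current - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, times[start], current)
        if best[0] >= threshold:
            alerts.append({"actor": actor, "count": best[0],
                           "window_start": best[1].isoformat(),
                           "window_end": best[2].isoformat()})
    return alerts


def build_sample_export() -> str:
    """Constructed audit export: one account wipes 12 devices in five minutes,
    a second admin wipes two devices a day apart, plus a benign device sync."""
    base = datetime(2026, 3, 4, 9, 0, tzinfo=timezone.utc)

    def stamp(t: datetime) -> str:
        return t.isoformat().replace("+00:00", "Z")

    events = [
        {"activityType": "wipe ManagedDevice",
         "activityDateTime": stamp(base + timedelta(seconds=25 * i)),
         "actor": {"userPrincipalName": "helpdesk-admin@example.com"},
         "resources": [{"type": "ManagedDevice", "displayName": f"LAPTOP-{i:04d}"}]}
        for i in range(12)
    ]
    events += [
        {"activityType": "wipe ManagedDevice", "activityDateTime": stamp(base - timedelta(days=1)),
         "actor": {"userPrincipalName": "it-admin@example.com"}, "resources": []},
        {"activityType": "wipe ManagedDevice", "activityDateTime": stamp(base),
         "actor": {"userPrincipalName": "it-admin@example.com"}, "resources": []},
        {"activityType": "syncDevice ManagedDevice", "activityDateTime": stamp(base),
         "actor": {"userPrincipalName": "helpdesk-admin@example.com"}, "resources": []},
    ]
    return json.dumps({"value": events})


if __name__ == "__main__":
    for alert in find_bulk_wipes(load_events(build_sample_export())):
        print(f"ALERT {alert['actor']}: {alert['count']} wipes between "
              f"{alert['window_start']} and {alert['window_end']}")
```

Against the constructed export the script flags only the helpdesk account (12 wipes in under five minutes) and ignores the second administrator’s two wipes a day apart and the benign sync. The detection is a tripwire, not a control: the actual limiting factors are how many accounts hold an Intune role that can wipe devices, whether those accounts are protected by phishing-resistant MFA, and whether a single principal is scoped to the whole fleet or only to a slice of it.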
It remains unclear whether Stryker was a target of opportunity or one that the hackers deliberately chose to pursue. Handala said in a post on its Telegram channel that the hack was retaliation for a strike on an elementary school in Iran that state media there has said killed more than 160 people, including many children. The strike is being investigated by the Pentagon, which believes the U.S. is likely responsible, The Wall Street Journal has reported.
Reports of suspected Iran-linked hacker activity have circulated since the start of the current war, including the targeting of government email systems in Albania and an attempted intrusion into a nuclear research organization in Poland, as well as other activities in the Gulf region. None have been nearly as significant or damaging as the Stryker hack, experts said.
Iran historically was more interested in hiding its cyber operations. But more recently, Handala and other groups have sought to amplify their actual damage with threatening messages to the public in order to create a sense of vulnerability among victims and the broader public.
Write to Dustin Volz at dustin.volz@wsj.com and Peter Loftus at Peter.Loftus@wsj.com
