The first confirmed destructive cyber attack from an Iranian threat group against a major Western corporation has now occurred, according to a commentary released by Moody's.
On 11 March 2026, the threat group Handala conducted a destructive wiper attack against Stryker Corporation. Handala [a.k.a. Void Manticore] has been linked to Iran’s Ministry of Intelligence and Security and is operating under a hacktivist persona to obscure attribution.
Stryker is a Fortune 500 medical device manufacturer listed on the NYSE with an annual revenue of $25bn and 56,000 employees across 75 countries. Stryker confirmed the attack in an 8-K filing with the US Securities and Exchange Commission (SEC) on 11 March.
It has closed its Michigan headquarters, and staff across its 79 offices worldwide were unable to access company systems.
With Stryker’s whole global operation understood to have gone down in seconds after the attack, Handala claimed responsibility, stating it had compromised over 200,000 systems, displayed its logo on the login screens of infected company devices, and stolen 50 terabytes of “sensitive company data”. However, these details have not been independently confirmed.
What should (re)insurers watch out for?
Iran's daily missile launch rate has declined sharply since the opening days of the conflict, suggesting progressive depletion of stockpiles and physical destruction of launchers. “As kinetic capabilities diminish, cyber may transition from an auxiliary tool to one of the regime's few remaining means of asymmetric retaliation,” wrote Mr Christopher Vos, Director - Cyber Model Development, Moody's - Insurance Solutions.
Mr Vos said, “Based on our understanding of the Iranian cyber ecosystem and what we know about observed capabilities, we believe the most probable path to material insured cyber losses is not a single catastrophic event but many sector-specific attacks. This could be coordinated wipers, attacks on industrial control systems (ICS), and/or ransomware across critical infrastructure, government, and/or enterprises.”
(Re)insurers should monitor whether future Iranian cyberattack victims share the same profile as Stryker: US military contracts, Israeli business ties, and/or defense-adjacent operations.
If this targeting pattern holds, it offers an early signal of the emerging footprint’s correlation structure. If the justification proves to be retrospective rather than determining target selection, the potential footprint broadens considerably.
Mr Vos also said, “Attacks by state-aligned groups operating under hacktivist personas raise complex questions about war exclusion wording in cyber policies. Depending on the policy, exclusions may turn on attribution to a state, the nature of the hostile act, the degree of impact on state-level essential services, or some combination of these.
“An attack against an individual corporation, however severe, likely sits below the systemic thresholds most exclusions were designed to address. A more difficult question is whether a coordinated campaign of individual, sub-systemic attacks, spread across a variety of sectors and insureds, could collectively reach a point where exclusions trigger.”
Bottom line
The Stryker wiper attack demonstrates that Iranian-linked groups retain the capability to conduct destructive cyber operations against major Western corporations despite the near-total internet blackout.
Mr Vos said, “The central question is no longer whether Iran will retaliate in the cyber domain, but whether this is an isolated incident or the beginning of a broader campaign. Moody's will continue to monitor the situation, which remains highly dynamic.”