# Iran Hit Stryker. We Called It.

- Writer: Patrick Duggan
- Mar 15
- 4 min read
- Updated: Apr 25

**Author:** Patrick Duggan (with Claude Code)

**Series:** DugganUSA Field Reports

## What Happened

On March 11, 2026, Handala — an Iran-aligned hacking group with documented ties to Tehran — claimed responsibility for a cyberattack on Stryker Corporation, one of the largest medical device companies in the world.


Devices wiped. SEC notification filed. Recovery timeline unknown.


CNN, Bloomberg, NBC, Al Jazeera, and Time all confirmed the attribution. This was retaliation for Operation Epic Fury — the U.S.-Israeli joint offensive that launched February 28, 2026, which killed 170+ people including schoolgirls in a strike on a school in Minab, Iran.


Iran's internet dropped to 1-4% connectivity after the strikes. But the proxy groups kept operating. Unit 42 documented 60+ pro-Iran hacktivist groups active since February 28, targeting critical infrastructure across the U.S., Israel, and Gulf states.


Stryker was one of the targets. A medical device company. The company that makes the MAKO surgical robot.

## We Called It

This morning — before we knew the Iran attribution was confirmed — we published an analysis of eight medical device companies scored against our AI Presence Management (AIPM) framework.


Stryker scored 46 out of 95. NPS of -67. The AI models actively don't recommend them.


Then we ran a certificate transparency lookup. 30 seconds. Public data.


**1,014 subdomains.** Including:

- 192 dev/staging/test environments (19% of their entire surface)
- MAKO surgical robot build servers and control planes
- An AI platform called AIDA with dev, test, and temp environments in public certificate records
- 47 external API endpoints
- 34 VPN and remote access portals


The company that Iran just hit had 192 non-production environments with public SSL certificates. The company that builds robots that operate on live patients had their robot infrastructure discoverable by anyone who typed a query into crt.sh.

## The Correlation Is Now Causal

This morning we wrote: "The companies investing the least in how AI models perceive them are the ones getting hit the hardest. This isn't causation. But it's not coincidence either."


With the Iran attribution confirmed, we can update that assessment.


Stryker didn't get hit because their AIPM score was 46. They got hit because the same organizational neglect that produces a 46 — dev servers in public certs, no structured data, robots.txt wide open, no LD-JSON telling AI models who they are — also produces the kind of attack surface that 60 hacktivist groups can enumerate in an afternoon.


The score didn't cause the breach. The score and the breach had the same cause: not paying attention to the details.

## Who Else Is Exposed

We scored the medical device vertical this morning. The bottom three all have recent breach histories:


| Company | AIPM Score | Structure score (of 95) | Breached |
|---------|-----------|-------------------------|----------|
| Baxter | 29 | 3 | 2022 infusion pump vulns |
| Abbott | 31 | 3 | 2022 pacemaker recalls |
| Philips | 31 | 3 | 2023 MRI/CT vulns |
| **Stryker** | **46** | **46** | **Active — Iran, March 2026** |


Microsoft pulls this feed daily. AT&T pulls this feed daily. Starlink pulls this feed daily. Get the DugganUSA STIX feed — $9/mo →


Philips has 1,284 subdomains and 77 internal infrastructure hostnames in public certificate records. Their AIPM structure score is 3 out of 95. Zero LD-JSON. Blocking AI crawlers.


Intuitive Surgical — the da Vinci robot company — has 6 subdomains. Structure score of 55. Zero recent breaches.

## The Threat Landscape

Unit 42 published a threat brief on March 15: "Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran."


Key findings:

- **60+ pro-Iran hacktivist groups** active since Operation Epic Fury
- **Handala Hack** (MOIS-affiliated) claimed the Stryker attack
- **FAD Team** deploying wiper malware
- **DDoS, phishing, data exfiltration, website defacement, credential harvesting, and ransomware** all in play
- Pro-Russian groups (NoName057, Cardinal, Russian Legion) joining alongside Iranian groups
- Attacks spanning U.S., Israel, Kuwait, and Gulf states

The malware and IOCs from the brief are now indexed in our STIX feed.

## What You Can Do

If you're a medical device company, a healthcare provider, or a security team protecting clinical infrastructure:


**Score yourself.** aipmsec.com — free, 15 seconds, no login. See what the AI models think about you and where your structure is weak.


**Check your certificate footprint.** Go to crt.sh and search your domain. Count your subdomains. If you have 100+ dev/staging/test environments in public certificate records, you have a problem.
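The certificate-footprint check above (and the crt.sh lookup described in "We Called It") can be scripted so the count is repeatable rather than eyeballed. The block below is an added example, not code from the original post or from DugganUSA's tooling: it flattens crt.sh-style JSON records into unique hostnames for your own domain and buckets them into the same rough categories the post counts (non-production, API, remote access). The query URL and the `name_value` field holding newline-separated SANs are crt.sh's JSON output as I know it; the keyword lists, the `example.com` sample records and the `fetch_crtsh`/`footprint_report` names are my own assumptions.

```python
"""Certificate-transparency footprint check (added example; constructed crt.sh-style sample data)."""
import json
import re
import sys
import urllib.parse
import urllib.request
from collections import Counter

# Hostname-label keywords -> category. Heuristic (assumption); tune to your own naming scheme.
CATEGORIES = {
    "non-production": ("dev", "staging", "stage", "test", "uat", "qa", "sandbox", "temp", "tmp"),
    "api": ("api",),
    "remote-access": ("vpn", "remote", "citrix", "vdi", "rdp", "sslvpn"),
}


def fetch_crtsh(domain: str, timeout: int = 60) -> list:
    """Live query of crt.sh's JSON endpoint for certificates matching %.domain (network call)."""
    url = "https://crt.sh/?q=" + urllib.parse.quote(f"%.{domain}") + "&output=json"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def extract_hostnames(records: list, domain: str) -> set:
    """Flatten name_value (newline-separated SANs) into unique lowercase hostnames under domain."""
    names = set()
    suffix = "." + domain.lower()
    for rec in records:
        for raw in rec.get("name_value", "").split("\n"):
            name = raw.strip().lower()
            if name.startswith("*."):
                name = name[2:]  # a wildcard cert reveals the base name; count it once
            if name == domain.lower() or name.endswith(suffix):
                names.add(name)
    return names


def classify(hostname: str, domain: str) -> str:
    """Assign one category from the labels left of the registrable domain (first match wins)."""
    labels = [] if hostname == domain else hostname[: -len(domain) - 1].split(".")
    parts = set()
    for label in labels:
        parts.update(re.split(r"[-_]", label))  # 'mako-dev' -> {'mako', 'dev'}
    for category, keywords in CATEGORIES.items():
        if parts & set(keywords):
            return category
    return "other"


def footprint_report(records: list, domain: str) -> dict:
    """Count hostnames per category and list the non-production ones for review."""
    hosts = extract_hostnames(records, domain)
    counts = Counter(classify(h, domain) for h in hosts)
    total = len(hosts)
    nonprod = counts["non-production"]
    return {
        "total": total,
        "by_category": dict(counts),
        "non_production_pct": round(100 * nonprod / total, 1) if total else 0.0,
        "non_production_hosts": sorted(h for h in hosts if classify(h, domain) == "non-production"),
    }


# Constructed sample in crt.sh's JSON shape for example.com; not real data from any company.
SAMPLE_RECORDS = [
    {"name_value": "www.example.com\nexample.com"},
    {"name_value": "dev-portal.example.com"},
    {"name_value": "staging.example.com\n*.staging.example.com"},
    {"name_value": "api.example.com"},
    {"name_value": "vpn.example.com"},
    {"name_value": "robot-build.test.example.com"},
    {"name_value": "mail.example.com"},
    {"name_value": "www.example.com"},  # renewed cert: same name, counted once
]

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python ct_footprint.py yourdomain.com -> live crt.sh query
        domain = sys.argv[1]
        records = fetch_crtsh(domain)
    else:
        domain, records = "example.com", SAMPLE_RECORDS
    print(json.dumps(footprint_report(records, domain), indent=2))
```

Run it against your own domain and read the `non_production_hosts` list first: each entry is a name that public logs already reveal, so the question for each one is whether it still needs to exist and, if so, whether it is reachable from the internet. Large crt.sh result sets can take a while or time out; for a big estate, cache the JSON locally and rerun the classifier offline.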


**Pull our STIX feed.** 1,009,000+ indicators, updated daily, Splunk ES compatible. The Iran-linked IOCs are in there.


**Block the known infrastructure.** Our OPNsense blocklists are free, no API key required.
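Pulling a STIX feed and blocking the infrastructure it names (the two recommendations just above) only works if the consumer drops revoked and expired indicators instead of blocking stale addresses forever. The block below is an added example and not the DugganUSA feed, its format, or its OPNsense lists: it reads a STIX 2.1 bundle of `indicator` objects, keeps only the ones that are current and not revoked, pulls the atomic `ipv4-addr`, `domain-name` and SHA-256 comparisons out of their patterns, and renders a one-entry-per-line list. The bundle, its RFC 5737 test addresses, the `example.net` names and the placeholder hash (SHA-256 of the empty string) are constructed; that a firewall URL-table alias consumes a host-per-line list is an assumption about the consumer.

```python
"""STIX 2.1 indicators -> plain blocklist (added example; constructed bundle, not a real feed)."""
import re
from datetime import datetime, timezone

# One regex per atomic STIX comparison this consumer knows how to act on.
PATTERN_RE = {
    "ipv4": re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]"),
    "domain": re.compile(r"\[domain-name:value\s*=\s*'([^']+)'\]"),
    "sha256": re.compile(r"\[file:hashes\.'SHA-256'\s*=\s*'([0-9a-fA-F]{64})'\]"),
}


def parse_stix_time(value: str) -> datetime:
    """STIX timestamps are RFC 3339 UTC, e.g. 2026-03-15T00:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_indicators(bundle: dict, now: datetime):
    """Return ({kind: sorted values}, skipped) for current, non-revoked STIX-pattern indicators."""
    found = {kind: set() for kind in PATTERN_RE}
    skipped = 0
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # other SDOs, or YARA/Snort patterns a blocklist cannot express
        if obj.get("revoked") is True:
            skipped += 1  # producer withdrew it (e.g. false positive): never block on it
            continue
        valid_until = obj.get("valid_until")
        if valid_until and parse_stix_time(valid_until) <= now:
            skipped += 1  # past its validity window: blocking it only adds false positives
            continue
        for kind, rx in PATTERN_RE.items():
            for value in rx.findall(obj.get("pattern", "")):
                found[kind].add(value.lower())  # domains and hashes compare case-insensitively
    return {kind: sorted(v) for kind, v in found.items()}, skipped


def render_blocklist(values: list) -> str:
    """One entry per line (assumed format of a firewall URL-table alias)."""
    return "".join(v + "\n" for v in values)


DEMO_NOW = datetime(2026, 3, 15, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

# Constructed bundle: RFC 5737 addresses, example.net names, SHA-256 of the empty string as a hash.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2026-03-10T00:00:00.000Z", "valid_until": "2026-06-01T00:00:00.000Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.11']",
         "valid_from": "2026-01-01T00:00:00.000Z", "valid_until": "2026-03-01T00:00:00.000Z"},  # expired
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'Update-Portal.Example.net']",
         "valid_from": "2026-03-01T00:00:00.000Z", "revoked": True},  # withdrawn by the producer
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "pattern": "[domain-name:value = 'c2.example.net']",
         "valid_from": "2026-03-12T00:00:00.000Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7'] OR [ipv4-addr:value = '198.51.100.8']",
         "valid_from": "2026-03-12T00:00:00.000Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']",
         "valid_from": "2026-03-12T00:00:00.000Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000007",
         "pattern_type": "yara", "pattern": "rule placeholder { condition: false }",
         "valid_from": "2026-03-12T00:00:00.000Z"},  # not expressible as a blocklist entry
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000008",
         "name": "constructed-sample", "is_family": False},
    ],
}

if __name__ == "__main__":
    indicators, skipped = extract_indicators(SAMPLE_BUNDLE, DEMO_NOW)
    print(f"skipped {skipped} revoked/expired indicator(s)")
    for kind, values in indicators.items():
        print(f"--- {kind} ({len(values)}) ---")
        print(render_blocklist(values), end="")
```

Two design points matter in production: pass the real clock as `now` and rerun on every feed pull, so an indicator that ages out stops being blocked without manual cleanup; and keep the `skipped` count in your monitoring, since a sudden jump usually means the producer revoked a batch and whatever you blocked on it should be reviewed.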


If Iran can hit Stryker, they can hit you. The question is whether your attack surface is as easy to enumerate as theirs was.




*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*



The cheapest, fastest, most accurate threat feed on the internet.

275+ enterprises pulling daily. 1M+ IOCs. 17.4M indexed documents. We beat Zscaler by 43 days on NrodeCodeRAT. Starter tier $9/mo — less than any competitor’s sales demo.