Stryker, a global medical technology company based in Michigan, has fallen victim to a data-wiping attack. A hacktivist group affiliated with Iran’s intelligence services is claiming responsibility for the incident.
Reports coming from Ireland, Stryker’s largest base outside of the US, indicated that the company had sent home over 5,000 workers. Also, a voicemail message left on Stryker’s main US headquarters indicated that the company is currently dealing with a building emergency.
The company remains offline.
Stryker is a medical and surgical products company with global sales of $25 billion last year. In a statement posted on Telegram, an Iranian hacktivist collective known as Handala, also referred to as Handala Hack Team, said its attack on Stryker’s offices in 79 countries has forced them to shut down after the collective deleted data from over 200,000 systems, servers, and mobile devices.
In a statement on its website, Stryker said it is experiencing a global network disruption to its Microsoft environment as a result of the attack. “We have no indication of ransomware or malware and believe the incident is contained.”
It added that its teams are working quickly to understand the impact of the attack on its systems. “Stryker has business continuity measures in place to continue to support our customers and partners. We are committed to transparency and will keep stakeholders informed as we know more.”
Handala said: “We announce to the world that, in relation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success.”
Ripple Effects Across Healthcare
Chris Henderson, chief information security officer (CISO) at Huntress, commented: “This attack is significant for a few reasons. First, it’s destructive, not ransomware. Handala allegedly used Microsoft Intune, a legitimate IT management tool, to remotely wipe over 200,000 devices across Stryker’s global network. No malware needed when you compromise the right credentials.”
He added that the target matters. “Stryker manufactures critical medical devices used in operating rooms and ICUs worldwide. When a supplier of this scale goes offline, it doesn’t just impact their employees; it creates ripple effects across hospitals, surgical centres, and healthcare providers who depend on their equipment and support infrastructure.”
This goes to show geopolitical conflicts don’t stay overseas, Henderson said. “Nation-state actors are targeting American companies that support critical infrastructure, healthcare, energy, and manufacturing, because the disruption extends far beyond the initial victim. Hospitals are waiting for equipment, patients are unable to receive care, and supply chains are grinding to a halt. This is the reality of modern conflict, and healthcare organisations are directly in the crossfire whether they realise it or not.”
Part of a Broader Geopolitical Strategy
Muhammad Yahya Patel, vCISO and cybersecurity advisor for EMEA at Huntress, added: “Nation-state actors, like Handala, target healthcare infrastructure as part of a broader geopolitical strategy. The Stryker attack shows how quickly this can cripple operations across entire supply chains.”
Patel advised healthcare organisations to take the following actions:
- Implement phishing-resistant MFA for all administrative accounts, hardware security keys or passkeys, not SMS or app-based codes that can be socially engineered.
- Segment administrative privileges so no single account can wipe your entire device fleet or disable security controls. Use just-in-time access with time-bound permissions.
- Monitor for anomalous admin activity: bulk device actions, policy changes outside business hours, or access from unusual locations should trigger immediate alerts.
- Enable conditional access policies that restrict administrative operations to specific trusted devices and known locations.
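The monitoring item above (bulk device actions, off-hours policy changes, access from unusual locations) as detection logic run over sample admin audit events. This is an added example, not code from the article or from Huntress; the event records, field names, thresholds and trusted-country list are constructed and simplified, not the real Intune or Entra audit-log schema.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample admin audit events (simplified; not the real Microsoft schema).
# A single admin account issues 60 device wipes in one minute at 02:05 UTC
# from an untrusted country, then edits a compliance policy; a helpdesk account
# does one routine wipe and one policy edit during business hours.
EVENTS = [
    {"ts": f"2026-03-14T02:05:{i:02d}Z", "actor": "admin@corp.example",
     "action": "WipeDevice", "target": f"dev-{i}", "country": "RO"}
    for i in range(60)
] + [
    {"ts": "2026-03-14T02:07:00Z", "actor": "admin@corp.example",
     "action": "UpdateCompliancePolicy", "target": "policy-baseline", "country": "RO"},
    {"ts": "2026-03-13T10:15:00Z", "actor": "helpdesk@corp.example",
     "action": "WipeDevice", "target": "dev-lost-1", "country": "US"},
    {"ts": "2026-03-13T11:00:00Z", "actor": "helpdesk@corp.example",
     "action": "UpdateCompliancePolicy", "target": "policy-vpn", "country": "US"},
]

BULK_THRESHOLD = 25            # device actions by one actor within WINDOW_SECONDS
WINDOW_SECONDS = 600
BUSINESS_HOURS = range(8, 18)  # UTC, for simplicity (assumed tenant hours)
TRUSTED_COUNTRIES = {"US", "IE"}
DEVICE_ACTIONS = {"WipeDevice", "RetireDevice", "DeleteDevice"}
POLICY_ACTIONS = {"UpdateCompliancePolicy", "DeletePolicy", "UpdateConditionalAccessPolicy"}


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return (rule, actor, detail) alerts for the three patterns above."""
    alerts, by_actor, seen_locations = [], defaultdict(list), set()
    for e in sorted(events, key=_ts):
        if e["action"] in DEVICE_ACTIONS:
            by_actor[e["actor"]].append(_ts(e))
        if e["action"] in POLICY_ACTIONS and _ts(e).hour not in BUSINESS_HOURS:
            alerts.append(("policy_change_off_hours", e["actor"], e["target"]))
        if e["country"] not in TRUSTED_COUNTRIES and (e["actor"], e["country"]) not in seen_locations:
            seen_locations.add((e["actor"], e["country"]))  # alert once per actor/country
            alerts.append(("untrusted_location", e["actor"], e["country"]))
    # Sliding time window over each actor's device actions; fire once per actor.
    for actor, times in by_actor.items():
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            if end - start + 1 >= BULK_THRESHOLD:
                alerts.append(("bulk_device_action", actor, f"{end - start + 1} in {WINDOW_SECONDS}s"))
                break
    return alerts
```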
More Shots Are Coming
Lee Sult, Chief Investigator at Binalyze, said: “The Stryker attack looks to be the first drop of blood in the water as a result of nation-state and hacktivist activity off the back of the Iran conflict. This attack confirms Western organizations are not only in the adversary’s crosshairs, but the adversary can also make the shot. More shots are coming.
“An attack like this is about damage and spreading chaos. Handala is using a scorched earth approach, they get in fast, wipe devices, steal data, and leave chaos behind them. Thousands of employees locked out of devices isn’t just an operational crisis. It quickly becomes a financial, reputational, and potentially life-and-property risk.
Sult added that speed is everything when attacks like this happen. “Investigation can’t be an afterthought; organizations need to know if the attackers are still inside systems, which systems are impacted, and how the attackers got in. The faster those questions are answered, the faster you can begin recovery.
“Stryker could be the first in a wave of attacks. Cyber assets friendly to the Iranian regime have regrouped and are actively circling their next target sets. Organizations need to be monitoring for IOCs linked to Iran-backed campaigns – including those seen in Operation Olalampo and APT35.”
Segregation of Duties and Privileges is Critical
Vincenzo Lozzo, CEO and Co-founder at SlashID, added that the primary lesson in this incident is that in cloud environments, segregation of duties and privileges is even more critical. “In particular, the Microsoft bundled platform is a double-edged sword because it combines identity management with device management. This leads to a situation where if you compromise a global administrator in Entra, you can fully wipe all devices managed by Intune as well which seems to be exactly what happened in this case.”
To be able to recover quickly from attacks like this, Lozzo said, organizations should first back up cloud environments frequently, even though the need for this is less evident than it is on-premises. “Adopting Infrastructure as Code (IaC) practices can also help restore environments much more promptly. Further, segregation of privileges is paramount. If organizations do decide to adopt the Microsoft bundled platform, segmenting privileges so that global admins are only “break-glass” accounts and ensuring different accounts handle administrative functions for different parts of the platform is key.”
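The privilege-segregation advice from Patel's list (no single account able to wipe the whole fleet, time-bound access) and from Lozzo above (global admins only as break-glass accounts, separate accounts per part of the platform) as a role-assignment audit. This is an added example, not code from the article, SlashID or Huntress; the assignments are constructed, the role groupings are illustrative, and the break-glass flag is assumed to come from the organization's own inventory.

```python
# Illustrative grouping of roles into the two halves of the bundled platform:
# identity administration (Entra) and device administration (Intune).
IDENTITY_ROLES = {"Global Administrator", "Privileged Role Administrator",
                  "Conditional Access Administrator"}
DEVICE_ROLES = {"Intune Administrator", "Cloud Device Administrator"}

# Constructed sample: (account, role, expires_at ISO timestamp or None, is_break_glass)
ASSIGNMENTS = [
    ("bg-admin-1@corp.example", "Global Administrator", None, True),
    ("it-ops@corp.example", "Global Administrator", None, False),
    ("it-ops@corp.example", "Intune Administrator", None, False),
    ("ca-admin@corp.example", "Conditional Access Administrator", "2026-03-14T18:00:00Z", False),
    ("mdm-admin@corp.example", "Intune Administrator", "2026-03-14T18:00:00Z", False),
]


def audit(assignments):
    """Return (rule, account, detail) findings against the segregation principles."""
    findings = []
    roles_by_account = {}
    for account, role, expires, break_glass in assignments:
        roles_by_account.setdefault(account, set()).add(role)
        # Global Administrator should exist only on designated break-glass accounts.
        if role == "Global Administrator" and not break_glass:
            findings.append(("global_admin_not_break_glass", account, role))
        # Day-to-day admin access should be just-in-time, i.e. carry an expiry.
        if expires is None and not break_glass:
            findings.append(("standing_assignment", account, role))
    # One account spanning identity and device administration can both take
    # over the tenant and wipe the managed fleet; flag it.
    for account, roles in roles_by_account.items():
        if roles & IDENTITY_ROLES and roles & DEVICE_ROLES:
            findings.append(("identity_and_device_admin", account, ", ".join(sorted(roles))))
    return findings
```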
According to Lozzo, by far the biggest hurdle organizations encounter when implementing a BCDR plan is conducting accurate simulation exercises, particularly for corporate environments where there are often no accurate test environments available to use.
“When you scale this across dozens of countries, you also run into the massive logistical challenge of decentralized IT infrastructure, varying time zones, and fractured communication channels, making a coordinated global simulation, let alone a real recovery, incredibly difficult.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.