Medical Manufacturer Targeted by Iranian Hackers

Communication networks and devices were reportedly impacted.

On Wednesday, March 11, Michigan-based Stryker, a medical device and technology manufacturer, experienced what the company described as a global network disruption to its Microsoft environment. The disruption was the result of a cyberattack for which the prominent Iranian hacker group Handala has taken credit.

The group posted on social media that the hack was retaliation for a U.S. missile striking an Iranian elementary school, which reportedly killed at least 168 children. Handala described Stryker as a "Zionist-rooted corporation" and claimed, without substantiation, to have impacted 200,000 systems and stolen 50 terabytes of data.

Stryker told several media outlets that its business continuity teams had responded to the attack and were able to continue supporting users of the impacted systems and devices.

While it is important to note that Stryker has not released details of the hack, feedback obtained from customers and employees indicates that hackers gained access to the company’s Microsoft Intune account. From there, Handala appears to have accessed and reverted some employees’ devices back to factory settings.

It has been suggested, but not confirmed, that Stryker's Lifenet platform, which allows emergency responders to communicate patient data to hospitals, might have also been impacted.

David Lindner, Chief Information Security and Data Privacy Officer at Contrast Security, which offers cybersecurity detection and response solutions, offered the following thoughts on the attack.

“The Stryker attack should be a wake-up call for every CISO in critical manufacturing. Handala, an Iranian-linked group, didn't encrypt files and ask for Bitcoin. They wiped them. That distinction matters enormously. Wiper malware is a weapon, not a business model.

“With roughly 5,500 employees locked out across Ireland, the U.S., Australia, and India simultaneously, and manufacturing systems for orthopedic implants offline, this wasn't an IT incident. It was a coordinated act of sabotage. And it didn't happen in a vacuum.

“The same day, Iran's IRGC (Islamic Revolutionary Guard Corps) formally declared U.S. and Israeli economic interests as targets, naming Google, Microsoft, Palantir, IBM, Nvidia, and Oracle by name. Stryker, with deep U.S. ties and operations in Israel-adjacent markets, fits that targeting profile perfectly.

“The medical device industry has spent a decade treating cybersecurity as a compliance checkbox. The IRGC just published a target list. Those two facts don't coexist quietly for much longer.”
