Stryker, a leading medical device and equipment manufacturer headquartered in Portage, Michigan, is grappling with the aftermath of a significant cyberattack linked to Iran. The attack, which began shortly after midnight, has caused widespread outages across the company's systems and disrupted operations globally. A hacking group known as Handala has claimed responsibility for the incident.
Widespread Disruption Across Global Operations
Stryker, which operates in 61 countries and employs more than 56,000 people worldwide, disclosed the attack in a filing with the U.S. Securities and Exchange Commission (SEC). The company reported that it is experiencing "disruptions and limitations of access to certain of the Company’s information systems and business applications." The timeline for recovery remains uncertain, with Stryker noting it is still assessing the damage to its systems and data.
Unlike ransomware attacks, this incident appears to involve data theft and wiping. Stryker confirmed in its investigation that Windows-based devices, including mobile phones and laptops running Microsoft programs, had been remotely wiped. The company has not found signs of ransomware or malware but believes it has contained the breach.
An announcement from the Wall Street Journal revealed that Stryker’s login pages were defaced with Handala’s logo. Despite the disruption, Stryker assured stakeholders that business continuity measures are in place and pledged to maintain transparency throughout the investigation and recovery process.
sbb-itb-02f5876
Handala Claims Responsibility for the Attack
Handala, a hacking group linked to Iran, claimed responsibility for the attack in a post on X (formerly Twitter). In the post, the group stated that the cyber operation targeted 79 Stryker offices globally, impacting over 200,000 devices and wiping 50 terabytes of data. The group declared, "We announce to the world that, in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success."
While the exact method used to breach Stryker’s systems remains unclear, cybersecurity expert Kevin Beaumont suggested that the attackers likely gained access to Stryker’s Active Directory services. By leveraging Microsoft’s Intune endpoint management tool, the group appears to have remotely wiped devices, including personal devices covered under the company’s bring-your-own-device policy.
Hacktivism or State-Linked Cyber Operation?
Handala is widely believed to have ties to Iran’s Ministry of Intelligence and Security. Research by Palo Alto Networks indicates that the group likely serves as an arm of the ministry, operating under the guise of hacktivism to provide Tehran with plausible deniability. The attack on Stryker aligns with statements from Iranian officials, who earlier this week warned that they would retaliate against U.S. and Israeli economic targets in response to geopolitical tensions.
Stryker’s connections to Israel may have made it an appealing target. The company acquired OrthoSpace, an Israeli orthopedic device manufacturer, in 2019. Handala referred to Stryker as "a Zionist-rooted corporation" in its public statement.
Broader Implications for Cybersecurity
The attack highlights the growing use of cyber operations as a strategic response during periods of geopolitical conflict. "Attacks like this unfortunately aren’t surprising. Even before the latest geopolitical tensions, hacktivist activity targeting healthcare and other critical infrastructure had been steadily increasing, and that trend makes organizations like medical device manufacturers and hospitals more likely to be caught in the crossfire", said Skip Sorrels, Field CTO and CISO at Claroty. He emphasized the importance of cybersecurity in healthcare, adding, "Cybersecurity in healthcare must be treated as part of patient safety, with organizations prioritizing visibility into their cyber-physical systems and closing those ‘open doors’ before attackers find them."
Steve Povolny, Vice President of AI Strategy & Security Research at Exabeam, noted that cyber operations are becoming a preferred tool for asymmetric warfare. "Groups like Handala blur the line between hacktivism and state operations, giving governments plausible deniability while still achieving strategic signaling. The cautionary lesson for defenders is that these campaigns are rarely isolated events", he said. Povolny warned that such attacks often form part of broader efforts to disrupt industries critical to national stability, such as healthcare, energy, and manufacturing.
As the investigation continues, the attack on Stryker underscores the urgent need for organizations in critical industries to strengthen their cybersecurity defenses. While Stryker works to restore its systems and recover from this breach, the incident serves as a stark reminder of the escalating risks posed by state-linked cyber threats.
