Pro-Iranian hackers have claimed a major scalp after causing global disruption at Fortune 500 medical technology vendor Stryker.

The Handala group claimed in an online post that it wiped “over 200,000 systems, servers, and mobile devices” and exfiltrated 50TB of the firm’s data.

“Stryker’s offices in 79 countries have been forced to shut down,” the message claimed. “All the acquired data is now in the hands of the free people of the world, ready to be used for true advancement of humanity and the exposure of injustice and corruption.”

According to Stryker’s website, the maker of neurotechnology, orthopaedics and surgery equipment employs over 56,000 people in 61 countries, and posted sales of $22.6bn in 2024.

Stryker confirmed the attack in an 8-K filing with the SEC yesterday, noting that it led to “global disruption to the company’s Microsoft environment.” It added that there is no indication of ransomware or malware and the firm believes that the incident is contained.

“The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the company’s information systems and business applications supporting aspects of the company’s operations and corporate functions,” it continued.

“While the company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known. The company has business continuity measures in place to continue to support its customers and partners.”

Handala Is More Than a Hacktivist Group

The Handala site was down at the time of writing, but experts were quick to lay the blame with the Iranian regime, which is currently engaged in an existential war with the US and Israel.

“From our perspective tracking Handala over the past year, the group has done an effective job presenting itself as a grassroots resistance movement. However, the tactics and targeting we observe are far more consistent with activity linked to Iranian state actors than with independent hacktivism,” explained Kathryn Raines, cyber-threat intelligence team lead at Flashpoint.

“What makes the Stryker incident particularly concerning is the apparent use of enterprise management infrastructure – potentially weaponizing Microsoft Intune – to carry out destructive activity at scale.”

Huntress CISO, Chris Henderson, also suggested Intune may have been hijacked to wipe devices en masse, potentially after a credential compromise.

“This goes to show geopolitical conflicts don’t stay overseas. Nation-state actors are targeting American companies that support critical infrastructure, healthcare, energy, and manufacturing, because the disruption extends far beyond the initial victim,” he added.

“Hospitals are waiting for equipment, patients are unable to receive care, and supply chains are grinding to a halt. This is the reality of modern conflict, and healthcare organisations are directly in the crossfire whether they realise it or not.”
