Stryker Global Networks Disrupted by Cyberattack; Iran-Linked Group Claims Responsibility

Stryker Hit by Major Cyberattack, Iran-Linked Group Claims Responsibility

A global medical technology company, Stryker, experienced a significant cyberattack on its worldwide networks, beginning around midnight on Wednesday. An Iran-linked hacktivist group named Handala has claimed responsibility for the incident, stating it involved data wiping across numerous systems. Stryker has acknowledged a "global network disruption" impacting its Microsoft environment, asserting that there is no indication of ransomware or malware, and that the situation is believed to be contained.

Global Medical Tech Giant Paralyzed by Cyberattack

Stryker, a U.S.-based medical technology company with global operations, reported a disruption to its worldwide networks on Wednesday. Employees observed data being wiped from company computers in real time, with reports indicating up to 95% of computers were affected in some departments. Stryker manufactures critical medical devices, including surgical tools and emergency service equipment; it employs 56,000 people globally and generates approximately $25 billion in annual revenue.

Widespread Operational Disruption

The cyberattack severely affected Stryker’s internal Microsoft environment, leading to information deletion from devices and rendering company phones inoperable. This brought work and internal communications to a near standstill across its global operations.

Regional Disruptions

  • In Ireland, home to Stryker's largest hub outside the U.S., over 5,000 workers were reportedly sent home. An employee at the Cork facility confirmed that work was halted and most company-assigned devices were wiped.
  • A voicemail at Stryker’s U.S. headquarters mentioned a "building emergency."
  • The attack is believed to have impacted Stryker’s operations across Europe, Asia, and the United States.

Supply Chain and Financial Outlook

In a filing with the SEC, Stryker stated that the full operational and financial impact is not yet known, and a complete restoration timeline remains unavailable. As of early Thursday ET, the company was actively working to restore its systems. Stryker affirmed that essential products such as Mako, Vocera, and LIFEPAK35 remain safe for use.

However, the disruption has immediate consequences for healthcare providers. One healthcare professional at a major U.S. university medical system reported being unable to order surgical supplies typically sourced from Stryker. The American Hospital Association (AHA) stated it is monitoring the situation, noting potential broader impacts if the disruption extends.

Handala Claims Responsibility, Citing Retaliation

A hacktivist group identified as Handala (also known as Handala Hack Team) claimed responsibility for the cyberattack through statements posted on Telegram and X. Handala asserted it had shut down Stryker’s offices in 79 countries, extracted 50 terabytes of "critical data," and wiped data from over 200,000 systems, servers, and mobile devices. Login pages on defaced devices reportedly displayed the Handala logo.

Palo Alto Networks has identified Handala as one of several Iran-linked hacker groups connected to Iran’s Ministry of Intelligence and Security (MOIS), operating as a persona of Void Manticore. Reports from Reddit users associated with Stryker and The Wall Street Journal also supported Handala's involvement.

Alleged Motivation

Handala stated the attack was in retaliation for a February 28 missile strike that allegedly impacted an Iranian school, resulting in an estimated 175 fatalities, predominantly children. The New York Times reported that a military investigation identified the United States as responsible for this Tomahawk missile strike. The group referred to the incident as a "new chapter in cyber warfare."

The group indicated that Stryker was targeted due to its work with the U.S. military, including a $450 million contract for medical devices, and its 2019 acquisition of OrthoSpace, an Israeli company. Handala's manifesto referred to Stryker as a "Zionist-rooted corporation."

Technical Insights and Stryker's Official Stance

Sources familiar with the incident suggested the perpetrators may have used Microsoft Intune, a cloud-based service, to issue a ‘remote wipe’ command to connected devices. A Reddit discussion thread involving individuals identifying as Stryker employees supported the Intune connection, with reports of instructions to urgently uninstall the service.

Stryker stated on its website and in an SEC filing that there is no indication of ransomware or malware, and they believe the incident is contained to its internal Microsoft environment.

Background of Handala Group and Broader Context

Handala emerged in late 2023, initially focusing on targets in Israel. The group has previously claimed responsibility for attacks on fuel systems in Jordan and an Israeli energy exploration company.

This incident follows previous cyberattacks attributed to Iran-linked groups targeting U.S. agencies and organizations. It marks a notable event amidst increased tensions between the two countries, highlighting the escalating nature of cyber warfare.