A cyber attack that continues to impact the Stryker medtech group’s business operations as of this writing has been linked to a pro-Palestine hacking group thought to be supported by the Iranian government.
The cyber attack was initially reported as involving wiper malware, but a March 13 update from Stryker indicates that they see no evidence of malware or ransomware and that the incident is contained. Nevertheless, the attack seems to have at least slowed the medtech firm’s shipping and had “minor impact” on its reprocessing program. It does not appear to have impacted use of its products or their internet connectivity, but the incident is still being investigated at this time.
Stryker medtech hack impacts business operations, hackers claim mass data theft
The cyber attack was first disclosed by Stryker on March 11, alongside media reports that provided a greater degree of detail. For its part, the medtech firm initially said that it did not believe ransomware or malware was involved, a position it has maintained in updates continuing through March 13.
While Stryker said that its medical products and LIFENET system are separate from the Microsoft business environment that was damaged and are safe to use, the cyber attack did have some customer impact. The medtech firm’s online ordering system was taken down and appears to remain down as of this writing, though the company says that it can continue to process orders by phone and email or through local sales reps. It also reports that its Sustainability Solutions reprocessing program may experience “minor interruptions” but does continue to function.
News reports tell a somewhat different story from the official updates. Some indicate that wiper malware was used to destroy the contents of hundreds of thousands of systems and mobile devices, and cite a statement from the hackers indicating that they additionally stole some 50 terabytes of data during the cyber attack. The attackers claim that Stryker offices in 79 countries have been forced to shut down; some individual employees of the medtech company, weighing in from several different parts of the world, have independently reported that their own devices and computers were remotely wiped.
Ensar Seker, CISO at SOCRadar, notes that many of these claims have yet to be independently verified: “Claims like wiping 200,000 devices and extracting tens of terabytes of data should be treated cautiously until independently verified. Hacktivist groups often exaggerate operational impact for psychological effect. However, even if the scale is smaller than claimed, a wiper-style attack against a global medtech company is serious because it targets operational continuity rather than just data theft. In the healthcare ecosystem, outages affecting device manufacturers or support systems can ripple across hospitals, supply chains, and patient care environments.”
“What makes this incident notable is the alleged use of enterprise management infrastructure to execute a destructive campaign. If attackers gained access to tools such as mobile device or endpoint management platforms, they could push destructive commands at scale across thousands of systems almost instantly. That shifts the attack from traditional ransomware or espionage into a coordinated operational disruption, which is consistent with the tactics we increasingly see in geopolitically motivated hacktivism tied to regional conflicts,” noted Seker. “Groups like Handala represent the blurred line between hacktivism, state alignment, and information operations. Many of these actors position themselves as ideological collectives, but their campaigns often align with broader geopolitical narratives. Targeting a global medical technology provider may be intended less as a financially motivated attack and more as a symbolic demonstration that Western critical industries can be disrupted during geopolitical tensions.”
“Organizations should take this as a reminder that destructive cyber operations are no longer limited to nation-state military targets. Companies in healthcare, manufacturing, and critical supply chains should prioritize stronger identity security around administrative tools, strict segmentation of device-management platforms, and continuous monitoring for anomalous mass actions such as remote wipes or bulk configuration pushes. In many modern attacks, the damage is done not through sophisticated malware but through the abuse of legitimate enterprise management capabilities,” added Seker.
Cyber attack claimed by Iranian group known for past “protest” actions
The group that has claimed credit for the cyber attack calls itself “Handala.” The group poses as a pro-Palestine hacktivist entity, but security researchers believe it is linked to Iran and backed by the country’s Ministry of Intelligence and Security (MOIS). The threat actors have been active since at least 2023, engaging in prior malware wiper attacks against Israeli organizations.
The group left some concrete evidence of its involvement during the cyber attack by defacing an Entra login page with its logo. A note taking credit for the attack cites the February 28 airstrike on the Minab elementary school attributed to US forces as a motivation and calls the medtech firm a “key arm of the global Zionist lobby.” It also calls the company part of the “New Epstein chain,” though it is unclear exactly what this means. For its part, Stryker has confirmed the cyber attack in an SEC Form 8-K filing but has not yet confirmed the claims of data theft.
We don’t know much about the technical details of the breach at this point, but Vincenzo Iozzo (CEO and Co-founder at SlashID) notes that the Entra compromise provides some clues: “The primary lesson in this incident is that in cloud environments, segregation of duties and privileges is even more critical. In particular, the Microsoft bundled platform is a double-edged sword because it combines identity management with device management. This leads to a situation where if you compromise a global administrator in Entra, you can fully wipe all devices managed by Intune as well which seems to be exactly what happened in this case.”
“To ensure that they are able to recover quickly from attacks like this, first, even though it is less evident than on-premises, organizations should frequently back up cloud environments. Adopting Infrastructure as Code (IaC) practices can also help restore environments much more promptly. Further, segregation of privileges is paramount. If organizations do decide to adopt the Microsoft bundled platform, segmenting privileges so that global admins are only “break-glass” accounts and ensuring different accounts handle administrative functions for different parts of the platform is key,” advised Iozzo. “By far the biggest hurdle organizations encounter when implementing a BCDR plan is conducting accurate simulation exercises, especially for corporate environments where there are often no accurate test environments available to use. When you scale this across dozens of countries, you also run into the massive logistical challenge of decentralized IT infrastructure, varying time zones, and fractured communication channels, making a coordinated global simulation, let alone a real recovery, incredibly difficult.”
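Both Seker’s call for “continuous monitoring for anomalous mass actions such as remote wipes” and Iozzo’s point that a compromised Entra global administrator can wipe every Intune-managed device translate into a concrete detection: a single principal issuing destructive device actions against many devices in a short window. The following is an added illustration of that check, not code from the article, from Stryker, or from Microsoft. It models events loosely on the shape of Microsoft Graph `deviceManagement/auditEvents` records, but the field names, the `activityType` labels, and the sample events are all constructed assumptions for the example, so the function is what matters, not the literal strings.

```python
"""Sliding-window detection of mass remote-wipe actions in MDM audit events.

Added example (not from the article, Stryker or Microsoft). The event shape is
an assumed simplification of Graph deviceManagement/auditEvents; activity
labels and sample events are constructed for illustration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Activity types treated as destructive. Real Intune activityType strings
# depend on the API version; these labels are assumptions for the example.
DESTRUCTIVE_ACTIVITIES = {"wipeManagedDevice", "retireManagedDevice"}

# Constructed sample audit events (not real telemetry). A helpdesk account
# wipes one lost laptop; a second principal wipes six devices in 75 seconds.
SAMPLE_EVENTS_JSON = """[
 {"activityDateTime": "2026-03-11T02:00:10Z", "activityType": "wipeManagedDevice",
  "actor": {"userPrincipalName": "helpdesk@example.com"},
  "resources": [{"displayName": "LAPTOP-0142"}]},
 {"activityDateTime": "2026-03-11T02:05:00Z", "activityType": "updateDeviceConfiguration",
  "actor": {"userPrincipalName": "helpdesk@example.com"},
  "resources": [{"displayName": "Baseline-Win11"}]},
 {"activityDateTime": "2026-03-11T02:30:00Z", "activityType": "wipeManagedDevice",
  "actor": {"userPrincipalName": "svc-mdm@example.com"},
  "resources": [{"displayName": "LAPTOP-2001"}]},
 {"activityDateTime": "2026-03-11T02:30:15Z", "activityType": "wipeManagedDevice",
  "actor": {"userPrincipalName": "svc-mdm@example.com"},
  "resources": [{"displayName": "LAPTOP-2002"}]},
 {"activityDateTime": "2026-03-11T02:30:30Z", "activityType": "wipeManagedDevice",
  "actor": {"userPrincipalName": "svc-mdm@example.com"},
  "resources": [{"displayName": "LAPTOP-2003"}]},
 {"activityDateTime": "2026-03-11T02:30:45Z", "activityType": "wipeManagedDevice",
  "actor": {"userPrincipalName": "svc-mdm@example.com"},
  "resources": [{"displayName": "LAPTOP-2004"}]},
 {"activityDateTime": "2026-03-11T02:31:00Z", "activityType": "wipeManagedDevice",
  "actor": {"userPrincipalName": "svc-mdm@example.com"},
  "resources": [{"displayName": "LAPTOP-2005"}]},
 {"activityDateTime": "2026-03-11T02:31:15Z", "activityType": "wipeManagedDevice",
  "actor": {"userPrincipalName": "svc-mdm@example.com"},
  "resources": [{"displayName": "LAPTOP-2006"}]}
]"""


def parse_time(value):
    """Parse the Zulu timestamps used in the sample into aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_name(event):
    """First resource display name, or a placeholder when the event has none."""
    resources = event.get("resources") or [{}]
    return resources[0].get("displayName", "<unknown>")


def detect_mass_actions(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per actor whose destructive actions hit at least
    `threshold` distinct devices within any span of length `window`.

    Events are processed in time order; a per-actor deque holds only the
    actions inside the trailing window, so memory stays bounded on a
    long-running feed. The alert fires once, at the moment the threshold
    is first crossed, and lists the devices seen up to that point.
    """
    recent = defaultdict(deque)  # actor -> deque of (timestamp, device)
    alerts = []
    alerted = set()
    for event in sorted(events, key=lambda e: e["activityDateTime"]):
        if event.get("activityType") not in DESTRUCTIVE_ACTIVITIES:
            continue
        actor = event.get("actor", {}).get("userPrincipalName", "<unknown>")
        ts = parse_time(event["activityDateTime"])
        history = recent[actor]
        history.append((ts, device_name(event)))
        while ts - history[0][0] > window:  # evict actions older than the window
            history.popleft()
        devices = {name for _, name in history}
        if len(devices) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({
                "actor": actor,
                "devices": sorted(devices),
                "first": history[0][0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample feed."""
    return detect_mass_actions(json.loads(SAMPLE_EVENTS_JSON))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert, indent=2))
```

On the sample feed the helpdesk account’s single wipe is ignored and the alert fires for `svc-mdm@example.com` at the fifth distinct device, one minute into the burst. In a real deployment the same logic would run over events pulled from Graph or from the Intune audit table in Log Analytics, and the threshold would be tuned to the organization’s normal offboarding volume; the point, per both experts, is that a legitimate management console producing an abnormal volume of legitimate-looking commands is itself the indicator, not any malware on the endpoint.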
Though it is not as prolific or advanced as the Chinese and Russian hacking programs, Iran is one of the more active and sophisticated nations in terms of cyber intrusion and warfare. The government is thought to have really ramped up its offensive cyber program after the 2010 Stuxnet attack, in which the US and Israel heavily damaged its nuclear program with a targeted worm. By 2012 Iran had launched a major malware attack of its own (Shamoon) against Saudi Aramco and has been linked to repeated attacks on US banks.
But rather than espionage or theft, Iran’s cyber attacks very often seem to focus on intimidation and election interference. Iran-linked groups are thought to be behind a 2024 spearphishing campaign to breach the email accounts of US election officials, another attack that year that stole information from the Trump presidential campaign and attempted to pass it to Biden staffers, and a 2023 attack in Sweden in which a text messaging service was hacked to exhort vengeance against anyone who burns a Koran. The most advanced of its groups is likely TA455 or “Charming Kitten,” which targets the global aerospace industry for espionage purposes by posting fake job links on LinkedIn and using a custom malware called “SnailResin.” Iran is thought to have copied many techniques from North Korea’s state-backed hacking groups, and perhaps has had direct assistance from them in terms of training.