A Major Medical Technology Company Under Siege
Stryker, a Kalamazoo, Michigan-based medical and surgical equipment manufacturer listed on the New York Stock Exchange as SYK, is grappling with what appears to be a large-scale destructive cyberattack. The company, which reported $25 billion in global sales last year and employs approximately 56,000 people across 61 countries, has been targeted by a hacktivist group with documented ties to Iranian intelligence.
News reports emerging from Ireland — Stryker's largest operational hub outside the United States — confirmed that more than 5,000 workers were sent home as a result of the ongoing incident. A call placed Wednesday morning to the media line at Stryker's Michigan headquarters reached a voicemail recording stating: "We are currently experiencing a building emergency. Please try your call again later."
Handala Claims Responsibility
A hacktivist collective known as Handala, also referred to as the Handala Hack Team, published a lengthy manifesto on Telegram claiming full responsibility for the attack. According to the group's statement, Stryker offices in 79 countries were forced to shut down after Handala wiped data from more than 200,000 systems, servers, and mobile devices.
"All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption."
The group framed the attack as retaliation for a February 28 missile strike that hit an Iranian school and killed at least 175 people, the majority of them children. The New York Times reported that an ongoing military investigation has determined the United States is responsible for the deadly Tomahawk missile strike.
The Handala manifesto described Stryker as a "Zionist-rooted corporation," a characterization that may be connected to Stryker's 2019 acquisition of the Israeli company OrthoSpace.
Handala's Ties to Iranian Intelligence
Palo Alto Networks recently profiled Handala as one of several hacker groups linked to Iran's Ministry of Intelligence and Security (MOIS). According to Palo Alto's researchers, Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated threat actor.
The security firm noted that Handala's hack-and-leak operations are primarily focused on Israel, with occasional targeting outside that scope when it serves a particular agenda. Handala has also claimed credit for attacks against fuel systems in Jordan and an Israeli energy exploration company.
Palo Alto researchers described the group's recent methods as opportunistic:
"Recent observed activities are opportunistic and 'quick and dirty,' with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by 'proof' posts to amplify credibility and intimidate targets."
Microsoft Intune Allegedly Used as the Attack Vector
While wiper attacks typically rely on malicious software engineered to overwrite data on infected devices, a trusted source with knowledge of the incident — speaking on condition of anonymity — told KrebsOnSecurity that the attackers in this case appear to have leveraged a legitimate Microsoft service called Microsoft Intune to issue a remote wipe command across all connected devices.
Microsoft Intune is a cloud-based endpoint management solution used by IT departments to enforce security and data compliance policies. It provides administrators with a centralized, web-based console to monitor and manage devices regardless of their physical location — making it a potent tool if compromised by malicious actors.
This assessment is supported by a Reddit discussion about the Stryker outage, in which several users identifying themselves as Stryker employees stated they had been instructed to uninstall Intune urgently.
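Added example, not part of the original report: because a management console that can wipe every enrolled device turns one compromised administrator identity into a fleet-wide outage, defenders can alert on the rate of destructive actions per identity. The Python code below flags any identity that wipes an unusual number of distinct devices within a short window; the event schema, actor and device names, and thresholds are constructed assumptions, not Intune's actual audit-log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records in a hypothetical normalized schema
# (time, actor, action, device); not a real Intune export.
SAMPLE_EVENTS = (
    [{"time": "2025-01-06T09:00:00Z", "actor": "helpdesk-01", "action": "wipe", "device": "LT-0001"},
     {"time": "2025-01-06T09:30:00Z", "actor": "helpdesk-01", "action": "sync", "device": "LT-0002"},
     {"time": "2025-01-06T15:00:00Z", "actor": "helpdesk-01", "action": "wipe", "device": "LT-0003"}]
    # Six wipes of six different devices by one identity inside one minute.
    + [{"time": f"2025-01-06T02:14:{s:02d}Z", "actor": "admin-svc",
        "action": "wipe", "device": f"LT-1{s:03d}"} for s in range(0, 60, 10)]
)

WIPE_ACTIONS = {"wipe", "retire"}  # destructive actions in the assumed schema


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor whose destructive actions reach
    `threshold` distinct devices inside any sliding `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in WIPE_ACTIONS:
            by_actor[e["actor"]].append((parse(e["time"]), e["device"]))

    alerts = []
    for actor, hits in by_actor.items():
        hits.sort()                      # chronological order per actor
        start = 0
        for end in range(len(hits)):
            # Shrink the window from the left until it spans <= `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            devices = {d for _, d in hits[start:end + 1]}
            if len(devices) >= threshold:
                alerts.append({"actor": actor, "first_seen": hits[start][0],
                               "tripped_at": hits[end][0], "devices": len(devices)})
                break                    # one alert per actor is enough
    return alerts


if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(alert)
```

The two help-desk wipes six hours apart stay below the threshold, while the burst from a single identity trips the alert at the fifth device, before the sixth wipe is issued.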
Ground-Level Impact in Ireland
Reports from the Irish Examiner painted a vivid picture of the chaos at Stryker's Cork headquarters. Staff are reportedly communicating via WhatsApp while awaiting word on when they can return to work. An unnamed employee told the publication that "anything connected to the network is down" and that "anyone with Microsoft Outlook on their personal phones had their devices wiped."
The Examiner further reported:
"Multiple sources have said that systems in the Cork headquarters have been 'shut down' and that Stryker devices held by employees have been wiped out. The login pages coming up on these devices have been defaced with the Handala logo."
Real-World Healthcare Supply Chain Disruptions
The attack has already begun reverberating through the broader U.S. healthcare system. One healthcare professional at a major university medical system — who requested anonymity because they were not authorized to speak publicly — told KrebsOnSecurity they are currently unable to order surgical supplies typically sourced through Stryker.
"This is a real-world supply chain attack," the professional said. "Pretty much every hospital in the U.S. that performs surgeries uses their supplies."
John Riggi, national advisor for the American Hospital Association (AHA), confirmed the organization is actively monitoring the situation. In a statement provided via email, Riggi said:
"We are aware of reports of the cyber attack against Stryker and are actively exchanging information with the hospital field and the federal government to understand the nature of the threat and assess any impact to hospital operations. As of this time, we are not aware of any direct impacts or disruptions to U.S. hospitals as a result of this attack. That may change as hospitals evaluate services, technology and supply chain related to Stryker and if the duration of the attack extends."
Emergency Medical Services Also Affected
A March 11 memo from Maryland's Institute for Emergency Medical Services Systems revealed that Stryker had informed the state that some of its computer systems had been impacted by a "global network disruption." In response, several hospitals proactively disconnected from Stryker's online services — including LifeNet, a platform that allows paramedics to transmit EKGs to emergency physicians so that heart attack patients can receive faster treatment upon hospital arrival.
Timothy Chizmar, Maryland's EMS medical director, addressed the implications for front-line responders in the memo:
"As a precaution, some hospitals have temporarily suspended their connection to Stryker systems, including LIFENET, while others have maintained the connection. The Maryland Medical Protocols for EMS requires ECG transmission for patients with acute coronary syndrome (or STEMI). However, if you are unable to transmit a 12 Lead ECG to a receiving hospital, you should initiate radio consultation and describe the findings on the ECG."
A Developing and High-Stakes Situation
The Stryker attack underscores a troubling escalation in the targeting of critical infrastructure and healthcare supply chains by state-linked threat actors. With Stryker supplying medical devices to virtually every surgical facility in the United States, the downstream consequences of this incident could grow significantly the longer systems remain offline. This story continues to develop as more details emerge.
Source: Krebs on Security