Stryker Pwned By Iran Backed Hackers

US medical company Stryker has been pwned in a cyber attack by Iran-backed cybercriminals. Here are some details on this attack:
Stryker is a Fortune 500 company that specializes in the manufacturing of surgical equipment, orthopedic implants, and neurotechnology. Headquartered in Michigan, the company employs approximately 56,000 people and reported over $25 billion in revenue for 2025. Its critical role in the healthcare supply chain makes it an essential partner for hospitals worldwide.
The Iran-linked hacker group named Handala has taken credit for the attack, claiming to have struck an “unprecedented blow” to the company.
The hackers claim to have wiped more than 200,000 servers, mobile devices, and other systems, forcing Stryker to shut down offices in 79 countries. They also allegedly stole 50TB of data from the company’s systems.
Handala has been highly active since the start of the US-Israel-Iran conflict.
Lee Sult, Chief Investigator at Binalyze, had this to say:
“The Stryker attack looks to be the first drop of blood in the water as a result of nation-state and hacktivist activity off the back of the Iran conflict. This attack confirms Western organizations are not only in the adversary’s crosshairs, but the adversary can also make the shot. More shots are coming.
“An attack like this is about damage and spreading chaos. Handala is using a scorched-earth approach: they get in fast, wipe devices, steal data, and leave chaos behind them. Thousands of employees locked out of devices isn’t just an operational crisis. It quickly becomes a financial, reputational, and potentially life-and-property risk.
“Speed is everything when attacks like this happen. Investigation can’t be an afterthought; organizations need to know if the attackers are still inside systems, which systems are impacted, and how the attackers got in. The faster those questions are answered, the faster you can begin recovery.
“Stryker could be the first in a wave of attacks. Cyber assets friendly to the Iranian regime have regrouped and are actively circling their next target sets. Organizations need to be monitoring for IOCs linked to Iran-backed campaigns – including those seen in Operation Olalampo and APT35. But it’s also about reinforcing the basics: software needs to be patched, phishing-resistant MFA enabled, and a clear plan in place to isolate devices and systems when suspicious activity arises. In firefighting terms, it’s time to cancel vacations and pre-stage your fire companies near critical assets.”
The age of hybrid warfare has clearly begun. That means that every single one of us needs to re-evaluate how secure we are and take the steps required to make sure that it is as hard as possible for a threat actor to pwn you. Given the state of the world at the moment, this isn’t optional anymore.
UPDATE: Ensar Seker, CISO at SOCRadar, has provided the following commentary:
“Claims like wiping 200,000 devices and extracting tens of terabytes of data should be treated cautiously until independently verified. Hacktivist groups often exaggerate operational impact for psychological effect. However, even if the scale is smaller than claimed, a wiper-style attack against a global medical technology company is serious because it targets operational continuity rather than just data theft. In the healthcare ecosystem, outages affecting device manufacturers or support systems can ripple across hospitals, supply chains, and patient care environments.
What makes this incident notable is the alleged use of enterprise management infrastructure to execute a destructive campaign. If attackers gained access to tools such as mobile device or endpoint management platforms, they could push destructive commands at scale across thousands of systems almost instantly. That shifts the attack from traditional ransomware or espionage into a coordinated operational disruption, which is consistent with the tactics we increasingly see in geopolitically motivated hacktivism tied to regional conflicts.
Groups like Handala represent the blurred line between hacktivism, state alignment, and information operations. Many of these actors position themselves as ideological collectives, but their campaigns often align with broader geopolitical narratives. Targeting a global medical technology provider may be intended less as a financially motivated attack and more as a symbolic demonstration that Western critical industries can be disrupted during geopolitical tensions.
Organizations should take this as a reminder that destructive cyber operations are no longer limited to nation-state military targets. Companies in healthcare, manufacturing, and critical supply chains should prioritize stronger identity security around administrative tools, strict segmentation of device-management platforms, and continuous monitoring for anomalous mass actions such as remote wipes or bulk configuration pushes. In many modern attacks, the damage is done not through sophisticated malware but through the abuse of legitimate enterprise management capabilities.”
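The monitoring Seker recommends can be made concrete. The script below is an added illustration for this post and is not code from Stryker, Binalyze or SOCRadar: it parses a constructed, simplified MDM audit log (timestamp, actor, action, device; real platforms have their own audit schemas that would need mapping onto these fields) and raises an alert when a single actor issues a high-impact action such as a remote wipe or bulk configuration push more than a threshold number of times inside a sliding time window. The five-minute window, the threshold of ten, the action names and the sample accounts are all assumptions chosen for the example and would be tuned against an environment's normal administrative activity.

```python
"""Flag bursts of destructive device-management actions (remote wipes, bulk
config pushes) per actor, the kind of anomalous mass action a compromised
MDM/endpoint-management console would produce.

Constructed example: the log format, action names and sample accounts are
invented for illustration and do not come from any real platform.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions whose bulk use is rarely legitimate and should page an on-call analyst.
HIGH_IMPACT_ACTIONS = {"REMOTE_WIPE", "FACTORY_RESET", "BULK_CONFIG_PUSH"}


def parse_line(line):
    """Parse 'ISO-timestamp actor action device' into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return {"ts": ts, "actor": parts[1], "action": parts[2], "device": parts[3]}


def detect_mass_actions(lines, window=timedelta(minutes=5), threshold=10):
    """Return one alert per (actor, action) whose count within any sliding
    window of `window` reaches `threshold`.

    Lines must be in chronological order (sort them first if they are not).
    Each alert records the actor, the action, the peak count seen inside the
    window, and the first and last timestamps of the burst.
    """
    recent = defaultdict(deque)  # (actor, action) -> timestamps inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] not in HIGH_IMPACT_ACTIONS:
            continue  # malformed lines and routine actions are ignored
        key = (ev["actor"], ev["action"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop events that aged out
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(key, {"actor": ev["actor"], "action": ev["action"],
                                        "count": 0, "first": q[0], "last": ev["ts"]})
            a["count"] = max(a["count"], len(q))
            a["last"] = ev["ts"]
    return list(alerts.values())


def build_sample_log():
    """Constructed audit log: routine admin activity plus one burst of wipes
    from an automation account, with one malformed line the parser must skip."""
    base = datetime(2026, 3, 11, 1, 0, 0)
    events = []  # (timestamp, actor, action, device)
    # Routine: a help-desk admin wipes three lost laptops over several hours.
    for i, hours in enumerate((0, 3, 7)):
        events.append((base + timedelta(hours=hours), "alice", "REMOTE_WIPE", f"laptop-{i:03d}"))
    # Routine: a small config push to four phones.
    for i in range(4):
        events.append((base + timedelta(hours=1, minutes=i), "bob", "BULK_CONFIG_PUSH", f"phone-{i:03d}"))
    # Suspicious: 40 wipes from an API account inside 78 seconds.
    burst = base + timedelta(hours=1, minutes=14)
    for i in range(40):
        events.append((burst + timedelta(seconds=2 * i), "svc-mdm-api", "REMOTE_WIPE", f"server-{i:03d}"))
    events.sort()
    lines = [f"{ts.isoformat()} {actor} {action} {device}" for ts, actor, action, device in events]
    lines.insert(5, "malformed line with no timestamp")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_actions(build_sample_log()):
        print(f"ALERT {alert['actor']} issued {alert['count']} x {alert['action']} "
              f"between {alert['first']} and {alert['last']}")
```

Run stand-alone, the script reports the single burst from `svc-mdm-api` and stays silent about the three spaced-out wipes from `alice` and the four-device push from `bob`. The sliding window is what separates the two cases: the same three-wipes-a-day admin would trip the detector if the wipes landed within seconds of each other. In practice the alert would be wired to an automated response, such as suspending the actor's console session and pausing the management platform's command queue, so that the window between detection and containment is measured in seconds rather than the hours it takes to notice thousands of offline devices.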
This entry was posted on March 12, 2026 at 9:50 am and is filed under Commentary with tags Hacked. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.