A sophisticated cyberattack, attributed to an Iran-backed hacktivist group known as Handala, has crippled operations at Stryker, a leading global medical technology company. The attackers claim to have executed a widespread data-wiping operation, impacting over 200,000 systems, servers, and mobile devices across Stryker’s facilities in 79 countries. This alleged attack has forced the company to send home more than 5,000 workers from its largest hub outside the United States, located in Ireland, and has prompted a "building emergency" notification at its U.S. headquarters in Kalamazoo, Michigan.

Stryker, a Fortune 500 company with reported global sales of $25 billion last year, is a critical supplier of medical and surgical equipment, employing approximately 56,000 individuals worldwide. The Handala group, which has been linked by cybersecurity researchers to Iran’s Ministry of Intelligence and Security (MOIS), posted a lengthy manifesto on Telegram detailing their alleged assault. The group stated that all "acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption."

The hacktivists assert that this wiper attack is a direct retaliation for a missile strike on February 28th that resulted in the deaths of at least 175 people, predominantly children, in Iran. While the initial reports did not definitively assign blame for the strike, The New York Times has since reported that an ongoing military investigation has concluded that the United States was responsible for the deadly Tomahawk missile strike. This contextualizes Handala’s actions as a retaliatory cyber response to a geopolitical event.

Palo Alto Networks, in a recent profile of Iranian cyber activities, identified Handala as one of several online personas likely maintained by Void Manticore, an entity associated with the MOIS. Handala emerged in late 2023 and has been observed to engage in "hack-and-leak" activities, primarily targeting Israel, but also extending its reach to other regions when serving specific agendas. The group has previously claimed responsibility for attacks on fuel systems in Jordan and an Israeli energy exploration company. Palo Alto researchers describe Handala’s recent activities as opportunistic, focusing on supply-chain vulnerabilities to reach downstream targets, followed by the release of "proof" posts to enhance credibility and intimidate victims.

The Handala manifesto specifically referred to Stryker as a "Zionist-rooted corporation," a descriptor that may allude to Stryker’s 2019 acquisition of the Israeli company OrthoSpace. This ideological framing further underscores the group’s motivations, which appear to be intertwined with geopolitical tensions and anti-Israeli sentiment.

The impact of the attack on Stryker’s operations is significant and has immediate implications for healthcare providers. Reports from Ireland indicate that company devices have been defaced with the Handala logo, and employees are using personal devices and platforms like WhatsApp for communication due to network outages. An unnamed employee quoted by the Irish Examiner stated that anything connected to the network is down, and even personal devices with Microsoft Outlook installed were wiped.

While traditional wiper attacks involve malicious software designed to overwrite data, credible sources familiar with the Stryker incident suggest a more sophisticated method was employed. It is believed that the attackers leveraged Microsoft Intune, a cloud-based device management service, to issue a "remote wipe" command across all connected devices. This hypothesis is supported by discussions on cybersecurity forums where alleged Stryker employees were reportedly advised to urgently uninstall Intune. Intune’s functionality allows IT administrators to enforce security policies and manage devices remotely, making it a potent tool for a large-scale, targeted disruption if compromised or misused.
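The scenario above, a legitimate device-management service issuing destructive commands at scale, is one a defender can watch for in the management platform's own audit trail. The following is an added example, not code from the article, from Stryker, or from Microsoft: a small rate-based detector that reads an export of Intune audit events, groups destructive device actions (wipe, retire) by the acting account, and raises one alert per account whose destructive actions within a sliding window reach a threshold. It assumes records shaped like the Microsoft Graph `deviceManagement/auditEvents` resource (`activityType`, `activityDateTime`, `actor.userPrincipalName`, `resources`); the exact `activityType` wording and every event in the sample export are constructed for the example and should be adjusted to what your own tenant actually logs.

```python
"""Rate-based detection of mass remote-wipe actions in an Intune audit export.

Added example. The event shape follows Microsoft Graph deviceManagement/auditEvents
as an assumption; the sample data below is constructed, not real tenant data.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lower-cased substrings of activityType treated as destructive device actions.
# The exact strings Intune emits are an assumption; tune to your audit export.
DESTRUCTIVE_MARKERS = ("wipe", "retire")


def _ev(ts, actor, activity, resource, operation="Action"):
    """Build one constructed audit event in the assumed Graph shape."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "activityOperationType": operation,
        "activityResult": "Success",
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": resource}],
    }


# Constructed export: one helpdesk wipe of a lost phone (normal), plus a burst
# of six wipes from a single automation account (the pattern worth alerting on).
# Events are deliberately out of order to show that the loader sorts them.
SAMPLE_EXPORT = json.dumps([
    _ev("2026-03-06T08:00:12Z", "svc-mdm@example.com", "Wipe ManagedDevice", "LAPTOP-0001"),
    _ev("2026-03-06T08:00:15Z", "svc-mdm@example.com", "Wipe ManagedDevice", "LAPTOP-0002"),
    _ev("2026-03-06T07:55:00Z", "helpdesk@example.com", "Wipe ManagedDevice", "PHONE-LOST-0042"),
    _ev("2026-03-06T08:00:40Z", "svc-mdm@example.com", "Wipe ManagedDevice", "LAPTOP-0004"),
    _ev("2026-03-06T08:00:20Z", "svc-mdm@example.com", "Wipe ManagedDevice", "LAPTOP-0003"),
    _ev("2026-03-06T08:01:05Z", "svc-mdm@example.com", "Update DeviceConfiguration", "Baseline-Policy", "Patch"),
    _ev("2026-03-06T08:02:10Z", "svc-mdm@example.com", "Wipe ManagedDevice", "LAPTOP-0005"),
    _ev("2026-03-06T08:03:30Z", "svc-mdm@example.com", "Wipe ManagedDevice", "LAPTOP-0006"),
])


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_destructive(event):
    activity = event.get("activityType", "").lower()
    return any(marker in activity for marker in DESTRUCTIVE_MARKERS)


def load_events(raw_json):
    """Load an export and return events ordered by activityDateTime."""
    return sorted(json.loads(raw_json), key=lambda e: parse_time(e["activityDateTime"]))


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor whose destructive actions inside `window`
    reach `threshold`. Each alert is refreshed as the burst continues, so it
    reflects the most recent window rather than only the first crossing."""
    recent = defaultdict(deque)   # actor -> deque of (timestamp, [device names])
    alerts = {}
    for event in events:
        if not is_destructive(event):
            continue
        actor = event.get("actor", {}).get("userPrincipalName", "<unknown>")
        ts = parse_time(event["activityDateTime"])
        names = [r.get("displayName", "?") for r in event.get("resources", [])]
        bucket = recent[actor]
        bucket.append((ts, names))
        while bucket and ts - bucket[0][0] > window:   # evict events outside the window
            bucket.popleft()
        if len(bucket) >= threshold:
            alerts[actor] = {
                "actor": actor,
                "count": len(bucket),
                "first": bucket[0][0].isoformat(),
                "last": ts.isoformat(),
                "devices": [d for _, devs in bucket for d in devs],
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_wipe(load_events(SAMPLE_EXPORT)):
        print(f"ALERT {alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['first']} and {alert['last']} -> {alert['devices']}")
```

The threshold and window are the tuning knobs: a single helpdesk engineer wiping one lost phone stays well below five actions in ten minutes, while an account fanning out wipes across a fleet crosses it within seconds. This kind of alert fires after the first devices are already gone, so it belongs alongside preventive controls rather than in place of them: keep the device-action role on as few identities as possible, put privileged role activation behind approval, and require phishing-resistant MFA on every account that can issue a wipe.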

The ripple effects of this cyberattack are extending into the healthcare supply chain. A healthcare professional from a major U.S. university medical system, speaking anonymously, confirmed that they are currently unable to order surgical supplies normally sourced through Stryker. This individual described the incident as a "real-world supply chain attack," emphasizing that "pretty much every hospital in the U.S. that performs surgeries uses their supplies."

The American Hospital Association (AHA) is actively monitoring the situation. John Riggi, national advisor for the AHA, stated that while they are aware of the cyberattack and exchanging information with the healthcare field and federal government, they have not yet seen any direct impacts or disruptions to U.S. hospitals. However, he cautioned that this could change as hospitals assess their reliance on Stryker’s services and if the attack’s duration extends.

Further complicating the situation, a memo from Maryland’s Institute for Emergency Medical Services Systems revealed that Stryker itself has acknowledged a "global network disruption" impacting some of its computer systems. In response, some hospitals have proactively disconnected from Stryker’s online services, including LifeNet, a critical platform that allows paramedics to transmit EKGs to emergency physicians for expedited treatment of heart attack patients. The memo details that while some hospitals have maintained their connection to LifeNet, others have temporarily suspended it as a precaution. This highlights the critical reliance of emergency medical services on these interconnected systems and the potential for cascading failures in the event of a major cyber incident.

The situation remains fluid, with ongoing investigations and assessments of the full scope of the damage and its implications for the healthcare sector. Updates will be provided as more information becomes available regarding the duration and extent of the disruption.