Iranian-Linked Hacktivists Claim Massive Data-Wiping Attack on Stryker

Stryker [NYSE: SYK], a global leader in medical technology, is grappling with a severe network disruption following a massive data-wiping attack claimed by the Iranian-linked hacktivist group Handala. The incident has reportedly forced the shutdown of offices across dozens of countries and triggered a “building emergency” at the company’s Michigan headquarters.
The attack surfaced early Wednesday when reports from Ireland—Stryker’s largest international hub—indicated that over 5,000 employees were sent home. Simultaneously, staff at the company’s Cork headquarters reported that corporate devices, including personal phones with Microsoft Outlook, were being remotely wiped and defaced with the Handala logo.
Scope and Attribution
In a manifesto posted to Telegram, Handala claimed to have erased data from more than 200,000 systems, servers, and mobile devices across 79 countries. The group, which security firm Palo Alto Networks identifies as a persona for the Iranian Ministry of Intelligence and Security (MOIS) actor Void Manticore, stated the attack was retaliation for a recent U.S. missile strike.
While Stryker’s official communications have been limited to a “building emergency” voicemail at its headquarters, internal reports suggest a sophisticated breach of administrative tools. Sources familiar with the incident indicate that the attackers likely leveraged Microsoft Intune—a cloud-based endpoint management solution—to broadcast “remote wipe” commands to the company’s global fleet of devices.
Healthcare and Supply Chain Impact
The disruption is already reverberating through the healthcare sector. Stryker, which recorded $25 billion in sales last year, is a critical supplier for nearly every surgical facility in the United States.
- Supply Chain: Healthcare professionals at major U.S. medical systems report an inability to order essential surgical supplies.
- Emergency Services: In Maryland, the Institute for Emergency Medical Services Systems notified hospitals that Stryker’s LIFENET system—used by paramedics to transmit EKGs to ER physicians—has been impacted. Some hospitals have proactively disconnected from Stryker’s network to prevent lateral movement of the malware.
John Riggi, national advisor for the American Hospital Association (AHA), stated that while the organization is monitoring the threat, the full extent of the impact on hospital operations will depend on the duration of the outage.
Security Implications for Enterprise Endpoint Management
This incident underscores a critical vulnerability in the centralized management of global IT infrastructure. By compromising a high-level administrative credential within a tool like Microsoft Intune, threat actors can bypass traditional malware delivery methods, instead using the organization’s own legitimate “kill switches” against itself. This “living off the land” technique renders traditional antivirus measures ineffective, as the wipe command is a native, authorized function of the operating system.
For the medical device industry, this represents a shift from data theft to functional sabotage. As Stryker works to restore its 200,000 compromised endpoints, the secondary effect on the healthcare supply chain may lead to surgical delays and a backlog in emergency diagnostic transmissions. This event will likely prompt a global re-evaluation of Privileged Access Management (PAM) and “manual override” safeguards for cloud-based MDM (Mobile Device Management) platforms in critical infrastructure sectors.
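Because a remote wipe is a legitimate management action, detection has to key on how many devices one administrator touches and how quickly, not on malware signatures. The sketch below is an added example, not code from Stryker, Microsoft or any source cited in this article; the record fields, action names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that destroy data or management state on an endpoint (assumed names).
DESTRUCTIVE = {"wipe", "retire", "delete"}

# Constructed sample records. The field names are assumptions for this
# example, not the schema of a real MDM audit export.
SAMPLE_EVENTS = [
    {"time": "2025-01-01T08:00:00", "actor": "helpdesk@example.com", "action": "wipe", "device": "LT-0001"},
    {"time": "2025-01-01T08:01:00", "actor": "helpdesk@example.com", "action": "wipe", "device": "LT-0001"},  # retry
    {"time": "2025-01-01T11:30:00", "actor": "helpdesk@example.com", "action": "retire", "device": "LT-0002"},
] + [
    {"time": f"2025-01-01T09:00:{s:02d}", "actor": "admin@example.com",
     "action": "wipe", "device": f"PH-{s:04d}"}
    for s in range(0, 50, 10)  # five different devices in under a minute
]


def find_wipe_bursts(events, threshold=4, window=timedelta(minutes=5)):
    """Return one alert per actor whose destructive actions reach at least
    `threshold` distinct devices inside any sliding `window`."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE:
            when = datetime.fromisoformat(e["time"])
            per_actor[e["actor"]].append((when, e["device"]))
    alerts = []
    for actor, hits in per_actor.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop actions that fell out of the window
            devices = {d for _, d in hits[start:end + 1]}  # retries count once
            if len(devices) >= threshold:
                alerts.append({"actor": actor, "devices": len(devices),
                               "first": hits[start][0], "last": hits[end][0]})
                break  # one alert per actor is enough to page someone
    return alerts


if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(alert)
```

The same counting logic can sit in front of the management platform as a hold-for-approval gate instead of an after-the-fact alert, which is one form the “manual override” safeguard mentioned above could take.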



