{"id":15951,"date":"2026-03-12T19:10:16","date_gmt":"2026-03-12T19:10:16","guid":{"rendered":"https:\/\/newestek.com\/?p=15951"},"modified":"2026-03-12T19:10:16","modified_gmt":"2026-03-12T19:10:16","slug":"medical-giant-stryker-crippled-after-iranian-hackers-remotely-wipe-computers","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15951","title":{"rendered":"Medical giant Stryker crippled after Iranian hackers remotely wipe computers"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>A major cyberattack on US medical supplies giant Stryker has resulted in thousands of devices being remotely wiped, after a pro-Iranian hacking group may have compromised the company\u2019s Microsoft Intune management system.<\/p>\n<p>Details remain sketchy, but what appears to have happened on Wednesday at one of the world\u2019s largest medical supplies companies could, if confirmed, yet rival the scale of the infamous 2012 <a href=\"https:\/\/www.computerworld.com\/article\/1429113\/shamoon-malware-cripples-windows-pcs-to-cover-tracks.html\" target=\"_blank\">Shamoon incident<\/a> in which 30,000 computers belonging to Saudi Aramco were wiped. 
Stryker has 56,000 employees worldwide.<\/p>\n<p><a href=\"https:\/\/www.irishtimes.com\/ireland\/2026\/03\/11\/thousands-of-irish-workers-affected-by-cyberattack-on-us-medtech-firm-stryker\/\" target=\"_blank\" rel=\"noreferrer noopener\">In Ireland<\/a>, thousands of Stryker employees were unable to log into their computers, while others around the globe took to <a href=\"https:\/\/www.reddit.com\/r\/cybersecurity\/comments\/1rqopq0\/stryker_hit_by_handala_intune_managed_devices\/\" target=\"_blank\" rel=\"noreferrer noopener\">Reddit<\/a> <a href=\"https:\/\/x.com\/neeraj_pradhan\/status\/2031779296256344453\" target=\"_blank\" rel=\"noreferrer noopener\">and X<\/a> to complain that multiple devices had been wiped.<\/p>\n<h2 class=\"wp-block-heading\" id=\"no-indication-of-malware\">\u2018No indication of malware\u2019<\/h2>\n<p>\u201cAt this time, there is no indication of malware or ransomware and we believe the situation is contained to our internal Microsoft environment only,\u201d read the company\u2019s <a href=\"https:\/\/www.stryker.com\/us\/en\/about\/news\/2026\/a-message-to-our-customers-03-2026.html\" target=\"_blank\" rel=\"noreferrer noopener\">Thursday update<\/a>.<\/p>\n<p>A day earlier, the severity of the ongoing disruption caused Stryker to <a href=\"https:\/\/d18rn0p25nwr6d.cloudfront.net\/CIK-0000310764\/7fd1068c-1cef-4fd3-8a20-8c086e15da56.pdf\" target=\"_blank\" rel=\"noreferrer noopener\">file a more detailed report<\/a> with the US Securities and Exchange Commission (SEC).<\/p>\n<p>\u201cThe incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company\u2019s information systems and business applications,\u201d Stryker said. 
\u201cWhile the Company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known.\u201d<\/p>\n<p>Such a filing is required only where a publicly-traded company suffers an attack that investors might consider to be materially significant.<\/p>\n<p>The fact that multiple devices were affected, including BYOD mobile devices, points to a compromise of the company\u2019s Microsoft Intune management system. While this has not been confirmed, a successful Intune compromise would have allowed the attackers to wipe devices remotely, without having to deploy malware.<\/p>\n<h2 class=\"wp-block-heading\" id=\"handala-claims-credit\">Handala claims credit<\/h2>\n<p>The Handala threat group quickly claimed responsibility for the attack. While the group\u2019s involvement is just a claim for now, Stryker employees reportedly saw a version of the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Handala\" target=\"_blank\" rel=\"noreferrer noopener\">Handala logo<\/a> \u2013 a cartoon of a Palestinian boy with his back turned and hands crossed behind him \u2013 on affected devices.<\/p>\n<p>Handala\u2019s identity is hard to ascertain. Palo Alto has connected it to Iran\u2019s Ministry of Intelligence and Security (MOIS) via a second identity, Void Manticore. Other security vendors use different names, including Banished Kitten and Storm-842.<\/p>\n<p>The group\u2019s political motivation is less mysterious. 
In <a href=\"https:\/\/handala-hack.to\/stryker-corporation-hacked\/\" target=\"_blank\" rel=\"noreferrer noopener\">a website statement<\/a>, the group styled the cyberattack as a response to the February 28 <a href=\"https:\/\/en.wikipedia.org\/wiki\/2026_Minab_school_attack\" target=\"_blank\" rel=\"noreferrer noopener\">attack on a school in the Iranian city of Minab<\/a>, which killed up to 170 children and adults.<\/p>\n<p>\u201cWe announce to the world that in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success,\u201d it said. \u201cIn this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"critical-flaw\">Critical flaw<\/h2>\n<p>If Intune was the route to compromise, the first job for Stryker\u2019s forensics team will be to work out how attackers got into the system.<\/p>\n<p>\u201cStryker uses Entra for authentication, which integrates everything into this with single sign-on, including the software that builds and updates all devices, including servers, laptops, and phones,\u201d commented <a href=\"https:\/\/www.linkedin.com\/in\/rob-demain-01733468\/?originalSubdomain=uk\" target=\"_blank\" rel=\"noreferrer noopener\">Rob Demain<\/a>, CEO of managed security company e2e-assure.<\/p>\n<p>\u201cThis is a best practice design pattern, but with a critical flaw: if it\u2019s compromised, the attacker has access to wipe all devices, which seems to be what has happened here. 
Initial access is likely to be via credential theft, typically Adversary-in-the-Middle (AitM).\u201d<\/p>\n<p>Compromising such a critical system suggests a significant security failure, said <a href=\"https:\/\/www.linkedin.com\/in\/abbottjon\/?originalSubdomain=uk\" target=\"_blank\" rel=\"noreferrer noopener\">Jon Abbott<\/a>, CEO and co-founder of security management company ThreatAware.<\/p>\n<p>\u201cThe attackers have either tricked the helpdesk into resetting admin credentials, as we saw with the Scattered Spider attacks, taken over an admin\u2019s machine, or spear phished an admin directly,\u201d said Abbott.\u00a0<\/p>\n<p>\u201cIt seems unlikely the attackers could have pulled this off without someone making a critical basic mistake. Anyone granting access to an admin account needs to step up their verification checks. Many of our clients now require three-way video calls before resetting admin credentials, bringing together the admin, their manager, and the service desk operator.\u201d\u00a0<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4140572\/iranian-cyberattacks-fail-to-materialize-but-threat-remains-acute.html\" target=\"_blank\">Security companies predicted<\/a> that pro-Iranian groups would target US companies with wiping attacks when the war started. This is a rise in threat level with a clear message: Iranian nation state actors are now aggressively targeting US companies and their supply chains, and will spare nobody. Every weakness and mistake will be leveraged.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A major cyberattack on US medical supplies giant Stryker has resulted in thousands of devices being remotely wiped, after a pro-Iranian hacking group may have compromised the company\u2019s Microsoft Intune management system. 
Details remain sketchy, but what appears to have happened on Wednesday at one of the world\u2019s largest medical supplies companies could, if confirmed, yet rival the scale of the infamous 2012 Shamoon incident&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15951\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15951","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15951","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15951"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15951\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15951"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15951"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15951"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}