Medical technology giant Stryker is working to restore its computers and internal network following a cyberattack. The incident reportedly allowed pro-Iranian hackers to remotely wipe tens of thousands of employee devices. This hack caused widespread and ongoing disruption to the company’s operations and is considered the first major cyberattack in the United States carried out in response to the Trump administration’s war in Iran.
In a weekend update, Stryker stated the March 11 cyberattack was contained to its internal Microsoft environment. The company confirmed its internet-connected medical products remain safe to use. While the cause of the breach is still under investigation, Stryker said it has seen no indication of ransomware or malware. However, the company’s ability to process orders, manufacture, and ship devices continues to be disrupted.
A pro-Iran hacking group known as Handala claimed responsibility for the destructive breach. The group stated the attack was a response to a U.S. air strike on an Iranian school that killed at least 175 people, most of them children. The hackers also defaced the company’s login pages with their own logo.
Reports indicate the Handala hackers may have gained access using an internal Stryker administrator account. This account granted them extensive access to the company’s Windows network. The hackers allegedly accessed Stryker’s Microsoft InTune dashboards, which are used for the remote management of employee laptops and mobile devices, including the ability to delete data.
A successful compromise of these dashboards would have allowed the hackers to remotely wipe employee phones and laptops, including personal devices, without using any malware. Other reporting has confirmed the hackers targeted the InTune system.
A Stryker spokesperson did not respond to requests for comment on the breach, including whether the allegedly compromised account was protected with multi-factor authentication.
The initial method of network access remains unclear. Security researchers have suggested the Handala hackers may have relied on phishing to compromise Stryker’s network. The Iran-aligned group is known for using phishing techniques and destructive attacks, particularly targeting the healthcare and energy sectors. Infostealer malware, which steals passwords and credentials, may also have played a role.
Stryker employs 56,000 staff worldwide and operates in more than 60 countries.