Stryker hit by wipe attack
Medical‑device giant Stryker says it’s restoring systems after pro‑Iran hackers wiped thousands of employee devices, causing days of operational disruption even though hospitals weren’t directly impacted — a reminder that supply‑chain and vendor outages can cascade into critical services. (techcrunch.com)(reuters.com)
The attack was disclosed on March 11, 2026, and claimed by the pro‑Iran hacktivist persona Handala, which asserted it wiped roughly 200,000 systems and exfiltrated about 50 terabytes of data. (abcnews.com) Stryker said the activity was contained to its Microsoft corporate environment, that it activated its incident‑response plan on detection, and that it engaged external advisors while asserting its connected medical products were not impacted. (stryker.com) Multiple investigators report the likely vector was abuse of Microsoft Entra/Azure AD admin accounts and Intune MDM to issue legitimate remote‑wipe commands — a “living‑off‑the‑land” approach rather than bespoke malware. (labs.cloudsecurityalliance.org) Operational disruption included office closures and access loss for thousands of employees; Indian press reporting estimated about 5,500 Stryker staff in Ireland (nearly 4,000 in Cork) were affected while Stryker acknowledged order‑processing, manufacturing and shipping interruptions. (economictimes.indiatimes.com) U.S. federal response included a CISA investigation opened within days of the incident, and media reports say Stryker worked with Microsoft engineers and outside cyber‑response firms during restoration efforts. (nextgov.com) Stryker told investors and customers it had found no indication of ransomware or conventional malware in initial probes and had not provided a full timeline for complete restoration as of its March 15 update. (medtechdive.com)
