A hacktivist group with ties to Iran’s intelligence agencies has claimed responsibility for a widespread cyberattack on Stryker, a global medical technology company headquartered in Kalamazoo, Michigan. The attack, which reportedly began Wednesday, has disrupted operations across the company, sending more than 5,000 employees home in Ireland and prompting a “building emergency” at its U.S. headquarters. The incident underscores the growing threat of cyberattacks against critical infrastructure, particularly in the healthcare sector.
Stryker, a major supplier of medical devices with $25 billion in global sales last year, has experienced a significant network disruption. The group, known as Handala (also referred to as the Handala Hack Team), alleges it erased data from more than 200,000 systems, servers, and mobile devices in 79 countries. According to a manifesto posted on Telegram, the attack is retaliation for a February 28 missile strike that reportedly killed at least 175 people, most of them children, at a school in Iran.
Attack Details and Attribution
Security researchers at Palo Alto Networks have linked Handala to Iran’s Ministry of Intelligence and Security (MOIS), identifying it as one of several online personas maintained by a MOIS-affiliated actor called Void Manticore. Palo Alto Networks notes that Handala surfaced in late 2023 and primarily focuses its hack-and-leak activity on Israel, occasionally expanding its targets based on specific agendas. The group has also claimed responsibility for recent attacks on fuel systems in Jordan and an Israeli energy exploration company.
The attack appears to have been carried out with a “remote wipe” command issued through Microsoft Intune, the cloud-based service IT teams use to manage and secure devices, rather than with traditional wiper malware. A source familiar with the attack, speaking anonymously to KrebsOnSecurity, described this approach. Reports from Stryker employees on Reddit corroborate it, with some stating they were urgently instructed to uninstall Intune from their devices. The practical implication is that whoever held administrative control of the Intune tenant could erase every enrolled device with legitimate management traffic, leaving no malware sample behind to detect; the evidence of the attack lives in the tenant’s audit log rather than on the endpoints.
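As an added example (not from the original report, Stryker, or Microsoft), the script below shows the kind of detection a defender would run over Intune audit events to catch a burst of remote wipes from one identity before it has reached every device. The event records model the shape of Microsoft Graph deviceManagement/auditEvents entries (activityType, activityDateTime, actor, resources); the exact field values and the activityType strings are assumptions about that schema, and all sample events are constructed.

```python
"""Detect bursts of remote-wipe commands in Intune audit events.

Added example, not part of the original report. The event dictionaries
model the shape of Microsoft Graph deviceManagement/auditEvents records
(activityType, activityDateTime, actor, resources); the field values are
an assumption about that schema, and every event below is constructed,
not real Stryker or Intune data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names that destroy device state. Assumed to match the
# activityType strings Intune writes; confirm against your own export.
DESTRUCTIVE = {
    "wipeManagedDevice ManagedDevice",
    "retireManagedDevice ManagedDevice",
}


def _event(activity, when, actor, device):
    """Build one constructed audit record in the assumed schema."""
    return {
        "activityType": activity,
        "activityDateTime": when,
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device}],
    }


# Constructed sample: one routine help-desk wipe, a config change,
# one retire, and six wipes from a single account inside three minutes.
SAMPLE_EVENTS = [
    _event("wipeManagedDevice ManagedDevice", "2026-03-11T09:00:12Z",
           "helpdesk@example.com", "LAPTOP-0412"),
    _event("createDeviceConfiguration DeviceConfiguration",
           "2026-03-11T09:05:00Z", "admin@example.com", "Baseline-Win11"),
    _event("retireManagedDevice ManagedDevice", "2026-03-11T10:30:00Z",
           "helpdesk@example.com", "PHONE-7781"),
] + [
    _event("wipeManagedDevice ManagedDevice",
           f"2026-03-11T09:1{4 + i // 2}:{'00' if i % 2 == 0 else '30'}Z",
           "svc-automation@example.com", f"LAPTOP-{1000 + i}")
    for i in range(6)
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _actor_name(event):
    """Prefer the user principal; fall back to an app (service principal) name."""
    actor = event.get("actor") or {}
    return (actor.get("userPrincipalName")
            or actor.get("applicationDisplayName")
            or "<unknown>")


def find_bulk_wipes(events, threshold=5, window=timedelta(minutes=15)):
    """Return {actor: sorted device names} for every actor who issued at
    least `threshold` destructive actions within any span of `window`.

    A genuine MDM wipe is a one-device, one-ticket action; many from one
    identity within minutes is the pattern a remote-wipe attack leaves.
    """
    by_actor = defaultdict(list)
    for e in events:
        if e.get("activityType") not in DESTRUCTIVE:
            continue
        devices = [r.get("displayName", "?") for r in e.get("resources", [])]
        by_actor[_actor_name(e)].append((_parse(e["activityDateTime"]), devices))

    hits = {}
    for actor, actions in by_actor.items():
        actions.sort(key=lambda a: a[0])
        lo = 0
        for hi in range(len(actions)):          # sliding time window
            while actions[hi][0] - actions[lo][0] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[actor] = sorted({d for _, ds in actions for d in ds})
                break
    return hits


if __name__ == "__main__":
    for actor, devices in find_bulk_wipes(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} wiped {len(devices)} devices: {', '.join(devices)}")
```

In a real tenant the events would come from Intune diagnostic settings streamed to a log platform, and the alert should fire on the first few wipes, not after the fact; the earlier and quieter signal is a new or unexpected identity being granted an Intune or Global Administrator role, which is what makes the later wipe possible.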
Impact on Operations and Healthcare Providers
The cyberattack has already begun to affect Stryker’s operations and, potentially, the healthcare providers that rely on its products. An unnamed healthcare professional at a major university medical system in the United States told KrebsOnSecurity they are currently unable to order surgical supplies normally sourced through Stryker, describing the situation as a “real-world supply chain attack.” John Riggi, national advisor for the American Hospital Association (AHA), said the AHA is actively monitoring the situation and exchanging information with the hospital field and the federal government, but is not yet aware of widespread disruptions to U.S. hospitals.
In Maryland, a March 11 memo from the Institute for Emergency Medical Services Systems said Stryker had reported a “global network disruption.” Some hospitals in the state have temporarily disconnected from Stryker’s online services, including LifeNet, which lets paramedics transmit ECGs to emergency physicians; losing it can delay critical care for heart attack patients. The memo advises paramedics to initiate a radio consultation if they are unable to transmit ECGs.
Handala’s Motives and Previous Activity
Handala’s manifesto referenced Stryker as a “Zionist-rooted corporation,” likely referencing the company’s 2019 acquisition of the Israeli firm OrthoSpace. Palo Alto Networks researchers describe Handala’s activities as “opportunistic and ‘quick and dirty,’ with a noticeable focus on supply-chain footholds” to reach targets and amplify credibility through “proof” posts.
Handala’s claim that the February 28 missile strike was carried out by the United States is consistent with reporting from The New York Times, which states that an ongoing military investigation has determined U.S. responsibility for the deadly Tomahawk missile strike.
Stryker currently employs 56,000 people across 61 countries, according to the company’s website. Employees at the company’s site in Cork, Ireland, are reportedly relying on WhatsApp for updates, with reports that systems are down, devices have been wiped, and login pages have been defaced with the Handala logo, according to the Irish Examiner.
As the investigation continues, the full extent of the damage and data compromise remains unclear. The incident underscores the vulnerability of medical device manufacturers to cyberattacks and the potential for disruption to healthcare services. Further analysis will be needed to determine the long-term impact of this attack and the effectiveness of Stryker’s response.
This is a developing story, and we will continue to provide updates as more information becomes available.