In today’s bulletin, Charlie discusses Stryker Corporation’s recent cyber attack and provides a timeline of events and the lessons we can learn from the attack.

Over the last couple of weeks, I have been researching the Stryker attack. It interested me for a number of reasons. I like writing case studies: it is good to understand different incidents, learn the lessons from them and pass those lessons on to others through training and exercises. The incident is also interesting because the attack was fallout from the Iran war and because a state used cyber operations as part of hybrid warfare. There are a number of interesting differences between this attack and 'normal' ransomware attacks.

Who Are Stryker?

The Stryker Corporation is a leading global medical technology company that designs, manufactures, and supports solutions used across healthcare systems worldwide. Its products include surgical instruments, orthopaedic implants, neurotechnology and spinal devices, endoscopy and imaging systems, and patient-handling and emergency care equipment. It also provides a wide range of healthcare services, which include digital health solutions, clinical education and training, equipment maintenance, and ongoing technical and operational support for healthcare providers. This includes internal clinical communication systems used by hospital staff to coordinate care, respond to alerts, and manage workflows, so its services are integral to the delivery of care and support to patients in hospitals. Founded in 1941 and headquartered in Kalamazoo, Michigan, in the U.S., Stryker operates in over 75 countries and employs approximately 50,000 staff globally, playing a critical role in supporting patient care and clinical operations across the healthcare sector.

Attack Timeline

Each entry gives the date (dd/mm/yy), the event (an overview plus the timings of updates on the company website), and the impact.

06/03/26 (Fri)
Overview: Pre-incident warning issued by Israel's National Cyber Directorate regarding Iranian cyber activity targeting organisations with wiper-style attacks.
Threat Intelligence: "The National Cyber Command has received reports of several cases in which attackers gained access to corporate networks and deleted servers and workstations, with the aim of disrupting the operations of the attacked organisations. In some cases, the attacker had accessed data from legitimate corporate users, which was used to gain initial access to the network."
Impact: Demonstrates known threat activity prior to the incident; highlights the risk of credential compromise and destructive attacks; a potential missed opportunity for a heightened defensive posture.

11/03/26 (Weds)
Overview: Cyber attack identified; global disruption to the Microsoft environment; incident response activated; reported to the SEC via an initial Form 8-K. Initial detection and escalation of the incident; news reports indicate over 5,000 workers sent home in Ireland, the company's largest hub outside the USA.
Impact: Immediate loss of corporate IT capability; regulatory disclosure triggered; large-scale workforce disruption at a key manufacturing hub; global operational disruption begins.

12/03/26 (Thu)
Overview: Initial public updates; confirmation that products are safe and unaffected; ordering and manufacturing disruption begins.
Company Communications:
00:32 ET – Early update: disruption ongoing; no malware/ransomware; products safe
10:43 ET – Mako system update
14:24 ET – LIFEPAK / LIFENET update
21:13 ET – Media statement
Impact: Order processing, manufacturing and shipping disrupted; reliance on business continuity measures; reassurance messaging begins.

13/03/26 (Fri)
Overview: Expanded customer communications; confirmation of unaffected clinical systems and cloud platforms.
Company Communications:
Multiple updates (15:11–18:50 ET): SurgiCount, ordering, OR systems, Vocera / care.ai and connected beds all confirmed unaffected.
Impact: Strong reassurance of system segregation; clinical systems and cloud platforms confirmed unaffected; manual workarounds introduced.

15/03/26 (Sun)
Overview: Incident confirmed contained within the Microsoft environment; restoration begins.
Company Communications:
11:30 ET – No malware/ransomware; manual ordering; recovery underway.
Impact: Gradual stabilisation; backlog management; partial restoration of commercial operations.

19/03/26 (Thu)
Overview: Continued restoration; government engagement; prioritisation of customers, ordering and shipping systems; U.S. government cyber response escalates, with DOJ action disrupting Iranian cyber-enabled psychological operations.
Company Communications:
17:54 ET – Product assurance updates
18:05 ET – Strategic update: government engagement (FBI, CISA, HHS, DHS, H-ISAC); domain seizures
Impact: External support increases confidence; links the incident to broader nation-state activity; confirms no product impact; patient procedures delayed due to supply disruption.

23/03/26 (Mon)
Overview: Investigation update; confirmation of attack method; follow-up SEC Form 8-K filed.
Company Communications:
08:30 ET – Update with Palo Alto Networks Unit 42: malicious file identified, non-spreading; threat actor removed; assurance letter issued; manufacturing ramp-up underway
Impact: Confirms attack method; no data compromise; aligns technical clarity with regulatory disclosure; recovery accelerating.

01/04/26 (Wed)
Overview: Full operational recovery across manufacturing; systems stabilised.
Company Communications:
10:45 ET – Manufacturing restored; production nearing peak; ordering, distribution and commercial systems stable
Impact: Supply stabilised; operations near normal; continued monitoring and recovery; patient care maintained as priority.

Impact On The Company And Their Customers

The cyber attack had a significant impact on Stryker Corporation’s ability to deliver services to its customers and on its internal workforce. The disruption to its internal Microsoft environment halted production, disrupted ordering systems, and caused shipping delays, leading to shortages of medical products and the postponement of some surgical procedures. In certain cases, hospitals were forced to suspend connections to Stryker systems and rely on manual workarounds such as radio communication, highlighting the knock-on effect on clinical operations.

Internally, the impact on employees was immediate and widespread, with large numbers of devices wiped and rendered unusable, including laptops and some personal devices enrolled in the network, resulting in loss of data and productivity. Reports also indicated that over 5,000 staff were sent home from a major manufacturing site in Ireland, further disrupting operations. Overall, the attack caused both operational paralysis within the company and tangible downstream effects on healthcare delivery.

The cyber attack on Stryker Corporation directly impacted the NHS due to its reliance on Stryker products across multiple clinical areas. Disruption to production and distribution created supply constraints, with some product lines subject to controlled demand management and limited availability by NHS Supply Chain. NHS England indicated that existing stock may only cover a short period, after which further disruption was likely, requiring trusts to implement mitigation measures, such as mutual aid and prioritising critical procedures. The incident also introduced a risk to patient care, particularly in areas such as trauma, orthopaedics, and surgical services, where Stryker devices are widely used, highlighting the NHS’s dependency on key suppliers within its supply chain.

Who Were The Attackers?

The cyber attack on Stryker Corporation was attributed to the hacktivist group Handala, also known as the Handala Hack Team, which is widely assessed by the threat intelligence community to be a front for Iran’s Ministry of Intelligence and Security (MOIS). The group operates as a ‘faketivist’ persona, combining politically motivated messaging with destructive cyber capabilities, and has been linked to a broader cluster of Iranian state-aligned actors (including aliases such as Void Manticore, Cobalt Mystique, and Red Sandstorm).

In this incident, Handala claimed responsibility via its website and associated domains, stating the attack was retaliation for geopolitical events involving the United States and Israel. There were also reports that the group’s branding appeared directly within Stryker’s environment, with employees and social media posts indicating that the Handala name and logo were displayed on company login pages following the attack, reinforcing the psychological and attribution messaging of the operation.

As part of the wider response, U.S. authorities took action against the group’s online infrastructure: the Department of Justice seized four domains used by Iranian cyber actors, including those associated with Handala’s propaganda and claim activity, which had been used to publicise attacks and conduct psychological operations. This takedown formed part of a broader effort to disrupt Iranian cyber-enabled influence and disruption campaigns linked to the incident.

How The Attack Was Carried Out

The attack on Stryker Corporation was a large-scale, destructive cyber operation focused on the company’s internal Microsoft environment, most likely exploiting administrative control of its endpoint management system. The attackers are reported to have gained access to a Microsoft Intune administrator account, either through compromised credentials or privilege escalation, allowing them to use legitimate system functionality to issue remote wipe commands across the organisation.

This resulted in the deletion of data on tens to hundreds of thousands of devices, including laptops, servers, and mobile devices, with some personal devices enrolled in the network also affected. Rather than deploying traditional ransomware, the attackers used this native capability to cause immediate operational disruption, halting production and impacting ordering and shipping systems.

While early communications suggested no malware, subsequent investigation identified the use of a malicious file to execute commands and conceal activity within the environment, although it was not capable of spreading. The attack therefore combined misuse of trusted administrative tools with targeted destructive actions, achieving significant impact without relying on conventional malware propagation techniques.
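The practical detection point in this section is that a wipe issued through the MDM is a legitimate, authorised management action: the device carries it out on instruction, so there is little for endpoint security tooling to flag, and the signal sits in the management plane's audit trail. As an added example (not code from Stryker, Palo Alto Networks Unit 42 or Microsoft), the following Python script runs a simple sliding-window burst detection over Intune-style audit events: a single lost-laptop wipe by the helpdesk does not alert, while a run of wipes from one identity within minutes does. The event layout, field names and activityType strings are assumptions modelled loosely on the Microsoft Graph deviceManagement/auditEvents schema and should be checked against an export from a real tenant; the actors, device names and timestamps are constructed.

```python
"""Burst detection for remote-wipe actions in Intune-style audit events.

Added example, not code from Stryker, Palo Alto Networks Unit 42 or
Microsoft. The event layout is an ASSUMPTION modelled loosely on the
Microsoft Graph deviceManagement/auditEvents schema (activityDateTime,
activityType, actor, resources); verify the exact field names and
activityType strings against an export from a real tenant. All actors,
devices and timestamps below are constructed.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class WipeAlert:
    actor: str
    window_start: datetime
    window_end: datetime
    count: int
    devices: tuple[str, ...]


# Remote actions that destroy data on the endpoint. Assumed activityType
# values; a real tenant may differ in capitalisation, hence the .lower().
DESTRUCTIVE_ACTIONS = {"wipe manageddevice", "retire manageddevice"}


def parse_event(raw: dict) -> tuple[datetime, str, str, str]:
    """Return (timestamp, actor, normalised activity, device name)."""
    ts = datetime.fromisoformat(raw["activityDateTime"].replace("Z", "+00:00"))
    actor = raw["actor"].get("userPrincipalName") or raw["actor"].get(
        "applicationDisplayName", "unknown"
    )
    device = raw["resources"][0]["displayName"] if raw.get("resources") else "unknown"
    return ts, actor, raw["activityType"].lower(), device


def detect_mass_wipe(
    events: list[dict], threshold: int = 10, window: timedelta = timedelta(minutes=15)
) -> list[WipeAlert]:
    """Alert the first time one actor issues `threshold` destructive actions
    inside a sliding `window`. One lost-laptop wipe never trips it; dozens of
    wipes from one identity in a few minutes does."""
    recent: dict[str, deque] = defaultdict(deque)  # actor -> (ts, device), oldest first
    alerted: set[str] = set()
    alerts: list[WipeAlert] = []
    for raw in sorted(events, key=lambda e: e["activityDateTime"]):
        ts, actor, activity, device = parse_event(raw)
        if activity not in DESTRUCTIVE_ACTIONS:
            continue  # reads, syncs and passcode resets are not destructive
        q = recent[actor]
        q.append((ts, device))
        while ts - q[0][0] > window:  # drop actions that fell out of the window
            q.popleft()
        if len(q) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append(WipeAlert(actor, q[0][0], ts, len(q), tuple(d for _, d in q)))
    return alerts


def make_event(when: str, actor: str, activity: str, device: str) -> dict:
    """Constructed audit event in the rough shape of a Graph auditEvent."""
    return {
        "activityDateTime": when,
        "activityType": activity,
        "activityResult": "Success",
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device, "resourceId": f"id-{device}"}],
    }


# Constructed sample: a routine wipe of a lost laptop by the helpdesk, a
# device sync, then twelve wipes from one admin identity within six minutes.
SAMPLE_EVENTS = [
    make_event("2026-03-01T09:12:04Z", "helpdesk@corp.example", "wipe ManagedDevice", "LAPTOP-0042"),
    make_event("2026-03-01T21:58:30Z", "helpdesk@corp.example", "syncDevice ManagedDevice", "LAPTOP-0077"),
] + [
    make_event(
        f"2026-03-01T22:0{i // 2}:{(i % 2) * 30:02d}Z",
        "svc-intune-admin@corp.example",
        "wipe ManagedDevice",
        f"LAPTOP-{1000 + i}",
    )
    for i in range(12)
]


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(
            f"ALERT {alert.actor}: {alert.count} wipes between "
            f"{alert.window_start:%H:%M:%S} and {alert.window_end:%H:%M:%S} UTC; "
            f"first devices: {', '.join(alert.devices[:3])}..."
        )
```

The threshold and window are tuning knobs: set them just above the largest legitimate batch your helpdesk issues (for example a device refresh) so the rule stays quiet in normal operation. In a real deployment the events would come from the tenant's audit log forwarded to a SIEM rather than from the constructed list, and a second rule on the same data should flag any wipe issued by an identity that has never issued one before, or outside business hours, since a single-actor burst is only one shape this kind of abuse can take.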

What Can We Learn From This Attack?

  1. Privileged accounts were used to execute the attack, a method also seen in the Marks & Spencer and JLR attacks. Once attackers hold such accounts, they can carry out most of what they set out to do, so these accounts warrant the strongest controls and every use of them should be visible and alerted on.
  2. The use of the company's own tools, including Microsoft Intune, to execute the attack shows that an organisation's management tooling can be turned against it and that malware is not always required.
  3. As most staff lost access to their company accounts and devices, they could do nothing until these were restored.
  4. Where an organisation provides a critical service, as Stryker does in hospitals, there has to be a manual workaround to continue patient care, because care cannot be 'parked' until systems are restored. Many manual workarounds need additional staff, as manual tasks take longer. In health settings, losing IT may mean losing access to patient records, including health history, diagnoses, test results and current care requirements. This needs to be thought through when planning for a cyber incident.
  5. The current geopolitical instability caused by Iran, and the potential closure of the Strait of Hormuz, will have a wide range of impacts across supply chains, especially on just-in-time delivery. I would expect organisations to be increasing their stock levels, if they have not already, to prepare for supply chain disruption. If organisations are not already stockpiling essential supplies, these attacks should be a wake-up call to consider potential shocks to their supply chains and to take measures to reduce their exposure to supplier or route disruption.
  6. In a wiper attack there is no ransom to pay to get data back, so the importance of backups is highlighted again. The organisation resumed most operations within two weeks, which to me shows that it had good backups and that the two weeks were spent restoring systems. With over 50,000 employees, rebuilding from scratch would have taken much longer, and the impact on the organisation and its customers would have been far greater. The caveat is that backups only help if they sit outside the reach of the same privileged account: a destructive command issued from the management plane must not be able to reach the backup copies.
  7. Where your products and services are key to patient safety, you have to communicate early and often to provide reassurance. The attack timeline shows that on some days there were multiple communications on the company website about different products. Reassurance that Stryker's products were safe and unaffected by the attack was a key message. This shows good practice and an understanding of the concern the attack would cause for customers.
  8. Their first communication came within hours of the attack, which shows good practice.
  9. Until you can reassure customers and suppliers that there is no longer an attacker in your systems and that you have contained and eradicated the threat, organisations will disconnect their systems from yours and may block incoming communications. This greatly impacts your ability to communicate and coordinate with customers. On 23 March, the company issued a letter from Palo Alto Networks Unit 42 confirming that the threat had been eradicated. This is the first time I have seen this in corporate communications, and it shows that rebuilding trust and restoring communication and workflow were key to recovery. By publicising the methods used in the attack, they demonstrated that they understood how it was conducted and reassured technical stakeholders that this was not a ransomware attack and that the method used to wipe data was unlikely to have further unknown impacts.
  10. The takedown of the attackers' websites by the Department of Justice sent a message that attackers are not immune from being targeted themselves, and I suspect it also improved morale within Stryker by showing that they were, in effect, 'striking back'.

We have seen many nation-state attacks on critical infrastructure and corporations as part of the Ukraine war. Many of these attacks have not had a direct impact here in Europe or on our supply chains. If conflict spreads beyond the Iran war, the use of cyber attacks as part of hybrid warfare may increase, so organisations need to be highly vigilant in detecting and responding to these attacks while also ensuring resilience in their operations.
