Iranian-linked Handala group claims Stryker cyberattack

50TB of data stolen, 200,000+ systems wiped

SEC filing confirms major disruptions across global operations

A threat actor apparently linked to the Iranian regime claims to have struck an American medtech giant, sending it back to the age of pen and paper.

A group calling itself Handala (AKA Hatef, Hamsa) broke into Stryker, a Fortune 500 healthcare technology company with tens of billions in annual sales, stealing 50 terabytes of data and wiping “tens of thousands of systems and servers across the company’s network.”

"In this operation, over 200,000 systems, servers, and mobile devices have been wiped, and 50 terabytes of critical data have been extracted," the attackers allegedly said. "Stryker’s offices in 79 countries have been forced to shut down."

Confirming the blow

The reports have been confirmed by “people claiming to be Stryker employees” all over the world, who said their mobile devices were “remotely wiped in the middle of the night”, with an Entra login page also defaced.

Soon after news broke, Stryker filed a new 8-K form with the US Securities and Exchange Commission (SEC), which, although it does not have the cataclysmic tone of the media, does suggest a more serious breach.

“The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the company’s information systems and business applications supporting aspects of the company’s operations and corporate functions,” Stryker said in the filing. “While the company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known.”

In a later update posted on the company’s website, Stryker said it is still resolving the disruption, and currently has no reason to believe ransomware or malware were deployed. “We believe the situation is contained to our internal Microsoft environment only,” it said.

“Our products like Mako, Vocera and LIFEPAK35 are fully safe to use.”

Customers who made orders before the attack will see them shipped “as soon as our system communications are restored”, the company said, adding that any orders made after the attack “are being examined”.

The earliest reports on Handala date back to late 2023; the group is described as “hacktivists linked to Iran’s Ministry of Intelligence and Security”, targeting mostly Israeli organizations around the world.

Via BleepingComputer

