Iran-Backed Hackers Launch Wiper Attack on Medical Technology Giant Stryker
Summary
The Handala group claimed a data-wiping attack on Stryker affecting over 200,000 systems across 79 countries, carried out through Microsoft Intune remote wipe and likely enabled by credentials stolen by infostealer malware.
Threat Analysis
The US medical technology giant Stryker experienced a significant cyberattack in which Iranian hackers, specifically the Handala group, claimed to have wiped data from over 200,000 systems across 79 countries. Analysis indicates the attackers likely used compromised credentials obtained through infostealer malware to gain initial access. The attackers reportedly compromised an Intune administrator account to create a new global admin account, which was then used to issue remote wipe commands to managed devices. Infostealer malware logs revealed that administrator and Microsoft service credentials, along with mobile device management (MDM) credentials associated with Stryker, had been previously harvested. While Handala claimed to have stolen data in addition to wiping devices, Stryker stated it found no evidence of malware deployment on its systems but acknowledged disruptions to order processing, manufacturing, and shipping. This attack demonstrates the severe impact of credential theft and the importance of phishing-resistant multi-factor authentication, monitoring for infostealer infections, regular rotation of administrative credentials, and conditional access policies. Organizations should also maintain offline backups that cannot be accessed through cloud management platforms.
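The attack chain above has a recognisable audit-log shape: an existing Intune administrator grants Global Administrator to a new account, and that account then issues wipe commands at a rate no help desk ever would. The following detection sketch is an added example, not code from the article or from Stryker or Microsoft. It runs over a constructed sample of audit events whose field names (`time`, `source`, `activity`, `actor`, `target`, `role`) are assumptions loosely modelled on Entra ID directory audit logs ("Add member to role") and Intune audit events ("wipe ManagedDevice"), not the exact Microsoft Graph schema; the account names and device names are invented.

```python
"""
Added detection sketch (not from the original article) for the chain
described above: a compromised Intune administrator adds a new Global
Administrator, and that new account then issues bulk remote-wipe commands.

Event fields are assumptions loosely modelled on Entra ID directory audit
logs and Intune audit events; map them from your own log pipeline.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _event(time, source, activity, actor, target, role=None):
    """Build one constructed audit event (helper for the sample data)."""
    return {"time": time, "source": source, "activity": activity,
            "actor": actor, "target": target, "role": role}


# Constructed sample log: one privilege grant, a burst of wipes from the newly
# elevated account, and one routine help-desk wipe that should not alert.
SAMPLE_EVENTS = [
    _event("2025-03-01T01:02:00Z", "entra", "Add member to role",
           "intune-admin@example.test", "svc-new-admin@example.test",
           role="Global Administrator"),
] + [
    _event(f"2025-03-01T01:{5 + 2 * i:02d}:00Z", "intune", "wipe ManagedDevice",
           "svc-new-admin@example.test", f"LAPTOP-{i:04d}")
    for i in range(6)                      # 01:05, 01:07, ... 01:15
] + [
    _event("2025-03-01T09:00:00Z", "intune", "wipe ManagedDevice",
           "helpdesk@example.test", "LAPTOP-9001"),
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_privilege_grants(events, role="Global Administrator"):
    """Return {granted_upn: grant_time} for new assignments of `role`."""
    grants = {}
    for e in events:
        if (e["source"] == "entra" and e["activity"] == "Add member to role"
                and e.get("role") == role):
            grants[e["target"]] = parse_time(e["time"])
    return grants


def find_bulk_wipes(events, window=timedelta(minutes=30), threshold=5):
    """Return {actor: peak_count} for actors issuing at least `threshold`
    wipe commands inside any sliding window of length `window`."""
    times_by_actor = defaultdict(list)
    for e in events:
        if e["source"] == "intune" and e["activity"].lower().startswith("wipe"):
            times_by_actor[e["actor"]].append(parse_time(e["time"]))
    flagged = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until every event fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[actor] = max(count, flagged.get(actor, 0))
    return flagged


def detect_wipe_campaign(events, window=timedelta(minutes=30), threshold=5):
    """Correlate bulk wipes with recent Global Administrator grants.

    Any actor exceeding the wipe threshold is 'high'; an actor that was also
    newly granted Global Administrator is escalated to 'critical'."""
    grants = find_privilege_grants(events)
    alerts = []
    for actor, count in find_bulk_wipes(events, window, threshold).items():
        alert = {"actor": actor, "count": count, "severity": "high",
                 "reason": f"{count} wipe commands within {window}"}
        if actor in grants:
            alert["severity"] = "critical"
            alert["reason"] += (f"; actor was granted Global Administrator at "
                                f"{grants[actor].isoformat()}Z")
        alerts.append(alert)
    # 'critical' sorts before 'high' alphabetically, which is the order we want.
    return sorted(alerts, key=lambda a: a["severity"])


if __name__ == "__main__":
    for alert in detect_wipe_campaign(SAMPLE_EVENTS):
        print(f"[{alert['severity'].upper()}] {alert['actor']}: {alert['reason']}")
```

The threshold and window are deliberately low so the constructed burst trips the rule; in production, tune them to your normal wipe volume and pair the rule with an alert on every Global Administrator assignment, since a single new global admin is itself a rare event worth a human look. Feeding the correlation from a log store that the tenant admin cannot purge matters here: the same account that can wipe devices can often also tamper with cloud-side logs.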