Stryker Attack: How Hackers Wiped Thousands of Devices Without Malware

Summary
– A cyberattack on Stryker remotely wiped tens of thousands of employee devices but was limited to its internal Microsoft environment and did not impact its medical products.
– The attack was claimed by the Handala hacktivist group, which used compromised administrator privileges to execute a mass wipe command via Microsoft Intune.
– Stryker confirms this was not a ransomware attack, no malware was deployed, and investigators found no evidence of data exfiltration despite hacker claims.
– The incident disrupted electronic ordering systems, forcing customers to place orders manually while restoration efforts focus on supply-chain and transactional services.
– Some employees lost personal data from enrolled devices, and the company is working with Microsoft and cybersecurity experts to recover its infrastructure.
A recent cyber incident at medical technology leader Stryker resulted in the remote erasure of tens of thousands of employee devices, though the company confirms its medical products remain safe for patient use. The attack, which disrupted internal corporate systems, was confined to Stryker’s Microsoft environment and did not involve any malware deployment. Electronic ordering systems remain offline, forcing customers to place orders manually through sales representatives while restoration efforts continue. The organization has clarified this was not a ransomware event and that no data exfiltration occurred, despite claims from the hacking group.
Investigations reveal the threat actor, identified as the Handala hacktivist group with suspected links to Iran, gained Global Admin privileges within Microsoft’s Intune endpoint management service. Using this access, they executed a wipe command that erased data from approximately 80,000 devices during a three-hour window. Some employees who had personal devices enrolled on the corporate network unfortunately lost personal data in this process. The attack did not impact any Stryker medical devices, connected technologies, or manufacturing systems, which continue to operate normally.
Stryker is working with the Microsoft Detection and Response Team (DART) and experts from Palo Alto Unit 42 to investigate the breach and restore services. The primary focus is on recovering shipping and transactional capabilities to minimize supply chain disruption. The company assures that all orders placed before the incident will be honored as systems come back online, and new orders will be processed once full functionality returns. Communication with sales and support teams remains open throughout the recovery period.
This incident underscores the severe impact of compromised administrative credentials in cloud environments. The ability to remotely wipe a vast fleet of devices without deploying traditional malware highlights a shift in attacker tactics: legitimate endpoint-management tooling is turned into the destructive payload. For organizations worldwide, it reinforces the critical need for robust identity and access management, especially for accounts with sweeping administrative powers. Regularly auditing privileged accounts and enforcing multi-factor authentication on them are essential defensive measures.
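One detection a defender can build from the pattern described above (a single administrator issuing wipe commands to tens of thousands of devices in a few hours) is a per-actor burst check over endpoint-management audit records. The script below is an added example and is not code from the article or from Stryker; the record layout (`time`, `actor`, `action`, `device`), the sample entries, and the threshold of five destructive actions within fifteen minutes are all constructed assumptions, not Intune's real audit schema or any vendor default.

```python
"""Flag bursts of destructive device-management actions by one actor.

Constructed example: the JSON-lines below imitate an endpoint-management audit
export. Field names and values are assumptions for illustration, not a real
Intune log format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that remove data from a device; 'retire' is included on the
# assumption that it also strips corporate data (treat as an assumption).
DESTRUCTIVE_ACTIONS = {"wipe", "retire"}

# Constructed sample audit records (one JSON object per line).
SAMPLE_AUDIT_LOG = """
{"time": "2025-03-10T09:02:11Z", "actor": "helpdesk@example.com", "action": "wipe", "device": "LT-0412"}
{"time": "2025-03-10T09:40:00Z", "actor": "helpdesk@example.com", "action": "syncDevice", "device": "LT-0412"}
{"time": "2025-03-10T10:00:03Z", "actor": "ga@example.com", "action": "wipe", "device": "LT-1001"}
{"time": "2025-03-10T10:00:05Z", "actor": "ga@example.com", "action": "wipe", "device": "LT-1002"}
{"time": "2025-03-10T10:00:09Z", "actor": "ga@example.com", "action": "wipe", "device": "LT-1003"}
{"time": "2025-03-10T10:01:10Z", "actor": "ga@example.com", "action": "wipe", "device": "LT-1004"}
{"time": "2025-03-10T10:02:40Z", "actor": "ga@example.com", "action": "wipe", "device": "LT-1005"}
{"time": "2025-03-10T10:04:15Z", "actor": "ga@example.com", "action": "wipe", "device": "LT-1006"}
{"time": "2025-03-10T10:05:30Z", "actor": "ga@example.com", "action": "wipe", "device": "LT-1007"}
{"time": "2025-03-10T10:06:00Z", "actor": "ga@example.com", "action": "retire", "device": "LT-1008"}
{"time": "2025-03-10T14:30:00Z", "actor": "helpdesk@example.com", "action": "wipe", "device": "LT-0777"}
"""


def parse_audit_log(text):
    """Parse JSON-lines audit text into dicts with a datetime 'time' field."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_wipe_bursts(records, threshold=5, window=timedelta(minutes=15)):
    """Return {actor: alert} for actors issuing >= threshold destructive
    actions within any sliding window of the given length.

    The alert records the largest burst found for that actor: its count,
    first and last timestamps, and the affected device ids.
    """
    by_actor = defaultdict(list)
    for rec in records:
        if rec["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[rec["actor"]].append(rec)

    alerts = {}
    for actor, recs in by_actor.items():
        recs.sort(key=lambda r: r["time"])
        best = None
        j = 0  # right edge of the sliding window; only ever moves forward
        for i in range(len(recs)):
            while j < len(recs) and recs[j]["time"] - recs[i]["time"] <= window:
                j += 1
            count = j - i
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "count": count,
                    "start": recs[i]["time"],
                    "end": recs[j - 1]["time"],
                    "devices": [r["device"] for r in recs[i:j]],
                }
        if best is not None:
            alerts[actor] = best
    return alerts


if __name__ == "__main__":
    for actor, alert in find_wipe_bursts(parse_audit_log(SAMPLE_AUDIT_LOG)).items():
        print(f"ALERT {actor}: {alert['count']} destructive actions "
              f"between {alert['start']:%H:%M:%S} and {alert['end']:%H:%M:%S}")
```

On the constructed input the help-desk account, which wipes one lost laptop in the morning and another in the afternoon, is not flagged, while the account issuing eight destructive actions in six minutes is. In practice the threshold belongs well below the fleet size, and the alert should route to an on-call responder with the authority to suspend the issuing account, since the article's three-hour window leaves no room for a daily report.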
Stryker’s response has emphasized business continuity, with its global manufacturing sites adapting to potential operational delays. The company states its core transactional systems are on a clear path to recovery, aiming to quickly resume normal customer service and order fulfillment. While the cyberattack caused significant internal disruption, the containment to corporate IT systems prevented any compromise of medical devices, ensuring patient safety was never at risk.
(Source: Bleeping Computer)