Medtech giant Stryker fully operational after data-wiping attack
Stryker Corporation, one of the world’s leading medical technology companies, says it’s fully operational three weeks after many of its systems were wiped out in a cyberattack claimed by the Iranian-linked Handala hacktivist group.
The Fortune 500 medtech giant has over 53,000 employees, makes a wide range of products (including neurotechnology and surgical equipment), and reported global sales of $22.6 billion in 2024.
The attackers began wiping Stryker’s systems on March 11. They claimed to have stolen 50 terabytes of data before wiping nearly 80,000 devices early that morning, using a new Global Administrator account created after compromising a Windows domain admin account.
After the attack was disclosed, CISA and Microsoft released guidance on securing Intune and hardening Windows domains to block similar attacks, while the FBI seized two websites used by the Handala hackers.
On Wednesday, Stryker announced that it had restored enough systems to return to pre-attack operational levels and that production would quickly reach full capacity.
“As of this week, we are fully operational across our global manufacturing network. Production is moving rapidly toward peak capacity with discipline and stability, supported by restored commercial, ordering and distribution systems,” Stryker said.
“Overall product supply remains healthy, with strong availability across most product lines, as we continue to meet customer demand and support patient care.”
“Our work continues around the clock in close partnership with third‑party cybersecurity experts, relevant government agencies and industry partners as our investigation progresses, reflecting a shared commitment to protecting the healthcare ecosystem and supporting ongoing recovery efforts,” it added.
This comes after the company said on March 23 that its teams were prioritizing the restoration of systems that directly support customer, ordering, and shipping operations.
Although it was initially believed the attackers hadn’t used any malicious tools during the breach, Stryker also revealed that security experts who helped with the investigation found a malicious file that helped the attackers conceal their activity while inside the company’s network.
Handala (also known as Handala Hack Team, Hatef, Hamsa) surfaced in December 2023 as an Iranian-linked and pro-Palestinian hacktivist operation that has been targeting Israeli organizations with Windows and Linux data-wiping malware.
The hacktivist group has been linked to Iran’s Ministry of Intelligence and Security (MOIS) and is also known for leaking sensitive data stolen from victims’ compromised systems.