Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker
A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.
Based in Kalamazoo, Michigan, Stryker [NYSE:SYK] is a medical and surgical equipment maker that reported $25 billion in global sales last year. In a lengthy statement posted to Telegram, a hacktivist group known as Handala (a.k.a. Handala Hack Team) claimed that Stryker’s offices in 79 countries have been forced to shut down after the group erased data from more than 200,000 systems, servers and mobile devices.
“All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption,” a portion of the Handala statement reads.
The group said the wiper attack was in retaliation for a Feb. 28 missile strike that hit an Iranian school and killed at least 175 people, most of them children. The New York Times reports today that an ongoing military investigation has determined the United States is responsible for the deadly Tomahawk missile strike.
Handala was one of several hacker groups recently profiled by Palo Alto Networks, which links it to Iran’s Ministry of Intelligence and Security (MOIS). Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.
Stryker’s website says the company has 56,000 employees in 61 countries. A phone call placed Wednesday morning to the media line at Stryker’s Michigan headquarters sent this author to a voicemail message that stated, “We are currently experiencing a building emergency. Please try your call again later.”
A report Wednesday morning from the Irish Examiner said Stryker staff are now communicating via WhatsApp for any updates on when they can return to work. The story quoted an unnamed employee saying anything connected to the network is down, and that “anyone with Microsoft Outlook on their personal phones had their devices wiped.”
“Multiple sources have said that systems in the Cork headquarters have been ‘shut down’ and that Stryker devices held by employees have been wiped out,” the Examiner reported. “The login pages coming up on these devices have been defaced with the Handala logo.”
Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a “remote wipe” command against all connected devices.
Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently.
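A single console that can issue a remote wipe to every enrolled device is exactly the kind of capability that deserves its own detection. The following is an added example, not code from the article or from Microsoft: it parses a constructed, newline-delimited audit log in a simplified record layout (the field names `time`, `actor`, `operation` and `device` are assumptions, not Microsoft's documented Intune audit schema), flags any administrator identity that issues an unusual number of wipe commands within a short sliding window, and shows a small policy gate that refuses an unattended bulk wipe without a second approver.

```python
"""Detect bulk remote-wipe activity in endpoint-management audit logs.

Added example, not part of the article. The record layout is a constructed
approximation of an MDM audit event; field names are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import json

# Operation names that destroy data on a device (assumed names, not a vendor schema).
WIPE_OPERATIONS = {"WipeManagedDevice", "RetireManagedDevice"}

# Constructed sample log: one routine help-desk wipe the day before, then a
# burst of 30 wipes from one admin identity inside a single minute, followed
# by an unrelated policy change from the same account.
SAMPLE_AUDIT_LOG = "\n".join(
    [json.dumps({"time": "2026-03-10T14:02:11Z", "actor": "helpdesk@example.test",
                 "operation": "WipeManagedDevice", "device": "LAPTOP-0001"})]
    + [json.dumps({"time": f"2026-03-11T05:00:{sec:02d}Z", "actor": "admin@example.test",
                   "operation": "WipeManagedDevice", "device": f"DEVICE-{i:04d}"})
       for i, sec in enumerate(range(0, 60, 2))]
    + [json.dumps({"time": "2026-03-11T05:01:30Z", "actor": "admin@example.test",
                   "operation": "UpdateCompliancePolicy", "device": None})]
)


def parse_audit_log(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(rec)
    events.sort(key=lambda r: r["time"])
    return events


def detect_bulk_wipes(events, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per actor whose wipe count inside any sliding window
    of `window` reaches `threshold`; the alert keeps growing while the burst
    continues so the final count reflects the whole burst."""
    recent = defaultdict(deque)   # actor -> wipe events still inside the window
    alerts = {}
    for rec in events:
        if rec["operation"] not in WIPE_OPERATIONS:
            continue
        q = recent[rec["actor"]]
        q.append(rec)
        while q and rec["time"] - q[0]["time"] > window:
            q.popleft()
        if rec["actor"] in alerts:
            alerts[rec["actor"]]["count"] += 1
            alerts[rec["actor"]]["devices"].append(rec["device"])
        elif len(q) >= threshold:
            alerts[rec["actor"]] = {
                "actor": rec["actor"],
                "count": len(q),
                "first_wipe": q[0]["time"].isoformat(),
                "devices": [e["device"] for e in q],
            }
    return list(alerts.values())


def wipe_batch_allowed(device_ids, approvers, max_unattended=5, min_approvers=2):
    """Policy gate for a console workflow: a batch larger than `max_unattended`
    devices proceeds only with `min_approvers` distinct human approvers."""
    if len(device_ids) <= max_unattended:
        return True
    return len(set(approvers)) >= min_approvers


if __name__ == "__main__":
    for alert in detect_bulk_wipes(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"ALERT {alert['actor']}: {alert['count']} wipes starting {alert['first_wipe']}")
```

The threshold and window are deliberately conservative defaults; a fleet that legitimately retires dozens of devices a day would tune them per actor or per device group, and the alert should be routed somewhere that is not itself dependent on the endpoints being wiped.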
Palo Alto says Handala’s hack-and-leak activity is primarily focused on Israel, with occasional targeting outside that scope when it serves a specific agenda. The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploration company.
“Recent observed activities are opportunistic and ‘quick and dirty,’ with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by ‘proof’ posts to amplify credibility and intimidate targets,” Palo Alto researchers wrote.
The Handala manifesto posted to Telegram referred to Stryker as a “Zionist-rooted corporation,” which may be a reference to the company’s 2019 acquisition of the Israeli company OrthoSpace.
Stryker is a major supplier of medical devices, and the ongoing attack is already affecting healthcare providers. One healthcare professional at a major university medical system in the United States told KrebsOnSecurity they are currently unable to order surgical supplies that they normally source through Stryker.
“This is a real-world supply chain attack,” said the expert, who asked to remain anonymous because they were not authorized to speak to the press. “Pretty much every hospital in the U.S. that performs surgeries uses their supplies.”
John Riggi, national advisor for the American Hospital Association (AHA), said the AHA is not aware of any supply-chain disruptions as of yet.
“We are aware of reports of the cyber attack against Stryker and are actively exchanging information with the hospital field and the federal government to understand the nature of the threat and assess any impact to hospital operations,” Riggi said in an email. “As of this time, we are not aware of any direct impacts or disruptions to U.S. hospitals as a result of this attack. That may change as hospitals evaluate services, technology and supply chain related to Stryker and if the duration of the attack extends.”
According to a March 11 memo from the state of Maryland’s Institute for Emergency Medical Services Systems, Stryker indicated that some of their computer systems have been impacted by a “global network disruption.” The memo indicates that in response to the attack, a number of hospitals have opted to disconnect from Stryker’s various online services, including LifeNet, which allows paramedics to transmit EKGs to emergency physicians so that heart attack patients can expedite their treatment when they arrive at the hospital.
“As a precaution, some hospitals have temporarily suspended their connection to Stryker systems, including LIFENET, while others have maintained the connection,” wrote Timothy Chizmar, the state’s EMS medical director. “The Maryland Medical Protocols for EMS requires ECG transmission for patients with acute coronary syndrome (or STEMI). However, if you are unable to transmit a 12 Lead ECG to a receiving hospital, you should initiate radio consultation and describe the findings on the ECG.”
This is a developing story. Updates will be noted with a timestamp.
Update, 2:54 p.m. ET: Added comment from Riggi and perspectives on this attack’s potential to turn into a supply-chain problem for the healthcare system.
Update, Mar. 12, 7:59 a.m. ET: Added information about the outage affecting Stryker’s online services.
If medical device companies are “fair game”, are drug manufacturers and hospitals next?
No honor among thieves??
Israel quite literally flattened most hospitals in Gaza strip. You think they won’t do the same in Iran?
What a ridiculous claim. Hamas was using hospitals as command centers.
Israel did not attack the Minab school. Just more excuses for terrorism and extortion.
Bellingcat confirms it was a US Tomahawk, something that Israel does not possess.
Yes, I frequently store my ammo next to an MRI machine.
Oh look. A brainwashed zio. Israel BOMBED HOSPITALS, SCHOOLS, MOSQUES AND AID SITES. Please have several thousand seats.
Well, people voted for Hamas in the last elections held and they knew what they’re buying. So sit down son and enjoy the FO part of FAFO.
Bibi gave money to Hamas and undermined the PA. Read better child.
That doesn’t make bombing schools, hospitals etc any less of a war crime.
There is no justification for Israeli genocidal tactics and disregard of laws.
Pointing this out is not supporting Hamas either.
Seeing truth is not the same as being brainwashed.
There are no good bombs and bad bombs.
Dehumanization of people is a typical brainwash agenda.
Why are kids in Ukraine or Gaza worse than other kids?
They are if your set of rules is from hell.
Couldn’t agree more.
The US killed 175 mostly children. Was that fair game?
LOL put all your security on the cloud….
“Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices.”
Every vendor that has moved to a cloud based console has been compromised
Personally we quit using every security vendor that has moved to a cloud based console,
If I can access it on the web, so can someone else
I will stick with old school VPN and inside network please……
people with VPN on their devices were wiped, and you have it wrong.
Being connected to a cloud does not make you vulnerable, being connected to any network (even “inside”) does… good luck out there
They’re talking about using SaaS cloud consoles that directly control their entire device fleet, as opposed to only site-accessible compartmentalized consoles behind a specific private self-run VPN. That is actually not wrong, that’s absolutely the smarter play if less convenient and potentially overlook-able unless IT stays on toes. Calling a person a clown off the bat online because you haven’t even considered fully what they’re saying is pretty juvenile IMO, but we all have to grow up sometime I guess.
It’s never as simple as **cloud bad!** I’ve been in situations where similar wipe threats happened entirely “inside network”. The root-cause analysis usually points to at least two larger procedural issues:
* Errors that are not caught, causing operations to continue when they should have been stopped
* Operations that happen at scale without human oversight/approval
This company of 50k+ employees (or, maybe worse, the garbage Microsoft software they used and is used by *many* other organizations) had a way to blow away their entire IT infrastructure? That’s bonkers! Something right out of SpaceBalls: “Thank you for pressing the self destruct button.”
Thank you Ronald. I’ve been concerned about this from the start of “cloud” services. The company I was at got on that train. I think everyone for the most part has. It is just too much exposure.
I sent one of their recruiters a resume and an offer to help on LI
I see all those funding cuts for national cybersecurity are working out…
The US brought back 4 avenger-class minesweepers from the mideast, they arrived in Philadelphia the same day Iran started mining the strait. If this isn’t the smartest and most deeply thought-out administration in American history, it’s certainly the one with the most brightly colored hats.
Yeah, because those ships are THIRTY YEARS OLD and we already have replacements that are ALREADY ACTIVE in the Strait of Hormuz called Littoral Combat Ships. For all the budget discussion around them, their entire mission set was designed around defense in littoral waters, such as the Strait of Hormuz. Your comment simply does not make sense to anyone actively monitoring the situation.
Not going to age well that comment….crude carriers sail in the deep waters…which is what this is all about!
Remember it’s not the physical space which needs to be cleared of mines…it’s the mindset of the insurance market…welcome to asymmetrical warfare
Littoral ships have no problems operating in deep water. They are not designed to engage true deep water navy ships in combat is all, i.e. they can’t hold deep water by themselves against a real navy. For that there is the rest of the US navy and navy airforce, and they have already sunk most of the Iranian navy.
The main danger isn’t mines, i.e. to set a proper minefield that would require a proper minesweep to clear requires a minelaying ship to sail uncontested through the area. For what can be placed now, the remote mine removing submersible that the littoral ships can bring is sufficient.
The current danger from Iran is not navy ships, it’s fast attack boats, and sea drones which have similar performance to fast attack boats. The avengers have .50cal machine guns which are only intended for defensive purposes. Equivalent soviet 12.7mm guns in the Russian black sea fleet have proven very unreliable at defeating Ukrainian sea drones. At best all they have done is occasionally protect the vessel they are floating on, and can do nothing about drones targeting other vessels.
What the littoral ships have is a 57mm automatic bofors, in an unmanned, fully stabilized, computer controlled radar guided mount. Which is probably the best solution to asymmetric drone and boat style naval warfare currently available.
Littoral combat ships have been marred by serious engine defects, shortened replenishment schedules and have no history of achieving anything significant in any theater yet. They’re expensive comparatively for what they are and have no track record of volume success in de-mining anything at all, anywhere. They may be theoretically capable to do that but it’s certainly not going to be as effective as a purpose-built minesweeper FLEET of smaller vessels in coordination that already existed there. Mines can be laid in an afternoon to meet your description of “proper” minefield that would take _months_ to remove. LCS have never been tested against significant drone attacks, and as capable (theoretically) as Bofors guns might be against such threats attacking the ship _itself_ they’re next to useless for theater protection. Certainly a sufficiently sized swarm of inexpensive drones would be expected to achieve hits against a much, much more expensive ad hoc minesweeper role. It’s a jack of trades and an expensive one that’s never been tested, least of all significantly damaged or having achieved a significant objective requiring ASAP minesweeping. Having so few of them as we do increases the chance that one being damaged or disabled would severely compromise the minesweeping role in theater. The longer the strait remains closed, the more incompetent the administration looks as the western economies all share the burdens. LCS isn’t going to dent that outcome if Iran successfully mines it.
The T-64 began its design process circa late 1950s, T-64A entered service circa 1967 and its first combat engagement was 1992. I.e. if you don’t fight a war, your gear doesn’t get “proven”. This is the opportunity that will allow littoral ships to prove useful or not.
At this point in time, actual estimates of mines laid vary between 10 and 0, and estimates of sunken known minelaying ships to be something like 14. The resources required to enforce a fully closed strait don’t exist, it’s just a passage that is currently too risky for commercial insurance.
The US has more than one integrated MCM platform, including helicopter and remote submersible based systems, none of which hard require either littorals or avengers to be present. The main threat is not mines, it’s speed boat based drones and actual projectiles including actual antiship missiles. All an avenger can do against those threats is float there and take hits, casualties and sink.
I would not expect that swarming sea drones is an easy task, nor are they particularly cheap and I would also expect that such a swarm would be visible being prepared on the coast, which would invite all sorts of counters, not limited to aircraft or missiles/shellfire from the navy.
Launching individual sea drones stealthily is much more feasible, which is why the attack pattern looks like it does, most at the bend, but some all up and down the Iranian coast.
It’s the worst test case scenario for finding out if your kit is up to task or not.
yahoo.com/news/articles/u-navy-minesweepers-assigned-middle-210524347.html
They still float, weren’t rusting to death, and were capable minesweeping craft in-theater as opposed to whatever they’re hastily bringing in RN to replace them, after the fact, because Trump apparently didn’t consider the ramifications of the Strait of Hormuz before he set it on fire at Bibi’s beckon.
Littoral combat ships have never been proven minesweepers at volume in an active theater scenario. Avenger class vessels are exactly that, and already there. Making the point about the mindless timing of their withdrawal from theater RIGHT AS THEY BECOME CRUCIAL ASSETS because of a decision to go to war (of choice) should be obvious to most, but I’ll cede that you sure don’t seem to get it.
Littoral ships are also riddled with shakedown issues and are vastly more expensive than projected, so your particular points of choice to try to explain away this tactical blunder in a war (of choice) rife with strategic blunders as far as the eye can see are pretty evenly self-blunted. Bravo sir, you could be Trump’s next Secretary of Doing War Badly, you’ve got the posturing down pat.
The littoral ships have been around for quite a while now, in the class that had the gearbox issue, that has been fixed, and the early hulls which would have been difficult to bring up to standard are in reserve. As I said in my other post, there isn’t a volume demining problem at this point in time. The fact that too much was spent on procurement is a general US procurement issue, it’s not an active service issue.
IMO no military can ever guess what its dimwit political leadership will do and at some point the equipment has to be modernized and changeovers have to occur.
They’ve been having their engines fail with seawater in oil for a while now, among other failures you’re trying to rose-color over. The math remains unchanged.
They pulled minesweepers out of the theater right as they might have become crucially integral to the “plan” that has nothing to do with strategic thought.
What would Iran have to gain from mining the Strait? As it stands, they already have the capability to attack any ships passing through the Strait as seen with the Thai ships this past week.
Additionally, their biggest trade partner, China, uses the Strait, so WHY would they mine it and risk their biggest leverage in this conflict? The backing of China, and control of this Strait is the biggest leverage Iran has.
Also, this administration is run by a bunch of p*dophiles protecting other p*dophiles, it will go down as the most shameful in modern American history.
Ah! Now I understand what all those weird requests from IR domains were. And to think, we are just getting started. It’s going to be a fun March, with the Ides coming up and Microsoft in some areas an already open book…
Thanks for the post and my group also thanks you, one team one goal.
PleaseJustFixIT.org #HealthSupport #OneTeam
Karma is a b. Stryker has been getting business unethically for years. Made my day.
Love this comment !!! So true.
How have they been doing business unethically? I’m not disagreeing. I genuinely do not know
Ah, what was Stryker’s MS Secure Score? Everyone with an MS 365 tenant should be concerned and hoping they didn’t miss the same control that Stryker did.
It’s unlikely Stryker will release their own Secure Score to the public, but it seems like the Stryker breach occurred due to privilege escalation due to a lack of governance controls. MS 365 users should probably be fine as long as they’re keeping an eye on their device management.
It’s likely that Stryker’s breach was likely due to their own fault since the breach occurred probably to a phishing attack or something that obtained an admin’s credentials. Microsoft 365 was not the vulnerability issue.
Let’s not forget this story wouldn’t have been written if the orange one hadn’t started a war with Iran. But wait, wasn’t he supposed to be “The President of peace”, “I will focus on America”, “If I’m not elected, Kamala will start wars all over the world”. He’s showing his enjoyment of watching people die and inflicting suffering. And how can ANYONE believe this will end well considering he bankrupted 3 casinos. This is just the beginning of the pain the world will experience because of the actions of someone mentally ill who should be in a nursing home and not POTUS.
I like turtles
I also like turtles.
George died in 2009. Clearly the person this is about has been soulless since 2002/2003.
I think that turtles are fortunate to have a hard shell to protect them. Their domes are way better and cooler than any of our protective domes.
Pity that we have to work to protect their breeding sites.
Finding it harder and harder to not want to decimate and dismantle Israel’s “cybersecurity” “program” my own self.
“A source familiar with the attack told BleepingComputer that the threat actor used the wipe command in Intune, Microsoft’s cloud-based endpoint management service, to erase data from nearly 80,000 devices between 5:00 and 8:00 a.m. UTC on March 11”
https://www.bleepingcomputer.com/news/security/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed/
This article about bot control issues is a sobering reminder why automated systems need proper safeguards, especially in funded accounts where you’re operating under strict drawdown rules. I learned the hard way that one poorly-configured EA can blow a challenge, so I switched to Ratio X Toolbox which gives you multiple bots for different market regimes instead of relying on a single system that can malfunction. The stress testing features actually helped me understand my max daily loss limits before hitting real money. Have you found that diversifying across different EA types helps you survive the drawdown phases of prop firm challenges?
Hey, howza boutta plug for some crap product and some totally non-profound “coded” language. We need more tension, poorly done feints, and discussions of clipper ships. Otherwise, we are not fully populating the cyber-landscape with fully-featured, complex threat actors.
my sec+ training says this is nation/state sponsored. not hacktivist.
This attack shows the security vulnerability and the sophistication of Iran hacking attack.
It only works when I’m Nepal.
It seems to work fine in Brampton or any other VPN people think they all live in
I personally am voting for âstrips you can wind thereâ, though you need that nonexistent time machine for that movie, too.
AI is the baby. Hail Satan! Welcome to a brand new day, Revelations Jayna!