Leading global medical technology corporation Stryker has been forced offline following a devastating cyberattack claimed by the Iranian-linked hacktivist group Handala. The group, which has expressed pro-Palestinian sentiments, deployed wiper malware designed to erase data, causing widespread disruption. Stryker, a Fortune 500 company with over 53,000 employees and reported 2024 sales of $22.6 billion, manufactures critical surgical and neurotechnology equipment. The attackers boast of having exfiltrated 50 terabytes of sensitive data before wiping "over 200,000 systems, servers, and mobile devices," an action they describe as "an unprecedented blow" that has forced the closure of Stryker's offices across 79 countries.
Reports from individuals claiming to be Stryker employees in the United States, Ireland, Costa Rica, and Australia corroborate the attack's severity. They describe managed Windows and mobile devices being remotely wiped overnight. The attackers further demonstrated their access by defacing the company's Microsoft Entra login portal to display the Handala group's logo. An employee told BleepingComputer that the incident began in the early hours of Wednesday, targeting devices enrolled in the company's mobile device management (MDM) system. Stryker has since confirmed it is managing a "disruptive cybersecurity incident," taking systems offline as a containment measure while an investigation is underway.
This sophisticated attack highlights the growing threat of state-aligned hacktivist groups targeting critical infrastructure, including healthcare technology. The use of wiper malware, intended for destruction rather than ransom, signifies a shift towards operations aimed at causing maximum operational disruption and reputational damage. The scale of the claimed data theft—50 terabytes—suggests a prolonged period of undetected access prior to the destructive phase, a common tactic to maximize impact. The incident underscores the urgent need for robust segmentation, advanced threat detection, and comprehensive backup strategies that are isolated from primary networks.
The broader cybersecurity landscape remains volatile, as illustrated by other recent threats. Microsoft warns that nation-state actors are now abusing artificial intelligence at every stage of the attack lifecycle, from reconnaissance to sophisticated social engineering. Simultaneously, administrators are urged to patch a critical SQL injection flaw in the Elementor Ally WordPress plugin, impacting over 250,000 sites, and CISA has ordered federal agencies to address an n8n RCE vulnerability under active exploitation. These developments, coupled with phishing campaigns abusing .arpa DNS and IPv6 to evade filters and fake Claude AI coding guides pushing infostealers, paint a picture of a multi-front threat environment where vigilance and prompt patching are paramount.



