Full Report
Stryker Corporation, one of the world's leading medical technology companies, says it's fully operational three weeks after many of its systems were wiped out in a cyberattack claimed by the Iranian-linked Handala hacktivist group. [...]
Analysis Summary
# Incident Report: Stryker Corporation Data-Wiping Cyberattack
## Executive Summary
Stryker Corporation, a global medical technology leader, suffered a catastrophic cyberattack involving data exfiltration and large-scale system wiping by the Iranian-linked group Handala. The attack compromised 80,000 devices and allegedly resulted in the theft of 50TB of data, leading to a three-week operational shutdown. The company has since restored global manufacturing and commercial systems to reach full operational capacity as of April 2026.
## Incident Details
- **Discovery Date:** March 11, 2026
- **Incident Date:** March 11, 2026
- **Affected Organization:** Stryker Corporation
- **Sector:** Medical Technology / Healthcare
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Early morning, March 11, 2026
- **Vector:** Compromise of a Windows Domain Admin account.
- **Details:** Attackers gained high-level access to the Windows domain, which was subsequently used to create a new Global Administrator account in the environment.
### Lateral Movement
- Attackers utilized the compromised domain admin credentials to traverse the network and gain control over management systems, including Microsoft Intune, to facilitate mass deployment of malicious actions.
### Data Exfiltration/Impact
- **Data Theft:** Attackers claim to have exfiltrated 50 terabytes of sensitive data.
- **System Destruction:** Nearly 80,000 devices were wiped across the global network, rendering them inoperable.
### Detection & Response
- **Detection:** Immediate, as systems were wiped and the Handala group publicly claimed credit.
- **Response:** Stryker engaged third-party cybersecurity experts, the FBI, and CISA. The company prioritized restoring ordering and shipping systems before bringing manufacturing back online. The FBI successfully seized two of Handala's data leak websites.
## Attack Methodology
- **Initial Access:** Credential compromise of a Windows Domain Administrator.
- **Persistence:** Created a new Global Administrator account.
- **Defense Evasion:** Utilized a specific (undisclosed) malicious file designed to hide activity from security monitoring tools.
- **Collection:** Scoped and gathered 50TB of data.
- **Exfiltration:** Transferred data to external sites (subsequently seized by the FBI).
- **Impact:** Used administrative access and management tools (Intune) to execute wiper malware or commands across 80,000 endpoints.
## Impact Assessment
- **Financial:** Global sales of $22.6B (2024) suggest significant daily revenue loss during the three-week outage; recovery and forensic costs are expected to be substantial.
- **Data Breach:** High; 50TB of data allegedly stolen by an Iranian-linked MOIS threat actor.
- **Operational:** Critical; total disruption of global manufacturing, ordering, and distribution for 21 days.
- **Reputational:** High; significant media coverage and scrutiny from federal agencies (CISA/FBI).
## Indicators of Compromise
- **Network Indicators:** Handala data leak sites (seized by the FBI; hxxps[://]handala-leak[.]site is an illustrative defanged format, not a domain confirmed by the article).
- **File Indicators:** "A malicious file" (specific hash not disclosed in the article) used to hide the attackers' activity from security monitoring tools.
- **Behavioral Indicators:** Creation of unauthorized Global Administrator accounts; mass unauthorized commands pushed via Microsoft Intune.
## Response Actions
- **Containment:** Isolation of affected network segments and shutdown of compromised admin accounts.
- **Eradication:** Removal of wiper artifacts and the "hiding" malicious file.
- **Recovery:** Three-week phased restoration of manufacturing and commercial systems; global manufacturing returned to peak capacity by April 2.
## Lessons Learned
- **Identity is the Perimeter:** High-level administrative accounts (Domain Admin/Global Admin) remain the primary "keys to the kingdom."
- **Management Tool Risks:** Centralized management tools like Microsoft Intune can be weaponized to distribute wiper malware at scale if the management console is compromised.
- **Persistence Monitoring:** Organizations must monitor for the creation of new high-privilege accounts, even within "authorized" administrative sessions.
## Recommendations
- **Privileged Access Management (PAM):** Implement strict MFA and "Just-In-Time" access for all Domain and Global Admin accounts.
- **Hardening Intune:** Follow CISA/Microsoft guidance to secure Intune environments, including restricting who can push mass scripts or wipe commands.
- **Immutable Backups:** Ensure offline or immutable backups are available to recover from large-scale wiping events without paying a ransom.
- **Enhanced EDR:** Configure Endpoint Detection and Response tools to alert on the deletion of high volumes of system files or unauthorized administrative tool usage.