Stryker Fully Operational After Iranian-Linked Cyberattack; CISA and Microsoft Issued Guidance
**Stryker Corporation**, a leading medical technology company, has announced it is fully operational following a devastating cyberattack attributed to the Iranian-linked **Handala** hacktivist group. The attack, which involved the wiping of numerous systems, prompted immediate action from **CISA** and **Microsoft**, which released guidance on securing **Intune** and hardening Windows domains.

**Stryker Corporation**, a **Fortune 500** medtech giant with over 53,000 employees and $22.6 billion in global sales in 2024, faced a significant disruption after a cyberattack claimed by **Handala**. The group, reportedly linked to Iran, initiated the attack on March 11th.
### Attack Details
The attackers claimed to have exfiltrated 50 terabytes of data before wiping nearly 80,000 devices. They allegedly gained initial access by compromising a Windows domain admin account and creating a new Global Administrator account.
### Response and Mitigation
Following the incident, **CISA** and **Microsoft** issued critical guidance to organizations on securing **Microsoft Intune** environments and bolstering Windows domain security to prevent similar attacks. The **FBI** also took action, seizing two websites used by the **Handala** hackers.
### Recovery and Current Status
On Wednesday, **Stryker** announced the restoration of its systems to pre-attack operational levels, with production rapidly approaching full capacity.
"As of this week, we are fully operational across our global manufacturing network. Production is moving rapidly toward peak capacity with discipline and stability, supported by restored commercial, ordering and distribution systems," **Stryker** stated.
The company also emphasized its ongoing collaboration with third-party cybersecurity experts, government agencies, and industry partners to enhance security and support recovery efforts.
### Discovery of Malicious File
Initially, it was believed that the attackers did not deploy any malicious tools during the breach. However, **Stryker** later revealed that security experts discovered a malicious file used by the attackers to conceal their activities within the network.
### Handala Hacktivist Group
**Handala**, also known as Handala Hack Team, Hatef, and Hamsa, emerged in December 2023. The group, linked to Iran's Ministry of Intelligence and Security (**MOIS**), has targeted Israeli organizations with Windows and Linux data-wiping malware and is known for leaking stolen sensitive data.