On Wednesday, security professionals received warnings about potential retaliatory hacks following the US and Israeli airstrikes on Iran two weeks earlier. Stryker, a multinational medical device manufacturer, confirmed an attack that temporarily shut down much of its network infrastructure.
Initial indications came from social media posts by purported Stryker employees or their family members reporting wiped phones and computers. The Irish Examiner reported similar claims, citing anonymous sources who also witnessed login pages displaying the Handala Hack group’s logo on affected devices. On Thursday, Stryker announced it was responding to a 'global network disruption' in its Microsoft environment due to a cyberattack.
Stryker stated that no ransomware or malware had been involved, and responders believed the incident was contained and limited to the internal Microsoft network. The company's Lifepak, Lifenet, and Mako devices—which monitor heart attacks, manage patient information, and perform surgeries—remained operational. However, Stryker did not specify a timeline for restoring normal day-to-day activities.
Security experts suspect that Iran-sponsored hackers used wiper malware to destroy data, as they have a long history of doing so. Notable examples include the Shamoon wiper targeting Saudi Aramco in 2012 and again in 2016. Another possibility is that the attackers used Intune, a Microsoft tool for remote administration, to issue deletion commands across Stryker’s Windows network.
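Whichever mechanism was used, the defender's question is the same: would a burst of remote wipe or retire commands across the fleet be noticed before most of it was gone? The following detector is an added example, not code from the article or from Stryker; it reads a constructed JSON-lines audit feed (the field names `time`, `actor`, `action`, `device` and the action labels are assumptions, not the real Intune audit schema) and raises one alert per actor whose destructive actions within a ten-minute sliding window reach a threshold.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Actions that destroy data on a managed endpoint. The labels are illustrative
# (assumption), not a definitive list of Intune action identifiers.
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "Delete"}


def _ts(minute, second=0):
    # Build a constructed ISO-8601 timestamp on one fixed day (sample data only).
    return datetime(2025, 7, 2, 14, minute, second, tzinfo=timezone.utc).isoformat()


# Constructed sample feed: a help-desk account doing routine work, and a
# service account issuing seven wipes in about three minutes.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": _ts(0), "actor": "helpdesk@corp.example", "action": "Wipe", "device": "LT-0101"},
    {"time": _ts(1), "actor": "helpdesk@corp.example", "action": "Sync", "device": "LT-0102"},
    {"time": _ts(3, 0), "actor": "svc-automation@corp.example", "action": "Wipe", "device": "LT-2001"},
    {"time": _ts(3, 30), "actor": "svc-automation@corp.example", "action": "Wipe", "device": "LT-2002"},
    {"time": _ts(4, 0), "actor": "svc-automation@corp.example", "action": "Wipe", "device": "LT-2003"},
    {"time": _ts(4, 30), "actor": "svc-automation@corp.example", "action": "Wipe", "device": "LT-2004"},
    {"time": _ts(5, 0), "actor": "svc-automation@corp.example", "action": "Wipe", "device": "LT-2005"},
    {"time": _ts(5, 30), "actor": "svc-automation@corp.example", "action": "Wipe", "device": "LT-2006"},
    {"time": _ts(6, 0), "actor": "svc-automation@corp.example", "action": "Wipe", "device": "LT-2007"},
    {"time": _ts(40), "actor": "helpdesk@corp.example", "action": "Retire", "device": "LT-0103"},
])


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a tz-aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(rec["time"]),
            "actor": rec["actor"],
            "action": rec["action"],
            "device": rec["device"],
        })
    return events


def find_wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor whose destructive actions inside any sliding
    `window` reach `threshold`. Each alert is (actor, first_time, count, devices)
    for the densest window found for that actor."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[e["actor"]].append(e)

    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        best = None
        start = 0
        # Two-pointer sweep: advance `start` until the window fits, then score it.
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                devices = sorted({e["device"] for e in evs[start:end + 1]})
                best = (actor, evs[start]["time"], count, devices)
        if best is not None:
            alerts.append(best)
    return alerts


def main():
    for actor, first, count, devices in find_wipe_bursts(parse_events(SAMPLE_LOG)):
        print(f"ALERT {actor}: {count} destructive actions from {first.isoformat()} on {devices}")


if __name__ == "__main__":
    main()
```

The threshold and window are tuning knobs: a help-desk that legitimately retires a few devices a day stays below them, while a single identity wiping dozens of endpoints in minutes trips the rule immediately. In a real deployment the same logic would run over the tenant's audit export and page on-call, and the alerting identity's privileges should be reviewed against least privilege regardless of whether the burst turns out to be malicious.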
Handala Hack, an Iranian-aligned group named after a character in Palestinian political cartoons, has been active since at least 2023. The group uses both custom-built and publicly available tools, as well as manual techniques for data wiping. They often rely on underground criminal services to obtain initial access to targets.