Iranian “Hacktivist” Group Likely Behind Cyber Attack on Stryker Medtech Firm
March 18, 2026
An Iran-linked “hacktivist” group that has been active since at least 2023 has struck again, this time causing damage to the business operations of major medtech firm Stryker. The damage appears to be concentrated on the business end, particularly the company’s ordering systems, but the cyber attack appears to have been highly effective in wiping employee devices.
Iran-backed group poses as pro-Palestine hacktivists for cyber attacks
The “Handala” group has taken credit for the cyber attack, providing some further evidence by defacing an Entra login page with their logo. This group postures as if it does independent pro-Palestine and anti-Israel hacktivism, but security researchers have previously linked it to Iran’s Ministry of Intelligence and Security (MOIS). It has been known to engage in similar destructive wiping attacks against Israeli targets.
The hackers accuse the medtech firm of being a “key part” of “global Zionist” forces and also claim that the cyber attack is in response to the February 28 airstrike on the Minab elementary school. Iran’s hacking teams are considered among the more advanced in the world, with the country pouring considerable resources into cyber attacks and espionage after being hit with the Stuxnet worm in 2010.
Little technical detail about the cyber attack has been released so far, but Microsoft Entra does seem to be the focal point, given a number of independent reports from employees that their work devices and connected personal devices were wiped. The attackers may well have compromised a global administrator account, which would have given them broad power to wipe managed devices.
Medtech business says breach is contained, medical products safe to use
Stryker has confirmed the cyber attack in an SEC Form 8-K filing and is providing ongoing updates about it, but what they are saying somewhat conflicts with media reports. They have maintained from the beginning (and continue to maintain) that they see no use of malware, yet there are widespread reports of device wiping.
The medtech firm has issued assurances that its medical products and LIFENET system are safe to use and not impacted. The cyber attack instead seems to have mostly hurt its online ordering system, with some additional damage to its reprocessing program. Both continue to operate but with at least “minor” interruptions, and as of this writing the online ordering system is down and clients must place orders via phone or email (or through a sales rep).
The attackers paint a different and more destructive picture of the incident. They claim that in addition to wiping hundreds of thousands of devices and shutting down offices in 79 countries, they also absconded with some 50 terabytes of stolen data. The medtech firm says at this time that it sees no signs of malware, but the cyber attack is still under investigation.
It is important to note that there is not yet independent verification of any of the specifics of damage, and Stryker has done little more than confirm that there was a cyber attack. Most of the details come from the claims of the hackers, which could very well be exaggerated. However, the group does operate its own data leak portal and has dumped victim information in the past.



