Stryker tells SEC that timeline for recovery from cyberattack unknown
Medical device company Stryker provided a fuller assessment of its recent cyber incident in a notice to the Securities and Exchange Commission (SEC) on Wednesday evening.
The attack came to light on Wednesday morning after employees took to social media to complain of phones, laptops and computers that had been wiped clean of all information. The company’s 5,500 employees were locked out of company systems across Ireland, the US, Australia and India.
In an 8-K filing with the SEC, Stryker confirmed that the cyberattack caused a global disruption to the company’s Microsoft environment and said external cybersecurity experts were brought in to “assess and to contain the threat.”
“The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company’s information systems and business applications supporting aspects of the Company’s operations and corporate functions,” company officials said.
“While the Company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known. The Company has business continuity measures in place to continue to support its customers and partners.”
Stryker said it is still unclear whether the cyberattack will have financial impacts on the company. It is one of the largest medical device makers in the U.S., reporting more than $25 billion in revenue last year.
The SEC filing reiterates that the incident did not involve ransomware or malware. Several cybersecurity experts said it is likely that the hackers behind the attack used the native features and tooling in Microsoft Intune to cause damage.
Microsoft Intune is a cloud-based unified endpoint management system that allows teams to secure and manage access to organizational resources across Windows, macOS, Linux, iOS and Android devices.
Employees of Stryker reported that all of their devices with Microsoft Intune had been wiped clean.
“What makes the Stryker incident particularly concerning is the apparent use of enterprise management infrastructure — potentially weaponizing Microsoft Intune — to carry out destructive activity at scale,” said Kathryn Raines, cyber threat intelligence lead at cybersecurity firm Flashpoint.
Microsoft declined to comment on the situation when contacted by Recorded Future News.
Handala vs. APT34
The incident appeared to be the first evidence of potential cyber fallout from the war between the U.S. and Iran. Since the beginning of the conflict, experts warned that cyberattacks by both Iranian state-backed groups and hacktivists would likely come as part of the response to airstrikes launched by U.S. and Israeli forces.
Several alleged Iranian groups have defaced websites, conducted relatively minor espionage incursions and launched distributed denial-of-service (DDoS) attacks in recent days, but no major incidents were reported until the Handala group took credit for the attack against Stryker.
Handala has existed since 2023 and is known to deploy the Hatef wiper malware as well as the Rhadamanthys stealer malware during its attacks, according to cybersecurity firm Optiv.
The group previously focused its efforts on attacking significant targets in Israel, generally opting to steal information before launching wiper malware. Optiv said Handala typically gains initial access through phishing emails or by impersonating legitimate organizations.
Handala has made several unverified claims of attacks on organizations since the onset of the conflict with the U.S., including the targeting of government organizations in Jordan and Israel.
Optiv and several other cyber research firms claimed there is significant overlap between Handala and a state-backed group linked to Iran’s Islamic Revolutionary Guard Corps (IRGC) known as APT34.
Flashpoint’s Raines said they have been tracking Handala for the last year and found that the group presents itself as a grassroots resistance movement. But its tactics and targeting are “far more consistent with activity linked to Iranian state actors than with independent hacktivism.”
APT34 was previously accused of increasing its attacks on government agencies in Saudi Arabia, Iraq, the Kurdistan Regional Government, the United Arab Emirates (UAE) and the broader Gulf region between 2023 and 2025.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.



