
Stryker: Cyber Incident 'Contained,' Restoration Continues

Data Breach Today, archived Mar 23, 2026

March 11 Attack Claimed by Iranian Hacktivist Group Handala

Medtech maker Stryker on Monday told regulators that it has "contained" a March 11 cyber incident and is "working around the clock" to prioritize quickly restoring IT systems that directly support customers, ordering and shipping. Iranian hacktivist group Handala has claimed credit for the attack.



Marianne Kolbasuk McGee (HealthInfoSec) • March 23, 2026

Medical device maker Stryker has told regulators that a March 11 cyber incident - claimed by Iranian hacktivist group Handala - is now "contained." (Image: Stryker)

Medical tech maker Stryker on Monday told investors it has contained a March 11 hacking incident and is "working around the clock" to prioritize restoring IT systems that directly support customers, ordering and shipping.

Iranian hacktivist group Handala - widely suspected of being a front for Iranian intelligence - claimed responsibility for the attack, boasting that it permanently deleted more than 12 petabytes of Stryker data and stole 50 terabytes of data.

Stryker has not publicly commented on Handala's claims but has said that the company believed that neither malware nor ransomware was involved in the incident.

In a regulatory filing for investors, Stryker said an investigation by security firm Palo Alto Networks' Unit 42 found the threat actor "used a malicious file to run commands which allowed it to hide its activity while in its systems, but that the file was not capable of spreading - either inside or outside of the company's environment."

"As of the date of this report, the company's investigation has not identified malicious activity directed towards its customers, suppliers, vendors or partners," the medtech firm said.

Stryker also submitted a letter from Palo Alto Networks stating the incident impacted Stryker's "Entra ID environment, servers and workstations" (see: Medtech Firm Stryker Disrupted by Pro-Iran Hackers).

The U.S. Department of Justice said FBI agents seized on Thursday its web domains associated with Iranian intelligence after Handala earlier in the week posted documents and screenshots it said came from inside Stryker's IT systems (see: FBI Seizes Iranian Online Leak Sites After Stryker Hack).

Unit 42 said forensic evidence sifting and threat hunting it performed across the medical device maker's infrastructure identified "no current evidence of active, uncontained, persistent unauthorized access within the Stryker environment."

"All known indicators of compromise associated with this specific incident have been successfully identified and addressed," Palo Alto Networks said, adding that Stryker has engaged Microsoft to assist with recovery of the identity infrastructure and has reported that existing accounts have been secured.

"Stryker is rebuilding impacted systems or restoring from backups predating the known window of compromise to further prevent threat actor re-entry. Those impacted systems not yet rebuilt/restored, have been isolated from the network," Palo Alto Networks said.

Stryker on Monday in an update said it is working closely with its global manufacturing sites as operations continue to stabilize. Some experts had predicted potential shortages and delays of Stryker products to healthcare provider organizations the longer the IT outage persisted (see: Health Sector Braces for Stryker Hack Supply Chain Shock).

"Manufacturing capability is ramping quickly as critical lines and plants are brought back online, prioritizing patient needs. This is a 24/7 effort and the first priority of our entire organization," Stryker said on Monday.

Stryker is among the top global manufacturers of medical devices, earning $25.1 billion in sales in 2025, producing equipment that spans robotic surgery systems to hospital beds.

Since the United States and Israel began a protracted bombing campaign against Iran on Feb. 28, Handala has been especially active. Besides claiming responsibility for the Stryker assault, Handala posted what it said were 100,000 emails of a former Israeli intelligence agent now at a think tank, subscribers to the Telegram channel belonging to a pseudonymous Iranian netizen and the putative identities of senior Israeli military officers. It posted what it says was 851 gigabytes of confidential data from members of the Sanzer Hasidic Jewish community.

The U.S. Cybersecurity and Infrastructure Security Agency and FBI published Wednesday an alert urging U.S.-based organizations to harden their endpoint management system configurations.

With reporting by Information Security Media Group's David Perera in Northern Virginia.