Security & Infrastructure Tools
Stryker attack wiped tens of thousands of devices, no malware needed
Stryker’s recent cyberattack, allegedly linked to the Handala hacktivist group, caused a remote wipe of tens of thousands of employee devices via Microsoft Intune, without deploying malware or encrypting data. The attack was limited to Stryker’s internal Microsoft environment and did not affect its medical products; however, electronic ordering systems went offline and customers must place orders manually through sales reps while restoration efforts focus on resuming shipping and transactional services.
Last week, medical technology giant Stryker experienced a cyber‑attack that targeted its internal Microsoft environment. The incident did not involve any malware or ransomware; instead, attackers remotely wiped tens of thousands of employee devices using the “wipe” command in Microsoft Intune. According to Stryker’s update on Sunday, all its medical devices remain safe to use, but electronic ordering systems are offline and customers must place orders manually through sales representatives.
The attack was attributed to the Handala hacktivist group, believed to be linked to Iran. The attackers claimed they wiped “over 200,000 systems, servers, and mobile devices” and stole 50 terabytes of data, but investigators found no evidence of exfiltration. Employees in multiple countries reported that their managed devices were remotely wiped overnight, and some personal devices enrolled in the company network lost personal data during the process.
A source familiar with the incident told BleepingComputer that the threat actor compromised an administrator account and created a new Global Administrator account before executing the wipe command. The Microsoft Detection and Response Team (DART) is collaborating with Palo Alto Unit 42 to investigate the attack. Stryker’s statement emphasizes that the attack was limited exclusively to its internal Microsoft corporate environment and did not impact any of its products, whether connected or otherwise.
Restoration efforts are underway, focusing on resuming shipping and transactional services. Customers are encouraged to maintain normal communication with company personnel while infrastructure is steadily recovered. Any order placed before the cyber‑attack will be honored as systems are restored; orders placed during the disruption will be processed when systems return online, ensuring supply flow resumes to normal.
Stryker’s current priority is to restore its supply‑chain system and resume customer orders and shipping. “Our core transactional systems are already on a clear path to full recovery,” the company says.