Iranian Hacktivists Strike Medical Device Maker Stryker in "Severe" Attack that Wiped Systems
Stryker, a leading maker of medical devices, was hit early this morning with a cyberattack that has reportedly caused the company's systems to shut down globally. The company has acknowledged the attack and called it "severe" in communication with employees.
A known Iranian hacktivist group named Handala posted messages on hacked systems and on social media taking credit for the hit, which they say is partly in retaliation for the US bombing of an all-girls school in Iran on the first day of the US-Israeli assault on that country.

Workers at Stryker in the US, Australia, India, Ireland and elsewhere began posting to a Reddit forum early this morning talking about what occurred, and the first media reports about the hack came out of Ireland, where the company has a division. According to the latter reports, the company's internal login and admin pages were defaced with the logo of Handala and a message from the hackers was posted on systems claiming they hit more than 200,000 Stryker servers, systems and employee devices – many of which have been wiped – and that they stole 50 terabytes of data.
Stryker released a statement acknowledging that it is "experiencing a global network disruption affecting the Windows environment. Our teams are actively working to restore systems and operations as quickly as possible. Stryker has business continuity measures in place, and we’re committed to continuing to serve our customers."
In a message sent to employees, the company said it was experiencing "a severe, global disruption impacting all Stryker laptops and systems that connect to our network."
Stryker, which employs 56,000 people globally, makes surgical and imaging equipment, defibrillators, hospital beds, joint-replacement systems and other medical devices – including systems used by the US military to treat wounded personnel. In 2020, Stryker signed a $225 million contract with the Defense Logistics Agency to supply medical, patient monitoring, and other equipment to the US military. Last year, the military extended the contract in a $450 million deal. Notably, the company has the same name as a model of armored combat carriers used by the US Army to transport troops in battle, though the medical device company does not produce the troop carriers.
According to unconfirmed posts on Reddit by Stryker workers and those purporting to have knowledge of the hack, the cyberattack struck around 3:30 am EDT today. One Reddit post says it hit at 12:30 am EST.
According to one poster, the hackers pushed out an operating system reset to computers and phones that connect to the company's network and wiped "many" servers clean. As a result, workers could not log into their accounts or use company applications.
"The entire company is at a complete stop," one wrote. "Also, the servers at the DataCenter are inaccessible."
According to the person who posted this message, the hackers gained access to administrator accounts and put "their signature Handala artwork on every login page." They also sent emails to a number of company executives taking ownership of the cyberattack.
Another poster on Reddit wrote that "many colleagues phones have been wiped," and they were instructed to remove "intune, company portal, teams, VPN" from their personal devices. The author of the post indicated that they were unable to log into many of their accounts because they relied on their phone to provide the two-factor authentication codes for those accounts.
"Have lost all personal data from personal devices that were enrolled and now unable to access emails and teams," the poster, who said they were based in Australia, wrote.
Wiper attacks are among the most common types of destructive cyberattacks. Iran was behind one of the most famous wiping attacks, the Shamoon attack that struck Saudi Aramco in 2012. The attack erased data from more than 30,000 systems belonging to the Saudi Arabian oil company. Wipers have also been deployed extensively by Russia against targets in Ukraine, and Russian hackers are believed to have been behind a wiper used earlier this year in a cyberattack that targeted energy grid systems in Poland. North Korea also used a wiper attack in its infamous hack of Sony in 2014.
Notably, Iran's Islamic Revolutionary Guard Corps has warned that the offices and infrastructure of US companies that have links to Israel and whose technology has been used to assist military operations will be targets for physical attack. The list includes potential infrastructure used for cloud-based services operated by companies such as Google, Palantir, Microsoft, IBM, Nvidia and Oracle.
This is a developing story so more information is likely to become available later.
See also:
Cyberattack Targeting Poland's Energy Grid Used a Wiper
Second Wiper Attack Strikes Systems in Ukraine
Dozens of Computers in Ukraine Wiped with Destructive Malware in Coordinated Attack