Iranian cyberattack on medical device company Stryker

How many other hacks have we not heard about, if any?

https://www.wsj.com/tech/cybersecurity/stryker-says-cyberattack-disruption-is-continuing-6b0d9a38

Stryker is a huge medical device company.

Stryker said a cyberattack related to the Iranian conflict is still disrupting its operations, including order processing, manufacturing and shipping.

Stryker experienced a global disruption to its Microsoft systems following a cyberattack Wednesday, which resulted in the company asking 56,000 employees to disconnect from all networks and avoid turning on company devices.

The hackers behind the attack said they were retaliating on behalf of Iran, The Wall Street Journal reported Wednesday.

https://www.nbcnews.com/world/iran/iran-appears-conducted-significant-cyberattack-us-company-first-war-st-rcna263084

Since the war started, some established hacker groups sympathetic to Iranian leadership have claimed minor attacks, but most have been relegated to briefly altering the appearance of a website, and none have appeared to have had major impact. Some tech and cybersecurity companies, including Google, and the email cybersecurity company Proofpoint have told NBC News that they have largely seen Iran’s hackers conducting espionage related to the war.

But that appears to have changed Wednesday, with what appears to have been a different type of attack that also deleted information from devices. A Stryker employee, who requested to not be identified because they are not authorized to speak for the company, said that employees’ work-issued phones stopped working, grinding work and communications with colleagues to a standstill.

Handala Team, which cybersecurity companies say has ties to Iran’s Intelligence Ministry, has claimed responsibility for the Stryker hack in statements on its Telegram and X accounts. The group routinely brags about its exploits on the social media platforms, which have in recent days taken down previous versions of their accounts.

Specifics of how the hack was conducted are not clear. But public evidence of the hack points to the likelihood that hackers gained access to the company’s Microsoft Intune account, which the employee confirmed Stryker uses. From there, Handala appears to have wiped some employees’ devices back to factory settings, an expert said.

“They seem to have obtained access to the Microsoft Intune management console. This is a solution for managing corporate devices,” said Rafe Pilling, the director of threat intelligence at the cybersecurity company Sophos, which has linked Handala to Iran’s intelligence operations.

“One of the features is the ability to remotely wipe a device if it’s lost/stolen etc. Looks like they triggered that for some or all of the enrolled devices,” he said in a written exchange.

Microsoft’s website describes the remote wipe feature as “commonly used when a device needs to be retired, repurposed, reset for troubleshooting, or securely erased if lost or stolen.”

In a statement on its website Wednesday, Stryker said that the disruption was due to a cyberattack but that its own systems were not directly hacked and that ransomware — a common type of cybercrime that can also significantly disrupt companies’ networks — was not a factor.

“Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyber attack. We have no indication of ransomware or malware and believe the incident is contained,” the statement said.

The company did not respond to a request for further details. Microsoft did not respond to a request for comment.
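The pattern described above, one management-console account issuing remote wipes to many enrolled devices in a short time, is something defenders can alert on. The following Python is an added example, not code from the quoted articles, Stryker or Microsoft; the record fields (`time`, `actor`, `action`, `device`), the account names and the sample events are constructed and do not reflect a real Intune audit-log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. Field names are hypothetical, not the schema of
# any real Intune or Graph audit export; map your own log fields onto them.
SAMPLE_EVENTS = [
    {"time": "2026-01-05T09:02:00", "actor": "helpdesk1@example.com", "action": "wipe", "device": "PHONE-0007"},
    {"time": "2026-01-05T13:40:00", "actor": "helpdesk1@example.com", "action": "wipe", "device": "LAPTOP-0311"},
    {"time": "2026-01-06T03:15:00", "actor": "admin9@example.com", "action": "sync", "device": "PHONE-0100"},
] + [
    {"time": f"2026-01-06T03:16:{s:02d}", "actor": "admin9@example.com",
     "action": "wipe", "device": f"PHONE-{100 + s:04d}"}
    for s in range(0, 40, 2)  # 20 wipes within 38 seconds
]


def find_wipe_bursts(events, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per actor who wipes >= threshold distinct devices within window."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "wipe":
            continue
        t = datetime.fromisoformat(ev["time"])
        q = recent[ev["actor"]]
        q.append((t, ev["device"]))
        while t - q[0][0] > window:  # drop wipes that fell out of the window
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= threshold:
            prev = alerts.get(ev["actor"])
            if prev is None or len(devices) > prev["devices"]:
                alerts[ev["actor"]] = {
                    "actor": ev["actor"], "first_seen": q[0][0], "devices": len(devices),
                }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in find_wipe_bursts(SAMPLE_EVENTS):
        print(alert["actor"], alert["first_seen"].isoformat(), alert["devices"])
```

The two routine help-desk wipes hours apart stay below the threshold, while the burst from a single account is flagged; the threshold and window are tuning choices that depend on how many legitimate wipes an organization normally performs.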

https://www.beckershospitalreview.com/healthcare-information-technology/cybersecurity/stryker-updates-hospitals-on-platforms-unaffected-by-cyberattack/

A few of Stryker’s platforms were not affected by the cyberattack:

Stryker updates hospitals on platforms unaffected by cyberattack

Stryker said several surgical technology platforms remain unaffected as the company continues responding to a cyberattack that disrupted its Microsoft-based internal environment beginning March 11.

Here are updates about the cyberattack:

In a March 13 update posted to Stryker’s website, the medical technology company said its Surgical Visualization Platforms, Connected OR Hub and several endoscopy cloud and server products have not been impacted by the incident.

The products include Studio3, Datamediator, Hospital Status and Cisco Codecs….

It turns out Stryker had an earlier breach 10 months ago, which was not reported for 6 months.

https://technologymatch.com/blog/the-stryker-cyberattack-what-this-means-for-your-security-architecture

Stryker had a prior 2024 breach involving unauthorized access for approximately one month from May to June 2024, with personally identifiable information including medical records exfiltrated. That breach was not disclosed until December 2024.

A six-month gap between breach discovery and public disclosure raises questions about detection capability and incident response maturity that go beyond the March 2026 attack.

Did the breach affect patient care? Yes, although the full extent of problems has not been revealed.

Maryland’s Institute for Emergency Medical Services Systems notified hospitals that Stryker’s Lifenet electrocardiogram transmission system was non-functional across most of the state. When prehospital ECG data cannot reach the receiving hospital before an ambulance arrives, preparation time for time-sensitive cardiac conditions shrinks.

Stryker itself has emphasized those parts of the company that are still functional. The American Hospital Association claimed there were no hospital care issues due to the hack, which is hard to believe, since there are media reports of delayed and postponed surgeries: “At this time, we are not aware of any direct impacts or disruptions to U.S. hospitals as a result of this attack. That may change as hospitals evaluate services, technology and the supply chain related to Stryker and as the duration of the attack extends.”

Stryker’s stock value has dropped 9% from its peak Tuesday, since the hack was revealed.
