Handala Hack Claims Stryker Cyberattack via Microsoft InTune

By alex2404

Security professionals had already put organizations on alert for retaliatory cyberattacks following US and Israeli airstrikes on Iran two weeks ago. On Wednesday, those warnings materialized when Stryker, a multinational medical device manufacturer, confirmed a cyberattack had taken down much of its infrastructure.

The first signs came not from the company but from social media. Posts attributed to Stryker employees or their family members described workers’ phones and computers being wiped. A report published Wednesday by an Irish news outlet, citing multiple anonymous sources, corroborated those accounts and added a significant detail: some employees reportedly saw login pages on wiped devices displaying the logo of Handala Hack.

What Stryker Has Confirmed

The company described the incident Thursday as a “global network disruption to our Microsoft environment as a result of a cyber attack.” Responders say they have found no indication that ransomware or malware was involved — notable given that those are the most common causes of such outages. The company also says it believes the incident is now contained to the internal Microsoft environment.

In a Securities and Exchange Commission filing on Wednesday, Stryker stated it had no timeline for recovering normal day-to-day activities. On the question of patient safety, the company confirmed that Lifepak, Lifenet, and Mako devices — used for monitoring and controlling heart attacks, managing and transmitting patient information in real time, and performing surgeries — were all functioning normally.

How the Attack May Have Been Carried Out

The precise method of entry remains unknown. What is emerging, however, is a picture built from social media posts and a named source cited in a separate security-focused report: the data wiping may have been executed through InTune, a Microsoft tool that allows administrators to remotely control large fleets of machines from a single interface. If accurate, this would suggest attackers gained access to that interface — possibly through an access broker — and issued deletion commands across the company’s Windows network.

Security firm Check Point tracks Handala Hack under the internal name “Void Manticore.” According to the firm, the group historically uses a mix of custom-built tools, publicly available software, and manual hands-on techniques for wiping data. Check Point researchers also noted that the group frequently relies on underground criminal services to gain initial access to targets.

Iran-aligned hackers have a documented history with wiper malware. The Shamoon wiper, linked — though not conclusively — to Iran, struck Saudi Aramco in 2012 and hit Saudi Arabian organizations again four years later. A separate wiper called ZeroCleare, also linked to Iran, was reported by researchers in 2019. That said, Stryker’s own finding of no malware suggests the current attack may have followed a different path.

Handala Hack has existed since at least 2023. The group takes its name from a character in the political cartoons of Palestinian artist Naji al-Ali and maintains multiple online personas. Check Point and other security firms have assessed it as affiliated with Iran’s Ministry of Intelligence and Security. Around the time the Stryker attack became public, posts to a Telegram account and website controlled by the group claimed responsibility.

Stryker has not provided a timeline for restoring normal operations, as stated in its SEC filing.

