Stryker says it is restoring systems after pro-Iranian hackers wiped thousands of employee devices

Medical technology giant Stryker said it is in the process of restoring its computers and internal network after a cyberattack that reportedly allowed pro-Iranian hackers to remotely wipe tens of thousands of employee devices.

The hack, which led to widespread ongoing disruption of the company’s operations, is believed to be the first major cyberattack in the United States in response to the Trump administration’s war in Iran.

Stryker said in an update over the weekend that the March 11 cyberattack was contained within the company’s internal Microsoft environment, and that its Internet-connected medical products are “safe to use.”

While the cause of the breach remains under investigation, the medical device technology manufacturer said it saw no indication of ransomware or malware. Stryker said its ability to process orders, manufacture or ship devices remains idled.

A pro-Iranian hacking group called Handala claimed responsibility for the devastating hack, claiming that the hack was in response to a US airstrike on an Iranian school that killed at least 175 people, most of them children. The hackers also defaced the company’s login pages with its own logo.

According to Bleeping Computer, the Handala hackers may have hacked using an internal Stryker administrator account, giving them near-unlimited access to the company’s Windows network. The hackers allegedly gained access to the company’s Microsoft Intune dashboards, which allow for remote management of employees’ laptops and mobile devices, such as deleting data if an employee’s device is lost or stolen.

A successful compromise of the company’s Intune dashboards would have allowed hackers to remotely wipe employee phones and laptops, including personal devices, without using malware.

The Wall Street Journal also reported that hackers targeted Intune.

A Stryker spokesperson did not respond to a request for comment or questions about the breach, including whether the account allegedly compromised was protected with multi-factor authentication.

It is unclear how the hackers gained access to the Stryker network initially. Security researchers at Palo Alto Networks said the Handala hackers may have relied on phishing to infiltrate the Stryker network. IBM said the Iran-aligned hacking group is known for using phishing techniques and destructive attacks, including targeting the healthcare and energy sectors. It could also be caused by Infostealer malware, which can steal someone’s passwords and credentials.

Stryker has 56,000 employees around the world and operates in more than 60 countries, according to Reuters.