
Stryker Confirms Cyberattack Contained, Systems Restoration Now Underway

Stryker's Iran-linked attackers wiped thousands of devices using Microsoft Intune; two weeks later, the medical giant says the breach is contained and plants are back online.

Dr. Elena Rodriguez, 3 min read

Hackers weaponized Stryker Corporation's own device-management software to trigger a mass wipe across its global network on March 11, shutting down the Portage, Michigan-based medical device giant's operations worldwide for nearly two weeks. Now, the company says the damage is contained.

The company's regulatory filing included an assurance letter from Palo Alto Networks' Unit 42, which is assisting Stryker with its investigation of the attack. In that letter, dated March 20, Unit 42 said the forensic evidence review and threat hunting it performed across the medical device maker's infrastructure identified "no current evidence of active, uncontained, persistent unauthorized access within the Stryker environment." "All known indicators of compromise associated with this specific incident have been successfully identified and addressed," Palo Alto Networks said, adding that Stryker has engaged Microsoft to assist with recovery of the identity infrastructure and that existing accounts have been secured.

In the same filing, Stryker said the investigation found the threat actor "used a malicious file to run commands which allowed it to hide its activity while in its systems, but that the file was not capable of spreading, either inside or outside of the company's environment." The reported attack vector was more direct than a traditional exploit chain: the attacker gained access to Stryker's Microsoft Intune mobile device management console and issued a wipe to every enrolled device. A remote wipe is a legitimate administrative action in Intune, so no exploit or self-propagating malware was needed; whoever controls the console, or an account holding the right to issue that action, can reach every managed endpoint at once.

Iranian hacktivist group Handala claimed responsibility for the attack. Handala has been active since 2023 and is assessed by Palo Alto Networks' Unit 42 as one of several online personas maintained by Void Manticore, a threat actor affiliated with Iran's Ministry of Intelligence and Security. Since the United States and Israel began a protracted bombing campaign against Iran on Feb. 28, Handala has been especially active.

On the recovery side, Stryker on Monday told investors it has contained the March 11 incident and is prioritizing the IT systems that directly support customers, ordering and shipping. Impacted systems are being rebuilt or restored from backups that predate the known window of compromise, so that nothing the attacker touched is carried back into the environment. "Our internal teams continue to work around the clock with external partners to make meaningful progress on our restoration efforts," the company said. "We are grateful for the partnership and collaboration with government agencies and industry partners."


Manufacturing capacity, a particular concern for hospitals relying on Stryker's surgical equipment and orthopedic implants, is moving back toward normal. "There is nothing more important to us than the customers and patients we serve, and we recognize the criticality of every procedure to every patient," Stryker said. "Manufacturing capability is ramping quickly as critical lines and plants are brought back online, prioritizing patient needs. This is a 24/7 effort and the first priority of our entire organization." Stryker also confirmed there remains no evidence of the threat actor accessing customer, supplier, vendor, or partner systems.

The U.S. government has officially linked Handala to Iran's Ministry of Intelligence and Security and has taken down several websites used by the threat actor. The FBI issued an alert sharing information about attacks allegedly carried out by the group, including the malware it uses. The Cybersecurity and Infrastructure Security Agency urged security teams across the country to harden their endpoint security, out of concern that other Microsoft Intune environments could also be targeted.
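One way a defender can watch for the pattern described above in their own tenant, as an added example that is not code from the article, Stryker, Unit 42, Microsoft or CISA: the script below replays constructed Intune audit events in the shape Microsoft Graph's deviceManagement/auditEvents endpoint returns and flags any principal that issues a burst of wipe, retire or delete actions from one source address inside a short window. Field names follow the Graph auditEvent resource; the activityType strings, the sample principals and addresses, the ten-minute window and the threshold of five are assumptions to tune for a real tenant.

```python
"""Detect burst device-wipe commands in Microsoft Intune audit events.

Added example for this article, not code from Stryker, Unit 42, Microsoft
or CISA. Assumes the event shape returned by Microsoft Graph's
deviceManagement/auditEvents endpoint (activityDateTime, activityType,
activityResult, actor.userPrincipalName, actor.ipAddress,
resources[].displayName). All events below are constructed, and the exact
activityType strings Intune emits for wipe/retire actions are an
assumption, so matching uses case-insensitive substrings.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Substrings of activityType treated as destructive device actions (assumed).
DESTRUCTIVE_MARKERS = ("wipe", "retire", "delete")


def _event(ts, actor, ip, activity_type, device, result="Success"):
    """Build one event in the auditEvent shape (constructed sample data)."""
    return {
        "activityDateTime": ts.isoformat().replace("+00:00", "Z"),
        "activityType": activity_type,
        "activityResult": result,
        "actor": {"userPrincipalName": actor, "ipAddress": ip},
        "resources": [{"displayName": device, "type": "ManagedDevice"}],
    }


_DAY = datetime(2026, 3, 11, tzinfo=timezone.utc)

# Constructed sample: a helpdesk admin retires one lost laptop in the morning
# (routine), then a different principal, from an address no admin normally
# uses, wipes 40 devices in under two minutes.
SAMPLE_EVENTS = [
    _event(_DAY + timedelta(hours=8, minutes=2), "helpdesk@corp.example",
           "10.20.0.15", "Retire ManagedDevice", "LAPTOP-0412"),
] + [
    _event(_DAY + timedelta(hours=9, minutes=30, seconds=2 * i),
           "svc-intune@corp.example", "203.0.113.77",
           "Wipe ManagedDevice", f"WS-{1000 + i}")
    for i in range(40)
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_destructive(event):
    """True when the activityType names a wipe, retire or delete action."""
    activity = (event.get("activityType") or "").lower()
    return any(marker in activity for marker in DESTRUCTIVE_MARKERS)


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return one finding per (actor, source IP) that issued at least
    `threshold` destructive device actions inside any span of `window`.

    A per-actor sliding window is used so that a slow, routine trickle of
    retire commands is not flagged while a mass wipe from one session is.
    """
    by_actor = defaultdict(list)
    for ev in events:
        if not is_destructive(ev):
            continue
        actor = ev.get("actor", {})
        who = (actor.get("userPrincipalName")
               or actor.get("applicationDisplayName") or "unknown")
        by_actor[(who, actor.get("ipAddress"))].append(ev)

    findings = []
    for (who, ip), evs in by_actor.items():
        evs.sort(key=lambda e: parse_ts(e["activityDateTime"]))
        times = [parse_ts(e["activityDateTime"]) for e in evs]
        best = None  # (start_index, end_index, count) of the densest window
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (start, end, count)
        if best is None:
            continue
        s, e, n = best
        devices = sorted({r.get("displayName", "?")
                          for ev in evs[s:e + 1]
                          for r in ev.get("resources", [])})
        findings.append({"actor": who, "ip": ip, "count": n,
                         "first": evs[s]["activityDateTime"],
                         "last": evs[e]["activityDateTime"],
                         "devices": devices})
    return findings


if __name__ == "__main__":
    for f in find_wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT {f['actor']} from {f['ip']}: {f['count']} destructive "
              f"actions between {f['first']} and {f['last']}")
```

Run as-is it prints one alert for the constructed burst and nothing for the single routine retire. Against a live tenant the same function can be fed an export of the audit events or the equivalent log table in a SIEM. Treat it as a backstop rather than a control: a wipe is a legitimate action that any principal holding the corresponding Intune role can issue, so restricting who holds that role, requiring phishing-resistant MFA for it and alerting on its assignment matter more than the query.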

Stryker employs approximately 56,000 people and reported over $25 billion in revenue for 2025. The company has not provided a timeline for full restoration and has not yet determined whether the attack will have a material impact on operations, questions that will weigh heavily on investors as the company works to quantify nearly two weeks of disrupted manufacturing and shipping across its global footprint.
