Pro-Iran hackers hit US firm Stryker, erasing 200,000 devices

The news: A pro-Iranian hacking group—Handala—claims to have erased 200,000 devices and stolen 50 terabytes of data from medical equipment giant Stryker, forcing office shutdowns across 79 countries, per PCMag. The group stated the attack was in retaliation for US strikes on Iran.

  • Ransomware gangs lock data and demand payment. Handala erases it and takes the data. Its wiper attacks target Windows and Linux environments to inflict maximum operational damage rather than to make money.
  • Phishing attacks, which are the second most common type of cyberattack on end users after malware, per Fortinet, are the likely starting point for this type of attack.

Stryker, which makes medical equipment across orthopaedics, medical-surgical, and neurotechnology/spine, confirmed it was “experiencing a global network disruption to our Microsoft environment as a result of a cyberattack.”

The hackers targeted employee systems and ordering platforms, not medical devices, but the event halted operations for thousands of employees.

Zooming in: By compromising Stryker’s Microsoft Intune environment—a cloud endpoint management platform—Handala effectively weaponized the company’s own IT tooling, remotely issuing wipe commands and factory-resetting tens of thousands of Intune‑managed laptops and mobile devices.
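A defender's view of the mechanism above: a legitimate management console issuing an abnormal burst of wipe commands. The following is an added example, not code from the article, Stryker, or Microsoft; it runs a simple per-actor sliding-window detector over constructed audit events whose field names (`time`, `actor`, `action`, `device`) and action names are an assumed, simplified schema rather than the real Intune audit log format.

```python
# Added example: flag any console actor that issues a burst of wipe-class
# actions. The event schema and action names are assumed/constructed.
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_ACTIONS = {"wipe", "retire", "factoryReset"}  # assumed action names

# Constructed sample events: one routine wipe by a helpdesk account, then a
# single service account wiping 25 devices in under three minutes.
SAMPLE_EVENTS = [
    {"time": "2025-06-01T08:00:00", "actor": "helpdesk@example.test",
     "action": "wipe", "device": "LAPTOP-0001"},
    {"time": "2025-06-01T09:00:00", "actor": "helpdesk@example.test",
     "action": "sync", "device": "LAPTOP-0002"},
] + [
    {"time": f"2025-06-01T10:0{i // 10}:{(i % 10) * 6:02d}",
     "actor": "svc-mdm@example.test", "action": "wipe",
     "device": f"LAPTOP-{i + 100:04d}"}
    for i in range(25)
]


def parse(events):
    """Normalise raw events into sorted (time, actor, action, device) tuples."""
    rows = [(datetime.fromisoformat(e["time"]), e["actor"], e["action"], e["device"])
            for e in events]
    rows.sort()
    return rows


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=10):
    """Return {actor: (count, first_time, last_time)} for every actor that
    issued at least `threshold` wipe-class actions inside one `window`."""
    per_actor = defaultdict(list)
    for t, actor, action, _device in parse(events):
        if action in WIPE_ACTIONS:
            per_actor[actor].append(t)
    alerts = {}
    for actor, times in per_actor.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold and (actor not in alerts or count > alerts[actor][0]):
                alerts[actor] = (count, times[start], times[end])
    return alerts


if __name__ == "__main__":
    for actor, (count, first, last) in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT {actor}: {count} wipes between {first} and {last}")
```

In practice the same check belongs in the SIEM rule that ingests MDM audit logs, with the threshold tuned below the organisation's normal daily wipe volume so that a burst trips before it reaches thousands of endpoints.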

Medical devices themselves—surgical robots, defibrillators, imaging systems—typically run on secure, proprietary platforms with strict regulatory oversight from the FDA and other bodies.

Recovery will require rebuilding thousands of devices from scratch—reimaging hardware, reinstalling applications, and restoring data from backups—a process that could take weeks for an organization of Stryker’s scale, even with business continuity measures and cybersecurity training in place.

Implications for brands: Malware, phishing, web, and password attacks usually spread through individual user accounts, which means a company’s security is only as good as its weakest link.

  • Brands should enforce dedicated, heavily secured administrative environments that are kept separate from corporate networks and everyday employee activity.
  • Train employees on what to look out for in a phishing attack, and provide a way to report suspected phishing emails.
  • Require strong multi-factor authentication (MFA), such as a FIDO2 security key or platform passkey, so that users sign in with biometrics or a PIN rather than a password at every stage.

Marketing and sales leaders must demand a seat at the table for IT resilience planning. Customer-facing systems—ordering portals, sales tools, communication platforms—should require the same hardening as regulated medical devices.
