'It's destructive, not ransomware': Security experts weigh in on motivation behind Stryker cyber attack

The attack on medical tech company Stryker has severely impacted operations globally

Security experts have warned that the cyber attack on Stryker signals a step change in politically motivated attacks, with a particular focus on destruction rather than extortion.

Operations at the medical technology firm have been severely impacted in a cyber attack claimed by the Iranian-linked threat group Handala. The group claims to have wiped thousands of systems across the company’s global operations and stolen around 50 terabytes of data.

“In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted,” the group claimed in a statement online.

Stryker develops a range of products, including surgical equipment, neurotechnology, and orthopedic implants, with offices in 79 countries and over 50,000 employees worldwide.

The impact of the attack has been felt globally, with reports suggesting operations in Ireland have been severely disrupted.

Stryker employs around 4,000 people in Cork, which the company describes as its “biggest innovation and manufacturing hub outside the US”.

“Nobody can work,” a source told the Irish Mirror. “The entire company has been brought to a standstill.”

Stryker confirms attack

Stryker has confirmed it is dealing with “global network disruption” across its Microsoft environment, which is believed to be the entry point for the group.

One employee told BleepingComputer that staff have been ordered to remove work-related applications from personal devices, in particular Microsoft Teams and the company portal for Microsoft Intune, the mobile device management software.

Targeting of Microsoft products is a common tactic for Handala, which has been active since at least December 2023.

A 2024 threat intelligence report from Cisco Talos and Splunk’s Threat Research Team specifically highlighted the group’s activities on this front, which typically involve “wiper” malware used to destroy company data.

“The Handala Hacking Team is notable for employing a wide range of sophisticated tactics and techniques, including data theft, phishing extortion, website defacement, and destructive attacks leveraging custom wiper malware that targets Windows and Linux environments,” the duo said in a blog post.

“The target matters”

Stryker noted in its statement that there’s “no indication of ransomware” involved in the attack. However, this aspect of the attack provides an insight into the underlying motivations, according to Huntress CISO Chris Henderson.

In this instance, the attack is “destructive, not ransomware”: a politically motivated attack aimed solely at causing widespread disruption.

“The target matters. Stryker manufactures critical medical devices used in operating rooms and ICUs worldwide,” Henderson said.

“When a supplier of this scale goes offline, it doesn't just impact their employees; it creates ripple effects across hospitals, surgical centers, and healthcare providers who depend on their equipment and support infrastructure.”

Skip Sorrells, Field CTO-CISO at Claroty, echoed Henderson’s comments, noting that even prior to the Iran conflict, hacktivist activities had been ramping up globally.

Security agencies including CISA and the UK's National Cyber Security Centre (NCSC) have issued repeated warnings over the rise of hacktivist groups over the last two years.

In particular, pro-Russian hacktivist groups identified by the NCSC were found to be targeting local government agencies and critical infrastructure. Critical sectors like healthcare are now firmly in the crosshairs, according to Sorrells.

“Attacks like this unfortunately aren’t surprising,” he said. “Even before the latest geopolitical tensions, hacktivist activity targeting healthcare and other critical infrastructure had been steadily increasing, and that trend makes organizations like medical device manufacturers and hospitals more likely to be caught in the crossfire.”

Ross Kelly
News and Analysis Editor
