Iranian Hackers Likely Used Malware-Stolen Credentials in Stryker Breach

Summary

Iranian-linked hacker group Handala breached US medical technology giant Stryker in March 2025, wiping over 200,000 devices and disrupting manufacturing and shipping operations worldwide. Evidence suggests attackers obtained compromised administrator credentials from infostealer malware logs, then abused a Microsoft Intune instance to create rogue admin accounts and deploy wiper functionality.

Full text

Newly uncovered evidence suggests that the recent cyberattack targeting US medical technology giant Stryker involved compromised credentials obtained via infostealer malware. The attack on Stryker, a major manufacturer of surgical equipment and orthopedic implants for hospitals worldwide, came to light on March 11, with the Iran-linked hacker group Handala immediately taking credit. Handala, which is believed to be an anti-Israel hacktivist persona under the control of Iran’s Ministry of Intelligence and Security (MOIS), claimed to have wiped more than 200,000 devices, forcing Stryker to shut down offices in dozens of countries. The hackers also claimed to have stolen a significant amount of data. While some early reports indicated that the hackers used wiper malware in the attack — Handala has been known to use such malware — Stryker said it found no evidence of malware being deployed on its systems. According to some reports, the attackers wiped systems by abusing Stryker’s Microsoft Intune instance, which is used to remotely manage desktop and mobile endpoints and applications within the organization. Bleeping Computer reported earlier this week that the attackers compromised an Intune administrator account and created a new global admin account, which they used to wipe managed devices.Advertisement. Scroll to continue reading. Alon Gal, CTO of threat intelligence firm Hudson Rock, has now found evidence that the compromised credentials may have been obtained by information-stealer malware. An analysis of infostealer malware logs, which contain information stolen by such malware, revealed that credentials for Stryker administrator accounts were harvested, alongside dozens of other Microsoft service credentials and mobile device management (MDM) credentials associated with the medtech company. “Handala really aren’t sophisticated and likely just used infostealer logs for the Stryker breach,” Gal explained in a LinkedIn post. “Most of these creds are months if not years old, which would have given Stryker more than enough time to reset and avoid a breach,” he added. Latest developments related to Stryker hack Stryker said the cybersecurity incident only impacted its Windows environment, but admitted that it has caused disruptions to order processing, manufacturing, and shipping. In its latest update, shared on March 15, the company said it has been restoring impacted systems, with a focus on those supporting customers, ordering, and shipping. Stryker said all its products are safe to use, and the presence of its sales representatives in hospitals and facilities does not pose a risk. Nextgov/FCW reported that the cybersecurity agency CISA and the FBI have engaged with Stryker executives amid the investigation into the incident. While pro-Iran hackers have ramped up attacks against Israel, the US, and other allies after the war began, this appears to be the most significant attack against the United States. Handala has been highly active since the start of the conflict, particularly against Israel, claiming to have hacked a wide range of organizations. However, its claims are often difficult to fully verify. Forbes reported on Tuesday that two leaders of Iranian cyber operations have been killed in the recent airstrikes. One of them is Mohammad Mehdi Farhadi Ramin, charged by the US in 2020 for his role in state-sponsored hacking, and Yahya Hosseiny Panjaki, who oversaw the MOIS unit that controlled hacker groups such as Handala. Related: Iran-Linked Hackers Take Aim at US and Other Targets, Raising Risk of Cyberattacks During War Related: Threat Actor Targeting VPN Users in New Credential Theft Campaign Related: ForceMemo: Python Repositories Compromised in GlassWorm Aftermath Written By Eduard Kovacs Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering. More from Eduard Kovacs Oracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential ImpactHacking Attempt Reported at Poland’s Nuclear Research CenterLoblaw Data Breach Impacts Customer InformationStarbucks Data Breach Impacts EmployeesIran-Linked Hacker Attack on Stryker Disrupted Manufacturing and ShippingAuthorities Disrupt SocksEscort Proxy Service Powered by AVrecon BotnetApple Updates Legacy iOS Versions to Patch Coruna ExploitsMeta Launches New Protection Tools as It Helps Disrupt Scam Centers Latest News Apple Debuts Background Security Improvements With Fresh WebKit PatchesResearcher Discovers 4th WhatsApp View Once Bypass; Meta Won’t PatchTech Giants Invest $12.5 Million in Open Source SecurityUK Companies House Exposed Details of Millions of Firms Surf AI Raises $57 Million for Agentic Security Operations PlatformRobotic Surgery Giant Intuitive Discloses Cyberattack174 Vulnerabilities Targeted by RondoDox BotnetGoogle, Meta, Microsoft Among Signatories of Pact to Combat Scams Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Securing Fragile OT in an Exposed World March 10, 2026 Get a candid look at the current OT threat landscape as we move past "doom and gloom" to discuss the mechanics of modern OT exposure. Register Virtual Event: Supply Chain Security and Third-Party Risk Summit March 18, 2026 Join the event where top security experts unpack the biggest software supply chain risks. Register People on the MoveNudge Security has appointed Patrick Dillon as Chief Revenue Officer.Arctic Wolf has named Will May as its Chief Revenue Officer.Palo Alto Networks has named Danielle Gonzalez as its new Chief People Officer.More People On The MoveExpert Insights The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) How to 10x Your Vulnerability Management Program in the Agentic Era The evolution of vulnerability management in the agentic era is characterized by continuous telemetry, contextual prioritization and the ultimate goal of agentic remediation. (Nadir Izrael) SIM Swaps Expose a Critical Flaw in Identity Security SIM swap attacks exploit misplaced trust in phone numbers and human processes to bypass authentication controls and seize high-value accounts. (Torsten George) Four Risks Boards Cannot Treat as Background Noise The goal isn’t about preventing every attack but about keeping the business running when attacks succeed. (Steve Durbin) How to Eliminate the Technical Debt of Insecure AI-Assisted Software Development Developers must view AI as a collaborator to be closely monitored, rather than an autonomous entity to be unleashed. Without such a mindset, crippling tech debt is inevitable. (Matias Madou) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — infostealer malware (unspecified family)