Last week’s cyberattack on medical technology giant Stryker was limited to its internal Microsoft environment and remotely wiped tens of thousands of employee devices.
The organization says in an update on Sunday that all its medical devices are safe to use but electronic ordering systems remain offline, and customers must place orders manually through sales representatives.
Stryker emphasizes that the incident was not a ransomware attack and that the threat actor did not deploy any malware on its systems.
Last week, Stryker was the target of a cyberattack claimed by the Handala hacktivist group, believed to be linked to Iran.
The attacker alleged that they wiped “over 200,000 systems, servers, and mobile devices” and stole 50 terabytes of data. However, investigators did not find any indication that data was exfiltrated.
Following the disruption, Stryker employees in multiple countries started to complain that their managed devices had been remotely wiped overnight.
Some employees had their personal devices enrolled in the company network and lost personal data during the wiping process.
Hackers had Global Admin privileges
A source familiar with the attack told BleepingComputer that the threat actor used the wipe command in Intune, Microsoft’s cloud-based endpoint management service, to erase data from nearly 80,000 devices between 5:00 and 8:00 a.m. UTC on March 11.
The attacker carried out the action after compromising an administrator account and creating a new Global Administrator account.
The investigation is being conducted by the Microsoft Detection and Response Team (DART) in collaboration with cybersecurity experts from Palo Alto Unit 42.
Stryker’s update highlights that the attack did not impact any of its products, connected or otherwise, and was limited exclusively to the internal Microsoft corporate environment.
“All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use,” the company says.
Restoration efforts are currently underway, the main focus being on resuming shipping and transactional services. Customers are encouraged to maintain normal communication with company personnel while the infrastructure is steadily recovered.
Any order placed before the cyberattack will be honored as systems are restored, while those placed during the disruption will be processed when systems are back online, and the supply flow resumes to normal.
The company is working with its global manufacturing sites to deal with potential operational impact.
Stryker’s current priority is to restore the supply-chain system and resume customer orders and shipping. “Our core transactional systems are already on a clear path to full recovery,” the company says.
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.