Stryker says it’s restoring systems after pro-Iran hackers wiped thousands of employee devices


Medical tech giant Stryker said it’s in the process of restoring its computers and internal network following a cyberattack that reportedly allowed pro-Iranian hackers to remotely wipe tens of thousands of employee devices.

The hack, which brought ongoing widespread disruption to the company’s operations, is thought to be the first major cyberattack in the United States in response to the Trump administration’s war in Iran.

Stryker said in an update over the weekend that the March 11 cyberattack was contained to the company’s internal Microsoft environment, and that its internet-connected medical products are “safe to use.”

While the cause of the breach is still under investigation, the medical device tech maker said it has seen no indication of ransomware or malware. Stryker said its ability to process orders, manufacture, or ship devices continues to be disrupted.

A pro-Iran hacking group called Handala took credit for the destructive breach, claiming its hack was in response to a U.S. air strike on an Iranian school that killed at least 175 people, mostly children. The hackers also defaced the company’s login pages with the group’s own logo.

According to Bleeping Computer, the Handala hackers may have broken in using an internal Stryker administrator account that granted them near-unlimited access to the company’s Windows network. The hackers allegedly accessed the company’s Microsoft Intune dashboards, which allow the remote management of employee laptops and mobile devices, such as deleting data in case an employee’s device is lost or stolen.

A successful compromise of the company’s Intune dashboards would have allowed the hackers to remotely wipe employee phones and laptops, including personal devices, without using malware.

The Wall Street Journal also reported that the hackers targeted Intune.

A spokesperson for Stryker did not respond to a request for comment or questions about the breach, including whether the allegedly compromised account was protected with multi-factor authentication.

It’s unclear how the hackers obtained their access to Stryker’s network to begin with. Security researchers with Palo Alto Networks said the Handala hackers may have relied on phishing to compromise Stryker’s network. IBM said the Iran-aligned hacking group is known for using phishing techniques and destructive attacks, including targeting the healthcare and energy sectors. Infostealer malware, which can steal a person’s passwords and credentials, may also be to blame.

Stryker has 56,000 staff around the world and operates in more than 60 countries, according to Reuters.
