On March 10, the Iranian intelligence-linked Handala collective claimed a destructive wiper attack on Stryker Medical which shut down operations across 79 countries, affecting 56,000 employees worldwide. Handala claimed to have stolen 50 terabytes of data and compromised 200,000 devices as part of their effort. Stryker’s manufacturing line in Ireland was paralyzed and the company sent a message to all employees to not turn on their laptops or phones. Handala, in messages sent via their Telegram channel, explained that this attack against Stryker was retribution for the destruction of a school in the southern Iranian city of Minab as part of Epic Fury.

Stryker and the military medical supply chain

Stryker holds multiple Department of Defense contracts worth hundreds of millions. Patient monitoring systems. Orthopedic implants for military trauma. Surgical equipment for forward operating bases. The Defense Health Agency relies on Stryker for inventory replenishment to military hospitals treating wounded soldiers. The Veterans Affairs system depends on Stryker supplies. Within hours, the company filed the obligatory SEC filings and published a statement, “Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyber attack. We have no indication of ransomware or malware and believe the incident is contained.”

The secondary and tertiary effects of having had the company’s infrastructure breached lie in a word: trust.

Companies in Stryker’s supply chain, and its customers, are now isolating Stryker from engagement as a precaution, be it API calls for integrated logistics, financial engagement with banks, or customer orders for hospitals and DOD facilities. All should be isolating Stryker at this time given the potential for downstream compromise.

Stryker advised in their statement that they have the situation controlled. That said, should Stryker’s recovery stretch from days into weeks, military hospitals may find themselves faced with an inventory crisis. Highly specialized surgical tools and neurotechnology parts that only Stryker manufactures become unavailable. Field medics deployed across the Middle East rely on Stryker portable trauma gear.

Stryker recently launched its connected SmartHospital Platform. Networked beds. Robotic surgery arms. If Handala was sophisticated enough to wipe the personal mobile phones of thousands of employees and destroy the content of hundreds of servers, the DoD must now ask: Are those connected devices in military hospitals also vulnerable?

Handala

The Handala group posted a manifesto on Telegram claiming responsibility, posted on X (formerly Twitter) claiming credit, displayed its logo on defaced employee login pages, and described the attack in its manifesto as an “unprecedented blow” against Stryker.  According to Palo Alto Networks Unit 42 cybersecurity research, Handala is confirmed to be linked to Iran’s Ministry of Intelligence and Security (MOIS). Specifically, Handala is assessed to be one of several online personas maintained by “Void Manticore,” a MOIS-affiliated actor. Handala surfaced in late 2023 during the Israel-Hamas war.

According to Palo Alto researchers, Handala is primarily focused on Israel-targeting hack-and-leak operations, with occasional targeting outside Israel when it serves a specific geopolitical agenda. Recent operations include fuel system attacks in Jordan and targeting of Israeli energy companies. The group conducts “quick and dirty,” opportunistic operations with a noted focus on supply-chain footholds to reach downstream victims.

FSOs, take note

How long the disruption will last, and how widespread its secondary and tertiary effects will be, is to be determined. If your entity has engagement with Stryker, outreach to their information security team prior to re-engagement is prudent. The cleanup and restoration will no doubt take place; the company notes in their public statements that they have a business continuity plan in place.

The attack on Stryker drives home the point: the adversary, in this case Handala, chooses the target. We can only be prepared to repel that adversary. Handala, in their statement on March 11, laid down their marker: “This is only the beginning of a new chapter in cyber warfare.”

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008).