An Iranian-linked group claimed responsibility Wednesday for a cyberattack against Michigan-based medical giant Stryker Corp., an incident that cybersecurity experts said could be unprecedented in size and scope.
A global outage afflicted the company in the early hours of Wednesday, with employees and contractors saying that the logo of Handala, a pro-Palestinian hacking group, had appeared on the company’s login pages, according to a report in the Wall Street Journal. Employees’ cellphones, laptops and other remote devices that run the Microsoft Windows operating system and use Stryker’s platforms had been wiped, according to the report.
Handala, which has claimed multiple attacks on targets in Israel and around the world, said in a message posted in its Telegram channel that the attack was in response to a strike on the Minab school in Iran that killed scores of children “and ongoing cyber assaults.”
Stryker is “experiencing a global network disruption to our Microsoft environment as a result of a cyberattack,” a spokesperson said. “We have no indication of ransomware or malware and believe the incident is contained.”
The spokesperson did not comment on who might be behind the attack. Calls to the company’s global headquarters in Portage, just south of Kalamazoo, were answered with a recording that said the company is “currently experiencing a building emergency.”
The attack on a large U.S. company could mark a major escalation amid the Iran war following a military campaign in the country by the United States and Israel that began on Feb. 28, according to the experts.
“There’s a lot of different examples of these kinds of attacks,” said Thomas Holt, director of Michigan State University’s Center for Cybercrime Investigation & Training, “but not one that has this extreme of a global set of effects.”
Handala emerged around 2023 and has been linked to Iran’s Ministry of Intelligence and Security by threat intelligence companies. In recent weeks, it has taken credit for attacks on Israeli businesses and others in the Middle East.
The group, in a statement, attacked Stryker and stated it was retaliating for the strike on the Shajareh Tayyebeh girls’ elementary school in southern Iran’s Minab that killed 175 people who were mostly children and for ongoing attacks on the infrastructure of the Axis of Resistance, which is made up of terrorist organizations in the region. It claimed to have wiped more than 200,000 systems, servers and mobile devices and extracted 50 terabytes of data, saying it will make the information public.
Stryker is one of the world’s largest manufacturers of medical technology, reporting $25 billion in revenue last year and employing about 56,000 people around the world. It produces equipment used in hospitals and surgical settings, especially in orthopedics and neurosurgery. Products include joint replacement implants, surgical instruments, hospital beds and robotic-assisted surgery technology.
Stryker shares fell 3% following the report of the attack. In Wednesday trading, Stryker shares slid 3.6% to close at $345.78, but moved higher after hours.
U.S. Rep. Bill Huizenga of Holland Township said in a post on the social media platform X that he’d had conversations with Stryker and the Trump administration.
“Early reports are connecting this attack (to) a group linked to Iran,” Huizenga said. “If true, this continues to demonstrate the threat the Iranian regime poses to America, our allies, and our interests. Cyber attacks from foreign adversaries, especially Iran, exemplify why funding for the Department of Homeland Security, which has been passed by the House, should be passed by the Senate without further delay.”
It’s likely the hackers were simply able to identify a vulnerability in Stryker’s network that resulted in it falling victim, experts said, though creating challenges for obtaining or using medical equipment, especially in the military, could be another reason for the cyberattack, Holt said. It wasn’t immediately clear if Stryker-produced equipment was or could be affected by the attack.
It also wasn’t clear if the effects could spread beyond Stryker’s network. Javed Ali, associate professor of practice at the University of Michigan’s Ford School of Public Policy, noted that Russia, about a decade ago, created a “global malware epidemic” when it released malware on a small target that wasn’t confined. If Stryker caught the attack early enough, it could limit its spread.
The attack is also a likely indicator that other attempts are being made, and companies and the public should practice good “cyber hygiene.” That includes being wary of clicking links and opening attachments from emails and texts from unfamiliar senders, Ali said.
“Having that awareness for all of this is a good common-sense thing to do,” Ali said. “It doesn’t make you 100% immune, but it helps to minimize as much risk as possible.”
Having recent backups of devices will protect an individual or company from losing everything if the technology is wiped, Holt said. Companies should evaluate and shore up any known vulnerabilities, ensure software is up-to-date and put hardened firewalls in place. Additionally, it’s wise for anyone to have a strategy in place if they become susceptible to a cyberattack so they won’t be caught without alternatives.
The likelihood of the United States responding to the cyberattack is high, Holt said, though what that could look like remains unclear. Missile strikes and other physical attacks have already affected aspects of Iran’s electrical grid and internet access, which could limit the impact of a U.S. cyberattack in retaliation.
A White House official in a statement said the Trump administration is always monitoring for potential cyber threats and driving a response through regulatory and law enforcement agencies. The Pentagon declined to comment.
Iran has used cyberattacks against the United States for at least 15 years, Ali said, as part of its unconventional, asymmetric war strategy, given Iran’s limited military resources in comparison to the United States’ military superpowers. Accessing devices and destroying data, however, represents a higher-end capability, Ali said. He noted that in 2014, an Iranian attack on casino giant Las Vegas Sands Corp. paralyzed computer networks after owner Sheldon Adelson made comments about using nuclear weapons against Iran.
Iran has its own cyber threat infrastructure, but it also often uses other hacking groups that share its ideology and may be supported by part of the Iranian regime. The strategy helps create a cover of plausible deniability for countries, the experts noted.
“The fact that this happened suggests there has been or will be attempts against others,” Holt said. “There probably is more to come.”
bnoble@detroitnews.com
@BreanaCNoble
Reuters contributed.