Iranian Cyberattack on Medtech Giant Stryker Linked to Stolen Credentials and Infostealer Malware
New evidence shows the Stryker breach involved infostealer malware and Intune abuse. Read how Iran-linked Handala hackers disrupted the medtech giant’s operations.
By: AXL Media
Published: Mar 18, 2026, 9:47 AM EDT
Source: Information for this report was sourced from SecurityWeek

Infostealer Logs Identified as Primary Breach Vector
A technical analysis of the recent security breach at Stryker has shifted the focus from complex wiper malware to the exploitation of basic credential theft. According to data released by threat intelligence firm Hudson Rock, the attackers likely gained initial access using administrator credentials previously harvested by information-stealer malware. This type of malware quietly exfiltrates login data from infected devices, which is then sold or traded in underground "logs." Forensic experts noted that many of the compromised Stryker credentials were months or even years old, suggesting that a lack of password hygiene and account rotation allowed the attackers a persistent point of entry.
Abuse of Microsoft Intune to Sabotage Global Systems
The most destructive phase of the attack involved the reported subversion of Stryker’s Microsoft Intune instance, a cloud-based service used for mobile device management (MDM) and endpoint security. By compromising a high-level administrator account, the Handala hackers were able to create new global admin accounts and remotely trigger "wipe" commands across more than 200,000 devices. While Stryker initially reported finding no evidence of traditional malware being deployed within its environment, the abuse of legitimate administrative tools effectively achieved the same goal as a wiper attack, paralyzing offices and manufacturing plants in dozens of countries.
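Two signals a defender can watch for in the pattern described above are bulk remote-wipe commands from a single account and unexpected Global Administrator grants. The following is an added example (not code from the article, Stryker, or Microsoft) that runs this detection over constructed, simplified MDM audit events; the field names and action strings are assumptions, not Intune's actual audit schema.

```python
"""Flag bulk remote-wipe abuse and new Global Administrator grants.
Event shape is a constructed stand-in for an MDM audit log (assumed
field names, not Microsoft Intune's real schema)."""
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_THRESHOLD = 5              # wipes by one actor inside the window
WINDOW = timedelta(minutes=10)  # sliding window for the bulk check

# Constructed sample events (not real data): a GA grant burst, then a
# newly created admin wiping eight devices in seven minutes, and one
# routine helpdesk wipe of a lost laptop that should not alert.
SAMPLE_EVENTS = [
    {"time": "2026-03-11T02:00:00", "actor": "admin-a@example.test",
     "action": "roleAssignment.add", "target": "Global Administrator"},
    {"time": "2026-03-11T02:01:00", "actor": "admin-a@example.test",
     "action": "roleAssignment.add", "target": "Global Administrator"},
] + [
    {"time": f"2026-03-11T02:0{i}:30", "actor": "new-ga-1@example.test",
     "action": "managedDevice.wipe", "target": f"device-{i:04d}"}
    for i in range(8)
] + [
    {"time": "2026-03-11T09:15:00", "actor": "helpdesk@example.test",
     "action": "managedDevice.wipe", "target": "device-lost-laptop"},
]


def detect_bulk_wipes(events, threshold=WIPE_THRESHOLD, window=WINDOW):
    """Return {actor: peak wipe count} for actors whose wipe commands
    reach the threshold inside any sliding time window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "managedDevice.wipe":
            by_actor[ev["actor"]].append(datetime.fromisoformat(ev["time"]))
    findings = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                findings[actor] = max(findings.get(actor, 0), count)
    return findings


def detect_new_global_admins(events):
    """Return (actor, time) for every Global Administrator role grant."""
    return [(ev["actor"], ev["time"]) for ev in events
            if ev["action"] == "roleAssignment.add"
            and ev["target"] == "Global Administrator"]
```

In production the same two checks would run over exported audit events, with the threshold tuned to the organization's normal wipe volume.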
Operational Impact on Medical Supply Chains
The cybersecurity incident, which came to light on March 11, has had a measurable impact on Stryker’s ability to process orders and ship critical surgical equipment. In a series of status updates, the medtech giant admitted that while its Windows environment was the primary target, the resulting downtime trickled down into its manufacturing and logistics divisions. By March 15, the company reported it had begun a phased restoration of customer-facing systems. Stryker has maintained that its physical products remain safe for clinical use and that sales representatives present in hospitals do not pose a digital risk to those facilities.