SecurityWeek reports that the cyberattack on Stryker, claimed by the Iran-linked Handala group, involved compromised credentials harvested from infostealer logs and used to access administrator accounts. Newly uncovered evidence described by Alon Gal of Hudson Rock supports that origin: the credentials appear in information-stealer logs and include dozens of Microsoft service and MDM credentials.
Handala had previously claimed to have wiped more than 200,000 devices and to have forced shutdowns across several countries; Stryker said it found no evidence of malware deployed on its systems. The breach came to light on 11 March, and Stryker has since been restoring affected systems, prioritising those supporting customers, ordering and shipping; an update released on 15 March stated that all products remain safe to use.
According to Bleeping Computer, the compromised credentials gave the attackers Intune administrative access, and a later report noted that they created a new Global Administrator account and used it to wipe devices. A remote wipe issued through Intune is a native management action rather than malware, so that account of the attack is consistent with Stryker's statement that no malware was found on its systems. The incident prompted engagement from US agencies and follows broader Iran-linked cyber activity in the region; Handala's claims remain difficult to verify in full.
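The reported chain (compromised admin credentials, a newly created Global Administrator account, then device wipes) leaves a clear audit trail in an identity tenant. The following detection sketch is an added example written for this page; it is not code from SecurityWeek, Bleeping Computer, Hudson Rock or Stryker. The events are constructed and use a simplified flat shape: "Add user" and "Add member to role" mirror Entra ID audit activity names, while "Wipe device" is a placeholder I chose for an Intune device action, and all account and device names are made up.

```python
"""Flag accounts that were created, granted Global Administrator within a short
window, and then used to issue device wipes.

SAMPLE_EVENTS is constructed for this example (not from any real tenant). The
field shape (ts, activity, actor, target, detail) is a simplification of the
Entra ID / Intune audit schema and is an assumption of this example.
"""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [
    # Constructed: an existing admin creates a fresh account...
    {"ts": "2025-01-15T22:01:00Z", "activity": "Add user",
     "actor": "intune-admin@corp.example", "target": "svc-sync2@corp.example", "detail": ""},
    # ...elevates it to Global Administrator minutes later...
    {"ts": "2025-01-15T22:03:30Z", "activity": "Add member to role",
     "actor": "intune-admin@corp.example", "target": "svc-sync2@corp.example",
     "detail": "Global Administrator"},
    # ...and the new account starts wiping devices.
    {"ts": "2025-01-15T22:40:00Z", "activity": "Wipe device",
     "actor": "svc-sync2@corp.example", "target": "LAPTOP-0451", "detail": ""},
    {"ts": "2025-01-15T22:40:05Z", "activity": "Wipe device",
     "actor": "svc-sync2@corp.example", "target": "LAPTOP-0452", "detail": ""},
    # Constructed benign noise: a lesser role grant and a routine wipe by an
    # established admin. Neither should be flagged.
    {"ts": "2025-01-14T09:00:00Z", "activity": "Add member to role",
     "actor": "it-lead@corp.example", "target": "jdoe@corp.example",
     "detail": "Helpdesk Administrator"},
    {"ts": "2025-01-14T10:00:00Z", "activity": "Wipe device",
     "actor": "it-lead@corp.example", "target": "PHONE-0009", "detail": ""},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_new_admin_wipers(events, window=timedelta(hours=24), role="Global Administrator"):
    """Return one finding per account that was created, elevated to `role`
    within `window` of creation, and then issued at least one device wipe.

    Each finding records who created and who elevated the account (the
    likely compromised administrator) and the devices it wiped.
    """
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    created = {}    # account -> (creation time, creator)
    elevated = {}   # account -> (elevation time, granter)
    wiped = {}      # account -> [device, ...], insertion-ordered

    for event in ordered:
        when = parse_ts(event["ts"])
        activity = event["activity"]
        if activity == "Add user":
            created[event["target"]] = (when, event["actor"])
        elif activity == "Add member to role" and event["detail"] == role:
            account = event["target"]
            # Only a *new* account elevated shortly after creation is suspicious here;
            # long-standing accounts getting the role need a different rule.
            if account in created and when - created[account][0] <= window:
                elevated[account] = (when, event["actor"])
        elif activity == "Wipe device" and event["actor"] in elevated:
            wiped.setdefault(event["actor"], []).append(event["target"])

    return [
        {
            "account": account,
            "created_by": created[account][1],
            "elevated_by": elevated[account][1],
            "wiped": devices,
        }
        for account, devices in wiped.items()
    ]


if __name__ == "__main__":
    for finding in find_new_admin_wipers(SAMPLE_EVENTS):
        print(finding)
```

In a real tenant the same three signals come from the Entra ID audit log (user creation and role membership changes, where the role name sits in the modified properties of the target resource) and the Intune audit log (device actions), so the event shape above would need mapping to those sources; the actor of the role grant is worth as much attention as the new account, since it is the credential that was likely stolen in the first place.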