The cyberattack on Michigan-based medical device maker Stryker, in which more than 200,000 systems, servers and mobile devices were disrupted by the pro-Palestinian, Iran-linked group Handala, developed further over the last 24 hours.

In an 8-K filing with the SEC, Stryker told the federal government that at this point it was unsure how long the recovery would take.

"While the company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known," Stryker told the SEC.

The company posted Thursday evening that the incident disrupted its order processing, manufacturing and shipping operations.

“The recovery timeline is not unknown because of servers,” said Collin Hogue-Spears, senior director of solution management at Black Duck. “It’s unknown because of factories. Restoring endpoints is an IT project with a finish line. Recovering months of lost production across surgical devices and medical consumables is a supply chain deficit that compounds daily, and no server restore closes it."

Hogue-Spears pointed out that every day manufacturing sits idle, the backlog of unfulfilled hospital orders grows. Medical devices ship with batch certifications, sterilization records, and regulatory traceability documentation. Hogue-Spears said if the wipe destroyed those records, finished product can sit non-shippable until manual recertification clears each batch — and that does not account for anything perishable.

“Most hospital procurement in this category runs lean,” said Hogue-Spears. “Extended disruption forces substitutions — and in MedTech, substitutions tend to stick.”

Megan Biedermann, security analyst at Blackpoint Cyber, said the use of a wiper by Handala illustrates the threat actor’s intent to destroy, rather than encrypt, all available data.

“The successful deployment of wiper-based malware could easily result in weeks or months of recovery and significant revenue loss, depending on the data loss prevention mechanisms in place at the time of the attack,” said Biedermann. “The worst case scenario for any organization is critical data loss with no viable backups. The larger the operation, the longer it would take to build from scratch.”

Biedermann added that impacted operations for a medtech company mean a decrease in availability and an overall increase in price for the important devices and products that let healthcare facilities offer medical care effectively and safely. “Depending on the size and scope of the impact, it could represent a substantial blow in their supply chain,” said Biedermann.

Denis Calderone, chief technology officer at Suzu Labs, said it’s important to reiterate that Handala didn't deploy traditional malware: they apparently used Stryker's own Microsoft Intune environment to wipe devices at scale.

“That's why the SEC filing says no ransomware or malware was detected,” said Calderone. “The endpoint management platform was the weapon.”

Calderone said Intune has a feature built specifically to prevent this: Multi-Admin Approval for device wipes requires a second administrator to explicitly approve any wipe or retire command before it executes. Calderone said if that's enabled, a single compromised admin account can't mass-wipe the fleet. The requesting admin has to provide business justification, the action goes into an approval workflow, and a separate approver has to sign off.

“This isn't a third-party add-on,” said Calderone. “It's native to Intune, sitting right there in Tenant Administration. On top of that, organizations should be stripping wipe permissions from most admin accounts through RBAC custom roles, enforcing phishing-resistant MFA on anyone who does have those permissions, locking down the admin portal with conditional access policies, and alerting on any bulk device commands, especially off-hours.”
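The last of Calderone's recommendations, alerting on bulk device commands and flagging off-hours activity, can be prototyped over endpoint-management audit records. The script below is an added example and is not Stryker's, Microsoft's, or any quoted expert's code; it uses a simplified, hypothetical audit-record shape (actor, action, timestamp) with constructed sample events, and the threshold and window values are assumptions to tune for a real fleet.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical audit-log shape.
# Real Intune audit records carry more fields; only actor/action/time matter here.
SAMPLE_EVENTS = [
    {"actor": "admin-a@example.test", "action": "wipe",       "time": "2024-05-04T02:10:00Z"},
    {"actor": "admin-a@example.test", "action": "wipe",       "time": "2024-05-04T02:10:05Z"},
    {"actor": "admin-a@example.test", "action": "retire",     "time": "2024-05-04T02:10:09Z"},
    {"actor": "admin-a@example.test", "action": "wipe",       "time": "2024-05-04T02:11:30Z"},
    {"actor": "admin-b@example.test", "action": "wipe",       "time": "2024-05-06T14:00:00Z"},
    {"actor": "admin-b@example.test", "action": "syncDevice", "time": "2024-05-06T14:01:00Z"},
]

DESTRUCTIVE = {"wipe", "retire"}  # commands that take a device out of service


def is_off_hours(ts: datetime, start_hour: int = 8, end_hour: int = 18) -> bool:
    """True on weekends or outside the business-hour window (in ts's own tz)."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def detect_bulk_commands(events, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per actor whose destructive commands inside any
    sliding time window reach `threshold`; mark whether it began off-hours."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["action"] in DESTRUCTIVE:
            ts = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
            per_actor[ev["actor"]].append(ts)
    alerts = []
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({
                    "actor": actor,
                    "count": count,
                    "first": times[start].isoformat(),
                    "off_hours": is_off_hours(times[start]),
                })
                break  # one alert per actor is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_commands(SAMPLE_EVENTS):
        print(alert)
```

With the sample data, admin-a's three destructive commands within ten minutes on a Saturday night produce one alert flagged as off-hours, while admin-b's single wipe during business hours does not.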
No restoration timeline for medical device maker Stryker after cyberattack