Medical device giant Stryker has confirmed that a March 11 cyberattack claimed by an Iran-linked group is now contained, after investigators discovered and neutralized a hidden malicious file that the threat actors had used to run device-wiping commands.
While the incident forced some procedure delays, the company said there was no evidence that healthcare customers' networks had been breached.
WHY IT MATTERS
"Early in our investigation, we believed there was no indication of ransomware or malware," Stryker officials said in a new customer update posted on the company's website Monday.
They said that, working with Palo Alto Networks' Unit 42 threat response team, among others, the company has found where the threat actors' disruptive activity was hidden.
"We identified that the threat actor used a malicious file to run commands, which allowed them to hide their activity while in our systems," according to Stryker. "To be clear, this file was not capable of spreading – either inside or outside of our environment."
The company added that the investigation did not find malicious activity directed toward customers, suppliers, vendors and partners.
Stryker posted a general assurance letter affirming that the cyberattack that began on March 11 is contained. Unit 42's letter stated that the investigation did not identify any evidence of unauthorized access to any systems outside of Stryker's.
In the letter, which was also filed with the U.S. Securities and Exchange Commission on Monday, Unit 42 said it had "identified and neutralized suspected malicious binaries and unauthorized persistence mechanisms" and had completed its threat-hunting and forensic analyses.
"As of the date of this letter, within the scope of our services, Unit 42 has not identified evidence of unauthorized activity related to the Security Incident since 2026-03-11," said Stryker officials. "Currently available evidence indicates that the identified unauthorized activity has been contained and the immediate risk to Stryker's operational environment has been mitigated."
With the infrastructure review complete, Unit 42 said it will continue to monitor Stryker's environment as the company rebuilds impacted systems or restores them from backups.
"Those impacted systems not yet rebuilt/restored have been isolated from the network."
THE LARGER TREND
Last week, the U.S. Department of Justice announced multiple court-authorized domain seizures related to hacktivist activity "conducted by the Islamic Republic of Iran's Ministry of Intelligence and Security," including Handala-Hack[.]to and Handala-Redwanted[.]to, allegedly tied to the Stryker cyberattack claimed by Handala.
The incident disrupted certain information systems and business applications supporting Stryker's operations and corporate functions, the company told the SEC in its original March 11 filing.
Last week, Stryker acknowledged that some patients' procedures had to be rescheduled because of the attack.
"Some of our customers who utilize our personalized implants are experiencing some disruptions," Stryker had said.
ON THE RECORD
"There is nothing more important to us than the customers and patients we serve, and we recognize the criticality of every procedure to every patient," said Stryker in the new update. "Manufacturing capability is ramping quickly as critical lines and plants are brought back online, prioritizing patient needs. This is a 24/7 effort and the first priority of our entire organization."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.