On March 11, 2026, Stryker — one of the world’s largest medical technology companies, with operations spanning dozens of countries — confirmed it had been the target of a significant cyberattack. The group responsible, Handala, is widely believed to be a hacktivist operation controlled by Iran’s Ministry of Intelligence and Security (MOIS). The attack disrupted order processing, manufacturing, and shipping across Stryker’s global operations.
It’s a headline that might feel distant from the day-to-day concerns of a small or mid-sized business. But the way this attack happened carries lessons that apply directly to organizations of every size — including yours.
What Actually Happened
When the attack first came to light, Stryker stated there was no evidence of ransomware or traditional malware being deployed on its systems. That initial assessment turned out to be incomplete.
Further investigation — conducted alongside Palo Alto Networks Unit 42 and federal authorities — revealed that the attackers had used a malicious file to run commands on Stryker’s systems while concealing their activity. More significantly, investigators identified the likely entry point: the attackers are believed to have used credentials stolen by infostealer malware to gain access to Stryker’s Microsoft Intune environment.
Microsoft Intune is a cloud-based platform used by organizations to remotely manage and control desktops, laptops, and mobile devices. Once inside that environment, the attackers were able to turn Stryker's own device management tooling against the company, issuing remote wipe commands to systems at scale across the organization.
Stryker has stated that the malicious file found was not capable of spreading inside or outside their environment, and that no malicious activity was directed toward customers, suppliers, vendors, or partners. The company reports meaningful progress in restoring impacted systems and is working with US government agencies in the ongoing investigation.
Why This Matters to Your Business
You may not be a multinational medical technology company, but the attack vectors used against Stryker are not exclusive to large enterprises. In fact, smaller businesses are often more vulnerable because they have fewer layers of protection in place.
Stolen credentials are the front door.
The most likely explanation for how the attackers got in is that credentials were stolen through infostealer malware — software designed to quietly harvest usernames and passwords from compromised devices. This type of malware often arrives through phishing emails, malicious downloads, or compromised websites. Once attackers have working credentials, they don’t need to “hack” anything. They simply log in.
This is why strong, unique passwords and multi-factor authentication (MFA) on every account, and above all on administrative tools, are non-negotiable. A stolen password without MFA is an open door. Keep in mind that infostealers also harvest browser session cookies and tokens, and an attacker who replays a valid session never sees the MFA prompt. So pair MFA with phishing-resistant methods (FIDO2 security keys or passkeys), require sign-ins to come from managed, compliant devices, and revoke active sessions as soon as an infection is found.
Your management tools can be used against you.
Stryker’s own device management platform became the weapon. Microsoft Intune, NinjaRMM, ConnectWise, and similar tools give IT teams broad, powerful access to endpoints across an organization — which is exactly what makes them attractive targets for attackers. If an unauthorized party gains access to these platforms, the damage can be fast, widespread, and difficult to reverse.
This is why access to administrative and management platforms must be tightly controlled, monitored, and protected with the highest levels of authentication available.
Attackers don’t always announce themselves.
In the early stages of the investigation, Stryker found no evidence of malware. The malicious file was only uncovered deeper into the investigation. This is increasingly common with sophisticated attackers — they move quietly, hide their activity, and do their damage before anyone knows they were there. Perimeter defenses alone are not enough. Businesses need the ability to detect unusual activity inside their environment, not just at the gate.
Nation-state tactics are trickling down.
The tools and techniques used by groups like Handala — infostealer malware, credential abuse, living off the land using legitimate software — are not unique to government-sponsored hackers. Cybercriminal groups routinely adopt and adapt the same methods. The sophistication of the threat landscape that enterprise companies face today is the threat landscape that small businesses will face tomorrow.
What You Should Be Doing Now
Is multi-factor authentication enabled across your organization?
Every account, including email, Microsoft 365, remote access tools, and especially any administrative platforms, should require MFA. In a case like this one, that single control makes a stolen password far less useful on its own, provided there are no legacy sign-in paths left open that bypass it.
Who has administrative access to your management tools?
Platforms used to remotely manage devices are high-value targets. Access should be limited to only those who need it, granted through dedicated administrative accounts that are not used for email or day-to-day work, monitored for unusual activity, and protected with the strongest available authentication. Review the list of accounts holding device management roles regularly; stale admin accounts are exactly what stolen credentials unlock.
Do you have visibility into unusual activity on your network?
If an attacker logged into your environment with stolen credentials tonight, would you know? Many businesses would not. Endpoint detection and response (EDR) tools, log monitoring, and security alerting are how organizations catch threats that have already made it past the perimeter.
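The two questions above, who can wipe devices and whether you would notice, can be turned into concrete detection logic. The following is an added example written for this page, not code from Stryker, Microsoft, or Harrison Ward Technology. It runs over constructed sample records whose field names are a simplified, assumed rendering of the Microsoft Graph `deviceManagement/auditEvents` and `auditLogs/signIns` resources (verify the mapping against your own tenant's export), flags any administrator issuing several wipe or retire commands in a short window, flags successful Intune sign-ins by privileged accounts that lacked MFA or came from an unexpected country, and then correlates the two. The account names, countries, and thresholds are assumptions for the example.

```python
"""
Added example: flag bulk remote-wipe activity in Intune audit events and
risky sign-ins by Intune administrators, then correlate the two.

All records below are constructed sample data (not Stryker's logs). The
field names are a simplified, assumed rendering of the Microsoft Graph
deviceManagement/auditEvents and auditLogs/signIns resources; check them
against your own tenant's export before relying on this mapping.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Accounts holding Intune administrative roles (assumed list for the example).
PRIVILEGED_UPNS = {"it-admin@example.com", "helpdesk@example.com"}
# Countries these admins normally sign in from (assumed baseline).
KNOWN_COUNTRIES = {"US"}

# Constructed Intune audit events. The activityType strings are assumed.
AUDIT_EVENTS = [
    {"activityDateTime": "2026-03-09T14:20:00Z", "activityType": "wipe ManagedDevice",
     "actor": {"userPrincipalName": "helpdesk@example.com"}, "resourceDisplayName": "PHONE-0441"},
    {"activityDateTime": "2026-03-10T01:55:00Z", "activityType": "wipe ManagedDevice",
     "actor": {"userPrincipalName": "it-admin@example.com"}, "resourceDisplayName": "LAPTOP-0012"},
    {"activityDateTime": "2026-03-10T01:56:30Z", "activityType": "wipe ManagedDevice",
     "actor": {"userPrincipalName": "it-admin@example.com"}, "resourceDisplayName": "LAPTOP-0013"},
    {"activityDateTime": "2026-03-10T01:57:00Z", "activityType": "wipe ManagedDevice",
     "actor": {"userPrincipalName": "it-admin@example.com"}, "resourceDisplayName": "LAPTOP-0014"},
    {"activityDateTime": "2026-03-10T01:58:00Z", "activityType": "wipe ManagedDevice",
     "actor": {"userPrincipalName": "it-admin@example.com"}, "resourceDisplayName": "LAPTOP-0015"},
    {"activityDateTime": "2026-03-10T02:00:00Z", "activityType": "createOrUpdate DeviceConfiguration",
     "actor": {"userPrincipalName": "it-admin@example.com"}, "resourceDisplayName": "Baseline policy"},
]

# Constructed Entra ID sign-in records for the same accounts.
SIGN_INS = [
    {"createdDateTime": "2026-03-09T13:05:00Z", "userPrincipalName": "helpdesk@example.com",
     "appDisplayName": "Microsoft Intune", "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-10T01:30:00Z", "userPrincipalName": "it-admin@example.com",
     "appDisplayName": "Microsoft Intune", "authenticationRequirement": "singleFactorAuthentication",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 50126}},   # failed attempt
    {"createdDateTime": "2026-03-10T01:40:00Z", "userPrincipalName": "it-admin@example.com",
     "appDisplayName": "Microsoft Intune", "authenticationRequirement": "singleFactorAuthentication",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-10T08:15:00Z", "userPrincipalName": "sales@example.com",
     "appDisplayName": "Office 365", "authenticationRequirement": "multiFactorAuthentication",
     "location": {"countryOrRegion": "DE"}, "status": {"errorCode": 0}},
]

DESTRUCTIVE = ("wipe", "retire")   # action keywords treated as destructive


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; Python < 3.11 does not accept a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_bulk_wipes(events, threshold=3, window_minutes=15):
    """Return one alert per actor whose destructive actions reach `threshold`
    within any `window_minutes` span. A single wipe (normal offboarding) does not fire."""
    per_actor = defaultdict(list)
    for ev in events:
        if any(word in ev["activityType"].lower() for word in DESTRUCTIVE):
            per_actor[ev["actor"]["userPrincipalName"]].append(parse_ts(ev["activityDateTime"]))
    alerts, window = [], timedelta(minutes=window_minutes)
    for actor, times in per_actor.items():
        recent, peak = deque(), 0
        for t in sorted(times):               # sliding window over sorted timestamps
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts.append({"actor": actor, "peak_in_window": peak, "total": len(times)})
    return alerts


def find_risky_privileged_signins(signins, privileged=PRIVILEGED_UPNS, known=KNOWN_COUNTRIES):
    """Flag successful sign-ins by privileged accounts that lacked MFA or came from an unknown country."""
    alerts = []
    for s in signins:
        upn = s["userPrincipalName"]
        if upn not in privileged or s["status"]["errorCode"] != 0:
            continue                          # only successful privileged logins matter here
        reasons = []
        if s["authenticationRequirement"] != "multiFactorAuthentication":
            reasons.append("no MFA")
        country = s["location"]["countryOrRegion"]
        if country not in known:
            reasons.append(f"unexpected country {country}")
        if reasons:
            alerts.append({"actor": upn, "time": s["createdDateTime"], "reasons": reasons})
    return alerts


def correlate(signin_alerts, wipe_alerts):
    """Actors with both a risky sign-in and bulk wipes: the sequence the article describes."""
    return sorted({a["actor"] for a in signin_alerts} & {w["actor"] for w in wipe_alerts})


if __name__ == "__main__":
    wipes = find_bulk_wipes(AUDIT_EVENTS)
    risky = find_risky_privileged_signins(SIGN_INS)
    for w in wipes:
        print(f"BULK WIPE   {w['actor']}: {w['peak_in_window']} destructive actions within 15 min")
    for r in risky:
        print(f"RISKY LOGIN {r['actor']} at {r['time']}: {', '.join(r['reasons'])}")
    for actor in correlate(risky, wipes):
        print(f"HIGH: {actor} had a risky sign-in followed by bulk wipes; disable the account and revoke sessions")
```

In the sample data the helpdesk account's single wipe is ignored as routine offboarding, the failed sign-in is skipped, and only the administrator who logged in without MFA from an unexpected country and then wiped four devices in three minutes is escalated. The thresholds are deliberately low for a small tenant; the point is that wipes are rare, so a burst of them from one account is a signal worth paging on, and the sign-in context tells you whether it is a compromised credential rather than a busy technician.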
Are your employees aware of infostealer risks?
Infostealer malware often arrives through phishing emails, fake software downloads, and malicious browser extensions. Regular employee awareness training reduces the likelihood that a credential-stealing infection takes hold in the first place.
Do you have a response plan?
Stryker had the resources to bring in Palo Alto Networks Unit 42 and work directly with federal agencies. Most small businesses don’t have those relationships established in advance. Knowing who to call, what to do, and how to communicate with clients before an incident happens makes an enormous difference in the outcome.
The Bottom Line
The Stryker attack is a high-profile reminder that sophisticated cyber threats are not hypothetical — they are happening to real organizations right now, with real operational and financial consequences. The methods used were not exotic or unprecedented. They were the same credential-based, management tool-abusing techniques that security professionals have been warning about for years.
The businesses that weather these incidents best are not the ones that never get targeted. They are the ones that have made it harder to get in, faster to detect, and less catastrophic when something does go wrong.
If you have questions about how your business is protected against the threats highlighted in this incident, Harrison Ward Technology is here to help. We can assess your current security posture, review administrative access controls, and ensure the right monitoring is in place — before you need it.
Have questions about your security posture? Contact us today.