Stryker rules out ransomware, confirms threat actor used non-propagating malicious file

Following its recent cybersecurity incident, medical technology giant Stryker said it found no indication of ransomware or malware. As the investigation progressed, alongside Palo Alto Networks’ Unit 42 and other experts, the company determined that the threat actor used a malicious file to execute commands, enabling them to conceal activity within its systems. The file was not capable of spreading, either within or outside the environment.

“Our internal teams continue to work around the clock with external partners to make meaningful progress on our restoration efforts. We are grateful for the partnership and collaboration with government agencies and industry partners,” Stryker wrote in its latest update. “We believe the incident is contained, and we are prioritizing restoration of systems that directly support customers, ordering and shipping. Our internal teams, in partnership with third-party experts, reacted quickly to not only regain access but to remove the unauthorized party from our environment.”

The update noted that, most importantly, the investigation has not identified any malicious activity directed towards customers, suppliers, vendors, or partners. 

Unit 42’s latest findings are included in a General Assurance Letter that reaffirms Stryker’s belief that this incident is contained and that analysis has not identified any evidence of the threat actor accessing customer, supplier, vendor and partner systems as a result of this incident. “There is nothing more important to us than the customers and patients we serve, and we recognize the criticality of every procedure to every patient. We are working closely with our global manufacturing sites as operations continue to stabilize. Manufacturing capability is ramping quickly as critical lines and plants are brought back online, prioritizing patient needs. This is a 24/7 effort and the first priority of our entire organization.”

Stryker had previously mentioned that it is “in close contact with the White House National Cyber Director, FBI, CISA, DHA, HHS and H-ISAC, and appreciate the ongoing support they have been giving us. We’re grateful to the government for their efforts to seize domains linked to the purported threat actors. Protecting the healthcare ecosystem against cyber threats is a priority that requires extensive public-private partnership. True to our commitment to transparency and a collective cyber defense, we are committed to sharing meaningful intelligence that strengthens the resilience of patient care worldwide.”

Earlier this month, a suspected Iran-linked cyberattack disrupted global operations at Stryker, knocking internal systems offline and forcing the company to limit access to parts of its network. The intrusion, claimed by the pro-Iranian hacking persona Handala, is reported to have wiped corporate devices tied to the company’s Microsoft environment, prompting a rapid incident response to contain the breach and restore services. The disruption lands against a backdrop of escalating geopolitical tension following recent U.S. and Israeli strikes in Iran, raising the risk that state-aligned cyber actors may widen retaliatory campaigns to include Western enterprises and critical supply chains.

Resecurity warns that the Iran conflict has rapidly evolved into a multi-domain confrontation where kinetic military operations are tightly integrated with cyber, electronic, and information warfare, marking a shift in how modern conflicts unfold. The analysis highlights sustained missile and drone strikes occurring alongside coordinated cyber campaigns driven by state-linked actors and proxy groups targeting critical infrastructure, enterprises, and government systems. This convergence is expected to persist, with cyber operations increasingly used to disrupt services, gather intelligence, and amplify geopolitical impact, even as physical hostilities continue across the region.
