Stryker Vendor Cyber Rating & Cyber Score

Description: Iranian-Backed Hackers Breach FBI Director’s Personal Email, Leak Private Photos On March 27, 2026, the Iranian-linked hacktivist group Handala Hack Team claimed responsibility for accessing the personal emails of FBI Director Kash Patel, publishing alleged photos and documents as proof. The leaked images dated between 2010 and 2019 depict Patel in personal settings, including vacations and social gatherings. The U.S. Justice Department confirmed the breach, verifying the authenticity of the materials. Handala framed the attack as retaliation for the ongoing U.S.-Iran conflict and the FBI’s $10 million bounty for information on its members. The group boasted of bypassing the FBI’s security systems, though officials clarified that only Patel’s personal Gmail account not government systems was compromised. The incident highlights persistent risks tied to officials using personal emails for professional matters. About Handala Hack Team Active since 2023 and linked to Iran’s Ministry of Intelligence and Security, Handala specializes in disruptive cyberattacks, often targeting Israeli and Western entities. The group has previously breached Lockheed Martin and executed a 200,000-user data wipe at medical tech firm Stryker, leveraging malware designed to delete or expose sensitive data. The breach underscores vulnerabilities in personal email security, even among high-profile officials.

Description: Loblaw Faces Alleged Massive Data Breach as Threat Actor Demands Response A threat actor operating under the handle *"igotafeeling"* on the *DarkWeb Informer* forum has claimed to have breached Loblaw, Canada’s largest food and pharmacy retailer, which owns brands like *President’s Choice, No Frills, Shoppers Drug Mart, Real Canadian Superstore*, and the *PC Optimum* loyalty program. The actor alleges possession of over 1.8 billion records, including: - 75.1 million Salesforce customer records (names, emails, phone numbers, addresses, loyalty IDs, and health card numbers) - 724.9 million Shoppers Drug Mart records (passwords, tokens, loyalty IDs, payment details, and full credit card numbers with expiry dates) - 129.9 million pharmacy fill requests (prescription numbers and patient IDs) - 120.4 million e-commerce fraud-feed records (payment card BINs, last-four digits, and expiry dates) - 20.2 million Delivery Ops Portal records (orders, deliveries, and postal codes) - 3,014 GitLab projects containing Loblaw’s full source code - 19.3 million Oracle identity records (MFA device details and credentials) - 55.3 million marketing and email records across 673 tables The threat actor has given Loblaw until March 19 to respond, accusing the company of *"ghosting"* them and dismissing customer and investor concerns. They have also invited media organizations to verify the data’s authenticity. In response, Loblaw issued a March 12 press release, labeling the incident a *"low-level data breach"* and stating that only *"basic customer information"* (names, phone numbers, and emails) may have been accessed. The company explicitly denied evidence of financial or credit card data compromise directly contradicting the threat actor’s claims. While the breach remains unverified, the scale of the alleged exposure if confirmed would rank among the largest in Canadian history. The situation mirrors past high-profile breaches (e.g., *T-Mobile, Equifax, Capital One*), where initial corporate statements downplayed impact before later revelations proved otherwise. Loblaw customers with *PC Optimum accounts, Shoppers Drug Mart loyalty cards, or prescription histories* may be affected if the claims hold true. The deadline for Loblaw’s response is six days away.

Description: Stryker Hit by Global Cyberattack Disrupting Medical Technology Services On March 11, Stryker, a leading medical technology provider serving hospitals worldwide, confirmed a global cyberattack that disrupted its operations. The company reported that its Microsoft environment was compromised but found no evidence of ransomware or malware. Stryker stated the incident had been contained. John Riggi, the American Hospital Association’s (AHA) national advisor for cybersecurity and risk, acknowledged the attack, noting ongoing collaboration with hospitals and federal agencies to assess the threat’s scope. While no direct disruptions to U.S. hospital operations have been reported, Riggi warned that impacts could emerge as hospitals evaluate Stryker’s services, technology, and supply chain particularly if the disruption persists. The incident highlights the vulnerability of critical healthcare infrastructure to cyber threats, even in the absence of traditional ransomware tactics. Further details on the attack’s origin and full impact remain under investigation.

Description: Stryker Hit by Destructive Cyberattack Linked to Iranian-Backed Group A global medical technology firm, Stryker, suffered a devastating wiper cyberattack on Wednesday, suspected to be orchestrated by Handala Hack, a group with ties to the Iranian regime. The attack targeted the company’s Cork, Ireland headquarters, where up to 5,000 employees including 4,000 in Cork are based, crippling critical IT systems and manufacturing operations. The National Cyber Security Centre (NCSC) in Dublin is responding to the incident, which involved the permanent deletion of data from infected systems a hallmark of wiper attacks, typically politically motivated rather than financially driven. Devices connected to Stryker’s network, including employee phones with Outlook installed, were wiped, and login screens were defaced with the Handala logo, a symbol of Palestinian resistance. The attack has disrupted production of Stryker’s medical devices, with some manufacturing machines still operational but their long-term functionality uncertain. Staff were instructed to avoid connecting to the company’s network via any device, including mobile apps like Microsoft Teams and Outlook, while recovery efforts continue. Employees have been sent home, relying on WhatsApp groups for updates. Stryker, which operates six manufacturing sites and three innovation centers in Ireland, is one of the country’s largest medical tech employers. The company confirmed the incident in a staff memo, stating that security experts and law enforcement are involved in the response, emphasizing that sites and personnel remain safe while efforts focus on restoring systems. Handala Hack, linked to Iran’s cyber warfare campaigns, has recently targeted Israeli, Jordanian, and Saudi oil and gas facilities, as well as the Academy of the Hebrew Language, according to Israeli media. The Israeli National Cyber Directorate has warned of a surge in Iranian cyberattacks against civilian companies, suggesting Stryker may have been targeted due to its business ties with Israel. The attack underscores Iran’s expanding cyber-economic warfare, extending beyond regional conflicts to global operations. With Ireland serving as Stryker’s largest hub outside the U.S., the incident highlights the growing threat of state-backed cyber sabotage in critical industries.

Description: Iranian-Linked Pay2Key Ransomware Targets U.S. Healthcare Organization Amid Rising Cyber Conflict In late February, an unnamed U.S. healthcare organization fell victim to a ransomware attack by Pay2Key, a strain linked to Iranian state-affiliated cyber actors. The incident, investigated by Beazley Security and Halcyon Ransomware Research Center, revealed significant upgrades to the ransomware, making it harder to detect and more destructive. Unlike typical financially motivated attacks, this intrusion showed no evidence of data exfiltration a departure from previous Pay2Key operations, which U.S. intelligence agencies had tied to espionage. Researchers noted the group’s activity surged following recent U.S.-Iran military tensions, suggesting motivations beyond profit, including strategic disruption. The attackers compromised an administrative account days before deploying the ransomware, then attempted to erase logs to cover their tracks. Cynthia Kaiser, Halcyon’s senior vice president and former FBI Cyber Division official, questioned whether the attack was timed to exploit geopolitical chaos, emphasizing the group’s dual role as both a state-aligned actor and a ransomware-as-a-service (RaaS) operator. Pay2Key has undergone significant shifts in recent months. In mid-2025, the group marketed itself on Russian cybercriminal forums, briefly offering to sell its operations for 0.15 BTC while recruiting affiliates with an 80% ransom split up from 70%. Despite internal upheaval, the group remains active, with Morphisec tracking $4 million in ransom payments over four months and a total of $8 million from 170 victims since then. First identified in 2020, Pay2Key has targeted organizations in the U.S., Israel, Azerbaijan, and the UAE, with ransom payments traced to Excoino, an Iranian cryptocurrency exchange requiring national ID verification. A 2024 U.S. advisory highlighted its coordination with other ransomware gangs, reinforcing its ties to Iranian government operations. The healthcare attack preceded a high-profile wiper attack on Stryker, a U.S. medical device company, claimed by the Iranian group Handala, which wiped 200,000 devices. Kaiser warned that unreported Iranian cyberattacks are likely ongoing, with a mix of ransomware, wiper malware, and critical infrastructure targeting expected as tensions persist.

Description: Stryker Cyberattack Disrupts Global Medical Equipment Operations U.S.-based medical technology giant Stryker confirmed that a cyberattack disrupted its global networks, impacting operations across its systems. The incident, disclosed in recent reports, highlights growing cybersecurity threats targeting critical healthcare infrastructure. Stryker, a leading manufacturer of surgical equipment, implants, and medical devices, has not released details on the nature of the attack, its origin, or whether ransomware or data exfiltration was involved. The company has not specified the duration of the disruption or the extent of the operational impact, though such incidents often lead to delays in production, supply chain interruptions, and potential risks to patient care. The attack underscores the vulnerability of healthcare and medical device companies to cyber threats, which have increasingly become high-value targets for malicious actors. No further updates on recovery efforts or regulatory responses have been provided at this time.

Description: Stryker Hit by Suspected Iran-Linked Cyberattack, Causing Global Outages Medical technology giant Stryker suffered a global system outage on March 10, 2025, following a suspected cyberattack linked to an Iran-backed hacking group. The incident began shortly after midnight on the U.S. East Coast, disrupting operations across the company’s network. According to reports, remote devices running Microsoft Windows including laptops and mobile devices connected to Stryker’s systems were wiped, rendering them inoperable. Employees and contractors reported seeing the logo of Handala, a pro-Palestinian hacking group with alleged ties to Iran, on login screens, though Reuters could not independently verify the claim. The attack triggered a 3% drop in Stryker’s stock price after *The Wall Street Journal* first reported the breach. The company has not yet issued an official response to requests for comment. Stryker, a major supplier of medical equipment, operates globally, with facilities including a plant in Carrigtwohill, Ireland. The full extent of the disruption and potential data compromise remains unclear.

Description: Pro-Iranian Hackers Claim Breach of FBI Director’s Personal Account A pro-Iranian hacking group, Handala, announced on Friday that it had compromised an account belonging to FBI Director Kash Patel, releasing decades-old personal photographs, a resume, and other documents online. The group, which has ties to Iran and Palestine, posted a statement alongside the materials, taunting Patel and declaring him among their "successfully hacked victims." The leaked files including images of Patel with a vintage sports car and a cigar appear to date back over a decade, primarily involving personal travel and business records. The FBI confirmed awareness of the incident, stating that the exposed data was historical and contained no classified or government information. The bureau added that it had taken steps to mitigate risks from the breach. The timing of the hack remains unclear, though reports from December 2024 indicated Patel had been previously warned by the FBI about Iranian targeting efforts. Handala, which has escalated its cyber operations in recent months, recently claimed responsibility for disrupting systems at Stryker, a Michigan-based medical technology firm, in retaliation for alleged U.S. airstrikes linked to Iranian civilian casualties. The group has been a persistent threat, with the U.S. Justice Department seizing four web domains tied to its operations last week as part of efforts to counter Iranian cyber campaigns. The Trump administration has also offered a $10 million reward for information leading to the identification of Handala members. The incident underscores the growing role of proxy hacking groups in Iran’s broader cyber conflict with Western targets.

Description: The Vermont Office of the Attorney General reported that Stryker Corporation experienced a cybersecurity incident on June 10, 2024. The breach involved unauthorized access to Stryker internal systems between May 14, 2024, and June 10, 2024, affecting an unspecified number of individuals and potentially compromising personal information including names. A notification letter was included with the report.

Description: Iranian Threat Actor Handala Hack Launches Destructive Cyberattacks Across Israel, Albania, and the U.S. A cyber threat group linked to Iran’s Ministry of Intelligence and Security (MOIS), known as Handala Hack (also tracked as Void Manticore, Red Sandstorm, and Banished Kitten), has executed a series of data-destructive attacks targeting organizations in Israel, Albania, and the United States. Unlike traditional espionage-focused operations, the group’s campaigns are designed to permanently erase data, making recovery nearly impossible. Active since late 2023, Handala Hack operates under multiple public-facing personas, including Homeland Justice (used since mid-2022 against Albanian government and telecom sectors) and Karma (now largely replaced by Handala). Recent attacks expanded to the U.S., with medical technology firm Stryker among the confirmed victims. ### Attack Methods and Evolution Check Point researchers identified consistent yet evolving tactics in the group’s operations. While core techniques such as compromised VPN credentials, RDP exploitation, and simultaneous wiper deployments have remained stable since 2024, newer campaigns incorporate: - NetBird, a legitimate peer-to-peer networking tool, to tunnel traffic within victim networks. - An AI-assisted PowerShell script as part of its wiping toolkit. - A decline in operational security, with attacks traced directly to Iranian IP addresses instead of commercial VPNs. ### Multi-Layered Destruction Handala Hack’s destructive phase employs four simultaneous wiping techniques to maximize damage: 1. Handala Wiper – A custom tool distributed via Group Policy logon scripts (`handala.bat`), overwriting files and corrupting Master Boot Records (MBR). The executable runs remotely from domain controllers, evading detection. 2. AI-PowerShell Wiper – Deletes user directory files and floods drives with a propaganda image (`handala.gif`). 3. VeraCrypt Abuse – Legitimate encryption software is downloaded via the victim’s browser to lock drives and prevent recovery. 4. Manual Deletion – Attackers delete virtual machines and files over RDP, a tactic documented in leaked videos. ### Tactical Execution Intrusions typically begin with compromised VPN credentials, obtained through brute-force attacks or supply chain breaches. Once inside, operators use RDP to navigate manually, deploying multiple attacker-controlled machines within a single environment to accelerate destruction. The group’s lack of operational discipline including direct use of Iranian IPs has made attribution easier. The attacks reflect a shift from espionage to pure sabotage, with no financial or intelligence-gathering motives. Instead, the focus is on maximizing disruption across critical sectors.

Description: Stryker Hit by Cyberattack Claimed by Pro-Iran Hacking Group Handala Medical technology firm Stryker, a leading manufacturer of surgical tools and medical implants based in Kalamazoo, Michigan, confirmed a cyberattack on Wednesday that disrupted its global Microsoft environment. The company stated it had no evidence of ransomware or malware and believed the incident was contained, though it is still assessing the impact. Continuity measures remain in place to support customers and partners. The pro-Iran hacking group Handala claimed responsibility for the attack, alleging it wiped over 200,000 systems, servers, and mobile devices and exfiltrated 50 terabytes of critical data. The group cited retaliation for the ongoing regional conflict and a February 28 airstrike on a girls' elementary school in Minab, Iran, which killed 168 people, as motivations. While the attack’s origins remain unconfirmed, U.S. military operations were reported near the site. Stryker has not disclosed further details, and U.S. officials have not commented on the incident. The investigation is ongoing.

Description: Iran-Linked Hackers Leak FBI Director Kash Patel’s Personal Emails in Cyber Espionage Campaign On March 27, 2026, the Iran-backed hacking group Handala Hack Team publicly released a trove of personal emails belonging to FBI Director Kash Patel, marking a high-profile breach in a series of cyber operations attributed to Iranian state-linked actors. The leaked correspondence, spanning from 2010 to 2019, includes a mix of personal and professional communications tied to Patel’s Gmail account, which had been previously exposed in other data breaches. Western cybersecurity researchers identify Handala as one of several personas used by Iranian government cyberintelligence units, which have recently escalated attacks on Western targets. Earlier this year, the group claimed responsibility for hacking Stryker, a U.S. medical devices manufacturer, further demonstrating its focus on high-value entities. The hackers published photographs of Patel alongside the leaked documents, declaring him among their "successfully hacked victims." A U.S. Justice Department official confirmed the breach, stating that the released material appeared authentic. While the full extent of the compromise remains unclear, the incident underscores the persistent threat posed by state-sponsored cyber espionage, particularly from Iranian-linked groups targeting U.S. officials and critical infrastructure.