Stryker Vendor Cyber Rating & Cyber Score

stryker.com
ISOSOC2 Type 1SOC2 Type 2PCI DSSHIPAAGDPR

Stryker is a global leader in medical technologies and, together with our customers, we are driven to make healthcare better. We offer innovative products and services in MedSurg, Neurotechnology and Orthopaedics that help improve patient and healthcare outcomes. Alongside its customers around the world, Stryker impacts more than 150 million patients annually. More information is available at stryker.com and careers.stryker.com. Facts: ● 2024 Sales: $22.6 billion ● Industry: Medical Instruments & Supplies ● Employees: 53,000 worldwide ● 40 years of sales growth leading up to 2020 ● 44+ Manufacturing and R&D Locations Worldwide ● $1.5 billion spent on research and development in 2024 ● ~14,200 patents owned globally in 2024 ● Products sold in ~75 countries ● Fortune 500 Company ● 7 consecutive years as one of Fortune's World's Best Workplaces Stryker’s social media community guidelines: https://www.stryker.com/content/m/legal/social-media-community-guidelines/en/index.html Notice Regarding Employee Conduct on Facebook/LinkedIn Meta/LinkedIn does not permit employers to verify or validate “employees” in the (META: “Works at” LinkedIn: “Experience”) section of users’ profiles. Please be aware that the views expressed by individuals on their personal accounts and do not necessarily represent the views of our company. If you encounter any issues with a person claiming to be our employee, we recommend using the “Report Profile” feature. If you’d like to report concerns to our Ethics Hotline, you may do so at: https://app.convercent.com/en-us/LandingPage/b6bb4e84-9fcb-ea11-a974-000d3ab9f296

Stryker A.I CyberSecurity Scoring

Stryker

Company Details

Linkedin ID:

stryker

Website:

http://www.stryker.com

Employees number:

50,225

Number of followers:

1,694,532

NAICS:

3391

Industry Type:

Medical Equipment Manufacturing

Homepage:

stryker.com

IP Addresses:

310

Company ID:

STR_3135691

Scan Status:

In-progress

AI scoreStryker Risk Score (AI oriented)

Between 650 and 699

https://images.rankiteo.com/companyimages/stryker.jpeg
Stryker Medical Equipment Manufacturing
Updated:
  • Powered by our proprietary A.I cyber incident model
  • Insurance preferes TPRM score to calculate premium
Get a Score Increase
globalscoreStryker Global Score (TPRM)

XXXX

https://images.rankiteo.com/companyimages/stryker.jpeg
Stryker Medical Equipment Manufacturing
  • Instant access to detailed risk factors
  • Benchmark vs. industry & size peers
  • Vulnerabilities
  • Findings

Stryker

Weak
Current Score
667
B (Weak)
01000
12 incidents
-29.25 avg impact

Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.

APRIL 2026
667
MARCH 2026
677
Cyber Attack
27 Mar 2026 • Stryker and U.S. Justice Department: FBI director emails breached by Iran-linked hackers — what happened and how to protect yourself
Iranian-Backed Hackers Breach FBI Director’s Personal Email, Leak Private Photos

**Iranian-Backed Hackers Breach FBI Director’s Personal Email, Leak Private Photos** On March 27, 2026, the Iranian-linked hacktivist group **Handala Hack Team** claimed responsibility for accessing the personal emails of **FBI Director Kash Patel**, publishing alleged photos and documents as proof. The leaked images dated between 2010 and 2019 depict Patel in personal settings, including vacations and social gatherings. The U.S. Justice Department confirmed the breach, verifying the authenticity of the materials. Handala framed the attack as retaliation for the ongoing **U.S.-Iran conflict** and the FBI’s **$10 million bounty** for information on its members. The group boasted of bypassing the FBI’s security systems, though officials clarified that **only Patel’s personal Gmail account** not government systems was compromised. The incident highlights persistent risks tied to officials using personal emails for professional matters. **About Handala Hack Team** Active since 2023 and linked to **Iran’s Ministry of Intelligence and Security**, Handala specializes in **disruptive cyberattacks**, often targeting Israeli and Western entities. The group has previously breached **Lockheed Martin** and executed a **200,000-user data wipe** at medical tech firm **Stryker**, leveraging malware designed to delete or expose sensitive data. The breach underscores vulnerabilities in personal email security, even among high-profile officials.

666
critical -11
CRISTR1774636436
Incident Details -
Type
Data Breach
Attack Vector
Personal Email Compromise
Motivation
Retaliation for U.S.-Iran conflict Response to FBI's $10 million bounty
Impact
Data Compromised: Personal photos and documents Systems Affected: Personal Gmail account Brand Reputation Impact: High (FBI Director's personal data exposed) Identity Theft Risk: High (personal photos and documents exposed)
Response
Law Enforcement Notified: U.S. Justice Department confirmed the breach
Data Breach
Type Of Data Compromised: Personal photos and documents Sensitivity Of Data: High (personal and potentially sensitive images) Data Exfiltration: Yes (leaked publicly) Images Documents Personally Identifiable Information: Yes (personal photos, potential metadata)
Lessons Learned
Highlights risks of high-profile officials using personal emails for professional matters and the need for enhanced personal email security.
Recommendations
Implement stricter personal email security protocols for government officials, including multi-factor authentication and regular security audits.
Investigation Status
['Confirmed by U.S. Justice Department']
Initial Access Broker
Entry Point: Personal Gmail account High Value Targets: FBI Director
Post Incident Analysis
Root Causes: Lack of robust personal email security for high-profile officials Corrective Actions: Enhance personal email security measures for government officials
References
Blog URL Source URL
MARCH 2026
737
Breach
13 Mar 2026 • Shoppers Drug Mart, President’s Choice, Loblaw, No Frills and PC Optimum: “Threat Actor” on the dark web claims Loblaw’s “low-level” data breach is a much larger threat
Alleged Massive Data Breach at Loblaw

**Loblaw Faces Alleged Massive Data Breach as Threat Actor Demands Response** A threat actor operating under the handle *"igotafeeling"* on the *DarkWeb Informer* forum has claimed to have breached **Loblaw**, Canada’s largest food and pharmacy retailer, which owns brands like *President’s Choice, No Frills, Shoppers Drug Mart, Real Canadian Superstore*, and the *PC Optimum* loyalty program. The actor alleges possession of **over 1.8 billion records**, including: - **75.1 million Salesforce customer records** (names, emails, phone numbers, addresses, loyalty IDs, and health card numbers) - **724.9 million Shoppers Drug Mart records** (passwords, tokens, loyalty IDs, payment details, and full credit card numbers with expiry dates) - **129.9 million pharmacy fill requests** (prescription numbers and patient IDs) - **120.4 million e-commerce fraud-feed records** (payment card BINs, last-four digits, and expiry dates) - **20.2 million Delivery Ops Portal records** (orders, deliveries, and postal codes) - **3,014 GitLab projects** containing Loblaw’s full source code - **19.3 million Oracle identity records** (MFA device details and credentials) - **55.3 million marketing and email records** across 673 tables The threat actor has given Loblaw until **March 19** to respond, accusing the company of *"ghosting"* them and dismissing customer and investor concerns. They have also invited media organizations to verify the data’s authenticity. In response, Loblaw issued a **March 12 press release**, labeling the incident a *"low-level data breach"* and stating that only *"basic customer information"* (names, phone numbers, and emails) may have been accessed. The company explicitly denied evidence of financial or credit card data compromise directly contradicting the threat actor’s claims. While the breach remains **unverified**, the scale of the alleged exposure if confirmed would rank among the largest in Canadian history. The situation mirrors past high-profile breaches (e.g., *T-Mobile, Equifax, Capital One*), where initial corporate statements downplayed impact before later revelations proved otherwise. Loblaw customers with *PC Optimum accounts, Shoppers Drug Mart loyalty cards, or prescription histories* may be affected if the claims hold true. The deadline for Loblaw’s response is **six days away**.

675
critical -62
NO-SHOPRELOB1773534483
Incident Details -
Type
Data Breach
Motivation
Extortion (response demanded by March 19)
Impact
Data Compromised: Over 1.8 billion records allegedly exposed Salesforce Shoppers Drug Mart systems GitLab projects Oracle identity systems E-commerce platforms Brand Reputation Impact: Potential significant impact if claims are verified Identity Theft Risk: High (health card numbers, prescription IDs, PII) Payment Information Risk: High (full credit card numbers with expiry dates)
Response
Communication Strategy: Press release downplaying the breach and denying financial data compromise
Data Breach
Customer records (names, emails, phone numbers, addresses, loyalty IDs) Health card numbers Pharmacy fill requests (prescription numbers, patient IDs) Payment details (full credit card numbers with expiry dates, BINs, last-four digits) Source code (GitLab projects) MFA device details and credentials (Oracle identity records) Marketing and email records Number Of Records Exposed: 1.8 billion (alleged) Sensitivity Of Data: High (PII, financial data, health information, source code) Data Exfiltration: Alleged (data sold on dark web if claims are true) Personally Identifiable Information: Yes (names, emails, phone numbers, addresses, health card numbers, prescription IDs)
Investigation Status
Unverified (allegations under scrutiny)
Customer Advisories
Loblaw customers with PC Optimum accounts, Shoppers Drug Mart loyalty cards, or prescription histories advised to monitor for potential fraud
Initial Access Broker
Data Sold On Dark Web: Alleged (if claims are verified)
References
Blog URL Source URL
MARCH 2026
759
Cyber Attack
11 Mar 2026 • Stryker: Cork-based Stryker hit with cyber attack linked to Iranian-backed group
Stryker Hit by Destructive Cyberattack Linked to Iranian-Backed Group

**Stryker Hit by Destructive Cyberattack Linked to Iranian-Backed Group** A global medical technology firm, **Stryker**, suffered a devastating **wiper cyberattack** on **Wednesday**, suspected to be orchestrated by **Handala Hack**, a group with ties to the **Iranian regime**. The attack targeted the company’s **Cork, Ireland headquarters**, where up to **5,000 employees** including **4,000 in Cork** are based, crippling critical IT systems and manufacturing operations. The **National Cyber Security Centre (NCSC) in Dublin** is responding to the incident, which involved the **permanent deletion of data** from infected systems a hallmark of wiper attacks, typically politically motivated rather than financially driven. Devices connected to Stryker’s network, including employee phones with **Outlook installed**, were wiped, and login screens were defaced with the **Handala logo**, a symbol of Palestinian resistance. The attack has **disrupted production** of Stryker’s medical devices, with some manufacturing machines still operational but their long-term functionality uncertain. Staff were instructed to **avoid connecting to the company’s network** via any device, including mobile apps like **Microsoft Teams and Outlook**, while recovery efforts continue. Employees have been sent home, relying on **WhatsApp groups** for updates. Stryker, which operates **six manufacturing sites and three innovation centers** in Ireland, is one of the country’s largest medical tech employers. The company confirmed the incident in a staff memo, stating that **security experts and law enforcement** are involved in the response, emphasizing that **sites and personnel remain safe** while efforts focus on restoring systems. **Handala Hack**, linked to Iran’s cyber warfare campaigns, has recently targeted **Israeli, Jordanian, and Saudi oil and gas facilities**, as well as the **Academy of the Hebrew Language**, according to Israeli media. The **Israeli National Cyber Directorate** has warned of a surge in Iranian cyberattacks against civilian companies, suggesting Stryker may have been targeted due to its **business ties with Israel**. The attack underscores Iran’s expanding **cyber-economic warfare**, extending beyond regional conflicts to global operations. With Ireland serving as Stryker’s **largest hub outside the U.S.**, the incident highlights the growing threat of **state-backed cyber sabotage** in critical industries.

737
critical -22
STR1773240573
Incident Details -
Type
Wiper Attack
Motivation
Politically motivated (suspected state-backed cyber sabotage)
Impact
Data Compromised: Permanent deletion of data from infected systems Systems Affected: IT systems, manufacturing operations, employee devices (Outlook, Microsoft Teams) Operational Impact: Disrupted production of medical devices, employees sent home, reliance on WhatsApp for updates
Response
Third Party Assistance: Security experts Containment Measures: Employees instructed to avoid connecting to the company’s network via any device Remediation Measures: Restoring systems Communication Strategy: Staff memo, WhatsApp groups for updates
Data Breach
Type Of Data Compromised: System data (permanently deleted)
Regulatory Compliance
Regulatory Notifications: National Cyber Security Centre (NCSC) in Dublin
Investigation Status
['Ongoing']
Stakeholder Advisories
Sites and personnel remain safe; focus on restoring systems
References
Blog URL Source URL
Cyber Attack
11 Mar 2026 • Stryker: Medical technology company Stryker disrupted globally by cyberattack
Stryker Hit by Global Cyberattack Disrupting Medical Technology Services

**Stryker Hit by Global Cyberattack Disrupting Medical Technology Services** On March 11, Stryker, a leading medical technology provider serving hospitals worldwide, confirmed a global cyberattack that disrupted its operations. The company reported that its Microsoft environment was compromised but found no evidence of ransomware or malware. Stryker stated the incident had been contained. John Riggi, the American Hospital Association’s (AHA) national advisor for cybersecurity and risk, acknowledged the attack, noting ongoing collaboration with hospitals and federal agencies to assess the threat’s scope. While no direct disruptions to U.S. hospital operations have been reported, Riggi warned that impacts could emerge as hospitals evaluate Stryker’s services, technology, and supply chain particularly if the disruption persists. The incident highlights the vulnerability of critical healthcare infrastructure to cyber threats, even in the absence of traditional ransomware tactics. Further details on the attack’s origin and full impact remain under investigation.

737
critical -22
STR1773354343
Incident Details -
Type
Cyberattack
Impact
Systems Affected: Microsoft environment Operational Impact: Disrupted operations
Response
Containment Measures: Incident contained
Investigation Status
['Ongoing']
Stakeholder Advisories
Collaboration with hospitals and federal agencies to assess the threat’s scope
References
Blog URL Source URL
FEBRUARY 2026
779
Cyber Attack
01 Feb 2026 • Stryker: Iran-linked ransomware gang targeted US healthcare org amid military conflict
Iranian-Linked Pay2Key Ransomware Targets U.S. Healthcare Organization

**Iranian-Linked Pay2Key Ransomware Targets U.S. Healthcare Organization Amid Rising Cyber Conflict** In late February, an unnamed U.S. healthcare organization fell victim to a ransomware attack by **Pay2Key**, a strain linked to Iranian state-affiliated cyber actors. The incident, investigated by **Beazley Security** and **Halcyon Ransomware Research Center**, revealed significant upgrades to the ransomware, making it harder to detect and more destructive. Unlike typical financially motivated attacks, this intrusion showed no evidence of data exfiltration a departure from previous Pay2Key operations, which U.S. intelligence agencies had tied to espionage. Researchers noted the group’s activity surged following recent **U.S.-Iran military tensions**, suggesting motivations beyond profit, including **strategic disruption**. The attackers compromised an administrative account days before deploying the ransomware, then attempted to erase logs to cover their tracks. **Cynthia Kaiser**, Halcyon’s senior vice president and former FBI Cyber Division official, questioned whether the attack was timed to exploit geopolitical chaos, emphasizing the group’s dual role as both a **state-aligned actor** and a **ransomware-as-a-service (RaaS) operator**. Pay2Key has undergone significant shifts in recent months. In mid-2025, the group marketed itself on **Russian cybercriminal forums**, briefly offering to sell its operations for **0.15 BTC** while recruiting affiliates with an **80% ransom split** up from 70%. Despite internal upheaval, the group remains active, with **Morphisec tracking $4 million in ransom payments over four months** and a total of **$8 million from 170 victims** since then. First identified in **2020**, Pay2Key has targeted organizations in the **U.S., Israel, Azerbaijan, and the UAE**, with ransom payments traced to **Excoino**, an Iranian cryptocurrency exchange requiring national ID verification. A **2024 U.S. advisory** highlighted its coordination with other ransomware gangs, reinforcing its ties to **Iranian government operations**. The healthcare attack preceded a high-profile **wiper attack on Stryker**, a U.S. medical device company, claimed by the Iranian group **Handala**, which wiped **200,000 devices**. Kaiser warned that **unreported Iranian cyberattacks are likely ongoing**, with a mix of **ransomware, wiper malware, and critical infrastructure targeting** expected as tensions persist.

757
critical -22
STR1774369485
Incident Details -
Type
Ransomware
Attack Vector
Compromised administrative account
Motivation
Strategic disruption Geopolitical tensions
Impact
Operational Impact: Disruption of healthcare services
Response
Beazley Security Halcyon Ransomware Research Center
Data Breach
Data Exfiltration: No evidence of data exfiltration Data Encryption: Yes
Lessons Learned
The attack highlights the dual role of state-aligned ransomware groups in both financial extortion and geopolitical disruption. Organizations must account for evolving tactics, including log erasure and timing attacks to exploit chaos.
Recommendations
Enhance monitoring for administrative account compromises Prepare for ransomware attacks with no data exfiltration but destructive encryption Account for geopolitical risks in cybersecurity planning Collaborate with third-party threat intelligence providers
Investigation Status
['Ongoing']
Stakeholder Advisories
Cynthia Kaiser (Halcyon) warned of unreported Iranian cyberattacks and the mix of ransomware, wiper malware, and critical infrastructure targeting.
Initial Access Broker
Entry Point: Compromised administrative account Reconnaissance Period: Days before ransomware deployment
Post Incident Analysis
Compromised administrative account Lack of detection for upgraded ransomware strain Geopolitical timing to exploit chaos Improve administrative account security Enhance detection for ransomware upgrades Monitor for geopolitically motivated attacks
References
Blog URL Source URL
Cyber Attack
01 Feb 2026 • Stryker: U.S. medical equipment company Stryker says cyberattack disrupted its global networks
Stryker Cyberattack Disrupts Global Medical Equipment Operations

**Stryker Cyberattack Disrupts Global Medical Equipment Operations** U.S.-based medical technology giant **Stryker** confirmed that a **cyberattack** disrupted its global networks, impacting operations across its systems. The incident, disclosed in recent reports, highlights growing cybersecurity threats targeting critical healthcare infrastructure. Stryker, a leading manufacturer of surgical equipment, implants, and medical devices, has not released details on the nature of the attack, its origin, or whether ransomware or data exfiltration was involved. The company has not specified the duration of the disruption or the extent of the operational impact, though such incidents often lead to delays in production, supply chain interruptions, and potential risks to patient care. The attack underscores the vulnerability of healthcare and medical device companies to cyber threats, which have increasingly become high-value targets for malicious actors. No further updates on recovery efforts or regulatory responses have been provided at this time.

757
critical -22
STR1773260617
Incident Details -
Type
cyberattack
Impact
Systems Affected: global networks Operational Impact: delays in production, supply chain interruptions, potential risks to patient care
References
Blog URL Source URL
JANUARY 2026
779
DECEMBER 2025
778
NOVEMBER 2025
777
OCTOBER 2025
776
SEPTEMBER 2025
774
AUGUST 2025
773
JULY 2025
772
JUNE 2025
770
MAY 2025
769
MARCH 2025
777
Cyber Attack
28 Mar 2025 • Stryker: Stryker shares fall after report on suspected Iran-linked cyberattack
Stryker Hit by Suspected Iran-Linked Cyberattack, Causing Global Outages

**Stryker Hit by Suspected Iran-Linked Cyberattack, Causing Global Outages** Medical technology giant **Stryker** suffered a **global system outage** on **March 10, 2025**, following a suspected **cyberattack linked to an Iran-backed hacking group**. The incident began **shortly after midnight on the U.S. East Coast**, disrupting operations across the company’s network. According to reports, **remote devices running Microsoft Windows** including laptops and mobile devices connected to Stryker’s systems were **wiped**, rendering them inoperable. Employees and contractors reported seeing the **logo of Handala**, a **pro-Palestinian hacking group with alleged ties to Iran**, on login screens, though Reuters could not independently verify the claim. The attack triggered a **3% drop in Stryker’s stock price** after *The Wall Street Journal* first reported the breach. The company has not yet issued an official response to requests for comment. Stryker, a major supplier of medical equipment, operates globally, with facilities including a plant in **Carrigtwohill, Ireland**. The full extent of the disruption and potential data compromise remains unclear.

766
critical -11
STR1773246684
Incident Details -
Type
Cyberattack
Attack Vector
Unknown
Motivation
Political (pro-Palestinian)
Impact
Systems Affected: Remote devices running Microsoft Windows (laptops, mobile devices) Downtime: Global system outage Operational Impact: Disrupted operations across the company’s network Brand Reputation Impact: 3% drop in stock price
Investigation Status
['Ongoing']
References
Blog URL Source URL
DECEMBER 2024
783
Cyber Attack
05 Dec 2024 • Stryker and Federal Bureau of Investigation: Pro-Iranian group claims credit for hacking into FBI Director Patel's personal account
Pro-Iranian Hackers Claim Breach of FBI Director’s Personal Account

**Pro-Iranian Hackers Claim Breach of FBI Director’s Personal Account** A pro-Iranian hacking group, **Handala**, announced on Friday that it had compromised an account belonging to **FBI Director Kash Patel**, releasing decades-old personal photographs, a resume, and other documents online. The group, which has ties to Iran and Palestine, posted a statement alongside the materials, taunting Patel and declaring him among their "successfully hacked victims." The leaked files including images of Patel with a vintage sports car and a cigar appear to date back over a decade, primarily involving personal travel and business records. The **FBI confirmed** awareness of the incident, stating that the exposed data was historical and contained no classified or government information. The bureau added that it had taken steps to mitigate risks from the breach. The timing of the hack remains unclear, though reports from **December 2024** indicated Patel had been previously warned by the FBI about Iranian targeting efforts. Handala, which has escalated its cyber operations in recent months, recently claimed responsibility for disrupting systems at **Stryker**, a Michigan-based medical technology firm, in retaliation for alleged U.S. airstrikes linked to Iranian civilian casualties. The group has been a persistent threat, with the **U.S. Justice Department** seizing four web domains tied to its operations last week as part of efforts to counter Iranian cyber campaigns. The **Trump administration** has also offered a **$10 million reward** for information leading to the identification of Handala members. The incident underscores the growing role of proxy hacking groups in Iran’s broader cyber conflict with Western targets.

772
critical -11
STRFBI1774644063
Incident Details -
Type
Data Breach
Motivation
Retaliation for alleged U.S. airstrikes linked to Iranian civilian casualties, cyber conflict with Western targets
Impact
Data Compromised: Personal photographs, resume, and other personal documents Brand Reputation Impact: Potential reputational harm to FBI Director Identity Theft Risk: Possible risk due to exposure of personal documents
Response
Incident Response Plan Activated: Yes Containment Measures: Steps taken to mitigate risks from the breach Communication Strategy: FBI issued a public statement
Data Breach
Type Of Data Compromised: Personal photographs, resume, personal documents Sensitivity Of Data: Low (historical, no classified or government information) Data Exfiltration: Yes Images Documents Personally Identifiable Information: Yes
Investigation Status
['Ongoing']
Initial Access Broker
High Value Targets: FBI Director
References
Blog URL Source URL
MAY 2024
812
Breach
01 May 2024 • Stryker Corporation
Stryker Corporation Cybersecurity Incident

The Vermont Office of the Attorney General reported that Stryker Corporation experienced a cybersecurity incident on June 10, 2024. The breach involved unauthorized access to Stryker internal systems between May 14, 2024, and June 10, 2024, affecting an unspecified number of individuals and potentially compromising personal information including names. A notification letter was included with the report.

775
high -37
STR200080525
Incident Details -
Type
Data Breach
Attack Vector
Unauthorized Access
Impact
Names
Data Breach
Personal Information Names
References
Blog URL Source URL
JANUARY 2024
820
Cyber Attack
01 Jan 2024 • Stryker: Handala Hack Uses RDP, NetBird, and Parallel Wipers in MOIS-Linked Destructive Intrusions
Iranian Threat Actor Handala Hack Launches Destructive Cyberattacks Across Israel, Albania, and the U.S.

**Iranian Threat Actor Handala Hack Launches Destructive Cyberattacks Across Israel, Albania, and the U.S.** A cyber threat group linked to Iran’s Ministry of Intelligence and Security (MOIS), known as **Handala Hack** (also tracked as **Void Manticore**, **Red Sandstorm**, and **Banished Kitten**), has executed a series of **data-destructive attacks** targeting organizations in **Israel, Albania, and the United States**. Unlike traditional espionage-focused operations, the group’s campaigns are designed to **permanently erase data**, making recovery nearly impossible. Active since **late 2023**, Handala Hack operates under multiple public-facing personas, including **Homeland Justice** (used since mid-2022 against Albanian government and telecom sectors) and **Karma** (now largely replaced by Handala). Recent attacks expanded to the U.S., with **medical technology firm Stryker** among the confirmed victims. ### **Attack Methods and Evolution** Check Point researchers identified **consistent yet evolving tactics** in the group’s operations. While core techniques such as **compromised VPN credentials, RDP exploitation, and simultaneous wiper deployments** have remained stable since 2024, newer campaigns incorporate: - **NetBird**, a legitimate peer-to-peer networking tool, to **tunnel traffic** within victim networks. - An **AI-assisted PowerShell script** as part of its wiping toolkit. - A **decline in operational security**, with attacks traced directly to **Iranian IP addresses** instead of commercial VPNs. ### **Multi-Layered Destruction** Handala Hack’s **destructive phase** employs **four simultaneous wiping techniques** to maximize damage: 1. **Handala Wiper** – A custom tool distributed via **Group Policy logon scripts** (`handala.bat`), overwriting files and corrupting **Master Boot Records (MBR)**. The executable runs remotely from domain controllers, evading detection. 2. **AI-PowerShell Wiper** – Deletes user directory files and floods drives with a **propaganda image** (`handala.gif`). 3. **VeraCrypt Abuse** – Legitimate encryption software is downloaded via the victim’s browser to **lock drives** and prevent recovery. 4. **Manual Deletion** – Attackers **delete virtual machines and files over RDP**, a tactic documented in leaked videos. ### **Tactical Execution** Intrusions typically begin with **compromised VPN credentials**, obtained through **brute-force attacks or supply chain breaches**. Once inside, operators use **RDP to navigate manually**, deploying **multiple attacker-controlled machines** within a single environment to accelerate destruction. The group’s **lack of operational discipline** including direct use of Iranian IPs has made attribution easier. The attacks reflect a **shift from espionage to pure sabotage**, with no financial or intelligence-gathering motives. Instead, the focus is on **maximizing disruption** across critical sectors.

809
critical -11
STR1773714231
Incident Details -
Type
Data Destruction / Wiper Attack
Attack Vector
Compromised VPN credentials RDP exploitation Group Policy logon scripts AI-assisted PowerShell scripts
Motivation
Sabotage and disruption
Impact
Data Compromised: Permanent data erasure Master Boot Records (MBR) User directories Virtual machines Encrypted drives Operational Impact: Severe disruption across critical sectors
Data Breach
Type Of Data Compromised: Permanently erased data Data Encryption: VeraCrypt abuse for drive encryption
Initial Access Broker
Entry Point: Compromised VPN credentials
Post Incident Analysis
Compromised VPN credentials RDP exploitation Lack of operational security (direct use of Iranian IPs)
References
Blog URL Source URL
MAY 2023
834
Cyber Attack
03 May 2023 • Stryker: Pro-Iran hacking group claims responsibility for cyberattack on Stryker
Stryker Hit by Cyberattack Claimed by Pro-Iran Hacking Group Handala

**Stryker Hit by Cyberattack Claimed by Pro-Iran Hacking Group Handala** Medical technology firm **Stryker**, a leading manufacturer of surgical tools and medical implants based in **Kalamazoo, Michigan**, confirmed a **cyberattack** on **Wednesday** that disrupted its global Microsoft environment. The company stated it had **no evidence of ransomware or malware** and believed the incident was **contained**, though it is still assessing the impact. Continuity measures remain in place to support customers and partners. The **pro-Iran hacking group Handala** claimed responsibility for the attack, alleging it **wiped over 200,000 systems, servers, and mobile devices** and **exfiltrated 50 terabytes of critical data**. The group cited **retaliation for the ongoing regional conflict** and a **February 28 airstrike** on a girls' elementary school in **Minab, Iran**, which killed **168 people**, as motivations. While the attack’s origins remain unconfirmed, U.S. military operations were reported near the site. Stryker has not disclosed further details, and **U.S. officials have not commented** on the incident. The investigation is ongoing.

818
critical -16
STR1773268034
Incident Details -
Type
Cyberattack
Motivation
Retaliation for ongoing regional conflict February 28 airstrike on a girls' elementary school in Minab, Iran
Impact
Data Compromised: 50 terabytes Systems Affected: 200,000 systems, servers, and mobile devices Operational Impact: Disrupted global Microsoft environment
Response
Containment Measures: Incident believed to be contained Recovery Measures: Continuity measures in place to support customers and partners
Data Breach
Type Of Data Compromised: Critical data Data Exfiltration: 50 terabytes
Investigation Status
['Ongoing']
References
Blog URL Source URL
JANUARY 2010
833
Cyber Attack
01 Jan 2010 • Stryker and Federal Bureau of Investigation: FBI Director Kash Patel’s email leaked by Iran-backed hackers
Iran-Linked Hackers Leak FBI Director Kash Patel’s Personal Emails in Cyber Espionage Campaign

**Iran-Linked Hackers Leak FBI Director Kash Patel’s Personal Emails in Cyber Espionage Campaign** On **March 27, 2026**, the **Iran-backed hacking group Handala Hack Team** publicly released a trove of personal emails belonging to **FBI Director Kash Patel**, marking a high-profile breach in a series of cyber operations attributed to Iranian state-linked actors. The leaked correspondence, spanning from **2010 to 2019**, includes a mix of personal and professional communications tied to Patel’s **Gmail account**, which had been previously exposed in other data breaches. Western cybersecurity researchers identify **Handala** as one of several personas used by **Iranian government cyberintelligence units**, which have recently escalated attacks on Western targets. Earlier this year, the group claimed responsibility for hacking **Stryker**, a U.S. medical devices manufacturer, further demonstrating its focus on high-value entities. The hackers published **photographs of Patel** alongside the leaked documents, declaring him among their "successfully hacked victims." A **U.S. Justice Department official** confirmed the breach, stating that the released material appeared authentic. While the full extent of the compromise remains unclear, the incident underscores the persistent threat posed by state-sponsored cyber espionage, particularly from Iranian-linked groups targeting U.S. officials and critical infrastructure.

818
critical -15
FEDSTR1774629686
Incident Details -
Type
Cyber Espionage
Attack Vector
Email Compromise
Vulnerability Exploited
Previously exposed data breach (Gmail account)
Motivation
Cyber Espionage, Intelligence Gathering
Impact
Data Compromised: Personal and professional emails (2010-2019) Systems Affected: Personal email account (Gmail) Brand Reputation Impact: High (FBI Director) Identity Theft Risk: High
Response
Law Enforcement Notified: U.S. Justice Department
Data Breach
Type Of Data Compromised: Emails, Personal Photographs Sensitivity Of Data: High (Personal and Professional Communications) Data Exfiltration: Yes Emails Images Personally Identifiable Information: Yes
Investigation Status
['Ongoing']
Initial Access Broker
Entry Point: Previously exposed Gmail account High Value Targets: FBI Director
Post Incident Analysis
Root Causes: Exploitation of previously breached data
References
Blog URL Source URL

Frequently Asked Questions

According to Rankiteo, the current A.I.-based Cyber Score for Stryker is 667, which corresponds to a Weak rating.

According to Rankiteo, the A.I. Rankiteo Cyber Score for March 2026 was 759.

According to Rankiteo, the A.I. Rankiteo Cyber Score for February 2026 was 757.

According to Rankiteo, the A.I. Rankiteo Cyber Score for January 2026 was 779.

According to Rankiteo, the A.I. Rankiteo Cyber Score for December 2025 was 778.

According to Rankiteo, the A.I. Rankiteo Cyber Score for November 2025 was 777.

According to Rankiteo, the A.I. Rankiteo Cyber Score for October 2025 was 776.

According to Rankiteo, the A.I. Rankiteo Cyber Score for September 2025 was 774.

According to Rankiteo, the A.I. Rankiteo Cyber Score for August 2025 was 773.

According to Rankiteo, the A.I. Rankiteo Cyber Score for July 2025 was 772.

According to Rankiteo, the A.I. Rankiteo Cyber Score for June 2025 was 770.

According to Rankiteo, the A.I. Rankiteo Cyber Score for May 2025 was 769.

Over the past 12 months, the average per-incident point impact on Stryker’s A.I Rankiteo Cyber Score has been -29.25 points.

You can access Stryker’s cyber incident details on Rankiteo by visiting the following link: https://www.rankiteo.com/company/stryker.

You can find the summary of the A.I Rankiteo Risk Scoring methodology on Rankiteo by visiting the following link: Rankiteo Algorithm.

You can view Stryker’s profile page on Rankiteo by visiting the following link: https://www.rankiteo.com/company/stryker.

With scores of 18.5/20 from OpenAI ChatGPT, 20/20 from Mistral AI, and 17/20 from Claude AI, the A.I. Rankiteo Risk Scoring methodology is validated as a market leader.