
While struggling to log in to their work computers last week, some employees of the medical technology company Stryker Corp. were met by an unfamiliar black-and-white cartoon figure: the logo of a shadowy pro-Iranian hacking group.
The image that greeted victims of the crippling cyberattack, according to screenshots reviewed by Bloomberg News, represents Handala, a digital sabotage persona that seeks to disrupt organizations tied to Israel or the US military.
The group said in an online post Wednesday that it attacked Stryker as retaliation for a US missile strike that allegedly hit an Iranian school. Neither Stryker nor any cybersecurity firms have confirmed that pro-Iranian hackers were behind the breach.
Handala personifies recent pro-Iranian cyber activity, with tactics that have advanced from crude defacing of websites into more potent sabotage and well-timed politically motivated attacks. The group has focused on symbolic targets, breaching victims and then leaking data to maximize their psychological effect. If confirmed, Handala’s role in the Stryker incident would represent its largest incursion yet.
The attack resulted in the deletion of data on some devices, according to a person familiar with the matter who wasn’t authorized to publicly discuss the incident. The company said in a corporate filing Wednesday evening that it expects the breach to continue disrupting operations and that “the timeline for a full restoration is not yet known.”
Stryker added in a statement early Thursday that the company was working urgently to restore its electronic ordering system.
So-called wiper attacks, which scrub data from affected devices, are relatively rare and are often the work of state-sponsored cyberespionage groups. Russian hackers infamously launched wiper attacks on Ukrainian targets at the outset of the 2022 invasion, while North Korean hackers used the same tactic against Sony Pictures in 2014.
The intensity of the attack against Stryker corresponds with urgent warnings that cybersecurity specialists have previously issued about Handala. If verified, this week’s breach would potentially mark the first known major cyber disruption of an American organization since joint US-Israeli strikes against Iran began nearly two weeks ago.
Justin Moore, a senior manager of threat intelligence at Palo Alto Networks Inc., said that the gang operates as a state-directed front for Iran’s Ministry of Intelligence and Security, and that its tradecraft has significantly evolved over the past two years into more disruptive attacks.
In some cases, Handala targeted high-profile Israeli politicians, he said. Handala said it leaked sensitive personal information from former Israeli Prime Minister Naftali Bennett after it breached his phone. It also targeted Israel’s Soreq Nuclear Research Center, leaking photos from inside the facility and publishing a list of scientists who were allegedly working on a particle accelerator project.
“What makes Handala particularly dangerous is their transformation over the past two years into a primary cyber-retaliatory arm for the Iranian regime,” Moore said. “Through this evolution, they have combined the noisy, chaotic playbook of a hacktivist group with the destructive capabilities of a nation-state.”
Handala suggested it had attacked Stryker because of the company’s connections to Israel. In 2019, Stryker acquired the Israeli company OrthoSpace. Stryker has also previously worked with the US military: Last year, it won a $450 million contract to supply medical devices to the US Department of Defense.
However, hacks are often acts of simple opportunism, with attackers choosing targets primarily because their systems are vulnerable.
Handala takes its name from Handala, a pro-Palestinian political cartoon that shows a young boy, according to the cybersecurity firm Check Point Software Technologies Ltd. The Handala cartoon is often used as a protest symbol.
After claiming responsibility for the Stryker attack, Handala also said it was behind another disruption at the payments company Verifone. A Verifone spokesperson told Bloomberg that no breach had occurred and that screenshots published by Handala showing apparent internal access weren’t from a recent incident.
Handala also said it was responsible for a hack on the website of Israel’s Academy of the Hebrew Language. Attackers defaced the school’s website with threats and a cartoon depicting pro-Palestinian messaging, according to Israel’s Channel 12 media outlet.
Poland’s National Centre for Nuclear Research also stopped an attempted cyberattack in recent days that one government minister suggested to local media outlets was tied to Iran.
State-sponsored Iranian hacking groups failed to play a meaningful part in the war in the initial days after the US and Israel started bombing Iran. In one case, the hackers’ digital infrastructure disappeared from the internet at the same time Israel said it bombed a Tehran building that housed the country’s cyber warfare headquarters.
However, threat analysts who specialize in Iranian espionage tactics have said that the government in Tehran has long outsourced its cyber operations to proxy groups and front organizations, which launch attacks on Iran’s behalf.
Cybersecurity specialists have warned that pro-Iranian groups would combine disruptive attacks with propaganda and disinformation meant to overstate their prowess. Activist hacking groups would play a particular role in any conflict, said John Hultquist, chief analyst with Alphabet Inc.’s Google Threat Intelligence Group.
That strategy aligns with Iran’s broader approach to fighting the war.
The Islamic Revolutionary Guard Corps has launched missiles against targets throughout the Middle East, regardless of their level of direct involvement in the fighting. The Iranian state-linked media outlet Tasnim published a list of US companies whose offices and products were considered to be legitimate targets in the conflict, including American technology firms, according to Al Jazeera.
One of the companies named on that list, Microsoft Corp., works with Stryker, and the medical technology company said its Microsoft platform experienced a “global disruption” in the cyberattack. Microsoft declined to comment on the Stryker situation.
Photo: The Stryker Corp. headquarters in Portage, Michigan. (Bloomberg)
The post Stryker Attack Mirrors Tactics Used in Iran‑Aligned Hacks appeared first on Insurable Interest Canadian Insurance Blog.
