SECURITY:OUTAGE: STRYKER, Microsoft Intune Disruption (11 March 2026)

Stryker logo, from seeklogo.com

REVISIONS

  • Thurs 2 Apr 2026:
    • Per Stryker's official blog post (4/1/26), they have made significant progress on operations globally and continue to move back to peak capacity.
  • Tue Mar 31 2026:
    • Stryker's official blog post (3/23/26) announced that they believe the incident is contained and are prioritizing restoration of systems that directly support customers, ordering, and shipping [2].
  • Mon Mar 16 2026: As of writing this blog post, disruptions to the Stryker Microsoft Intune environment are ongoing (15-16 March 2026).

BACKGROUND

On 11 March 2026, Stryker experienced a global network disruption to their Microsoft (Intune) environment. The Handala Group claimed responsibility for the attack, as suggested by social media posts allegedly made by the group and by its logos on the locked login screens of systems affected by the cyber attack. The Handala Group is said to be linked to Iranian cyber threat groups and the attacks were in direct response to retaliatory actions [3].

  • 200,000 Stryker "systems, servers, and mobile devices" wiped
  • 50TB of company data exfiltrated
  • 79 Stryker offices worldwide forced to shut down

Stryker announced that the attack was not a ransomware attack and that no malware was deployed to their systems. Here is the latest excerpt from Stryker's official blog post [2]:

03/15/2026 11:30 a.m. ET

We wanted to provide you the latest update on the Stryker network disruption and progress on our restoration.  

Safety of our products

All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use. This event was contained to Stryker’s internal Microsoft environment, and as a result it did not affect any of our products—connected or otherwise. Stryker, much like any Fortune 300 company, has embedded policies and procedures for cybersecurity assurances for our products in the field. This process at Stryker provides additional assurances that no potential vulnerabilities or risk of exploitation related to our connected products exist. Per our standard protocols, we have leveraged this process to confirm that our connected products were not impacted by the incident and remain safe to use.  

Communicating with your Stryker Sales Representatives

It is completely safe for Stryker sales representatives to be onsite in hospitals and facilities. It is also safe for you to communicate by phone or e-mail with Stryker personnel. The event only affected Stryker’s internal Microsoft corporate environment. This was not a ransomware attack, and no malware was deployed to our systems. The incident has been contained, and we are now in the restoration process, which is progressing steadily.  

Supply, ordering and shipping

We are working closely with our global manufacturing sites to manage operations and mitigate potential impacts, supported by our robust resiliency and business continuity plans. While electronic ordering systems are currently unavailable, we are actively bringing those systems back online. In the meantime, your Stryker Sales Representatives will be working with you and your distributors directly in an effort to bring you replenishment product through manual ordering where that option exists. Orders placed prior to the disruption will be reconciled as systems are restored, and electronic orders placed during the disruption will process once systems are back online, and supply is flowing normally.  

Next steps

We are prioritizing restoration of systems that directly support customers, ordering and shipping. Our core transactional systems are already on a clear path to full recovery, and we will continue to provide updates as progress is made. There is nothing more important to us than the customers and patients we serve, and we are grateful for your continued support and partnership.

Attackers were able to exploit Stryker's Microsoft Intune system, bypassing traditional security protections. John Collins, director at Halcyon, points in the Medtechdive article to remote wipe commands in the Base64-encoded payload that Microsoft Intune uses to transmit data [4]. (Base64 encodes data into ASCII format (English alphanumeric symbols), helping preserve data integrity when being transmitted. Base64 does NOT encrypt data during transmission and can increase the size of a file that has been encoded into Base64. Here is an example of "Hello World" in Base64: SGVsbG8gV29ybGQK.)
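As an added illustration (not code from the original post, Stryker, or Microsoft), the Python sketch below finds Base64 runs in a piece of text and decodes them without any key, which is why Base64 provides no confidentiality, and it measures the size increase. The sample line, its field names, and the command text are constructed for this example; note that the string quoted above decodes to "Hello World" followed by a newline.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet characters (16 or more) with optional '=' padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decode_base64_fields(text):
    """Return (token, decoded_bytes) for each Base64 run that decodes to readable text."""
    found = []
    for match in B64_RUN.finditer(text):
        token = match.group(0)
        if len(token) % 4:  # valid Base64 length is a multiple of 4
            continue
        try:
            raw = base64.b64decode(token, validate=True)
            decoded = raw.decode("utf-8")
        except (binascii.Error, ValueError):
            continue  # not Base64, or not text once decoded
        # Drop long identifiers that merely look like Base64 but decode to binary noise.
        if all(c.isprintable() or c.isspace() for c in decoded):
            found.append((token, raw))
    return found

def size_overhead(raw):
    """Encoded length divided by raw length; about 4/3 for Base64."""
    if not raw:
        return 0.0
    return len(base64.b64encode(raw)) / len(raw)

# Constructed sample: a generic management-log line, not a real Intune format.
SAMPLE_PAYLOAD = b'{"command": "example-remote-action"}'
SAMPLE_LINE = ("ts=2026-03-11T09:00:00Z action=push payload="
               + base64.b64encode(SAMPLE_PAYLOAD).decode("ascii"))

if __name__ == "__main__":
    for source in ("SGVsbG8gV29ybGQK", SAMPLE_LINE):
        for token, raw in decode_base64_fields(source):
            print(f"{token[:24]}... -> {raw!r} (overhead x{size_overhead(raw):.2f})")
```

Anyone who can read the traffic or logs can do the same decoding, so confidentiality and integrity of such payloads depend on the transport and on access control to the management plane, not on the encoding.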

The obvious caveat with a security breach of this magnitude comes down to the most obvious cause: products and services that require internet connectivity to work and communicate with each other remotely. Organizations, large and small, should at a minimum maintain backups along with alternative methods of communication and data access to help prevent large-scale disruptions such as this one.

This blog is not about politics; however, this recent cyber attack on Stryker could allegedly have been a direct result of the growing tensions in the Middle East. Geopolitics aside, the situation also exemplifies how integrated economies are across the world: regardless of industry, they will be impacted by events in any given region of the world.

REFERENCES

  1. Stryker logo from seeklogo.com

  2. Stryker official blog posts: "Customer Updates: Stryker Network Disruption"

  3. DarkReading: "Why Stryker's Outage Is A Disaster Recovery Wake-Up Call"

  4. Medtechdive: "Stryker's manufacturing, shipping disrupted after cyberattack"
