
US-based Stryker allegedly breached by Handala hacktivist group

An infamous pro-Palestinian hacktivist group has allegedly breached US-based medical device manufacturer Stryker.

Thu, 12 Mar 2026

Handala, a hacktivist group believed to be a front for Iranian state-sponsored hackers, claimed that it had breached Stryker in messages on its Telegram channel.

Staff at the Michigan-based firm claimed that the logo of an Iran-linked threat actor had begun popping up on login pages, while Stryker has said it is experiencing outages.

“Stryker is experiencing a global network disruption to our Microsoft environment as a result of a cyber attack. We have no indication of ransomware or malware and believe the incident is contained,” the company said on LinkedIn.

“Our teams are working rapidly to understand the impact of the attack on our systems.

“Stryker has business continuity measures in place to continue to support our customers and partners. We are committed to transparency and will keep stakeholders informed as we know more.”

The company has not attributed the attack to any specific threat actor.

Speaking with Cyber Daily, ThreatLocker CEO Danny Jenkins provided some guidance on how businesses should act to protect themselves from cyber incidents.

“While the details of how this attack unfolded are currently unknown, the two most common vectors of attacks on private sector organizations are malware, credential theft via phishing, or a combination of the two. Once inside an organization, attackers will move laterally within systems to achieve their goals. In this case disruption appears to be the motivation, but other attacks often include data encryption or exfiltration,” he said.

“To protect themselves, there are two basic steps organizations should take. First, as outlined in the Australian Essential Eight, they should implement application allowlisting. This technology stops the vast majority of malware and ransomware because it prevents any unrecognized code or software from executing or installing if it is not on a pre-approved list. Unknown software is blocked because it is unknown, stopping an attack before it happens.

“To help limit the damage of credential theft, organizations need to add hardware and network verification into their user logins. Today’s phishing attacks are aided by AI and can be extremely believable, sometimes fooling even the most vigilant employees. By adding device and network criteria, an attacker cannot access networks or cloud systems without the user’s device.”

Who is Handala?

Handala largely targets Israeli entities or organisations with links to Israel and its military. It’s known to use a wide range of tactics, techniques and procedures to gain access to its victims, including spear phishing. Though some track the group as a ransomware operator, its motivations are entirely political, and no ransom demands are ever made.

When Iran was bombed last year, Handala claimed to have carried out a wave of cyber attacks targeting Israeli organisations.

Petroleum conglomerate the Delek Group and its Delkol subsidiary were the first victims listed as part of Handala’s campaign, with the hackers claiming to have stolen more than two terabytes of data.

“Your fuel systems are exposed. and so are your secrets,” Handala said in a 14 June leak post.

“Over two terabytes of classified data are no longer in your hands. Your fuel stations are vulnerable. If you’re smart, you’ll act now. Fuel up immediately, before you’re left with nothing but empty roads and silent jets. Time is not on your side.”

The Israel Fuel Corporation, another Delek subsidiary, is one of Israel’s largest service station chains.

On the same day, the group listed Argentinian drone maker AeroDreams, Israeli construction firm Y.G. New Idan, and ISP 099 Primo Telecommunications.

AeroDreams’ website appears to be down at the time of writing, but Handala claims the company has links to the Israeli Air Force.

In the wake of the widespread CrowdStrike outage in 2024, the group was observed using emails claiming to be from the cyber security firm and offering a fix for the issue. However, the hackers used a file called CrowdStrike.exe as a guise to deploy a malicious wiper program capable of deleting entire directories on an infected machine.

The group’s internet traffic appears to originate from Iranian IP addresses, and a report from the website Iran International links Handala to Iran’s Ministry of Intelligence.

While some of Handala’s victims have claimed the group exaggerates its activity – a common tactic for hacktivist groups – others have confirmed the hackers’ claims. In January 2025, Handala gained access to public address systems in Israeli kindergartens in order to broadcast red alert warnings and propaganda, an attack that Israel’s National Cyber Directorate later confirmed.


Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.