
Stryker said Wednesday that last week’s cyberattack has now delayed some surgeries, as CISA warns attackers are targeting Microsoft endpoint management systems used by US organizations.
- Some surgeries are now being delayed following the Stryker cyberattack, disrupting hospital operations.
- The pro-Iranian hacker group Handala claims it wiped 12 petabytes of data from Stryker networks – and leaked internal files.
- CISA is warning US organizations to lock down Microsoft systems attackers may already be targeting.
Surgeries delayed as Stryker disruption spreads
The attack on Stryker’s global network decimated internal systems tied to its Microsoft environment, limiting employee access to business operations, devices and services.
The US medical technology firm told Bloomberg the delays are due to “disruptions to ordering, manufacturing, and shipping.”
A spokesperson for the company further explained that the system disruption had “temporarily impacted the ability to deliver personalized inventory, resulting in some patient-specific cases being rescheduled,” Bloomberg first reported.
Reuters separately reported that the March 11th breach has also affected Stryker’s ability to process orders, manufacture products, and ship goods to customers.
The Michigan-based medtech firm produces a range of robotic surgical systems, surgical equipment, and personalized implants, and provides IT services for more than 150 million patients each year.
The company said it had “no indication of ransomware or malware” and believes the incident is contained to its internal network.
Still, the incident remains under investigation as federal agencies and the company continue response and recovery efforts.
In an update on its website, Stryker said that all products across its global portfolio, “including connected, digital, and life-saving technologies, remain safe to use,” with the surgical delays being blamed on delivery hold-ups of custom patient implants.
Bloomberg specifically mentioned a small number of cases being delayed at CommonSpirit Health, one of the largest US hospital systems, and at least one instance at an unnamed hospital in Tennessee that was supposed to operate on a five-year-old “to replace a part of her skull that’s full of holes and soft spots” using a customized Stryker implant.
That surgery has been rescheduled to next month, the news outlet said.
CISA flags Microsoft systems as key risk
Meanwhile, in a CISA alert issued Wednesday, the cybersecurity watchdog said it is “aware of malicious cyber activity targeting endpoint management systems of US organizations” tied to the incident, which has been claimed by the pro-Iranian hacker group Handala.
The US Cybersecurity and Infrastructure Security Agency (CISA) said it is coordinating with federal partners, including the FBI, to identify additional threats and determine mitigation actions.
To defend against similar threats, the agency urged organizations to adopt Microsoft’s best practices for securing endpoint management systems, including Intune.
Microsoft Intune is a cloud-based system used by organizations to manage, secure, and remotely control employee devices and apps, including laptops and desktops, mobile devices, and corporate data on those devices.
In fact, some employees reported having their personal phones wiped as they were holding them during the attack, due to the use of Microsoft's Outlook.
Among the recommendations, CISA says organizations should:
- apply the principle of least privilege when assigning administrative roles
- use role-based access control (RBAC) to limit permissions
- enforce phishing-resistant multi-factor authentication (MFA)
- strengthen privileged access protections using Microsoft Entra ID features, including conditional access and risk-based controls
- require multiple administrators to approve high-impact actions, such as device wiping, configuration changes, and script execution
- deploy privileged identity management (PIM)
- align endpoint configurations with zero-trust security principles
The agency also pointed organizations to Microsoft guidance on securing Intune, implementing RBAC, and enabling multi-admin approval workflows.
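As an added illustration (not code from CISA, Microsoft, or Stryker), the Python sketch below shows how a defender could monitor for gaps in two of the listed controls: high-impact actions executed without a second administrator's approval, and a burst of device wipes from one account. The record layout, account names, and thresholds are assumptions made for this example, not Intune's audit export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions the recommendations single out for multi-admin approval.
HIGH_IMPACT = {"wipe", "config_change", "script"}

def _burst(n, actor):
    # Constructed: n unapproved wipes by one account, 10 seconds apart.
    return [(f"2025-01-02T02:00:{i * 10:02d}", actor, "wipe", None) for i in range(n)]

# Constructed sample records in a hypothetical schema:
# (timestamp, admin account, action, approving admin or None)
SAMPLE_EVENTS = [
    ("2025-01-01T09:00:00", "helpdesk1@example.test", "wipe", "lead@example.test"),
    ("2025-01-01T11:30:00", "helpdesk1@example.test", "wipe", "lead@example.test"),
    ("2025-01-01T14:00:00", "ops2@example.test", "script", "ops2@example.test"),
] + _burst(6, "admin7@example.test")

def parse(events):
    """Convert timestamps and order records by time."""
    rows = [(datetime.fromisoformat(ts), actor, action, approver)
            for ts, actor, action, approver in events]
    return sorted(rows, key=lambda r: r[0])

def unapproved(events):
    """High-impact actions with no second admin, or approved by the requester."""
    return [e for e in parse(events)
            if e[2] in HIGH_IMPACT and (e[3] is None or e[3] == e[1])]

def wipe_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map each account to its peak wipe count in any sliding window, if >= threshold."""
    recent, peak = defaultdict(deque), {}
    for ts, actor, action, _ in parse(events):
        if action != "wipe":
            continue
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:  # drop wipes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peak[actor] = max(peak.get(actor, 0), len(q))
    return peak

if __name__ == "__main__":
    for actor, n in wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT burst: {actor} issued {n} wipes within 10 minutes")
    for ts, actor, action, approver in unapproved(SAMPLE_EVENTS):
        print(f"ALERT approval: {ts.isoformat()} {actor} {action} approver={approver}")
```

Routine, approved help-desk wipes spaced hours apart stay below the threshold, while the self-approved script run and the six-wipe burst are both reported.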
Handala claims it wiped 12 petabytes of data
The pro-Iranian hacktivist group Handala claimed responsibility for the attack shortly after the incident became public, saying on Monday it wiped a massive 12 petabytes of data from the company's servers using Stryker’s own Microsoft software.
"In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted," Handala wrote on its victim blog site.
The group also said the attack forced the closure of 79 offices worldwide, although that information has not been confirmed.
Handala additionally claimed attacks on payments processing giant Verifone the same day as Stryker, framing both as retaliation against US companies with strong ties to Israel. Verifone has denied any breach of its systems to Cybernews.
Stryker says it has contained the attack on its Microsoft environment and is now in the process of restoring its systems, without revealing the exact data impacted.
“Our core transactional systems are already on a clear path to full recovery, and we will continue to provide updates as progress is made,” the company said over the weekend.
“We are actively bringing our electronic ordering systems back online, with previous orders expected to be reconciled once systems are fully restored,” it said.
Handala, which has been active since 2023, is one of dozens of pro-Iranian hacker collectives that have escalated attacks since the US-Israeli war against the Islamic Republic began on February 28th.