CISA, FBI have engaged with Stryker staff after cyberattack, official says
CISA Acting Director Nick Andersen (right) speaks with Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure (left), at a McCrary Institute event on March 17, 2026. David DiMolfetta/Staff
Industry groups are seeing a “steady state” of Iran-linked hacking activity, but observers should still keep their eyes peeled, CISA’s Nick Andersen said.
The Cybersecurity and Infrastructure Security Agency and the FBI have engaged with executives at Stryker as they work to assess and mitigate the fallout from last week’s major hack of the medical technology giant, for which an Iran-aligned group took credit, a top official said.
“We’ve engaged with them. Our teams have worked with them, as well as some of the FBI teams, and our regional personnel have been engaged with them,” Nick Andersen, CISA’s acting director, told reporters after he spoke at a McCrary Institute event on Tuesday. He didn’t provide other updates.
The worldwide cyberattack wiped employees’ phones and prevented workers from accessing their computers and other remote work tools. The logo of Handala, a pro-Iran and pro-Palestinian hacking group, appeared on employee login pages, and the hacking collective’s X account also claimed responsibility.
Andersen added that CISA is engaging further with sector-based industry groups on foreign cyber threats. On Iran, “we still are seeing a steady state. [The groups have] not seen an increase in the rise of threat actor activity, which is fantastic,” he said.
But he cautioned that “we just can’t take our eyes off of the fact that other adversaries continue to make maneuvers in this space. Cybercriminal groups continue to make moves within this space. It’s not just about one nation-state at one particular point in time.”
Stryker, one of the largest medical tech providers in the world, said last week it believed the incident was contained, but that the effects of the hack may continue causing “disruptions and limitations of access” to certain company information systems and applications supporting parts of its operations and functions.
Pro-Iran hacking groups frequently target the computer systems of nations considered adversaries to Tehran, namely the U.S. and Israel. In late 2023, during the Israel-Hamas war, another Iran-aligned hacking group defaced the interfaces of Pennsylvania water treatment systems that contained Israel-made Unitronics equipment.
Stryker acquired the Israeli medical technology firm OrthoSpace in 2019. It also has significant contracts with both the U.S. departments of Defense and Veterans Affairs.
It’s widely believed that a wiper attack was used against Stryker’s devices after the Handala group compromised a company Microsoft Intune administrative account. Intune is used to manage users’ access to company resources across their devices, and it can be used to remotely access specific computers or factory reset machines.
“The real failure here is that our core systems still rely on ‘God-like’ administrative keys that lack deep cryptographic validation,” said Denis Mandich, a former CIA official and co-founder of Qrypt. “We are essentially giving attackers a single point of failure that allows one compromised credential to execute a global factory reset.”
“All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use,” the company said in a Sunday statement, but it added that there may be supply chain disruptions as ordering systems come back online. The company also said the incident “was not a ransomware attack, and there is no evidence of malware deployed to our systems.”




