Tuesday, March 17, 2026
Astaara Cyber and the Stryker breach – why should shippers care?

What happened?

“On March 11, 2026, Stryker Corporation (“we” or the “Company”) identified a cybersecurity incident affecting certain information technology systems of the Company that has resulted in a global disruption to the Company’s Microsoft environment.”  

With these 34 (and a few other) words, the huge US medical equipment manufacturer Stryker confirmed to the New York Stock Exchange on 11 March 2026 that it had fallen victim to a serious cyber-attack. Responsibility was later claimed by the pro-Iranian hacking group Handala.

While the attack does not appear to have touched patient-facing services, by market close on 13 March, $8.6bn had been wiped off Stryker’s market capitalisation (around 6.3%) as investors took fright. Stryker themselves said the breach would likely have a material financial impact on the company. As far as we know, the company carried no cyber insurance.

Gallagher Re has issued a report into the breach, which is instructive:

  • Handala spear-phished their way to a very privileged set of credentials with insufficiently strong MFA;
  • The credentials were sufficiently privileged to allow Handala to compromise the central security, identity and admin control of the entire network, effectively turning the protections into weapons which they then turned on the company;
  • Segregation of Stryker’s network was insufficient, thereby maximising the ‘blast radius’ of the attack;
  • 200,000 devices were wiped using the installed MDM capability (Intune) – around 4 times the number wiped in the A.P. Moller attack in 2017;
  • Stryker have been silent on the status of their backups – if they have been wiped, restoration of activity will be lengthier.

Astaara’s view: why shipowners and operators should care

Handala is a known Iranian proxy. They are out for revenge.

  • If you are not with the regime, you are against it – almost anyone is a target;
  • This is war: these attackers cannot be parleyed with. Once they are in, you are done.

Good cyber hygiene is about more than external perimeter security and the deployment of technology:

  • It is also about your people being aware of the threat, your policies and procedures being up to the task, and your architectures being secure by default;
  • While Stryker appeared secure from the outside, once inside, Handala made out like a fox in a hen house, destroying everything that they could see, which was too much.

Credentials offering permanent privileged access-all-areas are the loaded weapon under the pillow of cyber security – lethal.

  • Separate the weapon from the ammunition; give the gun cupboard keys to different people; only load the weapon when you need to use it; and make the bullets limited in range.

Do not over-centralise. This was a major single point of failure. Do not use one product to do another’s job: ID management is not the same as a PAM tool:

  • An ID solution is about who you are;
  • A PAM tool is about what you do. Least privilege applies more strongly the more senior the role.

Segregate and segment your networks, physically where possible, to ensure your most critical data and systems cannot be accessed by a single log-in or unauthenticated user.

Please get in contact with us should you wish to discuss this or any cyber-related or insurance issue.

  • William Egerton
    Chief Cyber Officer