Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Stryker’s forensic investigation has turned up something new. Working with Palo Alto Networks Unit 42, the medical device company found “a malicious file used to run commands and conceal activity within Stryker’s systems.” Production recovery is underway.
The wording matters. “Malicious file” and “malware” aren’t the same thing. A script, a scheduled task, a configuration artifact, or a legitimate admin tool dropped where it doesn’t belong is a malicious file without being a malware binary in the classic sense, which is why Stryker’s initial statement that no malware was found was technically accurate.
The original Handala attack, claimed by the Iran-linked group as retaliation for a US missile strike, was a control-plane operation. Over 200,000 devices were remotely wiped through Microsoft Intune, a legitimate MDM tool. No traditional malware: nothing had to be delivered to or executed on the endpoints, because the wipe commands came from the management tier itself. The attacker used Stryker’s own device management infrastructure against it, and that is exactly the kind of activity endpoint antivirus is not built to see. The evidence lives in the MDM audit trail, not on the disks that were erased.
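A control-plane wipe leaves its trace in the management tier’s audit log rather than on endpoints, so the detection that matters is a rate check on who is issuing destructive device actions. The script below is an added example for this post, not code from Stryker, Unit 42 or Microsoft. It assumes a simplified, flat event schema (actor, activity, time, device, result) that is only loosely modelled on what an MDM audit source emits; the field names, the activity labels “Wipe” and “Retire”, the example.com identities and the events themselves are all constructed for illustration.

```python
"""Bulk remote-wipe detection over MDM audit events.

Added example for this post, not code from Stryker, Unit 42 or Microsoft.
The event schema is an assumption: a simplified, flat record of who did what
to which device, when. The events are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names that destroy or detach a device. Assumed labels; replace
# them with whatever your audit source actually emits.
DESTRUCTIVE_ACTIVITIES = {"wipe", "retire"}


def _ev(actor, activity, ts, device, result="Success"):
    """Build one constructed audit record in the assumed schema."""
    return {"actor": actor, "activity": activity, "time": ts,
            "device": device, "result": result}


# Constructed sample: a help-desk admin doing two routine wipes hours apart,
# and a second admin identity issuing eight wipes inside two minutes.
SAMPLE_EVENTS = [
    _ev("helpdesk@example.com", "Wipe", "2026-03-10T09:05:00Z", "LT-0142"),
    _ev("helpdesk@example.com", "SyncDevice", "2026-03-10T09:06:10Z", "LT-0142"),
    _ev("helpdesk@example.com", "Wipe", "2026-03-10T14:40:00Z", "LT-0377"),
] + [
    _ev("ops-admin-02@example.com", "Wipe",
        f"2026-03-11T02:0{m}:{s:02d}Z", f"WS-{i:04d}")
    for i, (m, s) in enumerate([(0, 0), (0, 12), (0, 25), (0, 40),
                                (1, 3), (1, 15), (1, 30), (1, 44)])
]


def _parse(ts):
    """ISO-8601 timestamp with a trailing Z -> timezone-aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    start, best = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bulk_wipes(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak_count} for every actor whose destructive actions
    reach `threshold` inside any `window`. Failed attempts are counted as
    well: the attempt itself is the signal, not whether the device complied."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["activity"].lower() in DESTRUCTIVE_ACTIVITIES:
            by_actor[ev["actor"]].append(_parse(ev["time"]))
    hits = {}
    for actor, times in by_actor.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            hits[actor] = peak
    return hits


def unexpected_wipe_actors(events, allowed):
    """Actors that issued a destructive action but are not on the allow-list
    of identities expected to wipe devices."""
    return sorted({ev["actor"] for ev in events
                   if ev["activity"].lower() in DESTRUCTIVE_ACTIVITIES
                   and ev["actor"] not in allowed})


if __name__ == "__main__":
    print(detect_bulk_wipes(SAMPLE_EVENTS))
    print(unexpected_wipe_actors(SAMPLE_EVENTS, {"helpdesk@example.com"}))
```

The two checks are complementary: the rate check catches a legitimate admin account being driven at machine speed, and the allow-list check catches an identity that should never be wiping anything at all. Both need the audit events to be shipped off the management platform before the incident, since an attacker with control-plane access can typically also tamper with what that plane retains.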
The newly discovered file is a separate forensic finding. Something was placed in the environment specifically to run commands and hide activity. That’s a different artifact from the wipe itself. Its discovery suggests the investigation is still uncovering the full picture.
Recovery is staged. “Core transactional systems on a clear path to full recovery” leaves room for other systems still working through it. That’s realistic, not alarming, for a company of Stryker’s size. Unit 42’s involvement means this is being treated as a serious forensic engagement. Additional findings are possible.
Short version: a malicious file was found, production is coming back online, and the investigation isn’t finished.