SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Stryker probes global cyber attack via MDM systems

Fri, 13th Mar 2026

Medical technology company Stryker is investigating a cyber attack that disrupted parts of its internal network after attackers accessed corporate systems linked to its Microsoft environment and mobile device management tools used to control employee devices.

The company said the incident caused a global network disruption affecting internal systems. It said there was no indication of ransomware or malware and that the issue was contained to its internal Microsoft environment.

Stryker said it activated its incident response plan and began an investigation with the support of external cybersecurity specialists, law enforcement and government partners.

The company said the incident affected some business operations, including order processing, manufacturing and shipping, while systems were being restored. It said orders entered before the disruption remain visible in its systems, while newer orders are being reviewed as communications are brought back online.

Stryker said business continuity measures were put in place to support customers and partners during the disruption and allow healthcare providers to continue operating.

The company also said connected products were not affected and remain safe to use, including devices that operate independently from its corporate network.

It said certain clinical and communication systems continued to function normally, and that medical devices such as LIFEPAK units, the LIFENET system and the Mako surgical platform were not impacted because they operate separately from the affected environment.

The investigation remains in its early stages and the company said it is still assessing the scope and nature of the incident.

Security researchers have linked the activity to techniques associated with Iranian-aligned groups and said the intrusion involved misuse of mobile device management systems, although the company has not publicly confirmed attribution.

MDM abuse

Security researchers said the incident highlights the risks tied to mobile device management platforms, which allow organisations to control employee smartphones, tablets and applications from a central console.

MDM systems are widely used to enforce security settings, deploy software and manage large fleets of devices, including bring-your-own-device environments.

Researchers said the same centralised control can become a high-value target if attackers gain access to the management platform.

"The Stryker attack is what we expected from a regime with few cards to play, and no real consequences for playing the hand they have. While Mobile Device Management (MDM) is a pillar of cybersecurity it is also a widely detested technology by employees who value their personal sovereignty over their phones. Many MDMs allow for real-time GPS tracking, making employees feel constantly surveilled, especially during off-hours. Often, companies aren't transparent about what they actually monitor, leading to "privacy anxiety" where employees assume the worst. This attack will not make MDM solutions any more popular," said Ted Miracco, CEO, Approov.

"The vast powers inherent in this MDM software, sometimes called the nuclear option, were cleverly hijacked by a nation-state willing to employ a scorched-earth strategy that will harm both impacted corporations and individuals who relinquished control of their BYOD devices to their employer or contractor," said Miracco.

Researchers said a compromised MDM environment can allow attackers to send commands to large numbers of devices, deploy malicious software, wipe data or disrupt applications across an organisation.

They said access to device management systems can also expose configuration data that helps attackers move deeper inside corporate networks.

Geopolitical risk

Cybersecurity analysts said the incident comes amid increased activity by Iranian-aligned groups targeting healthcare, industrial firms and critical infrastructure.

Recent campaigns linked to these groups have focused on disruption rather than financial gain.

"The Stryker incident is a reminder that organizations should expect cyber activity to escalate alongside geopolitical tensions. Iranian-aligned groups and their proxies have historically relied on disruptive techniques such as wiper malware and data-destruction attacks that are designed to cause operational impact rather than generate ransom payments," said Sunil Gottumukkala, CEO, Averlon.

"The companies that fare best in this environment are the ones that treat cyber incidents as inevitable and invest in preparation, visibility into their exposure, and the ability to recover quickly," said Gottumukkala.

Analysts said such activity often increases during periods of political tension and may involve both direct state operators and affiliated groups.

Healthcare exposure

Security specialists said healthcare providers and medical device manufacturers face additional challenges because of legacy systems, complex supply chains and strict safety requirements.

These factors can slow patching cycles and make architectural changes more difficult than in other sectors.

"As 2026 progresses, the healthcare and energy sectors remain squarely in the crosshairs. Iranian state actors and their proxies have been quick to adopt new tools, including AI-driven social engineering, to gain that critical first foothold. The Stryker attack won't go unnoticed by other state-sponsored groups; expect MDM abuse and wiper deployments to show up with increasing regularity across the threat landscape," said Damon Small, Xcape.

"Regulators are already moving. Cybersecurity requirements for medical device manufacturers and critical infrastructure providers are tightening, with mandatory testing, continuous patching, and network segmentation shifting from recommended guidance to enforceable obligation. The policy world is catching up to what the security community has known for years: this isn't just an IT problem," said Small.

"For practitioners, the strategic question has shifted. Stopping every breach is no longer a realistic goal. The real measure of a mature security program is resilience. Can your organization absorb the hit, maintain critical operations, and keep its mission intact when a determined adversary is doing everything they can to tear it apart?" said Small.

Resilience focus

Security teams reviewing the incident said organisations should reassess identity controls, device enrolment procedures and the separation of management systems from production networks.

They said backup systems should be isolated so destructive attacks cannot spread across the entire environment.

"Defenders should focus on hardening the identity perimeter and ensuring that backup architectures are physically or logically segmented from the primary network to prevent wiper propagation. Organisations must also validate their incident response plans against "scorched earth" scenarios where local recovery is impossible," said Small.

"In a world of wipers, your "incident response" is just a long-form obituary for your data if you haven't tested a bare-metal recovery this year," said Small.