Analyzing the Stryker Security Incident and Lessons for Global Disaster Recovery

A recent security incident involving destructive malware at medical technology provider Stryker demonstrates the necessity of isolated identity infrastructure and tested business continuity plans. By examining this event, organizations can strengthen their resilience against total-loss scenarios in complex, multinational environments.

Triage Security Media Team

The recent security incident that disrupted tens of thousands of systems at medical technology provider Stryker demonstrates the necessity of tested business continuity and disaster recovery (BCDR) plans.

The threat group Handala claimed responsibility for the event, stating their actions were politically motivated retribution related to a recent airstrike on a school in Iran and the company's alleged ties to Israel. In a social media post on X, the group asserted it had deployed destructive malware across approximately 200,000 Stryker systems, servers, and mobile devices, alongside the unauthorized exfiltration of 50TB of company data. The group claimed this forced the shutdown of Stryker's offices in 79 countries.

Stryker, an organization reporting $25 billion in revenue, characterized the Wednesday event as a "global network disruption to its Microsoft environment," which it currently believes is contained. The company continues to evaluate the scope of the incident and has activated its business continuity procedures to support customers and partners. Stryker updated its message on Thursday to indicate it was still working on restoring systems. Notably, the company confirmed that its medical devices, including its Mako robot-assisted surgical platform, Vocera real-time communication platform, and LIFEPAK advanced life support monitors and defibrillators, remain safe to use.

While Stryker did not immediately comment on the threat group's specific claims regarding system counts or data exposure, multiple media outlets reported that affected employees in the US and other locations were sent home after their company-managed mobile devices and phones were reset to factory settings.

Security researchers have observed an increase in politically motivated cyber activity targeting U.S. corporate assets since the U.S. and Israel launched military operations in the region. The destructive malware event at Stryker is a high-profile example of this trend, and researchers anticipate similar events may follow. Threat intelligence from Flashpoint indicates that state-affiliated actors, such as the Islamic Revolutionary Guard Corps (IRGC), have issued threats against other large technology providers, including Amazon, Google, Microsoft, Oracle, Palantir, and Nvidia.

Events involving destructive malware show that business continuity can quickly falter if recovery relies on the same infrastructure that was just compromised. Kim Larsen, group chief information security officer (CISO) at Keepit, notes that resilience is largely theoretical if an organization's identity layer, endpoints, and backups fail simultaneously. Global organizations often face additional friction because data is fragmented across various platforms, regions, and regulatory boundaries. Data sovereignty constraints and operational uncertainty can delay restoration when rapid response is essential, Larsen explains.

To improve resilience, Vincenzo Iozzo, CEO and co-founder of SlashID, advises organizations to maintain frequent backups of cloud environments. Transitioning to Infrastructure as Code (IaC) practices can significantly accelerate the restoration of these environments. Furthermore, strict privilege segregation is critical. Routine administration should be restricted to lower-privilege accounts for specific functions, while global admin access, especially in cloud infrastructure, should be limited to a small number of strictly monitored "break-glass" accounts.
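The privilege-segregation advice above is easy to state and easy to let drift. The following audit is an added example (not Stryker's code and not a SlashID tool) that checks an exported list of role assignments against that model: tenant-wide admin rights belong only to a small, designated break-glass set, every break-glass account is MFA-enforced and monitored, and routine administrator roles are scoped rather than tenant-wide. The export format, field names, the role label "Global Administrator", and the limit of three break-glass accounts are assumptions; the sample assignments are constructed for illustration.

```python
"""Audit privileged role assignments against a break-glass policy.

Added example; assumes a generic, constructed export format rather than any
specific cloud provider's API.
"""
from dataclasses import dataclass
from typing import Iterable

GLOBAL_ADMIN = "Global Administrator"  # assumed label for tenant-wide admin
MAX_BREAK_GLASS = 3                    # assumed policy limit for the privileged set


@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str          # e.g. "tenant", "subscription:prod", "resource-group:app"
    mfa_enforced: bool
    monitored: bool     # sign-in and role-use alerts are routed to the SOC


@dataclass(frozen=True)
class Finding:
    severity: str       # "high" or "medium"
    principal: str
    message: str


def audit_privileges(assignments: Iterable[Assignment],
                     break_glass: set[str]) -> list[Finding]:
    """Return policy violations found in the role export."""
    assignments = list(assignments)
    findings: list[Finding] = []
    global_admins = {a.principal for a in assignments if a.role == GLOBAL_ADMIN}

    # 1. Tenant-wide admin held by anyone outside the designated break-glass set.
    for principal in sorted(global_admins - break_glass):
        findings.append(Finding("high", principal,
                                "holds Global Administrator but is not a designated break-glass account"))

    # 2. The break-glass set itself must stay small.
    if len(break_glass) > MAX_BREAK_GLASS:
        findings.append(Finding("medium", "<policy>",
                                f"{len(break_glass)} break-glass accounts exceed the limit of {MAX_BREAK_GLASS}"))

    # 3. A designated break-glass account with no admin role is a stale list entry.
    for principal in sorted(break_glass - global_admins):
        findings.append(Finding("medium", principal,
                                "listed as break-glass but holds no Global Administrator role"))

    # 4. Every break-glass account must be MFA-enforced and monitored.
    for a in assignments:
        if a.principal in break_glass and a.role == GLOBAL_ADMIN:
            if not a.mfa_enforced:
                findings.append(Finding("high", a.principal, "break-glass account without enforced MFA"))
            if not a.monitored:
                findings.append(Finding("high", a.principal, "break-glass account not monitored"))

    # 5. Routine administrator roles should be scoped to the function they serve.
    for a in assignments:
        if a.role != GLOBAL_ADMIN and a.scope == "tenant":
            findings.append(Finding("medium", a.principal,
                                    f"role '{a.role}' assigned at tenant scope; scope it to the function it serves"))
    return findings


# Constructed sample export (hypothetical accounts, not real data).
SAMPLE_ASSIGNMENTS = [
    Assignment("bg-01", GLOBAL_ADMIN, "tenant", mfa_enforced=True, monitored=True),
    Assignment("bg-02", GLOBAL_ADMIN, "tenant", mfa_enforced=True, monitored=False),
    Assignment("alice", GLOBAL_ADMIN, "tenant", mfa_enforced=True, monitored=False),
    Assignment("bob", "User Administrator", "tenant", mfa_enforced=True, monitored=False),
    Assignment("carol", "Backup Operator", "subscription:prod", mfa_enforced=True, monitored=False),
]
SAMPLE_BREAK_GLASS = {"bg-01", "bg-02"}


def run_sample() -> list[Finding]:
    """Audit the constructed sample; expect findings for alice, bg-02 and bob."""
    return audit_privileges(SAMPLE_ASSIGNMENTS, SAMPLE_BREAK_GLASS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.principal}: {f.message}")
```

Run against a real export, the "high" findings are the ones to act on first: an undesignated global admin is exactly the account whose compromise turns an intrusion into the total-loss scenario the article describes, and an unmonitored break-glass account means its use during an incident would go unseen.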

Traditional BCDR planning often assumes that corporate communications, identity infrastructure, and the management plane will remain operational during an incident. Collin Hogue-Spears, senior director of solution management at Black Duck, points out that destructive malware negates these three assumptions simultaneously. Security leaders must design recovery plans around a total-loss scenario rather than a standard, recoverable ransomware event.

This approach requires immutable backups isolated from the primary identity plane, out-of-band communication channels independent of corporate infrastructure, and recovery runbooks engineered to operate without functioning endpoints on day one. Hogue-Spears notes that if a disaster recovery test has never started with the premise that every device is inaccessible and email is unavailable, the organization remains untested for this specific class of threat.

For multinational operations, the primary challenge is often governance rather than technical restoration. Security and IT leaders must coordinate parallel recovery efforts across countries with distinct legal requirements, differing infrastructure maturity, and separate decision-making authorities. Prioritizing which locations and critical functions are restored first is a crucial leadership decision that must be made before an incident occurs.

Organizations should establish regional recovery teams with the authority to act swiftly and prepare notification workflows tailored to local regulatory mandates in every country of operation. As Hogue-Spears notes, treating operations across 79 countries as a single recovery zone often results in 79 separate, uncoordinated recovery efforts. The most difficult aspect of multinational BCDR is determining the sequence of restoration at the leadership level.

Editor's Note: The original reporter of this story disclosed having a family member employed by Stryker. The author, Jai Vijayan, has over 20 years of experience in IT trade journalism.