  • Stryker US Data Breach Linked to Stolen Credentials

    Key Takeaways

    1. The cyberattack on Stryker may have begun with stolen credentials from infostealer malware, not a software vulnerability.
    2. Alon Gal from Hudson Rock found Stryker administrator credentials in infostealer logs, indicating a possible long exposure period.
    3. Stryker has not confirmed the method of attack and continues to investigate the incident’s scope and effects.
    4. There are reports that Stryker-related credentials were found in infostealer logs for much of 2025, suggesting prior exposure.
    5. The situation remains unclear as Stryker’s investigation is ongoing, with no official verification of the attack method yet.


    New information suggests that the cyberattack affecting Stryker, a major player in medical technology, might have started with stolen credentials obtained through infostealer malware, rather than through a software vulnerability.

    SecurityWeek shared on March 18 that Alon Gal, CTO of Hudson Rock, discovered Stryker administrator credentials within infostealer logs. These logs also contained other credentials related to Microsoft services and mobile device management linked to Stryker.

    Lack of Confirmation

    However, this is not a forensic conclusion, and Stryker has yet to verify this method of attack. In a filing with the SEC on March 11, the company acknowledged a cybersecurity incident impacting specific IT systems that resulted in a worldwide disruption to its Microsoft environment. At that time, Stryker indicated there was no evidence of ransomware or malware, and investigations were still in progress.

    New Insights on Attack Method

    Recent reports are significant because they present a detailed theory regarding how attackers might have accessed Stryker’s systems. Earlier, SecurityWeek had mentioned that the attackers could have exploited Stryker’s Microsoft Intune environment after breaching an administrator account, then created a new global admin account that was allegedly used to erase managed devices.

    Hudson Rock’s findings offer a potential upstream explanation: the credentials may have been circulating in infostealer logs prior to the cyber incident. Gal noted that the credentials connected to Stryker seemed to be several months or even years old, indicating that the exposure period might have started long before the incident on March 11.

    Ongoing Investigation

    In addition, a post from Lunar Cyber on March 12 mentioned that it spotted Stryker-related credentials in infostealer logs for much of 2025, revealing around 14 compromised credential sets for Microsoft 365 and other third-party portals.

    While this does not prove that the credentials were utilized in the breach, it does bolster the likelihood that Stryker-related access data was exposed prior to the incident being made public. Stryker’s filing continues to assert that the complete scope, nature, and effects of the incident are still unclear.

    At this point, the best way to understand the situation is that new reports have connected the Stryker breach to possibly stolen credentials. However, Stryker’s investigation is ongoing, and the precise method of intrusion has not been officially verified.
