What happened
Stryker restored most manufacturing operations after a March 11 cyberattack disrupted its internal Microsoft environment and affected order processing, shipping, and manufacturing across the company. The company said its electronic ordering system has now been restored for customers and that operations are steadily improving toward full capacity, though it has not given a timeline for full recovery. In a March 23 filing, Stryker said its investigation with cybersecurity experts, including Palo Alto Networks’ Unit 42, found that a threat actor used a malicious file to run commands and hide activity inside the company’s systems. Stryker also said the file was not capable of spreading either inside or outside its environment. As of that filing, the company said it had not identified malicious activity directed at customers, suppliers, vendors, or partners.
Who is affected
The direct impact fell on Stryker operations, particularly manufacturing, ordering, and shipping systems disrupted by the attack. Stryker said its electronic ordering system for customers has been restored, and as of its March 23 filing, the company had not identified malicious activity directed toward customers, suppliers, vendors, or partners.
Why CISOs should care
This incident matters because it shows how a single malicious file used for command execution and concealment can disrupt manufacturing and fulfillment operations without any self-spreading component: the disruption came from an intruder running commands inside the internal Microsoft environment, not from worm-like propagation. It also highlights the importance of clearly distinguishing between internal operational disruption and any evidence of downstream malicious activity affecting customers or third parties. Note that Stryker's statement that the file could not spread describes the file itself, not the actor's reach; on third-party exposure the company has said only that it had not identified malicious activity directed at customers, suppliers, vendors, or partners as of the March 23 filing.
3 practical actions
- Separate propagation risk from operational impact: Make sure incident assessments state separately whether a malicious file can self-propagate and whether the intrusion it enabled can still materially disrupt manufacturing, ordering, or shipping systems. A non-spreading file that gives an attacker command execution and concealment is still a business-disrupting event.
- Verify third-party impact before broad escalation: Confirm whether any malicious activity actually reached customers, suppliers, vendors, or partners before expanding external-impact claims.
- Use recovery milestones that matter to the business: Track restoration of ordering, manufacturing, and fulfillment systems as core operational recovery benchmarks, not just technical containment milestones.
