
Iran-linked group claims wiper attack and takedown of medical device maker Stryker


The pro-Palestinian, Iran-linked group Handala claimed responsibility for a cyberattack on Michigan-based Stryker that disrupted the medical device manufacturer’s network.

In a March 12 statement to its customers, Stryker said it had “no indication that it was malware or ransomware” and the organization believed the situation was contained to the company’s internal Microsoft environment only.

Despite the company’s statement, Handala reportedly claimed it stole 50 terabytes of data and wiped more than 200,000 systems, servers and mobile devices, which it said forced Stryker to shut down its operations.

Denis Calderone, principal and CTO at Suzu Labs, said this cyberattack is the second clear example of U.S. companies with close ties to Israel being targeted since the Iran war started nearly two weeks ago.

Calderone said that last week MuddyWater hit a U.S. defense-aerospace supplier, targeting its Israeli operations, and now Handala has attacked a company with DOD contracts and an Israeli medical-tech acquisition.

“These groups are selecting targets based on Israeli business relationships, and Handala is almost certainly a front for Void Manticore, linked to Iran's Ministry of Intelligence,” said Calderone. “Calling them hacktivists understates what they are.”

Collin Hogue-Spears, senior director of solution management at Black Duck, said this latest operation wiped over 200,000 systems across 79 countries to punish a surgical equipment maker for its U.S. defense ties and its acquisition of the Israeli orthopedic company OrthoSpace Ltd. “The attack was retaliatory, not financial,” said Hogue-Spears.

Hogue-Spears said one technical assessment describes the attacker gaining access to the company's Microsoft Intune console, the mobile device management (MDM) platform that enrolls and controls its entire device fleet, and issuing a mass wipe to every enrolled device.

“The weapon was not custom malware deployed endpoint-by-endpoint,” said Hogue-Spears. “The weapon was the management plane, doing exactly what it was designed to do under adversary control. Handala did not need a zero-day. They needed one set of privileged credentials and the tools Stryker already paid for.”

Duncan Greatwood, chief executive officer at Xage Security, added that the disruption at Stryker marks a significant escalation in the targeting of healthcare infrastructure. Just as we have seen with recent attacks on the energy sector, Greatwood said medical technology leaders are now high-leverage targets where attackers aim to create operational paralysis.

“When a global company responsible for life-saving surgical equipment is disabled in this way, the consequences reach far beyond a typical corporate network,” said Greatwood. “Despite the current aerial campaign, the balance of probabilities suggests that the Iranian regime will survive in some form. With its conventional military capabilities having been largely destroyed, the regime is likely to further focus on unconventional means of attacking the United States, including carrying out and sponsoring disruptive cyberattacks.”

Rob Gregory, chief information security officer at Optiv, said the Stryker attack reminds us that cyber incidents don’t always start with malware: they can start with stolen credentials and trusted tools such as Microsoft Intune being turned against the business.

Here are some tips from Gregory on how teams should proceed:

  • Harden privileged access: Protect administrator accounts and management platforms with the highest level of authentication, monitoring, and access restrictions.
  • Monitor for destructive use of legitimate tools: Detect and alert on unusual actions such as mass device wipes, resets, or configuration changes.
  • Plan for destructive, not just ransomware, attacks: Ensure backups, recovery plans, and offline restoration capabilities can support full system and/or endpoint loss.
  • Account for geopolitically motivated threats: Recognize that global organizations may get targeted as part of nation‑state or state‑aligned cyber activity, regardless of industry.
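Gregory's second tip, detecting destructive use of a legitimate management tool, is the one that would have surfaced the mass wipe described above. The following is an added example, not code from the article, from Stryker, or from Microsoft: a small Python detector that replays MDM audit events and raises an alert when a single actor issues more than a handful of destructive actions (wipe, retire, factory reset) inside a short window, while leaving a help-desk operator's occasional single-device wipe alone. The JSON field names, the sample events, the actor and device names and the threshold are all constructed assumptions, not the real Intune audit-log schema; a real deployment would read the tenant's audit export and tune the threshold to the fleet's normal churn.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that are routine for one lost laptop but catastrophic when issued in bulk.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "factoryReset"}

# Assumed detection policy: more than MAX_ACTIONS destructive actions by one
# actor inside WINDOW raises an alert. Tune both to the fleet's normal churn.
MAX_ACTIONS = 3
WINDOW = timedelta(minutes=10)

# Constructed sample audit lines (JSON, one event per line). The field names
# are an assumption for this example, not Microsoft's Intune audit-log schema.
SAMPLE_LOG = """\
{"ts": "2026-03-11T09:00:00", "actor": "helpdesk@corp.example", "action": "wipe", "device": "LAPTOP-0100"}
{"ts": "2026-03-11T09:05:00", "actor": "helpdesk@corp.example", "action": "sync", "device": "LAPTOP-0101"}
{"ts": "2026-03-11T10:30:00", "actor": "helpdesk@corp.example", "action": "retire", "device": "PHONE-0042"}
{"ts": "2026-03-11T11:00:00", "actor": "svc-mdm-admin@corp.example", "action": "wipe", "device": "SRV-0001"}
{"ts": "2026-03-11T11:00:05", "actor": "svc-mdm-admin@corp.example", "action": "wipe", "device": "SRV-0002"}
{"ts": "2026-03-11T11:00:10", "actor": "svc-mdm-admin@corp.example", "action": "wipe", "device": "LAPTOP-0200"}
{"ts": "2026-03-11T11:00:12", "actor": "svc-mdm-admin@corp.example", "action": "sync", "device": "LAPTOP-0201"}
{"ts": "2026-03-11T11:00:15", "actor": "svc-mdm-admin@corp.example", "action": "factoryReset", "device": "PHONE-0300"}
{"ts": "2026-03-11T11:00:20", "actor": "svc-mdm-admin@corp.example", "action": "wipe", "device": "LAPTOP-0202"}
{"ts": "2026-03-11T11:00:25", "actor": "svc-mdm-admin@corp.example", "action": "wipe", "device": "LAPTOP-0203"}
"""


def parse_events(log_text):
    """Parse JSON-lines audit text into dicts with a datetime timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(raw["ts"]),
            "actor": raw["actor"],
            "action": raw["action"],
            "device": raw["device"],
        })
    # Process in time order regardless of how the log was exported.
    return sorted(events, key=lambda e: e["ts"])


def detect_mass_wipe(log_text, max_actions=MAX_ACTIONS, window=WINDOW):
    """Sliding-window count of destructive MDM actions per actor.

    Returns one alert dict per offending actor, recorded at the peak of the
    burst: how many destructive actions and which distinct devices fell
    inside the window, plus the first and last timestamps of that burst.
    """
    recent = defaultdict(deque)   # actor -> deque of (ts, device) inside window
    alerts = {}
    for ev in parse_events(log_text):
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[ev["actor"]]
        q.append((ev["ts"], ev["device"]))
        # Drop actions that have aged out of the window for this actor.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) > max_actions:
            prior = alerts.get(ev["actor"])
            if prior is None or len(q) > prior["count"]:
                alerts[ev["actor"]] = {
                    "actor": ev["actor"],
                    "count": len(q),
                    "devices": sorted({d for _, d in q}),
                    "first": q[0][0],
                    "last": ev["ts"],
                }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_LOG):
        print(f"ALERT {alert['actor']}: {alert['count']} destructive actions on "
              f"{len(alert['devices'])} devices between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

The sliding window is what separates the two cases in the sample: the help-desk account's wipe and retire are more than an hour apart and never accumulate, while the service account's six destructive actions inside 25 seconds trip the threshold on the fourth one. In practice this logic belongs in the SIEM that ingests the MDM audit log, and the alert should page someone with the authority to disable the offending account, since by the time the alert fires the first devices have already received their wipe command.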
