
Stryker cyberattack contained, but experts warn repair costs could soar


Michigan-based Stryker said it contained the cyberattack believed to be carried out by the Iran-linked group Handala, according to a March 17 Reuters report.

While the hackers claimed to have wiped more than 200,000 systems, servers, and mobile devices, published reports over the last day said 80,000 employee devices were wiped worldwide.

The attack centers on the attacker gaining access to Stryker’s Microsoft Intune mobile device management (MDM) console and issuing a mass wipe to every enrolled device.

Security experts pointed out that while the attack has been contained, Stryker, a large medical device maker with $22.6 billion in sales, sustained a great deal of financial damage and operations disruption.



Denis Calderone, principal and CTO at Suzu Labs, said Stryker’s IT team can simply reprovision rather than replace most of the 80,000 devices that were wiped, but that's still a massive undertaking.

“They’re looking at re-imaging, re-enrolling in management systems, reinstalling applications, restoring user data where possible,” said Calderone. “Using common TCO calculators, we'd figure the cost per device to reprovision and re-enroll to be somewhere between $300 and $500. At 80,000 devices, that's $24 [million] to $40 million just to get the endpoints back in working order.”

Incident response costs from Microsoft DART and Palo Alto Unit 42 — the team conducting the follow-up investigation — are also expensive, added Calderone, and could easily run several million more. Those costs don't include lost productivity, temporary equipment, and the internal IT overtime required to get all those Stryker employees back online, he continued.

Damon Small, a board member at Xcape, Inc., said the Stryker incident highlighted a terrifying reality for the industry: when an attacker gains Global Administrator privileges, they can execute absolute destruction in minutes that takes months of capital and labor to repair.

“For security professionals, this serves as a stark reminder that ‘containment’ is a hollow victory if the recovery costs and operational downtime already exceed the impact of a traditional data breach,” said Small. “Defenders must move beyond malware detection to enforce strict hardware security keys for administrative accounts and implement ‘break-glass’ protocols that can instantly lock down MDM platforms during anomalous mass-action events.”
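As an illustration of the mass-action lockdown Small describes, the sketch below is an added example, not code from SC Media, Stryker, or Microsoft. It replays MDM audit events and locks any account that issues destructive actions against too many distinct devices inside a short window. The event schema, action names, actor names, and thresholds are assumptions and do not reflect Intune's actual audit log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE = {"wipe", "retire", "delete"}  # assumed action names

def circuit_breaker(events, window=timedelta(minutes=5), max_devices=3):
    """Replay audit events in time order. An actor who targets more than
    max_devices distinct devices with destructive actions inside `window`
    is locked; that action and all later ones from the actor are held."""
    recent = defaultdict(deque)  # actor -> deque of (time, device)
    locked = {}                  # actor -> time the breaker tripped
    allowed, held = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in DESTRUCTIVE:
            continue             # routine actions never count toward the limit
        actor = ev["actor"]
        if actor in locked:
            held.append(ev)
            continue
        q = recent[actor]
        q.append((ev["time"], ev["device"]))
        while q and ev["time"] - q[0][0] > window:
            q.popleft()          # forget actions older than the window
        if len({device for _, device in q}) > max_devices:
            locked[actor] = ev["time"]
            held.append(ev)      # the action that trips the breaker is not run
        else:
            allowed.append(ev)
    return locked, allowed, held

def sample_events():
    """Constructed data: spaced-out helpdesk wipes plus one account bursting."""
    t0 = datetime(2025, 1, 1, 9, 0, 0)
    evs = [
        {"time": t0, "actor": "helpdesk-1", "action": "wipe", "device": "dev-001"},
        {"time": t0 + timedelta(hours=2), "actor": "helpdesk-1",
         "action": "wipe", "device": "dev-002"},
        {"time": t0 + timedelta(hours=3), "actor": "helpdesk-1",
         "action": "sync", "device": "dev-003"},
    ]
    burst = t0 + timedelta(hours=4)
    evs += [{"time": burst + timedelta(seconds=2 * i), "actor": "admin-x",
             "action": "wipe", "device": f"dev-{100 + i:03d}"} for i in range(20)]
    return evs

if __name__ == "__main__":
    locked, allowed, held = circuit_breaker(sample_events())
    for actor, when in locked.items():
        print(f"LOCK {actor} at {when.isoformat()}")
    print(f"executed={len(allowed)} held={len(held)}")
```

In this constructed run the bursting account completes three wipes before the breaker trips, so the threshold sets the worst-case loss per compromised account.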

John Watters, managing partner and CEO at iCOUNTER, added that when a company the size of Stryker says order processing, manufacturing, and shipping were disrupted, we should think beyond IT cleanup.

Watters said IBM pegs the average healthcare breach at $9.77 million, and that’s before we layer in the downstream cost of supply-chain delays, overtime, expedited logistics, and customer disruption.

“This is exactly why third-party and supplier cyber risk has become so consequential,” said Watters. “One successful attack on a critical vendor can create an eight-figure recovery event and ripple into patient-care operations downstream.”

Rajeev Raghunarayan, head of GTM at Averlon, said the real cost in incidents like this isn’t the number of devices impacted. It’s the blast radius: how far the attack spread before it was contained determines whether it stays an IT issue or becomes a broader operational disruption.

“By the time an attack is contained, much of the damage is already done,” said Raghunarayan. “In sectors like healthcare and medical technology, that goes beyond rebuilding systems and restoring operations. It can disrupt supply chains and critical processes where availability directly affects patient care.”
