Medical giant Stryker crippled after Iranian hackers remotely wipe computers


A major cyberattack on US medical supplies giant Stryker has resulted in thousands of devices being remotely wiped, after a pro-Iranian hacking group may have compromised the company’s Microsoft Intune management system.

Details remain sketchy, but what appears to have happened on Wednesday at one of the world’s largest medical supplies companies could, if confirmed, yet rival the scale of the infamous 2012 Shamoon incident in which 30,000 computers belonging to Saudi Aramco were wiped. Stryker has 56,000 employees worldwide.

In Ireland, thousands of Stryker employees were unable to log into their computers, while others around the globe took to Reddit and X to complain that multiple devices had been wiped.

‘No indication of malware’

“At this time, there is no indication of malware or ransomware and we believe the situation is contained to our internal Microsoft environment only,” read the company’s Thursday update.

A day earlier, the severity of the ongoing disruption caused Stryker to file a more detailed report with the US Securities and Exchange Commission (SEC).

“The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company’s information systems and business applications,” Stryker said. “While the Company is working diligently to restore affected functions and systems access, the timeline for a full restoration is not yet known.”

Such a filing is only a requirement where a publicly-traded company suffers an attack that investors might consider to be materially significant.

The fact that multiple devices were affected, including BYOD mobile devices, points to a compromise of the company’s Microsoft Intune management system. While this has not been confirmed, a successful Intune compromise would have allowed the attackers to wipe devices remotely, without having to deploy malware.
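As an added illustration from the defender's side (not part of the original article, and not Stryker's or Microsoft's code), the following Python sketch shows the kind of check that would surface this abuse in device-management audit logs: one identity issuing many wipe-type actions inside a short window, which is how a compromised admin account looks in telemetry even when no malware is deployed. The record field names and the sample events are constructed assumptions, not a verified Intune schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (assumed field names, not a real export).
SAMPLE_EVENTS = [
    {"time": f"2026-03-18T09:0{i}:00Z", "action": "wipe ManagedDevice",
     "actor": "admin.one@example.com", "device": f"LAPTOP-{i:04d}"}
    for i in range(6)                                    # six wipes in six minutes
] + [
    {"time": "2026-03-18T09:30:00Z", "action": "wipe ManagedDevice",
     "actor": "helpdesk@example.com", "device": "PHONE-0042"},   # one lost phone
    {"time": "2026-03-18T09:31:00Z", "action": "patch ManagedDevice",
     "actor": "admin.one@example.com", "device": "LAPTOP-0099"}, # not a wipe
]

WIPE_KEYWORDS = ("wipe", "retire", "delete")   # assumed action keywords


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def is_wipe(event):
    return any(k in event["action"].lower() for k in WIPE_KEYWORDS)


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak_count} for each actor whose wipe-type actions reach
    `threshold` inside any sliding `window`. A single lost-device wipe is routine;
    many in minutes from one identity is a compromised-admin signal."""
    times_by_actor = defaultdict(list)
    for event in events:
        if is_wipe(event):
            times_by_actor[event["actor"]].append(parse_time(event["time"]))
    flagged = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:    # slide window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


if __name__ == "__main__":
    print(detect_mass_wipe(SAMPLE_EVENTS))   # {'admin.one@example.com': 6}
```

Tune the threshold to the normal rate of lost-device wipes in your tenant; the point is that bulk wipes should page a human, not just land in a log.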

Handala claims credit

The Handala threat group quickly claimed responsibility for the attack. While the group’s involvement is just a claim for now, Stryker employees reportedly saw a version of the Handala logo – a cartoon of a Palestinian boy with his back turned and hands crossed behind him – on affected devices.

Handala’s identity is hard to ascertain. Palo Alto has connected it to Iran’s Ministry of Intelligence and Security (MOIS) via a second identity, Void Manticore. Other security vendors use different names, including Banished Kitten and Storm-842.

The group’s political motivation is less mysterious. In a website statement, the group styled the cyberattack as a response to the February 28 attack on a school in the Iranian city of Minab, which killed up to 170 children and adults.

“We announce to the world that in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success,” it said. “In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted.”

Critical flaw

If Intune was the route to compromise, the first job for Stryker’s forensics team will be to work out how attackers got into the system.

“Stryker uses Entra for authentication, which integrates everything into this with single sign-on, including the software that builds and updates all devices, including servers, laptops, and phones,” commented Rob Demain, CEO of managed security company e2e-assure.

“This is a best practice design pattern, but with a critical flaw: if it’s compromised, the attacker has access to wipe all devices, which seems to be what has happened here. Initial access is likely to be via credential theft, typically Adversary-in-the-Middle (AitM).”

Compromising such a critical system suggests a significant security failure, said Jon Abbott, CEO and co-founder of security management company ThreatAware.

“The attackers have either tricked the helpdesk into resetting admin credentials, as we saw with the Scattered Spider attacks, taken over an admin’s machine, or spear-phished an admin directly,” said Abbott.

“It seems unlikely the attackers could have pulled this off without someone making a critical basic mistake. Anyone granting access to an admin account needs to step up their verification checks. Many of our clients now require three-way video calls before resetting admin credentials, bringing together the admin, their manager, and the service desk operator.”

Security companies predicted that pro-Iranian groups would target US companies with wiping attacks when the war started. This is a rise in threat level with a clear message: Iranian nation state actors are now aggressively targeting US companies and their supply chains, and will spare nobody. Every weakness and mistake will be leveraged.