Recent findings indicate that Iranian hackers utilized compromised credentials obtained through infostealer malware in a significant cyberattack on Stryker, a leading US medical technology company. The breach, which surfaced on March 11, was attributed to the hacker group Handala, known for its ties to Iran’s Ministry of Intelligence and Security (MOIS).
Stryker, renowned for its production of surgical equipment and orthopedic implants, faced substantial disruption after Handala claimed responsibility for the attack. The group claimed to have wiped over 200,000 devices, forcing the company to close offices across numerous countries. The hackers also claimed to have stolen data.
Details of the Stryker Cyberattack
Initial reports suggested the use of wiper malware, a tactic previously associated with Handala. However, Stryker confirmed that no such malware was found in their systems. Instead, it appears the attackers exploited Stryker’s Microsoft Intune platform, used for managing desktop and mobile devices, to erase data.
According to Bleeping Computer, the hackers managed to compromise an Intune administrator account and subsequently created a global admin account, which facilitated the device wipe. This method underscores the importance of securing administrative access within organizations.
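The sequence described above (an existing MDM administrator account grants a new account Global Administrator, and that account then issues mass device wipes) is exactly the kind of chain an organization can watch for in its identity and MDM audit logs. The following is an added example, not code from the article or from Stryker or Microsoft: it runs a simple correlation over a constructed audit trail. The field names (`source`, `activity`, `actor`, `target`, `role`), the tenant `example.test`, the account names and the device names are all assumptions chosen for illustration and are simplified relative to the real Microsoft Graph audit schema.

```python
"""Detect a privileged-role grant followed by a burst of MDM device wipes.

Added example; the records below are constructed and use simplified field
names (an assumption), not the exact Microsoft Graph audit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Roles whose assignment should always be reviewed.
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}


def _ts(s):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _event(time, source, activity, actor, target, role=None):
    return {"time": time, "source": source, "activity": activity,
            "actor": actor, "target": target, "role": role}


# Constructed sample audit trail for a hypothetical tenant (example.test).
SAMPLE_EVENTS = [
    # Routine single wipe by the helpdesk earlier the same night (benign).
    _event("2025-03-11T00:30:00Z", "intune", "Wipe ManagedDevice",
           "helpdesk@example.test", "LAPTOP-0099"),
    # A compromised MDM admin grants a brand-new account Global Administrator.
    _event("2025-03-11T01:02:00Z", "entra", "Add member to role",
           "mdm-admin@example.test", "new-ga@example.test", "Global Administrator"),
] + [
    # Eight wipes in under ten minutes by the newly created global admin.
    _event(f"2025-03-11T01:1{i}:00Z", "intune", "Wipe ManagedDevice",
           "new-ga@example.test", f"LAPTOP-000{i}")
    for i in range(8)
]


def find_privileged_role_grants(events, roles=PRIVILEGED_ROLES):
    """Return identity-audit events that add a member to a privileged role."""
    return [e for e in events
            if e["source"] == "entra"
            and e["activity"] == "Add member to role"
            and e["role"] in roles]


def find_wipe_bursts(events, window=timedelta(minutes=15), threshold=5):
    """Return (actor, total_wipes, first, last) for every actor who issued at
    least `threshold` wipes inside any sliding window of length `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["source"] == "intune" and e["activity"] == "Wipe ManagedDevice":
            by_actor[e["actor"]].append(_ts(e["time"]))
    bursts = []
    for actor, times in by_actor.items():
        times.sort()
        start, tripped = 0, False
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                tripped = True
                break
        if tripped:
            bursts.append((actor, len(times), times[0], times[-1]))
    return bursts


def correlate(events, lookahead=timedelta(hours=24)):
    """Flag a privileged grant whose new member then performs a wipe burst
    within `lookahead` of the grant: the chain the article describes."""
    alerts = []
    bursts = {b[0]: b for b in find_wipe_bursts(events)}
    for grant in find_privileged_role_grants(events):
        burst = bursts.get(grant["target"])
        granted_at = _ts(grant["time"])
        if burst and granted_at <= burst[2] <= granted_at + lookahead:
            alerts.append({"granted_by": grant["actor"], "new_admin": grant["target"],
                           "role": grant["role"], "wipes": burst[1],
                           "first_wipe": burst[2].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The single helpdesk wipe never trips the threshold, so only the newly created account is reported; in practice the role grant alone is worth an alert, and tying it to the subsequent wipes mainly shortens triage. The thresholds are deliberately simple and would be tuned to an organization's normal MDM activity.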
Role of Infostealer Malware
Alon Gal, CTO of Hudson Rock, a threat intelligence firm, uncovered evidence of credentials being obtained via infostealer malware. Analysis of malware logs revealed that credentials for Stryker’s administrator accounts, along with other Microsoft services and mobile device management credentials, were compromised.
Gal noted that these credentials were not freshly obtained; they were months, if not years, old, suggesting Stryker had ample time to reset them and potentially prevent the breach. This highlights the ongoing risks posed by outdated but still active credentials.
Impact and Response
Stryker reported that the cyberattack affected only its Windows environment, leading to disruptions in order processing, manufacturing, and shipping. The company has been actively restoring impacted systems, prioritizing those crucial for customer service and logistics.
The US cybersecurity agency CISA and the FBI have engaged with Stryker to investigate the incident further. Despite the attack, Stryker assured that all its products remain safe for use, and the presence of sales representatives in medical facilities poses no risk.
While pro-Iranian hackers have intensified attacks against US and Israeli targets, this incident marks one of the most significant breaches against the United States. Handala has been particularly active since the onset of regional conflicts, though its claims often cannot be fully verified.
Notably, Forbes reported the deaths of two Iranian cyber operation leaders in recent airstrikes, which included individuals linked to state-sponsored hacking activities. This development may impact the future operations of groups like Handala.
