Medical technology company Stryker has provided an update on its investigation into a recent cyberattack attributed to Iran-linked actors, announcing that it has identified a malicious file used by the attackers. This development marks a significant step in understanding the breach.
Details of the Cyberattack
First discovered on March 11, the cyberattack was claimed by the hacker group Handala, which is believed to be associated with Iran's Ministry of Intelligence and Security (MOIS). The group claimed to have erased data from over 200,000 devices, and Stryker closed offices globally in response.
Initial reports suggested that Handala had used wiper malware, a known tactic of the group. However, Stryker's investigation found no traces of traditional malware or ransomware in its networks.
Investigation Findings and Methods
According to Stryker, the attackers likely compromised systems by abusing its Microsoft Intune deployment, the device management service that already had the authority to remotely manage devices and applications across the company, rather than by planting their own remote-access tooling. Access to that console may have been gained with credentials harvested by infostealer malware.
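When an attacker holds valid MDM admin credentials, the destructive actions they issue are ordinary, authorised console operations, so the signal to hunt for is not a malware signature but a burst of wipe, retire or delete actions from one account. The script below, an added example and not Stryker's, Unit 42's or Microsoft's code, runs that sliding-window check over a constructed set of audit events; the record layout, field names and action names are assumptions that approximate the shape of an MDM audit export and should be mapped to your own tenant's log format.

```python
"""Detect bulk remote-wipe activity in MDM (e.g. Intune) audit events.

Added example: not Stryker's, Unit 42's or Microsoft's code. The event
records, field names and action names are constructed assumptions that
approximate the shape of MDM audit logs; map them to your own export.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Actions that destroy or detach a managed device. Legitimate admins rarely
# issue these in bulk; a burst from one account is the signal to look for.
DESTRUCTIVE_ACTIONS = {
    "Wipe ManagedDevice",
    "Retire ManagedDevice",
    "Delete ManagedDevice",
}


def _build_sample_events():
    """Constructed audit events (not real Stryker data)."""
    day = datetime(2025, 3, 11, tzinfo=timezone.utc)
    events = []
    # Routine helpdesk activity: one retire per hour across a workday.
    for i in range(5):
        events.append({
            "time": (day + timedelta(hours=9 + i)).isoformat(),
            "actor": "helpdesk@example.test",
            "activity": "Retire ManagedDevice",
            "device": f"LT-{100 + i}",
        })
    # Harmless configuration churn that must not count as destructive.
    for i in range(3):
        events.append({
            "time": (day + timedelta(hours=10, minutes=i)).isoformat(),
            "actor": "helpdesk@example.test",
            "activity": "Update DeviceConfiguration",
            "device": f"LT-{200 + i}",
        })
    # The burst: one account wipes 60 devices in under ten minutes.
    for i in range(60):
        events.append({
            "time": (day + timedelta(hours=2, seconds=10 * i)).isoformat(),
            "actor": "svc-intune-admin@example.test",
            "activity": "Wipe ManagedDevice",
            "device": f"WS-{300 + i}",
        })
    return events


SAMPLE_EVENTS = _build_sample_events()


def _parse_time(value):
    """Parse an ISO-8601 timestamp; accept a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_bulk_wipes(events, window=timedelta(minutes=30), threshold=20):
    """Return one alert per actor who issued at least `threshold`
    destructive actions within any single sliding window of `window`."""
    by_actor = defaultdict(list)
    for event in events:
        if event["activity"] in DESTRUCTIVE_ACTIONS:
            by_actor[event["actor"]].append(_parse_time(event["time"]))

    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until it spans at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "actor": actor,
                "max_in_window": peak,
                "total": len(times),
                "first": times[0].isoformat(),
                "last": times[-1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_wipes(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['max_in_window']} destructive "
              f"actions in one 30-minute window "
              f"({alert['first']} .. {alert['last']})")
```

On the constructed data the helpdesk account's five retires spread over five hours never exceed one per window, while the service account's 60 wipes in ten minutes produce a single alert. The threshold and window should be tuned to a tenant's normal decommissioning rate, and because the article's suspected entry vector is stolen credentials, the alert is most useful when joined against the sign-in log for the same account to see where the session originated.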
The attack significantly affected Stryker’s operations, including order processing, manufacturing, and shipping. The company indicated that substantial progress has been made in system restoration efforts.
Stryker, in collaboration with Palo Alto Networks Unit 42 and other cybersecurity experts, identified a malicious file that allowed the attackers to execute commands and remain undetected. This file, however, did not have the capability to propagate within or outside Stryker’s environment.
Security Measures and Government Involvement
Stryker emphasized that no malicious activity was directed at its customers, suppliers, or partners. The findings suggest the use of customized tools by the hackers rather than reliance on pre-existing malware.
The US government has officially recognized Handala’s connection to Iran’s MOIS, taking down several websites linked to the group. The FBI has issued alerts on the types of malware used by MOIS-affiliated hackers, including those masquerading as legitimate applications.
Stryker is working with US authorities on the investigation, but the FBI's malware descriptions may not apply directly to this case, since Stryker has found no conventional malware or ransomware in its environment, only the custom file described above.
As Stryker continues to work towards full recovery, the company remains vigilant, taking lessons from the investigation to bolster its cybersecurity measures against future threats.
