Medical device firm Stryker supplied a fuller account of its latest cyber incident in a notice to the Securities and Exchange Commission (SEC) on Wednesday night.
The attack came to light on Wednesday morning after employees took to social media to complain of phones, laptops and computers that had been wiped of all data. The company's 5,500 employees were locked out of company systems across Ireland, the US, Australia and India.
In an 8-K filing with the SEC, Stryker confirmed that the cyberattack caused a global disruption to the company's Microsoft environment and said external cybersecurity experts had been brought in to "assess and to contain the threat."
"The incident has caused, and is expected to continue to cause, disruptions and limitations of access to certain of the Company's information systems and business applications supporting aspects of the Company's operations and corporate functions," company officials said.
"While the Company is working diligently to restore affected capabilities and systems access, the timeline for a full restoration is not yet known. The Company has business continuity measures in place to continue to support its customers and partners."
Stryker said it is still unclear whether the cyberattack will have financial impacts on the company. It is one of the largest medical device makers in the U.S., reporting more than $25 billion in revenue last year.
The SEC filing reiterates that the incident did not involve ransomware or malware. Several cybersecurity experts said it is likely that the hackers behind the attack used the native features and tooling in Microsoft Intune to cause the damage.
Microsoft Intune is a cloud-based unified endpoint management system that allows teams to secure and manage access to organizational resources across Windows, macOS, Linux, iOS and Android devices.
Employees of Stryker reported that all of their devices enrolled in Microsoft Intune had been wiped.
"What makes the Stryker incident particularly concerning is the apparent use of enterprise management infrastructure — potentially weaponizing Microsoft Intune — to carry out destructive activity at scale," said Kathryn Raines, cyber threat intelligence lead at cybersecurity firm Flashpoint.
Microsoft declined to comment on the situation when contacted by Recorded Future News.
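The scenario the experts describe, legitimate management tooling issuing wipe commands to every enrolled device, leaves a distinctive trace: a burst of destructive operations from one identity in a short window. The script below is an added example written for this article, not code from Stryker, Microsoft or Recorded Future. It mimics the record shape of Microsoft Graph `deviceManagement/auditEvents` (activityType, activityDateTime, actor, resources), but the operation names in DESTRUCTIVE_OPS and every event value are assumptions and constructed sample data to be checked against a real tenant export before use.

```python
"""Flag bursts of destructive Intune operations in an audit-event feed.

Added example, not from the article. Field names follow the Microsoft Graph
deviceManagement/auditEvents resource; the operation names and all sample
records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that remove data or management from a device. Assumed names;
# confirm against the activityType strings your tenant actually emits.
DESTRUCTIVE_OPS = {"wipeManagedDevice", "retireManagedDevice", "deleteManagedDevice"}


def actor_of(event: dict) -> str:
    """Prefer the signed-in user; fall back to the application (service principal)."""
    actor = event.get("actor", {})
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"


def is_destructive(event: dict) -> bool:
    # activityType is assumed to read "<operation> <resourceType>",
    # e.g. "wipeManagedDevice ManagedDevice"; only the operation matters here.
    op = event.get("activityType", "").split(" ")[0]
    return op in DESTRUCTIVE_OPS


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: {"count": n, "devices": [...]}} for every actor that issued
    at least `threshold` destructive operations within any `window`-long span.
    Uses a sliding window over each actor's sorted timestamps."""
    per_actor = defaultdict(list)
    for ev in events:
        if is_destructive(ev):
            devices = [r.get("displayName", "?") for r in ev.get("resources", [])]
            per_actor[actor_of(ev)].append((parse_ts(ev["activityDateTime"]), devices))

    findings = {}
    for actor, items in per_actor.items():
        items.sort(key=lambda x: x[0])
        lo, best = 0, 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1  # drop events that fell out of the window
            best = max(best, hi - lo + 1)
        if best >= threshold:
            findings[actor] = {
                "count": best,
                "devices": sorted(d for _, ds in items for d in ds),
            }
    return findings


def unexpected_actors(events, allowed: set) -> set:
    """Identities that issued destructive operations but are not on the allowlist."""
    return {actor_of(ev) for ev in events if is_destructive(ev)} - allowed


def _ev(ts, op, upn, device):
    """Build one constructed audit record in the Graph auditEvents shape."""
    return {
        "activityDateTime": ts,
        "activityType": f"{op} ManagedDevice",
        "activityResult": "Success",
        "actor": {"userPrincipalName": upn, "applicationDisplayName": "Intune portal"},
        "resources": [{"displayName": device, "type": "ManagedDevice"}],
    }


# Constructed sample: one account wipes six devices in under three minutes,
# a helpdesk account retires one phone and syncs another (benign).
SAMPLE_EVENTS = [
    _ev("2026-01-14T06:00:12Z", "wipeManagedDevice", "svc-deploy@contoso.example", "LAPTOP-0001"),
    _ev("2026-01-14T06:00:40Z", "wipeManagedDevice", "svc-deploy@contoso.example", "LAPTOP-0002"),
    _ev("2026-01-14T06:01:05Z", "wipeManagedDevice", "svc-deploy@contoso.example", "LAPTOP-0003"),
    _ev("2026-01-14T06:01:33Z", "wipeManagedDevice", "svc-deploy@contoso.example", "PHONE-0201"),
    _ev("2026-01-14T06:02:10Z", "wipeManagedDevice", "svc-deploy@contoso.example", "PHONE-0202"),
    _ev("2026-01-14T06:02:58Z", "wipeManagedDevice", "svc-deploy@contoso.example", "MAC-0077"),
    _ev("2026-01-14T09:14:00Z", "retireManagedDevice", "helpdesk@contoso.example", "PHONE-0412"),
    _ev("2026-01-14T09:20:00Z", "syncDevice", "helpdesk@contoso.example", "PHONE-0413"),
]

if __name__ == "__main__":
    for actor, f in find_bursts(SAMPLE_EVENTS).items():
        print(f"BURST {actor}: {f['count']} destructive ops, devices={f['devices']}")
    print("unexpected actors:", unexpected_actors(SAMPLE_EVENTS, {"helpdesk@contoso.example"}))
```

Run over a live export, the threshold and window should be tuned to the tenant's normal retire/wipe rate, and the check should execute from a log copy shipped to a SIEM rather than from the tenant itself, so that an identity with enough Intune privilege to wipe a fleet is not also the identity the detection depends on.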
Handala vs. APT34
The incident appeared to be the first evidence of potential cyber fallout from the war between the U.S. and Iran. Since the beginning of the conflict, experts warned that cyberattacks by both Iranian state-backed groups and hacktivists would likely come as part of the response to airstrikes launched by U.S. and Israeli forces.
Several alleged Iranian groups have defaced websites, conducted relatively minor espionage incursions and launched distributed denial-of-service (DDoS) attacks in recent days, but no major incidents had been reported until the Handala group took credit for the attack against Stryker.
Handala has existed since 2023 and is known to deploy the Hatef wiper malware as well as the Rhadamanthys stealer malware during its attacks, according to cybersecurity firm Optiv.
The group previously focused its efforts on attacking critical targets in Israel, often opting to steal information before launching wiper malware. Optiv said Handala typically gains initial access through phishing emails or by impersonating legitimate organizations.
Handala has made several unverified claims of attacks on organizations since the onset of the conflict with the U.S., including the targeting of government organizations in Jordan and Israel.
Optiv and several other cyber research firms claimed there is significant overlap between Handala and a state-backed group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) known as APT34.
Flashpoint's Raines said they have been tracking Handala for the last year and found that the group presents itself as a grassroots resistance movement. But its tactics and targeting are "far more consistent with activity linked to Iranian state actors than with independent hacktivism."
APT34 was previously accused of increasing its attacks on government agencies in Saudi Arabia, Iraq, the Kurdistan Regional Government, the United Arab Emirates (UAE) and the broader Gulf region between 2023 and 2025.