The Last Word

Medtech Cybersecurity Enters a ‘New Era’

The days of quick, “hit-and-run” cyberattacks may indeed be waning, as hackers no longer need to rely solely on ransomware or custom malware.

Author Image

By: Michael Barbella

Managing Editor

Photo: Daria/stock.adobe.com

For want of a nail, the kingdom was lost…for the choice of attack, a frailty was found. 

It arrived without warning—as ambushes often do—quietly, almost imperceptibly, aimed directly at the heart of operations. It was the cruelest kind of ambush: one that was conducted under the mask of familiarity, and its devastation was both sweeping and severe.

The damage stemmed from a routine software command that, in the wrong hands, became a weapon of mass disruption.

Select Wipe.

Thus began an operational nightmare for Stryker Corp. that has yet to completely dissipate.

The ordeal began in the early hours of March 11, after the multinational firm discovered that hackers had breached its digital network and accessed a cloud-based device management platform to wipe data from internal network servers, desktop computers, and mobile phones. 

The pro-Palestinian group Handala—widely believed to operate as a front for Iran’s Ministry of Intelligence and Security—quickly claimed responsibility for the cyberattack, describing it as retaliation for a first-day strike in the Iran War that killed 156 people, including 120 schoolchildren. Handala reportedly targeted Stryker for its role in the “global Zionist lobby.” 

“The Zionist-rooted corporation, Stryker, one of the key arms of the global Zionist lobby and a central ring in the ‘New Epstein’ chain, has been struck with an unprecedented blow,” Handala stated in its social media post about the attack. “Stryker’s offices in 79 countries have been forced to shut down. All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption.”

Handala measured the success of its attack by the wreckage it left behind at Stryker: more than 200,000 systems and devices wiped clean or reset, and roughly 50 terabytes of stolen data, including potentially sensitive corporate and R&D information.

Stryker never substantiated Handala’s numeric claims, emphasizing instead that none of its products were compromised in the attack. “This event was contained to Stryker’s internal Microsoft environment, and as a result it did not affect any of our products…Stryker, much like any Fortune 300 company, has embedded policies and procedures for cybersecurity assurances for our products in the field. This process at Stryker provides additional assurances that no potential vulnerabilities or risk of exploitation related to our connected products exist.” 

Clearly, Stryker’s products were insulated from malevolent exploitation, but its network remained vulnerable. Published reports cited employee accounts of real-time device disabling, Microsoft server inaccessibility, and Handala branding on some login screens. One media outlet said up to 95% of devices in some Stryker departments were erased before anyone could react. 

Stryker’s investigation found no evidence of ransomware or malware, suggesting the incident was intended solely to destroy data rather than extort money from the company. Neither Stryker nor the various U.S. agencies investigating the attack disclosed Handala’s strategy for gaining access to Microsoft Intune (perhaps they’re still unsure?). Global cybersecurity firm Palo Alto Networks, however, suspects the group may have relied on either phishing or infostealer malware to obtain the Intune credentials.

Microsoft Intune is a program used by tens of thousands of companies worldwide to manage and secure employees’ digital devices. Ironically, one of its features is a security measure that allows administrators to remotely wipe data from a device (in case it is lost or stolen). Upon gaining access to Intune, Handala used that remote wipe feature to erase data from all digital devices simultaneously.

Although Stryker quickly contained the attack, cybersecurity experts say the incident is indicative of a shift in tactics and intent by potential hackers. Handala itself said as much in its social media post following the Stryker breach: “This is only the beginning of a new chapter in cyber warfare. To all those plotting attacks on the infrastructure of the Axis of Resistance: The era of hit-and-run is over!”

The days of quick, “hit-and-run” cyberattacks may indeed be waning, as hackers no longer need to rely solely on ransomware or custom malware to access secured networks. As Stryker’s experience proved, attackers can hide behind trusted administrative accounts to wreak havoc on a company’s operations.

“The Stryker incident will be referenced in security circles for years—not because it was shocking, but because it was inevitable,” Sabrina Hafner, director of Quality and Marketing for IT consulting, network engineering, and cybersecurity firm Northern Technologies Group, wrote in a March 31 blog. “The combination of identity-based attack techniques and cloud-managed infrastructure has created conditions where a single stolen credential can trigger catastrophic consequences across an entire global organization. No organization is immune to that reality.” 

Even so, recovery remains possible.

Keep Up With Our Content. Subscribe To Orthopedic Design & Technology Newsletters

Topics