Devastating Stryker Attack Erases Thousands of Devices Without Malware

An unprecedented cyberattack targeted medical technology giant Stryker last week, resulting in the remote wiping of tens of thousands of employee devices within its internal Microsoft environment.

Despite the significant impact on its electronic ordering systems, Stryker says its medical devices are safe to use. However, because the ordering systems are offline, customers currently have to place orders manually through sales representatives.

It is important to note that the cyber incident at Stryker was not classified as a ransomware attack, and no malware was deployed by the threat actor on the company’s systems.

The attack on Stryker was attributed to the Handala hacktivist group, allegedly linked to Iran, which claimed to have wiped out “over 200,000 systems, servers, and mobile devices” and accessed 50 terabytes of data. Nevertheless, investigations did not find evidence of data exfiltration.

Following the disruption, Stryker employees worldwide reported the remote wiping of their managed devices overnight, with some individuals losing personal data from their personal devices connected to the company network.

Hackers Exploited Global Admin Privileges

According to sources familiar with the incident, the threat actor utilized the wipe command in Intune, Microsoft’s cloud-based endpoint management service, to erase data from nearly 80,000 devices between 5:00 and 8:00 a.m. UTC on March 11. The attacker gained access by compromising an administrator account and creating a new Global Administrator account.
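The sequence described above (a newly created Global Administrator followed by a burst of wipe commands) is something defenders can alert on. The following is an added example, not code from Stryker, Microsoft or the investigators; the record schema, action labels, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

ROLE_GRANT = "role_assigned:Global Administrator"  # hypothetical action label
WIPE = "device_wipe"                                # hypothetical action label

def event(ts, actor, action, target):
    """Build one simplified audit record (constructed schema, not a vendor export)."""
    return {"time": datetime.fromisoformat(ts), "actor": actor,
            "action": action, "target": target}

def build_sample():
    """Constructed data: a fresh admin issues 30 wipes 10 s apart; helpdesk issues 3."""
    t0 = datetime.fromisoformat("2030-01-01T05:00:00")
    evs = [event("2030-01-01T04:40:00", "admin1@example.test", ROLE_GRANT,
                 "newadmin@example.test")]
    for i in range(30):
        evs.append({"time": t0 + timedelta(seconds=10 * i), "actor": "newadmin@example.test",
                    "action": WIPE, "target": f"device-{i:03d}"})
    for hour in ("09", "13", "16"):
        evs.append(event(f"2030-01-01T{hour}:00:00", "helpdesk@example.test", WIPE,
                         f"lost-phone-{hour}"))
    return evs

def detect_mass_wipe(events, threshold=20, window=timedelta(minutes=10),
                     new_admin_age=timedelta(hours=24)):
    """Alert once per actor who issues >= threshold wipes inside a sliding window."""
    granted, recent, alerted, alerts = {}, {}, set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] == ROLE_GRANT:
            granted[ev["target"]] = ev["time"]      # who was elevated, and when
        elif ev["action"] == WIPE:
            q = recent.setdefault(ev["actor"], deque())
            q.append(ev["time"])
            while ev["time"] - q[0] > window:       # drop wipes older than the window
                q.popleft()
            if len(q) >= threshold and ev["actor"] not in alerted:
                alerted.add(ev["actor"])
                g = granted.get(ev["actor"])
                alerts.append({"actor": ev["actor"], "time": ev["time"],
                               "wipes_in_window": len(q),
                               "new_global_admin": g is not None
                               and timedelta(0) <= ev["time"] - g <= new_admin_age})
    return alerts

if __name__ == "__main__":
    for alert in detect_mass_wipe(build_sample()):
        print(alert)
```

On the constructed data the alert fires at the twentieth wipe, a little over three minutes into the burst, while the three routine helpdesk wipes spread across the day stay below the threshold.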

The investigation into the cyberattack is being led by the Microsoft Detection and Response Team (DART) in conjunction with cybersecurity experts from Palo Alto Unit 42.

Stryker emphasizes that the attack affected only its internal Microsoft corporate environment and did not impact any of its products, and that all Stryker products, including connected and digital technologies, are safe to use.

Efforts are underway to restore operations, focusing on resuming shipping and transactional services. Customers are advised to stay in communication with company representatives during the recovery process.

Any orders placed before the cyber incident will be fulfilled as systems are restored. Orders made during the disruption will be processed once systems are back online and supply chains return to normal operations.

Stryker is collaborating with its global manufacturing sites to address any potential operational disruptions resulting from the cyberattack.

The primary objective for Stryker currently is to restore the supply chain system and resume customer orders and shipping services. The company assures that its core transactional systems are on track for full recovery.
