Stryker announced that a cyberattack impacting the company this week has disrupted its manufacturing and shipping operations. The medtech company shared this update Thursday night in a statement posted on its website. While the company did not provide specific details on the attack’s effects on its systems, it confirmed disruptions to order processing, manufacturing, and shipping.
“However, we are working diligently to restore our systems and above all, we are committed to ensuring our customers can continue to deliver seamless patient care,” Stryker stated.
The company emphasized that the incident is contained within its internal Microsoft environment, with no malware or ransomware detected.
In a Thursday filing with the Securities and Exchange Commission, Stryker said it does not believe patient-related services or connected products were affected by the incident.
Dave Nathans, Stryker’s Chief Information Security Officer, provided an update on Thursday to certain customers and members of the cybersecurity community, according to the SEC filing. The company is collaborating with law enforcement and government agencies to share intelligence about the incident.
CEO Kevin Lobo, in a letter to employees posted on LinkedIn Thursday, said Stryker has fully contained the attack and is now in the restoration phase.
J.P. Morgan analysts, who spoke with Stryker about the attack, wrote in a Thursday note to investors that procedures worldwide continued despite the incident. They expressed the view that any impact would likely be minor, though spotty disruptions could occur as systems are restored. They added that if a material impact arises, Stryker is obligated to disclose it once it is estimable and known.
Based in Portage, Michigan, Stryker is a medtech company specializing in surgical equipment and orthopedics, including joint implants and surgical robots. The company employs 56,000 people and operates in 61 countries.
On Wednesday, Stryker identified a cyberattack that caused a global network disruption within its Microsoft environment. The company activated its cybersecurity response plan and launched an investigation with external advisors and cybersecurity experts.
In a Wednesday SEC filing, Stryker stated it was not yet aware of the full scope of the attack’s financial and operational impact. It also noted there is no timeline for full system restoration and it has not determined whether the attack will have a material impact.
The attack has been claimed by an Iran-linked threat actor known as Handala, according to Check Point Research. The group claims to have wiped thousands of servers and mobile devices and exfiltrated 50 terabytes of critical data. It is unknown whether any customer data was affected.
Handala presents itself as a pro-Iran hacktivist group, but researchers at Palo Alto Networks have linked it to the Iranian Ministry of Intelligence and Security.
Handala is among several state-backed or hacktivist groups targeting companies, government agencies, and organizations in Israel, the U.S., and the Persian Gulf region. Their attacks have ranged from phishing and distributed denial-of-service to malware attacks.
Researchers suspect, based on company statements, threat actor claims, and open-source reporting, that the Stryker attack involved abusing Microsoft Intune to deploy a wiper attack capable of bypassing traditional endpoint security protections.
Halcyon researchers explained that the attack used an Intune base64-encoded string to affect all phones and workstations. Johnny Collins, Director of Intelligence Operations at Halcyon, said via email, “Intune is a device management component of Microsoft used to push software or manage devices that are usually base64-encoded. In this case, the encoded payload contained remote wipe commands, effectively wiping the affected devices.”
A Microsoft spokesperson declined to comment on Thursday but said the company would provide updates if additional information becomes available.
The Cybersecurity and Infrastructure Security Agency (CISA) announced on Thursday that it is investigating the Stryker incident.