Stryker Attack Leveraged Intune to Remotely Wipe Employee Devices

The cyberattack on medical technology firm Stryker last week involved threat actors using Microsoft Intune to remotely erase tens of thousands of employee devices without deploying any malware. The intrusion targeted Stryker's internal Microsoft corporate environment exclusively, leaving all medical devices and patient-care technologies unaffected and safe for continued use. The attacker compromised an administrator account and created a new Global Administrator account before executing wipe commands between 5:00 and 8:00 a.m. UTC on March 11.

The Handala hacktivist group, believed to have Iranian connections, claimed responsibility for the attack and alleged they wiped over 200,000 systems and stole 50 terabytes of data. However, investigators from Microsoft's DART team and Palo Alto Unit 42 found no evidence supporting the data theft claims. Some employees reported that personally owned devices enrolled in the company network also lost personal data during the remote wiping process.

Stryker confirmed that electronic ordering systems remain offline, requiring customers to place orders manually through sales representatives while restoration efforts focus on resuming shipping and transactional services. The company emphasized that this was not a ransomware attack and that all products across their global portfolio remain safe to use. Orders placed before the attack will be honored as systems are restored, and those submitted during the disruption will be processed once infrastructure recovery is complete. Stryker continues working with global manufacturing sites to address operational impacts while prioritizing supply-chain system restoration.
