Stryker cyberattack: Cyberthreat actor used malicious file to mask intrusion
Stryker revealed that the cyberthreat actor used a malicious file to run commands, enabling them to conceal their activities within Stryker's environment.
Stryker is continuing its restoration efforts after a cyberattack disrupted its operations beginning March 11. In its latest update to customers, Stryker revealed that the cyberthreat actor responsible for the attack used a malicious file to run commands, allowing them to hide their activity within its systems. Previously, Stryker had said that there was no indication of ransomware or malware.
"To be clear, this file was not capable of spreading – either inside or outside of our environment," Stryker said in a March 23 statement on its website. "Most importantly, at no point has our investigation identified malicious activity directed towards our customers, suppliers, vendors or partners."
Stryker engaged Palo Alto Networks Unit 42 to investigate the incident. Unit 42 provided Stryker with a letter detailing its findings, which Stryker published on its site.
"This letter reaffirms our belief that this incident is contained and that analysis has not identified any evidence of the threat actor accessing customer, supplier, vendor and partner systems as a result of this incident," Stryker stated.
According to the letter, dated March 20, Unit 42 was tasked with threat hunting and forensic analysis, containment and eradication, and infrastructure review. Unit 42 said there is no evidence of active, uncontained unauthorized access within the Stryker environment, and that all known indicators of compromise have been addressed.
As previously reported, the cyberthreat actor gained access to Stryker's systems via its Microsoft Intune environment. Unit 42 said that Stryker has worked with Microsoft to recover its identity infrastructure and secure existing accounts.
Additionally, Stryker is working with Unit 42 to rebuild impacted systems from backups. The impacted systems have been isolated from the network to prevent the threat actor from re-entering while the rebuilding efforts continue.
Unit 42 said that it has not identified evidence of unauthorized activity related to this cyberattack since March 11.
"Currently available evidence indicates that the identified unauthorized activity has been contained and the immediate risk to Stryker's operational environment has been mitigated," Unit 42 said.
The company has engaged with the White House's national cyber director, the FBI, HHS, the Cybersecurity and Infrastructure Security Agency and the Health Information Sharing and Analysis Center on investigation and recovery efforts.
"We’re grateful to the government for their efforts to seize domains linked to the purported threat actors. Protecting the healthcare ecosystem against cyber threats is a priority that requires extensive public-private partnership," Stryker said.
"True to our commitment to transparency and a collective cyber defense, we are committed to sharing meaningful intelligence that strengthens the resilience of patient care worldwide."
Stryker noted that manufacturing capability is ramping up quickly as operations stabilize and plants are brought back online.
"This is a 24/7 effort and the first priority of our entire organization," Stryker said.
Jill Hughes has covered health tech news since 2021.