
News brief: Stryker recovering after large-scale cyberattack

Check out the latest security news from the Informa TechTarget team.

More than a week after the blistering March 11 cyberattack on Stryker, the Michigan-based medtech company continues to restore systems to resume normal operations. 

The attack, claimed by Iran-linked threat actor Handala, affected the company's ordering, processing, shipping and manufacturing. In a post on X, Handala asserted that it wiped data from 200,000 systems, servers, laptops and mobile devices, stealing 50 TB of data and forcing offices in 79 countries to close. The post claimed, "All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity." 

Representatives for Stryker maintained that no malware or ransomware was involved, and that the incident was contained to the company's internal Microsoft environment. Security experts have since raised concerns about endpoint management tools such as Microsoft Intune, which was used during the attack. 
 
This week's news shows that any organization can be hit by a cyberattack, and it emphasizes the need for security teams to focus not only on prevention, but also on proactive disaster recovery (DR) efforts that, in a worst-case scenario, can swiftly restore systems and help ensure business continuity.

Stryker's manufacturing, shipping disrupted after cyberattack 

The cyberattack on Stryker disrupted the company's manufacturing and shipping operations, raising concerns about the ripple effects of such incidents on supply chains. The disruption underscores the vulnerability of critical operational systems to cyberthreats and the growing risks for manufacturers reliant on interconnected systems. 
 
Stryker stated, "We are working diligently to restore our systems and, above all, we are committed to ensuring our customers can continue to deliver seamless patient care." 

Stryker attack raises concerns about role of device management tools 

The Stryker cyberattack exposed security concerns about Microsoft Intune, a widely used device management tool. Handala hackers used Intune to remotely wipe data from thousands of devices, disrupting Stryker's internal operations. 

Researchers from anti-ransomware vendor Halcyon reported that the payload used by the attackers included remote wipe commands, which deleted data from affected devices. To conduct such an attack, the researchers said, the malicious actor would need Intune administrator or global administrator privileges. While Stryker confirmed that its medical devices and patient services remained unaffected, the attack underscores significant concerns about the security of device management tools. 

Stryker's outage is a DR wake-up call 

The Stryker outage serves as a stark reminder of the importance of DR planning. The attack highlighted gaps in preparedness and the critical need for resilient recovery strategies. 

The incident also underscores the need for enterprises to reassess their DR frameworks to mitigate operational and reputational damage. Global organizations such as Stryker are susceptible to significant damage from attacks because their data tends to be fragmented and complex, which can slow recovery after an incident. 

Stryker begins restoring systems after cyberattack 

According to a company statement, recovery efforts at Stryker are "progressing steadily." The medical device manufacturer reported that the incident has been contained and that it has implemented measures to address the delays caused by the event, though it has not disclosed specific details about the attack or its origins. 

Stryker did not provide a timeline for the full resumption of operations. A spokesperson for the company said, "We are actively bringing our systems back online and are prioritizing systems that directly support customers, ordering and shipping." 

CISA urges enhanced endpoint security 

CISA has called on U.S. organizations to strengthen endpoint security following the Stryker cyberattack. In collaboration with Microsoft and Stryker, CISA advised implementing role-based access control, privileged identity management, phishing-resistant MFA and secondary administrative approval for high-level changes. 
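The Halcyon finding above (remote wipe commands issued by an account holding Intune or global administrator rights) and CISA's advice point to the same detection gap: a legitimate admin identity issuing an unusual burst of destructive device actions. The following is an added example, not code from Stryker, Microsoft, Halcyon or CISA, showing a simple per-actor sliding-window detector over a constructed, simplified audit-event format (the field names `ts`, `actor`, `action` and `device` are assumptions, not Intune's real log schema).

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (simplified, not Intune's real schema).
# admin-a issues a burst of wipes; admin-b performs spaced-out routine work.
SAMPLE_LOG = """\
{"ts": "2026-03-11T02:00:00Z", "actor": "admin-a@example.com", "action": "wipe", "device": "LAPTOP-001"}
{"ts": "2026-03-11T02:00:05Z", "actor": "admin-a@example.com", "action": "wipe", "device": "LAPTOP-002"}
{"ts": "2026-03-11T02:00:09Z", "actor": "admin-a@example.com", "action": "wipe", "device": "LAPTOP-003"}
{"ts": "2026-03-11T02:00:12Z", "actor": "admin-a@example.com", "action": "wipe", "device": "LAPTOP-004"}
{"ts": "2026-03-11T02:00:20Z", "actor": "admin-a@example.com", "action": "wipe", "device": "LAPTOP-005"}
{"ts": "2026-03-11T02:00:30Z", "actor": "admin-b@example.com", "action": "wipe", "device": "LAPTOP-900"}
{"ts": "2026-03-11T02:10:00Z", "actor": "admin-b@example.com", "action": "sync", "device": "LAPTOP-901"}
{"ts": "2026-03-11T09:15:00Z", "actor": "admin-b@example.com", "action": "wipe", "device": "LAPTOP-902"}
"""

# Actions that destroy data or remove management; the set is an assumption.
DESTRUCTIVE = {"wipe", "retire"}


def detect_bulk_wipes(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return {actor: peak_count} for every actor that issued at least
    `threshold` destructive actions inside any span of length `window`.
    Events must be in chronological order (a sliding window per actor)."""
    recent = defaultdict(deque)   # actor -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["action"] not in DESTRUCTIVE:
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        q = recent[ev["actor"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["actor"]] = max(flagged.get(ev["actor"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for actor, n in detect_bulk_wipes(SAMPLE_LOG).items():
        print(f"ALERT: {actor} issued {n} destructive device actions within 5 minutes")
```

In production the threshold would be tuned against the tenant's normal decommissioning rate, and an alert would feed the secondary-approval workflow CISA recommends rather than only a log line.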

Editor's note: An editor used AI tools to aid in the generation of this news brief. Our expert editors always review and edit content before publishing.

Richard Livingston is an editor with Informa TechTarget’s SearchSecurity site, covering cybersecurity news, trends and analysis. 
