The cyberattack severely impacting operations at Michigan-based medical technology manufacturer Stryker is a significant escalation of malicious activity related to the U.S. military attacks on Iran. It also demonstrates that cyberattacks against critical manufacturing organizations are as likely to come from opportunistic hacktivist groups sympathetic to geopolitical causes as from state actors.
A hacktivist group known as Handala, sympathetic to Iran, has claimed responsibility for the disruptive Stryker attack that has disabled potentially tens of thousands of internal servers and endpoints, grinding global operations to a halt. Kinetic conflicts commonly motivate threat actors to target critical infrastructure supply chains; this should be particularly concerning to cyber-physical systems (CPS) asset owners and operators.
Given the breadth of legacy technology still present on operational technology (OT) and healthcare networks—including insecure protocols that lack basic security capabilities such as authentication—organizations should be auditing how CPS is connected online. Hacktivist groups are notorious for using low-tech attacks to gain access to networks, using tools such as internet-scanning services to enumerate exposed assets for targeting at scale.
In the case of Stryker, reports indicate that the hacktivists were able to compromise native features in Microsoft Intune, an endpoint management tool that manages access to resources on desktop and mobile devices. According to The Record, Stryker employees reported that all devices with Intune installed had been wiped, indicating that a wipe command was issued through the tool. Stryker added in a statement that it did not believe ransomware or malware was used in the attack, and said the attack had been contained.
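A mass wipe issued through an endpoint management tool leaves a distinctive trail in that tool's own audit log: one administrative identity issuing many wipe actions in a short window. The following detection logic is an added example, not Claroty's or Stryker's code, and not something the page describes. It assumes audit records flattened to four fields (activityDateTime, actor, activityType, deviceName); real Microsoft Graph deviceManagement/auditEvents records nest the actor and resources, so a thin mapping step would be needed. The sample records, the wipe keyword list and the thresholds are all constructed for the example.

```python
"""Burst detection for device-wipe actions in endpoint-management audit logs.

Added illustrative example (not Claroty's or Stryker's code). Field names
follow a flattened form of Intune audit events; the sample events, the
activity keywords and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one admin wipes seven devices within six minutes,
# a helpdesk user wipes one device later, plus routine non-wipe activity.
SAMPLE_EVENTS = [
    {"activityDateTime": f"2026-03-10T09:0{i}:12Z", "actor": "ops-admin@example.test",
     "activityType": "Wipe ManagedDevice", "deviceName": f"LAPTOP-{i:03d}"}
    for i in range(7)
] + [
    {"activityDateTime": "2026-03-10T09:03:40Z", "actor": "ops-admin@example.test",
     "activityType": "Sync ManagedDevice", "deviceName": "LAPTOP-200"},
    {"activityDateTime": "2026-03-10T10:30:00Z", "actor": "helpdesk@example.test",
     "activityType": "Wipe ManagedDevice", "deviceName": "LAPTOP-301"},
    {"activityDateTime": "2026-03-10T11:45:00Z", "actor": "ops-admin@example.test",
     "activityType": "Wipe ManagedDevice", "deviceName": "LAPTOP-302"},
]

# Assumed keywords that mark destructive device actions worth watching.
DESTRUCTIVE_KEYWORDS = ("wipe", "retire")


def parse_time(stamp):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_destructive(event):
    """True when the activity type contains a watched keyword."""
    activity = event["activityType"].lower()
    return any(k in activity for k in DESTRUCTIVE_KEYWORDS)


def detect_wipe_bursts(events, window_minutes=10, threshold=5):
    """Return one alert per actor whose destructive actions within any sliding
    window of `window_minutes` reach `threshold`. Each alert records the
    densest window seen for that actor and the devices inside it."""
    window = timedelta(minutes=window_minutes)
    by_actor = defaultdict(list)
    for e in events:
        if is_destructive(e):
            by_actor[e["actor"]].append((parse_time(e["activityDateTime"]), e["deviceName"]))

    alerts = []
    for actor, actions in by_actor.items():
        actions.sort()
        start, best = 0, None
        for end in range(len(actions)):
            # Slide the window start forward until it spans at most `window`.
            while actions[end][0] - actions[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "actor": actor,
                    "count": count,
                    "start": actions[start][0].isoformat(),
                    "end": actions[end][0].isoformat(),
                    "devices": [d for _, d in actions[start:end + 1]],
                }
        if best:
            alerts.append(best)
    alerts.sort(key=lambda a: -a["count"])
    return alerts


if __name__ == "__main__":
    for alert in detect_wipe_bursts(SAMPLE_EVENTS):
        print(f"{alert['actor']}: {alert['count']} wipes between "
              f"{alert['start']} and {alert['end']} -> {alert['devices']}")
```

The threshold should be tuned to the organization's normal retirement volume; the point of the sliding window is that a legitimate lifecycle batch and a destructive campaign look the same in a single event and only differ in rate and breadth.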
While Stryker is a medical technology manufacturer, the implications of this attack and global outage are applicable across critical infrastructure organizations, especially those heavy in CPS assets. Stryker manufactures devices and equipment used in hospitals including surgical instruments, robotic assisted surgery systems, and hospital beds; the company reports more than $25 billion in annual revenue, and operates globally.
The outage has significantly impacted manufacturing continuity as servers and applications that control production lines have been shut down worldwide. Endpoints were also defaced with the Handala logo. Beyond internal production, the outage also impacts the healthcare supply chain, and inventory levels could soon be diminished; ordering systems are also down, delaying or canceling deliveries.
Handala, meanwhile, said on its website that the Stryker incident was in retaliation for the attack on the elementary school in Minab, Iran that left 175 dead, many of them children. A Wired article suggests that the hacktivist group could be a front for Iran’s Ministry of Intelligence (MOIS). It’s conceivable that this group could be posing as a hacktivist outfit intent on noisy attacks capitalizing on geopolitical conflict. Handala has claimed responsibility for other destructive attacks targeting Israeli interests, including businesses and political agencies.
Since our research indicates that hacktivist groups are intent on leveraging exposed CPS as a network foothold, organizations should be looking at how assets are protected.
Leverage asset inventories to determine which CPS are internet-facing; OT assets at lower levels of the Purdue Model, for example, should not be connected to the public internet. The same applies to legacy medical devices.
Change default, known, or weak credentials; assets should be communicating online behind a purpose-built secure access solution. This lessens the risk posed by these exposures significantly, especially since assets running insecure-by-design OT or healthcare protocols can be easily enumerated online and targeted.
Understand what protocols are transmitting asset data on your networks, and whether they can be securely configured, or whether a compensating control can be applied to reduce the attack surface and lower risk.
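The three recommendations above can be run as one audit over an existing asset inventory. The script below is an added example, not Claroty's or xDome's code. It assumes the inventory has been exported and flattened to the fields shown (asset, kind, purdue_level, internet_exposed, protocols, credentials); the sample inventory and the list of insecure-by-design protocols are constructed for the example and should be replaced with the organization's own data.

```python
"""Exposure audit over a CPS asset inventory.

Added illustrative example, not Claroty's or xDome's code. The inventory
shape, the sample assets and the protocol list are constructed assumptions.
The three checks mirror the recommendations: internet-facing low-level OT
and medical devices, default credentials, and insecure-by-design protocols.
"""

# Protocols that carry no authentication or encryption in their base form
# (assumed list for the example; extend from your own inventory).
INSECURE_PROTOCOLS = {"modbus/tcp", "dnp3", "ethernet/ip", "hl7-mllp",
                      "dicom", "telnet", "ftp", "http"}

# Constructed sample inventory. purdue_level is None for medical devices,
# which sit on clinical networks rather than the Purdue hierarchy.
SAMPLE_INVENTORY = [
    {"asset": "PLC-LINE3-01", "kind": "plc", "purdue_level": 1, "internet_exposed": True,
     "protocols": ["modbus/tcp", "https"], "credentials": "default"},
    {"asset": "HMI-LINE3", "kind": "hmi", "purdue_level": 2, "internet_exposed": False,
     "protocols": ["ethernet/ip"], "credentials": "changed"},
    {"asset": "INFUSION-PUMP-17", "kind": "medical_device", "purdue_level": None,
     "internet_exposed": True, "protocols": ["hl7-mllp"], "credentials": "changed"},
    {"asset": "PACS-GW-01", "kind": "server", "purdue_level": 4, "internet_exposed": True,
     "protocols": ["dicom", "https"], "credentials": "changed"},
    {"asset": "JUMP-HOST-01", "kind": "server", "purdue_level": 3, "internet_exposed": True,
     "protocols": ["https", "ssh"], "credentials": "changed"},
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def audit_asset(asset):
    """Return a list of (severity, finding) tuples for one asset."""
    findings = []
    exposed = asset["internet_exposed"]
    low_level_ot = asset["purdue_level"] is not None and asset["purdue_level"] <= 2
    medical = asset["kind"] == "medical_device"

    # Check 1: low-level OT and medical devices should never face the internet.
    if exposed and (low_level_ot or medical):
        findings.append(("critical",
                         "internet-facing OT/medical asset; place behind a secure access solution"))

    # Check 2: default or known credentials, worse when reachable from outside.
    if asset["credentials"] == "default":
        findings.append(("high" if exposed else "medium",
                         "default or known credentials in use; rotate them"))

    # Check 3: insecure-by-design protocols; exposed ones are enumerable at scale.
    insecure = sorted({p.lower() for p in asset["protocols"]} & INSECURE_PROTOCOLS)
    if insecure:
        findings.append(("high" if exposed else "medium",
                         f"insecure-by-design protocol(s) {', '.join(insecure)}; "
                         "configure securely or apply a compensating control"))
    return findings


def audit_inventory(inventory):
    """Map asset name -> findings, omitting assets with nothing to report."""
    results = {}
    for asset in inventory:
        findings = audit_asset(asset)
        if findings:
            results[asset["asset"]] = findings
    return results


def prioritized(inventory):
    """Flatten findings into (asset, severity, message) rows, worst first."""
    rows = []
    for name, findings in audit_inventory(inventory).items():
        for severity, message in findings:
            rows.append((SEVERITY_ORDER[severity], name, severity, message))
    rows.sort()
    return [(name, severity, message) for _, name, severity, message in rows]


if __name__ == "__main__":
    for name, severity, message in prioritized(SAMPLE_INVENTORY):
        print(f"[{severity:8}] {name}: {message}")
```

Severity is deliberately driven by exposure: the same insecure protocol on an internal HMI is a segmentation task, while on an internet-facing PLC it is the kind of foothold the page describes hacktivist groups enumerating at scale.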
Our research team is closely monitoring the Stryker incident; while we have yet to see evidence of impacts or risks to Stryker medical devices specifically, healthcare organizations should prepare for supply chain disruptions.
In the meantime, Claroty customers can:
Track and isolate connections to the Stryker environment in Claroty xDome. Stryker devices and applications, and those from its subsidiaries Vocera, Physio-Control, Mobius Imaging, Sage, and Care AI, can call home and provide a bridge for threat actors to come into the environment.
Isolate Stryker devices through segmentation or network controls to ensure that a compromise of any affected device does not spread to other devices. Claroty xDome can provide context on which assets and network switch ports to secure, as well as provide policy recommendations for allowed traffic.
Contact the manufacturer for information about its ongoing service interruptions and any related patching for its devices, should a vulnerability surface.
Expect ongoing updates in Claroty xDome Threat Center, which brings context to information on CPS threats. The Claroty Threat Intelligence team is actively monitoring the evolving situation, and relevant advisories will be published in the Threat Center as new information emerges.