Stryker hack could set stage for more pro-Iran cyber sabotage


A top lawmaker said his team is in touch with the company.

Cybersecurity experts say the recent hack of medical technology giant Stryker may be an early indicator of wider, pro-Iran cyber sabotage activity.

Pro-Iran and pro-Palestinian hacking group Handala claimed responsibility for the cyberattack, in which the collective apparently deployed wiper malware targeting Microsoft Intune management services installed on employees’ phones, including their personal devices.

Pro-Iran hacking groups frequently target systems in the U.S. and Israel, as seen in late 2023 when a group defaced water treatment systems in Pennsylvania that utilized Israel-made Unitronics equipment. Stryker acquired the Israeli medical technology company OrthoSpace in 2019 and holds significant contracts with the departments of Defense and Veterans Affairs.

The Unit 42 threat intelligence arm of Palo Alto Networks is “tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple related incidents impacting organizations in Israel and the U.S.,” the company said in a Thursday blog post.

“The reported wiper attack … may represent a similar dynamic, an early signal of activity that could expand beyond a single target,” said Justin Kohler, a former Air Force analyst and chief product officer at SpecterOps. “Organizations need to assume that attackers will gain a foothold and focus on proactively shutting down the attack paths adversaries rely on to escalate privileges, move laterally and expand their impact.”

A wiper-style attack on a company like Stryker is dangerous because “it targets operational continuity rather than just data theft. In the healthcare ecosystem, outages affecting device manufacturers or support systems can ripple across hospitals, supply chains and patient care environments,” said Ensar Seker, chief information security officer at SOCRadar.

The hack has challenged notions that direct physical targeting of apparent Iran state-funded cyberwarfare infrastructure would reduce the likelihood of any successful hacking attempts tied to the war. Pro-Iran hacking groups, until recently, have typically made overstated, unverifiable or false claims about their wartime activities.

“Organizations should take this as a reminder that destructive cyber operations are no longer limited to nation-state military targets,” Seker added.

The Cybersecurity and Infrastructure Security Agency said Thursday it is investigating the Stryker incident. The war, which broke out Feb. 28, was expected to test the strength of U.S. cyberdefenses.

California Rep. Eric Swalwell, the top Democrat on the House Homeland Security Committee’s cybersecurity panel, told reporters Thursday that his team was in touch with Stryker and evaluating how they’re working with federal responders, as well as how the hack may have impacted others that rely on the company’s devices.

“We want to understand from CISA … what is the vulnerability status right now for companies in the United States because of Iran’s capabilities?” he said, referring to workforce reduction mechanisms put in place over the last year within the Department of Homeland Security cyber agency that have shed around a third of its staff.

Complicating matters is an ongoing DHS shutdown, which has further reduced the number of working employees at CISA. Those employees are also not getting paid while the shutdown continues.