A couple of weeks ago, we predicted that the attacks on Iran would result in significant cyber retaliation.
The specific point we made was that global unrest demonstrates just how closely national security is tied to geopolitical positions and public statements. During periods of heightened international tension, countries that are aggressors or take visible stances of support can become targets for cyber activity.
And when a missile hit an Iranian school on February 28 and killed at least 175 people – mostly children – it prompted Handala, a hacktivist group with links to Iran’s intelligence agencies, to focus its attention on the US.
Specifically, a global medical technology company called Stryker.
Stryker is by no means small fry in the industry. According to their website, “Stryker is one of the world’s leading medical technology companies. Alongside our customers around the world, we impact more than 150 million patients annually.”
Based in Michigan, Stryker [NYSE:SYK] reported $25 billion in global sales of medical and surgical equipment last year.
So, what was the damage done to Stryker by the March 11 cyber-attack?
The fallout
Handala claimed in a Telegram post to have wiped over 200,000 systems, servers, and mobile devices, extracted 50 terabytes of critical data, and closed down Stryker offices in 79 countries.
The data they acquired, says Handala, is now in the hands of the free people of the world, “ready to be used for the true advancement of humanity and the exposure of injustice and corruption.”
In terms of the immediate impact on Stryker employees, it appears that anyone with Microsoft Outlook on their personal phone had the device wiped, leaving staff to fall back on WhatsApp to communicate. Stryker advised employees not to turn on company-issued devices and to disconnect from all networks immediately, and thousands of staff were initially sent home. The attack disrupted order processing, manufacturing and shipping of its connected medical devices, hospital beds and orthopaedic implants.
There are myriad online articles detailing the immediate and long-term fallout of the attack, and as you no doubt have mastered the Art of Googling by now, we will leave you to do a deep dive if you want to know more.
Suffice to say, in early April, Stryker announced that it had recovered use of the systems impacted by the attack and is once again fully operational across its manufacturing network.
However, the beleaguered company now faces lawsuits from employees alleging it failed to protect their personal data. And while the overall financial and reputational impact of the attack is yet to be determined, Stryker is, not unexpectedly, battling drops in its share price, with some predictions of an $8 billion loss in the company’s market value.
How was Stryker hacked?
In a sentence: Handala compromised a Windows domain admin account, used it to create a new Global Administrator account in Microsoft Entra ID, and then used that account to remotely wipe 80,000 Windows devices through Microsoft Intune. (That figure is well below Handala’s own claim of 200,000 systems.)
One of Intune’s strongest capabilities, the ability to remotely wipe every enrolled device, turned out to be a weapon in the wrong hands. Nothing about the wipe itself was an exploit: it was a legitimate administrative action, issued by an account that should never have existed. That is why the control surface here is who can hold Global Administrator and how that role gets granted, not the wipe function.
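The two moments in that chain where a defender could have raised an alarm are the moment a new identity was added to the Global Administrator role and the moment one account began issuing wipes at scale. The following is an added detection sketch written for this post, not code from Stryker, Handala or Microsoft. It runs over constructed audit records in the shape of Microsoft Graph directoryAudits results (activityDisplayName, initiatedBy, targetResources, and a Role.DisplayName modified property whose newValue is a JSON-encoded string, as Graph returns it). The "Wipe ManagedDevice" display name for the Intune wipe records, the user principal names, and the burst threshold and window are assumptions chosen for the example.

```python
"""Two detections for the Intune-wipe chain described above, run over
constructed Entra ID / Intune audit records (not real Stryker logs).

1. privileged_role_grants(): any 'Add member to role' whose Role.DisplayName
   is a Tier-0 role such as Global Administrator.
2. wipe_bursts(): one initiator issuing >= WIPE_BURST_THRESHOLD device wipes
   inside a sliding WIPE_BURST_WINDOW.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Roles whose assignment should page someone, not just log. Extend to taste.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Intune Administrator"}
# ASSUMPTION: display name used for Intune wipe actions in your audit feed.
WIPE_ACTIONS = {"Wipe ManagedDevice"}
WIPE_BURST_THRESHOLD = 5                 # assumed tuning values
WIPE_BURST_WINDOW = timedelta(minutes=10)


def _ts(s):
    # Graph emits RFC 3339 with a trailing 'Z'; normalise for fromisoformat.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _initiator(rec):
    who = rec.get("initiatedBy", {})
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def privileged_role_grants(records):
    """Return (time, initiator, target UPN, role) for each privileged role add."""
    hits = []
    for rec in records:
        if rec.get("activityDisplayName") != "Add member to role":
            continue
        for target in rec.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "Role.DisplayName":
                    continue
                role = json.loads(prop["newValue"])  # newValue is a JSON string literal
                if role in PRIVILEGED_ROLES:
                    hits.append((rec["activityDateTime"], _initiator(rec),
                                 target.get("userPrincipalName"), role))
    return hits


def wipe_bursts(records):
    """Return {initiator: peak wipes seen inside one window} for offenders."""
    by_initiator = defaultdict(list)
    for rec in records:
        if rec.get("activityDisplayName") in WIPE_ACTIONS:
            by_initiator[_initiator(rec)].append(_ts(rec["activityDateTime"]))
    bursts = {}
    for who, times in by_initiator.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # classic sliding window
            while times[end] - times[start] > WIPE_BURST_WINDOW:
                start += 1
            count = end - start + 1
            if count >= WIPE_BURST_THRESHOLD:
                bursts[who] = max(bursts.get(who, 0), count)
    return bursts


# --- Constructed sample records (hypothetical UPNs and device names) ---------
def _role_add(ts, by, target, role):
    return {"activityDisplayName": "Add member to role", "activityDateTime": ts,
            "initiatedBy": {"user": {"userPrincipalName": by}},
            "targetResources": [{"userPrincipalName": target, "type": "User",
                                 "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                         "oldValue": None,
                                                         "newValue": json.dumps(role)}]}]}


def _wipe(ts, by, device):
    return {"activityDisplayName": "Wipe ManagedDevice", "activityDateTime": ts,
            "initiatedBy": {"user": {"userPrincipalName": by}},
            "targetResources": [{"displayName": device, "type": "Device"}]}


SAMPLE_RECORDS = [
    _role_add("2026-03-09T11:02:00Z", "da-jsmith@example.com", "helpdesk1@example.com",
              "Helpdesk Administrator"),                       # benign, not flagged
    _role_add("2026-03-10T23:41:00Z", "da-jsmith@example.com", "newadmin@example.com",
              "Global Administrator"),                         # the event that matters
    _wipe("2026-03-10T09:00:00Z", "it-admin@example.com", "LAPTOP-0042"),  # one-off, benign
] + [_wipe(t, "newadmin@example.com", f"LAPTOP-{i:04d}") for i, t in enumerate([
    "2026-03-11T02:00:00Z", "2026-03-11T02:00:20Z", "2026-03-11T02:00:45Z",
    "2026-03-11T02:01:10Z", "2026-03-11T02:01:30Z", "2026-03-11T02:02:00Z"])]

if __name__ == "__main__":
    for hit in privileged_role_grants(SAMPLE_RECORDS):
        print("PRIVILEGED ROLE GRANT:", hit)
    for who, n in wipe_bursts(SAMPLE_RECORDS).items():
        print(f"WIPE BURST: {who} issued {n} wipes inside {WIPE_BURST_WINDOW}")
```

The first detection is the one that buys you time: a Global Administrator add should be rare enough in any tenant that every instance is reviewed by a human, and an add initiated by an identity synced from on-premises Active Directory is exactly the pattern described above. The second is a last line of defence and will fire after damage has started, so the window and threshold need to be tight enough to stop a wipe campaign early, not merely document it.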
How the Windows domain admin account was compromised is still under investigation. Theories as to how Handala got in include Adversary-in-the-Middle (AiTM) phishing, VPN brute-force attacks and lateral movement, and a supply chain compromise via a third-party vendor.
Regardless of how Stryker was compromised, Check Point Research has stated that initial access was established well before the destructive phase, with network access dating back several months. In other words, this was no spur-of-the-moment attack. Handala had a foothold in Stryker well in advance of choosing to flex its cyber muscles. The attack was already primed; the destruction of a school and its pupils pulled the trigger.
Post-attack, Microsoft released guidance for customers on hardening security for Windows domains and securing Intune. (And if you’d like to talk about this, then let’s chat, pronto.)
In the line of fire
Cyberattacks have a broad impact. Rarely do they confine themselves to doing a minimum of damage.
In Stryker’s case, it endangered plants, field service and support. The 50 terabytes of stolen data likely contain sensitive information that can be weaponised for phishing, payment fraud, fake recalls, and network intrusions. And of course, due to Stryker’s BYOD policy, staff lost the personal information they had on their devices – from photos to MFA apps, password managers to financial records.
If this can teach us one important lesson, what would it be?
We’d say the lesson is that in times of geopolitical uncertainty, it’s better to be consciously overprotective and proactive, even if you’re not in a country that presents itself as a very large target. The very fact that Handala had its plan primed months in advance of the actual attack means that lying low doesn’t take you off the target board.
In plain words (as we do): It’s better to be safe than sorry.
Hacktivism gives countries at war plausible deniability, and hacktivist groups are often just the tip of a cyber iceberg. You can count on a trail of destruction across the industries that support national stability: healthcare, logistics, fuel, power, supply chains and manufacturing. Even if you wouldn’t normally see yourself as a target, you’re not off the hook. Others may not view you as harmless in the cyber conflict arena.
Despite all the bluster, there’s not necessarily a speedy end in sight to the Iranian conflict. And even though, as a nation, we’re keeping a low profile, that doesn’t mean any of us are exempt from cyber-attacks.
So we’ll say it again (and as many times more as we think you need to hear it): given the uncertainty ahead, Australian organisations should be seriously considering an onshore Managed Detection and Response (MDR) provider, both to strengthen their ability to detect and respond and to navigate the rapidly evolving digital landscape ahead!
