Iran-Backed Hackers Claim Wiper Attack on Medtech Firm Stryker – Krebs on Security

A hacktivist group with links to Iran’s intelligence agency says it is behind a data-wiping attack on Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s biggest base outside the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s US headquarters says the company is currently experiencing a building emergency.
In a lengthy statement posted on Telegram, the Iranian hacktivist group known as Handala (aka Handala Hack Team) said Stryker’s offices in 79 countries were forced to close after the group wiped data from more than 200,000 systems, servers and mobile devices.
A manifesto posted by the Iran-backed hacktivist group Handala claiming a massive data-wiping attack against medical technology maker Stryker.
“All the information obtained is now in the hands of the free people of the world, ready to be used for the true development of humanity and the exposure of injustice and corruption,” said part of Handala’s statement.
The group said the wiper attack was in retaliation for the February 28 strike that hit a school in Iran and killed at least 175 people, most of them children. The New York Times reports today that an ongoing military investigation has determined that the United States is responsible for the deadly Tomahawk missile strike.
Handala was one of the Iran-linked hacker groups recently profiled by Palo Alto Networks, which links it to Iran’s Ministry of Intelligence and Security (MOIS). Palo Alto says Handala appeared in late 2023 and is considered one of several online personas maintained by Void Manticore, an actor affiliated with MOIS.
Stryker’s website says the company has 56,000 employees in 61 countries. A call placed Wednesday morning to the press line at Stryker’s Michigan headquarters sent this writer to a voicemail message that said, “We are currently experiencing a building emergency. Please try your call again later.”
A report Wednesday morning from the Irish Examiner said Stryker workers are now communicating via WhatsApp for any updates on when they can return to work. The story quoted an unnamed employee as saying that anything connected to the network is down, and that “anyone with Microsoft Outlook on their phone has had their stuff wiped.”
“Multiple sources said the systems at the Cork headquarters had been ‘shut down’ and that Stryker equipment operated by staff had been wiped,” the Examiner reported. “Login pages from these devices are marked with the Handala logo.”
Wiper attacks often involve malicious software designed to overwrite any data present on infected devices. But a reliable source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity that the perpetrators in this case appear to be using a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command on all connected devices.
Intune is a cloud-based solution designed for IT teams to enforce data security and compliance policies, and provides a single, web-based management console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion about the Stryker outage, where several users claiming to be Stryker employees said they were told to uninstall Intune immediately.
Palo Alto says Handala’s hacking and leaking operations are mostly focused on Israel, sometimes targeting outside that scope when serving a specific agenda. The security firm said Handala was also credited with recent attacks on oil systems in Jordan and an Israeli energy exploration company.
“The activities recently observed are opportunistic and ‘quick and dirty,’ with an apparent focus on supply chain manipulation (e.g., IT/service providers) to reach downstream victims, followed by the posting of ‘evidence’ to increase credibility and intimidate the target,” the Palo Alto researchers wrote.
Handala’s manifesto posted on Telegram refers to Stryker as a “Zionist-oriented organization,” which may be a reference to the company’s acquisition of Israeli company OrthoSpace in 2019.
This is a developing story. Updates will be noted with a time stamp.



