- Handala hackers hit Stryker via compromised Intune admin
- Tens of thousands of devices wiped, but no data theft confirmed
- Medical products remain safe; ordering systems are offline and orders can only be placed manually
When cybercriminals hit Stryker last week and wiped out tens of thousands of electronic devices, they did it without using malware. Instead, they used Intune, Microsoft’s cloud-based endpoint management service, sources said.
Last week, a hacker collective calling itself Handala (AKA HAtef, Hamsa) said it broke into Stryker, a Fortune 500 healthcare company with tens of billions in annual sales. They claimed to have stolen 50 terabytes of data and wiped “tens of thousands of systems and servers across the company’s network.”
“In this operation, over 200,000 systems, servers and mobile devices have been wiped and 50 terabytes of critical data has been extracted,” the attackers reportedly said at the time. “Stryker’s offices in 79 countries have been forced to close.”
Abusing Intune
Stryker soon confirmed the reports with an 8-K filing. Several employees also confirmed that their electronic devices were wiped overnight.
Then a “source familiar with the attack” told Bleeping Computer that Handala managed to compromise an Intune administrator account and used it to create a new Global Administrator account. With the master account, they initiated the wipe command and deleted data from nearly 80,000 devices in a matter of hours. The investigators have also disputed Handala’s claims of data exfiltration, saying they found no evidence that any data was removed at all.
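For defenders, the sequence described above (a new Global Administrator account, then wipe commands at scale) can be expressed as a correlation rule. The following is an added example, not code from the article, Stryker or Microsoft; the event schema, account names, threshold and time windows are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_events():
    """Constructed events in a simplified, hypothetical schema (not a real audit-log format)."""
    t0 = datetime(2025, 1, 1, 1, 0)  # arbitrary constructed timestamp
    events = [
        {"time": t0, "actor": "intune-admin@example.com", "action": "role_assigned",
         "role": "Global Administrator", "target": "new-ga@example.com"},
        {"time": t0 - timedelta(hours=5), "actor": "helpdesk@example.com",
         "action": "device_wipe", "target": "laptop-0001"},  # routine single wipe
    ]
    # 40 wipes in 40 seconds issued by the freshly privileged account
    events += [{"time": t0 + timedelta(minutes=10, seconds=i), "actor": "new-ga@example.com",
                "action": "device_wipe", "target": f"device-{i:04d}"} for i in range(40)]
    return events

def new_global_admins(events):
    """Map each account to the time it was granted Global Administrator."""
    return {e["target"]: e["time"] for e in events
            if e["action"] == "role_assigned" and e.get("role") == "Global Administrator"}

def wipe_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """Return {actor: time the actor first reached `threshold` wipes within `window`}."""
    recent, bursts = defaultdict(deque), {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["action"] != "device_wipe":
            continue
        q = recent[e["actor"]]
        q.append(e["time"])
        while e["time"] - q[0] > window:  # drop wipes that fell out of the window
            q.popleft()
        if len(q) >= threshold and e["actor"] not in bursts:
            bursts[e["actor"]] = e["time"]
    return bursts

def correlate(events, max_age=timedelta(hours=24)):
    """Flag wipe bursts; escalate when the actor became Global Administrator recently."""
    grants = new_global_admins(events)
    alerts = []
    for actor, when in wipe_bursts(events).items():
        granted = grants.get(actor)
        fresh = granted is not None and timedelta(0) <= when - granted <= max_age
        alerts.append({"actor": actor, "time": when,
                       "severity": "critical" if fresh else "high"})
    return alerts

if __name__ == "__main__":
    print(correlate(build_sample_events()))
```

Either signal is worth alerting on by itself; the correlation only raises the severity when a bulk wipe comes from an account that was privileged shortly beforehand.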
In a subsequent update, Stryker said its medical devices are safe to use, but electronic ordering systems are offline, meaning customers can only place orders manually through sales representatives.
“All Stryker products across our global portfolio, including connected, digital and life-saving technologies, remain safe to use,” the company said. “This event was contained within Stryker’s internal Microsoft environment and, as a result, did not affect any of our products – connected or otherwise.”
Although unconfirmed, reports say Handala are “hacktivists linked to Iran’s Ministry of Intelligence and Security” who mainly target Israeli organizations around the world.
Via Bleeping Computer



