Stryker Cyber Attack: What Healthcare and Other Organizations Need to Know

Stryker, a medical device supplier based in Michigan, was impacted by a cyber attack, according to CNN and the Guardian, which was confirmed by Stryker^1,2,3. According to Optiv’s gTIC, the attack was claimed to be carried out by an Iranian-linked hacktivist group called Handala Hack, who also operate under the aliases Void Manticore and Storm-842.⁴

The threat actor claimed that thousands of systems and mobile devices were wiped and that approximately 50 terabytes (TB) of data were exfiltrated.⁴

Stryker claims that the incident is now contained and that there is no indication of ransomware at this time.¹

How the Stryker Cyber Attack Occurred

The threat actor was able to compromise an administrative level account within Stryker’s Microsoft environment and claims that it was able to conduct a complete remote wipe of all connected devices. This was not a typical ransomware attack, but rather a disruptive ‘hack-and-leak’ attack.^3,4

Impact on Hospitals and Emergency Systems

This is still being investigated by Stryker and users of their equipment as well as hospital systems, but the only major finding thus far was the impact to LIFENET, which is used by emergency responders to communicate with hospitals and was non-functional for some users on March 11^th.²

According to Stryker, the LIFENET system is functioning as expected as of the afternoon of March 12^th.¹

CISA launched an investigation to help with the incident response for Stryker.⁶

Industries That May Face Similar Cyber Risks

Due to the hacktivist motivations of the threat actor, it is believed any organizations or portfolio companies with ties to the government (especially in defense-related industries), as well as those within critical infrastructure (power/water) or healthcare, are the most likely targets of these disruption attacks. Adjacent industries such as finance and telecommunications should also continue to be vigilant.⁵

Immediate Steps Organizations Can Take

As always, it is helpful to reassess your security posture and take proactive measures to reduce your overall exposure and the likelihood of your networks being targeted. Threat actors not only target specific industries and companies but also are opportunistic in seeking organizations to compromise. Here are some recommended next steps to consider:

• Ensure that if you have any Stryker-based medical devices, refer to Stryker’s webpage regarding potential impacts such as LIFENET and the Mako System.
• Confirm whether your Stryker devices are still connected and functioning properly; have them reviewed by your security and clinical teams and isolate them if possible.
• Ensure that you have proper alerting setup and logs sent to your SIEM for any suspicious use or logins to the global admin (GA) or domain admin (DA) accounts within your environment. These accounts should be tightly controlled with MFA as well.
• Conduct phishing and social engineering training regularly and create additional validation requirements for MFA or password resets, including (but not limited to): video validation, manager approvals, calling back on a known good number, government ID validation and passphrases.
• Test your Business Continuity (BC) and Disaster Recovery (DR) plans regularly. As supply chain attacks continue to increase in number, organizations should have fallback and downtime procedures for when one of their vendors or partner services become unavailable or unresponsive.

If you believe you may have been impacted by either the Stryker event or any other incident, please reach out to your Alliant Broker or Account Executive for immediate assistance.

Cyber Insurance Considerations Following a Cyber Incident

Policyholders should review notification requirements and panel vendor provisions (breach counsel, incident response, forensics) so that an urgent response does not inadvertently create coverage friction.

If your organization has elevated geopolitical exposure, consider a quick coverage check-up with your broker to confirm current wording, applicable sub-limits, reporting timelines and any conditions tied to response vendors.

Contact Alliant Cyber for additional insight.