Breaking, new, by me: Iran-backed Hackers Claim Wiper Attack on Medtech Firm Stryker

A hacktivist group with links to Iran's intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker's largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker's main U.S. headquarters says the company is currently experiencing a building emergency.

From the story:

"Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices."

"Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently."

https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/

#stryker #handala #intune #wiper #cybersecurity
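The abuse described above is a legitimate MDM feature (remote wipe) driven by a compromised or misused admin identity, so the defender's signal is not the wipe command itself but its volume: a burst of wipes from one actor in a short window. The following is an added example, not code from the story, from Stryker, or from Microsoft; it runs a simple sliding-window detector over constructed JSON-lines audit records in a hypothetical schema (fields `ts`, `actor`, `action`, `device`), which is not the real Intune audit-log format.

```python
"""Flag bursts of MDM remote-wipe actions per admin identity.

Added example with constructed data. The record schema below is hypothetical;
map the field names to whatever your MDM's audit export actually uses.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that destroy data on the endpoint (assumed names for this example).
WIPE_ACTIONS = {"wipe", "fresh_start", "retire"}

# Constructed audit export: one JSON object per line. 'admin-ops' performs two
# routine wipes hours apart; 'svc-helpdesk' wipes six devices in 79 seconds.
SAMPLE_AUDIT_LOG = """
{"ts": "2026-03-11T08:00:00Z", "actor": "admin-ops", "action": "sync", "device": "DEV-001"}
{"ts": "2026-03-11T08:05:00Z", "actor": "admin-ops", "action": "wipe", "device": "DEV-002"}
{"ts": "2026-03-11T09:30:00Z", "actor": "admin-ops", "action": "wipe", "device": "DEV-003"}
{"ts": "2026-03-11T10:45:00Z", "actor": "admin-ops", "action": "update_policy", "device": "ALL"}
{"ts": "2026-03-11T02:00:00Z", "actor": "svc-helpdesk", "action": "wipe", "device": "DEV-100"}
{"ts": "2026-03-11T02:00:12Z", "actor": "svc-helpdesk", "action": "wipe", "device": "DEV-101"}
{"ts": "2026-03-11T02:00:25Z", "actor": "svc-helpdesk", "action": "wipe", "device": "DEV-102"}
{"ts": "2026-03-11T02:00:41Z", "actor": "svc-helpdesk", "action": "wipe", "device": "DEV-103"}
{"ts": "2026-03-11T02:01:03Z", "actor": "svc-helpdesk", "action": "wipe", "device": "DEV-104"}
{"ts": "2026-03-11T02:01:19Z", "actor": "svc-helpdesk", "action": "wipe", "device": "DEV-105"}
{"ts": "2026-03-11T02:02:00Z", "actor": "svc-helpdesk", "action": "sync", "device": "DEV-106"}
"""


def parse_audit(text):
    """Parse JSON-lines audit records, converting 'ts' to datetime."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_mass_wipes(records, window=timedelta(minutes=5), threshold=5):
    """Return one alert per actor whose wipe count inside any `window`
    reaches `threshold`. The alert reports the densest window found."""
    by_actor = defaultdict(list)
    for rec in records:
        if rec["action"] in WIPE_ACTIONS:
            by_actor[rec["actor"]].append(rec)

    alerts = []
    for actor, wipes in by_actor.items():
        wipes.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        # Two-pointer sliding window over the actor's wipe timestamps.
        for end in range(len(wipes)):
            while wipes[end]["ts"] - wipes[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "actor": actor,
                    "count": count,
                    "first_seen": wipes[start]["ts"],
                    "last_seen": wipes[end]["ts"],
                    "devices": [r["device"] for r in wipes[start:end + 1]],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_mass_wipes(parse_audit(SAMPLE_AUDIT_LOG)):
        print(f"{alert['actor']}: {alert['count']} wipes between "
              f"{alert['first_seen']:%H:%M:%S} and {alert['last_seen']:%H:%M:%S} "
              f"on {', '.join(alert['devices'])}")
```

The threshold and window are the tuning knobs: a help desk that legitimately wipes a handful of lost laptops per day stays below five wipes in five minutes, while a tenant-wide wipe crosses it within seconds. A real deployment would read the export continuously rather than as a string, and would pair the alert with an automatic block of the acting identity, since by the time a human reads it the remaining devices are already gone.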

Added this as an update to the story on the wiper attack on medtech giant Stryker, which doesn't just sell medical devices: A number of hospitals have opted to disconnect from Stryker's online services to minimize risk from the attack, including LifeNet, a service used by countless hospitals to send EKGs etc. from emergency responders to the emergency room in advance of the patient arriving (to speed up treatment, minimize heart tissue damage, etc). Some states, e.g., Maryland, actually require the transmission of this information, and are asking providers who have disconnected from LifeNet to start using the phone to describe the results of EKGs recorded by emergency personnel in the field.
@briankrebs that mitigation from outside seems at odds with the described attack. I'm curious now about how that transfer occurs where it could be a lateral movement vector.
@briankrebs sales people for them make a bundle, will likely make less until the cyber incident fades into obscurity #we can rebuild him

@briankrebs I might be naive, but how bout printing the ECG diagram and sending it using "traditional" ways if necessary?
That's at least what I'd do here in Germany should our electronic services fail. That's what, I assume, everyone did before monitors became IoT devices.

Of course it's not as "sexy" as pressing a button and it's there, but I mean... if you need to send it, you send it.

Nonetheless, the attack on Stryker is a huge disruption.

I’m assuming because this is for when someone is in an ambulance being driven to the hospital, so time is of the essence. I’m guessing that for just sharing data what you said works fine.

@ben @briankrebs
I also meant in the ambulance. I'd just take a photo of the print with the work-provided phone and send it to the hospital. That's what I meant with "traditional" method. Not courier pigeon or postal service xD
Also lol, it’s kind of funny that you wrote “ECG” despite being German and then Krebs wrote “EKG” despite not ;)

@rogue_cells @briankrebs as far as I understand, the ECG data must arrive at the emergency room before the patient arrives there. If printed on paper, what would be a faster courier than the ambulance that made the ECG and also carries the patient?

@corvus_ch @briankrebs I'd print it and take a photo with the phone.
We use that to send photos to our emergency doctors sometimes when we're not sure.

But I'm also in a different country, dunno if that's OK everywhere. We're using work provided phones and cut off the PII.

That's what I meant with more traditional methods.

But we also don't have to send the ECG to the hospitals prior to arrival - usually.

@rogue_cells What's "traditional" here?
@briankrebs having worked in healthcare IT, private run ambulances along with undercutting ACA really put us into relying on third-parties to transfer patient data, instead of straight from ambulance to care point. One would think with 5G and EPIC/Cerner/Meditech, we could resolve this problem without need to tie back to the manufacturer. /rant /sigh
@briankrebs wouldn't this violate HIPAA laws since they're going over the public switched telephone network?
@adisonverlice @briankrebs Is that worse than sending messages about patients over unencrypted pagers?
@Howitzer105mm probably equal in terms of severity
@Howitzer105mm severity, that is, being pretty fuckin horrible
@Howitzer105mm the only reason I say pretty equal being pagers are also connected to the public switched telephone network. so yeah, both are fucking horrible. not to mention most law enforcement don't seem to have any secure means of communication outside of their department apart from that law enforcement agency and probably other law enforcement agencies around the state and federal. they're definitely not going to have one with hospitals, o no, heaven forbid we have that...because security is clearly not important, right? we totally haven't had NHS, HHS, etc, breaches before, have we? nope, aside from the huge Snowflake breach that impacted UK health providers, apart from the United Healthcare breach, o and I forgot the breach from a children's hospital from ransomware, and maybe around 226 healthcare breaches, we've never had a HIPAA-violating breach, nope, absolutely not
@adisonverlice What? No mention of the damage coming from the tech bros Demon Machines?
@Howitzer105mm nope. never.
and that was sarcasm.
personally I think HIPAA should be modified to require some kind of encryption when sending patient information, which includes health records. especially now when we're being asked to send information over the phone because lifenet was hacked
@adisonverlice Holy shit, your writing is crap.
@adisonverlice @briankrebs Why would you think this violates HIPAA? Phone calls between providers for treatment purposes don't require patient authorization or spy-level encryption. Just follow the 'minimum necessary' guideline. And don't do it while livestreaming or in front of a hot mic at a football stadium. If voice calls are not clear, you can write notes with a Magic Marker and fax it over PSTN if you have to.
@hal8999 aw. personally I don't think that's ideal but ok then
@briankrebs lol fuck that could be really bad news. In my region some paramedics are qualified to interpret 12-leads, but there's not enough to go around. Rural communities would suffer the most. Hope we don't use Lifenet!
@briankrebs luckily everything was perfectly backed up.
@notasnek @briankrebs Do we know if they have compromised the entire MS365 tenant ? If so OneDrive backups are probably gone as well.
@briankrebs And that is why you don’t tie personal devices to corporate systems allowing them to remote wipe your devices

@hasani @briankrebs

Work: If you don't accept these terms that allow us to wipe your device, you won't be able to access Exchange via mobile.
Me: Win-win, mother fuckers!

@geniodiabolico holy shit, never install corporate spyware from your employer on a personal device. If your employer won't provide a device then use a cheap second device.
@AlexanderMars That was literally the point of my post.
@briankrebs LMAO MDM = FAFO

@briankrebs

@dalias Curious if you could share a TL;DR of what an IT admin might consider as an alternative to MDM? Just manage remote machines manually?

@dusk @briankrebs Well one level of MDM that's always inherently malicious is BYOD: taking backdoor control of people's personal devices so you can store sensitive work-related data on them. This is just completely unethical and should not even be on the table.

I'm not sure if that was involved here, but I thought I'd put it out there first.

@dusk @briankrebs As for company-owned devices, provision them centrally but don't leave backdoor access. Use encryption at rest to protect against theft rather than relying on ability to wipe after-the-fact (which won't work anyway if the thief is competent and wants the data). Expect devices to be returned upon leaving the company or for service/overhaul, or if you want to do it remotely, set it up so the user has to initiate the listening process to give you control rather than having an ambient backdoor.
@dalias @briankrebs In the company I used to work for, we used Intune (a little) because it was already included in what we paid to MS, so might as well use it, right? In light of this, I'm thinking having your MDM solution this tightly integrated to the rest of your ecosystem (and particularly to your backup) is a disaster waiting to happen.
But is there an MDM solution that doesn't suck ?
@trkzn @briankrebs There probably isn't, because the folks who design MDM and the folks who buy MDM have really bad ideas about how it should work based on power trip fantasies not real world threat analysis and making fair and resilient power relationships.

@briankrebs

This is arguably quite bad, but damn, why not wipe out the student loan servicers....

@briankrebs Intune, also known as: Palpatine as a Service.
@Elmar_Iachi hahahahahah. thanks for the laugh. i needed that.
@briankrebs apparently, they're claiming Verifone now as well.
Stryker cyberattack: Iranian group claims responsibility - 'Erased 200,000 systems, extracted 50 terabytes of data'

In a statement, Handala referred to the US missile attack on a girls' school in Minab city of Iran, that killed dozens, as one of the reasons for the hacking.

mint
@Fringedcrow @briankrebs Neat graphics, this may be sophisticated, I don’t know, but until the full Trumpstein photos and videos and files are exposed on a Times Square billboard I’ll still yawn.
@Fringedcrow
"We could have taken entire countries offline."

There was a graph, some weeks ago, showing the vulnerability of a lot of countries, because of their dependency on "Big Tech".
Interesting, in context with such a bold statement.

(It's not that I'm looking forward to seeing such a widespread attack, but ...)

@briankrebs
@briankrebs man it would be “so horrible” if someone somehow wiped out debt like that, so so so horrible, I could barely imagine it, and if anyone needs me I’ll be struggling to imagine it for the rest of the day
@briankrebs the USA and Israel killed international laws
@briankrebs Medical companies should not be called like a weapon system or some sci-fi shit.
@briankrebs Serves them right. Their new stretchers are garbage.
@briankrebs Thanks for raising awareness on this.
@briankrebs The hacker's ripped out Stryker's🏥 appendix.

@briankrebs

OH MY.

You know, in the back of my brain I've been tensing up with sick dread waiting for the next 9/11 to hit...

I gotta say, I LIKE THIS MUCH BETTER.

@briankrebs Intune the attack vector, nice.