Iran appears to have carried out a significant cyberattack on a US company, the first since the war began

A hacking group linked to Iran says it is responsible for a cyberattack on a medical technology company in what appears to be Iran’s first significant hacking of a US company since the war between the two countries began.

The company, Stryker, headquartered in Michigan, manufactures a variety of medical devices and technologies.

Historically, Iran’s most infamous cyberattacks have been “wiper” attacks against its adversaries, aimed simply at erasing all data from a target’s computer network. Victims include Saudi Aramco, Saudi Arabia’s national oil company, in 2012, and Sands Casino in 2014.

Since the start of the war, some established criminal groups sympathetic to Iran’s leadership have launched smaller attacks, but most have amounted to little more than briefly defacing websites, and none appear to have had much impact. Other technology and cybersecurity companies, including Google and the email security firm Proofpoint, told NBC News that they have seen more Iranian hackers carrying out war-related espionage.

But that appears to have changed on Wednesday with what looks like a different type of attack, one that also wiped data from devices. A Stryker employee, who asked not to be identified because they are not authorized to speak for the company, said that calls to employees had stopped and that employees had stopped working and communicating with their colleagues.

Stryker, based in Michigan, manufactures a range of medical devices and technologies. (Smith Collection / Gado via Getty Images file)

The hacking group Handala claimed responsibility for the Stryker hack in statements on its Telegram and X accounts. The group often boasts about its activities on social media, although the platforms have in recent days taken down earlier versions of its accounts.

Details of how the hack was carried out are unclear, but public evidence indicates that the hackers gained access to the company’s Microsoft Intune account, which an employee confirmed Stryker was using. From there, Handala appears to have wiped some employees’ devices back to factory settings, according to one expert.

“It looks like they got access to the Microsoft Intune management console. This is a corporate device management solution,” said Rafe Pilling, director of threat intelligence at the cybersecurity firm Sophos, which has linked Handala to Iran’s Ministry of Intelligence.

“One of the features is the ability to remotely wipe a device if it’s lost/stolen etc. They seem to have enabled that for some or all registered devices,” he said.

Microsoft’s website describes the remote wipe feature as “commonly used when a device needs to be stopped, reused, reset to resolve a problem, or securely wiped if lost or stolen.”

In a statement on its website on Wednesday, Stryker said the disruption was due to a cyberattack but that its systems were not directly hacked and that ransomware – a common form of cybercrime that can seriously disrupt corporate networks – was not a contributing factor.

“Stryker is experiencing a global network disruption in our Microsoft environment due to a cyber attack. We have no signs of ransomware or malware and believe the incident is contained,” the statement said.

The company did not respond to a request for more information. Microsoft did not respond to a request for comment.
