Stryker said the cyberattack that hit the company this week has disrupted its manufacturing and shipping operations.
The medtech company released the information Thursday night in a statement posted to its website. Stryker did not detail the attack’s impact on its systems, but wrote in the statement that the incident has caused disruptions to order processing, manufacturing and shipping.
“However, we are working diligently to restore our systems and above all, we are committed to ensuring our customers can continue to deliver seamless patient care,” the company said.
Stryker maintained that the incident is contained to its internal Microsoft environment, and there is no malware or ransomware detected.
In a Thursday filing with the Securities and Exchange Commission, Stryker said that it does not believe its patient-related services have been disrupted or that its connected products were impacted by the incident.
Dave Nathans, Stryker’s chief information security officer, provided an update on Thursday to certain customers and other members of the cybersecurity community regarding the attack, according to the filing.
Stryker is collaborating with law enforcement and government agencies to share intelligence about the incident.
CEO Kevin Lobo, in a letter to employees posted on LinkedIn Thursday, said Stryker has fully contained the attack, and the company is in the restoration phase.
In a Thursday note to investors, J.P. Morgan analysts said they spoke with Stryker about the attack.
“Procedures around the world still took place yesterday, and while management isn’t yet ready to comment on whether or not there will be an impact, our impression is that it will ultimately be minor,” the analysts wrote. “There could be the potential for spotty disruptions as systems are restored, and if a material impact does occur, Stryker has an obligation to disclose it when it is estimable and known. So, while this clearly wasn’t a good event, it is far, far from being a highly impactful negative event, in our view.”
Stryker, based in Portage, Michigan, is a medtech company that specializes in surgical equipment and orthopedics, including manufacturing joint implants and surgical robots. The company has 56,000 employees and operates in 61 countries.
On Wednesday, Stryker identified a cyberattack that led to a global network disruption of its Microsoft environment. The company activated its cybersecurity response plan and launched an investigation with external advisors and cybersecurity experts.
In a Wednesday filing with the SEC, Stryker said that it is not aware of the full scope of the attack’s impact, including financial and operational effects. The company added that it does not have a timeline for full restoration of its systems, and it has not determined whether the attack will have a material impact.
The attack has been claimed by an Iran-linked threat actor tracked as Handala, according to Check Point Research. The group claims to have wiped thousands of servers and mobile devices and to have exfiltrated 50 terabytes of critical data. It is not known whether any customer data was affected.
Handala has positioned itself as a pro-Iran hacktivist, but researchers at Palo Alto Networks have linked the group to the Iranian Ministry of Intelligence and Security.
Handala is one of several state-backed or hacktivist groups that have targeted companies, government agencies or other organizations in Israel, the U.S. or the Persian Gulf region. The attacks have varied in complexity from phishing to distributed denial-of-service and malware attacks.
Based on statements by the company, claims by the threat actor and open-source reporting, researchers suspect that the Stryker attack involved abusing Microsoft Intune to create a wiper attack that would bypass traditional endpoint security protections.
Researchers at Halcyon said the attack impacted all phones and workstations with an Intune base64 string.
“Intune is a device management component of Microsoft used to push software or manage devices that are usually base64-encoded,” Johnny Collins, director, intelligence operations at Halcyon, said via email. “In this case, the encoded payload contained remote wipe commands, effectively wiping the affected devices.”
A spokesperson for Microsoft declined to comment on Thursday, but said the company would provide an update if additional information was developed.
The Cybersecurity and Infrastructure Security Agency on Thursday said it was investigating the Stryker incident.
