Hacker group behind Stryker attack forced to 'reorganise' after key figures killed in military action
While it was initially believed that Stryker suffered a 'wiper' attack — in which the computer network is disabled or wiped out — cyber intelligence sources said this was not the case.
Irish intelligence officials believe the Iranian-backed hacker group behind the cyberattack on global med tech company Stryker, which has more than 5,000 employees in Ireland, is having to “reorganise” after two of its key figures were killed in US and Israeli military action.
Officials suspect that the Handala Hack group, and other hackers controlled by the Iranian clerical regime, will persist in cyberattacks across the world, including against US corporations that have bases in Ireland.
Stryker, which has more than 56,000 employees worldwide, was hit by the group on March 11.
It is thought that no similar incidents have been reported since to authorities in Ireland, although there are some indications of cyber “scanning” going on.
Intelligence officials believe it is likely that further incidents, including the targeting of US multinationals, will happen. Officials believe that such incidents could affect Ireland.
Outside of the US, Stryker has its largest manufacturing and research facility in Cork — where it employs over 4,000 people. An additional 1,400 people are based in plants in Limerick and Belfast.
The Handala attack disabled all remote devices connected to Stryker IT systems, affecting all employees and customer digital ordering systems.
Production at the Cork plants was also halted, or at least partially halted.
As of last Friday, some employees told the that production was still down.
While it was initially believed that Stryker suffered a “wiper” attack — in which the computer network is disabled or wiped out — cyber intelligence sources said this was not the case.
Sources said the network itself was not affected, adding that the damage was mainly confined to Stryker’s mobile device management system.
These sources said the attack focused on its Microsoft “Intune instance”, which is a cloud-based system for managing connections between remote personal devices and the network. These systems are widely used by companies to enable remote access to the IT system.
It is suspected that the group managed to obtain or steal credentials of someone with admin access to the management system, and then removed all devices connected to the network.
The most recent statement from Stryker said its teams have “continued to work around the clock” with external partners to make “significant progress” on restoring systems.
“We believe the incident has been contained, and we are prioritising restoration of systems that directly support customers, ordering, and shipping,” it said in a statement.
It said the attack was “contained to Stryker’s internal Microsoft environment”, adding that the incident “did not affect” the security or safety of its products or devices.
It said teams are working “as quickly and safely as possible” to reconcile orders, manufacture products, and deliver to customers.
Irish intelligence agencies believe that more multinational US corporations, including those with bases in Ireland, will be targeted by Iranian-backed hacker groups.
It is also possible these groups might broaden their potential targets, as they have done in attacks on neighbouring Middle Eastern countries that have US military bases.
Cyberattacks by Iranian groups have stepped up in response to the Israeli and US bombing of Iranian military and intelligence sites, including in urban areas with large civilian populations.
In its claim of responsibility, Handala specifically mentioned the bombing of a school in the south of Iran. The bombing claimed the lives of 175 civilians — most of them children.
The US has been blamed for the attack, and a preliminary US military investigation has reportedly determined this to be correct.
- Cormac O'Keeffe is the Security Correspondent with the




