The Cybersecurity and Infrastructure Security Agency is urging U.S. organizations to harden their endpoint management system configurations after a cyberattack on Stryker Corporation.
CISA said on March 11, Stryker was the victim of a cyberattack targeting its endpoint management system, which affected its Microsoft environment. The attack against the medical device maker delayed surgeries for some patients after it temporarily affected the company’s ability to deliver personalized inventory, a Stryker spokesperson told Bloomberg News.
Iranian-linked hacking group Handala claimed responsibility for the incident. Stryker said later that the attack caused widespread disruption to its business, including its ability to process orders, make products and ship them to customers. Since then, the company said the attack has been contained and that no patient-related services or connected medical devices were affected.
CISA is recommending that organizations take several steps to protect their systems, including using the principles of least privilege when designing administrative roles; enforcing phishing-resistant multi-factor authentication and privileged access hygiene; and configuring access policies to require multi-admin approval in Microsoft Intune.
The FBI and CISA are working with other federal partners to identify additional threats and to determine mitigation actions, the agency said.
In a statement, Stryker said it has ensured there is no lasting threat to customers.
“All Stryker products across our global portfolio, including connected, digital, and life-saving technologies, remain safe to use. This event was contained to Stryker’s internal Microsoft environment, and as a result it did not affect any of our products—connected or otherwise. Stryker, much like any Fortune 300 company, has embedded policies and procedures for cybersecurity assurances for our products in the field,” the company said in a statement on its website. “This process at Stryker provides additional assurances that no potential vulnerabilities or risk of exploitation related to our connected products exist. Per our standard protocols, we have leveraged this process to confirm that our connected products were not impacted by the incident and remain safe to use.”
