Malware Wiper Attack Disables Over 200,000 Stryker Devices, Disrupts Hospital Communications
What Happened — Iranian‑linked threat actors leveraged Microsoft Intune’s native wipe function and a malicious payload to erase data on more than 200,000 Stryker endpoints across the U.S., Ireland, India and other regions. The wipe forced Stryker to shut down production lines and caused hospitals in Maryland to suspend connections to critical communication devices.
Why It Matters for TPRM (Third‑Party Risk Management) —
- A supply‑chain breach in a medical‑device vendor can cascade to downstream health‑care providers, jeopardizing patient safety.
- The use of native cloud‑admin tools (Intune) highlights the risk of over‑privileged accounts in third‑party environments.
- Restoration from backups may be lengthy; meanwhile, business continuity and regulatory compliance are at risk.
Who Is Affected — Health‑care providers, hospitals, emergency medical services, and any organization that integrates Stryker’s bedside sensors, hands‑free communication gear, or related IoT devices.
Recommended Actions —
- Verify that any Stryker‑supplied hardware or software in your environment is running the latest firmware and has been restored from a clean backup.
- Review the vendor’s incident‑response report and confirm that privileged access to Microsoft Intune has been hardened.
- Update third‑party risk assessments to reflect the increased likelihood of supply‑chain attacks on medical‑device manufacturers.
Technical Notes — Attack vector: malicious file executed via compromised Intune admin credentials, triggering the built‑in device‑wipe command. No ransomware was delivered, but the wipe function acted as a destructive wiper. Affected data types were primarily system files and configuration data; patient‑level data on devices was not reported as exfiltrated. Source: The Record
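The attack vector above (legitimate Intune admin credentials driving the built‑in wipe command at scale) and the recommendation to harden privileged Intune access both point to the same detection gap: a single administrative identity issuing wipes far faster than any helpdesk workflow would. The script below is an added example, not code from the article, from Stryker, or from Microsoft. It assumes audit records shaped loosely like Microsoft Graph `deviceManagement` audit events (`activityDateTime`, `activityType`, `actor.userPrincipalName`, `resources`); that field layout, the `example.test` principals, and the device names are all constructed for the demonstration. It flags any actor who triggers a threshold number of wipe actions inside a sliding time window.

```python
"""Flag bursts of device-wipe actions in Intune-style audit events.

Added example. The event shape is an ASSUMPTION modelled on Microsoft Graph
deviceManagement audit events; the sample records below are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _evt(ts, actor, device, activity="Wipe ManagedDevice"):
    """Build one constructed audit record (helper for the sample data only)."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device}],
    }


# Constructed sample: admin-a wipes six devices within six minutes (the
# pattern of interest); admin-b issues one wipe, which is normal helpdesk work;
# admin-a also has an unrelated, non-wipe event that must be ignored.
SAMPLE_AUDIT_JSON = json.dumps(
    [_evt(f"2026-03-10T02:0{i}:00Z", "admin-a@example.test", f"DEV-000{i + 1}")
     for i in range(6)]
    + [_evt("2026-03-10T09:00:00Z", "admin-b@example.test", "DEV-0200"),
       _evt("2026-03-10T02:02:30Z", "admin-a@example.test", "DEV-0300",
            activity="Patch ManagedDevice")]
)


def parse_events(raw_json):
    """Parse the exported audit log (JSON array) into a list of dicts."""
    return json.loads(raw_json)


def _parse_ts(value):
    # Audit timestamps end in 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor who issued >= threshold wipe actions within
    any `window`-long span. Each alert records the actor, the time the
    threshold was crossed, the count at that moment and the devices hit."""
    by_actor = defaultdict(list)
    for e in events:
        # Only wipe actions count; enrolments, patches etc. are filtered out.
        if "wipe" not in e.get("activityType", "").lower():
            continue
        ts = _parse_ts(e["activityDateTime"])
        actor = e["actor"]["userPrincipalName"]
        devices = [r.get("displayName", "?") for r in e.get("resources", [])]
        by_actor[actor].append((ts, devices))

    alerts = []
    for actor, items in by_actor.items():
        items.sort(key=lambda x: x[0])
        recent = deque()  # wipe events inside the current sliding window
        for ts, devices in items:
            recent.append((ts, devices))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                alerts.append({
                    "actor": actor,
                    "crossed_at": ts.isoformat(),
                    "count": len(recent),
                    "devices": [d for _, ds in recent for d in ds],
                })
                break  # one alert per actor is enough to page an analyst
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_wipe(parse_events(SAMPLE_AUDIT_JSON)):
        print(json.dumps(alert, indent=2))
```

Tune `threshold` and `window` to the real cadence of your device-management team; the point is that a mass wipe is loud in the audit trail even when every individual action is "authorized", so the alert should fire on velocity per identity rather than on any single event.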