Iran‑Linked Hackers Wipe 200k Stryker Devices and Exfiltrate 50 TB of Medical Data
What Happened — An Iranian‑affiliated hacktivist group announced it breached Stryker’s Active Directory, used Microsoft Intune to remotely wipe roughly 200,000 medical devices and servers, and exfiltrated an estimated 50 TB of “critical” data. The group is now threatening additional attacks as class‑action lawsuits mount.
Why It Matters for TPRM —
- Demonstrates how compromised privileged credentials can be weaponised against a single vendor, creating downstream risk for all customers.
- Highlights the vulnerability of OT and medical IoT environments that rely on cloud‑hosted management tools.
- Shows that data loss can occur even when traditional backups exist, emphasizing the need for immutable, offline storage.
Who Is Affected — Healthcare and med‑tech manufacturers, hospitals, clinics, and any third party that integrates Stryker’s devices or services.
Recommended Actions — Review and tighten third‑party access controls (AD, Intune), verify immutable backup strategies, segment OT networks, and monitor for Iranian‑linked threat actor activity.
Technical Notes — The attack leveraged stolen AD credentials to obtain Intune admin rights, enabling the platform’s native remote‑wipe command rather than custom malware. Exfiltration of ~50 TB preceded the wipe; 12 PB of data was claimed to have been destroyed. The incident underscores the risk of cloud‑hosted endpoint management tools in OT contexts. Source: DataBreachToday
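The pattern described above (one identity issuing a burst of native wipe commands through the management plane) is something a SOC can alert on from Intune audit events. The following is an added example, not code from DataBreachToday, Stryker or Microsoft; the record layout and the `wipe ManagedDevice` activity string are assumptions approximating the Microsoft Graph `deviceManagement/auditEvents` shape, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records. Field names (activityType, activityDateTime,
# actor.userPrincipalName, resources[].displayName) and the wipe activity
# string are assumptions modelled on Graph auditEvents, not a real export.
WIPE_ACTIVITY = "wipe ManagedDevice"
SAMPLE_EVENTS = [
    # 40 wipes from one service identity within 40 seconds (the attack pattern)
    {"activityType": WIPE_ACTIVITY,
     "activityDateTime": f"2025-01-01T03:00:{i:02d}Z",
     "actor": {"userPrincipalName": "svc-intune@example.test"},
     "resources": [{"displayName": f"ward-laptop-{i:03d}"}]}
    for i in range(40)
] + [
    # a single helpdesk wipe of a lost tablet (normal operations, must not alert)
    {"activityType": WIPE_ACTIVITY, "activityDateTime": "2025-01-01T09:15:00Z",
     "actor": {"userPrincipalName": "helpdesk@example.test"},
     "resources": [{"displayName": "lost-tablet-17"}]},
    # unrelated config change by the same service identity (ignored by the filter)
    {"activityType": "update DeviceConfiguration",
     "activityDateTime": "2025-01-01T03:00:07Z",
     "actor": {"userPrincipalName": "svc-intune@example.test"},
     "resources": [{"displayName": "baseline-policy"}]},
]

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Return {actor: peak_count} for every actor that issued more than
    `threshold` wipe commands inside any sliding window of length `window`."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev.get("activityType") != WIPE_ACTIVITY:
            continue
        per_actor[ev["actor"]["userPrincipalName"]].append(
            parse_time(ev["activityDateTime"]))
    alerts = {}
    for actor, times in per_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[actor] = max(alerts.get(actor, 0), count)
    return alerts

if __name__ == "__main__":
    for actor, n in wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} issued {n} wipes within 10 minutes")
```

Tune `threshold` to the tenant's normal wipe rate; the same loop can be pointed at the tenant's real audit export once the field names are confirmed.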