Stryker said production lines are ramping back up after a cyberattack that forced parts of its global environment offline, and the company now says malware played a role in the intrusion. In a Monday update, the medical device maker said its teams, alongside Palo Alto Networks Unit 42 and other specialists, identified a malicious file used by the attackers to run commands and hide their activity inside Stryker systems.
The company had previously said it did not believe ransomware or malware were involved. That changed after the latest review, though Stryker said the file was not capable of spreading inside or outside its environment. Stryker also said the incident has been contained and that it has not found malicious activity directed toward customers, suppliers, vendors or partners. Palo Alto Networks’ incident response team said it found no current evidence of active, uncontained or persistent unauthorized access in the company’s environment.
The attack hit Stryker’s Microsoft environment earlier this month, leading to a widespread outage and disruption to electronic ordering systems, according to Cybersecurity Dive. The company said it is restoring systems from backups predating the known window of compromise and isolating some still-unrestored systems from the network. Manufacturing sites are stabilizing, and Stryker said critical lines and plants are being brought back online quickly.
There was still uncertainty around the full operational and financial impact, according to Cybersecurity Dive, which reported that Stryker had not yet set a timeline for full restoration. The company has continued to tell hospitals and healthcare facilities that its products remain safe to use, and it has been prioritizing systems tied directly to customer ordering and shipping. In a separate notice cited by The Record, Stryker said it is rebuilding wiped systems after more than 200,000 company devices were affected.
The Record reported that federal prosecutors have also linked the incident to alleged Iranian cyber actors, saying the attack affected emergency medical services and hospitals in Maryland and caused some hospitals to temporarily suspend connections to Stryker. The outlet also said clinicians in some cases had to rely on radio consultation and verbal description after communications systems were disrupted. Stryker said it has not identified any customer, supplier, vendor or partner systems impacted by the incident.