FBI shuts down hacktivist websites following Stryker cyberattack

The U.S. government seized two websites run by an Iran-linked group following a cyberattack on the global medical device supplier and issued a warning about endpoint management risks. Meanwhile, shipping of some patient implant devices has been delayed.
By Andrea Fox, Senior Editor
Photo: Joe Raedle/Getty Images

The FBI on Thursday reportedly seized two websites belonging to Handala, a hacktivist group linked to Iran's Ministry of Intelligence and Security (MOIS). The seizure followed the group's March 11 attack on medical device vendor Stryker, in which it used compromised credentials to gain access to the company's Microsoft Intune controls and wipe devices.

The Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance in response to the Stryker cyberattack, urging organizations to secure endpoint systems by implementing multi-factor authentication (MFA) and requiring multi-admin approvals for high-impact actions like device wiping.

WHY IT MATTERS

The threat actors acknowledged the seizure and claimed they are in the process of creating new websites, Bleeping Computer said on Thursday.

"In light of recent events and the need to establish secure and resilient infrastructure, we inform you that building a new digital base is a complex and time-consuming process," the group posted on the social channel Telegram, according to the report.

Handala, aka Void Manticore, COBALT MYSTIQUE, Banished Kitten, Storm-1084/Storm-0842 and Doom, first appeared in December 2023. It has targeted organizations in critical sectors for operational disruption, obtaining identities through phishing and then abusing administrative access.

NBC News said Handala's Telegram channel was still active on Thursday, and the group verified the FBI takedown of Handala-Redwanted[.]to and Handala-Hack[.]to.

These domains now display a seizure notice stating the websites were seized under a seizure warrant issued by the District Court for the District of Maryland, according to that report.

Later that day, the U.S. Department of Justice announced multiple court-authorized domain seizures related to its ongoing effort to disrupt hacking and transnational schemes "conducted by the Islamic Republic of Iran's Ministry of Intelligence and Security."

"The seized domains – Justicehomeland[.]org, Handala-Hack[.]to, Karmabelow80[.]org, and Handala-Redwanted[.]to – were used by the MOIS in furtherance of attempted psychological operations targeting adversaries of the regime by claiming credit for hacking activity, posting sensitive data stolen during such hacks and calling for the killing of journalists, regime dissidents and Israeli persons," the DOJ said.

The actors who disrupted Stryker's operations have reportedly confirmed the FBI's seizure of its operational portal:

"To all truth-seekers and defenders of justice, we inform you that the Handala RedWanted website, which was dedicated to exposing Zionist crimes and raising global awareness, has also been seized and taken offline by order of the FBI," the group said on Telegram. "This aggressive action reveals the extent to which the enemies of truth will go to silence voices that unveil their atrocities."

CISA, which had opened an investigation into the Stryker attack, issued a new alert on Wednesday, warning organizations to protect networks from similar cyber threats by shoring up their endpoint management system configurations.

"To defend against similar malicious activity that misuses legitimate endpoint management software, CISA urges organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune; the principles of these recommendations can be applied to Intune and more broadly to other endpoint management software," the agency advised.

CISA also recommended assigning the minimum permissions necessary for day-to-day operations, including limiting which actions users and devices may take. Alongside that, it advised enforcing phishing-resistant MFA and privileged access hygiene protocols and requiring multi-admin approvals in the Intune software.

"Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc.," said CISA.
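The two controls CISA describes above, least-privilege role assignment and a second administrator's approval for high-impact actions such as device wiping, are easy to reason about in code. The following is an added illustration written for this article, not Intune code or anything published by CISA, Microsoft or Stryker. The role map, the action names, the approval threshold and the audit records are all constructed assumptions; the point is to show why a single compromised administrator credential is not enough to wipe devices once both controls are in place, and how an audit review can flag wipes that ran without a second approver.

```python
# Added example: least-privilege RBAC plus second-admin approval for
# high-impact endpoint actions. Illustrative only; not Intune's API.
from dataclasses import dataclass, field

# Assumed action names for the example.
HIGH_IMPACT_ACTIONS = {"device_wipe", "device_retire", "script_deploy", "rbac_change"}

# Assumed least-privilege role map: each role lists only the actions it may request.
ROLE_PERMISSIONS = {
    "helpdesk": {"device_sync", "password_reset"},
    "device_admin": {"device_sync", "password_reset", "device_wipe", "device_retire"},
    "global_admin": {"device_sync", "password_reset", "device_wipe", "device_retire",
                     "script_deploy", "rbac_change"},
}


@dataclass
class ActionRequest:
    action: str
    requester: str
    requester_role: str
    approvers: set = field(default_factory=set)


def can_request(req: ActionRequest) -> bool:
    """Least privilege: the requester's role must include the requested action."""
    return req.action in ROLE_PERMISSIONS.get(req.requester_role, set())


def add_approval(req: ActionRequest, approver: str) -> None:
    """Record an approval. The requester approving their own request is rejected,
    so one compromised account cannot satisfy the policy by itself."""
    if approver == req.requester:
        raise PermissionError("requester cannot approve their own request")
    req.approvers.add(approver)


def is_authorized(req: ActionRequest, min_approvers: int = 1) -> bool:
    """Routine actions need only the role permission; high-impact actions also
    need min_approvers distinct administrators other than the requester."""
    if not can_request(req):
        return False
    if req.action not in HIGH_IMPACT_ACTIONS:
        return True
    return len(req.approvers - {req.requester}) >= min_approvers


def find_unapproved(events: list) -> list:
    """Detection view over audit records (constructed format: dicts with
    'action', 'actor' and 'approvers'). Returns executed high-impact actions
    that had no approver other than the actor, for investigation."""
    flagged = []
    for ev in events:
        if ev["action"] in HIGH_IMPACT_ACTIONS:
            others = set(ev.get("approvers", [])) - {ev["actor"]}
            if not others:
                flagged.append(ev)
    return flagged


# Constructed audit records; the device counts and account names are invented.
SAMPLE_EVENTS = [
    {"id": 1, "action": "device_wipe", "actor": "admin-a", "approvers": ["admin-b"], "devices": 12},
    {"id": 2, "action": "device_wipe", "actor": "admin-c", "approvers": [], "devices": 400},
    {"id": 3, "action": "device_sync", "actor": "helpdesk-1", "approvers": []},
    {"id": 4, "action": "device_wipe", "actor": "admin-c", "approvers": ["admin-c"], "devices": 50},
]

if __name__ == "__main__":
    # A device administrator requests a wipe: blocked until a second admin approves.
    wipe = ActionRequest("device_wipe", "admin-a", "device_admin")
    print("wipe alone authorized:", is_authorized(wipe))
    add_approval(wipe, "admin-b")
    print("wipe with second admin:", is_authorized(wipe))
    # Audit review: which wipes ran with no independent approver?
    print("flagged event ids:", [ev["id"] for ev in find_unapproved(SAMPLE_EVENTS)])
```

Running the block shows the wipe request refused until a distinct administrator approves it, a helpdesk role unable to request a wipe at all, and events 2 and 4 (no approver, and self-approval only) flagged for review. In a real deployment the approval state would live in the management platform rather than in memory, but the two checks, role permission first and independent approval second, are the logic CISA's alert asks for.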

Stryker and Microsoft contributed to the agency's alert and suggested mitigations. CISA said it continues to coordinate with federal partners to identify additional threats and determine mitigation actions.

THE LARGER TREND

Kalamazoo, Michigan-based Stryker said in a compliance report filed with the U.S. Securities and Exchange Commission on the day of the attack that it had "no indication of ransomware or malware and believes the incident is contained."

The company said the incident was expected "to continue to cause disruptions and limitations of access to certain of the company's information systems and business applications supporting aspects of the company's operations and corporate functions."

Stryker stated that the incident did not affect the security or safety of its products or devices.

While the company noted restoration of its systems continues in a consumer update posted to its website Thursday evening, it acknowledged specific patient care disruptions related to new or replacement devices:

"Some of our customers that utilize our personalized implants are experiencing some disruptions," Stryker said. "We understand that some patient-specific cases scheduled for the week of March 16 have been rescheduled due to shipping delays we are experiencing."

Healthcare leaders have increased their security budgets to keep up with the growing number of cyberattacks on medical devices. One security report released last year discussed an increase in the direct targeting of patient care devices.

Of organizations that reported medical device compromise, 43% said they experienced one to four hours of downtime, 31% said they have faced five to 12 hours of outages, and 19% said their organizations lost use of medical devices for more than 13 hours.

ON THE RECORD

"We have been focused on proactive outreach to and collaboration with government agencies and industry partners," Stryker said on its incident update page. "We are in close contact with the White House National Cyber Director, FBI, CISA, [the Defense Health Agency], [U.S. Health and Human Services] and [Health-ISAC] and appreciate the ongoing support they have been giving us."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.