Hackers Boast as Lawsuits Pile Up



Medtech Maker Is Still Recovering While Iranian Hackers Threaten More Attack Victims

Iranian hacktivist group Handala, on its “team” website, claims to have stolen 50 terabytes of Stryker data and “permanently” erased another 12 petabytes from 200,000 devices. (Image: Handala Hack Team)

The Iranian hacker group that claimed responsibility for a wiper attack against medical device maker Stryker is warning of more assaults on other victims as class action lawsuits against the manufacturer have begun to pile up in federal court.


In a post on its website, the hacktivist group – widely suspected of being a front for Iran’s Ministry of Intelligence – boasted on Monday of exfiltrating 50 terabytes of “critical data.” It said it permanently erased “in just a few hours” 200,000 devices and 12 petabytes of Stryker data “that took years to collect and billions of dollars to protect.”

“This is only the beginning; those who think they are safe had better be prepared. Our voice will be heard not only by Stryker, but by all those who walk the path of oppression and aggression,” Handala said.

Some experts said organizations operating critical infrastructure should take the threats seriously – although threat intel firm Cisco Talos has said the Stryker hack was likely opportunistic rather than targeted and that the health sector does not face elevated risk (see: Health Sector Braces for Stryker Hack Supply Chain Shock).

“Iran does have significant offensive cyber capabilities, so there is a strong possibility of additional attacks if the conflict persists,” said Scott Gee, deputy national cybersecurity risk advisor at the American Hospital Association.

Organizations across all sectors should ensure that systems are patched and effectively protected, he said. Entities should also examine the operational technology in their environments, “as the Iranians have attacked OT systems in the past,” Gee warned.

Handala appears to have gained access to Stryker’s Active Directory infrastructure and used the Microsoft Intune endpoint management tool to remotely wipe tens of thousands of devices and servers (see: Medtech Firm Stryker Disrupted by Pro-Iran Hackers).

Handala’s use of Intune’s native remote wipe, rather than malware, makes the destruction “thorough and uniform” across enrolled Stryker devices, said Piyush Sharma, CEO and co-founder of security firm Tuskira.
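The detection angle that follows from the two paragraphs above is that a legitimate management action (a remote wipe) becomes an attack only by volume and velocity, so the signal a defender can watch for is an unusual burst of wipe actions from a single account. The script below is an added illustration, not code from the article, from Stryker, or from Microsoft. It runs a sliding-window count of wipe actions per actor over constructed audit events; the event field names are only loosely modelled on the shape of Intune audit events and are an assumption here, not a documented schema, and every value in the sample is invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Timestamp format used by the constructed events below (assumption).
FMT = "%Y-%m-%dT%H:%M:%SZ"


def _constructed_events():
    """Build an invented set of MDM audit events for the example.

    Field names (activityDateTime, activityType, actor, resourceId) are an
    assumption modelled loosely on an Intune audit-event shape; every
    value is constructed for this illustration.
    """
    base = datetime(2026, 3, 10, 2, 0, 0)
    events = []
    # 25 wipe actions from one account within about three minutes: the
    # kind of burst a mass-wipe would produce.
    for i in range(25):
        events.append({
            "activityDateTime": (base + timedelta(seconds=7 * i)).strftime(FMT),
            "activityType": "wipe ManagedDevice",
            "actor": "svc-mdm@example.test",
            "resourceId": f"dev-{i:04d}",
        })
    # Two routine wipes by a help-desk admin, hours apart: normal activity.
    for i, hours in enumerate((9, 15)):
        events.append({
            "activityDateTime": (base + timedelta(hours=hours)).strftime(FMT),
            "activityType": "wipe ManagedDevice",
            "actor": "helpdesk@example.test",
            "resourceId": f"dev-9{i:03d}",
        })
    # A non-wipe management action that the detector must ignore.
    events.append({
        "activityDateTime": (base + timedelta(minutes=1)).strftime(FMT),
        "activityType": "syncDevice ManagedDevice",
        "actor": "svc-mdm@example.test",
        "resourceId": "dev-0500",
    })
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_mass_wipe(events, threshold=10, window=timedelta(minutes=15)):
    """Return one alert per actor that issued >= threshold wipes inside any window.

    The check is a sliding window over each actor's wipe timestamps, so a
    slow trickle of legitimate wipes spread over a day does not fire while
    a burst of the same total count does.
    """
    wipes = defaultdict(list)
    for e in events:
        # Only wipe actions count; other device-management verbs are ignored.
        if e["activityType"].lower().startswith("wipe"):
            ts = datetime.strptime(e["activityDateTime"], FMT)
            wipes[e["actor"]].append((ts, e["resourceId"]))

    alerts = []
    for actor, items in wipes.items():
        items.sort()
        start = 0
        best_count, best_span = 0, None
        for end in range(len(items)):
            # Shrink the window from the left until it fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_span = (items[start][0], items[end][0])
        if best_count >= threshold:
            alerts.append({
                "actor": actor,
                "wipes": best_count,
                "first": best_span[0].strftime(FMT),
                "last": best_span[1].strftime(FMT),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"ALERT: {alert['actor']} issued {alert['wipes']} wipes "
              f"between {alert['first']} and {alert['last']}")
```

The threshold and window are tuning knobs: a fleet that legitimately wipes devices in batches (device refresh cycles, offboarding waves) needs a higher threshold or an allow-list of change-window accounts, and the alert is most useful when it can trigger a revocation of the issuing account's management privileges rather than only a ticket.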

“Cloud-hosted structured data with proper backups has a reasonable recovery path. Endpoint and BYOD data could be gone permanently. Stryker’s core transactional systems appear to be recovering, suggesting critical databases were protected,” he said.

“The harder problem is the claimed 50 TB exfiltrated before the wipe, since that data doesn’t come back regardless of backups,” he said.

Quick recovery in these kinds of incidents “is feasible if they maintain offline/immutable backup data storage best practices methodology,” said Steve Eisele, CEO of security firm Lonestar Data Holdings.

“If the backups are network-connected or cloud-based, they could also be compromised. Often, bad actors target backups first as part of their strategy to harm the full system,” he said.

In a worst-case scenario, both the primary data and the backups are destroyed and must be rebuilt by relying on third-party records or by asking patients and customers to resubmit their information, which could take months to years and result in major financial loss as well, he said.

“Iran has specifically mentioned that U.S. technology providers are within its targets, and it has used similar destructive cyber techniques in the past,” said attorney Cathy Mulrow-Peattie, a partner at the law firm Hinshaw & Culbertson.

“This means that disaster recovery and business continuity systems are even more critical as a defense and a way to stay in business,” she said.

Stryker contends the incident did not affect devices and systems connected to customers, but an outage of the company’s electronic ordering systems is hampering purchasing processes and could result in delayed shipments and product shortages the longer the disruption persists (see: Health Sector Braces for Stryker Hack Supply Chain Shock).

“This situation really emphasizes third-party risk. Hospitals themselves were not attacked in this instance, but the loss of a critical third-party supplier has the potential to have significant impact to hospitals,” AHA’s Gee said.

Meanwhile, as Handala threatens other potential victims and Stryker works to restore its affected IT systems, plaintiffs – including current and former Stryker employees – are already racing to federal court with proposed class action litigation against the manufacturer.

“The actions of Stryker related to this data breach are unconscionable,” alleges one of several proposed putative class action lawsuits already filed against Stryker in recent days.

“Stryker failed to implement practices and systems to mitigate against the risks posed by Stryker’s negligent – if not reckless – IT practices. As a result of these failures, plaintiff and class members face a litany of harms that accompany data breaches of this magnitude and severity.”
