Just one day after the massive attack, Stryker declared the incident “contained.” An incident response engineer explains why that assessment may be premature and why new screenshots are cause for concern.
Stryker declared the March 11 cyberattack contained just one day after the breach came to light. Corey Staas, Incident Response Engineer at US cybersecurity firm ProCircular, cautions against taking that assessment at face value.
What “contained” actually means
“Contained in incident response has a specific technical meaning,” Staas explains. The source of initial access must be identified, lateral movement traced, all impacted systems scoped, and the attacker’s access fully cut off. “This is rarely straightforward, especially when identity infrastructure like Microsoft Entra ID is involved.”
That appears to be the case here. Reports indicate Stryker’s Entra ID was compromised with admin-level access, which according to Staas opens several additional persistence paths: “Syncing malicious changes to on-premises Active Directory through Entra Connect, abusing federated identity or legacy authentication protocols, or maintaining access across SaaS applications tied to that identity plane.”
“Enterprises receiving that kind of statement from a vendor partner in such a short time should understand it as an early assessment, not a final answer.” To be fair, Staas acknowledges: “That one-day timeline reflects a large, capable security organization working around the clock. When they say ‘contained,’ they may well be right.”
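To make the persistence paths Staas lists above concrete, the following is an added hunting example written for this edit; it is not code from Stryker, ProCircular or Staas. It triages Entra ID audit and sign-in records for the four things he names: federation settings changes on a domain, tampering with the Entra Connect synchronization account (assumed here to follow the usual Sync_<server>_<id>@<tenant>.onmicrosoft.com naming), new credentials or consents on service principals that tie SaaS applications to the identity plane, and successful sign-ins over legacy protocols that bypass Conditional Access. The record shapes follow Microsoft Graph directoryAudit and signIn objects but are simplified, the sample records are constructed, and the activity-name and legacy-client lists are a hunting starting point rather than a vendor-maintained catalogue.

```python
"""Triage Entra ID audit/sign-in records for identity persistence paths.

Example code added for this article. Record shapes are trimmed Microsoft Graph
directoryAudit / signIn objects; all sample data below is constructed.
"""

# Constructed sample records (not Stryker data), trimmed to the fields used here.
AUDIT_LOG = [
    {"activityDateTime": "2026-03-11T02:14:09Z",
     "activityDisplayName": "Set federation settings on domain",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "Domain", "displayName": "contoso.example",
                          "modifiedProperties": [{"displayName": "IssuerUri",
                                                  "oldValue": "http://adfs.contoso.example/adfs/services/trust",
                                                  "newValue": "http://rogue-idp.example/trust"}]}]},
    {"activityDateTime": "2026-03-11T02:20:41Z",
     "activityDisplayName": "Reset user password",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "On-Premises Directory Synchronization Service Account",
                          "userPrincipalName": "Sync_AADC01_a1b2c3d4e5f6@contoso.onmicrosoft.com",
                          "modifiedProperties": []}]},
    {"activityDateTime": "2026-03-11T02:31:00Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "ServicePrincipal", "displayName": "HR-SaaS-Connector",
                          "modifiedProperties": []}]},
    {"activityDateTime": "2026-03-11T02:35:12Z",
     "activityDisplayName": "Add member to role",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "svc-backup",
                          "userPrincipalName": "svc-backup@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "oldValue": None, "newValue": "Global Administrator"}]}]},
    {"activityDateTime": "2026-03-11T09:00:00Z",
     "activityDisplayName": "Update user",   # routine helpdesk change, should not be flagged
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"type": "User", "displayName": "Alice",
                          "userPrincipalName": "alice@contoso.example", "modifiedProperties": []}]},
]

SIGNIN_LOG = [
    {"createdDateTime": "2026-03-11T03:02:55Z", "userPrincipalName": "svc-backup@contoso.example",
     "clientAppUsed": "IMAP4", "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-11T03:10:00Z", "userPrincipalName": "alice@contoso.example",
     "clientAppUsed": "Browser", "appDisplayName": "Office 365 SharePoint Online", "status": {"errorCode": 0}},
    {"createdDateTime": "2026-03-11T03:11:00Z", "userPrincipalName": "bob@contoso.example",
     "clientAppUsed": "Exchange ActiveSync", "appDisplayName": "Office 365 Exchange Online",
     "status": {"errorCode": 50126}},  # failed legacy attempt: noted but not a persistence hit
]

# Activity names as Entra emits them, grouped by the persistence path they serve.
# Assumption: this grouping is a hunting starting point, not an exhaustive list.
FEDERATION_ACTIVITIES = {"Set federation settings on domain", "Set domain authentication",
                         "Add unverified domain", "Verify domain"}
APP_PERSISTENCE_ACTIVITIES = {"Add service principal credentials", "Add application",
                              "Consent to application", "Add app role assignment grant to user",
                              "Add app role assignment to service principal"}
ROLE_ACTIVITIES = {"Add member to role", "Add eligible member to role"}
SYNC_ACCOUNT_PREFIX = "Sync_"  # Entra Connect cloud account: Sync_<server>_<id>@<tenant>.onmicrosoft.com
# clientAppUsed values that indicate legacy authentication (no Conditional Access / MFA).
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients",
                      "MAPI Over HTTP", "Exchange Web Services", "Exchange Online PowerShell",
                      "Offline Address Book", "Autodiscover", "Outlook Anywhere (RPC over HTTP)",
                      "Reporting Web Services", "Universal Outlook"}


def _actor(rec):
    return rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")


def _targets(rec):
    return rec.get("targetResources", [])


def classify_audit(rec):
    """Map one directoryAudit record to a persistence path, or None if unremarkable."""
    name = rec.get("activityDisplayName", "")
    if name in FEDERATION_ACTIVITIES:
        return "federation"
    # Any change *to* the sync account (credential reset, role add) or a role change
    # *by* it is out of pattern: the sync account should only perform object syncs.
    sync_touched = any((t.get("userPrincipalName") or "").startswith(SYNC_ACCOUNT_PREFIX) for t in _targets(rec))
    sync_acting = _actor(rec).startswith(SYNC_ACCOUNT_PREFIX) and name in ROLE_ACTIVITIES
    if sync_touched or sync_acting:
        return "entra_connect"
    if name in ROLE_ACTIVITIES:
        return "role_assignment"
    if name in APP_PERSISTENCE_ACTIVITIES:
        return "saas_app"
    return None


def legacy_auth_signins(signins):
    """Successful sign-ins over legacy protocols; failures are excluded from the hit list."""
    return [s for s in signins
            if s.get("clientAppUsed") in LEGACY_CLIENT_APPS and s.get("status", {}).get("errorCode") == 0]


def describe(rec):
    """One-line summary of a flagged audit record including old/new values."""
    target = _targets(rec)[0] if _targets(rec) else {}
    changes = "; ".join(f"{m['displayName']}: {m.get('oldValue')!r} -> {m.get('newValue')!r}"
                        for m in target.get("modifiedProperties", []))
    line = f"{rec['activityDateTime']} {_actor(rec)} {rec['activityDisplayName']} -> " \
           f"{target.get('userPrincipalName') or target.get('displayName')}"
    return f"{line} [{changes}]" if changes else line


def triage(audit_log, signin_log):
    """Group findings by persistence path; every key is present even when empty."""
    findings = {k: [] for k in ("federation", "entra_connect", "role_assignment", "saas_app", "legacy_auth")}
    for rec in audit_log:
        label = classify_audit(rec)
        if label:
            findings[label].append(describe(rec))
    for s in legacy_auth_signins(signin_log):
        findings["legacy_auth"].append(
            f"{s['createdDateTime']} {s['userPrincipalName']} via {s['clientAppUsed']} to {s['appDisplayName']}")
    return findings


def accounts_to_scope(audit_log):
    """Actors and targets of every flagged change: the minimum set to scope before 'contained'."""
    accounts = set()
    for rec in audit_log:
        if classify_audit(rec):
            accounts.add(_actor(rec))
            accounts.update(t["userPrincipalName"] for t in _targets(rec) if t.get("userPrincipalName"))
    return sorted(accounts)


if __name__ == "__main__":
    for path, items in triage(AUDIT_LOG, SIGNIN_LOG).items():
        print(f"== {path}: {len(items)} finding(s)")
        for item in items:
            print("   ", item)
    print("== accounts to scope:", ", ".join(accounts_to_scope(AUDIT_LOG)))
```

Against real data the two lists would be fed from the Graph `auditLogs/directoryAudits` and `auditLogs/signIns` endpoints over the incident window; the point of `accounts_to_scope` is that a containment claim should cover every actor and target on that list, including the sync account, not only the account first seen compromised.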
New screenshots raise questions
On March 16, screenshots surfaced that reportedly show the attackers accessing Stryker’s Rubrik (backup and data protection) and vSphere (VMware virtualization) environments. Neither is Microsoft infrastructure, which sits uneasily with Stryker’s status page, which has consistently described the scope as limited to its internal Microsoft corporate environment.
“If those screenshots are legitimate, the forensic picture may still be developing,” Staas says. “Anyone relying on Stryker should be watching for updates as the forensic picture becomes clearer.”
At ProCircular, Staas focuses on forensic investigation of security incidents, proactive threat hunting, and developing detection signatures.
Background
The hacking group Handala has claimed responsibility for the attack, alleging it wiped more than 200,000 systems and exfiltrated 50 terabytes of data. The group is widely regarded in the cybersecurity industry as a front for Void Manticore, a threat actor attributed to the Iranian state. Stryker, a Fortune 500 company with over $25 billion in annual revenue and a major supplier to hospitals worldwide, has confirmed the incident in an SEC Form 8-K filing but has not provided a timeline for full recovery.