State, local, tribal and territory (SLTT) governments continue to raise questions about what effects the war in Iran could have on U.S. cybersecurity, and on Thursday discussed takeaways from the March 11 cyber attack on Stryker.
The attack, confirmed as a global disruption to Stryker’s Microsoft environment and claimed by Iran-linked Handala, was a touchpoint for those on a Thursday call with the Multi-State Information Sharing and Analysis Center (MS-ISAC). Cybersecurity advisers have been taking the lead on membership calls to address concerns stemming from the Iran war.
MS-ISAC analysts said afterward that the Stryker attack was concerning for several reasons. Iranian and Iran-linked hackers often attack the health-care sector, where SLTTs own and operate facilities. Those hackers also target public schools and municipally owned critical infrastructure.
Specific to the Stryker attack, a data theft and wiping attack, there were concerns about the LIFENET system that EMS and health-care workers use to transmit incoming patient data to hospitals, do remote consultations and manage fleets, among other functions. Stryker said that the system “continues to function normally with no impact from the disruption” although some “vendors and hospital systems may have temporarily paused transmissions.”
Mobile devices also factor into the attack, The HIPAA Journal reports, and Stryker has 56,000 employees. It’s possible that the attackers accessed the company’s Active Directory services and used the Microsoft endpoint management tool Intune to wipe devices. With that in mind, Randy Rose from the Center for Internet Security (CIS) advised that organizations using Intune review the access policies outlined on the Microsoft Learn pages for Intune and confirm they have the correct configurations.
“If people are really concerned about mobile device management, that’s a great resource for them,” he said. “It’s fairly straightforward and easy to follow. The challenge a lot of SLTT organizations have is that they’re resource strapped. They may have something like this deployed to do mobile device management, but they may not be experts in configuration. So … they may be set up with a default policy … but not gone in and addressed specific controls.”
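The review Rose describes can be reduced to one concrete question: which Intune role assignments carry a remote wipe action, and which Entra groups hold them? The PowerShell script below is an added example, not code from the article, CIS or MS-ISAC. It assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account can consent to the two read scopes, that the Graph `deviceManagement/roleAssignments` endpoint expands the `roleDefinition` navigation property, and that a wipe-capable permission is recognisable by the substring "Wipe" in the role's allowed resource action names; all of those are assumptions, marked in the comments.

```powershell
# Added example, not from the article or from CIS/MS-ISAC: list every Intune role
# assignment whose role grants a remote wipe action, and the groups that hold it.
# Assumptions (labelled): the Microsoft.Graph PowerShell SDK is installed; the
# signed-in account can consent to the scopes below; the roleDefinition navigation
# property expands on this endpoint; wipe rights are recognised by the substring
# "Wipe" in a role's allowedResourceActions names.

#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'DeviceManagementRBAC.Read.All', 'Group.Read.All' -NoWelcome

# Raw Graph call so each assignment comes back with its role definition inline.
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/roleAssignments?$expand=roleDefinition'
$assignments = @()
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    $assignments += $page.value
    $uri = $page.'@odata.nextLink'        # follow paging until exhausted
} while ($uri)

$groupNames = @{}   # cache: Entra group object ID -> display name
function Resolve-GroupName([string]$Id) {
    if (-not $groupNames.ContainsKey($Id)) {
        try   { $groupNames[$Id] = (Get-MgGroup -GroupId $Id -Property displayName).DisplayName }
        catch { $groupNames[$Id] = "<unresolved $Id>" }
    }
    $groupNames[$Id]
}

$findings = foreach ($a in $assignments) {
    $def = $a.roleDefinition
    # Flatten every allowed action across the role's permission blocks.
    $allowed = @($def.rolePermissions | ForEach-Object { $_.resourceActions } |
                ForEach-Object { $_.allowedResourceActions })
    # Assumption: a wipe-capable action name contains "Wipe".
    $wipe = @($allowed | Where-Object { $_ -like '*Wipe*' })
    if ($wipe.Count -eq 0) { continue }

    [pscustomobject]@{
        Assignment  = $a.displayName
        Role        = $def.displayName
        BuiltInRole = $def.isBuiltIn
        ScopeType   = $a.scopeType          # all devices vs. scoped to groups
        AssignedTo  = (@($a.members | ForEach-Object { Resolve-GroupName $_ }) -join '; ')
        WipeActions = ($wipe -join '; ')
    }
}

$findings | Sort-Object Role, Assignment | Format-Table -AutoSize
```

The output is the list to compare against the intended administrative design: every row is a group whose members can wipe devices, and a row whose scope is all devices, or whose group membership is broader than the help-desk staff expected to hold it, is the "default policy" gap Rose describes. The same script re-run after changes is a cheap way to confirm the correction took.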
Rose and TJ Sayers, senior director of threat intelligence at CIS, give presentations during these MS-ISAC briefings, called “snap calls,” and on Thursday fielded questions after presenting Iran-related cybersecurity developments. They said Iranian-backed hackers and proxy hacktivists ramp up political attacks closer to election season, but that all public-sector entities are potential targets.
Organizations should maintain data backups in case of theft or data wiping and keep them separated from the network, Sayers said. They should also secure any public-facing systems, including Internet Protocol (IP) cameras, since threat actors have been targeting them in the Middle East and other war zones.
“A lot of organizations are using some type of IP-based cameras for security purposes, so there was a lot of concern around that as well,” he said. “What we encourage folks to do to address the wiper activity and the IP camera-related things is patch publicly facing services — that could be your mail server, your firewall, a VPN connection … or a camera like that.”
For coverage on MS-ISAC’s March 3 snap call, read this piece from our sister publication Governing.
