Experts point to increasing threat intelligence in light of Handala attacks
Experts are noticing the hacker group gaining traction in successful attack attempts.
Following significant cyberattacks tied to a hacking group thought to be linked to Iran, experts are highlighting how critical it is to secure systems against credential-based hacks.
At the beginning of March, Handala Hack, also known as Handala, claimed responsibility for a cyberattack on medical services and devices provider Stryker. Reuters reported that the company experienced disruptions and limited access to systems as a result of the attack; Healthcare Brew reported that 56,000 global employees were encouraged to disable company-issued devices and keep them off of networks.
Amy Mushahwar, data privacy, security, safety, and risk management team chair at law firm Lowenstein Sandler, told IT Brew that the Stryker attack “could happen to any critical company in the US.” The attack itself, she added, was unique in that the attackers destroyed data permanently rather than holding it for ransom. ProArch shared that, in some departments at Stryker, up to 95% of devices had been erased before defenders reacted. Attackers also reportedly defaced login screens with Handala’s logo and propaganda.
“Iranian nation state actors are normally pretty smash and grab…I think the novelty of the wiper attack here is pretty interesting,” Mushahwar said. “This was a deliberate disabling of an entire set of company end points.”
Handala also claimed responsibility for compromising FBI director Kash Patel’s personal email later in March.
Limited traction. Rafe Pilling, director of threat intelligence in the Sophos counter threat unit, said that while Handala is known for embellishing its successes, the Stryker attack “lends credibility to the rest of the claims and an amplification that they’re making.”
Alex Rose, Sophos’s global head of government partnerships and the Counter Threat Unit (CTU), added that “some of these effects from Handala, exaggerated or otherwise, are drawing more attention.”
Cyber’s role in the conflict. Joseph Saunders, CEO of RunSafe Security, said cyber disruptions to an enterprise can have a “psychological effect to help sway public opinion.”
“The Stryker attack demonstrates that, in this case, Iran has access and proxies and organizations it works with that can reach out and touch an organization,” Saunders said.
As a result, he said, organizations need to reassess risk-management practices, and software developers need to do more to protect the products they ship.
“What manufacturers have done to bolster their cyber defense is to eliminate vulnerabilities as much as they can in the code and ensure that the software they ship is the software that gets loaded…out in the field,” Saunders said. “What they don’t do is add in protections that could target those systems at runtime.”
How to prepare. Given how the Stryker attack wiped out enterprise data, Pilling said, administrators may consider putting a control in place so that two admins have to approve any data-wipe operation.
However, he said, that “adds a lot of operational friction” and employees may try to figure out a way around such controls.
Instead, professionals should try to keep systems updated rather than trying to “slam into place some draconian control that breaks people’s workflow day to day,” he added.
About the author
Caroline Nihill
Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.