Medtech Under Fire: Stryker and the Iran-Linked Wiper Threat

Saw the breaking news from Krebs regarding the alleged Iran-backed wiper attack on Stryker. The reports of 5,000 staff being sent home in Ireland and the "building emergency" at their US HQ suggest this isn't just a data breach—it's a severe operational disruption.

We've seen Iran-linked actors (like Pioneer Kitten or Agrius) pivot from espionage to destructive attacks in critical infrastructure sectors. If this is a wiper (similar to ZeroCleare or Dustman), they are likely targeting the Master Boot Record (MBR) or using disk-level encryption to render hardware inoperable, which complicates recovery significantly compared to standard ransomware.

If you are defending healthcare or manufacturing environments, you should be hunting for signs of disk-level interaction or VSS shadow copy deletions. Wipers often try to disable recovery mechanisms immediately.

Here is a KQL query to hunt for processes attempting to delete Volume Shadow Copies via vssadmin:

DeviceProcessEvents
| where FolderPath endswith "\\vssadmin.exe"
| where ProcessCommandLine has "delete" and ProcessCommandLine has "shadows"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine


You should also look for unusual usage of `wbadmin`:

# Check command line arguments for backup deletion attempts
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -match 'wbadmin.*delete.*catalog'}

Given the timing and the target profile, I suspect the initial vector might have been phishing or exploiting a public-facing vulnerability. Has anyone seen specific IOCs associated with this group, or is everyone still waiting for the technical drop?