April 22, 2026

When the Tool Becomes the Weapon: Lessons from the Stryker Attack

Written by
Matt Stern

There are some key takeaways from the attack by the Iranian hacktivist group Handala on the Stryker Corporation. The group was able to compromise the Microsoft Intune Admin Center, which controls policy for Stryker's entire Microsoft infrastructure, and then manipulate that system to affect tens of thousands of corporate and personal devices. They did what all attackers strive to do: use legitimate tools for illegitimate purposes.

There is now a great deal of reporting on the incident, including on Stryker's own website. If you are not familiar with the incident, I recommend doing some online research to put my observations and comments in context. By the way, kudos to Stryker for being honest and forthright in reporting the incident. It really does not get worse than this attack. I feel for their CISO and entire security team. Nothing like being on the receiving end of a major incident. It reminds me of my days commanding the Army Computer Emergency Response Team and then being the lead contractor at the US CERT.

For those who do not have time to do the detailed research on the incident, I will sum it up. The group attacked corporate infrastructure and, instead of wiping just the corporate data, they wiped the entire phone. For thousands of employees taking advantage of a Bring Your Own Device (BYOD) offering built on the Microsoft product suite (Intune, Company Portal, O365, etc.), their personal phones were wiped.

So why would anyone want to use their personal phone for their work communication? And why would any corporation ever want to trust the security of a BYOD employee device?

It’s a Competing Set of Requirements

First of all, we have become a remote and mobile-first workforce. Many employers need to provide access to their HR systems for time accounting, pay and benefits. They also want to enable employees to communicate with each other or with management. The current model is that companies provide some sort of device to deliver those services. That comes with a whole host of issues: communication provider expenses, device costs, and then internal or outsourced staff to manage, configure, maintain and secure the fleet and keep it compliant with industry regulations and standards. And they have no assurance that the phone will always be in the employee's possession, which brings the risk of data loss from the device. And of course, even with a fleet of managed devices maintained and protected by the best security team available with the best tools, the organization has expanded its attack surface outside of its positive control. From the employee's point of view, they have to account for another mobile device and either carry two phones, or trust that their employer doesn't monitor their conversations or personal business, if personal use is even allowed under the Acceptable Use Policy (AUP). And their AUP probably already states that they will be monitored.

So what is an alternative? Many companies, like Stryker, have a BYOD policy in place. The benefit is that the employee can use their personal mobile device for work-related functions. In this case, the workload apps like email or messaging are containerized on the end-user device, usually through a Mobile Application Management (MAM) app. These apps are usually policy driven: if the device adheres to certain security criteria, then the user can access enterprise resources. The app can manage access controls, device security attestation about OS versions and basic compromise detection, encrypted data storage, and download prevention. Sounds great and convenient, right? What could go wrong?

From the perspective of the organization, a great deal can go wrong. Most people do not run any kind of device security. They will use their personal device for banking, sharing detailed personal information over social media, or even accessing their medical data on an unsecured device. And if they use it for work, the device could be compromised and then hardened by the malicious actor to look legitimate, while being full of tools to extract data or gain access to a variety of online resources. Once again, the attack surface increases while the end-user device is trusted at some level, even if it is only the "container" that MAM provides. And how much can you trust that container if a malicious actor can use a baseband attack to gain access to the device and shut down firmware, including the trusted execution environment? And this does not include the possible invasions of privacy that can occur when monitoring a personal device.

Recapping the Stryker incident: a compromise occurred within a seemingly trusted component, the Admin Center, and led to a cascading effect throughout the enterprise. The malicious actor then used a legitimate tool to do a malicious act. They wiped every personal device enrolled in MAM. If the end-user employee did not have good backups in place with their cloud service provider or carrier, then their data was gone. The legal implications are going to be unprecedented.
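The management plane in this incident was abused exactly as designed: one authorized console issued thousands of legitimate wipe commands. Two defensive controls follow directly from that. First, the audit trail of the management plane should be watched for an actor issuing an abnormal burst of destructive commands. Second, the console itself should refuse to fan a destructive command out to many devices on a single administrator's say-so. The block below is an added example written for this post; it is not Hypori's code and not code from Stryker's response. The `key=value` audit-line format, the actor names and the device ids are constructed for the demonstration and are not Microsoft Intune's real audit schema; `DESTRUCTIVE_ACTIONS` and the thresholds are assumptions you would tune to your own tenant.

```python
"""Detect bulk destructive commands issued through a device-management plane.

Added example, not code from Hypori or from the Stryker incident response.
The audit-line format below is a constructed, hypothetical schema used only
for this demonstration; it is not Microsoft Intune's real audit log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines (hypothetical "timestamp key=value ..." schema).
# "mallory" issues five destructive commands in eight seconds; "bob" issues two
# wipes more than an hour apart; "alice" issues nothing destructive.
SAMPLE_AUDIT_LINES = """\
2026-04-01T02:14:05Z actor=alice@corp.example action=SyncDevice device=dev-0101 scope=Corporate
2026-04-01T02:14:09Z actor=mallory@corp.example action=WipeDevice device=dev-2001 scope=Personal
2026-04-01T02:14:11Z actor=mallory@corp.example action=WipeDevice device=dev-2002 scope=Personal
2026-04-01T02:14:13Z actor=mallory@corp.example action=WipeDevice device=dev-2003 scope=Personal
2026-04-01T02:14:15Z actor=mallory@corp.example action=RetireDevice device=dev-2004 scope=Personal
2026-04-01T02:14:17Z actor=mallory@corp.example action=WipeDevice device=dev-2005 scope=Personal
2026-04-01T02:15:40Z actor=bob@corp.example action=WipeDevice device=dev-0300 scope=Corporate
2026-04-01T03:20:00Z actor=bob@corp.example action=WipeDevice device=dev-0301 scope=Corporate
2026-04-01T03:21:00Z actor=alice@corp.example action=ResetPasscode device=dev-0102 scope=Corporate
"""

# Assumed set of actions that destroy data on the device (tune to your platform).
DESTRUCTIVE_ACTIONS = {"WipeDevice", "RetireDevice"}


def parse_audit_line(line):
    """Parse one constructed audit line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not all(k in fields for k in ("actor", "action", "device")):
        return None
    fields["ts"] = ts
    return fields


def parse_audit_log(text):
    """Parse a whole log, silently dropping blank or malformed lines."""
    events = [parse_audit_line(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e is not None]


def detect_bulk_destructive(events, window=timedelta(minutes=10), threshold=5):
    """Per actor, find the peak number of destructive commands inside any
    sliding `window`. Returns {actor: (peak_count, window_start, window_end)}
    for every actor whose peak reaches `threshold`."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS:
            per_actor[e["actor"]].append(e["ts"])
    alerts = {}
    for actor, stamps in per_actor.items():
        stamps.sort()
        best = (0, None, None)
        j = 0  # right edge of the window; only ever moves forward
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            count = j - i
            if count > best[0]:
                best = (count, start, stamps[j - 1])
        if best[0] >= threshold:
            alerts[actor] = best
    return alerts


def requires_second_approver(action, target_count, threshold=5):
    """Guardrail on the issuing side: a destructive command fanning out to
    `threshold` or more devices in one request should not execute on a single
    administrator's authority. True means demand a second approval first."""
    return action in DESTRUCTIVE_ACTIONS and target_count >= threshold


if __name__ == "__main__":
    evts = parse_audit_log(SAMPLE_AUDIT_LINES)
    for actor, (n, t0, t1) in detect_bulk_destructive(evts).items():
        print(f"ALERT {actor}: {n} destructive commands between "
              f"{t0:%H:%M:%S} and {t1:%H:%M:%S} UTC")
    print("bulk wipe of 1200 devices needs a second approver:",
          requires_second_approver("WipeDevice", 1200))
```

The detector keys on the actor, not the device, because the signal in a management-plane compromise is one identity doing something at a volume no legitimate administrator does. The approval guardrail is the preventive counterpart: a compromised console account can still wipe one device, but the fan-out that caused the damage in this incident becomes a two-person action.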

What Security Leaders Should Take Away From This

What makes the Stryker incident especially concerning is that it exemplifies how the security community continues to focus on securing endpoints rather than reducing the attack surface and focusing on what is really important. The data is the jewel, not the device. With modern backups and infrastructure as code, restoration of operating systems and configurations is a push of a button. However, what about your data? What about your personal data? What about the intellectual property an entire business is based on, like the Coca-Cola secret formula? As long as data and device security are tightly coupled, any breach of the management layer turns into immediate, enterprise-wide exposure.

Can you have your cake and eat it too? Absolutely – it’s called Hypori!

We built Hypori around a different assumption: that endpoints can't be trusted and the data never has to reach the device. Instead of trying to secure every device, we remove the device from the equation entirely. With Hypori's Virtual Mobile Infrastructure, apps, data, and controls stay inside a secure, centralized environment, and the phone becomes nothing more than an access point.

That fundamentally changes the risk model.

You’re no longer worrying about what happens when a device is compromised, lost, or wiped, because there’s nothing on the device to lose in the first place. There’s no corporate data sitting on a personal phone, and no need to extend enterprise control into something the organization doesn’t actually own.

It also changes how security leaders think about disruption. When everything lives in a controlled environment, organizations aren’t chasing impact across thousands of endpoints. They’re managing and containing risk where it actually lives: inside the enterprise.

And this is where BYOD finally starts to make sense. We’re not asking employees to give up control of their personal devices or accept invasive management layers. We’re not putting them in a position where a corporate incident can spill over into their personal lives.

We’re creating true separation.

Ultimately, the only way to guarantee separation, not just between personal and corporate data but also against the propagation of threats between environments, is to eliminate the device from the attack surface. Hypori provides that separation and prevents threats from moving in either direction.
