{
  "threatScenario": "Ransomware Attack",
  "companyName": "Stryker Corporation",
  "companyInfo": "Stryker Corporation (NYSE: SYK) is a Fortune 500 medical technology company headquartered in Portage, Michigan, with approximately 56,000 employees and $25.1 billion in annual revenue (2025). Stryker develops and manufactures surgical equipment, orthopedic implants (joint replacements, trauma fixation), medical imaging systems (Airo TruCT mobile CT), neurovascular devices, hospital beds, and connected digital health platforms (Vocera communications, care.ai ambient monitoring, SurgiCount surgical safety). The company operates across three primary business divisions — Orthopaedics, MedSurg & Neurotechnology, and Spine — with manufacturing, R&D, sales, and distribution operations spanning 79 countries. Stryker holds significant U.S. military medical device contracts and operates OrthoSpace Ltd., an orthopedic device subsidiary based in Israel. Products are deployed in operating rooms, emergency departments, and ambulance services worldwide, including the LIFEPAK defibrillator line and the Mako robotic-arm surgical system. Stryker's CISO is Dave Nathans, and CEO is Kevin Lobo.",
  "department": "",
  "exerciseObjectives": "Detection & Response, Recovery & Restoration",
  "participants": "it_staff, leadership",
  "industry": "Healthcare",
  "itStaff": "Debra King (Vice President, Chief Digital and Information Officer), Alan Douville (Former CIO, architect of Stryker's global IT operating model and data center consolidation), Dale Pease (Group Vice President, Supply Chain Operations IT)",
  "otStaff": "Viju Menon (Group President, Global Quality and Operations), Dylan Crotty (Group President, Orthopaedics — oversees implant manufacturing operations), Andy Pierce (Group President, MedSurg and Neurotechnology — oversees surgical and medical device manufacturing)",
  "cybersecurityStaff": "Dave Nathans (Chief Information Security Officer — led incident response and direct outreach to customers and cybersecurity community during the March 2026 attack), Alissa Johnson (Former CISO — built Stryker's cybersecurity program; previously Deputy CIO for the Executive Office of the President)",
  "leadershipStaff": "Kevin Lobo (Chair and Chief Executive Officer — authorized SEC filings and public communications during the incident), Spencer Stiles (President and Chief Operating Officer — leads global businesses, strategy, and M&A), Preston Wells (Vice President, Chief Financial Officer — oversees financial impact assessment and SEC reporting), Rob Fletcher (Vice President, Chief Legal Officer — manages regulatory disclosure, litigation risk, and law enforcement coordination), Katy Fink (Vice President, Chief Human Resources Officer — manages employee communications and BYOD personal device impact), Kim Montagnino (Vice President, Chief Communications Officer — manages external communications, media strategy, and crisis PR)",
  "networkEnvironment": "CORPORATE IDENTITY & ENDPOINT MANAGEMENT LAYER: Microsoft-centric enterprise environment with Microsoft Entra ID (formerly Azure AD) as the primary cloud identity provider, federated with on-premises Active Directory across global offices in 79 countries. Microsoft Intune serves as the unified endpoint management (UEM) and mobile device management (MDM) platform, managing approximately 80,000+ enrolled Windows workstations, corporate laptops, mobile phones, and tablets, as well as personal devices enrolled through a BYOD (Bring Your Own Device) program. Intune pushes apps, PowerShell scripts, compliance policies, and configuration profiles to every enrolled endpoint through the device's own management agent (script content travels as base64-encoded payloads), so whatever a tenant administrator submits is executed by the endpoint as a trusted management action. Global Administrator and Intune Administrator roles in Entra ID hold full administrative control over the entire device fleet, including the ability to issue remote wipe, factory reset, and retire commands to any enrolled device, individually or as bulk device actions. Microsoft 365 (Exchange Online, SharePoint, Teams, OneDrive) underpins corporate communications, collaboration, and document management. Conditional Access policies and role-based access control (RBAC) govern access to cloud resources, but the environment has not enabled Intune Multi Admin Approval for high-impact actions, does not enforce phishing-resistant MFA (FIDO2/passkeys) on all privileged accounts, and has not fully deployed Privileged Identity Management (PIM) for just-in-time elevation across administrative roles; a single stolen session on a standing Global Administrator is therefore enough to create further administrators and act on the whole fleet.\n\nCORPORATE IT INFRASTRUCTURE: Hybrid architecture combining on-premises data centers at the Portage, Michigan headquarters and regional manufacturing sites with Microsoft Azure cloud services, connected via Azure ExpressRoute dedicated circuits and site-to-site VPN tunnels. On-premises infrastructure runs Windows Server with Active Directory Domain Services, Microsoft IIS web servers, and enterprise applications including DELMIA Apriso (manufacturing execution system), Mainsaver (computerized maintenance management), and SolidWorks (engineering/CAD). Corporate ERP, order processing, manufacturing scheduling, and logistics/shipping systems reside within the internal Microsoft environment. Microsoft Defender for Endpoint and/or third-party EDR solutions provide endpoint detection, but a wipe issued through Intune is a legitimate MDM command carried out by the device's own management agent, so endpoint EDR has no malware or anomalous process to flag; the detectable signal lives in the control plane (Entra ID audit logs showing a newly created account added to Global Administrator, Intune audit logs showing a burst of wipe/retire device actions from one actor), not on the endpoints. Azure Monitor, Microsoft Sentinel (SIEM), Entra ID sign-in and audit logs, and Intune audit logs (the Azure-side counterpart of AWS CloudTrail) provide centralized security event correlation across the hybrid environment.\n\nPRODUCT & CONNECTED DEVICE ECOSYSTEM (ARCHITECTURALLY SEPARATED): Stryker's connected medical products operate on isolated, purpose-built networks that are architecturally independent from the corporate Microsoft environment. Vocera Ease (communications platform) is hosted on Amazon Web Services (AWS) with Microsoft Entra ID used solely for authentication, but with no data transmission pathway to the corporate environment (note that an identity-plane compromise can still affect sign-in to any product that relies on Entra ID, even where no data pathway exists). SurgiCount (surgical safety platform) runs in a dedicated, isolated cloud environment with no interface to the corporate Microsoft infrastructure. The Mako robotic surgical system, LIFEPAK defibrillators, Airo TruCT mobile imaging, BACS Assure, and Stryker's Surgical Visualization Platforms and Connected OR Hub all operate on independent networks with product-specific security protocols and no standard network pathway to the affected corporate environment. This segmentation is critical: while corporate IT was fully disrupted, patient-facing connected products remained operational and safe.\n\nMANUFACTURING & SUPPLY CHAIN SYSTEMS: Global manufacturing operations across multiple countries depend on corporate IT systems for electronic ordering, production scheduling, inventory management, and shipping/logistics coordination. Manufacturing execution systems interface with both OT/production floor networks and corporate IT for order fulfillment. Personalized implant manufacturing (patient-specific surgical guides and custom components) requires active corporate systems for order processing and design file transmission. Distribution and shipping systems rely on the corporate Microsoft environment for order reconciliation and logistics coordination. When corporate systems go offline, manual ordering through sales representatives is the fallback process.\n\nOUT-OF-BAND COMMUNICATIONS: Corporate email (Exchange Online) and Microsoft Teams are the primary communication channels. Phone systems and certain email routing may remain functional during a corporate Microsoft environment compromise, enabling continued communication with customers and sales representatives even during a full corporate IT disruption.",
  "injects": "INJECT #1 — THE PERSONAL PRIVACY CRISIS (T+30 min): The Intune wipe was expected to remove only the Android Work Profile (and the equivalent managed container on iOS) from personal BYOD phones, but a bug in older Android/iOS versions caused a full device wipe on a subset of enrolled devices. Thousands of employees have lost personal photos, messages, financial apps, and personal data. Employee social media posts are going viral. An employee in Ireland posts: 'Stryker just wiped my kid's photos off my personal phone. Every single one.' Legal counsel warns that the hold-harmless clauses in the BYOD enrollment agreement may not cover gross negligence if the company failed to implement reasonable safeguards on the Intune admin console. HR is fielding hundreds of calls from distraught employees. At least 6 lawsuits will eventually be filed.\n\nINJECT #2 — THE CLEAN ROOM LOCKOUT (T+1 hr): Badge readers and IoT HVAC control systems in Stryker's implant manufacturing clean rooms authenticate through Entra ID. With the identity provider disrupted, these systems have defaulted to a fail-secure (locked) state. No one can badge into the clean rooms, and the HVAC environmental controls are no longer maintaining the required temperature, humidity, and particulate levels. If the HVAC environmental controls remain offline for more than 4 hours, the current $50 million batch of custom orthopedic implants in production is considered contaminated under FDA manufacturing standards and must be destroyed.\n\nINJECT #3 — THE GHOST IN THE MACHINE (T+2 hrs): The recovery team begins restoring servers from Rubrik backups. Thirty minutes later, Handala posts a message on Telegram: 'We saw you restoring the Finance DB. Thank you for doing the work for us. We've updated the admin password again.' The message includes a screenshot showing a timestamp from Stryker's internal Rubrik console taken after the wipe was supposed to have been contained, i.e., the attacker still holds a live foothold in the environment the team is restoring into.\n\nINJECT #4 — THE SURGICAL SUPPLY CRISIS (T+4 hrs): Major trauma centers report that Stryker Personalized Implants (custom-manufactured for specific patients based on pre-operative imaging) are stuck in a wiped shipping/logistics system. Surgeons at three Level 1 trauma centers are threatening to cancel life-saving operations scheduled for this week. Separately, Maryland EMS reports that Stryker's LIFENET ECG transmission system — used by paramedics to transmit cardiac data to hospitals en route — is offline across most of the state. Paramedics are falling back to radio consultations.\n\nINJECT #5 — THE INSIDER DOUBT (T+6 hrs): The forensic team identifies that the compromised administrator account belongs to a senior IT employee who recently returned from a vacation in a country with known Iranian intelligence operations. Security leadership asks: is this an insider threat, or was this employee simply phished? HR wants to suspend the employee immediately. Legal warns that premature action could constitute wrongful termination and trigger additional litigation.\n\nINJECT #6 — THE MEDIA FIRESTORM (T+8 hrs): NBC News breaks a story identifying the attack as the first significant Iranian cyberattack against a U.S. company since the war started. The White House issues a statement. Congressional leaders demand a briefing. Stryker's stock drops 4% in pre-market trading. A major healthcare system (representing 8% of Stryker's annual revenue) calls the CEO directly to ask whether they should begin sourcing implants from a competitor as a precaution.",
  "winConditions": "",
  "loseConditions": "",
  "additionalInstructions": "IMPORTANT SCENARIO CONTEXT: This scenario is based on the real-world March 11, 2026 cyberattack on Stryker Corporation. The attack was NOT ransomware — it was a destructive wiper operation conducted by Handala, an Iran-linked hacktivist group assessed by multiple intelligence firms (Check Point, CrowdStrike, Palo Alto Networks Unit 42) as a front for Void Manticore, a destructive operations unit within Iran's Ministry of Intelligence and Security (MOIS). The stated motivation was retaliation for U.S. military strikes in Iran. ATTACK METHODOLOGY: The attackers compromised an administrator account (likely via AiTM phishing that stole an authenticated session, bypassing MFA), then created a new Global Administrator account in Entra ID. Using this elevated access, they issued mass remote wipe commands through Microsoft Intune between 05:00-08:00 UTC on March 11, 2026, wiping approximately 80,000 devices (Handala claimed 200,000+ including servers) across 79 countries. A malicious file was also used to run commands while hiding activity from threat detection. No ransomware or traditional malware was deployed — the attack used purely legitimate administrative tooling (living-off-the-land). The attackers also claimed to have exfiltrated approximately 50 TB of corporate data. KEY EXERCISE THEMES: (1) Wiper vs. ransomware response differences, (2) Identity/control-plane compromise detection, (3) Living-off-the-land attack recognition, (4) Endpoint management platform as an attack vector, (5) Out-of-band communications when corporate email/systems are down, (6) Manufacturing and supply chain continuity during IT disruption, (7) Medical device safety assurance communications, (8) Multi-agency coordination (FBI, CISA, White House NCD, HHS, H-ISAC), (9) Geopolitically motivated threat actor response, (10) BYOD risk during destructive attacks on MDM platforms.",
  "exerciseType": "cyber",
  "difficultyLevel": "intermediate",
  "verbosityLevel": "standard",
  "technicalLevel": "mixed",
  "complexityLevel": "intermediate"
}
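The networkEnvironment and additionalInstructions fields above describe the two control-plane signals this scenario hinges on: a freshly created account being added to Global Administrator, followed by a burst of wipe/retire device actions through Intune. The following is an added worked example of detection logic for those two signals, written for this page and not taken from the scenario, from Stryker, or from Microsoft. It runs offline over constructed sample records; the field names (time, activity, actor, target, role, operation) are a simplified stand-in for Entra ID audit logs and Intune audit events rather than the exact Sentinel schema, the thresholds are assumed starting values to be tuned against a tenant's normal device-action rate, and the example.com accounts are invented.

```python
"""Control-plane detection for the scenario: new Global Administrator, then
mass Intune wipes. Field names, thresholds and sample data are assumptions for
this example, not the real Entra/Intune log schema or real telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "Delete"}     # Intune device actions
BURST_THRESHOLD = 50                                   # actions by one actor ...
BURST_WINDOW = timedelta(minutes=10)                   # ... inside this window
NEW_ACCOUNT_WINDOW = timedelta(hours=24)               # "new" = created this recently


def _ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2026-03-11T04:52:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_new_global_admin(entra_events):
    """Flag accounts added to Global Administrator shortly after creation.
    Returns a list of (new_account, actor, time_of_role_add)."""
    created_at = {}
    alerts = []
    for ev in sorted(entra_events, key=lambda e: _ts(e["time"])):
        t = _ts(ev["time"])
        if ev["activity"] == "Add user":
            created_at[ev["target"]] = t
        elif (ev["activity"] == "Add member to role"
              and ev.get("role") == "Global Administrator"):
            born = created_at.get(ev["target"])
            if born is not None and t - born <= NEW_ACCOUNT_WINDOW:
                alerts.append((ev["target"], ev["actor"], t))
    return alerts


def detect_wipe_burst(intune_events):
    """Flag any actor issuing >= BURST_THRESHOLD destructive device actions
    within a sliding BURST_WINDOW. Returns {actor: (count_at_trigger, time)}."""
    window = defaultdict(deque)
    alerts = {}
    for ev in sorted(intune_events, key=lambda e: _ts(e["time"])):
        if ev["operation"] not in DESTRUCTIVE_ACTIONS:
            continue
        t = _ts(ev["time"])
        q = window[ev["actor"]]
        q.append(t)
        while q and t - q[0] > BURST_WINDOW:      # drop actions outside window
            q.popleft()
        if len(q) >= BURST_THRESHOLD and ev["actor"] not in alerts:
            alerts[ev["actor"]] = (len(q), t)
    return alerts


def correlate(entra_events, intune_events):
    """Join the two detections: a wipe burst from an account that only just
    became Global Administrator is the high-confidence signal for this scenario."""
    new_admins = {upn for upn, _, _ in detect_new_global_admin(entra_events)}
    bursts = detect_wipe_burst(intune_events)
    return sorted(actor for actor in bursts if actor in new_admins)


# Constructed sample data (not real telemetry). "ops.admin" stands in for the
# phished long-standing administrator; "svc-sync" is the account it creates.
SAMPLE_ENTRA = [
    {"time": "2026-03-11T04:50:00Z", "activity": "Add user",
     "actor": "ops.admin@example.com", "target": "svc-sync@example.com"},
    {"time": "2026-03-11T04:52:00Z", "activity": "Add member to role",
     "actor": "ops.admin@example.com", "target": "svc-sync@example.com",
     "role": "Global Administrator"},
    # benign: an existing account given a lesser role must not alert
    {"time": "2026-03-11T04:55:00Z", "activity": "Add member to role",
     "actor": "ops.admin@example.com", "target": "helpdesk@example.com",
     "role": "Intune Administrator"},
]
SAMPLE_INTUNE = (
    # one routine retire by the helpdesk: must not alert
    [{"time": "2026-03-11T04:58:00Z", "actor": "helpdesk@example.com",
      "operation": "Retire", "device": "LT-0001"}]
    # 60 wipes in six minutes from the new Global Administrator: must alert
    + [{"time": f"2026-03-11T05:{i // 10:02d}:{(i % 10) * 6:02d}Z",
        "actor": "svc-sync@example.com", "operation": "Wipe",
        "device": f"WS-{i:04d}"} for i in range(60)]
)

if __name__ == "__main__":
    print(detect_new_global_admin(SAMPLE_ENTRA))
    print(detect_wipe_burst(SAMPLE_INTUNE))
    print(correlate(SAMPLE_ENTRA, SAMPLE_INTUNE))
```

The point of the sliding window is that the destructive command is indistinguishable from a legitimate retire on any single device; only the rate per actor and the recency of the actor's privilege separate the scenario's 80,000-device wipe from routine helpdesk activity, which is why the scenario's Entra ID and Intune audit logs, not endpoint EDR, are where the detection has to run.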