Stryker says malware was involved in recent cyberattack as production lines reopen
Medical device company Stryker is gradually restoring its production lines after an Iranian cyberattack. After more than 200,000 devices were wiped, the company worked with a cybersecurity firm to confirm that the hackers have been removed, and it is rebuilding and restoring systems to prevent re-entry. Some affected systems remain isolated. Although the attack affected emergency medical services and led some hospitals to suspend connections, Stryker has assured customers that its technology is safe and was not affected by the attack.

2026-3-24 21:0:47 Author: therecord.media

The medical device firm Stryker said it is ramping production lines back up two weeks after alleged Iranian cyber actors wiped more than 200,000 company devices.

The company sought to reassure customers in a notice on Monday, sharing a letter from cybersecurity firm Palo Alto Networks confirming that the hackers behind the incident have been removed from Stryker systems.

Stryker officials said they are in the process of rebuilding the wiped systems or restoring them from backups predating the known window of compromise to further prevent threat actors from reentering. The impacted systems that have not been restored yet are isolated from the network.

Multiple updates have been sent to hospitals and healthcare facilities around the world after concerns were raised about whether the cyber intrusion extended to Stryker’s customers. 

In a Justice Department affidavit targeting the Iranian hackers behind the incident last week, federal prosecutors said the Stryker attack “had a direct impact on emergency medical services and hospitals within Maryland” and “prompted some hospitals to temporarily suspend connections” to the company out of fear of being affected by the wiper incident.

The affidavit cites one Stryker employee stationed at a hospital in Maryland who struggled to continue working after their device had been wiped following the cyberattack. 

Stryker produces a variety of hospital technology, including bed sensors and hands-free communication devices that allow nurses and doctors to contact each other. Court documents said that “as a result of the disruption to [Stryker] systems… clinicians were instructed to rely on radio consultation and verbal description.”

“The disruption to required clinical communication systems demonstrates that the cyberattack on [Stryker] in some cases interfered with the delivery of emergency medical care in Maryland hospitals,” prosecutors wrote. 

Stryker recently sent out urgent notices to customers assuring them that their technology is safe to use and is not connected to the cyberattack, which was targeted at internal corporate Microsoft systems. The Iranian hackers used a native functionality within Microsoft Intune — the device wipe feature — to destroy all company data on more than 200,000 devices across Stryker’s employee base in the U.S., Ireland, India and other countries.

The company said Monday that it is prioritizing the restoration of systems that directly support customers, ordering and shipping. 

Stryker also noted that malware was used by the attackers during the attack. Since the incident began, the company has repeatedly told the public and regulators that no ransomware or malware was involved.

In Monday’s update, Stryker said Palo Alto Networks’ incident response team Unit 42 and other experts “identified that the threat actor used a malicious file to run commands which allowed them to hide their activity while in” company systems.

“To be clear, this file was not capable of spreading — either inside or outside of our environment. Most importantly, at no point has our investigation identified malicious activity directed towards our customers, suppliers, vendors or partners,” Stryker said.  

The company shared a copy of a letter from Troy Bettencourt, vice president of incident response at Palo Alto Networks Unit 42. The letter confirms Stryker’s assessment that the incident has been contained and that there is no evidence that the hackers accessed customer, supplier, vendor and partner systems.

The letter says Unit 42 helped remove “unauthorized persistence mechanisms” installed by the threat actors. 

“Unit 42 has found no current evidence of active, uncontained, persistent unauthorized access within the Stryker environment,” Bettencourt said, adding that they are working with Microsoft to monitor the situation going forward.  

Stryker said manufacturing systems are “ramping quickly as critical lines and plants are brought back online.” Global manufacturing sites “continue to stabilize,” according to the company.

Bloomberg reported last week that some surgeries have been cancelled because Stryker-made implants are not available due to the attack. 


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.


Source: https://therecord.media/stryker-cyberattack-malware-iran