Identity Is the New Perimeter. Stryker Just Taught Us That the Hard Way.

By Shruti Badami and Prasad T
Security Engineer - Research, and Field CISO
April 2, 2026

A story on how an Iran-linked group wiped tens of thousands of Stryker’s devices

A nation-state attack that changes every assumption we had

For years, we have treated nation-state threats as a “Tier 1” problem — something reserved for defense contractors and the energy grid. The March 2026 attack on Stryker Corporation by Iran-linked group Handala officially kills that assumption.

On March 11, 2026, Stryker’s corporate Microsoft environment was hit. Employees arrived to find their managed devices wiped out overnight through entirely legitimate Intune commands. Handala claimed 200,000+ systems affected; independent reporting confirms that tens of thousands were impacted. Stryker’s initial official statement: “No ransomware. No malware deployed. Incident contained corporate systems.” Medical products remained 100% safe.

As the investigation progressed, Stryker’s March 23, 2026, update clarified the findings:
• There was no ransomware or self-propagating malware
• The attacker used a small, non-propagating file to execute commands and obscure activity while abusing administrative tools
• The incident remained contained to corporate systems, with no impact to customers, suppliers, or partners

“The most dangerous attack isn’t the one that breaks through your defenses — it’s the one that uses your own tools against you.”

What did the exploit actually do?

The attackers abused the same Microsoft Intune features that IT uses every day. Once inside, they appear to have:

  • Gained administrative access to Intune and Entra ID. Investigators say the attackers obtained high-privilege credentials — likely via phishing, credential stuffing and infostealer activity targeting senior staff — and then moved laterally into the cloud administration layer.
  • Turned Intune into a global wipe engine. With Intune admin rights, the attackers issued legitimate Remote Wipe commands to large groups of enrolled Windows devices, phones, and tablets, effectively factory-resetting or erasing tens of thousands of endpoints in a coordinated wave.
  • Used both native commands and wiper tooling. Analysis also points to use of Handala’s FuxSocy wiper and living-off-the-land techniques like PowerShell and WMI to remove recovery points such as Volume Shadow Copies, maximizing destructive impact.

The “exploit” was control of Intune — not a zero-day on the endpoint. Because those wipe requests came from a trusted cloud management platform, they bypassed traditional endpoint defenses that look for malicious binaries or exploit signatures.

What steps should we take to stop or contain this?

We cannot stop a nation-state from targeting organizations like Stryker or us. But we can stop our own tools from becoming the attacker’s weapon. Here is the action plan.

1. KILL STANDING ADMIN PRIVILEGES

The era of always-on Global Admin rights is over. We must move to Just-In-Time (JIT) access via Privileged Identity Management (PIM). Admins shouldn’t hold longstanding permissions — they request a role, justify it, and it expires automatically. All admin work must be done from hardened, dedicated identities and laptops — never from normal user accounts.

2. IMPLEMENT MULTI-ADMIN APPROVAL

Microsoft and other MDM vendors now support Multi-Admin Approval (MAA) policies. Wiping beyond a defined threshold (e.g., more than 10 devices) must require a second, independent administrator to approve. No single compromised account should be able to sink the ship. This same gate applies to role escalation too.

3 . MONITOR AND ACT ON LEAKED CREDENTIALS

We must actively monitor for credentials associated with our domains exposed in data breaches, correlate them against active user accounts, and force resets immediately. Without this, we are leaving a valid entry point open for attackers who don’t need a zero-day — just a reused password.

4. MOVE TO PHISHING-RESISTANT MFA

Standard push-based MFA is too easy to defeat via MFA fatigue or session hijacking. Admins must use FIDO2/WebAuthn-based authentication: YubiKeys or Windows Hello for Business. Pair this with risk-based Conditional Access and trusted network conditions for all admin roles.

5. TREAT INTUNE AND MDM AS TIER-0 ASSETS

Device management platforms must be protected with the same rigor applied to domain controllers: strong segmentation, continuous monitoring, strict change control, and least-privilege scoping on who can issue wipe commands. Build SIEM alerts for new Global Admins, role escalations, and unusual wipe activity.
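As an added illustration of the wipe threshold from step 2 and the SIEM alerting from step 5 (example code written for this article, not Stryker’s, Microsoft’s or the authors’ tooling), the Python below runs two detections over a constructed set of audit events: a sliding-window count of remote-wipe actions per actor that fires when more than 10 devices are wiped within 15 minutes, and a check for membership grants to privileged roles. The event field names (`time`, `actor`, `action`, `target`), the sample accounts and the list of watched roles are assumptions; real Intune and Entra ID audit exports use their own schemas and need a mapping step before this logic applies.

```python
"""Detection logic for bulk Intune wipes and privileged role grants.

Illustrative code for this article; the event layout below is a constructed,
simplified stand-in for Intune/Entra ID audit records, not a real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Roles whose assignment should always page someone (assumed list).
WATCHED_ROLES = frozenset({
    "Global Administrator",
    "Intune Administrator",
    "Privileged Role Administrator",
})


def _constructed_events():
    """Build a small, clearly synthetic audit trail (not real telemetry)."""
    base = datetime(2026, 3, 11, 1, 0, tzinfo=timezone.utc)
    events = [{"time": base.isoformat(), "actor": "admin.alice@example.com",
               "action": "Add member to role", "target": "Global Administrator"}]
    # 12 wipes in under six minutes from one actor: exceeds a threshold of 10.
    for i in range(12):
        events.append({"time": (base + timedelta(minutes=5, seconds=30 * i)).isoformat(),
                       "actor": "admin.alice@example.com", "action": "Wipe",
                       "target": f"DEVICE-{i:04d}"})
    # Three routine lost-laptop wipes spread over a working day: benign.
    for i in range(3):
        events.append({"time": (base + timedelta(hours=8 + 2 * i)).isoformat(),
                       "actor": "helpdesk.bob@example.com", "action": "Wipe",
                       "target": f"LOST-LAPTOP-{i}"})
    # A low-privilege role grant that should not alert.
    events.append({"time": (base + timedelta(hours=9)).isoformat(),
                   "actor": "helpdesk.bob@example.com",
                   "action": "Add member to role", "target": "Reports Reader"})
    return events


SAMPLE_EVENTS = _constructed_events()


def parse_time(value):
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_wipe_bursts(events, threshold=10, window=timedelta(minutes=15)):
    """Alert when one actor issues more than `threshold` wipes inside `window`.

    Uses a two-pointer sliding window over each actor's sorted wipe times and
    reports the densest burst found for that actor.
    """
    wipes = defaultdict(list)
    for event in events:
        if event["action"] == "Wipe":
            wipes[event["actor"]].append(parse_time(event["time"]))

    alerts = []
    for actor, times in wipes.items():
        times.sort()
        start, best, best_span = 0, 0, (None, None)
        for end, current in enumerate(times):
            while current - times[start] > window:   # slide the left edge
                start += 1
            count = end - start + 1
            if count > best:
                best, best_span = count, (times[start], current)
        if best > threshold:
            alerts.append({"rule": "bulk_wipe", "actor": actor, "count": best,
                           "first": best_span[0].isoformat(),
                           "last": best_span[1].isoformat()})
    return alerts


def detect_privileged_role_grants(events, watched_roles=WATCHED_ROLES):
    """Alert on every membership grant to a watched role."""
    return [{"rule": "privileged_role_grant", "actor": e["actor"],
             "role": e["target"], "time": e["time"]}
            for e in events
            if e["action"] == "Add member to role" and e["target"] in watched_roles]


def run_detections(events):
    """Run all rules and return the combined alert list."""
    return detect_wipe_bursts(events) + detect_privileged_role_grants(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The wipe rule keys on the actor rather than the device because a compromised admin account, not any one endpoint, is the unit of blast radius; in a real SIEM the same window logic would also be worth running per source IP and per session.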

6. CLOSE THE INFOSTEALER GAP

Deploy EDR and browser controls on admin endpoints and block credential storage in browsers. Every VPN, SSO, and vendor access path into Intune and Entra must be reviewed — with least privilege, MFA, and comprehensive logging enforced across all of them.

7. BUILD RESILIENCE AND RECOVERY READINESS

Regularly export Intune, Entra, and SaaS configurations. Maintain air-gapped or write-once immutable backups with regularly tested restores. Run exercises assuming every managed device is gone. Practice out-of-band communication now.

Our control plane is the new crown jewel

We’ve spent years hardening endpoints and patching servers, but many organizations still treat admin consoles and identity platforms as “just IT tools” rather than Tier-0 assets. That has to change.

→ Shift from trusting administrators to protecting administration by design — least privilege, just-in-time access, multi-admin approvals, and continuous monitoring.

→ Treat identity as critical infrastructure, with the same rigor we apply to core clinical systems, payment platforms, or trading infrastructure.

→ Assume that in the next major incident, an attacker will try to turn our own tools against us — and design our controls so that even if they gain a foothold, they can’t easily pull our organization’s global “off” switch.

Sources: Stryker official updates / Bleeping Computer / Dark Reading
