Commissioned, Curated and Published by Russ. Researched and written with AI.
What’s New
Stryker filed an 8-K with the SEC today confirming a cyberattack has caused a “global disruption to the Company’s Microsoft environment.” The company says it has “no indication of ransomware or malware” – which is technically accurate. There was no malware. There was a Microsoft Intune admin account and a remote wipe command. More than 5,000 workers were sent home from Stryker’s Cork, Ireland facility alone. Surgical supply chains are starting to feel it: at least one major US university medical system has reported inability to order supplies normally sourced through Stryker.
Changelog
| Date | Summary |
|---|---|
| 11 Mar 2026 | Initial publication, same-day as incident. |
Stryker employees woke up in the early hours of Wednesday morning to find their devices showing an unfamiliar logo on the lock screen. A moment later, the device wiped. Laptops, phones, servers – all of them. The login pages that came back up on any surviving screens displayed the same image: the Handala logo.
By the time the sun rose on Stryker’s offices across 79 countries, the company was gone from its own network.
Over 200,000 systems, servers, and mobile devices wiped. 50 terabytes of data claimed exfiltrated. Offices reverting to pen and paper. A $22.6 billion company – Fortune 500, 53,000 employees, major supplier to virtually every surgical hospital in the United States – operating on WhatsApp group chats because nothing else works.
This is not a story about Stryker making an unusual mistake. This is a story about a standard enterprise architecture being used exactly as designed, by people who were not supposed to have access to it.
Who Is Handala
Handala (also known as Handala Hack Team, Hatef, Hamsa) surfaced in December 2023, weeks after the Hamas attack on Israel. Palo Alto Networks’ Unit 42 links the group to Iran’s Ministry of Intelligence and Security (MOIS), assessing it as one of several personas operated by Void Manticore, a known MOIS-affiliated threat actor.
Their toolkit is wide: phishing, custom wiper malware, ransomware-style extortion, data theft, hack-and-leak. IBM X-Force describes their operations as focused on “generating disruptive and psychological impact,” with deliberate targeting of life-critical sectors including healthcare and energy. Check Point characterises their recent posture as breaking into accessible systems, exfiltrating data, and timing publication for maximum pressure.
Until now, Handala’s primary focus was Israeli targets – civilian infrastructure, energy companies, Israeli defence contractors. The attack on Stryker is a pattern shift: a large-scale Western enterprise attack, framed as retaliation for a US military strike on an Iranian school in Minab that killed more than 175 people, mostly children.
The group described Stryker as a “Zionist-rooted corporation,” likely referencing the company’s 2019 acquisition of Israeli medical device company OrthoSpace, and its $450 million Department of Defense contract secured last year to supply medical devices to the US military.
Whether you accept that framing or not is beside the point. The technical execution here is what matters.
The Attack Chain
The attack did not involve novel malware. There was no zero-day. Based on reporting from KrebsOnSecurity – sourced from someone with direct knowledge of the incident – Handala appears to have used Microsoft Intune to issue a remote wipe command against every enrolled device in Stryker’s estate.
The chain looks like this:
Step one: Entra admin compromise. Handala gained access to an account with administrative privileges in Microsoft Entra ID (formerly Azure Active Directory). How they got in is not yet confirmed publicly – phishing is the most likely initial vector given the group’s known tradecraft, potentially aided by credential theft or MFA bypass.
Step two: Intune admin access. Entra is the identity layer for the entire Microsoft 365 ecosystem. An Entra Global Administrator, or an account with the Intune Administrator role, has full control of the Intune management plane. Once you are in Entra at the right privilege level, Intune is already yours.
Step three: Remote wipe at scale. Intune’s remote wipe functionality is designed for exactly this: bulk device management, policy enforcement, and, in the event of loss or theft, factory resetting a device remotely. From the admin console you can wipe a single device or a selected batch; scripted against the Microsoft Graph API, the same action runs across the whole enrolled fleet. The only confirmation is a dialog the operator clicks through. There is no second approver, no out-of-band factor and no cooling-off period beyond holding the right role.
Step four: Defacement. The sign-in page for Stryker’s Entra tenant was changed to show the Handala logo, which is something a tenant administrator can do through the company branding settings. Multiple sources confirmed devices displayed the same image before completing the wipe.
The entire destructive phase of this attack was executed through legitimate Microsoft tooling, using legitimate administrative functions, by an account that appeared fully authorised to issue those commands.
Stryker’s own statement to employees acknowledges “a severe, global disruption across the Windows environment impacting both client devices and servers.” Their public statement says no malware was found. They are right: there was none. The weapon was Intune. One caveat: Intune’s wipe action targets enrolled endpoints, and the reporting cited here does not describe how the servers named in that statement were taken down.
Intune Is a Double-Edged Sword
Microsoft Intune is ubiquitous. It is the standard MDM solution for organisations running Microsoft 365, and it is genuinely useful: it enforces encryption policies, controls which applications can access corporate data, and provides IT teams with visibility across a distributed device estate. Remote wipe is one of its most valued features – if an employee loses a laptop, IT can wipe it before sensitive data is exposed.
That mental model – Intune as a protective tool – is exactly the wrong frame for understanding the risk it carries.
Remote wipe is not a protective feature with a destructive edge case. It is a mass destruction capability with access controls applied to it. The protection model only holds as long as the access controls hold. The moment someone with Intune Administrator privileges is compromised, that protection model inverts completely.
At Stryker’s scale, Intune had approximately 200,000 enrolled devices. That means there existed, at all times, a single administrative action – executable from a web browser – that could simultaneously wipe every laptop, phone, and managed server in the company. The only thing standing between “normal operations” and “every device in the estate is gone” was the security of the accounts with Intune admin access.
Most security teams do not think about Intune this way. They think about it as part of the endpoint security stack. They worry about what Intune protects. They do not adequately model what Intune enables if the admin layer is compromised.
This is the architectural error. Not Stryker’s specifically – the industry’s.
The BYOD Blast Radius
There is a secondary problem here that tends to get less attention.
After the attack, Stryker instructed employees to immediately remove corporate applications from their personal devices: the Intune Company Portal, Microsoft Teams, VPN clients. That instruction came too late for many of them. Employees who had enrolled personal phones in Stryker’s BYOD Intune programme had their personal devices wiped alongside company-issued hardware.
This is the BYOD nightmare scenario, and it is one that most organisations have not fully reckoned with.
When you enrol a personal device in a corporate MDM, you are accepting that the organisation can impose security policies on your device and – if required – remotely wipe it. Employees understand this in the context of “Stryker will wipe my phone if I report it stolen or I leave the company.” They do not understand it in the context of “if Stryker’s Intune admin account is compromised, someone else can wipe my personal phone.”
That liability exposure is real. It is buried in MDM enrolment terms and conditions. It is not prominently communicated. And when the event happens, there is no recovery path – the data is gone.
The policy that protects corporate data on a personal device is the same policy that creates the blast radius when the MDM admin layer is breached. Organisations running BYOD Intune programmes need to be explicit with employees about this risk, and they need to think carefully about whether BYOD enrolment belongs in the same Intune tenant as corporate-managed devices at all. Intune’s own model already offers a narrower option: app protection policies without device enrolment (MAM) can selectively wipe corporate app data while leaving the rest of the phone alone, whereas a full MDM wipe resets the device.
Recovery at Scale
Stryker has no timeline for restoration. That is not a communications failure – it is an honest reflection of what “restore 200,000 devices” actually involves.
Wiper attacks are categorically different from ransomware in one critical respect: there is no decryption key. With ransomware, paying for (or breaking) the key gets you your data back. With a wiper, the data is gone. The recovery path is backup restoration and clean device provisioning across the entire estate, simultaneously, in 79 countries.
Consider what that involves operationally. Every managed device needs a clean OS image, re-enrolment or domain rejoining, application reinstallation, user profile restoration from backup, and validation. For a single device, that is hours of work. For 200,000 devices, the maths is brutal even with automation. Automation also assumes two things: that the automation infrastructure survived, which it may not if servers were also wiped, and that the identity and management plane it relies on, the same Entra tenant and Intune service the attacker just used, has been re-secured first.
Realistic timelines for full restoration at this scale are measured in months, not days. During that period, Stryker is operating with degraded capability across its entire global operation. Surgical supply chains are already showing disruption. Healthcare providers who source from Stryker are reporting inability to order supplies. The downstream effects of a wiper attack on a company this embedded in healthcare infrastructure extend well beyond the company itself.
This is what “no ransom demand” means in practice. It does not mean the attack costs less. It means the cost is entirely borne by the victim with no option to short-circuit recovery.
The Actual Lesson
The Stryker attack is not primarily an argument for better endpoint security. It is not an argument for better firewall rules or improved EDR coverage. Those controls were irrelevant here. No malware landed on a device. No suspicious network traffic needed to be detected. The attack executed entirely through legitimate administrative tooling.
The argument it makes is for identity layer security – specifically for treating highly privileged accounts with the blast radius they actually carry.
In Microsoft’s ecosystem, the accounts that matter most are not the ones with access to sensitive data. They are the ones with access to the tooling that controls every device and every identity in the estate. An Intune Administrator or Entra Global Administrator is, in effect, a single point of failure for your entire managed device fleet.
The mitigations are not exotic:
Privileged Identity Management (PIM). Entra PIM makes privileged role assignments just-in-time rather than persistent. An Intune admin account does not hold its role constantly: it is eligible, and requests activation when needed, with a time limit, an MFA prompt and, optionally, an approver. A compromised account that is merely eligible has no standing Intune access; the attacker has to activate the role, which is slower, can be gated on approval, and leaves an audit trail before any wipe can be issued.
Intune admin role segmentation. The Intune Administrator role does not need to be held by the same accounts that have Entra-wide administrative access, and Global Administrator should not be anyone’s day-to-day account. Separate the roles. Intune’s own role-based access control lets you go further: a custom Intune role can carry the permissions needed to manage configuration profiles without the remote-task permissions that include wipe, and scope tags limit which devices a role can touch. An account that can manage device policies should not also be able to wipe every device.
Conditional Access on privileged sessions. Remote wipe is a destructive, irreversible action, but Conditional Access is evaluated at sign-in and token issuance, not per action, so the control has to sit on the session that can reach the Intune admin centre and the Graph endpoints. Require phishing-resistant MFA and a compliant, dedicated admin workstation for every session that holds a privileged role, and keep the sign-in frequency for those roles short. Issuing a bulk wipe from an unrecognised device or location should then be impossible rather than merely flagged.
Alerting on destructive actions and break-glass use. If wipe or retire commands are issued in Intune at any unusual volume, something should fire immediately. Not in the next log review cycle: immediately. The window between “wipe command issued” and “200,000 devices gone” is measured in minutes. Intune writes every device action to its audit log, which can be streamed to Log Analytics or a SIEM through diagnostic settings, so an alert rule on the rate of wipe actions per actor is cheap to build. Any sign-in by a break-glass account deserves the same immediate treatment.
BYOD in a separate Intune instance. If you are running BYOD enrolment, the blast radius argument alone justifies segregating it from your corporate device management. A compromised admin account should not be able to issue a wipe against personal devices.
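As an added example (not code from the article, from Stryker or from Microsoft), the alerting point above expressed as detection logic: a sliding-window count of wipe and retire actions per actor over Intune audit events. The event fields follow the Graph `deviceManagement/auditEvents` shape, the events themselves are constructed, and the activityType string matched for a wipe is an assumption to verify against your own tenant’s audit log.

```python
"""
Triage of Intune audit events to catch a burst of remote wipe commands.

Added example, not code from the article, from Stryker or from Microsoft.
Event fields follow the Microsoft Graph `deviceManagement/auditEvents`
resource (activityType, activityDateTime, actor, resources); the exact
activityType string Intune writes for a wipe is an assumption here, so
check it against a real event in your tenant before deploying the match.
"""
from collections import defaultdict
from datetime import datetime, timedelta


# Assumption: wipe/retire audit events carry these words in activityType.
DESTRUCTIVE_KEYWORDS = ("wipe", "retire")


def is_destructive(event):
    activity = (event.get("activityType") or "").lower()
    return any(word in activity for word in DESTRUCTIVE_KEYWORDS)


def parse_time(ts):
    # Graph returns ISO-8601 UTC timestamps with a trailing Z.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def actor_name(event):
    actor = event.get("actor") or {}
    return actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"


def detect_wipe_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Return one alert per actor who issued more than `threshold` wipe/retire
    commands inside any sliding `window`. Each alert reports the peak count,
    the distinct devices hit and the bounds of the offending window."""
    per_actor = defaultdict(list)
    for ev in events:
        if not is_destructive(ev):
            continue
        devices = tuple(r.get("resourceId") for r in ev.get("resources", []))
        per_actor[actor_name(ev)].append((parse_time(ev["activityDateTime"]), devices))

    alerts = []
    for actor, items in per_actor.items():
        items.sort(key=lambda item: item[0])
        best, start = None, 0
        for end in range(len(items)):
            # Slide the window start forward until the span fits within `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count > threshold and (best is None or count > best["count"]):
                hit = {d for _, devs in items[start:end + 1] for d in devs}
                best = {"actor": actor, "count": count, "devices": sorted(hit),
                        "window_start": items[start][0], "window_end": items[end][0]}
        if best:
            alerts.append(best)
    return alerts


def _event(ts, activity_type, actor_upn, device_id):
    # Constructed audit event in the Graph auditEvents shape.
    return {"activityDateTime": ts, "activityType": activity_type,
            "activityOperationType": "Action",
            "actor": {"userPrincipalName": actor_upn},
            "resources": [{"resourceId": device_id, "displayName": device_id}]}


# Constructed sample: routine activity, one legitimate helpdesk wipe, then
# twelve wipes from one account inside two minutes.
SAMPLE_EVENTS = [
    _event("2026-03-11T02:55:00Z", "syncDevice ManagedDevice", "helpdesk@example.com", "dev-0001"),
    _event("2026-03-11T02:58:00Z", "wipeManagedDevice ManagedDevice", "helpdesk@example.com", "dev-0042"),
] + [
    _event(f"2026-03-11T03:0{i // 6}:{(i % 6) * 10:02d}Z", "wipeManagedDevice ManagedDevice",
           "svc-intune-admin@example.com", f"dev-{1000 + i}")
    for i in range(12)
]


if __name__ == "__main__":
    for alert in detect_wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['count']} wipes on "
              f"{len(alert['devices'])} devices between "
              f"{alert['window_start']:%H:%M:%S} and {alert['window_end']:%H:%M:%S}")
```

In production the events come from `GET /deviceManagement/auditEvents` or from the audit log stream in Log Analytics. The threshold is deliberately low: a legitimate operator rarely wipes more than a handful of devices in five minutes, and on this particular signal a false positive costs a phone call while a miss costs the fleet.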
This is the same principle I wrote about in the context of AI agent pipeline hardening: privilege separation is not paranoia, it is blast radius control. Every capability that can be weaponised at scale needs a commensurate control on the access path to that capability.
What You Should Do Today
Stryker is not uniquely careless. They are a large enterprise running standard Microsoft tooling in a standard way. The architecture that failed them exists in thousands of organisations right now.
The specific action is simple: open your Entra admin centre and look at who holds Intune Administrator and Global Administrator roles, including assignments made through groups and any service principals. Are those assignments persistent or just-in-time? Are there accounts in those roles you do not recognise or cannot immediately justify? Is PIM enabled?
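The check described above, together with the PIM and role-segmentation points in the mitigations list, as an added example that is not code from the article or from Microsoft. It takes the three Graph responses named in the docstring (constructed here for a small sample tenant) and reports standing privileged assignments, assignments that are reachable only through JIT activation, and principals that hold more than one privileged role. The principal lookup, the break-glass allow-list and the sample data are assumptions.

```python
"""
Audit standing (non-JIT) holders of the Entra roles that control Intune.

Added example, not code from the article or from Microsoft. The input
shapes follow Microsoft Graph:
  roleManagement/directory/roleDefinitions                 -> id, displayName
  roleManagement/directory/roleAssignmentScheduleInstances -> principalId,
      roleDefinitionId, assignmentType ("Assigned" = standing, "Activated" = PIM activation)
  roleManagement/directory/roleEligibilityScheduleInstances -> principalId, roleDefinitionId
The principal lookup, the break-glass allow-list and the sample tenant
data are constructed for this example.
"""
from collections import defaultdict

# The two roles the article singles out; match by displayName so the code
# does not depend on template ids.
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}


def audit_privileged_roles(role_definitions, assignment_instances,
                           eligibility_instances, principals, break_glass=()):
    """Return:
      standing      - (principal, role) held permanently outside PIM, minus break-glass
      eligible_only - (principal, role) reachable only by JIT activation (the goal state)
      multi_role    - principals holding more than one privileged role, however assigned
    """
    name_by_id = {r["id"]: r["displayName"] for r in role_definitions}
    priv_ids = {rid for rid, name in name_by_id.items() if name in PRIVILEGED_ROLES}

    def who(principal_id):
        return principals.get(principal_id, principal_id)

    standing, activated, eligible = set(), set(), set()
    for a in assignment_instances:
        if a["roleDefinitionId"] in priv_ids:
            pair = (who(a["principalId"]), name_by_id[a["roleDefinitionId"]])
            (standing if a.get("assignmentType") == "Assigned" else activated).add(pair)
    for e in eligibility_instances:
        if e["roleDefinitionId"] in priv_ids:
            eligible.add((who(e["principalId"]), name_by_id[e["roleDefinitionId"]]))

    roles_by_principal = defaultdict(set)
    for principal, role in standing | activated | eligible:
        roles_by_principal[principal].add(role)

    return {
        "standing": sorted(p for p in standing if p[0] not in break_glass),
        "eligible_only": sorted(eligible - standing),
        "multi_role": sorted(p for p, roles in roles_by_principal.items() if len(roles) > 1),
    }


# Constructed sample tenant. The GA and Intune Administrator ids are the
# built-in role template ids Microsoft documents (verify against your own
# roleDefinitions); the Helpdesk id is made up.
GA = "62e90394-69f5-4237-9190-012177145e10"
INTUNE = "3a2c62db-5318-420d-8d74-23affee5d9d5"
HELPDESK = "00000000-0000-0000-0000-000000000003"
ROLE_DEFINITIONS = [
    {"id": GA, "displayName": "Global Administrator"},
    {"id": INTUNE, "displayName": "Intune Administrator"},
    {"id": HELPDESK, "displayName": "Helpdesk Administrator"},
]
PRINCIPALS = {"p-1": "alice.admin@example.com", "p-2": "bob.intune@example.com",
              "p-3": "breakglass-01@example.com", "p-4": "carol.helpdesk@example.com"}
ASSIGNMENT_INSTANCES = [
    {"principalId": "p-1", "roleDefinitionId": GA, "assignmentType": "Assigned"},       # standing GA
    {"principalId": "p-1", "roleDefinitionId": INTUNE, "assignmentType": "Assigned"},   # same person, standing Intune admin
    {"principalId": "p-2", "roleDefinitionId": INTUNE, "assignmentType": "Activated"},  # JIT activation in progress
    {"principalId": "p-3", "roleDefinitionId": GA, "assignmentType": "Assigned"},       # break-glass, allow-listed below
    {"principalId": "p-4", "roleDefinitionId": HELPDESK, "assignmentType": "Assigned"}, # not in scope
]
ELIGIBILITY_INSTANCES = [{"principalId": "p-2", "roleDefinitionId": INTUNE}]
BREAK_GLASS = {"breakglass-01@example.com"}


if __name__ == "__main__":
    report = audit_privileged_roles(ROLE_DEFINITIONS, ASSIGNMENT_INSTANCES,
                                    ELIGIBILITY_INSTANCES, PRINCIPALS, BREAK_GLASS)
    for principal, role in report["standing"]:
        print(f"STANDING  {role:<22} {principal}   <- convert to PIM eligibility")
    for principal, role in report["eligible_only"]:
        print(f"JIT-ONLY  {role:<22} {principal}")
    for principal in report["multi_role"]:
        print(f"MULTI     {principal} holds more than one privileged role; split them")
```

Run against a real tenant, the three inputs come from the `roleManagement/directory` endpoints named in the docstring, and principal ids should be resolved through `directoryObjects` so that group-based and service-principal assignments show up under a name rather than a GUID. The break-glass allow-list should contain exactly the accounts you would defend in an audit, and nothing else.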
If persistent privileged role assignments exist in your environment with no PIM controls, you have the same exposure Stryker had. The only question is whether someone with the right motivation and capability decides to use it.
Handala used what was available to them. So will the next group.
Sources: KrebsOnSecurity – BleepingComputer – TechCrunch – Palo Alto Unit 42