Stryker Cyberattack: The Case to Secure Microsoft Intune

When pro-Iranian threat actors struck US medical giant Stryker last week, it became immediately apparent how loopholes in enterprise endpoint management open the doors to threat actors.
The healthcare and medical device sector is currently under sustained assault from threat actors who have pivoted away from complex exploit chains towards identity-centric attack vectors, targeting access management systems and administrative control planes.
These groups are deploying well-established tactics against the sector, including credential phishing campaigns, in which cyber criminals impersonate trusted entities through email, SMS or voice channels to manipulate their victims.
These campaigns are accompanied by the deployment of previously compromised credentials and the abuse of inadequately secured remote access infrastructure.
These methodologies facilitate lateral movement across victim networks, frequently culminating in destructive operations designed to disrupt business continuity rather than prioritise data theft.
The Stryker situation
Medical device and equipment manufacturer Stryker recently suffered a catastrophic disruption to operations following a cyber attack that eliminated its ability to process orders, manufacture products and fulfil shipments to customers.
The global disruption the company experienced was because of threat actors exploiting a loophole in the organisation's Microsoft environment.
Upon detection, the company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors and cyber experts to assess and contain the threat.
"Investigations suggest the attackers may have abused Microsoft Intune to issue remote wipe commands to managed devices, causing factory resets on corporate laptops and mobile devices," says Lucie Cardiet, Cyberthreat Research Manager at Vectra, a cybersecurity company that specialises in AI-driven threat detection and response.
Threat actor attribution and tactics
A pro-Palestinian, pro-Iran-aligned hacktivist group called Handala, also known by some researchers as Void Manticore, has claimed responsibility for the attack, stating that more than 200,000 devices were impacted and large volumes of data were exfiltrated. Though the volume of data has not been verified.
The group has targeted other organisations to date including IT providers, infrastructure operators and companies tied to sensitive supply chains.
"Unlike many financially motivated groups, Handala campaigns often emphasise operational disruption and psychological impact," Lucie says.
"The group frequently publishes screenshots of compromised systems, exaggerates claims of stolen data and defaces systems with propaganda imagery such as the Handala logo.
"The device wipes and defaced login screens reported in the Stryker incident align with this pattern."
Stryker says in a public statement that the hackers were only able to access its Microsoft accounts, specifically Microsoft Intune, which is used to remotely manage corporate phones and laptops.
The company says: "This incident did not affect the security or safety of our products or devices.
"All Stryker products across our global portfolio, including connected, digital and life-saving technologies remain safe to use.
"Some of our customers that utilise our personalised implants are experiencing some disruptions.
"We understand that some patient-specific cases scheduled for the week of 16 March 2026 have been rescheduled due to shipping delays we are experiencing.
"There is nothing more important to us than the customers and patients we serve and we recognise the criticality of every procedure to every patient.
"We are working as quickly and safely as possible to reconcile orders, manufacture products and deliver to our customers so they can continue to provide seamless patient care."
Security hardening recommendations from CISA
Following this breach, the Cybersecurity & Infrastructure Security Agency (CISA) has urged companies to secure access to their Microsoft Intune accounts.
This includes implementing Microsoft's latest best practices for securing Microsoft Intune including use principles of least privilege when designing administrative roles, enforce phishing-resistant multi-factor authentication (MFA) and configure access policies to require multi-admin approval in Intune.
It is imperative that organisations conduct immediate audits of their Microsoft Intune configurations to identify potential vulnerabilities.
This should include reviewing all administrative accounts, verifying access permissions and ensuring that only authorised personnel have the ability to execute remote commands such as device wipes.
The emphasis now falls on the importance of implementing continuous monitoring solutions that can detect anomalous activity within cloud management platforms. Organisations should establish baseline behaviours for administrative actions and configure alerts for unusual patterns, such as mass device wipe commands or unexpected changes to security policies.
CISA is working with federal partners, including the FBI, to identify additional threats and determine mitigation actions.






