Imagine working for a large global company and suddenly discovering that every corporate device, including laptops, desktops, servers, and smartphones, had become useless. That’s exactly what employees at the U.S. medical technology giant Stryker recently experienced. And unlike typical ransomware attacks that are motivated by financial gain, this incident appears to have been purely destructive in intent.

Description

As early as 3:30 on the morning of March 11, employees started reporting that their phones and laptops were rebooting and that all of their applications and data were gone. Reports of wiped devices came in from multiple countries, affecting Stryker operations at its 79 offices worldwide. In the end, more than 200,000 systems, servers, and mobile devices were wiped. Stryker is one of the largest medical device manufacturers in the U.S., with total revenue of over $25 billion, and operates in 61 countries.

A pro-Palestinian hacktivist group called Handala has claimed responsibility for the attack. Some security experts believe that Handala is linked to Iran’s Islamic Revolutionary Guard Corps and acts as a strategic extension of Iranian state interests. The group also claims to have exfiltrated up to 50 TB of data from Stryker. To confirm their involvement, the group defaced the company’s Entra login page to display a Handala logo.

How the Attack Was Carried Out

All the devices affected by the attack were managed by Intune. Intune is a mobile device management (MDM) system offered by Microsoft that allows companies to manage computing devices from the cloud. One Intune capability is “remote wipe,” which resets a device to factory defaults and removes corporate data. It is commonly used when a corporate device is reported lost or stolen. In this case, the attackers weaponized that capability at scale by issuing wipe commands against Intune‑managed devices. Doing so would have required the attackers to gain administrative‑level access to Stryker’s Microsoft 365/Entra/Intune environment.

Actions Taken

Once the attack was identified, Stryker activated its cybersecurity response plan and launched an investigation with external advisors and cybersecurity experts. Stryker also took the following actions:

  • Instructed employees not to connect to the corporate network from any device
  • Told employees to avoid using apps such as Outlook and Teams while the investigation and containment were underway
  • Told employees to remove corporate management and applications from their personal devices
  • Told staff not to power on or log into company‑issued devices until further notice

Stryker also filed an 8-K with the SEC, confirming that the company had experienced global disruption from the attack, that ransomware was not involved, and that the attack had been contained.

Prevention

The “remote wipe” feature of Intune is a handy tool with many practical applications. Unfortunately, that same power can be weaponized if attackers obtain privileged access to your Intune or other MDM system. If your company uses Intune or another MDM to manage company devices, here is a list of steps you should take to prevent unauthorized users from reaching this and other powerful privileged features of the MDM:

  • Limit the number of Global Admins in your Microsoft Entra/Intune environment, as Global Admins have full, unrestricted control over all Microsoft 365 and Intune settings, roles, and device actions.
  • Roles other than Global Admin also have access to the remote wipe feature, including Intune Administrator and Help Desk Operator. Every user assigned to one of those roles should be required to use phishing-resistant MFA, such as FIDO2 security keys, Windows Hello for Business, or passkeys in the Microsoft Authenticator app.
  • Enforce conditional access policies for admins that block access from unmanaged, non-compliant, or risky devices and require strong MFA.
  • Create alerts for suspicious MDM operations, such as large-scale or unusual patterns of wipe or reset actions, new assignments of Global/Intune admin roles, and changes to compliance or conditional access policies.
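The last step above is easy to state and easy to leave unimplemented. The following is an added example (not code from the original article or from Stryker/Microsoft) of the three alert conditions expressed as detection rules over normalized audit records. The record schema (`time`, `actor`, `action`, `target`, `role`) and the action strings are constructed simplifications, not the exact Microsoft Graph or Intune audit-event format; the burst threshold of five wipe/reset actions by one actor inside ten minutes is an assumed tuning value. The sample events are constructed too, and include one legitimate lost-laptop wipe and one harmless role change so the rules can be seen not firing.

```python
"""Detection rules for suspicious MDM / identity operations.

Added example, not part of the original article. Records use a
CONSTRUCTED, normalized schema: time (ISO 8601), actor, action, target,
and optionally role. Action names are simplified stand-ins for the
real Intune / Entra audit-log activity strings.
"""
from collections import deque
from datetime import datetime, timedelta

# Roles the article names as able to issue remote wipes, plus Global Admin.
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator", "Helpdesk Administrator"}
# Device actions that destroy or remove corporate data (constructed names).
WIPE_ACTIONS = {"Wipe ManagedDevice", "Retire ManagedDevice", "Reset ManagedDevice"}
# Changes to the controls that gate admin access (constructed names).
POLICY_ACTIONS = {
    "Update conditional access policy",
    "Delete conditional access policy",
    "Patch DeviceCompliancePolicy",
}
# Assumed tuning: this many wipes by one actor within the window is a burst.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=10)

# Constructed sample audit records, deliberately out of order.
SAMPLE_EVENTS = [
    {"time": "2026-03-11T02:00:00Z", "actor": "it-admin@example.com",
     "action": "Wipe ManagedDevice", "target": "LAPTOP-LOST-0042"},          # routine lost laptop
    {"time": "2026-03-11T02:55:00Z", "actor": "admin@example.com",
     "action": "Add member to role", "target": "analyst@example.com",
     "role": "Reports Reader"},                                                # harmless role
    {"time": "2026-03-11T02:45:00Z", "actor": "admin@example.com",
     "action": "Add member to role", "target": "newuser@example.com",
     "role": "Intune Administrator"},                                          # wipe-capable role
    {"time": "2026-03-11T02:50:00Z", "actor": "admin@example.com",
     "action": "Update conditional access policy", "target": "Require phishing-resistant MFA for admins"},
] + [
    {"time": f"2026-03-11T03:3{i // 3}:{(i % 3) * 20:02d}Z", "actor": "svc-helpdesk@example.com",
     "action": "Wipe ManagedDevice", "target": f"WS-{1000 + i}"}
    for i in range(6)                                                          # six wipes in 100 seconds
]


def parse_time(stamp):
    """Parse an ISO 8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect(events):
    """Return a list of (rule, actor, detail) alerts for the given records.

    Events are processed in time order. A wipe burst is reported once per
    actor, the first time the sliding window reaches BURST_THRESHOLD.
    """
    alerts = []
    windows = {}          # actor -> deque of wipe timestamps inside BURST_WINDOW
    burst_reported = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        t, actor, action = parse_time(ev["time"]), ev["actor"], ev["action"]
        if action in WIPE_ACTIONS:
            window = windows.setdefault(actor, deque())
            window.append(t)
            while window and t - window[0] > BURST_WINDOW:   # drop stale entries
                window.popleft()
            if len(window) >= BURST_THRESHOLD and actor not in burst_reported:
                burst_reported.add(actor)
                alerts.append(("wipe_burst", actor,
                               f"{len(window)} wipe/reset actions within {BURST_WINDOW}"))
        elif action == "Add member to role" and ev.get("role") in PRIVILEGED_ROLES:
            alerts.append(("privileged_role_assignment", actor,
                           f"{ev['target']} added to {ev['role']}"))
        elif action in POLICY_ACTIONS:
            alerts.append(("policy_change", actor, f"{action}: {ev['target']}"))
    return alerts


def summarize(alerts):
    """Count alerts per rule, the shape a dashboard or pager rule would consume."""
    counts = {}
    for rule, _actor, _detail in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {actor}: {detail}")
```

Run against the constructed sample, the rules raise three alerts: the Intune Administrator assignment, the conditional access policy change, and a wipe burst for the help desk account once its fifth wipe lands inside the window. The single lost-laptop wipe and the Reports Reader assignment produce nothing, which is the point of thresholding by actor and window rather than alerting on every wipe. In production the same logic would sit over the Intune audit events and Entra audit logs exported to your SIEM, with the action names mapped to the real activity strings.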


Review Your Risk and Security Posture