Cybersecurity: Threats and Defences
17 Apr

Handala wipes 200,000 devices at Stryker

13:56 UTC

One stolen login, no malware, up to 200,000 devices dark in hours across 79 countries. The Microsoft Intune admin console used exactly as designed.

Key takeaway

A single stolen Intune admin credential was enough to wipe Stryker's global estate without any malware.

Iran-linked hacktivist group Handala remotely wiped between 80,000 and 200,000 devices belonging to US medical-device maker Stryker across 79 countries on 11 March 2026 using a single stolen Microsoft Intune administrator credential [1]. No malware was deployed. No payload ran on the endpoints. The attackers used the Mobile Device Management (MDM) console, Microsoft's cloud platform for remotely configuring and wiping enrolled laptops, phones and tablets, the way its legitimate operators do, from the Stryker tenant's own admin pane.

Stryker is the Kalamazoo-headquartered Fortune 500 manufacturer whose orthopaedic implants, surgical tables and hospital beds sit in almost every operating theatre in the United Kingdom and United States. NHS Supply Chain, the National Health Service procurement body for England, issued a disruption alert to UK hospitals on 18 March warning that Stryker ordering, manufacturing and invoicing systems were degraded, with most product lines projected to return by 10 April [2]. For three weeks, trusts running Stryker-supplied kit reverted inventory workflows to paper and delayed scheduled procedures. Handala claimed 50 terabytes exfiltrated and framed the operation as retaliation for a February missile strike on an Iranian school.

An Intune admin account has authority equivalent to root on every device in the tenant. Most Endpoint Detection and Response (EDR) products cannot block a wipe command issued from the legitimate MDM console because, to the EDR, it looks like authorised IT activity. The defensive perimeter the industry has spent five years building, around endpoints, around networks, even around cloud workloads, has no view into the console that controls all of them. Conditional Access, Microsoft's policy engine for step-up authentication on admin roles, is the control that should have caught this. The question the Stryker incident forces on every Chief Information Security Officer (CISO) is whether their own MDM tenant has it configured tightly enough to stop a single stolen credential from reaching the wipe button.

The industry has been told this for half a decade. The 2020 SolarWinds SUNBURST compromise and the 2022 Okta Lapsus$ breach established identity as the attack surface. Zero Trust became doctrine. Conditional Access was sold as the answer. Stryker is the first mass-scale, no-malware, MDM-level demonstration that the doctrine did not translate into operational posture. CrowdStrike's $740m acquisition of session-revocation vendor SGNL in January, and the 80 cybersecurity acquisitions announced across February and March, track the same thesis commercially. The commercial signal is now running ahead of the defensive one.

Deep Analysis

In plain English

Imagine a building management company that gives its head of maintenance a master key card that unlocks every room in every office it operates worldwide. Now imagine someone steals that card. Handala, a hacking group with links to Iran, stole the login credentials for one senior IT administrator at Stryker, a US medical device company. That login gave them access to Microsoft Intune, the software Stryker uses to manage laptops, phones, and tablets for all its staff worldwide. Using only that login, Handala pressed the 'remote wipe' button on up to 200,000 devices across 79 countries. No virus. No hacking. Just a stolen password used exactly as the software intended. UK NHS hospitals felt the effect because Stryker supplies medical equipment; their ordering and invoicing systems went dark for about three weeks.

Root Causes

Microsoft Intune's default tenant configuration grants the Intune Service Administrator role the ability to issue remote wipe commands to all enrolled devices from any location, on any device, without step-up authentication. This posture is industry-standard, not an anomaly.

Conditional Access policies in most enterprise tenants are designed to protect user-facing applications, not admin console actions. Break-glass account governance, geographic IP fencing, and session-binding for privileged MDM roles remain optional Entra ID features, not defaults.

The structural dependency runs deeper: EDR agents on managed endpoints treat wipe commands issued from the legitimate MDM console as authorised IT activity. No detection layer sits between a compromised admin credential and estate-wide destructive capability.
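Because EDR cannot see a wipe issued from the legitimate console, the tenant's own audit trail is the only place the pattern described above (one credential, many destructive actions, minutes apart) is visible. The following detector is an added example, not code from the article or from Microsoft: it flags any actor whose destructive Intune actions exceed a threshold inside a sliding time window. The event shape is loosely modelled on Microsoft Graph `deviceManagement/auditEvents`, but every field name and value below is assumed and constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event shape, loosely modelled on Microsoft Graph
# deviceManagement/auditEvents; every value below is constructed.
def ev(action, ts, actor, device):
    return {"activityType": f"{action} ManagedDevice",
            "activityDateTime": ts,
            "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": device}]}

SAMPLE_EVENTS = [
    ev("syncDevice", "2026-03-11T01:55:00Z", "intune-admin@example.test", "LAPTOP-0001"),
    ev("wipe",       "2026-03-11T02:00:00Z", "intune-admin@example.test", "LAPTOP-0001"),
    ev("wipe",       "2026-03-11T02:01:00Z", "intune-admin@example.test", "LAPTOP-0002"),
    ev("wipe",       "2026-03-11T02:02:00Z", "intune-admin@example.test", "PHONE-0003"),
    ev("wipe",       "2026-03-11T02:03:00Z", "intune-admin@example.test", "TABLET-0004"),
    ev("retire",     "2026-03-11T09:00:00Z", "helpdesk@example.test",     "LAPTOP-0100"),
    ev("wipe",       "2026-03-11T15:00:00Z", "helpdesk@example.test",     "LAPTOP-0101"),
]

# Console actions that destroy data or remove management. A wipe from the
# legitimate MDM console looks like routine IT work to EDR, so the audit
# log is the signal a SOC has to work from.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def is_destructive(event):
    return event["activityType"].split(" ")[0].lower() in DESTRUCTIVE_ACTIONS

def detect_mass_wipe(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor: peak_count} for every actor whose destructive actions
    reach `threshold` inside any sliding window of length `window`."""
    times_by_actor = defaultdict(list)
    for event in events:
        if is_destructive(event):
            actor = event["actor"]["userPrincipalName"]
            times_by_actor[actor].append(parse_time(event["activityDateTime"]))
    alerts = {}
    for actor, times in times_by_actor.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[actor] = max(alerts.get(actor, 0), count)
    return alerts

if __name__ == "__main__":
    for actor, count in detect_mass_wipe(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} issued {count} destructive actions within 10 min")
```

On the constructed sample, only the admin account trips the rule (four wipes in four minutes); the helpdesk account's two actions are six hours apart and stay below threshold. In production the threshold would be tuned to the tenant's normal retire/wipe volume and the alert wired to session revocation for that actor.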

What could happen next?
  • Risk (Immediate · 0.9): Any enterprise with an unreviewed Microsoft Intune, Jamf, or VMware Workspace ONE tenant faces the same attack surface Handala exploited: a single admin credential with mass-wipe authority and no step-up gate.
  • Consequence (Medium term · 0.75): SEC Rule 13a-15 enforcement will use Stryker's 8-K/A as the reference case for material cybersecurity incidents caused by credential theft without malware, expanding the disclosure precedent beyond ransomware.
  • Precedent (Short term · 0.7): OFAC, NCSC, and major cyber insurers are likely to add MDM admin-account posture as an auditable control requirement, following the pattern of how ransomware drove MFA adoption after 2020.
First reported in

Update #1 · Stryker MDM wipe exposes identity perimeter, Krebs on Security, 17 Apr 2026
Different Perspectives
CISA and FBI (US government)
CISA added nine KEV CVEs, confirmed Volt Typhoon in US CNI, and lost its counter-ransomware initiative under prior cuts; the FY27 budget proposes a further $707m cut and 860 jobs. An FBI official confirmed Salt Typhoon at 200+ companies across 80 countries is 'still very, very much ongoing'.
NCSC (UK)
NCSC published attribution-backed advisories naming GRU Unit 26165 for SOHO router DNS hijacking and co-issued warnings with Dutch AIVD on FSB, APT31, and IRGC messaging-app targeting, in the same month the UK Cyber Security and Resilience Bill cleared its Public Bill Committee. The ICO's £14m Capita fine now treats NCSC guidance as the enforceable GDPR technical baseline.
European Commission
The Commission published draft Cyber Resilience Act implementation guidance on 3 March with manufacturer reporting obligations beginning 11 September 2026, while running infringement proceedings against EU member states that have not transposed NIS2. Only 14 of 27 states had fully transposed by mid-2025; Germany's post-transposition registration compliance sat at roughly one-third.
Russian foreign ministry (GRU posture)
The Russian foreign ministry has issued no formal response to the NCSC advisory attributing the SOHO router DNS-hijacking campaign to GRU Unit 26165; its standard position is that Western attribution claims are politically motivated fabrications. Russia denies state sponsorship of any offensive cyber operations against NATO infrastructure.
People's Republic of China
Tsinghua University's Center for International Security and Strategy characterised US Volt Typhoon 'sabotage pre-positioning' assessments as misrepresenting standard state signals intelligence, framing the attribution narrative as a US strategic communication exercise rather than a conclusion grounded in confirmed adversary intent. Beijing formally denies state involvement in Salt Typhoon and Volt Typhoon.
Handala
Handala publicly claimed the Stryker MDM wipe as retaliation for a February 2026 Iranian school missile strike, asserting 200,000 devices wiped and 50 terabytes exfiltrated. The public framing positions the operation as proportionate non-lethal retaliation, a characterisation no Western agency has formally attributed to IRGC command-and-control.