Cybersecurity: Threats and Defences
8 May

Handala wipes 200,000 devices at Stryker

10:57 UTC

One stolen login, no malware, up to 200,000 devices dark in hours across 79 countries. The Microsoft Intune admin console used exactly as designed.

Key takeaway

A single stolen Intune admin credential was enough to wipe Stryker's global estate without any malware.

Iran-linked hacktivist group Handala remotely wiped between 80,000 and 200,000 devices belonging to US medical-device maker Stryker across 79 countries on 11 March 2026 using a single stolen Microsoft Intune administrator credential [1]. No malware was deployed. No payload ran on the endpoints. The attackers used the Mobile Device Management (MDM) console, Microsoft's cloud platform for remotely configuring and wiping enrolled laptops, phones and tablets, the way its legitimate operators do, from the Stryker tenant's own admin pane.

Stryker is the Kalamazoo-headquartered Fortune 500 manufacturer whose orthopaedic implants, surgical tables and hospital beds sit in almost every operating theatre in the United Kingdom and United States. NHS Supply Chain, the National Health Service procurement body for England, issued a disruption alert to UK hospitals on 18 March warning that Stryker ordering, manufacturing and invoicing systems were degraded, with most product lines projected to return by 10 April [2]. For three weeks, trusts running Stryker-supplied kit reverted inventory workflows to paper and delayed scheduled procedures. Handala claimed 50 terabytes exfiltrated and framed the operation as retaliation for a February missile strike on an Iranian school.

An Intune admin account has authority equivalent to root on every device in the tenant. Most Endpoint Detection and Response (EDR) products cannot block a wipe command issued from the legitimate MDM console because, to the EDR, it looks like authorised IT activity. The defensive perimeter the industry has spent five years building, around endpoints, around networks, even around cloud workloads, has no view into the console that controls all of them. Conditional Access, Microsoft's policy engine for step-up authentication on admin roles, is the control that should have caught this. The question the Stryker incident forces on every Chief Information Security Officer (CISO) is whether their own MDM tenant has it configured tightly enough to stop a single stolen credential from reaching the wipe button.

The industry has been told this for half a decade. The 2020 SolarWinds SUNBURST compromise and the 2022 Okta Lapsus$ breach established identity as the attack surface. Zero Trust became doctrine. Conditional Access was sold as the answer. Stryker is the first mass-scale, no-malware, MDM-level demonstration that the doctrine did not translate into operational posture. CrowdStrike's $740m acquisition of session-revocation vendor SGNL in January, and the 80 cybersecurity acquisitions announced across February and March, track the same thesis commercially. The commercial signal is now running ahead of the defensive one.

Deep Analysis

In plain English

Imagine a building management company that gives its head of maintenance a master key card that unlocks every room in every office it operates worldwide. Now imagine someone steals that card. Handala, a hacking group with links to Iran, stole the login credentials for one senior IT administrator at Stryker, a US medical device company. That login gave them access to Microsoft Intune, the software Stryker uses to manage laptops, phones, and tablets for all its staff worldwide. Using only that login, Handala pressed the 'remote wipe' button on up to 200,000 devices across 79 countries. No virus. No hacking. Just a stolen password used exactly as the software intended. UK NHS hospitals felt the effect because Stryker supplies medical equipment; their ordering and invoicing systems went dark for about three weeks.

Root Causes

Microsoft Intune's default tenant configuration grants the Intune Service Administrator role the ability to issue remote wipe commands to all enrolled devices from any location, on any device, without step-up authentication. This posture is industry-standard, not an anomaly.

Conditional Access policies in most enterprise tenants are designed to protect user-facing applications, not admin console actions. Break-glass account governance, geographic IP fencing, and session-binding for privileged MDM roles remain optional Entra ID features, not defaults.

The structural dependency runs deeper: EDR agents on managed endpoints treat wipe commands issued from the legitimate MDM console as authorised IT activity. No detection layer sits between a compromised admin credential and estate-wide destructive capability.
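As an added illustration of the detection gap described above (this is example code, not from the briefing, Microsoft or any vendor), the following Python flags a burst of remote-wipe commands by one actor in MDM audit logs and wipes issued from an address outside an admin allow-list. The sample log lines, the field names (ts, actor, activity, device, ip) and the allow-list are constructed assumptions, not Intune's audit schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Field names are an assumption,
# not Microsoft's audit schema: one routine helpdesk wipe, then a burst of eight
# wipes from a single admin account at an address the allow-list has never seen.
SAMPLE_LOG = "\n".join(
    ['{"ts": "2026-03-11T02:00:05Z", "actor": "helpdesk@corp.example", '
     '"activity": "wipe", "device": "LAPTOP-0001", "ip": "203.0.113.10"}']
    + [f'{{"ts": "2026-03-11T03:10:{i:02d}Z", "actor": "mdmadmin@corp.example", '
       f'"activity": "wipe", "device": "LAPTOP-{i + 2:04d}", "ip": "198.51.100.7"}}'
       for i in range(8)]
)

KNOWN_ADMIN_IPS = {"203.0.113.10"}  # assumed allow-list of admin egress addresses


def parse_events(text):
    """Parse one JSON object per line into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for any actor issuing >= threshold wipes inside `window`
    (peak count over a sliding window) and for any wipe from an unknown IP."""
    alerts = []
    by_actor = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["activity"] != "wipe":
            continue
        if event["ip"] not in KNOWN_ADMIN_IPS:
            alerts.append(("unknown_ip", event["actor"], event["ip"], event["device"]))
        by_actor[event["actor"]].append(event["ts"])
    for actor, times in by_actor.items():
        start, peak = 0, 0
        for end, t in enumerate(times):  # times are already sorted
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append(("mass_wipe", actor, peak, None))
    return alerts
```

The threshold and window are tuning knobs; in a real tenant they would be set from the normal rate of helpdesk-initiated wipes.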

What could happen next?
  • Risk (Immediate · 0.9): Any enterprise with an unreviewed Microsoft Intune, Jamf, or VMware Workspace ONE tenant faces the same attack surface Handala exploited: a single admin credential with mass-wipe authority and no step-up gate.
  • Consequence (Medium term · 0.75): SEC Rule 13a-15 enforcement will use Stryker's 8-K/A as the reference case for material cybersecurity incidents caused by credential theft without malware, expanding the disclosure precedent beyond ransomware.
  • Precedent (Short term · 0.7): OFAC, NCSC, and major cyber insurers are likely to add MDM admin-account posture as an auditable control requirement, following the pattern of how ransomware drove MFA adoption after 2020.
First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

Krebs on Security · 17 Apr 2026
Causes and effects
First mass-scale demonstration that an identity-only attack at the Mobile Device Management (MDM) layer can reach every enrolled endpoint without tripping any endpoint defence.
Different Perspectives
Norwegian Security and Service Organisation
NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.
ENISA and EU CNA Ecosystem
ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.
German Federal Office for Information Security (BSI)
BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.
Republic of Korea National Intelligence Service
South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.
Democratic People's Republic of Korea
UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.
WatchTowr Labs
WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.