Cybersecurity: Threats and Defences
20 May, 09:58 UTC

Handala wipes 200,000 devices at Stryker

One stolen login, no malware, up to 200,000 devices dark in hours across 79 countries. The Microsoft Intune admin console used exactly as designed.

Technology · Developing
Key takeaway

A single stolen Intune admin credential was enough to wipe Stryker's global estate without any malware.

Iran-linked hacktivist group Handala remotely wiped between 80,000 and 200,000 devices belonging to US medical-device maker Stryker across 79 countries on 11 March 2026 using a single stolen Microsoft Intune administrator credential [1]. No malware was deployed. No payload ran on the endpoints. The attackers used the Mobile Device Management (MDM) console, Microsoft's cloud platform for remotely configuring and wiping enrolled laptops, phones and tablets, the way its legitimate operators do, from the Stryker tenant's own admin pane.

Stryker is the Kalamazoo-headquartered Fortune 500 manufacturer whose orthopaedic implants, surgical tables and hospital beds sit in almost every operating theatre in the United Kingdom and United States. NHS Supply Chain, the National Health Service procurement body for England, issued a disruption alert to UK hospitals on 18 March warning that Stryker ordering, manufacturing and invoicing systems were degraded, with most product lines projected to return by 10 April [2]. For three weeks, trusts running Stryker-supplied kit reverted inventory workflows to paper and delayed scheduled procedures. Handala claimed 50 terabytes exfiltrated and framed the operation as retaliation for a February missile strike on an Iranian school.

An Intune admin account has authority equivalent to root on every device in the tenant. Most Endpoint Detection and Response (EDR) products cannot block a wipe command issued from the legitimate MDM console because, to the EDR, it looks like authorised IT activity. The defensive perimeter the industry has spent five years building, around endpoints, around networks, even around cloud workloads, has no view into the console that controls all of them. Conditional Access, Microsoft's policy engine for step-up authentication on admin roles, is the control that should have caught this. The question the Stryker incident forces on every Chief Information Security Officer (CISO) is whether their own MDM tenant has it configured tightly enough to stop a single stolen credential from reaching the wipe button.
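The question the paragraph ends on, whether a tenant's Conditional Access actually gates the privileged MDM role, can be answered from a policy export rather than by clicking through the portal. The checker below is an added example written for this briefing; it is not Stryker's, Microsoft's or the briefing author's code. It assumes the input is a list of policy objects in the shape returned by Microsoft Graph's `GET /identity/conditionalAccess/policies` (only the `state`, `conditions.users`, `conditions.applications` and `grantControls` fields are read), that the baseline a privileged MDM role should face is MFA plus a compliant device (an assumption, not a Microsoft default), and that the role template ID used for Intune Administrator is correct for your tenant (verify it against your own directory role list). The two tenant exports, the break-glass account ID and the policy names are constructed.

```python
"""Assess whether exported Conditional Access policies put a step-up gate on a privileged MDM role."""

# Entra role template ID for "Intune Administrator" (the role the briefing calls
# Intune Service Administrator). Assumption: verify against your tenant's role list.
INTUNE_ADMIN_ROLE = "3a2c62db-5318-420d-8d74-23affee5d9d5"

# Controls a privileged MDM role should face on every sign-in (assumed baseline).
REQUIRED_CONTROLS = {"mfa", "compliantDevice"}


def policy_targets_role(policy: dict, role_id: str) -> bool:
    """True if the policy's user scope includes the role and does not exclude it."""
    users = (policy.get("conditions") or {}).get("users") or {}
    if role_id in (users.get("excludeRoles") or []):
        return False
    return role_id in (users.get("includeRoles") or []) or "All" in (users.get("includeUsers") or [])


def policy_covers_all_apps(policy: dict) -> bool:
    """A gate on the admin role must apply to every cloud app, not only user-facing ones."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return "All" in (apps.get("includeApplications") or [])


def policy_controls(policy: dict) -> set:
    """Grant controls the policy enforces; an authentication strength counts as MFA."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if grant.get("authenticationStrength"):
        controls.add("mfa")
    return controls


def assess_role_protection(policies: list, role_id: str = INTUNE_ADMIN_ROLE) -> dict:
    """Return the controls actually enforced on role_id and the gaps a reviewer should raise."""
    enforced: set = set()
    findings: list = []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        if not policy_targets_role(p, role_id):
            continue
        if not policy_covers_all_apps(p):
            findings.append(f"{name}: targets the role but not all cloud apps, so the admin console is not gated")
            continue
        state = p.get("state")
        if state == "enabledForReportingButNotEnforced":
            findings.append(f"{name}: report-only, so nothing is enforced")
            continue
        if state != "enabled":
            findings.append(f"{name}: disabled")
            continue
        controls = policy_controls(p)
        if (p.get("grantControls") or {}).get("operator") == "OR" and len(controls) > 1:
            findings.append(f"{name}: operator OR means any one control satisfies it")
            continue
        enforced |= controls
    missing = sorted(REQUIRED_CONTROLS - enforced)
    if missing:
        findings.append(f"no enabled policy requires {', '.join(missing)} for role {role_id}")
    return {"role": role_id, "enforced": sorted(enforced), "missing": missing, "findings": findings}


# Constructed tenant exports (not real Stryker or Microsoft data).
BREAK_GLASS = "break-glass-account-object-id"  # placeholder, constructed

WEAK_TENANT = [
    {   # protects a user-facing app group only; the admin console is untouched
        "displayName": "Require MFA for Office 365",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["Office365"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # the right scope, but never moved out of report-only mode
        "displayName": "Admins: require MFA (pilot)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeRoles": [INTUNE_ADMIN_ROLE]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

HARDENED_TENANT = [
    {
        "displayName": "Admins: phishing-resistant MFA and compliant device",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": [INTUNE_ADMIN_ROLE], "excludeUsers": [BREAK_GLASS]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "AND", "builtInControls": ["compliantDevice"],
                          "authenticationStrength": {"displayName": "Phishing-resistant MFA"}},
    },
]

if __name__ == "__main__":
    for label, tenant in (("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT)):
        print(label, assess_role_protection(tenant))
```

On the weak tenant the checker reports that nothing is enforced on the role and names the two reasons (an app-scoped policy and a report-only pilot); on the hardened tenant it reports both controls enforced with the break-glass account carved out, which is the exclusion that should itself be reviewed and alerted on.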

The industry has been told this for half a decade. The 2020 SolarWinds SUNBURST compromise and the 2022 Okta Lapsus$ breach established identity as the attack surface. Zero Trust became doctrine. Conditional Access was sold as the answer. Stryker is the first mass-scale, no-malware, MDM-level demonstration that the doctrine did not translate into operational posture. CrowdStrike's $740m acquisition of session-revocation vendor SGNL in January, and the 80 cybersecurity acquisitions announced across February and March, track the same thesis commercially. The commercial signal is now running ahead of the defensive one.

Deep Analysis

In plain English

Imagine a building management company that gives its head of maintenance a master key card that unlocks every room in every office it operates worldwide. Now imagine someone steals that card. Handala, a hacking group with links to Iran, stole the login credentials for one senior IT administrator at Stryker, a US medical device company. That login gave them access to Microsoft Intune, the software Stryker uses to manage laptops, phones, and tablets for all its staff worldwide. Using only that login, Handala pressed the 'remote wipe' button on up to 200,000 devices across 79 countries. No virus. No hacking. Just a stolen password used exactly as the software intended. UK NHS hospitals felt the effect because Stryker supplies medical equipment; their ordering and invoicing systems went dark for about three weeks.

Root Causes

Microsoft Intune's default tenant configuration grants the Intune Service Administrator role the ability to issue remote wipe commands to all enrolled devices from any location, on any device, without step-up authentication. This posture is industry-standard, not an anomaly.

Conditional Access policies in most enterprise tenants are designed to protect user-facing applications, not admin console actions. Break-glass account governance, geographic IP fencing, and session-binding for privileged MDM roles remain optional Entra ID features, not defaults.

The structural dependency runs deeper: EDR agents on managed endpoints treat wipe commands issued from the legitimate MDM console as authorised IT activity. No detection layer sits between a compromised admin credential and estate-wide destructive capability.
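EDR cannot see the console, but the console's own audit trail can still be watched. The velocity detector below is an added example, not code from the briefing or from Microsoft; it shows what a SOC rule over exported MDM audit events looks like when the signal is "one actor wiping many devices in minutes". The event shape (`activityDateTime`, `actor`, `operation`, `device`, `ip`) is a simplification assumed for the example rather than the Graph `auditEvents` schema, the ten-minute window and five-device threshold are assumed tuning values, and the sample events, accounts and IP addresses are constructed. It is after-the-fact telemetry: it raises an alert once a burst is under way and does not stop the wipes, which is the gap the paragraph describes.

```python
"""Velocity detection over MDM-style audit events: flag an actor issuing remote wipes
across many devices in a short window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed event shape (simplified, not the Graph auditEvents schema):
# activityDateTime (ISO 8601, UTC, no offset), actor (UPN), operation, device (device ID), ip.


def detect_mass_wipe(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per actor whose wipes reach >= threshold distinct devices inside window.

    The alert is raised when the threshold is crossed and then widened as the burst continues,
    so the final record carries the full device count and every source IP seen."""
    recent = defaultdict(deque)   # actor -> deque of (time, device) within the sliding window
    active = {}                   # actor -> alert already raised
    alerts = []
    for ev in sorted(events, key=lambda e: e["activityDateTime"]):
        if ev["operation"] != "Wipe":
            continue
        t = datetime.fromisoformat(ev["activityDateTime"])
        q = recent[ev["actor"]]
        q.append((t, ev["device"]))
        while q and t - q[0][0] > window:   # drop wipes that fell out of the window
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) < threshold:
            continue
        alert = active.get(ev["actor"])
        if alert is None:
            alert = {"actor": ev["actor"], "devices": len(devices),
                     "first": q[0][0].isoformat(), "last": t.isoformat(), "ips": {ev["ip"]}}
            active[ev["actor"]] = alert
            alerts.append(alert)
        else:
            alert["devices"] = max(alert["devices"], len(devices))
            alert["last"] = t.isoformat()
            alert["ips"].add(ev["ip"])
    return alerts


def _ev(ts, actor, op, device, ip):
    return {"activityDateTime": ts, "actor": actor, "operation": op, "device": device, "ip": ip}


# Constructed sample: routine offboarding by a helpdesk admin spread across a working day,
# then one admin account wiping eight devices in under a minute from a new address.
SAMPLE_EVENTS = [
    _ev("2026-03-10T09:14:02", "helpdesk@example.com", "Wipe", "dev-0101", "203.0.113.10"),
    _ev("2026-03-10T11:40:55", "helpdesk@example.com", "Wipe", "dev-0207", "203.0.113.10"),
    _ev("2026-03-10T16:02:19", "helpdesk@example.com", "Wipe", "dev-0333", "203.0.113.10"),
    _ev("2026-03-10T16:05:00", "helpdesk@example.com", "Sync", "dev-0333", "203.0.113.10"),
] + [
    _ev(f"2026-03-11T03:12:{i * 7:02d}", "intune-admin@example.com", "Wipe", f"dev-{9000 + i}", "198.51.100.77")
    for i in range(8)
]

if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"{alert['actor']}: {alert['devices']} devices wiped between "
              f"{alert['first']} and {alert['last']} from {sorted(alert['ips'])}")
```

The helpdesk account never trips the rule because its three wipes are hours apart; the burst account trips it on the fifth device and the alert grows to eight. Tune `window` and `threshold` against your own baseline of legitimate offboarding volume, and pair the rule with an alert on any sign-in to the role from an address or device the tenant has not seen before.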

What could happen next?
  • Risk

    Any enterprise with an unreviewed Microsoft Intune, Jamf, or VMware Workspace ONE tenant faces the same attack surface Handala exploited: a single admin credential with mass-wipe authority and no step-up gate.

    Immediate · 0.9
  • Consequence

    SEC Rule 13a-15 enforcement will use Stryker's 8-K/A as the reference case for material cybersecurity incidents caused by credential theft without malware, expanding the disclosure precedent beyond ransomware.

    Medium term · 0.75
  • Precedent

    OFAC, NCSC, and major cyber insurers are likely to add MDM admin-account posture as an auditable control requirement, following the pattern of how ransomware drove MFA adoption after 2020.

    Short term · 0.7
First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter
Krebs on Security · 17 Apr 2026
Different Perspectives

Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.

Google Threat Intelligence Group
GTIG's 11 May report establishes AI-assisted offence and AI-infrastructure targeting as concurrent named-incident categories, not theoretical ones: UNC6780 attacked LiteLLM and Cisco AI Defense in parallel; state actors used Gemini operationally; CANFAIL and LONGSTREAM used LLM-generated queries to evade static analysis.

Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.

NCSC
The ICO's South Staffs Water fine applies NCSC PAM and monitoring guidance as the GDPR Article 32 enforcement baseline against a water-sector CNI operator, extending the Capita precedent before the CS&R Bill has reached Royal Assent. NCSC guidance now carries enforceable weight inside the existing statutory framework for CNI sectors processing personal data.

Microsoft Security Response Center
The Exchange Emergency Mitigation Service URL rewrite is the sole available mitigation for CVE-2026-42897; MSRC has not signalled an out-of-band patch timeline. The workaround breaks OWA calendar print, inline images, and Light mode, forcing CISOs to choose between user-experience breakage and active-exploitation exposure.

CISA
CISA's Exchange CVE-2026-42897 deadline of 29 May, set before Microsoft published a patch, repeats the PAN-OS posture from 6 May: exploitation velocity now overrides vendor release timelines. BOD 22-01 compliance against an unpatched flaw leaves federal CISOs with only mitigation documentation and mailbox-rule monitoring.