Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

Handala wipes 200,000 devices at Stryker

3 min read
11:00UTC

One stolen login, no malware, up to 200,000 devices dark in hours across 79 countries. The Microsoft Intune admin console used exactly as designed.

TechnologyDeveloping
Key takeaway

A single stolen Intune admin credential was enough to wipe Stryker's global estate without any malware.

Iran-linked hacktivist group Handala remotely wiped between 80,000 and 200,000 devices belonging to US medical-device maker Stryker across 79 countries on 11 March 2026 using a single stolen Microsoft Intune administrator credential 1. No malware was deployed. No payload ran on the endpoints. The attackers used the Mobile Device Management (MDM) console, Microsoft's cloud platform for remotely configuring and wiping enrolled laptops, phones and tablets, the way its legitimate operators do, from the Stryker tenant's own admin pane.

Stryker is the Kalamazoo-headquartered Fortune 500 manufacturer whose orthopaedic implants, surgical tables and hospital beds sit in almost every operating theatre in the United Kingdom and United States. NHS Supply Chain, the National Health Service procurement body for England, issued a disruption alert to UK hospitals on 18 March warning that Stryker ordering, manufacturing and invoicing systems were degraded, with most product lines projected to return by 10 April 2. For three weeks, trusts running Stryker-supplied kit reverted inventory workflows to paper and delayed scheduled procedures. Handala claimed 50 terabytes exfiltrated and framed the operation as retaliation for a February missile strike on an Iranian school.

An Intune admin account has authority equivalent to root on every device in the tenant. Most Endpoint Detection and Response (EDR) products cannot block a wipe command issued from the legitimate MDM console because, to the EDR, it looks like authorised IT activity. The defensive perimeter the industry has spent five years building, around endpoints, around networks, even around cloud workloads, has no view into the console that controls all of them. Conditional Access, Microsoft's policy engine for step-up authentication on admin roles, is the control that should have caught this. The question the Stryker incident forces on every Chief Information Security Officer (CISO) is whether their own MDM tenant has it configured tightly enough to stop a single stolen credential from reaching the wipe button.

The industry has been told this for half a decade. The 2020 SolarWinds SUNBURST compromise and the 2022 Okta Lapsus$ breach established identity as the attack surface. Zero Trust became doctrine. Conditional Access was sold as the answer. Stryker is the first mass-scale, no-malware, MDM-level demonstration that the doctrine did not translate into operational posture. CrowdStrike's $740m acquisition of session-revocation vendor SGNL in January, and the 80 cybersecurity acquisitions announced across February and March, track the same thesis commercially. The commercial signal is now running ahead of the defensive one.

Deep Analysis

In plain English

Imagine a building management company that gives its head of maintenance a master key card that unlocks every room in every office it operates worldwide. Now imagine someone steals that card. Handala, a hacking group with links to Iran, stole the login credentials for one senior IT administrator at Stryker, a US medical device company. That login gave them access to Microsoft Intune, the software Stryker uses to manage laptops, phones, and tablets for all its staff worldwide. Using only that login, Handala pressed the 'remote wipe' button on up to 200,000 devices across 79 countries. No virus. No hacking. Just a stolen password used exactly as the software intended. UK NHS hospitals felt the effect because Stryker supplies medical equipment; their ordering and invoicing systems went dark for about three weeks.

Deep Analysis
Root Causes

Microsoft Intune's default tenant configuration grants the Intune Service Administrator role the ability to issue remote wipe commands to all enrolled devices from any location, on any device, without step-up authentication. This posture is industry-standard, not an anomaly.

Conditional Access policies in most enterprise tenants are designed to protect user-facing applications, not admin console actions. Break-glass account governance, geographic IP fencing, and session-binding for privileged MDM roles remain optional Entra ID features, not defaults.

The structural dependency runs deeper: EDR agents on managed endpoints treat wipe commands issued from the legitimate MDM console as authorised IT activity. No detection layer sits between a compromised admin credential and estate-wide destructive capability.

What could happen next?
  • Risk

    Any enterprise with an unreviewed Microsoft Intune, Jamf, or VMware Workspace ONE tenant faces the same attack surface Handala exploited: a single admin credential with mass-wipe authority and no step-up gate.

    Immediate · 0.9
  • Consequence

    SEC Rule 13a-15 enforcement will use Stryker's 8-K/A as the reference case for material cybersecurity incidents caused by credential theft without malware, expanding the disclosure precedent beyond ransomware.

    Medium term · 0.75
  • Precedent

    OFAC, NCSC, and major cyber insurers are likely to add MDM admin-account posture as an auditable control requirement, following the pattern of how ransomware drove MFA adoption after 2020.

    Short term · 0.7
First Reported In

Update #1 · Stryker MDM wipe exposes identity perimeter

Krebs on Security· 17 Apr 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.