Full Report
The attackers behind a recent attack on Stryker did not use malware, instead breaking into a legitimate Microsoft device management system called Intune and wiping the company’s data that way.
Analysis Summary
# Incident Report: Iran-Linked "Handala" Attack on Stryker via Microsoft Intune
## Executive Summary
Stryker, a major healthcare technology firm, suffered a massive "living-off-the-cloud" attack where over 200,000 devices were remotely wiped using the company's own Microsoft Intune instance. The threat actor, identified as the Iran-linked group Handala, did not use traditional malware, instead leveraging administrative access to trigger built-in device management commands. The incident resulted in global operational disruption and the loss of data on both corporate and personal devices.
## Incident Details
- **Discovery Date:** Approximately March 11th, 2026 (inferred from a "more than a week" recovery period as of March 19th)
- **Incident Date:** Early March 2026
- **Affected Organization:** Stryker
- **Sector:** Healthcare Technology / Medical Devices
- **Geography:** Global (U.S., Ireland, India, and others)
## Timeline of Events
### Initial Access
- **Date/Time:** Early March 2026
- **Vector:** Compromise of legitimate administrative credentials.
- **Details:** Attackers gained access to the victim's Microsoft Intune portal, a platform used for Endpoint Management.
### Lateral Movement
- **Details:** Once inside the Intune environment, the attackers did not need to move laterally across servers in the traditional sense; they utilized the platform's native reach to push commands to 200,000+ endpoints simultaneously.
### Data Exfiltration/Impact
- **Impact:** Attackers initiated a "remote wipe" command across the fleet. This wiped corporate data and, in some cases, personal data on Bring Your Own Device (BYOD) phones that had Intune profiles installed.
### Detection & Response
- **Detection:** Discovered when employees were locked out of systems and devices began factory resetting globally.
- **Response:**
  - Engagement with FBI and CISA.
  - Federal seizure of the Handala-connected website (handala-redwanted[.]to).
  - Recovery efforts spanning over ten days for critical infrastructure and manufacturing systems.
## Attack Methodology
- **Initial Access:** Compromised Azure/Entra ID credentials with Intune administrative privileges.
- **Persistence:** Legitimate administrative access to the Microsoft 365 tenant.
- **Privilege Escalation:** Use of global or Intune administrator roles.
- **Defense Evasion:** "Malware-less" attack; used trusted Microsoft signed binaries and legitimate cloud management workflows.
- **Credential Access:** Likely via phishing or credential harvesting (exact method not specified in report).
- **Discovery:** Utilization of Intune’s inventory features to identify all connected devices.
- **Lateral Movement:** Cloud-to-Endpoint command execution.
- **Collection:** N/A (Focus was on destruction).
- **Exfiltration:** N/A.
- **Impact:** Strategic use of the "Wipe" or "Retire" function within Microsoft Intune to perform mass data destruction (T1485 - Data Destruction).
## Impact Assessment
- **Financial:** Significant costs associated with system recovery, lost manufacturing time, and incident response.
- **Data Breach:** Massive data loss due to device wiping; potential exposure of sensitive healthcare data prior to wiping.
- **Operational:** Severe disruption to factories and offices in the U.S., Ireland, and India; employees unable to access critical systems.
- **Reputational:** High-profile breach involving a major medical provider; concerns raised regarding BYOD privacy and security.
## Indicators of Compromise
- **Network indicators:** hxxps://handala-redwanted[.]to (Malicious actor site)
- **File indicators:** N/A (Malware-less attack).
- **Behavioral indicators:**
  - Sudden mass "Wipe" commands initiated from the Intune console.
  - Unauthorized administrative logins from unusual geographic locations.
  - Changes to Intune enrollment or compliance policies.
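The three behavioral indicators above can be turned into a simple detector. The following Python is an added example, not code from the report or from Microsoft: it runs over audit records shaped like Microsoft Graph `deviceManagement/auditEvents` entries (`activityType`, `activityDateTime`, `actor.userPrincipalName`, `resources`) and over simplified sign-in records, flags any actor who issues more than a threshold of wipe/retire actions inside a short window, lists compliance/enrollment policy changes, and flags privileged sign-ins from countries outside an expected set. The activity strings, threshold, window, user names and country codes are all constructed for this example.

```python
"""Detect Intune mass device actions, policy changes and unusual admin sign-ins.

Added example (not from the original report). Event shape follows Microsoft
Graph deviceManagement/auditEvents; all sample data below is constructed.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone

# More than MAX_ACTIONS wipe/retire actions by one actor inside WINDOW is a
# burst; tune both to the fleet's normal help-desk volume (assumed values).
MAX_ACTIONS = 5
WINDOW = timedelta(minutes=10)
DESTRUCTIVE_VERBS = {"wipe", "retire"}
CHANGE_VERBS = {"create", "patch", "delete"}
POLICY_KEYWORDS = ("compliance", "enrollment")


def parse_time(value):
    """Parse an ISO-8601 timestamp such as 2026-03-11T02:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(event):
    """Return 'destructive', 'policy_change' or None for one audit event.

    activityType is assumed to read '<verb> <ResourceType>', e.g.
    'wipe ManagedDevice' or 'patch DeviceCompliancePolicy'.
    """
    verb, _, target = event["activityType"].partition(" ")
    verb = verb.lower()
    if verb in DESTRUCTIVE_VERBS:
        return "destructive"
    if verb in CHANGE_VERBS and any(k in target.lower() for k in POLICY_KEYWORDS):
        return "policy_change"
    return None


def analyse_audit_events(events):
    """Return {'mass_action': {actor: total destructive actions},
               'policy_change': [events]} for the given audit events."""
    findings = {"mass_action": {}, "policy_change": []}
    recent = defaultdict(deque)   # actor -> timestamps inside the sliding window
    totals = Counter()
    flagged = set()
    for ev in sorted(events, key=lambda e: parse_time(e["activityDateTime"])):
        kind = classify(ev)
        if kind == "policy_change":
            findings["policy_change"].append(ev)
            continue
        if kind != "destructive":
            continue
        actor = ev["actor"]["userPrincipalName"]
        ts = parse_time(ev["activityDateTime"])
        totals[actor] += 1
        window = recent[actor]
        window.append(ts)
        while window and ts - window[0] > WINDOW:   # drop events older than WINDOW
            window.popleft()
        if len(window) > MAX_ACTIONS:
            flagged.add(actor)
    findings["mass_action"] = {a: totals[a] for a in flagged}
    return findings


def unusual_sign_ins(sign_ins, expected_countries):
    """Return privileged sign-ins whose country is outside the expected set."""
    return [s for s in sign_ins
            if s["privileged"] and s["country"] not in expected_countries]


def _stamp(t):
    return t.isoformat().replace("+00:00", "Z")


def build_sample_events():
    """Constructed sample: one admin wipes eight devices in under three minutes,
    then edits a compliance policy; a help-desk user wipes two devices an hour apart."""
    base = datetime(2026, 3, 11, 2, 0, tzinfo=timezone.utc)
    admin, helpdesk = "svc-intune-admin@example.com", "helpdesk1@example.com"
    events = [{"activityType": "wipe ManagedDevice",
               "activityDateTime": _stamp(base + timedelta(seconds=20 * i)),
               "actor": {"userPrincipalName": admin},
               "resources": [{"displayName": f"LAPTOP-{i:04d}"}]} for i in range(8)]
    events.append({"activityType": "patch DeviceCompliancePolicy",
                   "activityDateTime": _stamp(base + timedelta(minutes=4)),
                   "actor": {"userPrincipalName": admin}, "resources": []})
    events.append({"activityType": "get ManagedDevice",
                   "activityDateTime": _stamp(base), "actor": {"userPrincipalName": helpdesk},
                   "resources": []})
    for h in (1, 2):
        events.append({"activityType": "retire ManagedDevice",
                       "activityDateTime": _stamp(base + timedelta(hours=h)),
                       "actor": {"userPrincipalName": helpdesk}, "resources": []})
    return events


def build_sample_sign_ins():
    """Constructed sign-ins; 'XX' is a placeholder for an unexpected country."""
    return [{"user": "svc-intune-admin@example.com", "privileged": True, "country": "XX"},
            {"user": "helpdesk1@example.com", "privileged": True, "country": "US"},
            {"user": "engineer@example.com", "privileged": False, "country": "XX"}]


if __name__ == "__main__":
    print(analyse_audit_events(build_sample_events())["mass_action"])
    print(unusual_sign_ins(build_sample_sign_ins(), {"US", "IE", "IN"}))
```

The sliding window is keyed per actor so a busy help desk is not flagged for routine retirements spread across a day, while a single identity issuing wipes every few seconds is. In production the events would come from the Intune audit log export or the Graph audit endpoint rather than the constructed list.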
## Response Actions
- **Containment:** Coordination with Microsoft to revoke compromised administrative tokens and halt ongoing wipe commands.
- **Eradication:** Federal law enforcement (FBI) seizure of attacker infrastructure.
- **Recovery:** Manual re-imaging and re-enrollment of 200,000+ wiped devices.
## Lessons Learned
- **The Intune Risk:** Centralized management tools are "force multipliers" for attackers; a single compromised admin account can destroy an entire global fleet.
- **BYOD Vulnerability:** Employees' personal data is at risk when personal devices are enrolled in MDM solutions without strict containerization.
- **MFA is Not Enough:** If MFA is bypassed or session tokens are stolen, attackers have unrestricted access to destructive "god-mode" tools.
## Recommendations
- **Role-Based Access Control (RBAC):** Assign the least privilege necessary for Intune admins; avoid using Global Admin for daily tasks.
- **Multi-Admin Approval:** Enable "Multi-Admin Approval" in Intune to require a second authorized user to approve high-impact actions like "Wipe."
- **Conditional Access:** Implement strict Microsoft Entra ID policies (MFA, compliant devices only, and IP geofencing) for accessing the Intune admin portal.
- **Logging/Alerting:** Configure alerts for "Mass Device Actions" within the Microsoft 365 Audit Logs.
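The RBAC and Conditional Access recommendations above can be checked against a tenant's exported policies. The Python below is an added example, not code from the report or a Microsoft tool: it models policies on the Microsoft Graph `conditionalAccessPolicy` resource shape and verifies that (1) an enabled grant policy requires MFA AND a compliant device for Global Administrator and Intune Administrator sign-ins to Intune, and (2) an enabled block policy denies those roles from all locations except a trusted named location. The role template IDs are the Entra built-in values for those two roles and the application ID is the first-party Microsoft Intune app; verify both against your tenant. A weak policy set is shown beside a hardened one; both sets and the named-location ID are constructed for this example.

```python
"""Audit Conditional Access coverage for Intune admin roles.

Added example (not from the original report). Policy dictionaries follow the
Graph conditionalAccessPolicy shape; the sample policy sets are constructed.
"""

# Entra built-in role template IDs (verify against your tenant).
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"
INTUNE_ADMIN_ROLE = "3a2c62db-5318-420d-8d74-23affee5d9d5"
# First-party Microsoft Intune application ID (verify against your tenant).
INTUNE_APP = "0000000a-0000-0000-c000-000000000000"
ADMIN_ROLES = {GLOBAL_ADMIN_ROLE, INTUNE_ADMIN_ROLE}
TRUSTED_LOCATION_ID = "00000000-0000-0000-0000-00000000c0de"   # constructed placeholder


def _enabled_for_admins(policy):
    """True when the policy is enforced and covers both admin roles."""
    roles = set(policy["conditions"]["users"].get("includeRoles", []))
    return policy.get("state") == "enabled" and ADMIN_ROLES <= roles


def _covers_intune(policy):
    apps = set(policy["conditions"]["applications"].get("includeApplications", []))
    return "All" in apps or INTUNE_APP in apps


def audit_policies(policies):
    """Return a list of gap descriptions; an empty list means both controls exist."""
    gaps = []
    grant_ok = False
    block_ok = False
    for p in policies:
        grant = p.get("grantControls") or {}
        controls = set(grant.get("builtInControls", []))
        locations = p["conditions"].get("locations") or {}
        if not _enabled_for_admins(p):
            continue
        # Control 1: MFA AND compliant device, scoped to Intune (or all apps).
        if (_covers_intune(p) and {"mfa", "compliantDevice"} <= controls
                and grant.get("operator") == "AND"):
            grant_ok = True
        # Control 2: block from everywhere except trusted named locations.
        if (controls == {"block"} and locations.get("includeLocations") == ["All"]
                and locations.get("excludeLocations")):
            block_ok = True
    if not grant_ok:
        gaps.append("no enabled policy requires MFA AND compliant device "
                    "for Global/Intune admins on Intune")
    if not block_ok:
        gaps.append("no enabled block policy limits admin sign-ins to trusted locations")
    return gaps


# Weak set: report-only, Global Admin only, MFA alone, no location fence.
WEAK_POLICIES = [{
    "displayName": "Require MFA for admins",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE]},
                   "applications": {"includeApplications": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}]

# Hardened set: both roles, MFA AND compliant device on Intune, plus a
# location block policy that exempts only the trusted named location.
HARDENED_POLICIES = [
    {"displayName": "Intune admins: MFA and compliant device",
     "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE, INTUNE_ADMIN_ROLE]},
                    "applications": {"includeApplications": [INTUNE_APP]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
    {"displayName": "Intune admins: block outside trusted locations",
     "state": "enabled",
     "conditions": {"users": {"includeRoles": [GLOBAL_ADMIN_ROLE, INTUNE_ADMIN_ROLE]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"],
                                  "excludeLocations": [TRUSTED_LOCATION_ID]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

if __name__ == "__main__":
    print("weak:", audit_policies(WEAK_POLICIES))
    print("hardened:", audit_policies(HARDENED_POLICIES))
```

The check treats a report-only policy as absent, because a policy in `enabledForReportingButNotEnforced` state logs but never blocks a stolen-token sign-in; the same applies to an `OR` operator, which lets MFA alone satisfy a policy meant to also require a compliant device.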