Iran-linked attackers wiped employees' devices using Intune The US government has urged companies to better secure Microsoft Intune, an endpoint management tool that was abused in last week's cyberattack against med-tech firm Stryker.…
# Incident Report: Handala Group Exploitation of Microsoft Intune
## Executive Summary
In March 2026, the Iran-linked threat group "Handala" targeted the medical technology firm Stryker, compromising its Microsoft Intune endpoint management environment. The attackers used administrative access to issue remote wipe commands to employee devices and disrupt critical shipping and ordering operations. The incident illustrates a growing "living off the land" trend: turning a legitimate enterprise management tool against the organization that deployed it.
## Incident Details
- **Discovery Date:** Approximately March 15, 2026
- **Incident Date:** Week of March 10, 2026
- **Affected Organization:** Stryker
- **Sector:** Medical Technology / Healthcare
- **Geography:** United States (Global operations impacted)
## Timeline of Events
### Initial Access
- **Date/Time:** Early March 2026
- **Vector:** Compromise of Microsoft environment credentials (specific vector undetermined, likely targeting administrative accounts).
- **Details:** Attackers gained sufficient privileges to access the Microsoft Intune (Endpoint Manager) dashboard.
### Lateral Movement
- **Details:** Once inside the Microsoft tenant, attackers escalated privileges or utilized existing high-level administrative roles to pivot from general environment access to specialized endpoint management controls.
### Data Exfiltration/Impact
- **Details:** Attackers issued remote "Wipe" commands through Intune, factory-resetting employee laptops and mobile devices. This resulted in the total loss of local data on affected assets and mass operational downtime.
### Detection & Response
- **How it was discovered:** Employees reported sudden, unauthorized device wipes; internal monitoring flagged offline shipping and ordering systems.
- **Response actions taken:** Stryker took affected networks offline to contain the spread; CISA issued a national alert on March 18, 2026; Microsoft released emergency hardening guidance on March 13, 2026.
## Attack Methodology
- **Initial Access:** Credential compromise of Microsoft admin accounts.
- **Persistence:** Creation of new administrative accounts within the Intune portal.
- **Privilege Escalation:** Exploitation of over-privileged service accounts or role-assigned administrative users.
- **Defense Evasion:** Use of legitimate Microsoft administrative tools (Intune) to perform destructive actions, bypassing traditional antivirus/EDR.
- **Credential Access:** Likely targeted Global Administrator or Intune Administrator credentials.
- **Discovery:** Enumeration of enrolled devices and user groups via the Intune dashboard.
- **Lateral Movement:** Cloud-to-endpoint movement via MDM (Mobile Device Management) protocols.
- **Collection:** N/A (Focus was on disruption rather than theft).
- **Exfiltration:** N/A.
- **Impact:** Remote wipe/Data destruction and disruption of supply chain systems.
## Impact Assessment
- **Financial:** High (Significant costs related to device reprovisioning and lost revenue from shipping delays).
- **Data Breach:** Localized data loss on wiped devices; no confirmed data exfiltration reported.
- **Operational:** Critical; shipping, ordering, and medical equipment manufacturing networks were knocked offline.
- **Reputational:** High; incident required federal intervention and public alerts from CISA.
## Indicators of Compromise
- **Network indicators:** Logins to Microsoft Admin portals from suspicious IPs (details not publicly released).
- **File indicators:** N/A (Legitimate system tools used).
- **Behavioral indicators:**
- Mass execution of `device wipe` or `factory reset` commands via Intune.
- Creation of unauthorized administrative roles within Microsoft Entra ID/Intune.
- Policy changes in Intune targeting large device groups.
## Response Actions
- **Containment:** Disabling of compromised administrative accounts and taking targeted systems offline.
- **Eradication:** Removal of persistence mechanisms in the Microsoft tenant.
- **Recovery:** Restoration of device functionality through re-enrolling and re-imaging wiped assets from backups.
## Lessons Learned
- **MDM Vulnerability:** Endpoint management tools like Intune are "god-mode" utilities; if they are not secured with the same rigor as domain controllers, the entire fleet is at risk.
- **Over-Privileging:** The ability of a single attacker-controlled identity to wipe devices across the entire organization suggests that Role-Based Access Control (RBAC) scoping and "blast radius" limits were not in place.
- **Fast Notification:** The speed of federal response (CISA) and vendor guidance (Microsoft) suggests that similar attacks may be targeting other organizations.
## Recommendations
- **Enforce MFA:** Mandatory Multi-Factor Authentication (MFA) for all users, with phishing-resistant MFA (FIDO2) for all administrative roles.
- **Implement RBAC:** Use the Principle of Least Privilege (PoLP) to restrict who can initiate "Wipe" or "Retire" commands in Intune.
- **Conditional Access:** Restrict access to the Intune admin portal to specific "Managed Devices" or trusted IP ranges.
- **Audit Logging:** Enable and monitor Microsoft Entra ID and Intune logs for "Mass Action" alerts (e.g., more than X devices wiped within an hour).
- **Just-In-Time (JIT) Access:** Use Privileged Identity Management (PIM) to ensure admin rights are only active when necessary.
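One way to operationalize the behavioral indicators listed under "Indicators of Compromise" and the "Mass Action" audit-logging recommendation above, as an added example that is not from the report, Stryker, or Microsoft. The event field names follow the shape of Microsoft Graph `deviceManagement/auditEvents` records; the exact `activityType` spellings for wipe and retire are assumptions, and the sample events are constructed.

```python
"""Added example: flag 'mass action' wipe/retire bursts in Intune audit events.
Field names follow Graph deviceManagement/auditEvents; activityType spellings are assumed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

def _ev(ts, activity, upn, device=None):
    # Build a minimal auditEvent-shaped dict for the constructed sample data
    return {"activityDateTime": ts, "activityType": activity,
            "actor": {"userPrincipalName": upn},
            "resources": [{"resourceId": device}] if device else []}

SAMPLE_EVENTS = [  # constructed: one routine wipe, then a burst from a helpdesk account
    _ev("2026-03-11T09:00:00Z", "wipe ManagedDevice", "it-admin@example.com", "dev-001"),
    _ev("2026-03-12T02:00:00Z", "createDeviceConfiguration", "svc-helpdesk@example.com"),
    _ev("2026-03-12T02:01:00Z", "wipe ManagedDevice", "svc-helpdesk@example.com", "dev-101"),
    _ev("2026-03-12T02:05:00Z", "wipe ManagedDevice", "svc-helpdesk@example.com", "dev-102"),
    _ev("2026-03-12T02:07:00Z", "retire ManagedDevice", "svc-helpdesk@example.com", "dev-103"),
    _ev("2026-03-12T02:20:00Z", "wipe ManagedDevice", "svc-helpdesk@example.com", "dev-104"),
]

def parse_time(stamp):
    # Graph returns ISO-8601 UTC timestamps with a trailing 'Z'
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def is_destructive(event):
    """Wipe and Retire are the device actions the RBAC recommendation singles out."""
    return event.get("activityType", "").lower().startswith(("wipe", "retire"))

def find_mass_wipes(events, threshold=3, window=timedelta(hours=1)):
    """One alert per actor whose destructive actions in any sliding window reach threshold."""
    by_actor = defaultdict(list)
    for e in events:
        if is_destructive(e):
            by_actor[e["actor"]["userPrincipalName"]].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: parse_time(e["activityDateTime"]))
        times = [parse_time(e["activityDateTime"]) for e in evs]
        best, start = None, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # drop events older than the window
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)  # keep the densest window for this actor
        if best:
            count, s, t = best
            devices = {r["resourceId"] for e in evs[s:t + 1] for r in e["resources"]}
            alerts.append({"actor": actor, "window_start": times[s].isoformat(),
                           "actions": count, "devices": len(devices)})
    return alerts
```

Feed it the audit events pulled for the last day and page on any alert whose device count exceeds what your helpdesk normally retires in an hour; a single routine wipe, like the `it-admin` event in the sample, never trips it.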