Full Report
Last week's cyberattack on medical technology giant Stryker was limited to its internal Microsoft environment and remotely wiped tens of thousands of employee devices. [...]
Analysis Summary
# Incident Report: Remote Device Wipe of Stryker Corporate Environment
## Executive Summary
The medical technology giant Stryker suffered a major disruptive cyberattack that resulted in the remote wiping of approximately 80,000 corporate and employee-enrolled devices. The attacker compromised an existing administrator account in Stryker's Microsoft tenant, created a new Global Administrator account, and used the remote wipe action of Microsoft Intune to erase the devices; no malware was deployed at any point. While electronic ordering and shipping systems were disrupted, the company confirmed that medical devices and products remained unaffected.
## Incident Details
- **Discovery Date:** March 11, 2026
- **Incident Date:** March 11, 2026
- **Affected Organization:** Stryker
- **Sector:** Medical Technology / Healthcare
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to March 11, 2026
- **Vector:** Compromise of an existing administrator account.
- **Details:** The threat actor gained access to the internal Microsoft corporate environment.
### Privilege Escalation and Persistence
- After the initial compromise, the attacker created a new **Global Administrator** account within the Microsoft environment. Global Administrators have full administrative rights over Intune by default, so this single account was sufficient to issue wipe commands to every managed device in the tenant.
### Data Exfiltration/Impact
- **Exfiltration:** Although the "Handala" hacktivist group claimed to have stolen 50 TB of data, investigators found no evidence of data exfiltration.
- **Impact:** Between 05:00 and 08:00 UTC on March 11, the attacker used the Intune "Wipe" remote device action to erase tens of thousands of devices.
### Detection & Response
- **Detection:** Discovered following massive reports of devices being wiped and internal system outages.
- **Response:** Stryker engaged Microsoft DART and Palo Alto Unit 42; moved ordering systems to manual processes via sales representatives.
## Attack Methodology
- **Initial Access:** Valid Accounts (T1078): compromise of an existing administrator account.
- **Persistence:** Create Account: Cloud Account (T1136.003): creation of a new Global Administrator account.
- **Privilege Escalation:** Assignment of the Global Administrator role, which carries full Intune administrative rights by default.
- **Defense Evasion:** Use of legitimate, signed management tooling (Intune) rather than malware, so endpoint antivirus/EDR had nothing to detect ("living off the cloud").
- **Credential Access:** Not disclosed. Credential theft or session-token hijacking of an administrator are plausible but unconfirmed.
- **Discovery:** Cloud Service Discovery (T1526): enumeration of Intune-managed devices.
- **Lateral Movement:** None reported beyond the pivot from the compromised account to the newly created Global Administrator account.
- **Collection:** N/A (no evidence of data collection found).
- **Exfiltration:** N/A (the claimed 50 TB exfiltration is unverified).
- **Impact:** Data Destruction (T1485): bulk use of the Intune "Wipe" remote device action.
## Impact Assessment
- **Financial:** Significant costs associated with incident response (DART/Unit 42) and labor for re-provisioning 80,000 devices.
- **Data Breach:** Loss of local data on 80,000 devices; some personal data lost on employee-enrolled devices (BYOD).
- **Operational:** Electronic ordering and shipping systems went offline; manufacturing sites faced potential disruption.
- **Reputational:** High-profile disruption claimed by a hacktivist group; impact on employee trust due to personal data loss on enrolled devices.
## Indicators of Compromise
- **Network indicators:** None publicly released. Attribution to the "Handala" group rests on the group's own claim and has not been confirmed by the investigators.
- **File indicators:** N/A (Attack was "malwareless").
- **Behavioral indicators:**
- Creation of unauthorized Global Admin accounts.
- Bulk execution of "Wipe" commands via Microsoft Intune between 05:00-08:00 UTC.
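The two behavioural indicators above can be checked directly against audit logs. The following is an added example, not part of the original report and not Stryker's, Microsoft's or the responders' code. The audit events it runs over are constructed; their field names approximate the shape of Entra ID audit logs (`activityDisplayName`, `initiatedBy`, `targetResources`/`modifiedProperties`) and Intune audit events (`activity`, `actor`, `activityDateTime`), and the account names, wipe threshold and time window are assumptions to be tuned per tenant.

```python
"""Detection logic for the two behavioural indicators (added example, constructed data).

  1. A Global Administrator role assignment, from Entra ID audit events
     ("Add member to role" with Role.DisplayName == "Global Administrator").
  2. A burst of Intune remote-wipe actions by one actor inside a sliding window.

Field names approximate the Entra ID audit log and Intune audit event schemas;
real exports should be mapped onto these keys by the caller.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

GLOBAL_ADMIN_ROLE = "Global Administrator"
WIPE_BURST_THRESHOLD = 20                 # assumed: wipes by one actor ...
WIPE_BURST_WINDOW = timedelta(minutes=10)  # ... inside this window is abnormal


def parse_ts(value):
    """Parse an ISO-8601 timestamp (trailing 'Z' allowed) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_global_admin_assignments(entra_events):
    """One finding per 'Add member to role' event whose new role is Global Administrator."""
    findings = []
    for ev in entra_events:
        if ev.get("activityDisplayName") != "Add member to role":
            continue
        actor = ev.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
        for target in ev.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "Role.DisplayName":
                    continue
                raw = prop.get("newValue", "")
                try:
                    role = json.loads(raw)  # Entra JSON-encodes newValue: '"Global Administrator"'
                except json.JSONDecodeError:
                    role = raw
                if role == GLOBAL_ADMIN_ROLE:
                    findings.append({"time": ev["activityDateTime"], "actor": actor,
                                     "target": target.get("userPrincipalName", "<unknown>")})
    return findings


def detect_wipe_bursts(intune_events, threshold=WIPE_BURST_THRESHOLD, window=WIPE_BURST_WINDOW):
    """Flag every actor who issued at least `threshold` wipe actions inside any `window`."""
    per_actor = defaultdict(list)
    for ev in intune_events:
        if "wipe" not in ev.get("activity", "").lower():  # substring: activity text varies
            continue
        actor = ev.get("actor", {}).get("userPrincipalName", "<unknown>")
        per_actor[actor].append(parse_ts(ev["activityDateTime"]))

    alerts = []
    for actor, times in per_actor.items():
        times.sort()
        start, peak, peak_span = 0, 0, None
        for end, t in enumerate(times):        # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > peak:
                peak, peak_span = end - start + 1, (times[start], t)
        if peak >= threshold:
            alerts.append({"actor": actor, "wipes": peak,
                           "window_start": peak_span[0].isoformat(),
                           "window_end": peak_span[1].isoformat()})
    return alerts


def build_sample_events():
    """CONSTRUCTED sample: one benign role grant, one rogue Global Admin grant,
    25 wipes in 8 minutes from the rogue account, 3 benign wipes spread over a day."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    t0 = datetime(2026, 3, 11, 5, 0, tzinfo=timezone.utc)

    def role_grant(when, actor, target, role):
        return {"activityDateTime": when, "activityDisplayName": "Add member to role",
                "initiatedBy": {"user": {"userPrincipalName": actor}},
                "targetResources": [{"userPrincipalName": target, "modifiedProperties": [
                    {"displayName": "Role.DisplayName", "newValue": json.dumps(role)}]}]}

    def wipe(when, actor, device):
        return {"activity": "Wipe ManagedDevice", "activityDateTime": when.strftime(fmt),
                "actor": {"userPrincipalName": actor}, "resources": [{"displayName": device}]}

    entra = [role_grant("2026-03-10T14:02:00Z", "it.admin@example.com",
                        "helpdesk1@example.com", "Helpdesk Administrator"),
             role_grant("2026-03-11T03:42:10Z", "compromised.admin@example.com",
                        "svc-backup-sync@example.com", GLOBAL_ADMIN_ROLE)]
    intune = [wipe(t0 + timedelta(seconds=20 * i), "svc-backup-sync@example.com", f"LAPTOP-{i:04d}")
              for i in range(25)]
    intune += [wipe(t0 + timedelta(hours=3 * i), "helpdesk1@example.com", f"LOST-PHONE-{i}")
               for i in range(3)]
    return entra, intune


if __name__ == "__main__":
    entra, intune = build_sample_events()
    for f in detect_global_admin_assignments(entra):
        print("Global Administrator granted:", f)
    for a in detect_wipe_bursts(intune):
        print("Wipe burst:", a)
```

In a live tenant the first detector would be fed from the Entra ID directory audit log and the second from Intune audit events (both exposed through Microsoft Graph, and both forwardable to a SIEM); the wipe threshold must be set well above the tenant's normal daily rate of lost-device wipes, and the Global Administrator alert should fire unconditionally, since under a PIM model no permanent assignment should ever appear outside a change window.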
## Response Actions
- **Containment:** Secured the Microsoft environment and revoked unauthorized Global Admin access.
- **Eradication:** Identification and removal of any backdoors or secondary accounts created by the attacker.
- **Recovery:** Initiated restoration of core transactional systems; manual processing of customer orders via sales reps; re-imaging and re-provisioning of wiped devices.
## Lessons Learned
- **The "Malwareless" Threat:** Attackers are increasingly using legitimate management tools (Intune) to cause damage, bypassing traditional antivirus/EDR.
- **BYOD Risks:** Enrolling personal devices in corporate MDM (Mobile Device Management) solutions creates a risk of personal data loss during corporate security incidents.
- **Global Admin Risk:** A single compromised Global Administrator account is enough to trigger catastrophic operational disruption across an entire tenant; no exploit, malware or on-premises foothold is required.
## Recommendations
- **Multi-Factor Authentication (MFA):** Ensure phishing-resistant MFA (e.g., FIDO2) is enforced for all administrative accounts.
- **Conditional Access:** Restrict sign-ins by administrative roles to compliant, managed devices and named locations, and require phishing-resistant authentication strength for them, so that stolen credentials or tokens cannot be used to reach the Entra or Intune admin portals from attacker infrastructure.
- **Privileged Identity Management (PIM):** Use Just-In-Time (JIT) access to elevate privileges only when necessary, rather than having persistent Global Admins.
- **Intune Safeguards:** Global Administrators hold full Intune rights by default; perform day-to-day device management with scoped Intune RBAC roles and scope tags instead, review who can issue "Wipe" and "Retire" actions, alert on bulk device actions, and use Intune multi admin approval (access policies) for the action types it covers so that no single account can execute destructive changes alone.
- **Backup Policy:** Reinforce that employees should not store the only copy of critical data locally on endpoints.