Full Report
Handala weaponized Microsoft Intune to remotely wipe Stryker Corporation across 61 countries. We built 10 Sigma rules, KQL queries, and OpenSearch queries covering the full attack chain. Download the detection pack.
Analysis Summary
# Incident Report: Handala Cloud-Native Wiper Attack on Stryker Corporation
## Executive Summary
Stryker Corporation, a global medical technology giant, suffered a catastrophic destructive attack where the Iranian-linked threat actor "Handala" weaponized Microsoft Intune to remotely wipe devices across 61 countries. Leveraging compromised Global Administrator credentials, the attackers bypassed traditional malware defenses to execute a "living-off-the-cloud" attack, resulting in the potential wipe of 56,000 employee devices and the exfiltration of 50TB of data. The incident highlights a shift toward attacking the cloud management plane rather than individual endpoints.
## Incident Details
- **Discovery Date:** March 11, 2026
- **Incident Date:** March 11, 2026 (Wipe triggered just after midnight EDT)
- **Affected Organization:** Stryker Corporation
- **Sector:** Healthcare / Medical Device Manufacturing
- **Geography:** Global (61 countries; significant impact noted in Ireland and Australia)
## Timeline of Events
### Initial Access
- **Date/Time:** Weeks prior to March 11, 2026
- **Vector:** Credential compromise (associated with MuddyWater pre-positioning)
- **Details:** Threat actors (MuddyWater) initially established access to the Entra ID environment, obtaining Global Administrator credentials.
### Lateral Movement
- **Details:** The attackers did not perform traditional network lateral movement. Instead, they moved through the cloud management plane, moving from compromised administrative accounts to the Microsoft Intune (MDM) dashboard.
### Data Exfiltration/Impact
- **Data Exfiltration:** Approximately 50 terabytes of data were allegedly exfiltrated over several days/weeks prior to the wipe.
- **Impact:** Mass remote wipe commands issued via Intune hit corporate laptops, servers, and BYOD devices. Login screens were defaced with the Handala logo.
### Detection & Response
- **Detection:** Discovered when devices began wiping globally and employees were unable to log in; attackers sent direct emails to executives.
- **Response Actions:** Stryker filed an 8-K with the SEC; 5,000 employees in the Ireland HQ were sent home; global Microsoft environment was isolated/disrupted.
## Attack Methodology
- **Initial Access:** Valid Global Admin credentials (likely obtained via phishing or credential harvesting).
- **Persistence:** Pre-positioned access by MuddyWater; reuse of already-authenticated sessions and tokens that were never revoked, so the access survived the window between compromise and the wipe.
- **Privilege Escalation:** Assignment of Global Admin roles to attacker-controlled accounts.
- **Defense Evasion:** Sign-ins routed through Starlink IP ranges (AS14593) to mask the Iranian origin; "living-off-the-cloud" abuse of a legitimate management tool (Intune), so no malware payload ever reached the endpoint for EDR to inspect.
- **Credential Access:** Compromise of high-privilege Entra ID/M365 accounts.
- **Discovery:** Audit of Intune-enrolled device inventory.
- **Lateral Movement:** Cloud-to-cloud pivot (Entra ID to Intune).
- **Collection:** Bulk exfiltration of 50TB of M365 data.
- **Exfiltration:** High-volume data transfer over an extended period.
- **Impact:** Remote wipe/factory reset of all managed endpoints (T1485, Data Destruction).
## Impact Assessment
- **Financial:** Significant (Stryker is a $25B revenue company); 8-K filing indicates material impact.
- **Data Breach:** 50TB of sensitive corporate, medical, or research data stolen.
- **Operational:** Global business disruption; total "darkness" for IT infrastructure; factory resets of thousands of devices.
- **Reputational:** High-profile hacktivist claims and executive-targeted psychological operations.
## Indicators of Compromise
- **Network:** Sign-ins from Starlink ASN (AS14593) and Iranian ASNs.
- **File:** None (No malware payload used for the wipe).
- **Behavioral:**
- Unexpected "Bulk Wipe" or "Retire" commands in Intune audit logs.
- Global Admin role assignments outside of PIM (Privileged Identity Management).
- Entra ID login branding modifications (T1491).
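The two behavioral indicators above are the ones a detection engineer would wire up first. The following is an added example, not code from the original report or from any vendor detection pack: it runs the checks over constructed sample events whose shape is modelled on Microsoft Graph `auditEvent` (Intune) and `directoryAudit` (Entra ID) records. The activity strings (`wipe ManagedDevice`, `Add member to role`, the `MS-PIM` initiator), field names, thresholds, user names and device names are assumptions made for the example; tune them against your own tenant's logs.

```python
"""Added detection example (not from the original report): flags bursts of
destructive Intune device actions and Global Administrator grants that did
not go through PIM, over constructed sample events.  Event shapes are
modelled on Graph 'auditEvent' and 'directoryAudit'; the activity strings,
field names and thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

DESTRUCTIVE_ACTIONS = ("wipe", "retire")  # matched case-insensitively in the activity name


def _ts(value):
    # Graph emits ISO-8601 UTC timestamps with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def sample_intune_audit():
    """Constructed Intune audit events: one actor wipes 40 devices in four
    minutes; a helpdesk operator retires two devices a day apart."""
    base = datetime(2026, 3, 11, 4, 1, tzinfo=timezone.utc)
    events = []
    for i in range(40):
        events.append({
            "activityDateTime": (base + timedelta(seconds=6 * i)).isoformat(),
            "activityType": "wipe ManagedDevice",
            "actor": {"userPrincipalName": "ga-admin2@corp.example"},
            "resources": [{"displayName": f"LAPTOP-{i:04d}"}],
        })
    for i, hours in enumerate((30, 6)):
        events.append({
            "activityDateTime": (base - timedelta(hours=hours)).isoformat(),
            "activityType": "retire ManagedDevice",
            "actor": {"userPrincipalName": "helpdesk@corp.example"},
            "resources": [{"displayName": f"PHONE-{i}"}],
        })
    events.append({  # unrelated configuration change, must be ignored
        "activityDateTime": (base - timedelta(hours=1)).isoformat(),
        "activityType": "patch DeviceConfiguration",
        "actor": {"userPrincipalName": "helpdesk@corp.example"},
        "resources": [{"displayName": "Baseline-Win11"}],
    })
    return events


def bulk_device_action_alerts(events, threshold=10, window=timedelta(minutes=15)):
    """Sliding-window count of wipe/retire actions per actor.  One alert per
    actor; its 'count' grows as the burst continues inside the window."""
    recent = defaultdict(deque)   # actor -> timestamps still inside the window
    fired = {}
    alerts = []
    for ev in sorted(events, key=lambda e: _ts(e["activityDateTime"])):
        activity = ev.get("activityType", "").lower()
        if not any(a in activity for a in DESTRUCTIVE_ACTIONS):
            continue
        actor = ev["actor"].get("userPrincipalName") or ev["actor"].get("applicationDisplayName", "unknown")
        t = _ts(ev["activityDateTime"])
        q = recent[actor]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alert = fired.get(actor)
            if alert is None:
                alert = {"actor": actor, "count": 0, "first": q[0].isoformat(), "last": None}
                fired[actor] = alert
                alerts.append(alert)
            alert["count"] = max(alert["count"], len(q))
            alert["last"] = t.isoformat()
    return alerts


def sample_directory_audit():
    """Constructed Entra ID directory audit records: one Global Administrator
    assignment via PIM activation, one made directly by a user account."""
    gа = [{"displayName": "Role.DisplayName", "newValue": "\"Global Administrator\""}]
    return [
        {"activityDisplayName": "Add member to role completed (PIM activation)",
         "activityDateTime": "2026-03-10T09:00:00Z",
         "initiatedBy": {"app": {"displayName": "MS-PIM"}},
         "targetResources": [{"userPrincipalName": "ga-admin1@corp.example", "modifiedProperties": gа}]},
        {"activityDisplayName": "Add member to role",
         "activityDateTime": "2026-03-10T23:40:00Z",
         "initiatedBy": {"user": {"userPrincipalName": "ga-admin2@corp.example"}},
         "targetResources": [{"userPrincipalName": "svc-sync@corp.example", "modifiedProperties": gа}]},
    ]


def role_grants_outside_pim(records, watched_roles=("Global Administrator",)):
    """Privileged role grants whose initiator is not the PIM service."""
    findings = []
    for rec in records:
        if not rec.get("activityDisplayName", "").startswith("Add member to role"):
            continue
        by = rec.get("initiatedBy", {})
        if by.get("app", {}).get("displayName") == "MS-PIM":
            continue
        initiator = by.get("user", {}).get("userPrincipalName", "unknown")
        for target in rec.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "Role.DisplayName":
                    continue
                role = prop.get("newValue", "").strip('"')   # Graph stores the value JSON-quoted
                if role in watched_roles:
                    findings.append({"role": role, "granted_to": target.get("userPrincipalName"),
                                     "granted_by": initiator, "when": rec.get("activityDateTime")})
    return findings


if __name__ == "__main__":
    print(bulk_device_action_alerts(sample_intune_audit()))
    print(role_grants_outside_pim(sample_directory_audit()))
```

The burst threshold is deliberately low (ten destructive actions per actor in fifteen minutes) because a legitimate device-lifecycle run usually comes from a known service account and a known time window; allow-list those rather than raising the threshold. The PIM check is only meaningful once permanent Global Administrator assignments have been removed, otherwise every standing member passes silently.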
## Response Actions
- **Containment:** Disruption of the Microsoft environment to prevent further wipe commands.
- **Eradication:** Revocation of compromised Global Admin sessions and credentials.
- **Recovery:** Restoration of 56,000 endpoints from backups (where possible) and re-enrollment of devices.
## Lessons Learned
- **MFA Gap:** Standard MFA (SMS/TOTP) is insufficient; phishing-resistant MFA (FIDO2) is required for high-privilege accounts.
- **Cloud Governance:** The "PIM gap": standing (non-PIM) Global Administrator assignments, or already-authenticated sessions that outlive a credential reset, give an attacker privilege that Privileged Identity Management's just-in-time activation and approval flow would otherwise have interrupted.
- **Blind Spots:** Traditional EDR does not stop MDM-initiated wipes; monitoring must extend to the cloud admin plane.
## Recommendations
1. **Phishing-Resistant MFA:** Implement hardware keys (e.g., YubiKeys) for all Global Admins.
2. **MDM Guardrails:** Require a second approver ("four-eyes") for bulk wipe and retire actions in Intune where the platform's multi-admin approval policies cover them, and alert on bursts of destructive device actions in the audit log as a compensating control.
3. **Anomalous Login Alerts:** Configure SIEM alerts for privileged-role sign-ins originating from Starlink or other satellite providers, or from ASNs the account has never used. Scope the rule to privileged accounts: Starlink is a legitimate ISP for remote staff, so an unscoped rule will drown in noise.
4. **Conditional Access:** Restrict Intune Admin console access to specific, managed "jump boxes" or trusted IP ranges.
5. **Log Monitoring:** Regularly audit Intune and Entra ID logs for modified compliance policies or bulk device actions.
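Recommendations 3 and 4 are the easiest to mis-scope, so here is an added example (not code from the original report or from Microsoft) that scores privileged-account sign-ins the way a SIEM rule would and mirrors the Conditional Access policy offline. Records are constructed and modelled on Microsoft Graph `signIn` objects; AS14593 is Starlink, while the other ASNs, the RFC 5737 documentation address ranges standing in for corporate egress, the user names and the app display names are assumptions. Real Conditional Access is enforced at token issuance in Entra ID; the decision function only replays the policy for log review.

```python
"""Added example (not from the original report): flags privileged-account
sign-ins from satellite ASNs or outside trusted admin networks, and replays
the Conditional Access policy that would have blocked them.  Sample records
are constructed; AS14593 is Starlink, everything else is an assumption."""
import ipaddress

SATELLITE_ASNS = {14593}                                     # Starlink; add other satellite ISPs
TRUSTED_ADMIN_NETWORKS = [ipaddress.ip_network(c) for c in  # corp egress / admin jump-box ranges
                          ("203.0.113.0/24", "198.51.100.0/28")]
PRIVILEGED_USERS = {"ga-admin1@corp.example", "ga-admin2@corp.example"}
ADMIN_PORTALS = {"Microsoft Intune", "Azure Portal"}        # appDisplayName values to guard


def sample_signins():
    """Constructed sign-in records (not real telemetry)."""
    def rec(upn, ip, asn, app, country):
        return {"userPrincipalName": upn, "ipAddress": ip, "autonomousSystemNumber": asn,
                "appDisplayName": app, "location": {"countryOrRegion": country},
                "status": {"errorCode": 0}}
    return [
        rec("ga-admin1@corp.example", "203.0.113.10", 64500, "Microsoft Intune", "IE"),  # trusted range
        rec("ga-admin2@corp.example", "192.0.2.44", 14593, "Microsoft Intune", "US"),    # Starlink
        rec("ga-admin1@corp.example", "192.0.2.9", 64510, "Microsoft Intune", "IE"),     # home ISP
        rec("jdoe@corp.example", "192.0.2.77", 14593, "Microsoft Teams", "AU"),          # not privileged
        rec("ga-admin1@corp.example", "203.0.113.10", 64500, "Microsoft Teams", "IE"),   # trusted, non-admin app
    ]


def _in_trusted_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ADMIN_NETWORKS)


def signin_reasons(s):
    """Why a privileged sign-in is anomalous; empty list means nothing to flag.
    Non-privileged accounts are deliberately out of scope to keep noise down."""
    if s["userPrincipalName"] not in PRIVILEGED_USERS:
        return []
    reasons = []
    if s.get("autonomousSystemNumber") in SATELLITE_ASNS:
        reasons.append(f"satellite ASN AS{s['autonomousSystemNumber']}")
    if not _in_trusted_network(s["ipAddress"]):
        reasons.append("outside trusted admin networks")
    return reasons


def flag_privileged_signins(signins):
    """SIEM-style pass over sign-in records; one finding per anomalous record."""
    findings = []
    for s in signins:
        reasons = signin_reasons(s)
        if reasons:
            findings.append({"user": s["userPrincipalName"], "ip": s["ipAddress"],
                             "app": s.get("appDisplayName"), "reasons": reasons})
    return findings


def conditional_access_decision(s):
    """Offline replay of the policy: privileged users reach admin portals only
    from trusted named locations.  Returns 'block' or 'allow'."""
    if (s["userPrincipalName"] in PRIVILEGED_USERS
            and s.get("appDisplayName") in ADMIN_PORTALS
            and not _in_trusted_network(s["ipAddress"])):
        return "block"
    return "allow"


if __name__ == "__main__":
    for f in flag_privileged_signins(sample_signins()):
        print(f)
    for s in sample_signins():
        print(s["userPrincipalName"], s["appDisplayName"], conditional_access_decision(s))
```

Two design points: the satellite-ASN check and the trusted-network check are reported separately because they fail differently (an admin on Starlink from a field site trips only the first; a hijacked session replayed from a residential line trips only the second), and the decision function is keyed on the app, not just the user, so that ordinary collaboration traffic from a Global Administrator's account is not blocked by a policy meant for the Intune console.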