
Stryker attack used Intune to wipe 80,000 devices in three hours, no malware needed

By Artem Safonov , Threat Analyst
Cover © Anonhaven

Attackers wiped roughly 80,000 Stryker devices in three hours on March 11. They used Microsoft Intune's built-in remote wipe command. No malware was involved. The medtech giant confirmed a week later that order processing, manufacturing, and shipping across 61 countries remain disrupted. Stryker's latest customer update calls the incident "contained" but provides no restoration timeline.

A source told BleepingComputer how the attacker got in. They compromised an existing administrator account and used it to create a new Global Administrator in Stryker's Microsoft environment. That role carries full administrative rights over Intune, so the mass wipe commands the attacker then issued were ordinary, authenticated admin actions rather than anything an endpoint agent would flag. The commands erased Windows laptops, smartphones, and other managed endpoints between 5:00 and 8:00 AM UTC.

Iran-linked group Handala claimed it wiped "over 200,000 systems" and exfiltrated 50 terabytes. Investigators found no evidence of exfiltration. BleepingComputer's source puts the actual count at roughly 80,000. Some employees had personal phones enrolled in the Stryker network and lost personal data during the wipe.

The endpoint management platform was the weapon.

— Denis Calderone, CTO, Suzu Labs

Calderone pointed to a specific Intune feature that could have blocked the mass wipe. Multi-Admin Approval is an opt-in access policy: once it covers device actions, any wipe or retire command, whoever issues it, sits pending until a second administrator explicitly signs off. The requesting admin must provide a business justification, and the approver must be a different account from the requester. It is not enabled by default. Stryker has not disclosed whether Multi-Admin Approval was active at the time of the incident.

Palo Alto Networks Unit 42 assesses Handala as a front for Iran's MOIS. Justin Moore, senior threat intelligence manager at Palo Alto Networks, told Bloomberg the group's tradecraft "has significantly evolved over the past two years." Handala called the operation retaliation for a February 28 U.S. missile strike in Minab, Iran. AP News reported at least 175 people killed, including children.

Stryker's Cork, Ireland, headquarters (4,000 employees) shut down entirely.

Staff across five countries were told to disconnect and avoid powering on company hardware. They had to uninstall Intune Company Portal, Microsoft Teams, and VPN clients from personal phones. Some lost two-factor authentication access and could not reach any corporate account.

The recovery timeline is not unknown because of servers. It's unknown because of factories. Restoring endpoints is an IT project with a finish line. Restoring manufacturing, shipping, and supply chain operations across 61 countries is a business continuity project with dependencies that extend far beyond IT.

— Collin Hogue-Spears, senior director of solution management, Black Duck.

Cloud-hosted products that run independently of Stryker's Microsoft environment were not hit. Vocera Ease (hosted on AWS), care.ai (hosted on Google Cloud Platform), and SurgiCount (isolated cloud environment) continued operating normally. Stryker confirmed all connected medical products, including LIFEPAK defibrillators and Mako robotic surgical systems, are safe to use.

Stryker filed two 8-K forms with the SEC. The March 13 filing stated the company "has not determined whether the attack will have a material impact." As of March 17, core transactional systems are "on a clear path to recovery." CISA has opened an investigation.

Seedworm (MuddyWater), another MOIS-linked group, has been planting backdoors in U.S. corporate networks since early February 2026. Symantec and Carbon Black researchers reported the activity independently. The timing suggests the Stryker hit may be part of a broader, coordinated Iranian cyber campaign.

Intune and MDM administrators should check Multi-Admin Approval status now. Restrict Global Administrator to break-glass accounts and grant day-to-day Intune rights through narrower, scoped roles. Require phishing-resistant MFA for all administrative sessions. Alert on bursts of wipe and retire actions in the Intune audit log, and on new privileged role assignments, keeping in mind that a wipe executes as soon as the device checks in, so alerting limits the damage but cannot prevent it the way approval does. For personally owned phones, prefer app protection policies or work-profile enrollment so that a corporate wipe can only remove corporate data. Stryker treats more than 150 million patients annually. The supply chain cost of the ongoing disruption has not been quantified.
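The bulk-wipe alert recommended above, as an added example written for this article rather than code from Stryker, Microsoft, or any of the researchers quoted. It runs a sliding-window count of destructive device actions per administrator over a list of audit events. The event shape (activityType, activityDateTime, actor.userPrincipalName, resources) is modelled on the records returned by the Microsoft Graph deviceManagement/auditEvents endpoint, but the exact activityType strings, the threshold of 25 actions in 10 minutes, and the sample events and account names are assumptions constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Device actions that destroy data on the endpoint. Matching on these
# substrings of activityType is an assumption for this example; check the
# exact strings your tenant's audit export produces.
DESTRUCTIVE_OPS = ("wipe", "retire")


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_destructive(event):
    return any(op in event["activityType"].lower() for op in DESTRUCTIVE_OPS)


def detect_bulk_wipes(events, threshold=25, window=timedelta(minutes=10)):
    """Return one alert per actor whose destructive device actions reach
    `threshold` inside any `window`-long sliding interval.

    Events may arrive in any order; they are bucketed per actor and sorted.
    """
    per_actor = defaultdict(list)
    for event in events:
        if is_destructive(event):
            per_actor[event["actor"]["userPrincipalName"]].append(
                _ts(event["activityDateTime"])
            )

    alerts = []
    for actor, times in per_actor.items():
        times.sort()
        start, best_count, best_span = 0, 0, None
        for end, current in enumerate(times):
            # Slide the window start forward until it fits inside `window`.
            while current - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count, best_span = count, (times[start], current)
        if best_count >= threshold:
            alerts.append({
                "actor": actor,
                "count": best_count,
                "first": best_span[0].isoformat(),
                "last": best_span[1].isoformat(),
            })
    return alerts


def make_events(actor, activity, first, count, gap_seconds):
    """Build constructed audit events spaced `gap_seconds` apart."""
    t0 = _ts(first)
    return [
        {
            "activityType": activity,
            "activityDateTime": (t0 + timedelta(seconds=i * gap_seconds))
            .isoformat().replace("+00:00", "Z"),
            "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": f"LAPTOP-{i:05d}"}],
        }
        for i in range(count)
    ]


# Constructed sample feed: a newly created admin firing 40 wipes three seconds
# apart, plus a help-desk account doing routine wipes half an hour apart and
# some non-destructive syncs. Names and times are invented.
SAMPLE_EVENTS = (
    make_events("new-ga@example.com", "Wipe ManagedDevice",
                "2026-03-11T05:02:00Z", 40, 3)
    + make_events("helpdesk@example.com", "Wipe ManagedDevice",
                  "2026-03-11T07:00:00Z", 3, 1800)
    + make_events("helpdesk@example.com", "Sync ManagedDevice",
                  "2026-03-11T07:05:00Z", 50, 2)
)

if __name__ == "__main__":
    for alert in detect_bulk_wipes(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['first']} and {alert['last']}")
```

In production the event list would come from the Graph audit endpoint or from the Intune audit export into Log Analytics, and the threshold should sit just above the largest legitimate batch your help desk runs; anything that fires here should also be cross-checked against the approval records Multi-Admin Approval produces, since a burst with no matching approvals means the policy was bypassed or never enabled.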


Questions on the topic

How did the Stryker cyberattack work?
Attackers compromised a Microsoft administrator account, created a new Global Administrator, and used Intune's built-in remote wipe command to erase roughly 80,000 devices in three hours. No malware was involved. Manufacturing and shipping remain disrupted.