Stryker Corporation Hit by Mass Device Wipe via Single Stolen Credential (March 11, 2026)

Stryker Corporation, a $25+ billion global leader in medical technology and one of the world’s largest manufacturers of orthopedic implants, surgical equipment, and hospital beds, suffered a devastating cyberattack on March 11, 2026. The incident, claimed by the pro-Iran hacktivist group Handala (with reported links to Iranian intelligence), highlights how a single weak credential can cause massive operational chaos — without any malware.

Attackers compromised one Microsoft Intune administrator account. Using this legitimate access, they created a new Global Administrator account in Stryker’s Microsoft 365 / Entra ID environment. They then leveraged Microsoft Intune — the company’s own cloud-based endpoint management and mobile device management (MDM) platform — to issue remote wipe commands.

Between approximately 5:00 AM and 8:00 AM UTC, the hackers remotely wiped or reset data from tens of thousands to over 200,000 devices (including laptops, servers, and employee mobile phones) across 79 countries. The wipe affected production facilities, corporate offices, and even some personally owned devices enrolled in the company’s Intune environment. No traditional malware or ransomware was deployed; the attackers simply weaponized built-in IT tools designed for legitimate device recovery.

Immediate impact

  • Manufacturing lines and shipping operations ground to a halt at multiple facilities worldwide.

  • Some plants reverted to pen-and-paper processes as workers lost access to computers and systems.

  • Employees reported blank screens, forced OS resets, and wiped personal phones that had corporate apps installed.

  • The group also claimed to have exfiltrated approximately 50 terabytes of data, though Stryker has not publicly confirmed the volume or sensitivity of any stolen information.

Stryker quickly activated its incident response plan, contained the attack, and began restoration efforts. The company stated that the disruption was limited to its Microsoft environment and that customer-facing operations were recovering rapidly. However, the incident sent shockwaves through the healthcare and medtech sectors, prompting urgent warnings from the FBI and CISA about the risks of poorly secured endpoint management systems.

Why this attack is so alarming

This was not a sophisticated zero-day exploit. It was a credential-based attack that exploited the immense power of modern unified endpoint management (UEM) tools like Microsoft Intune. Once inside with admin rights, attackers could push destructive actions globally in minutes. The absence of multi-admin approval workflows, strong session monitoring, or phishing-resistant authentication turned a routine IT platform into a digital “kill switch.”

This attack demonstrates how easily a single stolen password — often obtained through phishing, infostealer malware, or credential stuffing — can destroy operations and potentially expose sensitive data, including patient-related information or proprietary medical device designs.

Take these steps today to protect your organization:

  • Enforce multi-admin approval for all high-privilege actions in device-management tools like Microsoft Intune, Jamf, or similar platforms, and pair it with “just-in-time” or “break-glass” access that itself requires an approval workflow.

  • Require phishing-resistant multi-factor authentication (MFA) — such as Microsoft Authenticator with number matching, FIDO2 security keys, or passkeys — on every administrative account.

  • Review and lock down your identity and access management (IAM) controls immediately: implement least-privilege principles, regularly audit admin accounts, enable conditional access policies, and monitor for anomalous sign-ins.

  • Conduct a full review of all enrolled devices and remove unnecessary personal device enrollments where possible.
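The pattern described above, a freshly created Global Administrator followed by a burst of Intune wipe commands, is exactly what the “monitor for anomalous sign-ins” and audit steps should catch. The following is an added example (not code from the original post or from Microsoft): the event tuples use a constructed, simplified schema rather than the real Entra ID or Intune audit-log format, and every account and device name is made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

def _ts(s):
    return datetime.strptime(s, FMT).replace(tzinfo=timezone.utc)

# Constructed sample audit events: (UTC timestamp, actor, action, target).
# Two routine helpdesk wipes, one privileged-role grant, then a wipe storm.
EVENTS = [
    ("2026-03-11T03:10:00Z", "helpdesk@example.com", "WipeDevice", "LOST-PHONE-17"),
    ("2026-03-11T04:52:10Z", "intune-admin@example.com", "AddRoleMember",
     "Global Administrator|new-ga@example.com"),
    ("2026-03-11T14:40:00Z", "helpdesk@example.com", "WipeDevice", "LEAVER-LAPTOP-3"),
]
_start = _ts("2026-03-11T05:00:00Z")
EVENTS += [((_start + timedelta(seconds=2 * i)).strftime(FMT),
            "new-ga@example.com", "WipeDevice", f"DEV-{i:04d}") for i in range(120)]

PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}

def new_privileged_members(events):
    """Return {member: time_of_grant} for additions to privileged roles."""
    out = {}
    for ts, _actor, action, target in events:
        if action == "AddRoleMember":
            role, member = target.split("|", 1)
            if role in PRIVILEGED_ROLES:
                out[member] = _ts(ts)
    return out

def wipe_bursts(events, window=timedelta(minutes=10), threshold=20):
    """Per actor, peak number of WipeDevice actions inside any sliding window;
    only actors at or above the threshold are returned."""
    per_actor = defaultdict(list)
    for ts, actor, action, _target in events:
        if action == "WipeDevice":
            per_actor[actor].append(_ts(ts))
    peaks = {}
    for actor, times in per_actor.items():
        times.sort()
        lo, peak = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            peaks[actor] = peak
    return peaks

def alerts(events):
    """Accounts that were newly elevated and then issued a wipe burst."""
    elevated = new_privileged_members(events)
    post = [e for e in events if e[1] in elevated and _ts(e[0]) >= elevated[e[1]]]
    return sorted(wipe_bursts(post))
```

Feeding real tenant audit exports into the same two checks requires only mapping their fields onto the tuple shape; the threshold and window should be tuned to your normal helpdesk wipe volume.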

Don’t assume your current setup is secure — attackers only need one overlooked account to cause catastrophic damage. At Mojave IT Pros, we help businesses harden their Microsoft 365 and endpoint environments with proactive monitoring, privileged access management, and rapid response capabilities so you stay protected against these evolving threats.
