A sophisticated cyberattack against medical technology leader Stryker has resulted in the remote wiping of tens of thousands of corporate devices. Contrary to initial fears, the incident was not a ransomware attack, and the threat actor did not deploy any traditional malware. Instead, the attackers exploited legitimate administrative tools within Stryker's internal Microsoft environment. According to an update from the company, the attack was contained within its corporate IT infrastructure, and all Stryker medical devices remain safe for clinical use. However, critical business systems, including electronic ordering platforms, remain offline, forcing customers to place orders manually through sales representatives.
The attack, claimed by the hacktivist group Handala—which is believed to have ties to Iran—reportedly leveraged Microsoft Intune, a cloud-based endpoint management service. A source familiar with the investigation told BleepingComputer that the threat actor executed a wipe command through Intune, erasing data from approximately 80,000 devices during a concentrated three-hour window. The attackers boasted of compromising over 200,000 systems and exfiltrating 50 terabytes of data, but forensic investigators have found no evidence of actual data theft, suggesting the primary impact was disruptive rather than exfiltrative.
The consequences of the wipe were immediately felt by Stryker's global workforce. Employees across multiple countries reported that their company-managed laptops and mobile devices were remotely reset to factory settings overnight. In a more invasive twist, some personnel who had enrolled personal devices into the company's Mobile Device Management (MDM) system also lost personal data, highlighting the risks of "Bring Your Own Device" (BYOD) policies when corporate security is compromised. This aspect underscores the attack's significant operational and personal impact beyond corporate data loss.
This incident serves as a critical case study in modern cyber threats, where attackers increasingly abuse legitimate administrative tools and cloud services to inflict damage. The use of Intune for a mass wipe demonstrates a "living off the land" technique, making detection more difficult as the activity blends with normal administrative actions. In response, organizations are urged to enforce strict access controls, multi-factor authentication (MFA) on all administrative consoles, and rigorous segmentation of critical systems. As Stryker works to restore its internal IT environment manually, the cybersecurity community is analyzing the event to bolster defenses against similar cloud-based administrative tool abuse.
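The "living off the land" point above is that a mass wipe issued through Intune looks, event by event, like routine administration; what distinguishes it is the volume and tempo of destructive actions from a single principal. The detector below is an added example (not code from the article, from Stryker, or from Microsoft): it reads Intune-style audit records as JSON lines and flags any actor whose wipe/retire actions cluster beyond a threshold inside a sliding time window. The record fields (`activityType`, `activityDateTime`, `actor`), the action names in `DESTRUCTIVE_ACTIONS`, the principals and the timestamps are all constructed for the example and only loosely modelled on the Microsoft Graph `deviceManagement/auditEvents` shape; map them to what your tenant's export actually emits.

```python
"""Burst detector for destructive MDM actions (added example, assumed schema)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Action names that destroy data on the endpoint. Assumed for this example;
# adjust to the activityType values your audit export really contains.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "deleteManagedDevice"}

# Constructed audit log, one JSON record per line. Two principals: an admin doing
# two wipes hours apart (normal) and a service account issuing six wipes in five
# minutes (the pattern a mass-wipe abuse would leave behind).
SAMPLE_AUDIT_JSONL = """
{"activityType": "wipe", "activityDateTime": "2024-01-01T09:00:00Z", "actor": "ops-admin@example.com", "device": "LAPTOP-001"}
{"activityType": "syncDevice", "activityDateTime": "2024-01-01T09:05:00Z", "actor": "ops-admin@example.com", "device": "LAPTOP-002"}
{"activityType": "wipe", "activityDateTime": "2024-01-01T15:00:00Z", "actor": "ops-admin@example.com", "device": "LAPTOP-003"}
{"activityType": "wipe", "activityDateTime": "2024-01-02T02:00:00Z", "actor": "svc-mdm@example.com", "device": "LAPTOP-101"}
{"activityType": "wipe", "activityDateTime": "2024-01-02T02:01:00Z", "actor": "svc-mdm@example.com", "device": "LAPTOP-102"}
{"activityType": "retire", "activityDateTime": "2024-01-02T02:02:00Z", "actor": "svc-mdm@example.com", "device": "LAPTOP-103"}
{"activityType": "wipe", "activityDateTime": "2024-01-02T02:03:00Z", "actor": "svc-mdm@example.com", "device": "LAPTOP-104"}
{"activityType": "wipe", "activityDateTime": "2024-01-02T02:04:00Z", "actor": "svc-mdm@example.com", "device": "LAPTOP-105"}
{"activityType": "wipe", "activityDateTime": "2024-01-02T02:05:00Z", "actor": "svc-mdm@example.com", "device": "LAPTOP-106"}
{"activityType": "syncDevice", "activityDateTime": "2024-01-02T02:06:00Z", "actor": "svc-mdm@example.com", "device": "LAPTOP-107"}
"""


def load_events(jsonl_text):
    """Parse JSON-lines audit output into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=30)):
    """Return one alert per actor whose destructive actions reach `threshold`
    within any `window`-long span. Each alert carries the peak count and the
    time bounds of that peak so a responder can pivot straight to the records."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("activityType") in DESTRUCTIVE_ACTIONS:
            by_actor[ev["actor"]].append(parse_ts(ev["activityDateTime"]))

    alerts = []
    for actor, times in by_actor.items():
        times.sort()
        recent = deque()          # timestamps inside the current window
        peak, peak_span = 0, None
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) > peak:
                peak, peak_span = len(recent), (recent[0], t)
        if peak >= threshold:
            alerts.append({
                "actor": actor,
                "count": peak,
                "first": peak_span[0].isoformat(),
                "last": peak_span[1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_wipe(load_events(SAMPLE_AUDIT_JSONL)):
        print(f"ALERT {alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['first']} and {alert['last']}")
```

On the constructed log this yields a single alert for `svc-mdm@example.com` (six destructive actions in five minutes) and nothing for the admin whose two wipes are hours apart. In practice the thresholds belong in the same tier of controls the paragraph describes: a burst like this from one account is the signal to cut that account's session and require re-authentication on the admin console, and the audit feed itself should be exported to a log store the same account cannot wipe.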