The Stryker Attack: CISA demands Intune hardening after 200,000 devices wiped
CISA urges all organizations to harden Microsoft Intune after Iran-linked Handala wiped 200,000 devices at medtech giant Stryker.
On March 11, 2026, Iran-linked hacktivist group Handala wiped approximately 200,000 devices at medtech giant Stryker. Operations across 79 countries went dark. Swedish hospitals using Stryker's services had to disconnect.
How the attack worked
Handala compromised an administrator account in Stryker's Entra ID tenant. From there, they created a new Global Administrator account and used Microsoft Intune to issue mass remote wipe commands to all connected devices. No vulnerabilities were exploited — a compromised admin account and standard Intune functionality were all it took.
This is the key insight: Intune did exactly what it was designed to do. The problem was that the wrong person had access.
Why SMBs need to act now
CISA issued emergency guidance on March 18 with three specific requirements:
- Least-privilege admin roles — use Intune's role-based access control (RBAC) instead of Global Administrator for day-to-day operations
- Dual-approval for destructive actions — wipe and retire commands should require a second admin's confirmation
- Phishing-resistant MFA on all admin accounts — FIDO2 keys or passkeys, not SMS
CERT-SE covered the attack in their weekly newsletter (week 12). Ericsson also suffered a related data breach affecting 15,000+ employees. Awareness in the Nordics is high right now.
What you should do
Check how many Global Administrator accounts exist in your Entra ID tenant. If the answer is more than two active accounts, you have too many. Enable Privileged Identity Management (PIM) so admin rights are only active when actually needed.
Review your Intune policies: can a single admin remote-wipe all devices without approval? If yes — fix that this week.
Make sure all admin accounts use phishing-resistant MFA. SMS codes are not enough.
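The account and MFA checks above can be run as an offline audit over data exported from Microsoft Graph. This is an added example, not code from CISA, Microsoft or the original article. The field names follow Graph's role assignment schedule instance, role eligibility schedule instance and authentication method resources; the function names, the choice of which method types count as phishing-resistant, and all sample data are assumptions constructed for illustration.

```python
# Added example: audits Microsoft Graph-shaped exports; all sample data is constructed.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"  # built-in role template ID
MAX_STANDING_ADMINS = 2  # the article's threshold for active accounts
NS = "#microsoft.graph."
# Method types this example treats as phishing-resistant (assumption; match your policy).
PHISHING_RESISTANT = {NS + "fido2AuthenticationMethod",
                      NS + "windowsHelloForBusinessAuthenticationMethod"}
SMS_CAPABLE = NS + "phoneAuthenticationMethod"

def audit_global_admins(assignments, eligibilities, auth_methods):
    """Report standing Global Admins, PIM-eligible ones, and weak MFA among both."""
    def is_ga(entry):
        return entry["roleDefinitionId"] == GLOBAL_ADMIN_ROLE_ID

    # assignmentType "Assigned" is standing access; "Activated" is a PIM elevation.
    standing = sorted({a["principalId"] for a in assignments
                       if is_ga(a) and a["assignmentType"] == "Assigned"})
    eligible = sorted({e["principalId"] for e in eligibilities if is_ga(e)})
    weak_mfa, sms_registered = [], []
    for pid in sorted(set(standing) | set(eligible)):
        types = {m["@odata.type"] for m in auth_methods.get(pid, [])}
        if not types & PHISHING_RESISTANT:  # also true when nothing is registered
            weak_mfa.append(pid)
        if SMS_CAPABLE in types:  # a phone method can remain as a weaker fallback
            sms_registered.append(pid)
    return {"standing": standing, "eligible": eligible,
            "too_many_standing": len(standing) > MAX_STANDING_ADMINS,
            "weak_mfa": weak_mfa, "sms_registered": sms_registered}

def row(pid, kind=None, role=GLOBAL_ADMIN_ROLE_ID):
    """Build one constructed assignment or eligibility record."""
    return {"principalId": pid, "roleDefinitionId": role, "assignmentType": kind}

def methods(*kinds):
    """Build a constructed list of registered authentication methods."""
    return [{"@odata.type": NS + k + "AuthenticationMethod"} for k in kinds]

# Constructed sample; real principalId values are object GUIDs.
SAMPLE_ASSIGNMENTS = [row("admin-a", "Assigned"), row("admin-b", "Assigned"),
                      row("admin-c", "Assigned"), row("admin-d", "Activated"),
                      row("helpdesk-1", "Assigned", role="constructed-other-role")]
SAMPLE_ELIGIBLE = [row("admin-d")]
SAMPLE_METHODS = {"admin-a": methods("fido2", "password"),
                  "admin-b": methods("phone", "password"),
                  "admin-c": methods("microsoftAuthenticator", "password"),
                  "admin-d": methods("fido2", "phone")}

if __name__ == "__main__":
    print(audit_global_admins(SAMPLE_ASSIGNMENTS, SAMPLE_ELIGIBLE, SAMPLE_METHODS))
```

In the sample, three accounts hold standing Global Administrator rights (over the threshold of two), two of them have no phishing-resistant method, and one PIM-eligible account still has a phone method registered next to its FIDO2 key.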
How HaggeBurger can help
We offer an Intune Security Health Check (half-day assessment) covering admin roles, wipe policies, Conditional Access, and PIM configuration. We can also run a quick admin account audit at 2 hours per tenant.
Want us to check your environment? Get in touch.