The reported cyberattack against Stryker last week is believed to have used Microsoft Intune to remotely wipe thousands of corporate devices, a source told BleepingComputer.
Claimed by hacktivist group Handala, the attackers said they wiped more than 200,000 servers, mobile devices, and other systems, forcing the company to shut down offices across 79 countries. The hacktivists also claimed they exfiltrated about 50 TB of corporate data from the company’s infrastructure.
Stryker, a multinational medical device and equipment manufacturer, said investigators did not find any indication that data was exfiltrated. It also emphasized that the incident was not a ransomware attack and that the threat actor did not deploy any malware on its systems.
How the Attack Played Out
Cybersecurity Dive reported that Halcyon researchers found the Stryker attack affected phones and workstations that had received a Base64-encoded command string through Intune. Intune normally delivers PowerShell scripts and management commands to devices in this encoded form, so the attackers' payloads travelled the same path as routine management traffic, according to the researchers.
The attackers reportedly used encoded commands to trigger remote wipes on all devices tied to the company’s Intune environment.
The commands executed during the attack appear to have deleted critical data from phones and workstations. Analysts stressed that Intune itself was not breached; rather, the attackers appear to have obtained administrative access to the tenant and used the platform's built-in device actions for destructive purposes.
Issuing wipes at that scale requires an account holding a high-privilege role, such as Intune Administrator or Global Administrator in Microsoft Entra ID. Researchers say this points to credential theft or privilege escalation as a likely step in the attack chain.
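Because the payloads reportedly reached devices as Base64-encoded PowerShell, a practical first check for defenders is to decode every `-EncodedCommand` (or `-enc`) argument seen in process-creation telemetry (Sysmon Event ID 1, Windows Event ID 4688) and scan the plaintext for wiper-style commands. The following is an added example written for this page, not code from Halcyon, Stryker, or Microsoft; the command lines and the signature list are constructed for illustration and the signatures are a starting point rather than a complete rule set.

```python
"""Decode PowerShell -EncodedCommand arguments and flag destructive content.

Added example: the sample command lines below are constructed, not taken from
the Stryker incident, and the signature list is an assumed starting point.
"""
import base64
import re

# Illustrative signatures for wiper-style PowerShell (assumption: not exhaustive).
DESTRUCTIVE_PATTERNS = {
    "recursive_force_delete": r"\bRemove-Item\b[^\r\n]*-Recurse\b[^\r\n]*-Force\b",
    "format_volume": r"\bFormat-Volume\b",
    "clear_disk": r"\bClear-Disk\b",
    "shadow_copy_delete": r"\bvssadmin(?:\.exe)?\s+delete\s+shadows",
    "cipher_wipe": r"\bcipher(?:\.exe)?\s+/w:",
    "diskpart": r"\bdiskpart(?:\.exe)?\b",
}

# PowerShell accepts -EncodedCommand and the abbreviations -enc, -ec and -e.
ENCODED_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_command(script: str) -> str:
    """Build the blob PowerShell expects: UTF-16LE text, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Reverse encode_command(); raises on bad Base64 or odd-length UTF-16."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def flag_destructive(script: str) -> list[str]:
    """Return the names of every destructive pattern present in a plaintext script."""
    return [name for name, pat in DESTRUCTIVE_PATTERNS.items()
            if re.search(pat, script, re.I)]


def analyze_command_line(command_line: str) -> dict:
    """Decode every encoded argument on a process command line and scan it."""
    decoded, findings = [], []
    for blob in ENCODED_ARG.findall(command_line):
        try:
            script = decode_encoded_command(blob)
        except (ValueError, UnicodeDecodeError):
            continue  # not a real encoded command, e.g. a truncated log field
        decoded.append(script)
        findings.extend(flag_destructive(script))
    return {"decoded": decoded, "findings": sorted(set(findings))}


# Constructed sample command lines of the kind seen in process-creation logs.
BENIGN_SCRIPT = "Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version"
WIPER_SCRIPT = (
    "Get-ChildItem C:\\Users -Directory | "
    "ForEach-Object { Remove-Item $_.FullName -Recurse -Force -ErrorAction SilentlyContinue }; "
    "vssadmin.exe delete shadows /all /quiet"
)
BENIGN_COMMAND_LINE = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
    + encode_command(BENIGN_SCRIPT)
)
WIPER_COMMAND_LINE = (
    "powershell.exe -NoProfile -ExecutionPolicy Bypass -enc " + encode_command(WIPER_SCRIPT)
)

if __name__ == "__main__":
    for label, line in (("benign", BENIGN_COMMAND_LINE), ("wiper", WIPER_COMMAND_LINE)):
        result = analyze_command_line(line)
        print(f"{label}: findings={result['findings']}")
        for script in result["decoded"]:
            print("  decoded:", script[:80])
```

The decoder deliberately treats undecodable blobs as a skip rather than an error: log pipelines truncate long command lines, and a truncated Base64 field should not crash the scan. Pairing this with the Intune audit log (who deployed which script, to which device group, and when) turns a per-host hit into an account-level lead.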
Stryker is working with external forensic experts, and the Cybersecurity and Infrastructure Security Agency is assisting with investigations to learn more about the attack.
What Intune Users Should Do
For organizations using Intune or similar endpoint management tools, the Stryker incident is a reminder of the risks tied to administrative access.
Security experts recommend enforcing phishing-resistant multi-factor authentication for all administrative accounts, backed by Conditional Access and just-in-time role activation, to reduce the likelihood of account takeover. Requiring a second administrator to approve destructive actions, such as remote wipes, prevents a single compromised account from executing mass deletions; Intune's multiple administrative approval (access policies) feature exists for this purpose, and organizations should verify which actions their tenant has placed under it.
Palo Alto Networks Unit 42 did not comment on the Stryker attack but noted in a blog last week that reports from Israel’s National Cyber Directorate highlight a pattern of destructive “wiper” attacks targeting corporate networks. In those incidents, attackers gained initial access using stolen credentials and leveraged existing enterprise tools to expand control and cause damage.
Organizations should also closely monitor administrative activity and audit device actions as they happen, for example by routing Intune audit logs to a SIEM or Log Analytics workspace through diagnostic settings and alerting on bursts of wipe, retire, or delete actions. Platforms like Intune are powerful for managing devices at scale, but they require robust safeguards and constant oversight to prevent misuse.
Lessons Learned and Forward-Looking Measures
The Stryker attack underscores the double-edged nature of centralized device management tools. While Intune and similar platforms are critical for controlling large device fleets, they can become liabilities if administrative access is compromised.
Security leaders are being urged to reassess endpoint management strategies. Protecting administrative credentials, enforcing multi-factor authentication, monitoring destructive device actions, and requiring a second approver for them are now considered standard practice. The Stryker case illustrates that even trusted enterprise tools can be turned against the organizations that run them, and that layered controls around privileged access matter as much as the controls the tool itself enforces on endpoints.
As companies consolidate device control into unified endpoint management, the incident highlights the need to treat the management plane as a high-value target: review who can issue fleet-wide actions, how those rights are granted and revoked, and how quickly misuse would be noticed.