Brunswick, ME • (207) 245-1010 • contact@johnzblack.com
Stryker is a $25 billion medical device company. Its products are in basically every US hospital that does surgeries. On March 11, callers to Stryker HQ heard this: “We are currently experiencing a building emergency.”
That’s not how you describe a routine IT glitch.
Here’s what apparently went down. An Iranian-linked hacking group called Handala got admin access to Stryker’s Microsoft Intune console. Intune is the cloud-based device management tool that most big enterprises use to push updates, enforce security policies, and manage their fleets of laptops and phones. It also has a remote wipe function. Lose a laptop with sensitive data? IT can nuke it remotely.
So Handala used that wipe button on everything.
Staff across multiple countries were sent home. Employees reported having personal phones wiped after connecting to work resources. Hospitals couldn’t process surgical supply orders through normal channels. Handala claims 200,000 devices were hit. That number is probably inflated; they love to exaggerate for effect. But the real-world disruption checks out.
Handala is tied to Iran’s Ministry of Intelligence through a group called Void Manticore, according to Palo Alto’s Unit 42. They’re not precision espionage operators. They’re opportunistic wrecking balls. Stryker wasn’t targeted for its data. It was targeted because it was accessible and hitting it would make noise. The trigger? A US Tomahawk strike on an Iranian school.
And that’s what makes this kind of threat so hard to defend against. A targeted spy wants to stay quiet and persistent. A destruction-oriented opportunist just wants to get in and break things fast.
The real lesson here is uncomfortable. Every org running Intune, Jamf, Workspace ONE, or any other MDM platform needs to ask: are we treating that admin console with the same paranoia we’d apply to our domain controllers?
Most aren’t.
Things to audit right now: who has admin access, including service accounts and integration accounts; whether MFA is enforced on the admin portal, and not just any MFA but phishing-resistant methods such as hardware keys; whether your SIEM alerts on mass wipe commands; and whether your MDM can reach every single device in the org from one console, because if so, that’s a single point of catastrophic failure.
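A worked example of the SIEM check above, added here and not part of the original post: a small Python detection that flags one account issuing wipe or retire commands against many distinct devices inside a short window, which is what a fleet-wide wipe from a stolen admin session looks like in the audit trail. The event schema, the account names and the sample records are all constructed and simplified; the field names are assumptions, not the Intune audit API.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MDM audit events in a simplified, assumed schema:
# actor, UTC timestamp, action, device id. Real Intune audit events carry
# more fields; only these four matter for the check below.
def _ev(actor, time, action, device):
    return {"actor": actor, "time": time, "action": action, "device": device}

SAMPLE_EVENTS = [
    # five wipes from one account against five devices within four minutes
    _ev("rogue-admin@example.com", "2026-03-11T02:00:05Z", "wipe", "dev-001"),
    _ev("rogue-admin@example.com", "2026-03-11T02:00:41Z", "wipe", "dev-002"),
    _ev("rogue-admin@example.com", "2026-03-11T02:01:30Z", "wipe", "dev-003"),
    _ev("rogue-admin@example.com", "2026-03-11T02:02:12Z", "wipe", "dev-004"),
    _ev("rogue-admin@example.com", "2026-03-11T02:03:07Z", "wipe", "dev-005"),
    # routine helpdesk activity: one lost laptop, plus a non-wipe action
    _ev("helpdesk@example.com", "2026-03-11T09:15:00Z", "wipe", "dev-150"),
    _ev("helpdesk@example.com", "2026-03-11T09:20:00Z", "sync", "dev-151"),
    # three retirements spread across a working day: below threshold
    _ev("lifecycle@example.com", "2026-03-11T08:00:00Z", "retire", "dev-300"),
    _ev("lifecycle@example.com", "2026-03-11T12:00:00Z", "retire", "dev-301"),
    _ev("lifecycle@example.com", "2026-03-11T16:00:00Z", "retire", "dev-302"),
]

WIPE_ACTIONS = {"wipe", "retire"}  # assumption: both remove corporate data
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor who issues wipe/retire commands against
    at least `threshold` distinct devices inside any `window`-long span."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in WIPE_ACTIONS:
            ts = datetime.strptime(e["time"], TIME_FMT)
            per_actor[e["actor"]].append((ts, e["device"]))
    alerts = []
    for actor, items in per_actor.items():
        items.sort()  # sliding window over time-ordered commands
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            devices = {d for _, d in items[start:end + 1]}
            if len(devices) >= threshold:
                alerts.append({"actor": actor, "devices": len(devices),
                               "first": items[start][0].isoformat(),
                               "last": items[end][0].isoformat()})
                break  # one alert per actor is enough
    return alerts
```

Tune `threshold` and `window` to your own baseline of legitimate wipes per admin per hour, and include service and integration accounts in the actor field, since those are exactly the identities the audit on this page says to look at.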
There’s a healthcare angle too. Stryker’s customers are hospitals, and surgical supply chains got disrupted. Any major medical device company is a high-value target because an attacker gets the public impact of disrupting healthcare while hitting a corporate target that may face fewer direct patient-safety regulations.
Bottom line: an attacker with admin access to your MDM console can destroy your entire device fleet. For Stryker, that stopped being theoretical last week.
If you haven’t audited who holds those keys lately, now’s the time.