The attack that should terrify every CISO doesn’t involve a zero-day or a phishing email. It involves someone getting admin access to the tool you already use to manage every device in your org. And then using it exactly as designed.

That’s what happened to Stryker.

The Iran-linked group Handala got into Stryker’s Microsoft Intune environment and used it to remotely wipe tens of thousands of devices. Laptops, workstations, phones. Gone. Not encrypted for ransom. Not exfiltrated. Just wiped. The company’s own MDM became the weapon, and it didn’t require a single malware binary.

Stryker is a $25 billion medical device company. More than 5,000 workers were sent home from their Ireland operations. Hospital ordering systems that depend on Stryker were still down a week later. The supply chain damage is ongoing.

This might be the most important cybersecurity story of the month. Not because it was sophisticated. Because it’s replicable against almost any org running centralized device management.

Here’s the uncomfortable reality. If you run Intune, Jamf, SCCM, or any similar device management platform, you’ve already deployed a wiper to every managed endpoint. “Wipe device” is a built-in remote action, and so are retire and factory reset. An attacker who lands in a role that can issue it doesn’t need to deploy anything. The destructive capability is already installed, trusted by the device’s own management agent, and authorized to reach every device in your fleet.

Think about the kill chain. There’s no malware to detect and no malicious payload to flag. The wipe commands were legitimate Intune commands, issued through the legitimate console and carried out by the management agent each device already trusts, doing exactly what Intune was built to do. EDR had nothing to block, because nothing foreign ever touched the endpoint. The only record of intent was an admin action in the tenant’s audit log, and every security tool in the environment saw exactly that: authorized admin actions.

So how do you tell the difference between IT doing a bulk device reset and an attacker doing the same thing? Not from the command, which is identical in both cases. Only from context: which account issued it, from where, against how many devices, how fast, and whether anyone approved it.

About Handala. They present themselves as hacktivists. They’re not: multiple intelligence assessments link them to Iran’s Ministry of Intelligence and Security. The targeting is too precise, the operational tempo too sustained, and the capabilities too polished for a grassroots operation. It’s a model Iran has refined for years: run destructive ops under a hacktivist brand, let the brand take credit, and keep plausible deniability at the state level. It’s clever. And it’s working.

The Stryker attack didn’t come from nowhere. Iranian cyber operations have evolved from crude disk wipers a decade ago to living-off-the-land techniques that turn the defender’s own infrastructure into the weapon. Why write malware when the target’s MDM system will destroy its own fleet on command?

If you run centralized device management, here’s your checklist:

Audit who has wipe permissions. Right now. How many accounts? Are they protected by more than just MFA, meaning phishing-resistant MFA, just-in-time role activation, and conditional access that only admits a compliant admin workstation? Any service accounts or app registrations with wipe rights that nobody’s reviewed in months? Count the tenant-level roles that inherit full Intune control (Global Administrator, Intune Administrator), not just Intune’s own RBAC roles, and count Graph app permissions such as DeviceManagementManagedDevices.PrivilegedOperations.All, because an app with that consent can wipe devices without ever opening the console.

Build break-glass protections for destructive MDM actions. A mass wipe should require multi-admin approval or, at minimum, trigger an alert with a delay window before anything executes. Where the platform offers multiple-admin approval, turn it on for the most destructive action types. Treat it like someone trying to delete your Active Directory.

Treat your MDM platform with the same security rigor as AD. Most orgs have invested years in AD security: admin tiering, hardened admin workstations, privileged access reviews. MDM often gets a fraction of that attention despite having comparable destructive power, and a faster path to using it.

Monitor for anomalous MDM admin actions. One device wipe during business hours is normal. Fifty wipes in sixty seconds is an attack unless there’s a change ticket for them. Your SIEM should know the difference, which first means the MDM audit log has to reach the SIEM at all: for Intune, route the audit log out through diagnostic settings to your log workspace, then alert on bursts of wipe and retire actions per actor, on destructive actions outside change windows, and on admin sign-ins from unfamiliar locations in the same time span.

Have an MDM compromise response plan. If Intune gets owned, can you revoke its authority before it finishes wiping your fleet? That means knowing in advance how to revoke the compromised admin’s sessions and role assignments, and understanding that a wipe already queued for an offline device will still run the next time that device checks in. Do you have out-of-band recovery procedures that don’t depend on the devices being wiped, such as reimaging media, backups, and recovery keys escrowed somewhere the attacker’s tenant access doesn’t reach?
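The burst detection described in the monitoring step, as an added example that is not part of the original post: a small Python detector run over constructed audit events. The event shape is modelled loosely on the Intune audit log as exposed through Microsoft Graph (activityType, activityDateTime, actor.userPrincipalName, resources); the exact activityType strings, the sample accounts and device names, and the 08:00–18:00 UTC business-hours window are assumptions for illustration, so adjust them to what your tenant actually emits.

```python
"""
Sliding-window burst detector for destructive MDM remote actions.
Added example for this post; not Stryker's, Microsoft's, or any SIEM's code.
Field names are modelled on Graph auditEvents but are assumed, not verified
against a live tenant; all events below are constructed.
"""
from collections import deque
from datetime import datetime, timezone

# Remote actions with destructive effect on the endpoint (assumed activityType strings).
DESTRUCTIVE_ACTIONS = {"wipe ManagedDevice", "retire ManagedDevice", "delete ManagedDevice"}


def _event(ts, actor, action, device):
    """Build one constructed audit event in a Graph-like shape."""
    return {
        "activityDateTime": ts,
        "activityType": action,
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device}],
    }


# Constructed sample log: an IT admin retiring two devices during the day,
# and a service account firing six wipes in forty seconds at 02:03 UTC.
SAMPLE_EVENTS = [
    _event("2025-03-03T10:15:02Z", "it.admin@corp.example", "retire ManagedDevice", "LAPTOP-0412"),
    _event("2025-03-03T10:16:40Z", "it.admin@corp.example", "sync ManagedDevice", "LAPTOP-0412"),
    _event("2025-03-03T14:30:11Z", "it.admin@corp.example", "retire ManagedDevice", "LAPTOP-0977"),
] + [
    _event(f"2025-03-04T02:03:{8 * i:02d}Z", "svc-intune@corp.example",
           "wipe ManagedDevice", f"WS-{1000 + i}")
    for i in range(6)
]


def parse_ts(value):
    """Parse the ISO 8601 UTC timestamp ('...Z') used in the audit log."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def detect_bulk_actions(events, threshold=5, window_seconds=60):
    """Flag any actor who issues `threshold` or more destructive remote actions
    inside any `window_seconds` sliding window.

    Returns one alert per actor with the peak in-window count, the devices
    touched, the burst's time span, and an off-hours flag (assumed 08-18 UTC).
    """
    recent = {}   # actor -> deque of (timestamp, device) still inside the window
    alerts = {}   # actor -> alert dict
    for ev in sorted(events, key=lambda e: parse_ts(e["activityDateTime"])):
        if ev["activityType"] not in DESTRUCTIVE_ACTIONS:
            continue                                   # sync, sign-in, etc. are not counted
        actor = ev["actor"]["userPrincipalName"]
        ts = parse_ts(ev["activityDateTime"])
        device = ev["resources"][0]["displayName"] if ev.get("resources") else "?"

        q = recent.setdefault(actor, deque())
        q.append((ts, device))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                                # drop actions that aged out of the window
        if len(q) < threshold:
            continue

        alert = alerts.setdefault(actor, {"actor": actor, "first": q[0][0],
                                          "devices": set(), "count": 0})
        alert["count"] = max(alert["count"], len(q))
        alert["last"] = ts
        alert["devices"].update(d for _, d in q)
        alert["off_hours"] = not (8 <= ts.hour < 18)   # crude business-hours check, UTC assumed
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bulk_actions(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {a['count']} destructive actions on "
              f"{len(a['devices'])} devices between {a['first'].isoformat()} and "
              f"{a['last'].isoformat()}" + (" (outside business hours)" if a["off_hours"] else ""))
```

The same logic expressed as a scheduled SIEM query is what you actually want in production; the point of the script is the shape of the rule: count destructive actions per actor in a short window, ignore benign activity types, and attach context (device count, time of day) so the analyst can compare the alert against a change ticket instead of the raw event stream.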

This attack is a template. Other threat actors are watching. The MDM-as-weapon concept isn’t theoretical anymore. It worked at scale against a Fortune 500 company with devastating results.

Any org using centralized device management has a potential wiper deployed on every endpoint it manages. The question isn’t whether others will try this. It’s whether you’ll fix the exposure before they do.


Original post on gNerdSEC