
No malware, no ransomware, just your own IT tools turned against you.

On March 11, 2026, employees at Stryker, a Fortune 500 medical device giant operating in 79 countries, came into work and found their screens blank. Laptops wiped. Company phones wiped. Even personal devices enrolled in Stryker’s bring-your-own-device program. Everything gone, all at once, without warning.

No malware was found, no ransomware, nothing a traditional antivirus tool would have caught.

The attackers used Stryker’s own IT management software to destroy everything.

What Actually Happened

A pro-Iran hacktivist group called Handala claimed responsibility for the attack, framing it as retaliation for a U.S. airstrike. But the method is what makes this story worth paying attention to.

According to TechCrunch and BleepingComputer, the hackers gained access to a Microsoft Intune administrator account. Intune is the tool IT teams use to remotely manage, configure, and yes, wipe employee devices.

Once inside, they issued a remote wipe command across the entire fleet. No elaborate exploit, no zero-day vulnerability. Just a compromised admin account and a legitimate IT feature used as a weapon.

Stryker confirmed the disruption was contained to its internal Microsoft environment, that its connected medical products remained safe to use, and that it found no evidence of ransomware or traditional malware. Order processing, manufacturing, and shipping were still knocked offline for a company that serves roughly 150 million patients globally. Not exactly a light Tuesday.

The FBI seized Handala’s websites shortly after, and CISA issued an advisory urging organizations to lock down their Microsoft Intune environments immediately.

The Part That Should Keep IT Leaders Up at Night

Here is the uncomfortable truth buried in this story.

The tools your IT team uses every day to manage your business (Microsoft Intune, remote desktop, device management platforms) are also the tools attackers want access to most. With admin-level credentials, they don’t need malware, and they don’t need to hack anything in the traditional sense. They just log in and start using your own systems against you.

Security researchers at Palo Alto Networks believe Handala likely gained initial access through phishing, potentially combined with infostealer malware that quietly harvested credentials before anyone noticed.

All it took was one phishing email and one stolen password, and 80,000 devices were wiped.

That is not just a Stryker problem. That is an everyone-who-runs-a-business problem.

What This Means for Your Business

You don’t need to be a Fortune 500 company serving 150 million patients to be at risk. The same attack pattern works on small and mid-size businesses, and attackers know that smaller companies often have weaker controls around privileged accounts (less red tape, more exposure).

Here’s what the Stryker attack reveals about where businesses are exposed:

  1. Admin accounts with too much access. A single compromised Intune admin account took down a global company. If your IT admin accounts don’t require multi-factor authentication and approval workflows for high-impact actions, you have the same vulnerability.
  2. No second approval for destructive actions. Arctic Wolf noted that requiring a second authorized administrator to approve remote wipe commands could have stopped this attack entirely. That’s a policy change, not a technology purchase. Arguably the cheapest fix on this list.
  3. BYOD devices in MDM environments. When personal phones are enrolled in your device management platform, a compromised admin account can wipe those too. Employees lost personal data in the Stryker attack. Know what’s enrolled in your MDM and govern it accordingly (yes, including your CEO’s personal iPhone).
  4. Phishing is still the front door. The most sophisticated part of this attack was arguably the first step, getting credentials through phishing. Employee training and email security are not optional extras.
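
For teams that want to monitor the first two gaps, here is an added example (not from CISA, Arctic Wolf, or any vendor named above) that scans device-management audit records for wipes issued without a second approver and for one account wiping many devices in a short window. The record fields, account names, and thresholds are assumptions for illustration, not the Intune audit log schema.

```python
"""Flag unapproved and bulk device wipes in MDM audit records (hypothetical schema)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_WIPES = 3                   # assumed per-account ceiling inside the window

# Constructed sample: one approved helpdesk wipe, one sync, then five rapid wipes
# from a single account with no approver recorded.
SAMPLE = [
    {"time": "2026-01-05T09:00:00", "actor": "helpdesk1", "action": "wipe",
     "device": "LT-001", "approver": "admin2"},
    {"time": "2026-01-05T09:05:00", "actor": "helpdesk1", "action": "sync",
     "device": "LT-002"},
] + [
    {"time": f"2026-01-05T10:00:{i:02d}", "actor": "admin7", "action": "wipe",
     "device": f"PH-{i:03d}"}
    for i in range(5)
]


def find_wipe_alerts(events, window=WINDOW, max_wipes=MAX_WIPES):
    """Return a list of (alert_type, actor, detail) tuples in time order."""
    alerts = []
    recent = defaultdict(deque)  # actor -> (time, device) pairs inside the window
    bursting = set()             # actors already alerted for the current burst
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "wipe":
            continue
        actor, when = ev["actor"], datetime.fromisoformat(ev["time"])
        # Second-approval check: an approver must exist and differ from the requester.
        if ev.get("approver") in (None, actor):
            alerts.append(("unapproved_wipe", actor, ev["device"]))
        q = recent[actor]
        q.append((when, ev["device"]))
        while when - q[0][0] > window:  # drop wipes older than the window
            q.popleft()
        distinct = len({device for _, device in q})
        if distinct > max_wipes:
            if actor not in bursting:   # alert once per burst, not once per device
                bursting.add(actor)
                alerts.append(("wipe_burst", actor, distinct))
        else:
            bursting.discard(actor)
    return alerts


if __name__ == "__main__":
    for alert in find_wipe_alerts(SAMPLE):
        print(alert)
```
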

The Bottom Line

The Stryker attack is the first confirmed destructive wiper operation against a U.S. Fortune 500 company. It crossed a line attackers had not crossed before at this scale.

But the technique isn’t new, and it isn’t going away. When your legitimate IT management tools can be turned into weapons with a single set of stolen credentials, the question isn’t whether your business is a target. It’s whether your access controls are tight enough to make it not worth trying.

Start by reviewing who has admin access to your device management platforms, require MFA everywhere, and build approval workflows for any action that can’t be undone.

Because the next attack won’t announce itself with a ransomware note. You’ll just come in to work and find blank screens.

Want to know if your business has the same exposure Stryker had?

GiaSpace helps businesses audit privileged access, tighten MDM controls, and build the kind of layered security that catches attacks before they cause damage.


Published: Mar 26, 2026

Gabriela Noce
Gabriela Noce is the Chief Marketing Officer at GiaSpace, leading branding, digital strategy, and performance marketing to drive business growth. With expertise in content marketing, SEO, and creative campaigns, Gabriela translates complex IT topics into clear, relevant content for business leaders. She brings a data-driven mindset to ensure GiaSpace's messaging is helpful and client-focused.
