Stryker Hit by Global Wiper Attack, Intune Admin Account Abused
Stryker, the medical device maker, was hit by a large-scale destructive cyberattack that knocked its Windows systems offline worldwide. KrebsOnSecurity reported the outage, and Stryker confirmed a “severe, global disruption” to its Windows environment.
What happened
Handala, a hacktivist group, publicly claimed responsibility. The group said it stole data before wiping machines and posted a defacement message reading “No need to learn Hebrew anymore. You won’t need it for much longer.” Handala also claimed roughly 50 terabytes of data stolen and more than 200,000 systems wiped. Neither figure has been independently verified, and Stryker has not released its own totals.
This was not a ransomware event, according to early Stryker statements and media reports: the incident used destructive wiper malware rather than encryption for ransom. Data on a wiped device is not recoverable from the device itself; restoration depends on cold, offline backups kept outside the reach of the compromised administrative access.
How the attack worked
KrebsOnSecurity reported, citing an anonymous trusted source, that the attackers abused Microsoft Intune administrator credentials. With those credentials they issued remote wipe commands to Intune-enrolled devices. Remote wipe is a legitimate management feature, normally used to sanitize a lost or retired device; an account holding a role that permits it can issue the command against every enrolled device from the admin console or the Graph API, with no malware needed on the endpoint. In the wrong hands it becomes a weapon.
Security firms Halcyon and Palo Alto Networks Unit 42 assessed that the attackers likely spent days inside Stryker’s network before acting. Unit 42 described the actor’s recent activity as “opportunistic and ‘quick and dirty’”, and IBM X-Force added that the group’s operations “focus on generating disruptive and psychological impact.”
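The abuse described above leaves a trail: every wipe issued through Intune is written to the tenant’s audit log, so a burst of wipe actions from one account is detectable before it finishes. The script below is an added example, not code from the article, from Stryker or from Microsoft. It runs two checks over constructed audit events shaped loosely like Microsoft Graph `deviceManagement/auditEvents` records: a sliding-window burst detector and an allowlist of accounts expected to wipe devices. The activity string `wipe ManagedDevice`, the account names and the timestamps are assumptions for illustration; adjust them to what your own tenant’s export shows.

```python
"""Detect bulk remote-wipe activity in Intune audit events.

Added example, not from the article or from Stryker/Microsoft. Event records
are constructed; field names follow the rough shape of Graph
deviceManagement/auditEvents, but the activityType string and account names
are assumptions to adjust for a real tenant.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WIPE_ACTIVITY = "wipe ManagedDevice"  # assumed activityType value for a wipe


def _ev(ts, actor, device, activity=WIPE_ACTIVITY):
    """Build one constructed audit event (subset of the Graph auditEvent shape)."""
    return {
        "activityDateTime": ts,
        "activityType": activity,
        "activityResult": "Success",
        "category": "Device",
        "actor": {"userPrincipalName": actor, "auditActorType": "ItPro"},
        "resources": [{"displayName": device, "type": "ManagedDevice"}],
    }


# Constructed sample: routine helpdesk work, one wipe from an account nobody
# expects to hold wipe rights, and a burst from a legitimate (but compromised)
# admin account at 02:13 UTC.
SAMPLE_EVENTS = json.dumps(
    [
        _ev("2026-03-09T09:02:11Z", "helpdesk@contoso.example", "LT-0042"),
        _ev("2026-03-09T14:31:05Z", "helpdesk@contoso.example", "LT-0077"),
        _ev("2026-03-09T15:10:44Z", "helpdesk@contoso.example", "LT-0010",
            "retire ManagedDevice"),
        _ev("2026-03-09T22:45:00Z", "contractor@partner.example", "LT-0301"),
    ]
    + [
        _ev(f"2026-03-10T02:13:{s:02d}Z", "mdm-admin@contoso.example", f"LT-{n:04d}")
        for n, s in zip(range(500, 508), range(0, 48, 6))
    ]
)


def _parse_ts(s):
    """Graph emits ISO-8601 UTC, sometimes with 7 fractional digits; trim to 6."""
    s = s.rstrip("Z")
    if "." in s:
        head, frac = s.split(".", 1)
        s = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def parse_events(raw_json):
    """Flatten exported audit events into (time, activity, actor, device) rows."""
    rows = []
    for e in json.loads(raw_json):
        actor = e.get("actor", {})
        res = e.get("resources") or [{}]
        rows.append({
            "time": _parse_ts(e["activityDateTime"]),
            "activity": e.get("activityType", ""),
            # Service principals carry applicationDisplayName instead of a UPN.
            "actor": actor.get("userPrincipalName")
                     or actor.get("applicationDisplayName", "<unknown>"),
            "device": res[0].get("displayName", "<unknown>"),
        })
    return sorted(rows, key=lambda r: r["time"])


def find_wipe_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Flag any actor issuing >= threshold wipes within a sliding time window."""
    per_actor = defaultdict(list)
    for e in events:
        if e["activity"] == WIPE_ACTIVITY:
            per_actor[e["actor"]].append(e)
    alerts = []
    for actor, evs in per_actor.items():  # evs are already time-sorted
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, s, e_ = best
            alerts.append({
                "actor": actor, "count": count,
                "first": evs[s]["time"], "last": evs[e_]["time"],
                "devices": [x["device"] for x in evs[s:e_ + 1]],
            })
    return alerts


def unexpected_wipe_actors(events, allowed_actors):
    """Actors that issued a wipe but are not on the expected-wiper allowlist."""
    allowed = {a.lower() for a in allowed_actors}
    return sorted({e["actor"] for e in events
                   if e["activity"] == WIPE_ACTIVITY and e["actor"].lower() not in allowed})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in find_wipe_bursts(evs):
        print(f"BURST {a['actor']}: {a['count']} wipes {a['first']}..{a['last']} {a['devices']}")
    print("unexpected wipers:", unexpected_wipe_actors(
        evs, ["helpdesk@contoso.example", "mdm-admin@contoso.example"]))
```

In a real tenant the input would come from `GET /deviceManagement/auditEvents` (filtered on category, paged through `@odata.nextLink`) rather than the constructed list. The two checks are deliberately independent: the allowlist catches an account that should never wipe anything, while the burst detector is what catches the case in this story, a legitimate admin identity whose credentials have been stolen, which no allowlist can flag.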
Immediate impact
Stryker told The Wall Street Journal, “Our teams are actively working to restore systems and operations as quickly as possible. Stryker has business continuity measures in place, and we’re committed to continuing to serve our customers.” Brian Krebs verified an emergency voicemail at Stryker’s Michigan office that said, “We are currently experiencing a building emergency. Please try your call again later.”
Staff in Cork, Ireland, first noticed systems going dark. News outlets reported that roughly 5,500 Stryker employees in Ireland were sent home. Reports also said some personal phones carrying company work profiles were wiped when the Intune remote wipe commands reached them. The outage affected devices across many countries and disrupted manufacturing and research facilities in Cork.
What experts recommend
Security responders and industry experts urged immediate actions: revoke and rotate Intune admin credentials and invalidate their existing sessions and tokens (a password reset alone does not end an active session), disconnect affected devices from networks, audit every cloud admin account and role assignment, enforce multifactor authentication, and restrict remote wipe to the few accounts that genuinely need it. Firms should restore only from offline backups, since anything reachable from the compromised accounts may itself have been wiped. TechCrunch and BleepingComputer reported that Microsoft engineers and external incident responders were engaged to help.
The incident highlights a simple but powerful risk: cloud admin credentials are high-value targets. Protect them like the crown jewels.
#Stryker #CyberAttack #WiperMalware #Intune #MedTech