
Stryker Wiper Attack: How One Compromised Account Took Down a Global Business

On 11 March 2026, U.S. medical technology company Stryker Corporation confirmed a cyber attack that brought its global operations to a standstill. Devices across the company had been factory-reset and systems were offline, affecting more than 56,000 employees across 79 countries. Manufacturing, supply-chain and order-processing systems went down with them. Stryker shares fell approximately 4% within hours of the attack becoming public.

This isn't just another headline. Stryker is a billion-dollar enterprise with a dedicated security team, and they were still brought to their knees in a matter of hours. If it can happen to them, it can happen to any organisation that hasn't closed the same gaps. We're sharing this because understanding how it happened is the first step to making sure it doesn't happen to you.

Handala, a hacktivist threat group, claimed responsibility, alleging that it had wiped systems and exfiltrated data. The group obtained administrative credentials for Microsoft Intune, Stryker's cloud-based device management platform. With that access, it issued legitimate wipe commands to every enrolled device in the tenant at once.

Because the commands were issued through a trusted management platform, they looked like routine administrative activity. No endpoint detection tool flagged them.


Why This Goes Beyond Stryker

This incident points to a gap that exists across most organisations. A single compromised admin account is enough to wipe every managed device in your organisation.

Traditional endpoint security does not protect against this. The wipe happens inside your own management plane, through your own tools. Most environments have no alerting configured to catch it.

This is a privileged access control failure. The capability to wipe an entire device fleet was unprotected, held permanently rather than activated for a task, and required no approval from a second person. The attackers walked through an open door.

For any organisation running Microsoft Intune or a similar platform: who has admin access, and what does it take to activate a mass action? If the answer is a username and password, that is not enough.


What You Need to Do

Stryker's gap was not a product of the platform they used but of how admin access was managed. The same gap exists in Azure, AWS, backup platforms, identity providers, and every other system where privileged access goes unchecked. These are the controls that close it.

  • Enforce multi-admin approval for high-impact actions. No single person should be able to trigger a bulk wipe. Microsoft Intune's multi-admin approval (MAA) access policies can require a second administrator to approve device actions such as wipe before they run. The same gate should be enabled on any platform with that kind of reach.

  • Make admin access time-limited. Microsoft Entra Privileged Identity Management (PIM) can be configured so that the Intune Administrator role is eligible rather than permanently assigned, and so that activating it requires MFA and a second approver and expires after a set number of hours. No one holds wipe capability permanently.

  • Alert on bulk device actions. Any wipe of more than a handful of devices in a short window should trigger an immediate investigation. Most environments have no such alert configured.

  • Protect your backups. Backups that live on managed devices, or that the same compromised admin identity can reach, can be destroyed in the same action. Keep at least one copy under separate credentials and offline or in a separately controlled tenant, and test whether your recovery process survives a scenario where your primary tenant is unavailable.
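One way to implement the bulk-action alert above over exported Intune audit events, as an added example that is not Secure ISS's SOC logic or Microsoft's code. The event field names follow the shape of Microsoft Graph's deviceManagement/auditEvents resource (activityType, activityDateTime, activityResult, actor.userPrincipalName, resources[].displayName) but are assumptions to verify against your own tenant's export, and the action names in DESTRUCTIVE_ACTIONS are assumed. The sample events are constructed.

```python
"""Flag actors who issue many destructive Intune device actions in a short window.

Added example, not vendor code. Field names mirror Microsoft Graph
deviceManagement/auditEvents records but are assumptions; verify them
against a real export before deploying.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed activityType values: Intune logs "<action> <resourceType>".
DESTRUCTIVE_ACTIONS = {"wipe ManagedDevice", "retire ManagedDevice", "delete ManagedDevice"}
_DESTRUCTIVE_LOWER = {a.lower() for a in DESTRUCTIVE_ACTIONS}


def parse_time(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_destructive(event: dict) -> bool:
    return event.get("activityType", "").lower() in _DESTRUCTIVE_LOWER


def detect_bulk_device_actions(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor with >= threshold successful destructive
    actions inside any sliding window of length `window`. Input need not be sorted.
    Only successful actions count: the bulk-damage signal is completed wipes."""
    by_actor = defaultdict(list)
    for e in events:
        if not is_destructive(e) or e.get("activityResult") != "Success":
            continue
        actor = e.get("actor", {})
        name = actor.get("userPrincipalName") or actor.get("applicationDisplayName") or "unknown"
        by_actor[name].append(e)

    alerts = []
    for actor, acts in by_actor.items():
        acts.sort(key=lambda ev: parse_time(ev["activityDateTime"]))
        times = [parse_time(ev["activityDateTime"]) for ev in acts]
        best = None  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(acts)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, s, e = best
            hits = acts[s:e + 1]
            alerts.append({
                "actor": actor,
                "count": count,
                "first": times[s].isoformat(),
                "last": times[e].isoformat(),
                "devices": [r.get("displayName") for ev in hits for r in ev.get("resources", [])],
                "source_ips": sorted({ev.get("actor", {}).get("ipAddress") for ev in hits} - {None}),
            })
    return alerts


def _event(actor, ip, action, device, when, result="Success"):
    """Build one constructed audit event in the assumed Graph shape."""
    return {
        "activityType": action,
        "activityDateTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "activityResult": result,
        "actor": {"userPrincipalName": actor, "ipAddress": ip},
        "resources": [{"displayName": device}],
    }


BASE = datetime(2026, 3, 11, 2, 0, tzinfo=timezone.utc)


def sample_events():
    """Constructed sample: a helpdesk user retires two devices hours apart and
    runs one sync (normal), then one admin account wipes eight devices in under
    three minutes from a single address, plus one failed wipe that must not count."""
    evs = [
        _event("helpdesk@example.com", "198.51.100.4", "retire ManagedDevice", "LAPTOP-900", BASE - timedelta(hours=5)),
        _event("helpdesk@example.com", "198.51.100.4", "retire ManagedDevice", "LAPTOP-901", BASE - timedelta(hours=2)),
        _event("helpdesk@example.com", "198.51.100.4", "syncDevice ManagedDevice", "LAPTOP-902", BASE - timedelta(hours=1)),
        _event("it-admin@example.com", "203.0.113.7", "wipe ManagedDevice", "LAPTOP-999", BASE + timedelta(minutes=1), result="Failure"),
    ]
    for i in range(8):
        evs.append(_event("it-admin@example.com", "203.0.113.7", "wipe ManagedDevice",
                          f"LAPTOP-{i:03d}", BASE + timedelta(seconds=20 * i)))
    return evs


if __name__ == "__main__":
    for alert in detect_bulk_device_actions(sample_events()):
        print(f"ALERT {alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['first']} and {alert['last']} from {alert['source_ips']}")
```

In production the events would come from the Graph audit endpoint or the IntuneAuditLogs table rather than the constructed list, and the threshold of five in ten minutes is a starting point to tune against your own offboarding batches; the alert should then be correlated with the PIM activation and the sign-in that preceded it, which is the window in which a SOC can still intervene.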

Recovery from a wiper attack is measured in weeks. Every hour of delay translates directly into downtime and cost.



Why Privileged Access Control and 24/7 Monitoring Both Matter

This attack works on two levels, and the response needs to as well.

The first is privileged access control. Strong access restrictions limit what an attacker can do once inside, making widespread damage significantly harder to execute. The controls above are not optional hardening. They are the baseline that was missing at Stryker.

The second is continuous monitoring, analysis and mitigation. Controls alone do not give you visibility. Attacks like this one begin with credential theft, privilege escalation and quiet reconnaissance through legitimate channels, and each of those stages produces signals that can be detected. None of this is invisible. It is simply overlooked when monitoring is not continuous.

Most organisations have tooling that could surface this activity. What they lack is someone reviewing it around the clock, correlating it across systems, and acting on it before the destructive phase begins.

Secure ISS addresses both. Lumara, our sovereign SOC, runs 24/7 and is configured to detect the pre-wipe indicators that traditional endpoint tools are not built to catch: anomalous admin behaviour, unusual authentication patterns, and bulk device actions outside normal operations. We also work with organisations to strengthen how access is governed, reviewing privileged access, identifying where controls are missing or unenforced, and helping put the right structure in place before an incident makes it urgent.

Access controls reduce the window an attacker has to operate. Continuous monitoring is what catches them before they reach it. Together, that is how we think security operations should work.

Find out where your gaps are. Start the conversation with us.


Australia is secure when
Australian talent defends it.

Reach out today to discuss how, with Lumara, we can work together to protect your business from the ever-changing Australian threat landscape.
