Stryker Hit by Destructive Attack as Hackers Weaponize Microsoft Intune for Mass Device Wipe

Medical Tech Giant Stryker Suffers Destructive Attack via Compromised Microsoft Intune Admin Account

HIGH
March 8, 2026
5m read
Cyberattack, Incident Response, Cloud Security

Related Entities

Threat Actors

Pro-Iranian hackers


Full Report

Executive Summary

Medical technology giant Stryker suffered a severe and destructive cyberattack on March 11, 2026. Attackers, suspected to be pro-Iranian hackers, gained access to a privileged administrative account and used it to abuse the company's Microsoft Intune platform. Instead of stealing data, the attackers issued legitimate remote wipe commands to tens of thousands of corporate devices. This simple but devastating action caused massive operational disruption, impacting inventory delivery and forcing the rescheduling of surgical procedures. The incident highlights a critical threat vector: the weaponization of legitimate IT and device management tools. It underscores the urgent need for organizations to treat MDM platforms as Tier 0 assets, requiring the highest levels of security, governance, and monitoring.

Threat Overview

  • Victim: Stryker, a $140 billion medical technology company.
  • Threat Actor: Suspected pro-Iranian hackers.
  • Attack Vector: Abuse of legitimate administrative functionality (T1078 - Valid Accounts).
  • Tool: Microsoft Intune (Mobile Device Management platform).
  • Impact: Destructive attack (T1485 - Data Destruction) causing mass device wipes, leading to significant business and operational disruption, including delays in patient surgeries.

Technical Analysis

This attack's brilliance lies in its simplicity. It did not require a zero-day exploit or complex malware. The attack chain was likely as follows:

  1. Initial Access / Credential Theft: The attackers first had to obtain the credentials for an administrative account with high privileges in Microsoft Intune. This could have been achieved through phishing, credential stuffing, or purchasing credentials from an underground marketplace.
  2. Logon to Intune: Using the stolen credentials, the attacker logged into the Microsoft Intune portal.
  3. Abuse of Functionality: The attacker navigated to the device management console and used the built-in, legitimate "Wipe" or "Retire" function. They then applied this command to a large group of devices, or possibly the "All Devices" group.

This is a classic example of Living Off the Land, where attackers use the target's own tools against them. Because the commands were issued by a legitimate administrative account and used standard platform features, they would not be flagged as malicious by traditional security tools.

Impact Assessment

  • Operational Paralysis: Wiping tens of thousands of devices instantly cripples a workforce. Employees cannot access corporate data, communicate, or perform their jobs. For Stryker, this directly impacted their supply chain, leading to delays in delivering medical equipment.
  • Impact on Human Health: The most severe consequence is the delay of surgical cases. This demonstrates how a cyberattack on a healthcare-related company can have direct, real-world impacts on patient care and safety.
  • High Recovery Cost: The cost to re-provision, re-image, and restore data to thousands of devices is immense, both in terms of IT resources and lost productivity.
  • Loss of Trust: The incident erodes trust among customers (hospitals) and patients who rely on Stryker's products and services.

Cyber Observables for Detection

  • Log Source: Microsoft Entra ID Sign-in Logs and Intune Audit Logs.
  • Anomalous Logon: A successful logon to the Intune portal from an unfamiliar IP address, country, or using an anonymous proxy for a privileged admin account.
  • Bulk Action Alerts: A single administrative account performing a high volume of critical actions (like 'Wipe') in a short period.
  • Impossible Travel: An admin account logging in from two geographically distant locations in a short time frame.

Detection & Response

  1. Treat MDM as Tier 0: Classify your MDM/UEM platform (Intune, Jamf, etc.) as a Tier 0 asset, equivalent to Domain Controllers. Access to its administration should be extremely limited and highly monitored.
  2. Implement Alerting: Configure your SIEM to ingest Intune audit logs. Create high-priority alerts for:
     • Any use of the 'Wipe' command on more than a small number of devices.
     • Any changes to large or critical device groups.
     • Any logon to the MDM admin portal from an unrecognized location.
  3. MFA on All Admin Accounts: Enforce phishing-resistant Multi-Factor Authentication (MFA) on all administrative accounts, no exceptions.
  4. Incident Response Playbook: Develop a specific playbook for a compromised MDM scenario. It should include steps to immediately revoke the compromised session, disable the account, and assess the scope of actions taken by the attacker.

Mitigation

  1. Role-Based Access Control (RBAC) and Least Privilege: Do not use a single, all-powerful admin account. Create granular administrative roles in Intune. For example, a helpdesk user might have permission to troubleshoot a single device but not to wipe the entire fleet. This is a critical application of M1026 - Privileged Account Management.
  2. Multi-Administrator Approval (Quorum): For highly destructive actions like a mass device wipe, explore solutions or processes that require approval from a second, independent administrator before the command can be executed. While not a native feature for all actions, this principle should be applied wherever possible.
  3. Break Glass Accounts: Have emergency 'break glass' accounts that are kept offline and only used in emergencies. These should be subject to extreme monitoring.
  4. Regular Audits: Regularly audit all accounts and permissions within your MDM platform to ensure that privileges have not crept up over time and that all accounts are still necessary.

Timeline of Events

  1. March 8, 2026: This article was published.
  2. March 11, 2026: Stryker experiences a disruptive cyberattack involving mass device wipes via Microsoft Intune.
  3. March 18, 2026: Stryker confirms the attack is causing delays in surgical cases.

MITRE ATT&CK Mitigations

Multi-factor Authentication: Enforcing phishing-resistant MFA on all administrative accounts would have made it significantly harder for the attacker to gain access, even with a stolen password.

Privileged Account Management (M1026): Implementing least privilege and granular RBAC within Intune would have limited the compromised account's ability to perform a mass wipe.

Audit (M1047, enterprise): Ingesting Intune audit logs into a SIEM and creating alerts for high-risk, bulk actions is critical for timely detection of such an attack.

D3FEND Defensive Countermeasures

The Stryker attack was predicated on the compromise of a single administrative account. The most effective countermeasure is to enforce phishing-resistant Multi-Factor Authentication (MFA) on all accounts with administrative privileges in Microsoft Intune and Microsoft Entra ID. This is not just any MFA; it should be based on FIDO2/WebAuthn standards (e.g., YubiKeys, Windows Hello for Business). This prevents attackers from succeeding even if they steal a password through phishing or other means. Furthermore, Conditional Access policies should be configured to require MFA for all administrative sessions, and to block logins from non-compliant devices or risky locations. This simple, foundational control would have likely prevented the entire incident by stopping the attacker at the front door.

To detect the abuse of legitimate functions, as seen in the Stryker attack, organizations must implement Authorization Event Thresholding. This involves monitoring the Intune and Entra ID audit logs and creating specific rules to alert on high-risk, low-frequency events. For this scenario, a rule should be created to trigger a high-priority alert if any single administrator account issues a 'Wipe' command for more than a small, predefined number of devices (e.g., >5) within a short time window (e.g., 10 minutes). This is an anomalous event that warrants immediate investigation. This technique moves beyond simply logging events and creates an active defense that can detect an attacker who is 'living off the land' by abusing the platform's own destructive capabilities. The security operations team can then quickly intervene, revoke the session, and disable the account before catastrophic damage is done.
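The thresholding rule described above (and the bulk 'Wipe' alert in the Detection & Response list) as an added example, not code from the article or from Microsoft: a sliding-window check over constructed audit records shaped like Intune audit entries, alerting when one actor issues more than 5 wipe/retire actions within 10 minutes. Field names (`time`, `actor`, `activity`) and the sample UPNs are assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

DESTRUCTIVE = ("wipe", "retire")  # Intune remote actions that remove a device's data or management

def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp such as 2026-03-11T02:00:05Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_bulk_wipes(events, max_wipes=5, window_minutes=10):
    """Return one alert per actor whose destructive actions exceed max_wipes
    inside any sliding window of window_minutes. Events may arrive unordered."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # actor -> timestamps of destructive actions still in window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: parse_ts(e["time"])):
        if not any(k in ev["activity"].lower() for k in DESTRUCTIVE):
            continue  # syncs, restarts etc. are not counted
        actor, t = ev["actor"], parse_ts(ev["time"])
        q = recent[actor]
        q.append(t)
        while q and t - q[0] > window:  # evict actions older than the window
            q.popleft()
        if len(q) > max_wipes and actor not in alerted:
            alerted.add(actor)
            alerts.append({"actor": actor, "count": len(q),
                           "window_start": q[0].isoformat(), "window_end": t.isoformat()})
    return alerts

def _ev(actor, offset_min, activity="Wipe ManagedDevice", base="2026-03-11T02:00:00Z"):
    """Build a constructed audit record offset_min minutes after base (sample data, not real)."""
    t = parse_ts(base) + timedelta(minutes=offset_min)
    return {"time": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "actor": actor, "activity": activity}

# Constructed sample records; the actor names are placeholders, not real accounts.
SAMPLE_EVENTS = (
    [_ev("svc-intune-admin@example.test", m) for m in (3, 1, 2, 0, 4, 2, 5)]  # 7 wipes in 5 min, unordered
    + [_ev("svc-intune-admin@example.test", 6, "syncDevice")]                # non-destructive, ignored
    + [_ev("helpdesk@example.test", m) for m in (0, 7, 9)]                    # 3 wipes: under threshold
    + [_ev("ops@example.test", m, "Retire ManagedDevice") for m in range(0, 120, 20)]  # 6 retires over 100 min
)

if __name__ == "__main__":
    for a in detect_bulk_wipes(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {a['count']} wipe/retire actions "
              f"between {a['window_start']} and {a['window_end']}")
```

Only the first actor trips the rule; the helpdesk account stays under the count and the slow retire series never accumulates more than one action inside a single window.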

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Cyberattack, Stryker, Microsoft Intune, MDM, Data Destruction, Healthcare, Living Off The Land
