Stryker cyber attack takeaways - Corsica Technologies
The Stryker Cyberattack: Takeaways for Businesses

The recent cyberattack on Stryker, a leading manufacturer of medical equipment, offers a sobering window into the vulnerabilities that companies tolerate every day. As I commented in eSecurity Planet, the attack also raises concerns not only about data exfiltration, but about the ongoing operation of critical systems.

What exactly happened in the Stryker cyberattack?

How can companies protect themselves from similar attack strategies?

Here’s everything you need to know.

Key takeaways:

  • An Iran-backed cyberterrorist group used Stryker’s own device management software to wipe 200,000 devices on March 11, 2026.
  • Better identity and access controls and monitoring, in addition to anomalous behavior alerting, might have prevented the attack.
  • The attack brought Stryker to its knees in terms of employee access and daily operations.
  • The attack did not affect Stryker medical devices deployed to hospitals and clinics, as those devices do not connect to Stryker’s internal network.
  • Organizations should implement robust controls around identity, access, and account privilege to prevent the type of infiltration that enabled the Stryker cyberattack.

What happened in the Stryker cyberattack?

Beginning on March 11, 2026, global medical manufacturer Stryker experienced a widespread, devastating cyberattack within their Microsoft environment. Devices and systems, including servers, were wiped clean, locking out employees around the globe. Stryker medical devices were not affected, but the company experienced a significant disruption to their operations. As of this writing, Stryker has not fully recovered, although they have contained the incident.

Who perpetrated the Stryker cyberattack?

A pro-Palestinian, Iran-backed hacktivist group called Handala claimed responsibility for the Stryker cyberattack. Experts believe Handala has ties to Iran’s Ministry of Intelligence and Security, which would make this a nation-state attack against a private company.

While the FBI has since seized Handala’s website, and Handala’s statement is no longer available, BleepingComputer quoted the statement before the site was taken down. “In this operation, over 200,000 systems, servers, and mobile devices have been wiped and 50 terabytes of critical data have been extracted,” Handala said. “Stryker’s offices in 79 countries have been forced to shut down.”

What strategy did the attackers use in the Stryker cyberattack?

It appears that the Iran-backed cyberterrorist group Handala used a “living off the land” (LOTL) strategy to infiltrate Stryker’s Microsoft environment without detection. This strategy involves gaining access to the environment, often through stolen or compromised credentials, then blending in by carrying out normal activities. Attackers don’t install malicious files; rather, they bide their time, planning to use trusted tools to carry out the attack. Since there’s no malware to detect, basic cybersecurity monitoring may provide little warning of an imminent LOTL attack.

In this case, Handala compromised an admin account in Stryker’s own MDM (mobile device management) platform, then used that account to wipe approximately 200,000 managed devices such as laptops and workstations. The group literally took the platform that was meant to administer Stryker’s devices and used it to wipe them.

What is the impact of the Stryker cyberattack?

As of this writing, Stryker has contained the attack, but the company has not fully recovered in terms of operations, employee access to devices, or system uptime. While active Stryker medical devices were not directly affected by the attack, the disruption to Stryker’s operations will likely have a widespread impact on the medical supply chain for many months to come.

Here are the primary impacts that we expect to see in the global medical supply chain.

  • Manufacturing and production disruptions
  • Delays in order processing, shipping, and fulfillment
  • Shortages of surgical and other medical equipment
  • Hospital and surgical scheduling disruptions
  • Impact to some EMS (emergency medical services) workflows
  • Lost productivity with 56,000 employees idled
  • Significant operational backlogs

What can companies learn from the Stryker cyberattack?

The Stryker cyberattack serves as a warning to companies in all verticals. It’s a reminder that geopolitical conflict can create an environment in which cyberterrorists target private companies as retaliation against military action.

Companies should also take note of the attack vector here. The terrorists didn’t install malware. Rather, they likely used compromised credentials to gain access to Stryker’s Microsoft environment. Without robust monitoring of privileged accounts for anomalous behavior, the attack went undetected. Once the terrorists had access, they exploited the MDM platform to wipe approximately 200,000 managed devices.

How can companies prevent a devastating incident like the Stryker cyberattack?

Handala appears to have used a basic strategy to infiltrate the company’s MDM platform without detection. However, companies can implement specific cybersecurity processes, controls, and monitoring to protect themselves from this type of attack.

Here’s what it takes to prevent a Stryker-style attack.

1. Lock down privileged identity access

The attack hinged on the compromise of admin-level credentials in Microsoft Entra ID and Intune, which gave hackers the ability to wipe devices globally using legitimate tools.

Preventative controls include:

  • Enforce phishing-resistant MFA (FIDO2 / hardware keys) for all global admins and Intune admins
  • Eliminate standing admin rights using Just-In-Time (JIT) privileged access
  • Require a multi-admin approval workflow for destructive actions (e.g., device wipe, mass policy pushes)
  • Restrict admin access by geography, device trust, and time of day

If an admin account can wipe 200,000 devices, it must be protected like critical infrastructure—not like a normal user login.

2. Segment and safeguard endpoint management platforms

Attackers weaponized Stryker’s MDM functionality in their Intune environment, effectively turning Intune into a global kill switch.

Preventative controls include:

  • Divide capabilities like device enrollment, policy administration, and wipe authority across different roles
  • Require dual authorization or approval workflows for mass actions
  • Maintain read-only roles for monitoring without destructive capability
  • Limit which devices (especially BYOD) can be remotely wiped

Organizations should treat their MDM platform as a Tier-0 asset, on par with domain controllers and identity stores.

3. Harden BYOD and personal device enrollment

At Stryker, personal phones enrolled via BYOD were also wiped, amplifying business and employee impact.

Preventative controls include:

  • Use mobile application management (MAM) for BYOD
  • Explicitly disable factory reset permissions on personally owned devices
  • Separate corporate authentication apps from managed profiles
  • Provide opt-out paths for high-risk roles

This reduces blast radius even if administrative access is compromised.

4. Monitor for “legitimate but anomalous” activity

The attackers avoided using traditional malware, instead issuing valid administrative commands that looked legitimate until damage was done. However, there were likely signs that the activity was anomalous.

Preventative controls include:

  • Monitor for anomalous admin behavior, not just malware signatures
  • Configure alerts for mass device wipe commands, policy changes affecting thousands of endpoints, and admin logins from new locations or unmanaged devices
  • Correlate identity, endpoint, and cloud logs in a SIEM/XDR platform

Detection must focus on intent and scale, not just known threats.
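To make the three alert conditions above concrete, here is an added example (written for this article, not code from the original post or from any MDM vendor) that runs simple detection logic over constructed audit records. The event shape, the admin names, the country baseline in KNOWN_GEO and the thresholds are all hypothetical; real MDM and identity audit logs carry the same fields under different names, so the rules, not the field names, are the point.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WIPE_WINDOW = timedelta(minutes=10)  # sliding window for counting wipes per admin
WIPE_THRESHOLD = 25                  # wipes inside one window that trigger an alert
POLICY_TARGET_THRESHOLD = 1000       # endpoints hit by one policy push that trigger an alert

# Hypothetical baseline of countries each admin normally signs in from (constructed).
KNOWN_GEO = {
    "admin-emea@example.com": {"DE", "NL"},
    "admin-global@example.com": {"US"},
}


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str
    action: str           # "SignIn", "DeviceWipe" or "PolicyAssign"
    geo: str              # country code of the source IP
    managed_device: bool  # did the request come from a compliant, managed device?
    targets: int = 1      # endpoints affected: 1 per wipe, N for a policy push


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sample_events():
    """Constructed audit records (not a real log): one routine admin, one abusive admin."""
    base = parse_ts("2026-03-11T01:55:00Z")
    events = [Event(base, "admin-emea@example.com", "SignIn", "DE", True)]
    # Routine: three individual wipes spread over ninety minutes from a managed device.
    for i in range(3):
        events.append(Event(base + timedelta(minutes=5 + 30 * i),
                            "admin-emea@example.com", "DeviceWipe", "DE", True))
    # Abusive: sign-in from an unseen country on an unmanaged device, then 600 wipes
    # in five minutes and one policy assignment that hits the whole estate.
    events.append(Event(base + timedelta(minutes=3),
                        "admin-global@example.com", "SignIn", "XX", False))
    for i in range(600):
        events.append(Event(base + timedelta(minutes=4, seconds=i // 2),
                            "admin-global@example.com", "DeviceWipe", "XX", False))
    events.append(Event(base + timedelta(minutes=12), "admin-global@example.com",
                        "PolicyAssign", "XX", False, targets=150_000))
    return events


def peak_in_window(timestamps, window):
    """Largest number of sorted timestamps that fall inside any span of length `window`."""
    start, peak = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def detect(events, known_geo):
    """Return (rule, actor, first_seen, detail) tuples for valid-looking but anomalous activity."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_actor[e.actor].append(e)
    alerts = []
    for actor, evs in by_actor.items():
        for e in evs:
            # Rule 1: admin sign-in from an unfamiliar country or an unmanaged device.
            if e.action == "SignIn" and (e.geo not in known_geo.get(actor, set())
                                         or not e.managed_device):
                alerts.append(("anomalous_admin_signin", actor, e.ts,
                               f"geo={e.geo} managed={e.managed_device}"))
            # Rule 2: one policy change that affects a large share of endpoints.
            if e.action == "PolicyAssign" and e.targets >= POLICY_TARGET_THRESHOLD:
                alerts.append(("mass_policy_change", actor, e.ts, f"{e.targets} endpoints"))
        # Rule 3: many wipe commands from one actor inside a short window.
        wipes = [e.ts for e in evs if e.action == "DeviceWipe"]
        peak = peak_in_window(wipes, WIPE_WINDOW)
        if peak >= WIPE_THRESHOLD:
            alerts.append(("mass_device_wipe", actor, wipes[0],
                           f"{peak} wipes within {WIPE_WINDOW}"))
    return alerts


if __name__ == "__main__":
    for rule, actor, ts, detail in detect(build_sample_events(), KNOWN_GEO):
        print(f"{ts.isoformat()} {rule:24} {actor} {detail}")
```

Run as a script, the routine EMEA admin produces no alerts, while the global admin trips all three rules. In a SIEM the same logic is a correlation rule keyed on the actor: the value comes from counting wipes per identity over time and joining sign-in context to the command, which is exactly what signature-only monitoring does not do.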

5. Protect against upstream credential theft

The attackers likely used stolen credentials to enable initial access. They may have harvested these credentials well before the attack.

Preventative controls include:

  • Disable password-only authentication for privileged accounts
  • Enforce device trust (only compliant, managed devices can access admin portals)
  • Rotate and monitor service account credentials aggressively

Credential hygiene remains the foundation of cloud security.

6. Prepare for destructive, non-ransom attacks

The attackers didn’t hold Stryker systems for ransom. They simply destroyed them. The intent was not to extort cash from the company, but to knock them out of commission as revenge for military action.

Many organizations have decent protection against ransomware, but they aren’t prepared for destructive attacks. Here are some preventative measures that your organization can implement.

  • Maintain offline, immutable backups of endpoint and identity configurations
  • Test MDM and identity recovery procedures, not just data restores
  • Pre-stage clean admin environments so control can be regained quickly
  • Practice destructive attack tabletop exercises, not only ransomware scenarios

Nation-state and hacktivist actors often prioritize disruption over profit. This requires a mindset shift on the part of cybersecurity executives. Ransomware hasn’t become less dangerous, but CISOs need to prepare for destructive attacks as well.

7. Limit blast radius with admin account segmentation

One reason the Stryker attack was so damaging is that a single compromised admin account had global reach. This approach is simpler for internal IT to manage, but it created an immense vulnerability that the attackers exploited.

Preventative controls include:

  • Scope admin permissions by region, business unit, or device class
  • Separate production, manufacturing, and corporate IT management planes
  • Use tenant-level protections and change control policies
  • Regularly test “What can this account destroy in 10 minutes?”

If one account can destroy everything, there’s likely an opportunity for improving the design.
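The question “What can this account destroy in 10 minutes?” can be answered mechanically if role assignments carry a scope. The following added example (written for this article; it is not Intune’s role model, Stryker’s configuration, or code from the original post) models scoped assignments and computes each identity’s wipe blast radius, and it also covers the dual-authorization control from section 2 by refusing a mass wipe that lacks a second, distinct approver with rights over every targeted device. The role names, regions, device classes, inventory size and the 10 percent cap are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Hypothetical role model (not any vendor's actual role definitions).
ROLES = {
    "GlobalAdmin":   {"enroll", "policy", "wipe"},
    "EnrollmentOps": {"enroll"},
    "PolicyAdmin":   {"policy"},
    "WipeOperator":  {"wipe"},
    "ReadOnly":      set(),
}
REGIONS = ("NA", "EMEA", "APAC", "LATAM")
DEVICE_CLASSES = ("corp-laptop", "manufacturing-workstation", "byod-phone")


@dataclass(frozen=True)
class Assignment:
    role: str
    region: Optional[str] = None        # None = every region
    device_class: Optional[str] = None  # None = every device class


def build_inventory(per_cell=1000):
    """Constructed inventory: device id -> (region, device_class); 12,000 devices by default."""
    inventory = {}
    for region, cls in product(REGIONS, DEVICE_CLASSES):
        for i in range(per_cell):
            inventory[f"{region}-{cls}-{i:04d}"] = (region, cls)
    return inventory


def build_identities():
    """Constructed identities: one global admin and three scoped roles."""
    return {
        "global-admin":    [Assignment("GlobalAdmin")],
        "emea-laptop-ops": [Assignment("WipeOperator", region="EMEA", device_class="corp-laptop")],
        "policy-admin":    [Assignment("PolicyAdmin")],
        "na-helpdesk":     [Assignment("EnrollmentOps", region="NA")],
    }


def reachable(assignments, inventory, action):
    """Devices on which an identity holding these assignments may perform `action`."""
    reach = set()
    for a in assignments:
        if action not in ROLES[a.role]:
            continue
        for dev, (region, cls) in inventory.items():
            if a.region in (None, region) and a.device_class in (None, cls):
                reach.add(dev)
    return reach


def blast_radius_report(identities, inventory, action="wipe", max_fraction=0.10):
    """Per identity: how many devices it can wipe and whether that breaches the cap."""
    total = len(inventory)
    report = {}
    for name, assignments in identities.items():
        n = len(reachable(assignments, inventory, action))
        report[name] = {"devices": n, "fraction": n / total, "over_cap": n > max_fraction * total}
    return report


def authorize_wipe(identities, inventory, requester, approver, device_ids, dual_threshold=50):
    """Dual authorization: a wipe of more than `dual_threshold` devices needs a second,
    distinct identity that also holds wipe rights over every targeted device."""
    targets = set(device_ids)
    if not targets <= reachable(identities[requester], inventory, "wipe"):
        return False  # requester is out of scope for at least one device
    if len(targets) <= dual_threshold:
        return True
    if approver is None or approver == requester:
        return False
    return targets <= reachable(identities[approver], inventory, "wipe")


if __name__ == "__main__":
    inv, ids = build_inventory(), build_identities()
    for name, row in blast_radius_report(ids, inv).items():
        flag = "OVER CAP" if row["over_cap"] else "ok"
        print(f"{name:16} can wipe {row['devices']:6d} devices ({row['fraction']:.1%}) {flag}")
```

Run periodically against the real assignment export, the report is the “10 minutes” test in executable form: any identity whose reach exceeds the cap is a design problem, regardless of whether its password is strong. The dual-authorization check shows the complementary control, since a scoped operator can still service individual devices without anyone else involved, but cannot issue a mass wipe alone.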

The takeaway: Get the sophisticated cybersecurity controls you need

The Stryker cyberattack was certainly preventable. But how many organizations are actively protecting themselves against a similar attack? If you’re not sure where your organization stands, get in touch with us. We’ve helped 1,000+ companies solve their biggest technology challenges. Let’s take the next step in protecting your customers, employees, systems, and data.

Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the managed cyber security services industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.
