A major incident affecting global medical technology giant Stryker has once again highlighted how critical strong identity and access controls are to modern cyber‑defence.


In mid‑March 2026, Stryker suffered a destructive cyberattack that remotely wiped tens of thousands of employee devices without any malware being deployed.

Unlike traditional ransomware events, investigators found no malware, no encryption, and no ransom demands. Instead, attackers abused legitimate Microsoft cloud management functions, particularly Microsoft Intune, to issue remote wipe commands across the organisation’s managed devices.

What happened at Stryker?

According to the investigation:
– The attacker compromised an internal administrator account and created a new Global Administrator account, triggering Intune wipe commands on nearly 80,000 devices between 05:00 and 08:00 UTC on 11th March.
– Employees across multiple countries saw their laptops and mobile phones reset overnight, including personal devices enrolled into Stryker’s mobile device management environment.
– No evidence of data exfiltration was found, and medical devices remain safe for use.
– The attack has been attributed to the Handala hacktivist group, linked to Iran.

Identity compromise was the root cause

Cybersecurity research now suggests the attackers may have obtained the administrator credentials through infostealer malware, using previously stolen passwords to gain access.

Why this matters for UK businesses

If an attacker gains an admin account, they don’t need malware; they can weaponise your own cloud tools against you.

How Priority IT helps protect your business

1. Restricting Admin Access to Trusted Locations
Priority IT configures Conditional Access policies that restrict admin logins to trusted IP locations, preventing attackers from abusing stolen credentials.

2. Enforcing MFA and Phishing-Resistant Authentication
We deploy strong MFA, number matching, and certificate-based authentication.

3. Monitoring Admin Activity
We implement alerts for new Global Admins, conditional access changes, and Intune wipe commands.

4. Zero‑Trust Device Management
We enforce multi‑admin approval, separation of duties, and full logging.

5. Cyber Awareness Training
Most credential theft begins with phishing; our training significantly reduces this risk.
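
The alerting described in item 3 above, sketched as an added example (not Priority IT's tooling and not code from the original article): it scans audit events for a new Global Administrator assignment, Conditional Access policy changes, and a burst of wipe commands from a single account. The event schema, activity strings, account names, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema.
# The activity strings are assumptions: map them to your own audit export.
EVENTS = [
    {"time": "2026-01-10T04:52:00", "actor": "admin-a", "target": "new-admin",
     "activity": "Add member to role", "detail": "Global Administrator"},
    {"time": "2026-01-10T04:53:00", "actor": "admin-a", "target": "helpdesk-1",
     "activity": "Add member to role", "detail": "Helpdesk Administrator"},
    {"time": "2026-01-10T04:55:00", "actor": "new-admin",
     "activity": "Update conditional access policy",
     "target": "Require trusted location for admins"},
    {"time": "2026-01-10T05:00:00", "actor": "helpdesk-1",
     "activity": "wipe ManagedDevice", "target": "laptop-001"},
]
# Five wipes from one account inside one minute (constructed).
EVENTS += [{"time": f"2026-01-10T05:01:{s:02d}", "actor": "new-admin",
            "activity": "wipe ManagedDevice", "target": f"device-{s}"}
           for s in range(0, 50, 10)]

CA_ACTIVITIES = {"Add conditional access policy",
                 "Update conditional access policy",
                 "Delete conditional access policy"}

def detect(events, threshold=3, window=timedelta(minutes=10)):
    """Return alerts as (rule, actor, subject) tuples in time order."""
    alerts = []
    recent = {}      # actor -> timestamps of that actor's wipes in the window
    flagged = set()  # actors already alerted for a wipe burst
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        ts = datetime.fromisoformat(ev["time"])
        actor, activity = ev["actor"], ev["activity"]
        if (activity == "Add member to role"
                and ev.get("detail") == "Global Administrator"):
            alerts.append(("new_global_admin", actor, ev["target"]))
        elif activity in CA_ACTIVITIES:
            alerts.append(("conditional_access_change", actor, ev["target"]))
        elif activity == "wipe ManagedDevice":
            q = recent.setdefault(actor, deque())
            q.append(ts)
            while ts - q[0] > window:   # drop wipes older than the window
                q.popleft()
            # A single wipe is routine; more than `threshold` in the window is not.
            if len(q) > threshold and actor not in flagged:
                flagged.add(actor)
                alerts.append(("wipe_burst", actor, len(q)))
    return alerts
```

The single helpdesk wipe and the Helpdesk Administrator assignment raise nothing; only the privileged-role grant, the policy change and the rapid run of wipes do.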

Key lessons

– Identity is the new perimeter: hackers don’t break in, they log in.
– Trusted-location-based admin restrictions are essential.
– MDM tools like Intune are safe only when access is tightly controlled.

Priority IT can audit and harden your Microsoft 365 environment, implement trusted-location restrictions, and support Cyber Essentials certification. For details call us on 01225 636000 or email [email protected]