On Wednesday morning, employees at Stryker — a $25-billion medical technology company with 56,000 workers across 61 countries — arrived at work to find their devices wiped clean. Login screens replaced with a hacktivist logo. Microsoft Outlook on personal phones? Wiped too. Anything connected to the network? Gone.
More than 5,000 workers at Stryker's Ireland headquarters were sent home. A voicemail at the company's main U.S. headquarters in Kalamazoo, Michigan stated they were "experiencing a building emergency." Staff were communicating via WhatsApp because enterprise communication systems were down.
This is what a wiper attack looks like in 2026. And the method the attackers used should terrify every IT team reading this.
What Happened
An Iranian hacktivist group called Handala (which Palo Alto Networks' Unit 42 links to Iran's Ministry of Intelligence and Security) claimed responsibility for the attack. In a statement posted to Telegram, Handala said it had erased data from more than 200,000 systems, servers and mobile devices across Stryker's offices in 79 countries. Those figures are the attackers' own and have not been independently confirmed; Stryker itself describes its footprint as 61 countries.
The group said the attack was retaliation for a February 28 missile strike that hit an Iranian school, killing at least 175 people — most of them children. The New York Times reported that an ongoing military investigation has determined the United States was responsible for the strike.
But here's the part that should keep infrastructure teams up at night: according to Krebs on Security, the attackers didn't deploy traditional wiper malware at all. They used Microsoft Intune, Stryker's own device management platform, to issue remote wipe commands to the enrolled devices.
Let me say that again: the attackers used the company's own security tool to destroy its own data.
How Microsoft Intune Became the Weapon
For those not familiar with it, Microsoft Intune is Microsoft's cloud-based endpoint management service. IT teams use it to enforce security policies, deploy software and updates, and, critically, remotely wipe devices that are lost, stolen or compromised. A wipe is an ordinary administrative action: an admin issues it from the Intune admin center (or through the Microsoft Graph API), the command is queued in the cloud, and the device carries it out the next time it checks in. It's designed to be a security tool. It's meant to protect you.
If Handala's numbers are accurate, it was also used to wipe 200,000 devices in a single coordinated attack.
This aligns with what multiple people claiming to be Stryker employees reported on Reddit: they were urgently told to "uninstall Intune" from their devices to prevent further wipes, which in practice means unenrolling the device by removing the management profile or the Company Portal app. Think about the irony: an emergency directive to remove your security software to stay safe.
My colleague Tom, who manages infrastructure for a mid-sized healthcare company, had a one-word reaction: "Nightmare."
Then he paused and said: "We use Intune for 3,000 devices."
Why This Attack Vector Is Terrifyingly Effective
Traditional wiper malware, NotPetya (2017) or WhisperGate (2022) for example, has to be delivered to, staged on and executed on each target system. Every one of those steps leaves artifacts: endpoint protection can catch the binary, and network monitoring can flag the lateral movement and the unusual file operations that follow.
Using the company's own MDM (Mobile Device Management) platform is a completely different threat model:
No malware to detect. The wipe command is a legitimate Intune feature, designed to be used. Your endpoint protection won't flag it because, from the device's perspective, it is an authorized instruction from its own management server.
Instant global reach. Intune manages devices across all locations simultaneously, so one command, or a few bulk ones, can reach every enrolled device worldwide. There's no need to spread laterally through a network; the management platform already holds a trusted channel to everything it manages.
Mobile devices included. Intune manages laptops, desktops, tablets and phones. Personal phones that employees had enrolled so they could run Outlook were hit too. How much a personal phone loses depends on how it was onboarded: a fully enrolled (MDM) device can be factory reset, while a device covered only by app protection (MAM) policies can have its corporate app data selectively wiped. Either way, the attack crossed the boundary between corporate and personal devices.
Difficult to stop once started. A device that is online when the command is queued picks it up at its next check-in, typically within minutes. The only way to save it is to take it offline or unenroll it before that check-in happens. At the scale Handala claims, 200,000 devices across 79 countries, that is logistically impossible to do quickly enough.
Rachel, who works in cloud security consulting, called it "the most creative misuse of a defensive tool I've ever seen. They didn't hack the castle — they turned the castle's own cannons around."
The Healthcare Angle Makes This Worse
Stryker isn't a tech company or a financial firm. It makes surgical equipment, implants, and medical technology used in operating rooms around the world. When Stryker's systems go down, the impact isn't lost productivity or delayed emails. It's potentially disrupted medical procedures.
Healthcare has been among the most heavily targeted sectors for ransomware for several years running. According to IBM's 2024 Cost of a Data Breach Report, healthcare breaches cost an average of $9.77 million per incident, the highest of any industry for the 14th consecutive year.
But wiper attacks are different from ransomware. With ransomware there's a negotiation: you can pay (not recommended, but possible) and potentially get a decryption key. With a wiper there's no negotiation and no key. An MDM wipe resets each device to factory state, so anything that lived only on local disk is gone. Data synced to cloud services (mailboxes, OneDrive, SharePoint) is not touched by a device wipe, but only as long as the attackers' admin access did not also reach it. Beyond that there's only your backup strategy, assuming you have one, and the slow work of re-provisioning every device.
What Your Team Should Do Monday Morning
If your organization uses any MDM platform — Intune, Jamf, VMware Workspace ONE, Kandji, or others — this attack is directly relevant to you. Here's what to prioritize:
1. Audit MDM admin access immediately. Who can issue a wipe from your MDM console? For Intune that means the Entra ID roles that grant full Intune control (Global Administrator, Intune Administrator) plus Intune's own RBAC role assignments; audit both. The list should be as short as possible, ideally two or three people, with phishing-resistant hardware-backed MFA (a FIDO2 key such as a YubiKey, not SMS) enforced for every one of them, and standing assignments replaced by just-in-time activation where your platform supports it.
2. Require a second approver for destructive actions. Intune has no native "more than N devices needs extra approval" switch, but multi admin approval (access policies) can require a second administrator to approve device actions such as wipe, retire and delete before they run, and RBAC scope tags can keep any single admin role from reaching every device in the tenant. If your platform offers neither, an enforced time delay plus an alert on bulk operations is the fallback.
3. Monitor for unusual MDM activity. Your SIEM should be ingesting MDM audit logs (for Intune, the audit log can be exported to a Log Analytics workspace through diagnostic settings or pulled from the Graph API). Alert on: wipe, retire and delete actions above a low per-actor rate, new admin role assignments, privilege escalation, and bulk policy changes. Devices start processing a queued wipe within minutes, so both the alert and the response (revoke the actor's sessions, strip the role) have to be near-real-time, not a morning review.
4. Separate MDM admin identities from everyday credentials. If attackers got into Stryker's tenant with a phished or stuffed user credential, that credential should never have carried wipe rights. Intune admin rights come from Entra ID role assignments, so use dedicated admin-only accounts (no mailbox, no daily use), manage them through a privileged access management (PAM) or just-in-time activation workflow, protect them with Conditional Access, and rotate any standing secrets frequently.
5. Review your backup strategy against wiper scenarios. A backup that survives ransomware will usually survive a wiper too, but the bar is worth restating: offline or immutable copies that no network-connected management tool and no tenant admin identity can reach, air-gapped where practical, with tested recovery procedures. If your "backup" is a cloud sync that the same admin identity can delete, it's not a backup; it's another target.
6. Create a "break glass" MDM procedure. You cannot switch Intune off, so the real question is how fast you can cut the attacker's access: disable or reset the compromised admin accounts, revoke their sessions and refresh tokens, remove their role assignments, and block further sign-ins with Conditional Access, all from an emergency account the attacker does not control and that does not depend on the MDM itself. Write it down and rehearse it.
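To make step 3 concrete, here is detection logic, an added example rather than code from the original page or from Stryker, Microsoft or any MDM vendor, that runs over a constructed batch of Intune-style audit events. It assumes event fields shaped like Microsoft Graph's deviceManagement/auditEvents resource (activityType, activityDateTime, actor.userPrincipalName, resources); the exact activityType spellings, the admin allowlist, the corp.example account names and the 50-devices-in-15-minutes threshold are assumptions to tune for your own tenant. It also applies the per-device-count threshold from step 2 in the one place Intune lets you apply it, the alert path, and flags the role-assignment changes that step 1 is meant to catch.

```python
"""Sliding-window detector for MDM device-action abuse in Intune-style audit events.

Added example for this article, not Stryker's, Microsoft's or any vendor's code.
Field names follow the shape of Microsoft Graph's deviceManagement/auditEvents
resource; the activityType spellings, allowlist and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Device actions that destroy data or management on the target (assumed spellings).
DESTRUCTIVE = {"wipe manageddevice", "retire manageddevice", "delete manageddevice"}
# Admin-rights changes that often precede abuse (assumed spellings).
ROLE_CHANGES = {"create roleassignment", "patch roleassignment", "update roleassignment"}


def _ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps Graph returns into aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(events, approved_admins, threshold=50, window=timedelta(minutes=15)):
    """Return findings for three conditions:
    - role_change: any role-assignment create/update (review who did it and why);
    - unapproved_actor: a destructive action by an account not on the wipe allowlist;
    - mass_destructive_action: one actor hits `threshold` devices inside `window`.
    Each actor is reported at most once per condition to keep the alert readable.
    """
    approved = {a.lower() for a in approved_admins}
    findings = []
    recent = defaultdict(deque)   # actor -> (timestamp, device_count) inside the window
    in_window = defaultdict(int)  # actor -> running device total inside the window
    already = set()               # (kind, actor) pairs already reported

    def report(kind, actor, when, **extra):
        if (kind, actor) not in already:
            already.add((kind, actor))
            findings.append({"kind": kind, "actor": actor, "when": when, **extra})

    for e in sorted(events, key=lambda x: _ts(x["activityDateTime"])):
        action = e["activityType"].lower()
        actor = e["actor"]["userPrincipalName"].lower()
        when = _ts(e["activityDateTime"])
        if action in ROLE_CHANGES:
            report("role_change", actor, when)
            continue
        if action not in DESTRUCTIVE:
            continue
        # A bulk action lists every targeted device under resources[]; count each one.
        devices = max(1, len(e.get("resources", [])))
        if actor not in approved:
            report("unapproved_actor", actor, when, devices=devices)
        q = recent[actor]
        q.append((when, devices))
        in_window[actor] += devices
        while q and when - q[0][0] > window:  # expire entries older than the window
            _, old = q.popleft()
            in_window[actor] -= old
        if in_window[actor] >= threshold:
            report("mass_destructive_action", actor, when, devices=in_window[actor])
    return findings


def _event(action, actor, when, device_ids):
    """Build one constructed audit event in the Graph auditEvents shape."""
    return {
        "activityType": action,
        "activityDateTime": when.isoformat().replace("+00:00", "Z"),
        "activityResult": "Success",
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": f"DEV-{i:05d}", "resourceId": f"dev-{i}"} for i in device_ids],
    }


def sample_events():
    """Constructed timeline: routine helpdesk wipes, then an unrecognised account
    creates a role assignment and issues bulk wipes (10 devices each, every 2 s)."""
    t0 = datetime(2026, 3, 4, 6, 0, tzinfo=timezone.utc)
    events = [
        _event("wipe ManagedDevice", "helpdesk.admin@corp.example", t0 + timedelta(hours=h), [n])
        for h, n in ((1, 17), (4, 42), (7, 88))  # three lost laptops across a working day
    ]
    attacker = "svc-legacy@corp.example"  # assumed name for the compromised account
    events.append(_event("create RoleAssignment", attacker, t0 + timedelta(hours=7, minutes=55), []))
    for i in range(60):
        ids = range(1000 + 10 * i, 1010 + 10 * i)
        events.append(_event("wipe ManagedDevice", attacker, t0 + timedelta(hours=8, seconds=2 * i), ids))
    return events


if __name__ == "__main__":
    for f in detect(sample_events(), approved_admins=["helpdesk.admin@corp.example"]):
        print(f"{f['when'].isoformat()}  {f['kind']:<24} {f['actor']}  devices={f.get('devices', '-')}")
```

Run against the constructed sample, the detector raises three findings in order: the role-assignment change, the first wipe by the unlisted account, and the mass-action alert the moment that account's total inside the window reaches 50 devices (ten seconds into the burst), while the three helpdesk wipes spread across a day raise nothing. In production you would feed it the exported audit log in time order and wire the mass-action finding to the session-revocation step from item 6 rather than to a ticket queue.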
The Uncomfortable Truth
The Stryker incident exposes a fundamental tension in modern IT: the tools we deploy to manage and secure our devices also represent single points of catastrophic failure. MDM, EDR, SIEM, identity providers — each one is simultaneously a security control and a potential weapon if compromised.
The industry has spent years consolidating management into centralized platforms because distributed management doesn't scale. That's true. But centralization creates targets, and when those targets are breached, the blast radius is total.
Tom spent Wednesday afternoon reviewing his company's Intune configuration. "I found four admin accounts I didn't know about," he told me Thursday morning. "Two belonged to people who left the company last year."
If you're reading this and you haven't checked your MDM admin list recently: stop reading and go check it. Right now. The rest of this article can wait.
(Stryker has not publicly commented on the attack beyond the voicemail message at their headquarters. We will update this article if a statement is released.)