CISA Urges Action After Stryker Microsoft Intune Attack

The healthcare and medical device sector is facing a pervasive threat as modern intrusions increasingly focus on identity access and administrative control planes rather than relying on sophisticated exploits.
Common tactics against the sector include phishing – where criminals impersonate organisations and people via email, text or voice to deceive victims – the use of compromised credentials and the exploitation of weak remote access controls.
These methods enable lateral movement within environments, often leading to disruptive attacks, which aim to upset operations rather than primarily steal data.
The Stryker incident
Medical device and equipment manufacturer Stryker recently lost the ability to process orders, make products and ship them to customers following a cyberattack.
The company says it experienced a global disruption to its Microsoft environment.
Upon detection, the company activated its cybersecurity response plan and launched an investigation internally with the support of external advisors and cyber experts to assess and contain the threat.
“Investigations suggest the attackers may have abused Microsoft Intune to issue remote wipe commands to managed devices, causing factory resets on corporate laptops and mobile devices,” says Lucie Cardiet, Cyberthreat Research Manager at Vectra, a cybersecurity company that specialises in AI-driven threat detection and response.
Behind the Stryker attack
A hacking group called Handala, also known by some researchers as Void Manticore, has claimed responsibility for the attack, stating that more than 200,000 devices were impacted and large volumes of data were exfiltrated.
The volume of data has not been verified.
The group has targeted other organisations to date, including IT providers, infrastructure operators and companies tied to sensitive supply chains.
“Unlike many financially motivated groups, Handala campaigns often emphasize operational disruption and psychological impact,” Lucie says.
“The group frequently publishes screenshots of compromised systems, exaggerates claims of stolen data and defaces systems with propaganda imagery such as the Handala logo.
“The device wipes and defaced login screens reported in the Stryker incident align with this pattern.”
In its public statements, Stryker says the hackers were only able to access its Microsoft accounts, specifically Microsoft Intune, which is used to remotely manage corporate phones and laptops.
The company says: “This incident did not affect the security or safety of our products or devices.
“All Stryker products across our global portfolio, including connected, digital and life-saving technologies remain safe to use.
“Some of our customers that utilise our personalised implants are experiencing some disruptions.
“We understand that some patient-specific cases scheduled for the week of 16 March 2026 have been rescheduled due to shipping delays we are experiencing.
“There is nothing more important to us than the customers and patients we serve, and we recognise the criticality of every procedure to every patient.
“We are working as quickly and safely as possible to reconcile orders, manufacture products and deliver to our customers so they can continue to provide seamless patient care.”
What CISA has to say
Since then, the Cybersecurity & Infrastructure Security Agency (CISA) has urged companies to take care to secure access to their Microsoft Intune accounts.
This includes implementing Microsoft’s latest best practices for securing Microsoft Intune: using principles of least privilege when designing administrative roles, enforcing phishing-resistant MFA and configuring access policies to require multi-admin approval in Intune.
CISA is working with federal partners, including the FBI, to identify additional threats and determine mitigation actions.



