Stryker Wiper Attack: A Mass-Scale Failure of Microsoft Intune
In one of the most destructive cyber attacks of 2026, medical technology giant Stryker has been targeted by a pro-Iranian hacking group that successfully wiped thousands of corporate devices.
The Intune Vector
The attack is particularly chilling because of its delivery mechanism. Rather than traditional phishing or credential harvesting, the attackers managed to compromise a high-level administrator account within Stryker’s Microsoft Intune environment. This gave them the ability to push a malicious "compliance policy" to the entire device fleet.
The policy, which was disguised as a routine security update, contained a script that executed a Zero-Fill Wiper. Within minutes of the policy being synced, thousands of laptops, workstations, and even some integrated hospital terminals had their primary storage drives completely erased, bypassing all on-device endpoint detection and response (EDR) solutions.
The Fragility of Centralized Fleet Management
The Stryker incident highlights a growing risk in the era of Unified Endpoint Management (UEM). While tools like Microsoft Intune are essential for managing global workforces, they also create a single point of failure. If the management plane is compromised, the very tools used to protect the organization become the ultimate weapon against it.
Security researchers noted that the attackers used a Conditional Access Bypass to gain entry. By exploiting a misconfigured legacy authentication protocol that Stryker had failed to decommission, they were able to pivot into the Intune console without triggering a multi-factor authentication (MFA) prompt.
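A check a defender would want after the paragraph above, added here as an example and not part of the original article: an offline audit of an exported set of Entra ID Conditional Access policies (in the Microsoft Graph conditionalAccessPolicy JSON shape) that reports whether legacy authentication clients are actually blocked, tenant-wide and without carve-outs. The sample policies are constructed for the example.

```python
# Added example (not from the article): offline audit of Entra ID Conditional
# Access policies, in the Microsoft Graph conditionalAccessPolicy JSON shape,
# for an enforced tenant-wide block on legacy authentication clients.
import json

# Graph clientAppTypes values that cover legacy (non-modern) authentication.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

# Constructed sample export: an MFA policy that ignores legacy clients, and a
# legacy-auth block that was never moved out of report-only mode.
SAMPLE_POLICIES = json.loads("""[
  {"displayName": "Require MFA for all users", "state": "enabled",
   "conditions": {"clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
                  "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
  {"displayName": "Block legacy authentication", "state": "enabledForReportingButNotEnforced",
   "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"],
                  "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []}},
   "grantControls": {"operator": "OR", "builtInControls": ["block"]}}
]""")


def audit_legacy_auth(policies):
    """Return whether an enforced, unscoped legacy-auth block exists, plus the gaps found."""
    findings, blocked = [], False
    for policy in policies:
        conditions = policy.get("conditions", {})
        users = conditions.get("users", {})
        client_apps = set(conditions.get("clientAppTypes", []))
        controls = set(policy.get("grantControls", {}).get("builtInControls", []))
        if not (LEGACY_CLIENT_APP_TYPES <= client_apps and "block" in controls):
            continue  # this policy is not a legacy-auth block at all
        name = policy.get("displayName", "<unnamed>")
        exclusions = users.get("excludeUsers", []) + users.get("excludeGroups", [])
        if policy.get("state") != "enabled":
            findings.append(f"{name}: blocks legacy auth but state is '{policy.get('state')}'")
        elif users.get("includeUsers") != ["All"]:
            findings.append(f"{name}: enforced, but only for a subset of users")
        elif exclusions:
            findings.append(f"{name}: enforced for All users but excludes {len(exclusions)} user(s)/group(s)")
        else:
            blocked = True  # enforced, tenant-wide, no carve-outs
    if not blocked and not findings:
        findings.append("no Conditional Access policy targets legacy authentication clients")
    return {"legacy_auth_blocked": blocked, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(audit_legacy_auth(SAMPLE_POLICIES), indent=2))
```

Run it against a real export (for example the output of `GET /identity/conditionalAccess/policies`) to see which policy, if any, leaves legacy clients able to sign in without MFA.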
Healthcare in the Crosshairs
This attack follows a series of disruptive actions targeting the healthcare sector. While patient data does not appear to have been exfiltrated—the goal was purely destructive—the operational impact is massive. Stryker has been forced to halt several manufacturing lines and delay shipments of critical medical devices as it works to rebuild its internal infrastructure from offline backups.
Security Advisory
Organizations using Intune or Jamf are advised to implement Multi-Admin Approval for any policy change that includes scripting or device-wipe commands. This ensures that no single compromised account can trigger a mass-destruction event.
Conclusion
The Stryker wiper attack is a wake-up call for the cybersecurity community. It demonstrates that as our management tools become more powerful and centralized, the potential for catastrophic failure scales accordingly. In 2026, the perimeter isn't the firewall—it's the administrator's console. Security teams must now treat their UEM platforms as "Tier 0" assets that require the highest levels of protection and oversight.