On 11 March 2026, a group of Iranian-linked hacktivists called Handala wiped somewhere between 80,000 and 200,000 employee devices at Stryker Corporation — across 79 countries — using the company’s own mobile device management platform.
They didn’t break in through a zero-day. They didn’t install ransomware. They didn’t even need to be particularly sophisticated.
They stole an admin’s credentials, logged into Microsoft Intune, and hit the factory reset button. Repeatedly. At scale.
Stryker makes surgical robots and joint replacement systems. You’d assume a company that manufactures medical devices — one that sells into hospitals, operates across six continents, and sits squarely in a regulated sector — would have this covered.
You’d be wrong.
What actually happened
Handala compromised a Microsoft Intune administrator account, almost certainly via infostealer malware — the commodity credential-theft tools that have been running rampant since 2022. Once inside, they had legitimate access to Intune’s remote wipe functionality: the same feature your IT team uses to wipe a lost or stolen phone.
They used it. A lot.
The attackers also claim to have exfiltrated approximately 50 terabytes of data before the wipe. Stryker confirmed disruption to global internal networks. Q1 earnings were impacted. The company has since recovered — but “recovered” covers a multitude of sins when the recovery involves rebuilding device fleets across 79 countries.
The geopolitical context matters here. The US–Iran conflict that drives Handala’s targeting is ongoing. Stryker was selected for reasons external to its own security posture — that is the nature of politically motivated campaigns. Your threat model probably doesn’t include Iranian hacktivists. But the attack vector they used is not theirs alone.
Why SMEs should be paying very close attention
Here’s where the standard industry response goes wrong: “That’s a big company problem. We don’t have 200,000 devices.”
Wrong lesson. Entirely wrong lesson.
The Stryker incident is not a story about scale. It’s a story about dependency.
Stryker didn’t lose control of its network because a nation-state adversary found a sophisticated vulnerability. They lost control because one privileged credential was compromised, and the blast radius of that one credential was effectively unlimited.
You have the same problem. Every organisation using Microsoft 365, Intune, Google Workspace, or any cloud-based MDM platform has concentrated enormous destructive power into a handful of administrator accounts. If those accounts are protected by a reused password, an SMS-based MFA code, or a token that lives on an already-compromised device, you have a Stryker problem — at whatever scale you operate.
Infostealer malware doesn’t care how many employees you have. It cares whether your admin’s credentials are worth stealing. An MSP managing 50 clients, each with cloud admin access, is a richer target than a mid-sized enterprise. A healthcare provider with Intune-managed devices full of patient records is a very attractive target.
The vendor risk nobody talks about
There’s a second lesson here that gets almost no airplay: the tools you use to secure and manage your environment are also your highest-value attack surface.
Microsoft Intune, your RMM platform, your SIEM, your backup solution — these are the keys to your kingdom. An attacker with admin access to your management plane doesn’t need to compromise individual systems. They own the whole thing at once.
Third-party risk assessments in most SME environments amount to a checklist someone completed when the vendor was onboarded two years ago. There’s no ongoing monitoring of admin credential hygiene, no review of conditional access policies on management consoles, no verification that your MDM admin accounts have phishing-resistant MFA rather than SMS.
These are not enterprise problems. They are universal problems that enterprises have more resources to address.
What your board should be asking right now
If this incident has not come up in a risk discussion, your risk management process has a gap. The questions that matter are not complicated:
- Who has global administrator access to our MDM and endpoint management platforms? Can you produce that list today?
- How are those accounts protected? Is it phishing-resistant MFA — hardware token or Windows Hello — or are we relying on SMS or an authenticator app without hardware binding?
- What is the blast radius if one of those accounts is compromised? Can an attacker wipe every managed device in the organisation from a single console?
- How long would recovery take if we lost access to every managed device simultaneously? Has that scenario been modelled?
- When did we last test that recovery plan?
If your CISO, IT manager, or MSP can’t answer those questions in under five minutes, you have a problem that predates this incident.
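One way to get the answer to the first two questions out of a Microsoft 365 tenant, as an added example that is not part of the original post: it uses the Microsoft Graph PowerShell SDK to list the user members of the directory roles that can issue an Intune wipe and flags any account without a FIDO2 or Windows Hello for Business method registered. The role names, the Graph scopes and the "phishing-resistant" classification are assumptions to adapt to your own tenant and role model.

```powershell
# Added example (not from the original post): report which privileged admins
# lack a phishing-resistant sign-in method. Requires the Microsoft Graph
# PowerShell SDK and a reader with directory and auth-method read permissions.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'Directory.Read.All', 'UserAuthenticationMethod.Read.All'

# Assumption: these are the roles that can remote-wipe managed devices in this tenant.
$privilegedRoles = @('Global Administrator', 'Intune Administrator')

# Assumption: only hardware-bound methods count as phishing-resistant here.
$phishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
# Methods listed as the account's second factor but not phishing-resistant.
$weak = @(
    '#microsoft.graph.phoneAuthenticationMethod',                   # SMS / voice
    '#microsoft.graph.emailAuthenticationMethod',                   # e-mail OTP
    '#microsoft.graph.softwareOathAuthenticationMethod',            # TOTP app
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod'   # push without hardware binding
)

$report = foreach ($roleName in $privilegedRoles) {
    # Get-MgDirectoryRole only returns roles that have been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Groups and service principals are skipped; only users register auth methods this way.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $methods = Get-MgUserAuthenticationMethod -UserId $member.Id |
            ForEach-Object { $_.AdditionalProperties['@odata.type'] }

        [pscustomobject]@{
            Role              = $roleName
            User              = $member.AdditionalProperties['userPrincipalName']
            PhishingResistant = [bool]($methods | Where-Object { $_ -in $phishingResistant })
            WeakMethods       = ($methods | Where-Object { $_ -in $weak }) -join ', '
        }
    }
}

# The list the board asked for: admins who can wipe the fleet without a hardware-bound sign-in.
$report | Where-Object { -not $_.PhishingResistant } | Format-Table -AutoSize
```

Run it from a workstation that is itself not in scope for the infostealer problem the post describes; the full `$report` (not just the filtered view) is the answer to the "can you produce that list today?" question.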
What to do this week
Sources
Incident details are drawn from public reporting on the 11 March 2026 Stryker–Handala attack. Coverage included reporting by The Register, BleepingComputer, and Wired, among others. Verify specific article URLs before publishing — search “Handala Stryker Intune March 2026” for primary source links. Stryker’s Q1 2026 earnings disclosure confirmed the operational disruption.