CISA, Microsoft Outline Intune Safeguards After Stryker Cyber Attack
The Cybersecurity and Infrastructure Security Agency is urging U.S. organizations to strengthen security around Microsoft Intune and other endpoint management platforms after a cyberattack on medical technology giant Stryker Corp. disrupted operations and contributed to surgery delays at hospitals nationwide.
In a March 18 advisory, CISA told IT teams to follow Microsoft's recently published Intune hardening guidance and apply the same protections to other endpoint management tools in their environments. The agency said it is working with the FBI to determine whether other organizations could face similar attacks.
A Trusted Tool Turned Against Its Owner
According to reports, the threat group Handala is suspected of compromising a Stryker administrator account, creating a new Global Administrator account and then abusing Intune's built-in wipe capability to erase network systems. Handala has claimed responsibility for the attack and said it wiped more than 200,000 systems, servers and mobile devices. The group has also claimed to have stolen 50 terabytes of data.
Stryker said the incident affected its Microsoft environment, but stressed that patient safety was not at risk. "It is completely safe for Stryker sales representatives to be onsite in hospitals and facilities," the company said in a customer update. "This was not a ransomware attack, and there is no evidence of malware deployed to our systems." The company said the incident has been contained and that restoration is ongoing.
Even so, the operational effects have spread beyond Stryker's own network. Bloomberg reported (paywalled) that disruptions to ordering, manufacturing and shipping contributed to delays for some surgical procedures.
Broader Concerns About Handala
Handala emerged in late 2023 and has previously targeted Israeli organizations in data-wiping and disruption campaigns. Security researchers have described the group as linked or affiliated with Iranian intelligence, though that attribution remains an assessment rather than a publicly proven conclusion. The group has framed the Stryker attack as retaliation against U.S. companies with ties to Israel.
Ronan Murphy, CEO of Cork-based cybersecurity firm Smartech247, told the Irish Examiner that organizations should assume the threat remains active. "Any organisation has to be on very, very significant high alert to potentially be hit by these guys because they're quite sophisticated, they have a lot of resources," Murphy said. "And their sole objective is chaos."
What CISA and Microsoft Want IT Teams To Do
CISA's recommendations closely track Microsoft's March 14 best practices post on securing Intune, which the agency pointed to as a baseline for immediate action. Microsoft's guidance centers on least-privilege access, stronger authentication protections for privileged accounts and extra approval controls for high-impact administrative actions.
First, organizations should apply least-privilege principles to Intune role-based access control so administrators can affect only the resources within their assigned scope. Broad, standing privileges should be reduced wherever possible. Second, CISA and Microsoft recommend phishing-resistant multifactor authentication for privileged accounts, along with Microsoft Entra Conditional Access policies that limit administrative access based on device compliance, risk signals and network location.
Third, and most directly tied to the Stryker incident, CISA said organizations should enable Intune's Multi Admin Approval capability for high-impact actions. "Set up policies that require a second administrative account's approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc.," the agency said in its alert.
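The attack chain described above (a compromised admin creates a new Global Administrator, which then issues mass wipe commands) and the Multi Admin Approval control CISA recommends both point at the same detectable pattern: a fresh privileged-role grant followed shortly by a burst of wipe or retire actions from the newly privileged account. The following Python is an added example, not code from CISA, Microsoft or Stryker. It runs a simple correlation over constructed audit events; the field names (`ts`, `actor`, `op`, `target`, `object`) are a simplified stand-in for the Entra ID and Intune audit log schemas, and the operation strings, role names, 24-hour window and wipe threshold are assumptions a team would tune to its own tenant.

```python
"""Correlate privileged-role grants with follow-on Intune wipe/retire actions.

The events below are constructed for illustration and do not come from any
real tenant. The schema is a simplified stand-in for Entra ID / Intune audit
logs: ts (UTC), actor (who did it), op (operation name), target (role name or
device id), object (account receiving a role, for grant events only).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, deliberately not in time order.
SAMPLE_EVENTS = [
    {"ts": "2026-03-13T01:10:00Z", "actor": "newadmin@corp.example", "op": "wipe ManagedDevice", "target": "device-0001"},
    {"ts": "2026-03-13T01:02:00Z", "actor": "admin.a@corp.example", "op": "Add member to role",
     "target": "Global Administrator", "object": "newadmin@corp.example"},
    {"ts": "2026-03-13T01:05:00Z", "actor": "admin.a@corp.example", "op": "Add member to role",
     "target": "Reports Reader", "object": "reader@corp.example"},
    {"ts": "2026-03-13T01:11:00Z", "actor": "newadmin@corp.example", "op": "wipe ManagedDevice", "target": "device-0002"},
    {"ts": "2026-03-13T01:11:00Z", "actor": "newadmin@corp.example", "op": "wipe ManagedDevice", "target": "device-0003"},
    {"ts": "2026-03-13T01:12:00Z", "actor": "newadmin@corp.example", "op": "retire ManagedDevice", "target": "device-0004"},
    # Routine single wipe by a long-standing admin: no preceding grant, not flagged.
    {"ts": "2026-03-13T02:00:00Z", "actor": "admin.b@corp.example", "op": "wipe ManagedDevice", "target": "device-0099"},
    # Same new admin, but 25 hours after the grant: outside the default window.
    {"ts": "2026-03-14T02:00:00Z", "actor": "newadmin@corp.example", "op": "wipe ManagedDevice", "target": "device-0005"},
]

# Assumed operation and role names; adjust to the tenant's actual audit vocabulary.
ROLE_GRANT_OPS = {"Add member to role", "Add eligible member to role"}
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator", "Privileged Role Administrator"}
WIPE_OPS = {"wipe ManagedDevice", "retire ManagedDevice"}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the constructed events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_grant_then_wipe(events, window=timedelta(hours=24), wipe_threshold=3):
    """Return one alert per account that received a privileged role and then
    issued at least `wipe_threshold` wipe/retire actions within `window`."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    first_grant = {}                 # account -> (grant time, granted by, role)
    wipes = defaultdict(list)        # actor -> [(time, device id), ...]

    for event in ordered:
        when = parse_ts(event["ts"])
        if event["op"] in ROLE_GRANT_OPS and event["target"] in PRIVILEGED_ROLES:
            # Keep the earliest privileged grant; later ones do not widen the window.
            first_grant.setdefault(event["object"], (when, event["actor"], event["target"]))
        elif event["op"] in WIPE_OPS:
            wipes[event["actor"]].append((when, event["target"]))

    alerts = []
    for account, (granted_at, granted_by, role) in first_grant.items():
        in_window = [dev for (when, dev) in wipes.get(account, [])
                     if granted_at <= when <= granted_at + window]
        if len(in_window) >= wipe_threshold:
            alerts.append({
                "account": account,
                "granted_by": granted_by,
                "role": role,
                "granted_at": granted_at.isoformat(),
                "wipe_count": len(in_window),
                "devices": in_window,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_grant_then_wipe(SAMPLE_EVENTS):
        print(f"ALERT: {alert['account']} got {alert['role']} from {alert['granted_by']} "
              f"and issued {alert['wipe_count']} wipe/retire actions within 24h: {alert['devices']}")
```

The correlation is intentionally narrow: it only fires when the grant and the wipes land in the same log stream and the wipes come from the account that was just elevated. In a tenant where Multi Admin Approval is enforced for wipes, the same events would also carry an approval record, and its absence for a high-volume wipe burst is a second signal worth alerting on.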
CISA said it worked with both Microsoft and Stryker ahead of the advisory, and that both organizations contributed to the guidance. Microsoft, in its own post, said Intune "gives IT and security teams a powerful way to manage endpoints at scale -- deploying apps, enforcing security baselines, and configuring the settings that keep users productive." That administrative reach, the company said, is why stronger protections are essential.