Breaking: Stryker Wiper Attack and SharePoint Exploitation — 19 March 2026
Stryker Wiper Attack: Iranian-Linked Hackers Used Microsoft Intune to Wipe 80,000 Devices — Healthcare Sector on Alert
On March 11, an Iranian-linked hacktivist group called Handala breached medical technology giant Stryker Corporation and used Microsoft Intune's built-in device wipe command to remotely erase approximately 80,000 devices. The attackers first compromised an administrator account, created a new Global Administrator account under their control, then issued mass wipe commands through Intune itself — Microsoft's cloud-based endpoint management platform used by virtually every enterprise Microsoft shop. Handala claims to have exfiltrated 50 terabytes of data before triggering the wipe.
The consequences for patients are confirmed and documented. Bloomberg reported on March 18 that Stryker's inability to deliver personalised surgical inventory has resulted in rescheduled procedures. Surgeries delayed. Real healthcare harm from a nation-state proxy operation.
CISA responded today (March 19) with an alert urging all U.S. organisations to harden Microsoft Intune configurations immediately. The agency's guidance is direct: implement least-privilege RBAC for admin roles, enforce MFA and Conditional Access via Microsoft Entra ID, and — critically — require multi-admin approval for sensitive actions including device wipes, application updates, and RBAC modifications. That last control would have stopped this attack in its tracks.
CVE-2026-20963: SharePoint Deserialization Flaw Now Actively Exploited
Compounding the picture, CISA added CVE-2026-20963 to its Known Exploited Vulnerabilities catalogue on March 18 with a federal remediation deadline of March 21 — a three-day window that signals genuine urgency. The vulnerability is a deserialization of untrusted data flaw in Microsoft SharePoint Server (2016, 2019, and Subscription Edition) rated CVSS 9.8. Exploitation allows an unauthenticated attacker to execute arbitrary code over the network. No public proof-of-concept has been released, but confirmed in-the-wild exploitation is sufficient for KEV inclusion.
SharePoint sits in the middle of most enterprise collaboration architectures. A successful exploit provides a foothold in document libraries, workflows, and — in many environments — a path to broader Active Directory access.
What This Means for CISOs
Two distinct but related actions are required.
On the Intune side: review your Global Administrator accounts today. How many exist? Who created them? When were they last audited? Require multi-admin approval for all device wipe commands — Microsoft's own documentation explains how. If you cannot answer basic questions about who can issue a mass device wipe in your environment, this week is the week to find out.
On SharePoint: patch CVE-2026-20963 immediately. Federal agencies have until March 21. That deadline applies to you in practice whether or not you are a government entity — KEV inclusions reflect real attack activity. If on-premises SharePoint is in your estate, treat this as a P1. If you have migrated entirely to SharePoint Online, verify your configuration and check Microsoft's advisory for cloud-specific guidance.
The Stryker attack is also a signal about threat actor willingness to cause direct harm. Handala is an Iranian-linked group with a track record of destructive operations. Using enterprise management tooling to wipe devices at scale is not ransomware — there is no negotiation, no recovery path from a backup. The objective is maximum disruption. Healthcare organisations in particular should review who can issue remote wipe commands in their endpoint management platforms, not just in Intune but in any MDM or EMM solution in their estate.
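The review the CISA guidance and the paragraphs above call for (who was added to Global Administrator, and who is issuing wipe commands) can be turned into a standing detection rather than a one-off audit. The following Python is an added example written for this briefing, not Stryker's, Microsoft's or CISA's code. It replays audit events in a constructed, simplified JSON-lines schema (the field names `actor`, `operation`, `role`, `member` and `device` are assumptions, not Microsoft's real export format) and flags two things: any addition to the Global Administrator role, and any single actor issuing a burst of device wipes, escalated to critical when that actor was promoted shortly beforehand. The same logic applies to the audit export of any MDM or EMM platform once the fields are mapped.

```python
"""Added detection example: correlate Global Administrator role additions with
bursts of device wipe commands in Entra ID / Intune-style audit events.
The JSON-lines schema below is a constructed simplification for illustration,
not Microsoft's actual audit log format."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one role escalation, a wipe burst from the newly
# promoted account, and one routine wipe by a long-standing operator.
SAMPLE_LOG = "\n".join([
    '{"ts": "2026-03-11T01:02:00+00:00", "actor": "helpdesk-admin@example.test", "operation": "AddMemberToRole", "role": "Global Administrator", "member": "svc-sync2@example.test"}',
    '{"ts": "2026-03-11T01:15:00+00:00", "actor": "svc-sync2@example.test", "operation": "WipeDevice", "device": "dev-0001"}',
    '{"ts": "2026-03-11T01:15:05+00:00", "actor": "svc-sync2@example.test", "operation": "WipeDevice", "device": "dev-0002"}',
    '{"ts": "2026-03-11T01:15:09+00:00", "actor": "svc-sync2@example.test", "operation": "WipeDevice", "device": "dev-0003"}',
    '{"ts": "2026-03-11T01:15:14+00:00", "actor": "svc-sync2@example.test", "operation": "WipeDevice", "device": "dev-0004"}',
    '{"ts": "2026-03-11T01:15:20+00:00", "actor": "svc-sync2@example.test", "operation": "WipeDevice", "device": "dev-0005"}',
    '{"ts": "2026-03-11T09:30:00+00:00", "actor": "it-ops@example.test", "operation": "WipeDevice", "device": "dev-4410"}',
])


def parse_events(text):
    """Parse JSON lines into dicts, converting 'ts' to a datetime; sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect(events, burst_window=timedelta(minutes=10), burst_threshold=5,
           promotion_lookback=timedelta(hours=24)):
    """Return findings for (1) any Global Administrator addition and (2) any actor
    issuing >= burst_threshold wipes inside burst_window. A wipe burst from an
    account promoted within promotion_lookback is rated critical."""
    findings = []
    promoted_at = {}                   # member UPN -> time added to Global Administrator
    recent_wipes = defaultdict(deque)  # actor -> wipe timestamps inside burst_window
    burst_reported = set()             # actors already flagged, to avoid duplicate alerts
    for e in events:
        if e["operation"] == "AddMemberToRole" and e.get("role") == "Global Administrator":
            promoted_at[e["member"]] = e["ts"]
            findings.append({"rule": "global_admin_added", "severity": "high",
                             "actor": e["actor"], "member": e["member"], "ts": e["ts"]})
        elif e["operation"] == "WipeDevice":
            q = recent_wipes[e["actor"]]
            q.append(e["ts"])
            # Drop wipes that fell out of the sliding window.
            while q and e["ts"] - q[0] > burst_window:
                q.popleft()
            if len(q) >= burst_threshold and e["actor"] not in burst_reported:
                burst_reported.add(e["actor"])
                promo = promoted_at.get(e["actor"])
                recently_promoted = promo is not None and e["ts"] - promo <= promotion_lookback
                findings.append({"rule": "mass_wipe",
                                 "severity": "critical" if recently_promoted else "high",
                                 "actor": e["actor"], "wipes_in_window": len(q),
                                 "recently_promoted": recently_promoted, "ts": e["ts"]})
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The thresholds are deliberately conservative: five wipes in ten minutes from one identity is well above what routine device offboarding produces, and in an environment with multi-admin approval enforced the `mass_wipe` rule should never fire at all, which makes it a useful canary that the approval control is actually in place.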