Microsoft Intune administrative control weaknesses exploited in Stryker breach leading to mass device wipes
Summary
A pro-Palestinian hacktivist group named Handala (also tracked as Handala Hack Team, Hatef, or Hamsa) compromised Microsoft Intune administrative controls at Stryker Corporation, a U.S.-based medical technology firm, on March 11, 2026. After breaching an existing administrator credential, the attackers created a new Global Administrator account, stole approximately 50 terabytes of data, and executed device wipes across nearly 80,000 systems via Intune’s built-in wipe command. Microsoft published hardening guidance for Intune days after the breach, and CISA subsequently mandated it for all U.S. organizations to mitigate similar risks. The attack highlights the risks of excessive administrative privileges and insufficient privileged access hygiene in cloud-based endpoint management platforms.
Timeline
- 19.03.2026 13:02 · 1 article
Stryker breach via Microsoft Intune leads to mass device wipes and prompts CISA hardening advisory
On March 11, 2026, Handala compromised Stryker Corporation’s Microsoft Intune environment, creating a Global Administrator account after breaching an existing admin credential. The attackers exfiltrated approximately 50 terabytes of data and executed a mass device wipe affecting nearly 80,000 systems. Microsoft issued hardening guidance for Intune days after the incident, and CISA responded with an advisory requiring U.S. organizations to implement least-privilege access, MFA, privileged access hygiene, and multi-admin approval for sensitive actions such as device wipes and RBAC changes.
Source: CISA urges US orgs to secure Microsoft Intune systems after Stryker breach — www.bleepingcomputer.com — 19.03.2026 13:02
Information Snippets
- Handala, an Iranian-linked pro-Palestinian hacktivist group active since December 2023, claimed responsibility for the attack on Stryker Corporation.
  First reported: 19.03.2026 13:02 · 1 source, 1 article
  Source: CISA urges US orgs to secure Microsoft Intune systems after Stryker breach — www.bleepingcomputer.com — 19.03.2026 13:02
- Attackers compromised an existing administrator account and created a new Global Administrator account within Microsoft Intune to execute the intrusion.
  First reported: 19.03.2026 13:02 · 1 source, 1 article
  Source: CISA urges US orgs to secure Microsoft Intune systems after Stryker breach — www.bleepingcomputer.com — 19.03.2026 13:02
- The intruders exfiltrated approximately 50 terabytes of data prior to deploying a mass device wipe affecting nearly 80,000 systems via Microsoft Intune’s built-in wipe command on March 11, 2026.
  First reported: 19.03.2026 13:02 · 1 source, 1 article
  Source: CISA urges US orgs to secure Microsoft Intune systems after Stryker breach — www.bleepingcomputer.com — 19.03.2026 13:02
- Microsoft published hardening guidance for Intune administrative controls days after the Stryker breach, emphasizing least-privilege access, MFA enforcement, and multi-admin approval for sensitive actions.
  First reported: 19.03.2026 13:02 · 1 source, 1 article
  Source: CISA urges US orgs to secure Microsoft Intune systems after Stryker breach — www.bleepingcomputer.com — 19.03.2026 13:02
- CISA issued an advisory urging all U.S. organizations to harden endpoint management systems, including Microsoft Intune, using least-privilege RBAC, MFA, and multi-admin approval for critical operations such as device wipes.
  First reported: 19.03.2026 13:02 · 1 source, 1 article
  Source: CISA urges US orgs to secure Microsoft Intune systems after Stryker breach — www.bleepingcomputer.com — 19.03.2026 13:02
- Handala has previously targeted Israeli organizations with data-wiping malware for Windows and Linux systems.
  First reported: 19.03.2026 13:02 · 1 source, 1 article
  Source: CISA urges US orgs to secure Microsoft Intune systems after Stryker breach — www.bleepingcomputer.com — 19.03.2026 13:02