A US Fortune 300 company with 56,000 employees and USD$25 billion in revenue just had tens of thousands of devices remotely wiped in a matter of hours. The attack vector wasn’t exotic, and the defences that could have stopped it are available to businesses of every size, including yours.
On 11 March 2026, Stryker Corporation — one of the world’s largest medical technology companies — suffered a devastating cyberattack that brought its global Microsoft environment to its knees. Manufacturing halted. Shipping stopped. Employees across 79 countries were told to disconnect from all networks and not turn on their company-issued devices. Many watched their laptops and phones being wiped in real time.
The attack was claimed by Handala, a group linked by multiple intelligence firms to the Iranian Ministry of Intelligence and Security. It wasn’t ransomware. It was something arguably worse: a deliberate, destructive operation designed to cause maximum damage with no financial motive.
The Scale of What Happened
The suspected attack vector was Microsoft Intune — Stryker’s own mobile device management platform. Researchers at Arctic Wolf indicated that attackers likely used Intune to remotely issue mass factory-reset commands to enrolled corporate endpoints globally. In other words, the attackers turned Stryker’s own security tools against it.
How Could This Happen to a Company That Size?
This is the question every business leader should be asking — because the uncomfortable answer is: the same way it could happen to you. Stryker is a sophisticated, well-resourced Fortune 300 organisation. They had cybersecurity teams, policies, business continuity plans, and enterprise tooling. And yet attackers were able to gain access to administrative systems and use them destructively at scale.
Credentials Were the Entry Point
Security researchers believe malware-stolen credentials were used to gain initial access. Once attackers had valid credentials, they could move through systems with alarming legitimacy.
Admin Tools Became Weapons
Attackers exploited Microsoft Intune — a legitimate IT management platform — to issue mass device wipe commands. No custom malware needed. Destruction was carried out using tools the company already trusted.
This Isn’t Just a Big-Company Problem
Attacks like this are driven by geopolitical motives, not target size. State-linked threat actors cast wide nets, and the tools used against Stryker — phishing, credential theft, and admin platform abuse — are the same tools used against small and mid-sized businesses every day. The difference is that smaller organisations typically have fewer layers of defence when those tools succeed.
Two Defences That Matter Most
The Stryker incident is a clear reminder that cyber resilience isn’t about having the biggest budget — it’s about having the right controls in the right places. Based on how this attack unfolded, here are the two things we’d prioritise for every business we work with:
Standard SMS or app-based MFA can be bypassed by sophisticated attackers. Phishing-resistant MFA — such as FIDO2 hardware keys or Microsoft’s passkey-based authentication — is significantly harder to defeat even when credentials are stolen. If attackers had faced this barrier at Stryker, stolen credentials alone wouldn’t have been enough to get them through the door.
The Stryker wipe was executed using administrative tools. Requiring a second authorised administrator to approve high-impact actions — like bulk device wipes, mass policy changes, or privilege escalation — introduces a critical human checkpoint. One compromised admin account shouldn’t be enough to cause catastrophic damage. This control is available in Microsoft Intune and Entra ID today.
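As an added illustration (not from the original article, and not Stryker's or Microsoft's code), the Python example below shows the audit-side counterpart of this control: it scans device-action records for bursts of wipe commands issued by one admin account with no distinct second approver. The record fields, account names, threshold and time window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (time, actor, action, device, approver).
# The field layout is hypothetical, not a real Intune audit export schema.
_ROWS = [
    ("2026-03-11T02:00:05", "admin-a@example.com", "wipe", "LT-001", None),
    ("2026-03-11T02:00:40", "admin-a@example.com", "wipe", "LT-002", None),
    # Self-approval: the approver is the same account, so it must not count.
    ("2026-03-11T02:01:10", "admin-a@example.com", "wipe", "PH-003", "admin-a@example.com"),
    ("2026-03-11T02:01:55", "admin-a@example.com", "wipe", "LT-004", None),
    ("2026-03-11T02:03:00", "admin-a@example.com", "sync", "LT-005", None),
    # Wipes approved by a second administrator.
    ("2026-03-11T09:00:00", "admin-b@example.com", "wipe", "LT-010", "admin-c@example.com"),
    ("2026-03-11T09:00:30", "admin-b@example.com", "wipe", "LT-011", "admin-c@example.com"),
    ("2026-03-11T09:01:00", "admin-b@example.com", "wipe", "LT-012", "admin-c@example.com"),
    # Isolated unapproved wipes, hours apart: routine, below the threshold.
    ("2026-03-11T10:00:00", "admin-d@example.com", "wipe", "LT-020", None),
    ("2026-03-11T14:00:00", "admin-d@example.com", "wipe", "LT-021", None),
]
KEYS = ("time", "actor", "action", "device", "approver")
SAMPLE_EVENTS = [dict(zip(KEYS, row)) for row in _ROWS]


def single_admin_wipe_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor: peak count} for accounts that issued `threshold` or more
    wipes inside `window` without approval from a different account."""
    recent = defaultdict(deque)  # actor -> timestamps of unapproved wipes in window
    peaks = {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["action"] != "wipe":
            continue
        approver = ev.get("approver")
        if approver and approver != ev["actor"]:
            continue  # a second person signed off on this action
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ev["actor"]]
        q.append(ts)
        while ts - q[0] > window:  # drop wipes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ev["actor"]] = max(peaks.get(ev["actor"], 0), len(q))
    return peaks


if __name__ == "__main__":
    for actor, count in single_admin_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} issued {count} unapproved wipes within the window")
```

A burst flagged this way is exactly the pattern a second-approver requirement is meant to block before it executes, so the check is useful both for verifying that the approval policy is actually enforced and for alerting where it is not yet in place.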
Don’t Wait for Your Own Incident
Technicalities can review your current MFA setup and admin approval policies, and help you close the gaps before someone else finds them.