CISA Advises U.S. Organizations to Harden Microsoft Intune Following Stryker Data Wiping Attack
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging U.S. organizations to strengthen administrative controls for the Intune endpoint management tool, following the Iran-linked cyberattack on the medical technology company Stryker. The Stryker cyberattack was conducted by a threat actor called Handala – a hacktivist group with links to Iran’s Ministry of Intelligence and Security.
Handala claimed to have exfiltrated 50 terabytes of data in the attack before wiping data, and has claimed that it deleted 12 petabytes of data from 200,000 devices. Wiper malware was not required: Handala used the built-in wipe command of the Intune cloud-based endpoint management tool to wipe Windows devices, including mobile phones and laptops. According to Bleeping Computer, a source familiar with the incident said that Handala compromised an administrator account and created a new Global Administrator account, which was then used to wipe the data.
At the time of writing, the military action against Iran is continuing, and Iran has issued threats of retaliation. Retaliation is likely to include further cyberattacks on U.S. companies as well as a military response. “CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026, cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment,” explained CISA in its March 18, 2026, alert. Consequently, CISA is recommending that organizations harden their endpoint management system configurations by following Microsoft’s recommendations.
Microsoft’s guidance centers on three main actions to harden Intune. The first is adopting a least-privilege approach for admin roles, assigning only the permissions needed for day-to-day operations through Intune role-based access control (RBAC). The second is enforcing phishing-resistant multifactor authentication and privileged access hygiene, including using Microsoft Entra ID capabilities to block unauthorized access to privileged actions in Microsoft Intune. The third is configuring access policies that require multiple admin approvals: policies should require approval from a second administrative account before sensitive or high-impact actions are carried out, such as wiping devices and changing applications, scripts, RBAC, and configurations.
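The attack chain described above hinged on a compromised admin creating a new Global Administrator account, which is exactly the kind of privileged-role change an organization hardening Intune should be alerting on. The following detection is an added example, not code from CISA, Microsoft, or the article; it assumes Entra ID directory-audit records in the Microsoft Graph directoryAudit shape (activityDisplayName, initiatedBy, targetResources), uses a constructed sample log, and treats the approved_admins set as an organization-specific allowlist of accounts permitted to assign roles.

```python
import json

# Constructed sample of Microsoft Entra ID directory-audit records, assumed to follow
# the Graph directoryAudit schema (activityDisplayName, initiatedBy, targetResources).
# Not real log data from the Stryker incident.
SAMPLE_AUDIT_LOG = [
    {"activityDisplayName": "Add member to role", "category": "RoleManagement",
     "result": "success", "activityDateTime": "2026-03-11T02:14:07Z",
     "initiatedBy": {"user": {"userPrincipalName": "it-admin@example.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "svc-new@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Add member to role", "category": "RoleManagement",
     "result": "success", "activityDateTime": "2026-03-11T09:30:00Z",
     "initiatedBy": {"user": {"userPrincipalName": "pim-owner@example.com"}},
     "targetResources": [{"type": "User", "userPrincipalName": "helpdesk@example.com",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Helpdesk Administrator\""}]}]},
]

# Roles whose holders can wipe devices or change RBAC in Intune.
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator",
                    "Privileged Role Administrator"}


def privileged_role_grants(records, approved_admins):
    """Return one alert per successful assignment of a privileged directory role.
    Grants made by an account outside approved_admins (the accounts allowed to assign
    roles under the organization's approval process) are rated high, others medium."""
    alerts = []
    for rec in records:
        if (rec.get("category") != "RoleManagement" or rec.get("result") != "success"
                or rec.get("activityDisplayName") != "Add member to role"):
            continue
        # initiatedBy.user is null for app-initiated changes, so guard each level
        actor = ((rec.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName", "<unknown>")
        for target in rec.get("targetResources", []):
            for prop in target.get("modifiedProperties", []):
                if prop.get("displayName") != "Role.DisplayName":
                    continue
                role = json.loads(prop.get("newValue") or '""')  # newValue is a JSON-encoded string
                if role in PRIVILEGED_ROLES:
                    alerts.append({"time": rec.get("activityDateTime"), "actor": actor,
                                   "target": target.get("userPrincipalName"), "role": role,
                                   "severity": "high" if actor not in approved_admins else "medium"})
    return alerts
```

Run over an export of the directory audit log, a high-severity alert here is the signal to confirm the grant through the second-approver process before the new account can issue wipe commands.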
According to the Palo Alto Networks Unit 42 team, there has been an increase in cyberattacks related to the war with Iran, including data wiping attacks and data theft. While the attack on Stryker involved misuse of Intune to wipe data, Iran-linked threat groups commonly use wiper malware in their offensive cyber operations, and Unit 42 has observed Iran-nexus hacking groups and hacktivist groups increasing both wiper attacks and spear phishing attacks. In addition to hardening Intune security, organizations should patch promptly, maintain robust data backup systems, and have a tested disaster recovery and business continuity plan that covers data wiping attacks.


