Enterprise Resiliency Plans Can’t Ignore UEM

On March 11, media reports indicated that an Iranian-linked hacktivist organization, Handala, claimed to have successfully attacked Stryker Corporation, a Fortune 500 medical device manufacturer. The group also claims to have wiped 200,000 systems and stolen 50 terabytes of data. Unnamed employees on social media said there were widespread network outages and that any user who had Microsoft Office on their personal phones had their devices wiped. In addition, Stryker released a message publicly to customers stating that the attack affected its Microsoft environment. Based on statements from the group claiming responsibility, this cyberattack is a response to the ongoing conflict between the US and Iran and is part of the escalating digital warfare that’s taking place as part of the broader conflict.

So far, Stryker hasn’t released any details about the attack publicly. Reports, however, indicate that this may be wiper malware. Wiper malware can masquerade as ransomware but destroy the victim’s data instead of encrypting it, making recovery more challenging.

Analysis so far also points to the attackers gaining access to Stryker’s mobile device management (MDM) and unified endpoint management (UEM) platform, then being able to extract information and force a system-level wipe and reset on any managed devices. This allegedly impacted personal users who were using their own devices that were registered with the MDM/UEM platform, Microsoft Intune. Please note that this does not necessarily signal a vulnerability with Intune itself. It’s far more likely that the attackers leveraged Intune in a living off the land-style attack, where the attacker uses native tools and processes within the environment to either collect or create an administrative login or is able to exploit those native tools to take administrative-level actions.

Why It Matters

MDM/UEM platform compromises are rare but not new. A recent attack on the European Commission this past January led to an attacker extracting personal information such as names and phone numbers. Malicious actors attacked a multinational conglomerate in 2020, using the MDM to deploy the Cerberus banking trojan. This attack looks different, as the malicious actors had more than data-level access to the platform or app deployment capabilities and were able to utilize administrator-level controls, such as sending wipe commands to managed devices.

Management platforms like MDM/UEM are “keys to the kingdom” systems, as they’re used across enterprises to manage, secure, and monitor the endpoints where users work. While commonly used for desktops and mobile devices, more systems like wearables and browsers are being covered by these platforms. MDM/UEMs allow for centralized control of not just the endpoints but can also bring in app delivery, configure privileged access, deliver certificates, or even get down to BIOS-level controls. A compromise of these platforms has extensive ramifications, as attackers can extract data and wipe devices but can also deploy scripts, relax permissions, and establish command-and-control (C&C) points within the infrastructure. These C&C points are less likely to be detected as malicious, as they’re deployed through normal management channels. From there, attackers could gain access to other corporate data than what is stored locally on the users’ endpoints.

Many enterprises use bring-your-own-device (BYOD) programs. BYOD devices are usually controlled by the MDM/UEM platform, which would give the attacker access to control that endpoint. This could allow them the same level of control as they have on corporate devices, giving them access to personal information as well as corporate info. This makes access to these devices a valuable commodity for malicious actors to sell on hacker marketplaces or to extort individuals.

A common part of the agreement for users enrolling in their company’s BYOD program is that the business retains the right to control, lock, and partially or fully wipe the device in the event of a security incident. This can mean employees can lose access to their personal files on the device and are responsible for regular backups of those files.

The wiping of devices, either corporate- or employee-owned, also highlights a current challenge in enterprises today where data management and security leaders want all business data to be centralized so that it’s easier to control and protect. Yet a lot of data winds up on users’ devices and may never make it to centralized storage. When one system fails, discovering what data was lost and the impact to the business is a challenge, but when 200,000 are wiped, this discovery takes much longer, and it may be some time before the business learns what was truly lost.

What To Do

Based on the claims of the attackers taking responsibility for the cyberattack and their stated reason, the attack appears to be geopolitically motivated. Stryker is a uniquely valuable target for a pro-Iran attacker: It is a publicly traded US company with large contracts with the US military for medical devices, and it has at least one company based in Israel, OrthoSpace Ltd., under its umbrella.

Know The Threat Environment And Prepare

While Stryker may not have been an overt target for a pro-Iran hacker group a month ago, the geopolitical situation is extremely chaotic this year, and the situation has fundamentally changed. The US has been very public about its intent to use cyberattacks more in offensive operations, even outlining this goal in its 2026 cyber strategy for America. To prepare for this, organizations must hold regular (at least once a quarter or more often, depending on resources) geopolitical risk conversations that involve the security team so that they can keep up to date on the latest geopolitical changes and the new attacker groups that may be more inclined to target them.

Companies that think they aren’t likely targets should assess traits such as their country of origin, location of operations, relationship with groups and governments around the world, and the latest threat intelligence about groups that might target them. Examine the tactics, techniques, and procedures of these groups to identify and close potential security posture gaps.

Examine Potential Attack Vectors

While the impacted devices appear restricted to those under MDM/UEM management, it’s imperative that all systems within the enterprise are scanned to look for tools that the threat actors can use to gain access to other data, as well as access to other systems such as those within the operational technology/industrial control system networks where Stryker develops and manufactures its devices.

Understand Your Impact

Stryker has not yet publicly shared any details beyond its Microsoft systems being disrupted. The best course of action is to contact your Stryker account team to find out what details they have available now and learn what their course of action is to communicate with you on the state of things. According to Stryker, its “connected products are not impacted and are fully safe to use.” Pay attention as the company learns more about the nature of the attack.

Users impacted by attacks impacting personal devices such as via the Stryker incident need to know what data may have been extracted. Watch for notices from your employer for more details on what data the attackers accessed. If the threat actor extracted data from BYOD devices, this could mean that anything from personal photos to bank statements on your device were extracted. Also, because of the level of control that MDM/UEM platforms have on managed endpoints, it’s possible that website access tokens and digital certificates could also have been extracted but not the credentials themselves. As a precaution, while the investigation is ongoing, change your passwords for applications and websites you may have been using from your BYO device.

Incidents like this one show the inherent risk of allowing work software on personal devices. It’s worth strongly considering if you would be better off using work-provisioned devices or separate devices solely dedicated to work instead of mixing personal and corporate. This is also an opportunity for risk reduction for the business — BYOD devices are inherently more risky.

Key Takeaways From The Incident

Incidents like this expose attacker techniques and illustrate how attackers may target others, highlighting gaps in many enterprise data resilience strategies. Some actions for all enterprises to take include:

Reviewing access controls to our management platforms like MDM/UEM.
Restricting access to enterprise management systems using phishing-resistant multifactor authentication to ensure that compromised credentials alone don’t allow access.
Configuring destructive actions, such as wiping, to utilize functions such as multi admin approval, which ensures that a single compromised admin account cannot take these actions alone.

The expectation that the only useful infrastructure and data for an organization lives in a data center or cloud environment falls apart in a world where employees are working remotely or where embedded devices and terminals are running full operating systems vulnerable to widespread attacks. Enterprises should make sure that if an attacker is able to compromise a control plane like Intune or execute a malware attack with something like wiper, they can recover those devices quickly or at least get employees and customers access to their data.

We’re closely watching this incident and will continue to share our insight as details emerge and we get definitive answers on what data may have been lost and other particulars that exposed how this attack took place.