Stryker hacked via Intune

Iran‑linked attackers disrupted Stryker by abusing Microsoft Intune’s remote-management tools to wipe thousands of devices without malware, prompting U.S. agencies to urge firms to secure Microsoft endpoint tools immediately. The incident exposed how legitimate admin features can be weaponized against supply chains and critical medical operations. (reuters.com) (dig.watch)

On March 11, 2026 Stryker disclosed in a Form 8‑K that it detected a cybersecurity incident, activated its incident response plan, engaged external advisors and cybersecurity experts, and believed the event was contained while investigations continued. (sec.gov)

The pro‑Iran hacktivist group Handala publicly claimed responsibility and posted that it erased more than 200,000 corporate and personal devices and extracted roughly 50 terabytes of data as retaliation for a reported strike in Minab, Iran. (obsidiansecurity.com) (krebsonsecurity.com) Independent security reporting places the scale of device wipes between “tens of thousands” and the group’s claim of 200,000 devices, with analysts flagging the operation as a management‑tool‑driven destructive action rather than traditional endpoint malware. (bleepingcomputer.com) (pcmag.com)

On March 18–19 the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert saying it was aware of malicious activity targeting endpoint management systems and urging organizations to harden Microsoft Intune configurations and follow Microsoft’s recommended controls. (cisa.gov) (reuters.com) Microsoft’s published Intune hardening guidance and security baselines emphasize applying Zero Trust controls, protecting administrative identities, separating administrative and user accounts, enforcing conditional access and privileged access workflows, and deploying Intune security baseline profiles across enrolled devices. (learn.microsoft.com)

Stryker’s customer notices and filings said the disruption affected access to Microsoft‑based systems that support ordering, manufacturing and shipping while core transactional systems were put on a “clear path to full recovery” as restoration progressed and the company reported no indication of ransomware or malware. (stryker.com) (sec.gov)
