CISA urges tighter control over endpoint management after a high-impact enterprise attack.
The Cybersecurity and Infrastructure Security Agency has issued a new alert urging organizations to harden their endpoint management systems after a recent cyberattack on Stryker exposed critical security gaps. The advisory highlights how weaknesses in administrative controls can be exploited to carry out large-scale disruptions without deploying traditional malware.
According to CISA, the attack began with the compromise of privileged administrative access within the victim organization’s Microsoft cloud environment. Once the attackers held elevated permissions, they could interact directly with the organization’s endpoint management platform, using it as a trusted administrative interface rather than as an external intrusion point. Operating inside normal management workflows in this way reduced the likelihood of immediate detection.
After establishing administrative control, the attackers abused built‑in endpoint management capabilities to carry out high‑impact actions at scale. They leveraged legitimate features, such as remote device management and wipe functions, to disrupt a large number of systems simultaneously.
Stryker explained that the attackers did not rely on malicious software such as malware or ransomware. Instead, they took advantage of the access they had already gained inside Stryker’s internal environment. The hackers used legitimate administrative functions to remotely erase data from a large number of devices by accessing the company’s Microsoft Intune management consoles. This included not only corporate systems but also employees’ personal phones and computers that were enrolled in or connected to Stryker’s network.
Following the incident, Stryker stated that it had contained the attack and begun the process of restoring affected systems. The company emphasized that its medical devices continue to operate safely, but acknowledged that key business systems remain unavailable. Stryker has not shared an expected timeline for full recovery.
Organizations are advised to strengthen the security of their endpoint management systems by reducing the risk of administrative abuse. A key recommendation is to apply least‑privilege access, so that administrators hold only the permissions required for their specific roles. Organizations should also use role‑based access control (RBAC) to limit how far an attacker can move if an account is compromised, and should enforce phishing‑resistant multi‑factor authentication (MFA) together with stronger privileged access controls through identity platforms (such as conditional access policies and risk‑based authentication) to prevent unauthorized use of high‑level accounts.
CISA also recommends placing safeguards around the most sensitive and high‑impact administrative actions. This includes enabling multi‑admin approval for operations like device wiping, configuration changes, application deployments, and script execution. Moreover, organizations are encouraged to apply these same security principles across all endpoint management tools and adopt zero‑trust design practices.
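The incident and the recommendations above share one detection-side lesson: a legitimate wipe is a low-volume action issued by a small set of approved roles, so a burst of wipes from one account, or a wipe from an account outside the approved role, is the signal to alert on. The script below is an added example, not code from CISA, Stryker, or Microsoft. It runs over a constructed set of audit records whose field names (`time`, `action`, `actor`, `device`) are an assumed, simplified shape rather than a documented Intune export format; adapt the field mapping to whatever your endpoint management platform actually emits.

```python
"""Flag bulk or unapproved remote-wipe activity in endpoint-management audit logs.

Added example for illustration; the record layout below is a constructed,
assumed shape and is not a documented MDM audit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (assumed field names).
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:00:05Z", "action": "wipe", "actor": "helpdesk@corp.example", "device": "dev-001"},
    {"time": "2024-01-15T09:31:40Z", "action": "wipe", "actor": "helpdesk@corp.example", "device": "dev-002"},
    {"time": "2024-01-15T09:40:00Z", "action": "syncDevice", "actor": "helpdesk@corp.example", "device": "dev-003"},
    {"time": "2024-01-16T02:10:00Z", "action": "wipe", "actor": "svc-mdm-admin@corp.example", "device": "dev-101"},
    {"time": "2024-01-16T02:10:12Z", "action": "wipe", "actor": "svc-mdm-admin@corp.example", "device": "dev-102"},
    {"time": "2024-01-16T02:10:25Z", "action": "wipe", "actor": "svc-mdm-admin@corp.example", "device": "dev-103"},
    {"time": "2024-01-16T02:11:01Z", "action": "wipe", "actor": "svc-mdm-admin@corp.example", "device": "dev-104"},
    {"time": "2024-01-16T02:11:30Z", "action": "wipe", "actor": "svc-mdm-admin@corp.example", "device": "dev-105"},
    {"time": "2024-01-16T02:12:45Z", "action": "wipe", "actor": "svc-mdm-admin@corp.example", "device": "dev-106"},
    {"time": "2024-01-16T11:05:00Z", "action": "wipe", "actor": "contractor@corp.example", "device": "dev-200"},
]

# Constructed allowlist: the roles/accounts permitted to issue wipes (least privilege / RBAC).
APPROVED_WIPE_ADMINS = frozenset({"helpdesk@corp.example", "svc-mdm-admin@corp.example"})


def parse_time(stamp: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def bulk_wipe_alerts(events, threshold=5, window=timedelta(minutes=10), approved=frozenset()):
    """Return alerts for (a) wipes by actors outside the approved set and
    (b) any actor issuing >= threshold wipes inside a sliding time window."""
    wipes_by_actor = defaultdict(list)
    alerts = []

    for event in events:
        if event["action"] != "wipe":
            continue
        wipes_by_actor[event["actor"]].append(parse_time(event["time"]))
        # Least-privilege check: a wipe from an account that should not hold that right.
        if approved and event["actor"] not in approved:
            alerts.append({"kind": "unapproved_actor", "actor": event["actor"],
                           "device": event["device"], "time": event["time"]})

    # Rate check: densest window of wipes per actor (two-pointer sliding window).
    for actor, times in wipes_by_actor.items():
        times.sort()
        start, best, best_span = 0, 0, None
        for end, current in enumerate(times):
            while current - times[start] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, best_span = count, (times[start], current)
        if best >= threshold:
            alerts.append({"kind": "bulk_wipe", "actor": actor, "count": best,
                           "first": best_span[0].isoformat(), "last": best_span[1].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in bulk_wipe_alerts(SAMPLE_EVENTS, approved=APPROVED_WIPE_ADMINS):
        print(alert)
```

Two helpdesk wipes half an hour apart produce nothing; six wipes from one service account inside three minutes trip the rate check, and a single wipe from an account outside the approved set trips the role check regardless of volume. In a production pipeline the same two checks map naturally onto the advisory's controls: the allowlist is the RBAC scope for the wipe right, and the rate alert is the point at which multi‑admin approval should already have blocked the action.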