

What is the Stryker cyber attack and why should schools be wary?

On March 11, threat actors breached Stryker's network via a unique cyber attack. Although data was removed and devices were then wiped, it is the method of entry into Stryker's network that is key to improving your own cyber resilience.

What happened?

⚠️ Over 200,000 systems and devices were reportedly wiped clean and reset within minutes.

⚠️ Many employees watched their devices get wiped in real time.

⚠️ Login screens were defaced with Handala's logo and propaganda messages.

⚠️ The attackers claimed to have stolen 50 terabytes of data during the breach.

⚠️ No ransom was demanded - it was a state-aligned hacktivist operation.

⚠️ The organisation allowed BYOD, so an unknown device was able to access an admin tool.

Why is this different?

✅ A change in tactics by threat groups linked to nation-states, using sabotage rather than ransomware or espionage.

✅ Trusted administrative tools were exploited, which is harder to detect.

✅ The same technique could be used to compromise a service provider's remote management tools.

How does this align with what we do?

⚙️ It is thought that the attackers likely used Microsoft Intune to gain access.

⚙️ By gaining access, the attackers were able to remotely wipe thousands of connected devices.

How can we protect our devices?

🛡️ Implement privileged access management and multi-factor authentication for any action that affects endpoint devices.

🛡️ Ensure your IT teams have immutable backups that are physically and logically separated from the main network, ensuring that if there is an attack on the live environment, a clean copy of critical data remains protected.

🛡️ Regularly audit third-party integrations and third-party providers.

🛡️ Regularly practise table-top exercises to test your cyber resilience.

What do we need to do now?

Phishing-Resistant MFA: Check that MFA is set up and is phishing-resistant for admin accounts.

Privileged Identity Management: Document your admin rights procedures: admins should have standard user rights by default and then elevate to admin status only when needed, for a limited time.

Conditional Access: Ensure policies allow administrative logins only from compliant, company-managed hardware and known, trusted IP addresses.

Multi-admin approval: enable dual custody for destructive actions, so there is a second administrator to approve any Wipe, Retire or Bulk Script command.

Wipe threshold alerts: configure alerts to trigger if more than a small percentage of devices receives a wipe command.

Immutable Backups: ensure your critical backups are away from your live system.

Air-Gapped Recovery: maintain a recovery vault that is not logically connected to your main cloud tenant.

Break-Glass Accounts: maintain two emergency-only Global admin accounts with complex passwords stored in a physical safe, excluded from standard MFA.

Monitor: set up network monitoring and alert systems.

Tabletop Exercises: regularly simulate a cyber event/incident and modify with any new cyber threat information you receive.
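The "Wipe threshold alerts" and "Monitor" items above describe a detective control. The following script is an added example (it is not code from the page, from DPE or from Microsoft) that shows the logic such an alert needs: it reads MDM audit events, keeps a sliding window of destructive commands per actor and fleet-wide, and raises an alert when the number of distinct devices affected exceeds a percentage of the fleet. The fleet size (500), threshold (1%), window (10 minutes) and the JSON-lines record shape are assumptions for the example; the sample log is constructed and is not the real Intune audit-log schema.

```python
"""Detect a wipe storm in MDM audit events (added example, not from the page)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumptions for this example: a 500-device fleet and an alert threshold of 1%,
# checked over a sliding 10-minute window.
FLEET_SIZE = 500
THRESHOLD_PCT = 1.0
WINDOW = timedelta(minutes=10)
DESTRUCTIVE_ACTIONS = {"wipe", "retire"}

# Constructed sample audit log in a simplified JSON-lines shape; this is NOT
# the real Intune audit schema. One legitimate wipe by the IT admin, then a
# burst of wipes from an account that should never issue them.
SAMPLE_LOG = """\
{"ts": "2026-03-11T09:00:05Z", "actor": "it.admin@school.example", "action": "wipe", "device": "LAP-0042"}
{"ts": "2026-03-11T09:01:10Z", "actor": "it.admin@school.example", "action": "sync", "device": "LAP-0043"}
{"ts": "2026-03-11T09:02:00Z", "actor": "contractor@byod.example", "action": "wipe", "device": "LAP-0100"}
{"ts": "2026-03-11T09:02:15Z", "actor": "contractor@byod.example", "action": "wipe", "device": "LAP-0101"}
{"ts": "2026-03-11T09:02:30Z", "actor": "contractor@byod.example", "action": "wipe", "device": "LAP-0102"}
{"ts": "2026-03-11T09:02:45Z", "actor": "contractor@byod.example", "action": "wipe", "device": "LAP-0103"}
{"ts": "2026-03-11T09:03:00Z", "actor": "contractor@byod.example", "action": "wipe", "device": "LAP-0104"}
{"ts": "2026-03-11T09:03:15Z", "actor": "contractor@byod.example", "action": "wipe", "device": "LAP-0105"}
{"ts": "2026-03-11T09:03:30Z", "actor": "contractor@byod.example", "action": "retire", "device": "LAP-0106"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with an aware UTC datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_wipe_storms(events, fleet_size=FLEET_SIZE, threshold_pct=THRESHOLD_PCT, window=WINDOW):
    """Return one alert per actor (plus one fleet-wide alert keyed '*') whose
    distinct devices hit by destructive commands inside the sliding window
    exceed the threshold."""
    limit = fleet_size * threshold_pct / 100.0
    recent = defaultdict(deque)   # key -> deque of (ts, device) inside the window
    alerted = set()
    alerts = []
    for rec in events:
        if rec["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        # Track per actor and fleet-wide, so wipes spread across several
        # accounts still add up to one alert.
        for key in (rec["actor"], "*"):
            q = recent[key]
            q.append((rec["ts"], rec["device"]))
            while rec["ts"] - q[0][0] > window:
                q.popleft()
            devices = {d for _, d in q}
            if len(devices) > limit and key not in alerted:
                alerted.add(key)
                alerts.append({
                    "actor": key,
                    "count": len(devices),
                    "window_start": q[0][0].isoformat(),
                    "window_end": rec["ts"].isoformat(),
                })
    return alerts


def run_example():
    """Run the detector over the constructed sample log."""
    return detect_wipe_storms(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

With the sample data the fleet-wide counter trips first (six distinct devices in under four minutes), followed by the per-actor alert for the contractor account; the single wipe from the IT admin never comes near the threshold. In production the same loop would be fed from your MDM's audit export or SIEM, and the threshold should be set low enough that a burst well below "every device" still pages someone.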


Schools should look to the DfE Digital Standards to understand their current device and system configurations. DPE customers should review the DfE Digital Standards Tracker tools on our Knowledge Bank.

Marcus Hutchins explains what a Mobile Device Management tool is and how it was used:

Related Reading and Reference Sources:

Geopolitically Motivated Cyber Operations Against the Healthcare Technology Industry: Lessons from the Stryker Incident

The Stryker Attack: Enterprise Resiliency Plans Can’t Ignore UEM

Definitions:

  • MDM (Mobile Device Management): A software category that allows IT administrators to control, secure, and enforce policies on smartphones, tablets, and laptops from a central console. In the Stryker attack, the MDM tool (Microsoft Intune) was weaponised to send "remote wipe" commands to over 200,000 devices simultaneously.

  • State-Aligned Hacktivist Attack: A cyberattack carried out by a group that claims to be independent "activists" (hacktivists) but is actually supported, funded, or directed by a nation-state (in this case, Iran). These attacks often prioritise political sabotage and propaganda over financial profit.

  • Endpoint: Any physical device that connects to and exchanges information with a computer network. This includes laptops, desktops, mobile phones, tablets, and servers.

  • Wiper Attack: A form of destructive cyberattack where the primary goal is to permanently delete or "wipe" data from the victim's hard drive, rather than encrypting it for ransom.

  • BYOD (Bring Your Own Device): A policy that allows employees to use their personal devices (phones, laptops) to access privileged company information and applications.

  • MFA (Multi-Factor Authentication): A security process requiring a user to provide two or more verification factors to gain access to a resource (e.g., a password plus a code sent to a physical security key).

  • Phishing-Resistant MFA: A high-standard authentication method (like FIDO2 security keys) that cannot be bypassed by "man-in-the-middle" attacks or fake login pages.

  • Privileged Identity Management (PIM): A service that allows organisations to manage, control, and monitor access to important resources. It typically uses "Just-In-Time" access, where admin rights are only granted for a specific window of time.

  • Conditional Access: An "if-then" security logic. For example: If a user wants to access the admin portal, then they must be on a company-managed laptop and connected to the school's office Wi-Fi.

  • Immutable Backups: Data backups that are fixed and unchangeable. Once written, they cannot be modified or deleted by anyone—including an attacker with administrative credentials—for a set period.

  • Air-Gapped Recovery: A security measure where a copy of your data is kept entirely disconnected from the internet and the main local network, making it impossible to hack remotely.

  • Dual Custody (Multi-Admin Approval): A security protocol that requires at least two authorised individuals to approve a high-risk action (like wiping all devices) before the system executes the command.

  • Break-Glass Account: An emergency-only account used to gain administrative access to a system when normal access methods (like MFA providers) are unavailable or compromised.

  • Tabletop Exercise: A simulated "war game" where IT teams and leadership walk through a hypothetical cyberattack scenario to test their emergency response plans and decision-making.
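The Conditional Access and Dual Custody definitions above, and the matching checklist items, describe the preventive side of the same problem. The script below is an added example (not code from the page, from DPE or from Microsoft) that turns both into a single decision function: a sign-in to the admin portal is allowed only from a managed, compliant device on a trusted network with phishing-resistant MFA, and a destructive command is executed only if a second, distinct administrator has approved it. The trusted range (the 203.0.113.0/24 documentation network), the role name `intune_admin`, the list of MFA methods treated as phishing-resistant, and the two sign-in scenarios are assumptions constructed for the example.

```python
"""Gate for destructive MDM commands: Conditional Access plus dual custody
(added example, not from the page)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set

# Assumptions for this example: the school's trusted egress range (a
# documentation range, TEST-NET-3), the admin role name, and the set of MFA
# methods treated as phishing-resistant.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
ADMIN_ROLE = "intune_admin"
PHISHING_RESISTANT = {"fido2", "windows_hello_for_business", "certificate"}
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "bulk_script"}


@dataclass
class SignIn:
    user: str
    roles: Set[str]
    device_managed: bool      # enrolled and company-owned, not BYOD
    device_compliant: bool    # currently meets the compliance policy
    source_ip: str
    mfa_method: str


@dataclass
class CommandRequest:
    action: str
    requester: str
    device_ids: List[str]
    approvals: Set[str] = field(default_factory=set)


def conditional_access(signin):
    """Return the reasons an admin-portal sign-in is denied; empty means allow."""
    reasons = []
    if ADMIN_ROLE not in signin.roles:
        reasons.append("no admin role assigned")
    if not (signin.device_managed and signin.device_compliant):
        reasons.append("device is not company-managed and compliant")
    ip = ipaddress.ip_address(signin.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        reasons.append("source IP is not a trusted location")
    if signin.mfa_method not in PHISHING_RESISTANT:
        reasons.append("MFA method is not phishing-resistant")
    return reasons


def authorize_command(request, signin):
    """Conditional Access first, then dual custody for destructive actions:
    the requester cannot approve their own command, so at least one other
    administrator must be in the approval set."""
    reasons = conditional_access(signin)
    if request.action in DESTRUCTIVE_ACTIONS:
        other_approvers = request.approvals - {request.requester}
        if not other_approvers:
            reasons.append("dual custody: no second administrator approval")
    return reasons


def example_decisions():
    """Two constructed cases: a compliant admin with a co-approver, and an
    unmanaged BYOD device from an unknown network using SMS codes with no
    second approver (a self-approval only)."""
    good = SignIn("it.admin@school.example", {ADMIN_ROLE}, True, True, "203.0.113.25", "fido2")
    bad = SignIn("contractor@byod.example", {ADMIN_ROLE}, False, False, "198.51.100.7", "sms")
    approved = CommandRequest("wipe", "it.admin@school.example", ["LAP-0042"],
                              {"it.admin@school.example", "deputy.admin@school.example"})
    self_only = CommandRequest("wipe", "contractor@byod.example", ["LAP-0100"],
                               {"contractor@byod.example"})
    return {
        "approved": authorize_command(approved, good),
        "unapproved": authorize_command(self_only, bad),
    }


if __name__ == "__main__":
    for name, reasons in example_decisions().items():
        print(name, "->", "ALLOW" if not reasons else reasons)
```

The point of returning every failed check rather than stopping at the first is that the list is what you log: in the Stryker-style scenario the denial reasons ("device is not company-managed", "source IP is not a trusted location") are exactly the signals an analyst wants to see on the audit trail before a wipe ever reaches a device.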

Stryker Corporation is a leading global medical technology company that manufactures a wide range of specialised products—including robotic surgery systems, artificial joints, and emergency medical equipment—impacting more than 150 million patients annually.
