April 11, 2026 Cyber Trends
Could your IT management tools be weaponized against you? Explore how the 2026 Stryker cyberattack exposed a critical blind spot in enterprise security — and the steps your organization should take now.
On March 11, pro-Iranian hackers wiped tens of thousands of employee devices at Stryker, one of the world's largest medical device companies. The attack disrupted manufacturing, order processing, and global shipping across 79 offices. It's being called the first major cyberattack on U.S. infrastructure in direct retaliation for geopolitical military action — and it's a wake-up call for every enterprise.
But here's what makes this attack especially alarming: no malware was used.
The Attack Vector Nobody Expects
The Handala threat group, linked to Iran's Ministry of Intelligence, didn't breach Stryker's network with a zero-day exploit or a phishing email laced with ransomware. They gained access to Stryker's Microsoft Intune management console — the very tool IT teams rely on to manage and secure endpoints — and used its built-in remote wipe feature to factory-reset enrolled devices at scale. Legitimate administrative tools, weaponized against the organization they were designed to protect.
The FBI and CISA confirmed the attack and have since urged all organizations using Intune to harden their endpoint management configurations and require multi-person approval for destructive actions like device wipes.
Why This Should Matter to Your Organization
This attack exposes a critical blind spot: the security of your security tools themselves.
Most organizations invest heavily in firewalls, EDR platforms, and SIEM solutions — but fewer treat their management plane (the consoles, identity systems, and administrative access layers) with the same vigilance. If an attacker can authenticate to your device management platform, they don't need to defeat your endpoint security. They just need to use it against you.
A few hard questions worth asking right now:
Who has access to your MDM/UEM console, and is that access protected with MFA?
Are destructive actions in your management tools subject to multi-person authorization?
Do you have 24/7 monitoring of privileged account activity and administrative consoles?
How quickly would your SOC detect a mass wipe event in progress — before it completes?
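The last two questions above are about detection: a mass wipe issued from the management console shows up in the console's own audit trail as a burst of destructive actions from one account, and a multi-person approval rule shows up as a destructive action that either has no second approver or was approved by the actor themselves. The following is an added example of that detection logic, not code from the original article, from InfoSight, or from Microsoft. The record layout (`ts`, `actor`, `action`, `device`, `approved_by`) and the action labels are assumptions made for illustration; real Intune audit events carry their own schema and would need a small mapping layer before this logic could be applied to them. The sample records are constructed.

```python
"""Flag mass-wipe bursts and unapproved destructive actions in MDM audit records.

Added example; not code from the original article, from InfoSight, or from
Microsoft. The record layout (ts, actor, action, device, approved_by) and the
action labels are assumptions for illustration; real Intune audit events carry
their own schema and would need a small mapping layer first.
"""
from collections import defaultdict, deque
from datetime import datetime

# Actions that destroy data or remove a device from management (assumed labels).
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire"}

# Constructed sample records: routine admin activity with a second approver,
# then a service account issuing six wipes in six seconds with no approver.
SAMPLE_EVENTS = [
    {"ts": "2026-03-11T02:00:05Z", "actor": "it-admin@example.com",
     "action": "Wipe", "device": "LT-0001", "approved_by": "sec-lead@example.com"},
    {"ts": "2026-03-11T02:14:10Z", "actor": "it-admin@example.com",
     "action": "Retire", "device": "LT-0002", "approved_by": "sec-lead@example.com"},
    {"ts": "2026-03-11T02:20:00Z", "actor": "it-admin@example.com",
     "action": "Sync", "device": "LT-0003", "approved_by": None},
] + [
    {"ts": f"2026-03-11T02:31:{s:02d}Z", "actor": "svc-mdm@example.com",
     "action": "Wipe", "device": f"LT-{100 + s:04d}", "approved_by": None}
    for s in range(6)
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_destructive_actions(events, threshold=5, window_seconds=300):
    """Return {"bursts": [...], "unapproved": [...]} for the given audit records.

    A burst is one actor issuing `threshold` or more destructive actions within
    any `window_seconds` span (sliding window; one finding per actor, reporting
    the largest window seen). An unapproved action is a destructive action with
    no approver, or one the actor approved for themselves.
    """
    recent = defaultdict(deque)   # actor -> deque of (timestamp, device)
    bursts = {}
    unapproved = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        ts = parse_ts(ev["ts"])
        actor = ev["actor"]

        # Rule 1: multi-person approval. Missing or self-approval is a finding.
        approver = ev.get("approved_by")
        if not approver or approver == actor:
            unapproved.append({"ts": ev["ts"], "actor": actor,
                               "action": ev["action"], "device": ev["device"]})

        # Rule 2: sliding-window burst per actor. The window always keeps the
        # event just appended, so the loop cannot empty it.
        window = recent[actor]
        window.append((ts, ev["device"]))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            finding = bursts.setdefault(actor, {
                "actor": actor, "count": 0,
                "first_seen": window[0][0].isoformat() + "Z"})
            if len(window) > finding["count"]:
                finding["count"] = len(window)
                finding["devices"] = [dev for _, dev in window]
            finding["last_seen"] = ts.isoformat() + "Z"
    return {"bursts": list(bursts.values()), "unapproved": unapproved}


if __name__ == "__main__":
    result = audit_destructive_actions(SAMPLE_EVENTS)
    for b in result["bursts"]:
        print(f"BURST  {b['actor']} wiped/retired {b['count']} devices "
              f"between {b['first_seen']} and {b['last_seen']}")
    for u in result["unapproved"]:
        print(f"NOAPPR {u['ts']} {u['actor']} {u['action']} {u['device']}")
```

On the constructed sample the routine admin activity produces nothing, while the service account trips both rules: a six-device burst inside the five-minute window and six wipes with no second approver. The threshold and window are deliberately parameters; a site that tolerates a batch retirement of, say, twenty devices per change window would tune them to its own baseline, and the first finding should page the on-call analyst while the wipes are still being issued rather than after the last device has reset.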
How InfoSight Helps Close These Gaps
At InfoSight, we've spent over 25 years helping organizations protect not just their endpoints, but the entire security architecture — including the management and identity layers that attackers increasingly target.
24x7 SOC-as-a-Service & Managed Detection and Response (MDR): Our U.S.-based SOC monitors your environment around the clock, providing real-time threat hunting and anomaly detection. A mass device wipe initiated from an admin console is exactly the kind of behavioral anomaly our analysts are trained to catch and contain — fast.
Managed EDR: We don't just deploy endpoint protection and walk away. We actively manage it, ensuring your endpoint tooling is hardened, up to date, and monitored for abuse — including abuse from within the management plane.
Penetration Testing: Our offensive security team simulates exactly these kinds of attacks — testing whether adversaries can gain privileged access to your management consoles, identity systems, and administrative platforms before real attackers do.
Vulnerability Assessments & Compliance Audits: The FBI's post-incident advisory to Stryker focused on hardening configurations. InfoSight's assessments proactively identify misconfigurations in your Microsoft environment, cloud infrastructure, and endpoint management platforms — before they become headlines.
Security Awareness Training (CSAP): Many management console compromises begin with a phished credential. Our Customer Security Awareness Program keeps your employees sharp against the social engineering tactics nation-state actors use to get their initial foothold.
The Geopolitical Dimension Is Now a Security Variable
Perhaps the most important lesson from Stryker isn't technical — it's strategic. Handala targeted Stryker because of geopolitical context. As global tensions rise, companies with international operations, U.S. government contracts, or ties to industries perceived as linked to foreign policy decisions are squarely in the crosshairs of nation-state actors.
Cyber risk is no longer just an IT problem. It's a business continuity, geopolitical, and supply chain problem. Your security posture needs to account for who you are, where you operate, and what you represent — not just what vulnerabilities your scanner found last quarter.
Ready to Assess Your Exposure?
If the Stryker attack has you asking whether your organization is prepared, we'd like to help you find out. InfoSight offers a no-obligation consultation to assess your current security posture, identify gaps in your management plane visibility, and build a roadmap toward true cyber resilience.