Iran-linked hackers have demonstrated a chilling new attack vector by compromising administrator credentials and using Microsoft Intune's legitimate device management capabilities to remotely wipe 80,000 devices in just three hours. The attack on medical technology company Stryker required no malware—only access to administrative accounts and knowledge of how to weaponise endpoint management platforms. This represents a fundamental shift in threat methodology that every UK business using cloud-based device management must understand.
A wiper attack is a cyberattack designed to permanently destroy data and systems rather than steal information, typically rendering devices completely inoperable. The Stryker incident exposes how attackers are evolving beyond traditional malware deployment to exploit the very tools organisations rely on for operational efficiency.
Key Facts:
- Iran-linked attackers wiped 80,000 devices using Microsoft Intune's built-in remote wipe functionality
- The attack required only compromised administrator credentials, not custom malware
- Complete device destruction occurred within three hours, demonstrating the speed of modern wiper attacks
- The incident highlights how endpoint management platforms can become weapons of mass business disruption
How Legitimate Tools Become Weapons of Disruption
According to reporting from BleepingComputer, the attackers gained access to administrative accounts within Stryker's Microsoft Intune environment and systematically triggered remote wipe commands across the organisation's device fleet. Microsoft Intune, designed to help IT teams manage corporate devices remotely, includes legitimate functionality to wipe devices clean—typically used when devices are lost, stolen, or being decommissioned.
The NCSC has previously warned that legitimate administrative tools represent high-value targets for attackers precisely because they provide authorised access to critical systems. In this case, the attackers required no sophisticated malware or zero-day exploits. They simply needed to compromise the right credentials and understand how to operate standard enterprise software.
This attack methodology bypasses traditional endpoint detection and response solutions because the commands appear legitimate within the system logs. IT teams may not immediately recognise mass device wipes as malicious activity, particularly if they occur during what appears to be routine maintenance windows.
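Because each wipe command is individually legitimate, the useful detection signal is the rate and volume of wipe-class actions per administrator rather than any single event. The following is an added example, not code from the article or from Microsoft: a sliding-window detector run over a constructed set of audit events. The event schema (`time`, `actor`, `action`, `device`), the action labels in `WIPE_ACTIONS`, the threshold of five wipes in fifteen minutes and the sample events are all assumptions made for illustration; a real Intune audit export carries comparable fields under its own names and must be mapped onto this shape first.

```python
"""Flag bursts of remote-wipe activity in endpoint-management audit events.

Added example; not code from the original article or from Microsoft.
The event schema, the action labels and the sample events below are
constructed for illustration and are not Intune's own field names.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed labels for actions that destroy a device's data.
WIPE_ACTIONS = {"Wipe", "Retire"}


def parse_time(stamp):
    """Parse an ISO 8601 timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=15)):
    """Return one alert per actor whose wipe-class actions reach `threshold`
    inside a sliding `window`. Routine decommissioning (a few retirements
    spread over a day) stays below the threshold; a bulk wipe does not.
    """
    recent = defaultdict(deque)   # actor -> deque of (time, device) in window
    alerts = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["action"] not in WIPE_ACTIONS:
            continue
        now = parse_time(ev["time"])
        q = recent[ev["actor"]]
        q.append((now, ev["device"]))
        while now - q[0][0] > window:      # drop events older than the window
            q.popleft()
        if len(q) == threshold:            # fire once as the burst crosses it
            alerts.append({
                "actor": ev["actor"],
                "first_seen": q[0][0].isoformat(),
                "count": len(q),
                "devices": [device for _, device in q],
            })
    return alerts


# Constructed sample: a help-desk account retiring two devices hours apart
# (benign) and a privileged account wiping eight devices in fourteen minutes.
SAMPLE_EVENTS = [
    {"time": "2026-02-10T09:05:00Z", "actor": "helpdesk@example.com",
     "action": "Retire", "device": "LAPTOP-0417"},
    {"time": "2026-02-10T11:40:00Z", "actor": "helpdesk@example.com",
     "action": "Retire", "device": "LAPTOP-0512"},
    {"time": "2026-02-10T13:15:00Z", "actor": "helpdesk@example.com",
     "action": "Sync", "device": "LAPTOP-0610"},
] + [
    {"time": f"2026-02-10T02:{minute:02d}:00Z",
     "actor": "svc-intune-admin@example.com",
     "action": "Wipe", "device": f"LAPTOP-{1000 + i}"}
    for i, minute in enumerate(range(10, 26, 2))   # 02:10, 02:12, ..., 02:24
]


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"{alert['actor']}: {alert['count']} wipe-class actions "
              f"since {alert['first_seen']} on {alert['devices']}")
```

Tune `threshold` and `window` to the organisation's real decommissioning rate, and feed the alert into a playbook that suspends the acting account and pauses pending wipe commands before the fleet-wide damage described above can complete.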
Why Traditional Backup Strategies Fail Against Wiper Attacks
The Stryker incident demonstrates why conventional backup approaches prove inadequate against modern wiper attacks. When attackers target endpoint management platforms, they can simultaneously destroy both primary devices and any locally stored backup data. Traditional backup strategies often assume that local devices remain accessible during recovery operations, an assumption that wiper attacks explicitly violate.
UK businesses relying heavily on cloud-based device management must recognise that their backup and recovery plans may not account for scenarios where hundreds or thousands of devices become completely inoperable simultaneously. The warning in "Your Backup Strategy Is About to Fail When It Matters Most" becomes particularly relevant when considering attacks that target the management infrastructure itself rather than individual endpoints.
The ISO 27001 framework requires organisations to maintain business continuity plans that account for various threat scenarios, but many UK businesses have not tested their recovery capabilities against coordinated wiper attacks targeting management platforms.
What Should UK Businesses Do About Endpoint Management Security?
The immediate priority for UK organisations using Microsoft Intune or similar platforms involves implementing multi-factor authentication and privileged access management for all administrative accounts. However, technical controls alone prove insufficient when facing determined nation-state actors with sophisticated credential harvesting capabilities.
Businesses must establish segregation between device management platforms and critical business systems. If attackers compromise Intune administration, they should not automatically gain access to broader network infrastructure or backup systems. This requires careful network segmentation and access control design.
Regular testing of recovery procedures specifically for mass device loss scenarios becomes essential. Many UK businesses test their backup systems by simulating server failures or data corruption, but few test recovery when the majority of employee devices become simultaneously inoperable. The NCSC recommends that businesses maintain offline backup copies and recovery procedures that do not depend on the same management infrastructure that could be compromised.
Boardroom Questions
How quickly could our organisation recover operations if attackers wiped all managed devices simultaneously, and have we tested this scenario?
What administrative privileges exist within our device management platforms, and are these accounts protected by multi-factor authentication and regular access reviews?
Do our business continuity plans account for attacks that target management infrastructure rather than individual systems or data?
Quick Diagnostic
Can your IT team immediately revoke all administrative access to device management platforms if a breach is suspected?
Have you tested business recovery procedures assuming all corporate devices become inoperable simultaneously?
Are your backup systems completely independent from the same credentials and infrastructure used to manage corporate devices?
Related Reading
Russian Malware Is Killing Your Security Tools Before You Know It — BlackSanta malware disables endpoint security at kernel level through HR recruitment attacks. Your EDR investment become
Your Backup Strategy Is About to Fail When It Matters Most — Latest Sophos data shows enterprise backup usage has dropped to a four-year low of 53%, whilst modern ransomware specifi
UK Power Grid Instability Forces Emergency Backup Planning for 2026 — Rising demand and aging infrastructure create unprecedented UK power grid risks, forcing businesses to shift emergency p
NIS2 Becomes Operational Reality for UK Businesses in 2026 — First operational deadlines hit January 2026 with registration closing February 28th. UK businesses with EU operations f
UK's Cyber Resilience Bill Will Mirror NIS2 But Add Unique Powers — As EU states struggle with NIS2 implementation, the UK's Cyber Security and Resilience Bill advances through Parliament