The Cybersecurity and Infrastructure Security Agency is urging organizations across the U.S. to harden their endpoint security following the Iran-linked cyberattack against medtech provider Stryker.
A state-linked threat actor tracked as Handala claimed credit for the attack against the Michigan-based firm last week. The attacker wiped data from thousands of devices at the company, which confirmed that its ordering, manufacturing and shipping capabilities were briefly disrupted.
CISA, in a Wednesday advisory, said it is aware of malicious activity targeting endpoint management systems and had been working with agency partners, including the FBI, to identify additional threats.
Microsoft Intune is a widely used endpoint management application that IT security teams use to manage a range of mobile devices at scale. Security researchers believe the hackers were able to gain access to the administrator level of Microsoft Intune and wipe data from the devices.
The hackers posted a claim that they accessed 200,000 devices and stole 50 terabytes of data. Stryker, in a regulatory filing with the Securities and Exchange Commission, confirmed its Microsoft environment was disrupted, but did not publicly detail exactly how the attackers gained access or specifically what kind of information was accessed.
CISA urged IT security teams to make three main adjustments:
- Assign the minimum number of permissions to accomplish day-to-day tasks in Microsoft Intune by using the application’s role-based access control.
- Enforce phishing-resistant multifactor authentication and privileged access hygiene in order to prevent unauthorized access.
- Set up policies to require a second level of administrative approval to enable high-level changes, such as wiping data.
CISA confirmed that it consulted with Microsoft and Stryker before releasing the advisory and said both companies contributed to the guidance. Microsoft released an updated version of its customer guidance earlier this week.
Researchers from Palo Alto Networks’ Unit 42 last week warned of an increased risk of wiper attacks related to the Iran war. They cited information from the Israeli National Cyber Directorate, which received multiple reports of hackers deleting data from servers and workstations.
Various state-linked and Iran-nexus groups have used spear phishing and disk-wiping malware to launch wiper attacks, according to Unit 42 research. What is most concerning about some of the more recent attacks is the attackers' ability to gain administrative access to Microsoft Intune and thus bypass endpoint security controls.
Researchers from Halcyon said security teams should take additional measures to ensure privileged access is properly enforced.
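One defensive check for the pattern described here, as an added example that is not from CISA, Microsoft, Stryker or the article: a small audit-log sweep that flags a single account issuing many device wipes within a short window and wipes that carry no recorded second approver. The event shape, field names and sample values are constructed assumptions, not Intune's real audit schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified shape (an assumption, not the real
# Intune audit schema). One JSON object per line: time, actor, action, device, approver.
SAMPLE_EVENTS = """\
{"time": "2026-01-01T02:00:01Z", "actor": "intune-admin@example.com", "action": "wipe", "device": "LAP-0001", "approver": null}
{"time": "2026-01-01T02:00:04Z", "actor": "intune-admin@example.com", "action": "wipe", "device": "LAP-0002", "approver": null}
{"time": "2026-01-01T02:00:06Z", "actor": "intune-admin@example.com", "action": "wipe", "device": "LAP-0003", "approver": null}
{"time": "2026-01-01T09:15:00Z", "actor": "helpdesk@example.com", "action": "wipe", "device": "LAP-0042", "approver": "approver@example.com"}
{"time": "2026-01-01T09:20:00Z", "actor": "helpdesk@example.com", "action": "sync", "device": "LAP-0043", "approver": null}
"""

def parse_events(text):
    """Parse one JSON event per line into dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])

def find_wipe_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Return {actor: [devices]} for any actor who issued at least `threshold`
    wipes inside one sliding window: one account wiping many devices in minutes."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["action"] == "wipe":
            per_actor[ev["actor"]].append(ev)
    bursts = {}
    for actor, wipes in per_actor.items():
        start = 0
        for end in range(len(wipes)):
            while wipes[end]["time"] - wipes[start]["time"] > window:
                start += 1  # slide the window forward past stale wipes
            if end - start + 1 >= threshold:
                bursts[actor] = [w["device"] for w in wipes[start:end + 1]]
                break
    return bursts

def find_unapproved_wipes(events):
    """Return devices wiped with no recorded second approver, i.e. wipes a
    multi-admin approval policy for high-impact actions should have blocked."""
    return [ev["device"] for ev in events
            if ev["action"] == "wipe" and not ev.get("approver")]

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("bursts:", find_wipe_bursts(evs), "unapproved:", find_unapproved_wipes(evs))
```

Against real Intune audit exports the field names would need mapping to the exported schema, and the threshold and window should be tuned to the organisation's normal wipe volume.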
“Organizations should consider maintaining admin accounts as completely separate credentials rather than elevated versions of standard accounts,” Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, told Cybersecurity Dive. “Where possible, privileged identity management, or PIM, is worth exploring to grant admin rights on a just-in-time, time-bound basis, which reduces exposure from persistent global admin sessions.”