Hacktivist Group Handala Wipes 80,000 Devices and Exfiltrates 50 TB from Stryker via Compromised Microsoft Intune Admin Account
What Happened – Handala (an Iranian‑linked hacktivist group) breached Stryker’s Microsoft Intune environment by compromising an administrator account, creating a new Global Administrator, and using Intune’s built‑in wipe command to erase nearly 80,000 devices. The attackers also claim to have stolen roughly 50 TB of proprietary data before the wipe.
Why It Matters for TPRM –
- A single privileged account can give threat actors control over thousands of endpoints across a supply‑chain partner.
- Data exfiltration combined with mass device destruction amplifies both confidentiality and availability risks for downstream customers.
- The incident highlights the need for hardened endpoint‑management configurations and strict least‑privilege controls in any third‑party SaaS service.
Who Is Affected – Medical‑technology manufacturers, health‑care providers, and any organization that relies on Microsoft Intune (or similar cloud‑based endpoint management platforms) for device administration.
Recommended Actions –
- Review all third‑party contracts for endpoint‑management services and verify that least‑privilege RBAC is enforced.
- Ensure multi‑factor authentication (MFA) and multi‑admin approval are mandatory for privileged actions such as device wipes.
- Conduct a rapid audit of your Intune (or equivalent) configuration against CISA’s hardening guidance.
Technical Notes – The attackers leveraged stolen administrator credentials to create a Global Administrator account, then invoked Intune’s native wipe API. No public CVE was cited; the vector was credential compromise and abuse of native cloud management functions. Data types exfiltrated included design schematics, R&D files, and internal communications. Source: BleepingComputer
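The detection side of the Recommended Actions above, as an added illustration rather than anything from the source article: a small Python detector run over constructed audit events that flags the two signals in the Technical Notes, a privileged role granted to a new account and a burst of remote wipes issued by it. The event field names (`actor`, `action`, `target`, `role`), thresholds and sample accounts are this example's own assumptions, not Microsoft's Intune or Entra audit schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (field names are this example's own, not Microsoft's schema):
# an existing admin grants Global Administrator to a brand-new account, which then wipes
# 30 devices in 2.5 minutes; a second admin wipes two devices half an hour apart, as a help desk would.
def _ts(base, seconds):
    return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

_T0 = datetime(2026, 3, 1, 2, 0, 0)
SAMPLE_EVENTS = [
    {"ts": _ts(_T0, 0), "actor": "admin1@corp.example", "action": "AddRoleMember",
     "target": "svc-new@corp.example", "role": "Global Administrator"},
] + [
    {"ts": _ts(_T0, 300 + 5 * i), "actor": "svc-new@corp.example", "action": "RemoteWipe",
     "target": f"LAPTOP-{i:05d}"} for i in range(30)
] + [
    {"ts": _ts(_T0, 7 * 3600), "actor": "admin2@corp.example", "action": "RemoteWipe", "target": "LAPTOP-90001"},
    {"ts": _ts(_T0, 7 * 3600 + 1800), "actor": "admin2@corp.example", "action": "RemoteWipe", "target": "LAPTOP-90002"},
]

PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}  # assumed role names
WIPE_BURST_THRESHOLD = 25           # wipes per window that no routine workflow issues (assumed)
WIPE_WINDOW = timedelta(minutes=10)
NEW_ADMIN_GRACE = timedelta(hours=24)

def detect(events):
    """Return (kind, actor, detail, ts) alerts for the grant-then-mass-wipe pattern."""
    alerts, granted, burst_fired = [], {}, set()
    recent_wipes = defaultdict(list)    # actor -> wipe timestamps inside the sliding window
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if e["action"] == "AddRoleMember" and e.get("role") in PRIVILEGED_ROLES:
            granted[e["target"]] = t
            alerts.append(("privileged_role_added", e["actor"], e["target"], e["ts"]))
        elif e["action"] == "RemoteWipe":
            actor = e["actor"]
            # First wipe from an account whose privileged role is less than a day old
            if actor in granted and t - granted.pop(actor) <= NEW_ADMIN_GRACE:
                alerts.append(("wipe_by_new_admin", actor, e["target"], e["ts"]))
            win = recent_wipes[actor]
            win.append(t)
            while t - win[0] > WIPE_WINDOW:  # drop wipes that fell out of the window
                win.pop(0)
            if len(win) >= WIPE_BURST_THRESHOLD and actor not in burst_fired:
                burst_fired.add(actor)       # fire once per actor, not on every further wipe
                alerts.append(("wipe_burst", actor, len(win), e["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Routing these alerts to an approval step (the multi‑admin approval recommended above) rather than only to a dashboard is what would have interrupted a wipe campaign of this size.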