Iran‑Linked Handala Group Wipes 200K Devices via Microsoft Intune, Prompting FBI & CISA Advisory
What Happened — An Iran‑affiliated hacking group known as Handala gained access to the Microsoft Intune tenant of Stryker, a large medical‑device firm, and issued remote‑wipe commands that erased data on more than 200,000 corporate devices. No malware was involved: the attackers abused legitimate, privileged Intune permissions, so the wipes were carried out by the management platform itself as ordinary administrative actions, indistinguishable from a helpdesk operator's work except by scale and source.
Why It Matters for TPRM (third‑party risk management) —
- A cloud endpoint‑management platform is a single point of failure: whoever holds its admin role can push a destructive action to every enrolled device at once, with no exploit required, so one compromised privileged credential is the whole attack.
- A service‑disruption attack on one third‑party SaaS tenant cascades to the business units, suppliers, and customers that depend on the devices it manages, even when no data is stolen.
- The incident shows why strict least privilege, MFA on every admin account, and a second‑approver (dual‑approval) control on destructive actions belong on every privileged cloud service, not only on the ones that hold data.
Who Is Affected — Healthcare technology manufacturers, hospitals, and any organization that relies on Microsoft Intune (or a similar MDM/UEM platform) to manage endpoints, together with the customers and partners whose operations depend on devices those organizations manage.
Recommended Actions — Review and tighten Intune role‑based access control: remove standing Global Administrator and Intune Administrator assignments in favour of scoped Intune roles and scope tags, and make the remaining privileged roles just‑in‑time where your licensing allows. Enforce MFA for every admin account through Conditional Access rather than per‑user settings, so it cannot be left off for a service or break‑glass account by accident. Put a second‑approval workflow in front of high‑impact actions such as device wipe, retire, and delete; Intune's multiple administrative approval access policies can gate these device actions behind another administrator's sign‑off. Continuously monitor privileged activity in the Intune audit log and alert on bursts of destructive device actions, on destructive actions from accounts that are not approved operators, and on admin sign‑ins from unfamiliar locations.
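The monitoring step above, as an added example that is not code from the original page, from Stryker, or from Microsoft: a small Python detector that runs over Intune audit events in the shape the Microsoft Graph `deviceManagement/auditEvents` endpoint returns and flags the two signals the Handala pattern would produce: a destructive device action (wipe, retire, delete) issued by an account outside an approved‑operator list, and any account issuing a burst of such actions inside a short window. The sample events, accounts, IP addresses, and device names are constructed for the example; the approved‑operator list and the `activityType` strings (such as `wipe ManagedDevice`) are assumptions to check against what your own tenant logs; in production you would feed the function the pages fetched from that endpoint instead of the inline list.

```python
"""Spot mass remote-wipe activity in Microsoft Intune audit events.

Added example (not code from Stryker, Microsoft, or The Record). The record
shape follows the Graph 'auditEvent' resource returned by
GET /deviceManagement/auditEvents; the events, accounts, IPs and device names
below are constructed sample data, and the activityType strings are
assumptions to be checked against what your tenant actually emits.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: only these accounts may issue destructive device actions under
# the tenant's Intune RBAC design. Anyone else doing so is an alert on its own.
APPROVED_WIPE_OPERATORS = {"helpdesk.l2@example.com", "intune.admin@example.com"}

# Assumption: destructive device actions carry one of these words in
# activityType (e.g. "wipe ManagedDevice"); adjust to your tenant's log values.
DESTRUCTIVE_MARKERS = ("wipe", "retire", "delete")


def _event(ts, upn, ip, activity_type, op_type, device):
    """Build one auditEvent-shaped record (constructed sample data)."""
    return {
        "activityDateTime": ts,
        "activityType": activity_type,
        "activityOperationType": op_type,  # "Action" for device actions
        "activityResult": "Success",
        "actor": {"type": "User", "userPrincipalName": upn, "ipAddress": ip},
        "resources": [{"type": "ManagedDevice", "displayName": device}],
    }


# Constructed sample log: one ticketed helpdesk wipe, a sync, a four-device
# burst from an automation account that is not an approved operator, and two
# widely spaced retires by an approved admin.
SAMPLE_EVENTS = [
    _event("2026-03-10T09:00:12Z", "helpdesk.l2@example.com", "198.51.100.20", "wipe ManagedDevice", "Action", "LAPTOP-4417"),
    _event("2026-03-10T09:05:40Z", "helpdesk.l2@example.com", "198.51.100.20", "syncDevice ManagedDevice", "Action", "LAPTOP-4417"),
    _event("2026-03-10T09:10:03Z", "svc-intune-automation@example.com", "203.0.113.7", "wipe ManagedDevice", "Action", "LAPTOP-0001"),
    _event("2026-03-10T09:10:09Z", "svc-intune-automation@example.com", "203.0.113.7", "wipe ManagedDevice", "Action", "LAPTOP-0002"),
    _event("2026-03-10T09:10:15Z", "svc-intune-automation@example.com", "203.0.113.7", "wipe ManagedDevice", "Action", "LAPTOP-0003"),
    _event("2026-03-10T09:10:21Z", "svc-intune-automation@example.com", "203.0.113.7", "wipe ManagedDevice", "Action", "LAPTOP-0004"),
    _event("2026-03-10T11:30:00Z", "intune.admin@example.com", "198.51.100.21", "retire ManagedDevice", "Action", "IPAD-0210"),
    _event("2026-03-10T11:45:00Z", "intune.admin@example.com", "198.51.100.21", "retire ManagedDevice", "Action", "IPAD-0211"),
]


def is_destructive(event):
    """True for a device action whose type names a wipe, retire or delete."""
    if event.get("activityOperationType", "").lower() != "action":
        return False
    kind = event.get("activityType", "").lower()
    return any(marker in kind for marker in DESTRUCTIVE_MARKERS)


def _parse(ts):
    """Parse Graph's UTC timestamps, tolerating the fractional seconds Graph emits."""
    return datetime.strptime(ts.rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S")


def max_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any span of `window`."""
    queue, best = deque(), 0
    for t in times:
        queue.append(t)
        while t - queue[0] > window:
            queue.popleft()
        best = max(best, len(queue))
    return best


def detect_wipe_abuse(events, approved=APPROVED_WIPE_OPERATORS,
                      threshold=3, window=timedelta(minutes=10)):
    """Return alerts for (a) destructive actions by accounts outside `approved`
    and (b) any account issuing >= `threshold` destructive actions within `window`.
    Each alert carries the actor, total count, time span, source IPs and devices."""
    per_actor = defaultdict(list)
    for event in events:
        if is_destructive(event):
            per_actor[event["actor"]["userPrincipalName"]].append(event)

    alerts = []
    for upn, evs in per_actor.items():
        evs.sort(key=lambda e: _parse(e["activityDateTime"]))
        times = [_parse(e["activityDateTime"]) for e in evs]
        base = {
            "actor": upn,
            "count": len(evs),
            "first": evs[0]["activityDateTime"],
            "last": evs[-1]["activityDateTime"],
            "source_ips": {e["actor"].get("ipAddress") for e in evs},
            "devices": [r["displayName"] for e in evs for r in e["resources"]],
        }
        if upn not in approved:
            alerts.append({**base, "reason": "unapproved_actor"})
        burst = max_in_window(times, window)
        if burst >= threshold:
            alerts.append({**base, "reason": "mass_wipe", "burst": burst})
    return sorted(alerts, key=lambda a: (a["actor"], a["reason"]))


if __name__ == "__main__":
    for alert in detect_wipe_abuse(SAMPLE_EVENTS):
        print(alert["reason"], alert["actor"], alert["count"], alert["first"],
              alert["last"], sorted(alert["source_ips"]), alert["devices"])
```

The burst threshold of three destructive actions in ten minutes is deliberately low: legitimate helpdesk wipes are rare and individually ticketed, so several in minutes from one account, particularly one that is not on the operator list or that is connecting from an unfamiliar address, should page someone before the fourth device is gone. The same per‑actor view (actor, source IPs, time span, devices hit) is what an audit‑log review needs after an incident of this kind.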
Technical Notes — Attack vector: stolen or misused administrator credentials for Microsoft Intune (cloud‑based MDM); the wipes were issued as ordinary Intune device actions. No known CVEs were exploited: the breach stemmed from inadequate configuration and the absence of multi‑factor authentication on privileged accounts, which is why the mitigations are identity and configuration controls rather than patches. Data types: primarily operational device data; there is no evidence of patient or proprietary data exfiltration, so the impact is availability (wiped endpoints) rather than confidentiality. Source: The Record