CISA warns firms to strengthen endpoint security after Stryker attack

WASHINGTON, UNITED STATES — The United States Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations worldwide to bolster endpoint security after a state-linked cyberattack disrupted operations at medtech giant Stryker.
According to a report from CIO Dive, the attack, claimed by Iran-linked threat actor Handala, wiped data from thousands of devices, temporarily affecting the company’s ordering, manufacturing, and shipping capabilities.
Rising threats to endpoint management systems
CISA, in an advisory, highlighted ongoing malicious activity targeting endpoint management systems, including Microsoft Intune, a widely used platform for managing mobile devices at scale.
According to the report, security researchers believe the hackers gained administrator-level access to Intune, allowing them to erase data from devices. The attackers claimed to have accessed 200,000 devices and stolen 50 terabytes of data.
“Stryker confirmed its Microsoft environment was disrupted,” the agency noted, though the company did not disclose exactly how the breach occurred or the type of information accessed.
CISA said it coordinated with the Federal Bureau of Investigation (FBI) and other agencies to monitor potential threats and provided guidance developed in consultation with both Stryker and Microsoft.
To mitigate risks, CISA urged IT teams to take three critical steps: assign the minimum permissions necessary for daily tasks using Intune’s role-based access control; enforce phishing-resistant multifactor authentication and privileged access hygiene; and require a second level of administrative approval for high-level actions, such as data wipes.
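The three steps above are preventive controls, but they also imply a detection need: a run of wipe commands from one identity, or a wipe with no second approver on record, is what a defender should be alerted on before thousands of devices are affected. As an added example (not from the article, CISA's advisory, or Microsoft's guidance), the Python below runs that check over a constructed set of endpoint-management audit events; the JSON-lines format and the field names ts, actor, action, device and approved_by are assumptions for illustration, not Intune's real audit log schema.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that destroy data or remove management from a device; a wipe is the
# case the advisory singles out for a second level of administrative approval.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "delete"}

# Constructed sample audit events (NOT real Intune log output; the field names
# ts/actor/action/device/approved_by are assumptions for this example).
SAMPLE_LOG = """\
{"ts": "2024-01-01T09:00:00", "actor": "helpdesk-b", "action": "sync", "device": "dev-001"}
{"ts": "2024-01-01T09:01:00", "actor": "helpdesk-b", "action": "wipe", "device": "dev-002", "approved_by": "admin-c"}
{"ts": "2024-01-01T10:00:00", "actor": "admin-a", "action": "wipe", "device": "dev-010"}
{"ts": "2024-01-01T10:00:20", "actor": "admin-a", "action": "wipe", "device": "dev-011"}
{"ts": "2024-01-01T10:00:40", "actor": "admin-a", "action": "wipe", "device": "dev-012"}
{"ts": "2024-01-01T10:01:00", "actor": "admin-a", "action": "wipe", "device": "dev-013"}
{"ts": "2024-01-01T11:30:00", "actor": "admin-a", "action": "wipe", "device": "dev-014"}
"""


def parse_events(text):
    """Parse newline-delimited JSON audit events and return them oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def unapproved_destructive(events):
    """Destructive actions that carry no recorded second approver."""
    return [e for e in events
            if e["action"] in DESTRUCTIVE_ACTIONS and not e.get("approved_by")]


def bulk_destructive(events, threshold=3, window=timedelta(minutes=5)):
    """Per-actor sliding window: emit an alert each time an actor's destructive
    actions inside `window` reach `threshold`."""
    recent = defaultdict(deque)
    alerts = []
    for e in events:
        if e["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        q = recent[e["actor"]]
        q.append(e["ts"])
        # Drop timestamps that have aged out of the window.
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"actor": e["actor"], "at": e["ts"], "count": len(q)})
    return alerts


def review(text):
    """Run both checks over a log and return the findings."""
    events = parse_events(text)
    return {
        "unapproved": unapproved_destructive(events),
        "bursts": bulk_destructive(events),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for e in result["unapproved"]:
        print(f"UNAPPROVED {e['action']} by {e['actor']} on {e['device']} at {e['ts']}")
    for b in result["bursts"]:
        print(f"BURST {b['actor']} issued {b['count']} destructive actions by {b['at']}")
```

On the constructed log, helpdesk-b's single approved wipe produces nothing, while admin-a's five unapproved wipes are all listed and the four issued within one minute trip the burst threshold twice (at the third and fourth wipe). The threshold and window are tuning knobs; in a real deployment they would be set from the organization's normal rate of retirements and wipes.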
Microsoft also updated its customer guidance this week in response to the advisory.
Experts stress privileged access controls
Researchers warn that wiper attacks from Iran-linked groups are increasing, citing multiple reports of hackers deleting data from servers and workstations.
Cynthia Kaiser, senior vice president of Halcyon’s Ransomware Research Center, emphasized the need for strict access management.
“Organizations should consider maintaining admin accounts as completely separate credentials rather than elevated versions of standard accounts. Where possible, privileged identity management, or PIM, is worth exploring to grant admin rights on a just-in-time, time-bound basis, which reduces exposure from persistent global admin sessions,” she told Cybersecurity Dive.
Palo Alto Networks’ Unit 42 also highlighted the heightened risk of wiper attacks amid geopolitical tensions, noting that the ability to bypass endpoint security triggers by exploiting administrative access is particularly concerning.
From an outsourcing perspective, the incident underscores a broader trend affecting managed IT services.
Companies that rely on third-party endpoint management tools must now reevaluate their security posture to protect sensitive operations across global networks.
In this context, firms that integrate robust access controls and proactive monitoring not only shield themselves from wiper attacks but also safeguard business continuity for outsourced operations, which are increasingly central to international supply chains.

Independent