Unpacking the Stryker Cyberattack – How InTune was used to maliciously wipe 80,000 devices

By Andy Lomasky, Senior Director, IT, PMMI

A recent cyberattack on medical technology company Stryker is drawing attention across industries.  This was not a new vulnerability or sophisticated malware – this breach occurred because attackers used a trusted system to cause widespread disruption.

For PMMI members, this incident is worth understanding. Many organizations rely on similar tools to manage computers, workstations, mobile devices, and users, and the lessons here apply broadly across manufacturing, packaging, and supply chain environments.

What Happened

According to public reporting and CISA guidance, attackers gained access to Stryker’s environment and leveraged Microsoft Intune, a widely used endpoint management platform.

Once inside, they were able to:

• Compromise an administrative account
• Escalate privileges by modifying administrative access
• Use Intune’s built-in capabilities to remotely wipe large numbers of devices
• Potentially access or exfiltrate sensitive data beforehand

Most importantly, the attackers didn’t need to deploy malware or exploit a software vulnerability. They used legitimate administrative tools to carry out the attack.

Why This Attack Is Different

This incident highlights a growing shift in cyberattacks - rather than breaking systems, attackers are increasingly abusing trusted platforms once they gain access.

Endpoint management tools like Microsoft Intune are designed to:

• Deploy software
• Enforce policies
• Monitor device health
• Reset or wipe devices

Those same capabilities, in the wrong hands, can be used to disrupt operations at scale, which is exactly what happened.  For organizations managing fleets of workstations, laptops, mobile devices, or remote endpoints, these platforms represent a powerful, and potentially risky, control layer.

Why It Matters for PMMI Members

Many companies in the packaging and processing industry use tools like Intune, ServiceNow, Workspace ONE, or other device management platforms to support their remote and hybrid workforces, field service teams, plant floor systems connected to corporate networks, and BYOD (bring-your-own-device) environments.

If compromised, these systems could:

• Disrupt operations by wiping or locking devices
• Push unauthorized configurations
• Impact production, logistics, and customer-facing systems

This makes endpoint management platforms a critical part of your security architecture, not just a convenience.

How to Reduce Your Risk

The Stryker incident reinforces several foundational security practices that every organization should revisit:

• Limit Administrative Access - Review who has administrative privileges in your endpoint management and identity platforms. Apply the rule of least privilege and remove access that is no longer needed.
• Require Strong Authentication - Ensure multifactor authentication (MFA) is enforced for all administrative/privileged accounts, and consider stronger, phishing-resistant methods where possible.
• Introduce Safeguards for High-Risk Actions - Actions like device wipes, major policy changes, or role assignments should not rely on a single account. Where possible, implement approval workflows or additional controls.
• Audit and Monitor Activity - Regularly review logs and alerts for unusual administrative behavior, such as new account creation, privilege escalation, or bulk device actions.  If possible, set up alerts on things like privilege escalation so these actions can be caught quickly if unauthorized.

The Bigger Lesson

The Stryker attack is not just about one company or one tool, it reflects the broader reality that greatest risk is often not a technical vulnerability - it’s what attackers can do once they gain access.  By focusing on access control, visibility, and governance of powerful systems like endpoint management platforms, organizations can significantly reduce the likelihood and impact of this type of attack.

Final Thought

For PMMI members, this is a good moment to pause and ask your IT departments a few practical questions:

• Who has administrative access to our endpoint management tools and cloud platforms?
• Are high-risk actions controlled and monitored?
• Could a single compromised account impact our entire device fleet the way Stryker’s did?

If the answers are unclear, that’s a strong signal to take a closer look.

‍