A suspected wiper attack against medtech giant Stryker has led much of the security community to examine the role of Microsoft Intune.
Stryker, a Portage, Mich.-based specialist in surgical equipment, was hacked last week in an attack that affected thousands of mobile devices and other systems.
The company, in a regulatory filing, confirmed the attack impacted its Microsoft environment and warned in a customer update that its electronic ordering systems remain unavailable.
An Iran-linked hacker tracked under the name Handala claimed credit for the attack, according to Check Point Research. The hacker claims to have stolen 50 terabytes of data and to have wiped information from thousands of servers and mobile devices in the process.
Researchers from Halcyon told Cybersecurity Dive that the Stryker attack impacted all phones and workstations carrying an Intune base64 string; Intune is normally used to push software to, or manage, devices that are identified by such base64-encoded strings, according to the researchers.
The payload included remote wipe commands, which were used to delete data on all affected devices, according to Halcyon.
In order to conduct such an attack, a hacker would need to obtain Intune administrator or global administrator privileges, researchers said.
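Because the wipe commands described above are issued through an administrative account, the defender's record of the attack is the Intune audit log. The following is an added example, not code from the article or from Microsoft, that scans constructed audit events shaped loosely like the Microsoft Graph `auditEvent` resource (`activityType`, `activityDateTime`, `actor.userPrincipalName`, `activityResult`) and flags any actor who issues a burst of remote wipes within a short window. The exact `activityType` value for a wipe (`"Wipe ManagedDevice"` here), the threshold, the window, and all sample events are assumptions and should be checked against a real tenant export.

```python
"""Flag burst remote-wipe activity in Intune-style audit events.

Added example, not from the original article. The event field names follow
the Microsoft Graph auditEvent resource loosely; the activityType string for
a wipe is assumed and must be verified against your own audit export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WIPE_ACTIVITY = "Wipe ManagedDevice"   # assumed value; verify in a real export
WINDOW = timedelta(minutes=10)         # sliding window for counting wipes
THRESHOLD = 5                          # this many wipes in one window is a burst


def _ev(actor, activity, ts, result="Success"):
    """Build one constructed audit event in the assumed shape."""
    return {
        "activityType": activity,
        "activityDateTime": ts,
        "activityResult": result,
        "actor": {"userPrincipalName": actor},
    }


# Constructed sample: a helpdesk account does two routine wipes hours apart,
# while a second admin account issues six wipes in under three minutes.
SAMPLE_EVENTS = [
    _ev("helpdesk@contoso.example", WIPE_ACTIVITY, "2024-03-01T09:00:00Z"),
    _ev("svc-intune@contoso.example", "Create DeviceConfiguration", "2024-03-02T02:00:00Z"),
    _ev("svc-intune@contoso.example", WIPE_ACTIVITY, "2024-03-02T02:01:00Z"),
    _ev("svc-intune@contoso.example", WIPE_ACTIVITY, "2024-03-02T02:01:10Z"),
    _ev("svc-intune@contoso.example", WIPE_ACTIVITY, "2024-03-02T02:01:20Z"),
    _ev("svc-intune@contoso.example", WIPE_ACTIVITY, "2024-03-02T02:01:35Z", result="Failure"),
    _ev("svc-intune@contoso.example", WIPE_ACTIVITY, "2024-03-02T02:02:00Z"),
    _ev("svc-intune@contoso.example", WIPE_ACTIVITY, "2024-03-02T02:03:30Z"),
    _ev("helpdesk@contoso.example", WIPE_ACTIVITY, "2024-03-01T15:30:00Z"),
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp used in the events ('Z' suffix)."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_wipe_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {actor: max wipes seen in any `window`} for actors at or above `threshold`.

    Failed attempts are counted too: a compromised admin account hammering the
    wipe action is the signal, whether or not every call succeeded.
    """
    wipes_by_actor = defaultdict(list)
    for ev in events:
        if ev.get("activityType") != WIPE_ACTIVITY:
            continue
        actor = ev["actor"]["userPrincipalName"]
        wipes_by_actor[actor].append(parse_time(ev["activityDateTime"]))

    bursts = {}
    for actor, times in wipes_by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[actor] = peak
    return bursts


if __name__ == "__main__":
    for actor, count in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} issued {count} wipe commands within {WINDOW}")
```

Run against the constructed sample, only the `svc-intune@contoso.example` account is flagged; the helpdesk account's two wipes, hours apart, stay below the threshold. In a real deployment the same logic would run over events pulled from the Graph audit endpoint, and the alert is most useful paired with the controls quoted later in the article (MFA on the admin account and multi-admin approval on wipe actions), since a burst that trips this detection has already reached devices.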
Paddy Harrington, a senior analyst at Forrester, said the attack does not point to any inherent weakness in Microsoft Intune, but essentially utilizes living-off-the-land techniques to bypass existing security systems.
Attacks using mobile device management platforms are not new and have been used to conduct significant attacks in recent years. Harrington points to a January attack against the European Commission and a 2020 attack against a multinational firm using a Cerberus banking Trojan.
“Using MFA to access MDM/UEM can reduce the likelihood of a simple account takeover attack. And for destructive functions like wipe actions, Intune and other modern platforms have a multiaccount approval feature that ensures that no one person can make critical changes,” Harrington told Cybersecurity Dive.
Researchers from Palo Alto Networks Unit 42 would not comment on the specifics of the Stryker attack, but cited a March 6 report from Israel’s National Cyber Directorate about destructive wiper attacks targeting servers and workstations at several companies with the goal of deleting data, according to a blog post published Thursday.
In some of those attacks, hackers gained access to credentials or other information from legitimate users and weaponized that to gain initial access to systems, according to the Unit 42 blog post.
Microsoft has thus far declined to comment on the incident, but a spokesperson told Cybersecurity Dive it would provide an update if any additional information became available.
Stryker has been working with third-party forensic experts to investigate the attack, and the Cybersecurity and Infrastructure Security Agency has been investigating the attack as well.