Kevin Surace
What happened at Stryker today isn't a malware story. It's an identity story. And it's one the industry has seen before — the Sony hack, twelve years ago, followed a similar path. A dozen years later, the attack surface has changed. The fundamental failure hasn't.
Here's what the reporting tells us: Stryker's Microsoft environment was compromised at scale. No ransomware. No novel exploit. Handala claims 200,000 devices wiped, 50TB of data exfiltrated — and multiple sources point to Microsoft Intune as the likely mechanism. That matters, because Intune is a legitimate management platform. It's designed to remotely wipe enrolled devices across Windows, macOS, iOS, Android, and ChromeOS. In the wrong hands, your trusted control plane becomes the weapon. (BleepingComputer)
To use Intune this way, you need one thing: a privileged Microsoft identity. An Entra global admin. An Intune administrator. An account with equivalent authority.
How do you get it? The same ways that have always worked: phishing, session theft, AiTM attacks against legacy MFA, help desk social engineering, stolen admin credentials. Once you own the identity plane, you don't hack 200,000 assets one by one. You issue legitimate remote commands — and the infrastructure does the rest. (Krebs on Security)
This is also why Stryker reported no indication of ransomware or malware. When an attacker controls native administrative functions — wiping endpoints, disabling login surfaces, pushing destructive actions through trusted channels — they don't need conventional malware. They are the admin.
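A defender's counterpart to the scenario above: because a compromised admin issues many legitimate wipe or retire commands in a short burst, the thing to hunt for is destructive management actions per identity per time window. The block below is an added example, not Stryker's or Microsoft's code, and it runs over a constructed, simplified audit trail rather than the real Intune audit log schema (the field layout and the admin names are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (NOT the real Intune audit schema):
# each event is (timestamp, acting identity, action, target device id).
DESTRUCTIVE_ACTIONS = {"Wipe", "Retire", "Delete"}


def build_sample_events():
    """Constructed trail: one admin issues 40 wipes in ~5 minutes,
    another retires 3 devices over a day plus routine sync traffic."""
    base = datetime(2026, 4, 1, 2, 0, 0)
    events = []
    for i in range(40):  # burst from one privileged identity (assumed name)
        events.append((base + timedelta(seconds=7 * i), "admin-a@example.test", "Wipe", f"dev-{i:04d}"))
    for i in range(3):   # routine lifecycle actions from another admin
        events.append((base + timedelta(hours=3 * i), "admin-b@example.test", "Retire", f"old-{i}"))
    for i in range(10):  # benign noise that must not trip the rule
        events.append((base + timedelta(minutes=i), "admin-b@example.test", "SyncDevice", f"dev-{i:04d}"))
    return events


def find_bulk_wipe_bursts(events, window=timedelta(minutes=10), threshold=20):
    """Flag any identity that issues >= threshold destructive actions inside
    one sliding window. Returns [(actor, count_in_window, window_start)]."""
    per_actor = defaultdict(list)
    for ts, actor, action, _device in events:
        if action in DESTRUCTIVE_ACTIONS:
            per_actor[actor].append(ts)
    alerts = []
    for actor, stamps in per_actor.items():
        stamps.sort()
        start, best = 0, (0, None)
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide window forward
                start += 1
            count = end - start + 1
            if count > best[0]:
                best = (count, stamps[start])
        if best[0] >= threshold:
            alerts.append((actor, best[0], best[1]))
    return alerts


if __name__ == "__main__":
    for actor, count, start in find_bulk_wipe_bursts(build_sample_events()):
        print(f"ALERT: {actor} issued {count} destructive commands from {start.isoformat()}")
```

Tune the window and threshold to your own baseline of legitimate bulk retirements; the point is that a rate limit or alert on the control plane's destructive verbs catches the abuse even though every individual command is valid.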
The attacker's branding reportedly appeared on login pages. That's not a ransomware signature. That's a flag planted at the identity layer.
Stryker generated over $25 billion in revenue in 2025. Roughly $68.8 million per day. Not all of that evaporates during an outage — but the exposure compounds fast when manufacturing, order flow, hospital support, field sales, and supply chain operations go dark globally. (Q4 Capital)
Realistic damage range: $150 million to $500 million. Potentially higher.
Recovery looks like this: initial containment in days. Partial operations restored in one to three weeks. Most users and devices functional in 30 to 90 days. Full rebuild — forensics, credential reset, re-enrollment, confidence restoration — six to twelve months.
The attacker was in for hours. Stryker pays for it for months.
The root cause is a flaw in identity assurance.
The moment a credential can be stolen, relayed, or social-engineered — the moment a push notification can be fatigued, a session hijacked, a help desk bypassed — the entire control plane is available to anyone who can impersonate the person who holds it.
Token exists precisely here. Biometric-assured, device-bound, cryptographically enforced identity. Nothing to phish. Nothing to relay. No shared secret. No easy bypass. Real presence. Real biometrics. Real proof — tied to the human being, the device, and the session.
If the identity cannot be stolen, the admin cannot be impersonated. That is the difference between cleanup and prevention. Token deals in absolutes.