Lock down Microsoft Intune, feds warn after Stryker attack
(2026/03/19)
- Reference: 1773936020
- News link: https://www.theregister.co.uk/2026/03/19/microsoft_intune_lockdown_stryker/
- Source link:
The US government has urged companies to better secure Microsoft Intune, an endpoint management tool that was abused in last week's cyberattack against med-tech firm Stryker.
Handala, a group [1]linked to Iran's intelligence agency, claimed responsibility for the [2]attack, which knocked some of the surgical equipment maker's networks offline and [3]continues to affect shipping and ordering systems.
Stryker has publicly said the attack affected its Microsoft environment, and a source familiar with the investigation confirmed to The Register that the attackers wiped employees' devices using Intune.
Microsoft to date has declined to comment.
In a Wednesday security alert, the US Cybersecurity and Infrastructure Security Agency (CISA) [7]said it is "aware of malicious cyber activity targeting endpoint management systems of US organizations" following the Stryker intrusion, and urged companies to follow Microsoft's best practices for securing Intune.
Redmond published [8]this guidance three days after the cyberattack.
[9]Iran's cyberattack against med tech firm is 'just the beginning'
[10]Iran-linked cyber crew says they hit US med-tech firm
[11]Cybercrime isn't just a cover for Iran's government goons - it's a key part of their operations
[12]Another massive security snafu hits Microsoft, but don't expect it to stick
Among the recommendations: Use principles of least privilege when designing administrative roles.
This can prevent someone who has breached Intune – as appears to be the case in the Stryker intrusion – from creating new admin accounts and using these to control employees' access to internal systems and perform wipe commands.
Companies should use Intune's role-based access controls to assign each role only the minimum permissions it needs to complete its day-to-day operations. ®
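As an added, illustrative defender-side check (not code from the article, CISA or Microsoft): the chain described above, a new role grant followed by mass device wipes, leaves a trail in Intune's audit log. The script below runs that detection over a constructed sample; the event field names and activityType values are assumed placeholders, so map them to your tenant's real audit schema before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Intune-style audit events. The field names and the
# activityType values are assumed placeholders, not a verified Intune schema.
SAMPLE_EVENTS = [
    {"time": "2026-03-09T01:02:00Z", "actor": "attacker@corp.example",
     "activityType": "createRoleAssignment", "target": "Global Device Ops"},
    {"time": "2026-03-09T09:30:00Z", "actor": "helpdesk@corp.example",
     "activityType": "wipeManagedDevice", "target": "LAPTOP-042"},
] + [
    {"time": f"2026-03-09T01:{5 + 2 * i:02d}:00Z", "actor": "attacker@corp.example",
     "activityType": "wipeManagedDevice", "target": f"LAPTOP-{i:03d}"}
    for i in range(6)
]

# Privilege-granting actions and destructive remote actions (assumed names).
PRIV_ACTIONS = {"createRoleAssignment", "createRoleDefinition", "addRoleMember"}
WIPE_ACTIONS = {"wipeManagedDevice", "retireManagedDevice"}


def _ts(event):
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00"))


def find_wipe_abuse(events, threshold=5, window=timedelta(hours=1)):
    """Return (actor, kind, detail) findings: `threshold` or more wipes by one
    actor inside `window`, and a privileged role grant followed by wipes."""
    by_actor = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_actor[event["actor"]].append(event)
    findings = []
    for actor, evs in by_actor.items():
        wipes = [e for e in evs if e["activityType"] in WIPE_ACTIONS]
        grants = [e for e in evs if e["activityType"] in PRIV_ACTIONS]
        # Sliding window over the actor's wipes, oldest first.
        for i, first in enumerate(wipes):
            j = i
            while j < len(wipes) and _ts(wipes[j]) - _ts(first) <= window:
                j += 1
            if j - i >= threshold:
                findings.append((actor, "wipe_burst", f"{j - i} wipes within {window}"))
                break
        # Grant-then-wipe by the same actor; one finding per actor is enough.
        for grant in grants:
            later = [w for w in wipes if timedelta(0) <= _ts(w) - _ts(grant) <= window]
            if later:
                findings.append((actor, "grant_then_wipe", f"{grant['activityType']} then {len(later)} wipe(s)"))
                break
    return findings
```

Both patterns fire for the constructed attacker account while the single help-desk wipe stays quiet; tune `threshold` and `window` to your fleet's normal wipe rate.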
[1] https://www.theregister.com/2026/03/10/cybercrime_iran_mois/
[2] https://www.theregister.com/2026/03/11/us_medtech_firm_stryker_cyberattack_iran/
[3] https://www.theregister.com/2026/03/18/irans_cyberattack_against_stryker/
[7] https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-urges-endpoint-management-system-hardening-after-cyberattack-against-us-organization
[8] https://techcommunity.microsoft.com/blog/intunecustomersuccess/best-practices-for-securing-microsoft-intune/4502117
[9] https://www.theregister.com/2026/03/18/irans_cyberattack_against_stryker/
[10] https://www.theregister.com/2026/03/11/us_medtech_firm_stryker_cyberattack_iran/
[11] https://www.theregister.com/2026/03/10/cybercrime_iran_mois/
[12] https://www.theregister.com/2025/07/21/massive_security_snafu_microsoft/
Can't believe I'm saying this....
This has got nothing to do with Microsoft.
Phished identity. Lack of MFA. Lack of RBAC. Lack of alerting into a SIEM. Take your pick.
Unless, of course, that Intune has poor RBAC.... Which it doesn't: https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/create-custom-role
So, back to Stryker and its poor security. CISO needs to be fired: https://www.stryker.com/us/en/about/our-management/leaders/1200.html