Stryker Wiped. How not to be next.
3–16–2026 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, March 16, 2026. The war in Iran continues, and we’re starting to see the cyber components come into play, although tangentially.
Let’s dive right in today.
Stryker Wiped. How Not To Be Next.
US medical equipment provider Stryker has confirmed that it is experiencing a global outage due to a cyber attack.
Credit for that attack is being claimed by a hacking group known as Handala, which is notionally affiliated with Iranian interests. The attack used Microsoft Intune - a legitimate IT tool used by most companies of scale - to wipe more than 200,000 Stryker devices, including laptops, desktops, and phones.
This cyber attack is in direct response to the US bombing of a girls’ school in Iran, which resulted in the death of more than 170, most of them children. I’ll leave the politics aside for now and talk through the cyber issues we’ve got at hand.
As I often say on this show, everything in security is a trade-off. In this case, the trade-off is using a centralized administration tool that lets Stryker’s IT team reach out and touch every device in their enterprise. It might seem silly to create a system that could facilitate this, but think about the trade-off: if you don’t have centralized IT administrative capabilities, you’re going to need them at every location, or spend a lot of additional time connecting remotely or even flying people around, creating opportunities for missed machines, updates, or inventory.
In another instance, if there was a widespread zero-day that needed to be patched across the whole business quickly, this sort of Intune setup would be a godsend, not a disaster.
This hack has been called in the press “the most significant cyber incident linked to the recent Iran war,” and the Cybersecurity and Infrastructure Security Agency has launched an investigation into the hack. Though, given the cuts at CISA - including the lead for their Pre-Ransomware Notification Initiative - and the fact that DHS remains in an unfunded shutdown state and employees are now going to miss paychecks - I’m not sure how helpful they’ll actually be.
Meanwhile, Iran continues to up their rhetoric, reportedly designating US companies Amazon, Google, IBM, Microsoft, Nvidia, Oracle, and Palantir facilities as legitimate targets of retaliatory strikes, according to an Al Jazeera report citing Iran’s state-affiliated Tasnim news agency.
So what can you do to avoid becoming the next victim?
Palo Alto Networks’ Unit 42 put out a very good brief on this very topic. Like many recommendations we make here, they’re not particularly sexy, sophisticated, or glamorous, but they are effective.
They fall broadly into three buckets: eliminate standing privileges and tighten session tokens, harden Entra ID admin accounts, and enhance Azure-specific security controls and monitoring.
I’ve linked through to the specific brief below, but you can also get a quick sense of your own potential exposure by looking in your Intune instance:
Intune path: (Tenant Admin > Roles > Roles by Permission > Remote Tasks > Wipe)
If you go look, you’ll see which accounts and roles have this capability in your tenant. Remove the Wipe ability from any role that doesn’t need it, and ensure that you’ve got phishing-resistant MFA on all admin accounts. Consider additional restrictions around console access to known, managed, and compliant devices (which gives you a backstop if a set of credentials is stolen or a session token is compromised).
You can also add alerts on bulk wipe detection, and ensure that Intune logs are getting to your SIEM for additional visibility.
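To make the bulk wipe alert concrete, here is an added example (not from Unit 42's brief or from Microsoft) of the detection logic: a sliding window that flags any account wiping many distinct devices in a short period. The record field names, the threshold of 5, and the 10-minute window are assumptions; map them to your own Intune audit export or SIEM table.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data. The field names (time, actor, operation, device)
# are assumptions for this example, not Intune's export schema; map them to
# the columns your audit-log export or SIEM table actually provides.
_T0 = datetime(2026, 3, 11, 2, 0, 0)
SAMPLE_EVENTS = [
    {"time": "2026-03-10T09:00:00", "actor": "helpdesk1@example.com",
     "operation": "wipe", "device": "LT-0001"},
    {"time": "2026-03-10T14:30:00", "actor": "helpdesk1@example.com",
     "operation": "wipe", "device": "LT-0002"},
    {"time": "2026-03-11T01:59:00", "actor": "admin7@example.com",
     "operation": "sync", "device": "LT-0100"},
] + [
    {"time": (_T0 + timedelta(seconds=5 * i)).isoformat(),
     "actor": "admin7@example.com", "operation": "wipe",
     "device": f"LT-01{i:02d}"}
    for i in range(8)
]


def bulk_wipe_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on any actor wiping >= threshold distinct devices within window."""
    wipes = sorted(
        ((datetime.fromisoformat(e["time"]), e["actor"], e["device"])
         for e in events if e["operation"].lower() == "wipe"),
        key=lambda w: w[0],
    )
    recent = defaultdict(deque)  # actor -> (time, device) pairs still in window
    alerts = {}
    for when, actor, device in wipes:
        q = recent[actor]
        q.append((when, device))
        while when - q[0][0] > window:  # drop wipes older than the window
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) >= threshold:
            alert = alerts.setdefault(
                actor, {"actor": actor, "first_seen": q[0][0], "devices": set()})
            alert["devices"] |= devices
    return list(alerts.values())


if __name__ == "__main__":
    for a in bulk_wipe_alerts(SAMPLE_EVENTS):
        print(a["actor"], a["first_seen"].isoformat(), len(a["devices"]), "devices")
```

In the sample, the help desk account's two wipes hours apart stay quiet, while the admin account's eight wipes in under a minute raise one alert.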
All of these steps will harden your infrastructure, but the tradeoff is some additional friction for your IT team. Given what Stryker is looking at in terms of restoration, I think your teams will gladly make that tradeoff every time.
Fundraising
From a fundraising perspective, we are surprisingly back to big numbers, with more than $21B in newly committed capital announced in the past week (and many more billions noted as being in pursuit):
Bain Capital raised $10.5b for its sixth Asia buyout fund, topping its $7b target, per Bloomberg;
Founders Fund is nearing a $6b final close for its fourth growth fund, per TechCrunch;
Truelink Capital of LA raised $2b for its second flagship midmarket PE fund.
I say this is surprising because of the macro picture - the tremendous volatility we’re seeing in not just the oil market, but in adjacent and downstream markets, paired with the long run to return to “normal” or baseline mechanics, sure seems like a “cash is king” moment.
And maybe that’s why I’m a security pro and not a professional investor.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html
https://www.nytimes.com/2026/03/11/us/politics/iran-school-missile-strike.html
https://www.theregister.com/2026/03/11/iran_threatens_us_tech_companies/
https://www.politico.com/news/2026/03/13/democrats-republicans-dhs-shutdown-00827135
https://unit42.paloaltonetworks.com/handala-hack-wiper-attacks/