In the wake of the Iran-backed hacktivist attacks on Stryker, CIOs rethink enterprise risk models to account for different attacker intents and methods.
On March 11, 2026, an Iran-linked hacktivist group called Handala attacked medical technology company Stryker.
Within hours of the attack, an estimated 80,000 corporate and personal devices had been factory reset across 79 countries. No ransom was demanded.
Attackers had weaponized Microsoft Intune, Stryker's device management platform, to issue remote wipe commands across the organization. Every command was a legitimate administrative function. Stryker filed an 8-K form with the U.S. Securities and Exchange Commission confirming a global disruption to its Microsoft environment.
Stryker holds large U.S. military contracts, including supply relationships with Walter Reed National Military Medical Center, and has at least one Israel-based subsidiary. Handala framed the attack as retaliation tied to the U.S.-Iran conflict. Stryker was chosen for what it represents, not for any gap in its defenses.
The old risk model is broken
Standard enterprise risk models assume adversaries want something: data, money or access. Wartime attackers often want none of those things. The goal is disruption, destruction and signaling. Existing threat models do not capture that category of intent, and most enterprise risk frameworks were not designed for the class of attacker that hit Stryker.
Built for financially motivated actors. Enterprise cyber risk frameworks have spent decades optimizing for adversaries who want something. Ransomware operators seek payment and espionage groups steal IP. That logic shaped how organizations have deployed controls and built incident response programs.
Most organizations have simply relabeled threat actors without changing their underlying models, according to Brian Blakley, CISO at ConnectSecure and Bellini Capital. The real shift requires moving from event-based risk to outcome-based risk, modeling for business disruption and geopolitical intent rather than just financial exposure, with scenario planning tied directly to revenue and operations.
Cyber operations are increasingly synchronized to geopolitical events. The World Economic Forum's Global Cybersecurity Outlook 2025 found that nearly 60% of organizations say geopolitical tensions have already affected their cybersecurity strategy.
Geopolitics and cybersecurity are now inseparable. Ongoing conflicts, sanctions regimes, trade disputes and technological competition have pushed state rivalry into cyberspace.
"The risk model itself hasn't been replaced, it's been reframed," said Jared Atkinson, chief strategist and CTO at SpecterOps. "Instead of centering on attacker type, organizations are starting to center on what level of control leads to destructive impact."
In the crosshairs (without knowing it)
Stryker did not consider itself a participant in the U.S.-Iran conflict, but its business profile made it one. Therefore, CIOs should audit their organizations against the following exposure factors:
Government or military contracts at the federal, state or allied-nation level.
Subsidiaries, acquisitions or joint ventures in geopolitically sensitive countries.
Technology partnerships with companies on sanctioned-nation watchlists.
Critical infrastructure adjacency in healthcare, energy, logistics or the defense supply chain.
Brand visibility that makes the organization a symbolic target for hacktivist groups.
Supply chain dependencies often extend exposure further than organizations realize.
"If you have third-party vendors or partners with any form of privileged or federated access into your environment, your exposure automatically extends beyond your own perimeter," said Praerit Garg, CEO of One Identity.
Forward-looking decisions carry the same weight as current operations, said James Owen, global head of digital risks at Control Risks. Market entries, acquisitions and technology partnerships can shift an organization's geopolitical profile quickly.
"The organizations that become most exposed are not those in conflict zones, but those whose digital footprint or strategic choices suddenly make them politically symbolic at exactly the wrong moment," Owen said.
The Stryker attack as a technical case study
The Stryker incident is now an emerging case study in what can go wrong and why organizations need to prepare now for a new type of cybersecurity reality.
The attack vector. How Handala gained initial access has not been publicly confirmed by Stryker. Palo Alto Networks Unit 42 assessed phishing as the primary vector for recent Handala destructive operations, with identity exploitation through administrative access to Microsoft Intune as the core pattern. Check Point Research documented hundreds of brute-force and credential stuffing attempts against organizational VPN infrastructure linked to Handala in the months before the attack, originating from commercial VPN nodes and Starlink IP ranges. What is confirmed is that attackers reached privileged administrator accounts within Stryker's Microsoft Entra ID environment.
From identity to management plane. Once in control of a Global Administrator account, the attackers issued enterprise-wide remote wipe commands.
"The attackers compromised a single Intune Global Administrator credential, reportedly a weak password with no MFA [multi-factor authentication] and no multi-admin approval enabled, and used it to issue factory reset commands to over 80,000 devices across 79 countries in roughly three hours," said Buddy Pitt, director of IT security and incident response at Logically. "No malware, no vulnerability exploited, every action was a legitimate administrative command from the platform's perspective, which means EDR [endpoint detection and response] never triggered."
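Because every wipe was a legitimate command from the platform's perspective, endpoint tooling had nothing to flag; the signal lives in the management plane's own audit trail, as volume per actor rather than any single event. The following is an added example, not code from the article or from Microsoft: a rate-based detector over Intune audit events that assumes the field shape of the Graph deviceManagement/auditEvents resource and runs on constructed sample events.

```python
"""Rate-based detection of mass remote wipes in Intune audit events.
Every wipe is a legitimate admin action, so the signal is volume per actor in
a short window. Field names follow the shape of Microsoft Graph
deviceManagement/auditEvents (an assumption); sample events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)
THRESHOLD = 5  # wipes by one actor inside WINDOW before alerting

def _is_wipe(event: dict) -> bool:
    # activityType is free text such as "Wipe ManagedDevice"; match loosely,
    # but only on actions, never on reads.
    return ("wipe" in event.get("activityType", "").lower()
            and event.get("activityOperationType", "").lower() == "action")

def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["activityDateTime"].replace("Z", "+00:00"))

def detect_mass_wipe(events, window=WINDOW, threshold=THRESHOLD):
    """Return one (actor, window_start_iso, count) alert per actor whose wipes
    inside a sliding window reach the threshold."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=_ts):
        if not _is_wipe(ev):
            continue
        actor = ev["actor"]["userPrincipalName"]
        ts = _ts(ev)
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:  # drop wipes that fell out of the window
            q.popleft()
        if len(q) >= threshold and actor not in alerts:
            alerts[actor] = (q[0].isoformat(), len(q))
    return [(actor, start, n) for actor, (start, n) in alerts.items()]

def _ev(seconds, actor, activity="Wipe ManagedDevice", op="Action"):
    t = datetime(2026, 1, 1, 2, 0, tzinfo=timezone.utc) + timedelta(seconds=seconds)
    return {"activityDateTime": t.isoformat().replace("+00:00", "Z"),
            "activityType": activity, "activityOperationType": op,
            "actor": {"userPrincipalName": actor}}

# Constructed sample: routine helpdesk wipes an hour apart, a compromised admin
# wiping a device every 20 seconds, and a device read that must not count.
SAMPLE_EVENTS = (
    [_ev(0, "helpdesk@example.com"), _ev(3600, "helpdesk@example.com")]
    + [_ev(20 * i, "ga-admin@example.com") for i in range(12)]
    + [_ev(60, "ga-admin@example.com", "Get ManagedDevice", "Get")]
)
```

Running detect_mass_wipe(SAMPLE_EVENTS) raises one alert for ga-admin@example.com after its fifth wipe, while the helpdesk's two routine wipes never cross the threshold.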
Cascading employee impact. Personal devices enrolled in Intune for corporate email and Teams access were wiped alongside company-owned assets. Employees lost personal photos, eSIMs and their only authentication path back into corporate accounts. According to an FBI affidavit filed in support of the DOJ domain seizure action, the attack disrupted hospital systems in Maryland, with Stryker's Lifenet ECG transmission system going offline and forcing emergency services to fall back on radio consultations with receiving hospitals.
The regulatory response. The Cybersecurity and Infrastructure Security Agency (CISA) subsequently warned U.S. organizations to follow Microsoft's guidance for strengthening Intune endpoint management after the attack exploited it to wipe Stryker's systems.
The prior breach problem. Stryker disclosed in December 2024 that attackers had accessed its network for approximately four weeks between May and June 2024, exfiltrating PII tied to joint replacement procedures. Whether that intrusion left persistent access contributing to the March 2026 attack has not been confirmed.
The risks CIOs aren't modeling
The Stryker incident exposes several risk categories that are consistently absent from enterprise threat models.
Wiper attacks vs. ransomware. With ransomware there is a negotiation, a recovery key and a financial resolution path. A wiper attack offers none of those, as the damage is the point.
BYOD as a wartime liability. Employee-owned devices enrolled in corporate environments can become weapons turned against their owners. The Stryker attack wiped personal phones enrolled for corporate email access, destroying photos, eSIMs and authentication apps.
Management plane exposure. Hypervisors and management planes sit below cloud workloads and enterprise environments, yet few organizations have clear security ownership at this layer. That gap represents a single point of failure capable of cross-sector disruption.
"If an attacker gains administrative access, they don't just have data access, they can operate the environment," Atkinson said.
Identity as the new perimeter. Attackers increasingly use valid credentials to abuse identity systems, single sign-on and trusted AI agents, blending into normal activity. Avani Desai, CEO of Schellman, identified a governance gap that runs across the industry. "Even in mature organizations, identity and privileged access are often still treated as an IT function rather than a core risk domain," she said.
What good looks like: A CIO action framework
The Stryker attack exposed several specific IT infrastructure gaps that CIOs should address in immediate, near-term and long-term strategic time frames.
Immediate (0-30 days)
Planning for an attack should start immediately.
"A realistic action plan starts with identifying where the organization has concentrated identity risk, where it is dependent on key vendors or service providers and which business functions would be hardest to sustain if a destructive or politically motivated attack occurred," said Jackie Mattingly, senior director of consulting services at Clearwater.
CIO actions:
Audit every account with mobile device management (MDM) and unified endpoint management (UEM) global admin rights.
Enforce phishing-resistant MFA on all privileged accounts.
Review whether managed service providers hold persistent admin access.
Map your geopolitical exposure profile: government contracts, international subsidiaries, allied-nation partnerships.
Near-term (30-90 days)
Looking beyond the immediate steps, there is a need to harden management plane controls as an essential foundation.
"Organizations are strengthening privileged access pathways, enforcing phishing-resistant authentication, reducing the blast radius of admin accounts and introducing multi-person approval for high-impact actions," Owen said. "These steps are no longer best practices, they are essential safeguards against destructive attacks."
CIO actions:
Implement Multi-Admin Approval policies for destructive MDM actions including mass wipe commands.
Implement just-in-time access through Privileged Identity Management so no account holds standing Global Admin rights.
Separate BYOD enrollment tiers to limit wipe authority on personal devices enrolled only for email or collaboration access.
Map your blast radius to identify which systems a weaponized management console could reach simultaneously.
Add a geopolitical risk review to your quarterly security cadence with business, legal and security leadership present.
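The immediate audit items (MDM/UEM global admins, phishing-resistant MFA, MSP persistent access) and the near-term PIM item can be checked mechanically against an export of privileged-role assignments. The following is an added example, not code from the article or from any vendor; the record shape, role names and authentication-method type strings are assumptions modelled on Entra ID and Microsoft Graph, and the sample records are constructed.

```python
"""Audit exported privileged-role assignments for the gaps the Stryker case
highlights: standing (non-PIM) admin rights, admins without phishing-resistant
MFA, and external/MSP identities holding persistent access. The record shape
is an assumption (built from Entra role assignments, PIM eligibility and each
user's Graph authentication methods); the sample records are constructed."""
# Roles whose holders can issue device wipe commands through Intune.
WIPE_CAPABLE_ROLES = {"Global Administrator", "Intune Administrator"}

# Graph authentication-method types that count as phishing-resistant.
PHISHING_RESISTANT = {
    "#microsoft.graph.fido2AuthenticationMethod",
    "#microsoft.graph.windowsHelloForBusinessAuthenticationMethod",
    "#microsoft.graph.x509CertificateAuthenticationMethod",
}
PASSWORD = "#microsoft.graph.passwordAuthenticationMethod"

def audit_assignment(a: dict) -> list:
    """Return (severity, finding) tuples for one role assignment record."""
    if a["role"] not in WIPE_CAPABLE_ROLES:
        return []  # read-only roles cannot wipe devices; out of scope here
    findings = []
    methods = set(a["authMethods"])
    standing = a["assignmentType"] == "permanent"
    # Entra guests carry "#EXT#" in the UPN; MSP staff usually sign in that way.
    external = a.get("userType") == "Guest" or "#EXT#" in a["upn"]
    if methods <= {PASSWORD}:
        findings.append(("critical", "password-only sign-in on a wipe-capable role"))
    elif not methods & PHISHING_RESISTANT:
        findings.append(("high", "MFA registered but not phishing-resistant"))
    if standing and external:
        findings.append(("critical", "external/MSP identity holds standing admin rights"))
    elif standing:
        findings.append(("high", "standing assignment; make it PIM-eligible, just-in-time"))
    return findings

def audit(assignments) -> dict:
    """Map each UPN to its findings; an empty list means the account passes."""
    return {a["upn"]: audit_assignment(a) for a in assignments}

SAMPLE_ASSIGNMENTS = [  # constructed sample export
    {"upn": "legacy-ga@example.com", "role": "Global Administrator",
     "assignmentType": "permanent", "userType": "Member", "authMethods": [PASSWORD]},
    {"upn": "ops_msp.example#EXT#@example.onmicrosoft.com", "role": "Intune Administrator",
     "assignmentType": "permanent", "userType": "Guest",
     "authMethods": [PASSWORD, "#microsoft.graph.microsoftAuthenticatorAuthenticationMethod"]},
    {"upn": "alice@example.com", "role": "Global Administrator", "assignmentType": "eligible",
     "userType": "Member", "authMethods": [PASSWORD, "#microsoft.graph.fido2AuthenticationMethod"]},
    {"upn": "bob@example.com", "role": "Global Reader", "assignmentType": "permanent",
     "userType": "Member", "authMethods": [PASSWORD]},
]
```

On the sample, the password-only standing Global Administrator and the guest MSP account with standing Intune rights each produce two findings, while the PIM-eligible FIDO2 admin and the read-only Global Reader pass.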
Strategic (90+ days)
Organizations with the immediate and near-term fundamentals locked down should then focus on the broader threat surface.
"If you've been on a path to compliance like CMMC (Cybersecurity Maturity Model Certification), you're going to be better positioned going into a period of elevated risk than organizations with major gaps," Pitt said.
CIO actions:
Add a geopolitical threat actor category to your enterprise risk register with distinct scenarios: wiper attack, destructive hacktivism, nation-state sabotage.
Run tabletop exercises that simulate wartime-motivated attacks, not only ransomware scenarios.
Evaluate supply chain and M&A exposure for geopolitical risk.
Treat newly acquired international subsidiaries as immediate threat profile changes.
Shift investment bias from reactive to proactive, budgeting toward monitoring, testing and training.
The board conversation CIOs need to have
The board conversation needs to happen before a crisis forces it. Here are ways for CIOs to address the enterprise risk factors with their boards:
This is a business strategy issue, not a technical one. A $25 billion company filed an SEC 8-K because one admin password was compromised; surgeries were delayed and hospital systems were disrupted.
CEO and CISO concerns diverge. CEOs rate cyber-enabled fraud as their top concern. CISOs remain focused on ransomware and supply chain resilience. Neither is modeling the threat category that just hit Stryker, so CIOs need to bridge that gap. The way to do it is not with threat intelligence briefings.
The conversations that get traction with boards are grounded in operational impact, including which systems would fail, how long recovery would take and what the implications are for customers and revenue. Quantified business disruption moves boards, not abstract geopolitical risk narratives.
"What doesn't get traction is abstract threat intelligence briefings or fear-based presentations without actionable recommendations and cost estimates," Pitt said.
Run the exercise before the crisis. The single most effective tool available is a geopolitical escalation tabletop with executive leadership. Bring in the cyber insurance war exclusion clauses and put the quantifiable uninsured exposure on the table. Make the scenario real.
"Boards that have walked through a simulated nation-state wiper attack understand the risk in a way that no slide deck can achieve," Pitt said.
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He has pulled Token Ring, configured NetWare and been known to compile his own Linux kernel. He consults with industry and media organizations on technology issues.