Iranian Hackers Used Microsoft's Own Security Tool to Destroy a Medical Device Company's Data
An Iranian-linked hacking group deployed wiper malware through Microsoft Intune, the endpoint management tool that companies use to secure and control their devices. Stryker, a $100 billion medical technology company, lost data permanently. The attack belongs to a lineage that runs from Shamoon through NotPetya: the most dangerous category of cyberweapon, the kind that destroys instead of steals.
Key Takeaways
- Iranian-linked hackers deployed wiper malware through Microsoft Intune, the endpoint management tool companies trust to secure their devices
- Stryker, a $100B medical technology company, suffered permanent data destruction across its network
- Wiper malware destroys data permanently, unlike ransomware, which encrypts it for payment. There is no key to buy and no recovery beyond backups the wiper did not reach
- CISA issued urgent guidance for all organizations to harden their Microsoft Intune configurations
- Wiper attacks trace back to Shamoon (2012), which destroyed 35,000 Saudi Aramco workstations, and NotPetya (2017), which caused an estimated $10 billion in global damage
- The attack echoes Stuxnet (2010): both weaponized the trusted management tools that organizations depend on
Root Connection
Wiper malware, designed to permanently destroy data rather than steal or ransom it, traces back to Shamoon in 2012. That attack destroyed 35,000 workstations at Saudi Aramco and was attributed to Iran. The lineage runs through Dark Seoul (2013, North Korea), NotPetya (2017, Russia, an estimated $10 billion in global damage), and now the Stryker attack of 2026. But the technique of weaponizing trusted management tools echoes an even older precedent: Stuxnet (2010), which subverted the Siemens engineering software and programmable controllers at Natanz to destroy Iranian centrifuges. Attackers keep relearning the same lesson: the most devastating attacks come through the tools you trust most.
Timeline
2010: Stuxnet, a cyberweapon widely attributed to the United States and Israel, is discovered. It hijacked the Siemens Step 7 software used to program the controllers at Iran's Natanz enrichment plant and sabotaged the centrifuges they drove. The worm weaponized trusted industrial software, a pattern that would repeat.
2012: Shamoon wiper malware destroys 35,000 workstations at Saudi Aramco, replacing data with an image of a burning American flag. Attributed to Iran. It is the first major wiper attack against critical infrastructure.
2013: Dark Seoul attacks hit South Korean banks and broadcasters. North Korean hackers use wiper malware to destroy data across thousands of machines simultaneously.
2017: NotPetya, disguised as ransomware but actually a Russian wiper, spreads globally from a poisoned update to the Ukrainian M.E.Doc accounting software. Maersk loses 45,000 PCs and about $300 million. Total global damage is estimated at more than $10 billion.
2022: WhisperGate hits Ukrainian targets in January; HermeticWiper and further wiper variants follow in the hours around Russia's invasion in February.
2026: Iranian-linked hackers deploy wiper malware through Microsoft Intune at Stryker, the global medical technology company. CISA issues urgent guidance to harden Intune configurations.
Stryker Corporation makes surgical robots, joint replacements, medical imaging systems, and emergency medical equipment. It is one of the largest medical technology companies in the world, with a market capitalization exceeding $100 billion and products installed in hospitals across more than 100 countries.
In March 2026, an Iranian-linked hacking group called ShinyHunterz deployed wiper malware across Stryker's network. The malware did not encrypt data for ransom. It did not exfiltrate files to sell on the dark web. It destroyed data. Permanently.
The attack vector was Microsoft Intune.
Intune is Microsoft's cloud endpoint management platform. Companies use it to deploy software updates, enforce security policies, manage device configurations, and distribute applications across thousands of employee laptops, desktops, and mobile devices. It is, by design, one of the most trusted and most privileged tools in any enterprise environment. When Intune pushes a package or script to an enrolled device, the device runs it, because enrollment means the device trusts its tenant's management channel. That is the entire point.
The attackers obtained credentials with Intune administrative rights. Then they used Intune to push the wiper payload to endpoints across the company's network. The devices received the malware through the same channel they receive legitimate security updates, and with the privileges that channel carries. Endpoint protection did not stop it: from the device's point of view, the payload came from its own management plane.
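An attack that rides the management channel leaves its trace in the management plane's own audit log rather than on the endpoint. The script below is an added example, not code from the article or from Microsoft: it runs a simple triage over Intune-style audit events (constructed inline here and only loosely modeled on the Microsoft Graph deviceManagement/auditEvents shape; the field names, resource type strings, allowlist and thresholds are assumptions to adapt to a real export) and flags code-delivery operations by accounts outside a change-management allowlist, plus bursts of script or app deployment by a single actor.

```python
"""Triage of Intune-style audit events for suspicious code delivery.

Added example, not code from the article or from Microsoft. The records below
are constructed and only loosely modeled on the Microsoft Graph
deviceManagement/auditEvents shape; field names, resource type strings,
the allowlist and the thresholds are assumptions to adapt to a real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Resource types whose creation or assignment makes code run on endpoints (assumed names).
CODE_DELIVERY_TYPES = {"DeviceManagementScript", "DeviceHealthScript", "MobileApp"}
DEPLOY_OPERATIONS = {"Create", "Patch", "Assign"}
# Accounts permitted to deploy under change management (assumed).
KNOWN_DEPLOYERS = {"deploy-admin@example.com"}
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3  # code-delivery operations by one actor inside the window


def _event(ts, operation, resource_type, resource_name, actor):
    return {
        "activityDateTime": ts,
        "activityOperationType": operation,
        "activityResult": "Success",
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": resource_name, "type": resource_type}],
    }


# Constructed sample: a routine app update by the deployment account, then a
# help-desk account creating a script and assigning it twice within minutes
# at 02:00, followed by an unrelated read-only action.
SAMPLE_EVENTS = [
    _event("2026-03-10T14:02:11Z", "Patch", "MobileApp", "7-Zip 24.08", "deploy-admin@example.com"),
    _event("2026-03-10T14:03:40Z", "Assign", "MobileApp", "7-Zip 24.08", "deploy-admin@example.com"),
    _event("2026-03-11T02:14:05Z", "Create", "DeviceManagementScript", "HealthCheck", "svc-helpdesk@example.com"),
    _event("2026-03-11T02:15:22Z", "Patch", "DeviceManagementScript", "HealthCheck", "svc-helpdesk@example.com"),
    _event("2026-03-11T02:16:48Z", "Assign", "DeviceManagementScript", "HealthCheck", "svc-helpdesk@example.com"),
    _event("2026-03-11T02:17:30Z", "Assign", "DeviceManagementScript", "HealthCheck", "svc-helpdesk@example.com"),
    _event("2026-03-11T09:30:00Z", "Get", "DeviceConfiguration", "Baseline", "reader@example.com"),
]


def parse_time(value):
    """Parse the ISO-8601 UTC timestamp used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_code_delivery(event):
    """True when the operation can cause code to execute on managed devices."""
    if event["activityOperationType"] not in DEPLOY_OPERATIONS:
        return False
    return any(r.get("type") in CODE_DELIVERY_TYPES for r in event.get("resources", []))


def find_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding-window count of code-delivery operations per actor; one finding per actor."""
    by_actor = defaultdict(list)
    for e in events:
        if is_code_delivery(e):
            by_actor[e["actor"]["userPrincipalName"]].append(parse_time(e["activityDateTime"]))
    bursts = []
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts.append({"actor": actor, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break
    return bursts


def triage(events, known_deployers=KNOWN_DEPLOYERS):
    """Return findings: deployments by non-allowlisted actors, then deployment bursts."""
    findings = []
    unknown = defaultdict(int)
    for e in events:
        if is_code_delivery(e) and e["actor"]["userPrincipalName"] not in known_deployers:
            unknown[e["actor"]["userPrincipalName"]] += 1
    for actor, n in sorted(unknown.items()):
        findings.append({"actor": actor, "count": n,
                         "reason": "code delivery by actor outside the deployment allowlist"})
    minutes = int(BURST_WINDOW.total_seconds() // 60)
    for b in find_bursts(events):
        findings.append({"actor": b["actor"], "count": b["count"],
                         "reason": f"{b['count']} code-delivery operations within {minutes} minutes"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['actor']}: {f['reason']}")
```

Both heuristics are deliberately simple. The allowlist check is the one that would have mattered most here: a wiper push is, to the audit log, just another Assign of a script or app, and the only thing that distinguishes it is who did it, from where, and how fast.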
The malware did not break through a perimeter. It was let in through the front door.
The attackers did not break through Stryker's security perimeter. They walked through it using the same tool that Stryker uses to manage and secure its own devices. Microsoft Intune was the door, the key, and the weapon.
— ROOT•BYTE analysis
Wiper malware is the most destructive category of cyberweapon. It is important to understand what makes it different from ransomware, because the distinction is the difference between a hostage situation and arson.
Ransomware encrypts your data. The attackers hold the decryption key. They demand payment, usually in cryptocurrency. If you pay, you typically get your data back (though not always, and paying funds further criminal activity). If you do not pay, you restore from backups. Either way, the data still exists somewhere. Recovery is possible.
Wiper malware overwrites your data. It does not hold it; it destroys it. It writes zeros, random bytes, or garbage over every file it can reach. Typical variants also overwrite the master boot record or partition table so the machine cannot boot, and go after shadow copies, recovery partitions, and any backup share they can see. Some, NotPetya among them, "wipe" by encrypting with a key the attacker never keeps, which is destruction with a ransom note attached.
There is no key to buy. There is no negotiation. Recovery from a successful wiper attack comes only from offline or immutable backups the wiper could not reach.
This distinction matters because it reveals intent. Ransomware is usually criminal; wiper malware is usually strategic. Criminal groups deploy ransomware because they want money. Nation-states deploy wipers because they want damage. The line blurs at the edges (NotPetya wore a ransom note, and North Korea's WannaCry was ransomware), but the goal of a wiper is destruction, not profit.
Ransomware says: pay us and you get your data back. Wiper malware says: your data is gone and it is never coming back. There is no negotiation. There is no recovery. There is only the before and the after.
— ROOT•BYTE analysis
The Stryker attack follows a lineage that is now sixteen years long.
The ancestor is Stuxnet, discovered in 2010 and widely attributed to the United States and Israel. It was built to sabotage Iran's nuclear enrichment program. It targeted Siemens Step 7, the software used to program the Siemens controllers running the centrifuge cascades at the Natanz facility. Stuxnet did not delete data. It periodically altered the centrifuges' rotation speed, driving them to damage themselves while replaying normal-looking readings to the monitoring systems.
What made Stuxnet revolutionary was not its destructive capability. It was its delivery mechanism. Stuxnet weaponized the very industrial control software that the facility depended on. The centrifuge operators trusted Siemens Step 7 to manage their equipment. Stuxnet exploited that trust.
Iran learned the lesson.
In August 2012, Saudi Aramco, the world's most valuable oil company, suffered the most destructive cyberattack in history up to that point. A wiper called Shamoon destroyed 35,000 workstations in a matter of hours. The malware overwrote the master boot record of every infected machine and replaced data with the image of a burning American flag.
The attack was attributed to Iran. The motive was widely understood as retaliation for Stuxnet.
Shamoon established the template for nation-state wiper attacks: compromise a network quietly, deploy the wiper payload to as many machines as possible, and trigger it simultaneously for maximum damage.
In 2017, Russia refined the approach with NotPetya. It looked like ransomware (it displayed a ransom note and demanded Bitcoin), but it was a wiper: it encrypted the master file table and overwrote the master boot record, and the "installation key" it showed victims was random, so no payment could ever produce a working decryptor. It entered through a poisoned update to M.E.Doc, the tax accounting software used by most businesses filing taxes in Ukraine, and then spread inside networks using the EternalBlue exploit and stolen credentials.
NotPetya was meant for Ukraine. It escaped. The worm spread globally through multinational companies with Ukrainian offices. Maersk, the world's largest shipping company, lost 45,000 PCs and $300 million. Merck, the pharmaceutical company, lost $870 million. FedEx lost $400 million through its TNT Express subsidiary. Total global damage exceeded $10 billion.
NotPetya demonstrated something crucial: destructive code pushed through a trusted software supply chain does not stay contained. The 2020 SolarWinds attack, while not a wiper, exploited the same principle. The attackers compromised SolarWinds' Orion build and update process and shipped a trojanized update to roughly 18,000 customers, a far smaller subset of which, including several US government agencies, they then actively exploited.
The Stryker attack is the latest iteration of this pattern. The weapon changes. The technique is the same. Compromise a trusted management tool. Use it to deploy destruction.
What makes Intune particularly dangerous as an attack vector is its design purpose. Intune is an endpoint management platform. It has deep, persistent access to every device it manages. It can install software, modify configurations, push scripts, and enforce policies. On Windows, the Intune Management Extension installs Win32 apps and runs PowerShell scripts as SYSTEM by default, so whatever an administrator pushes runs with the highest privilege the device has.
If an attacker controls Intune, they control every device that Intune manages. There is no endpoint control that stops Intune from doing its job, because its job is unrestricted access to every endpoint. The controls that do exist sit one layer up: who can hold Intune administrative roles, whether those roles require phishing-resistant MFA and time-bound activation, whether a second administrator must approve app and script deployments (Intune's multi admin approval), and whether the audit log of those deployments is actually watched.
The US government recognized the severity immediately. Within days of the Stryker incident, the Cybersecurity and Infrastructure Security Agency (CISA) issued urgent guidance for all organizations using Microsoft Intune. The guidance includes hardening administrator account security, implementing conditional access policies, enabling logging on all Intune management actions, and restricting which applications can be deployed through the platform.
The recommended changes are, in many cases, configurations that should have been in place from the beginning. But they were not. Because Intune is a security tool. And security tools are, paradoxically, the ones most often left with default configurations because administrators assume they are inherently safe.
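One way to check whether the administrator-hardening items above actually hold in a tenant is to audit exported Conditional Access policies rather than trust the portal view. This is an added example, not from the article, CISA or Microsoft: it takes policy documents in the Microsoft Graph conditionalAccessPolicy shape (constructed inline here) and reports, for each privileged role, whether an enabled policy forces phishing-resistant MFA across all cloud apps, whether coverage exists only in report-only mode or with legacy "any MFA", and which accounts are excluded from the enforcing policies. The role template IDs and the phishing-resistant authentication strength ID are Microsoft's built-in values as I recall them; verify them against your own tenant before relying on the result.

```python
"""Audit exported Conditional Access policies for privileged-role coverage.

Added example, not from the article, CISA or Microsoft. Policies are
constructed inline in the Microsoft Graph conditionalAccessPolicy shape.
The GUIDs below are Microsoft's built-in role template and authentication
strength IDs as recalled by the author of this example; verify them.
"""

# Built-in authentication strength "Phishing-resistant MFA" (verify in your tenant).
PHISHING_RESISTANT_STRENGTH = "00000000-0000-0000-0000-000000000004"
# Entra role template IDs (verify in your tenant).
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
INTUNE_ADMIN = "3a2c62db-5318-420d-8d74-23affee5d9d5"
PRIVILEGED_ROLES = {GLOBAL_ADMIN: "Global Administrator", INTUNE_ADMIN: "Intune Administrator"}


def _policy(name, state, roles, grant, exclude=()):
    """Build a minimal conditionalAccessPolicy document scoped to all cloud apps."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeRoles": list(roles), "includeUsers": [], "excludeUsers": list(exclude)},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": dict(grant, operator="OR"),
    }


# Constructed sample tenant: legacy "any MFA" for both roles with a break-glass
# exclusion, phishing-resistant MFA enforced for Global Admins only, and the
# Intune Admin equivalent left in report-only mode.
SAMPLE_POLICIES = [
    _policy("Require MFA for admins", "enabled", [GLOBAL_ADMIN, INTUNE_ADMIN],
            {"builtInControls": ["mfa"]}, exclude=["breakglass-1@example.com"]),
    _policy("Phishing-resistant MFA for Global Admins", "enabled", [GLOBAL_ADMIN],
            {"authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}}),
    _policy("Phishing-resistant MFA for Intune Admins", "enabledForReportingButNotEnforced",
            [INTUNE_ADMIN], {"authenticationStrength": {"id": PHISHING_RESISTANT_STRENGTH}}),
]


def requires_phishing_resistant(policy):
    strength = (policy.get("grantControls") or {}).get("authenticationStrength") or {}
    return strength.get("id") == PHISHING_RESISTANT_STRENGTH


def requires_legacy_mfa(policy):
    return "mfa" in ((policy.get("grantControls") or {}).get("builtInControls") or [])


def covers_role(policy, role_id):
    """Policy applies to the role (directly or via 'All' users) across all cloud apps."""
    conditions = policy.get("conditions", {})
    users = conditions.get("users", {})
    apps = conditions.get("applications", {}).get("includeApplications", [])
    in_scope = role_id in users.get("includeRoles", []) or "All" in users.get("includeUsers", [])
    return in_scope and "All" in apps


def audit(policies, roles=PRIVILEGED_ROLES):
    """Per role: enforcing policies, report-only ones, legacy-MFA-only ones, exclusions, status."""
    report = {}
    for role_id, name in roles.items():
        covering = [p for p in policies if covers_role(p, role_id)]
        enforced = [p for p in covering if p.get("state") == "enabled" and requires_phishing_resistant(p)]
        report_only = [p for p in covering
                       if p.get("state") == "enabledForReportingButNotEnforced" and requires_phishing_resistant(p)]
        legacy = [p for p in covering
                  if p.get("state") == "enabled" and requires_legacy_mfa(p) and not requires_phishing_resistant(p)]
        excluded = sorted({u for p in enforced for u in p["conditions"]["users"].get("excludeUsers", [])})
        report[name] = {
            "enforced": [p["displayName"] for p in enforced],
            "report_only": [p["displayName"] for p in report_only],
            "legacy_mfa_only": [p["displayName"] for p in legacy],
            "excluded_users": excluded,
            "status": "OK" if enforced else "GAP",
        }
    return report


if __name__ == "__main__":
    for role, result in audit(SAMPLE_POLICIES).items():
        print(f"{role}: {result['status']}  enforced={result['enforced']}  "
              f"report_only={result['report_only']}  legacy_mfa_only={result['legacy_mfa_only']}")
```

Report-only and legacy-MFA policies are listed separately on purpose: both show up in the portal as "covered", and both are exactly the kind of default-looking configuration that a stolen password plus a push-fatigue prompt walks straight through.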
This assumption, that the tools designed to protect you do not themselves need protection, is the recurring vulnerability that runs through the entire history of wiper attacks. Stuxnet exploited trusted Siemens controllers. NotPetya exploited a trusted software update. The Stryker attack exploited a trusted endpoint manager.
The attackers are not breaking through walls. They are becoming the walls.
For the healthcare sector, the implications are particularly serious. Medical device companies like Stryker maintain data related to surgical equipment, patient outcomes, regulatory compliance, and device safety records. The permanent destruction of this data does not just cause financial damage. It can affect patient safety.
The Stryker attack did not involve ransomware demands. The attackers did not ask for money. They came to destroy. That means the motive was strategic, not financial. Iran has used wiper malware as a tool of geopolitical pressure for over a decade. The Stryker attack fits the pattern.
The lesson is not new, but it bears repeating: the most dangerous cyberattacks do not come from outside your network. They come through the tools you trust most. The update mechanism. The management platform. The security software itself.
The question every organization should be asking after Stryker is not "Are we protected from hackers?" It is "Are we protected from our own tools?"
The answer, for most organizations, is no.
(Sources: CISA Advisory on Microsoft Intune Hardening, Cybersecurity News, Red Hat Security Blog, SharkStriker March 2026 Breach Report, Wired, Kim Zetter's "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon," Andy Greenberg's "Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers")