Swarm Intelligence: Stryker’s Intune wipe proves your BCDR plan has a single point of failure

Your IT team uses Intune to manage devices. So did the attacker who wiped Stryker’s hospital infrastructure.

No malware. No ransomware. No exploit chain. Just one compromised Global Admin account and the same management console your team logged into this morning. The attacker pushed a factory reset to every managed device in the estate. The tool designed to protect the fleet destroyed it.

This is what happens when the management plane becomes the weapon.

What the attacker did

This was a two-team operation. Research from Tenable and Symantec confirms a playbook that Iranian state groups have refined across multiple campaigns.

MuddyWater, also tracked as Seedworm, handled initial access. The group spent weeks inside US and Israeli infrastructure. They deployed a previously undocumented backdoor called Dindoor. They planted a Python implant called Fakeset. Symantec found them inside a US bank, an airport operator, and a defense contractor.

They were not there to destroy anything. They were building access.

Then the handoff. A separate group called Handala took that access and used it for destruction. Check Point tracks this group as Void Manticore. At Stryker, they targeted Intune’s remote wipe capability.

The attacker did not need to touch a single endpoint. No lateral movement. No payload delivery. The trust relationship between the management plane and the devices it controls did the work.

Why it matters

Most organizations treat their management plane as trusted infrastructure. It sits behind MFA. It is operated by senior IT staff. It rarely appears in test scopes.

But a compromised Global Admin account does not just manage devices. It owns them. Remote wipe. Policy push. Conditional access changes. Certificate deployment. Every capability that makes Intune useful in defense makes it devastating in attack.

The deeper problem is dependency. Identity, device management, backup orchestration, and internal communications often flow through the same cloud tenancy. One compromised admin account can disable all four.

Your BCDR plan assumes backup systems are independent. If they are not, the plan has a single point of failure. An attacker can reach it from one credential.

This is the kind of access that sits dormant for weeks. A test that runs for five days will never find it. A test that never touches identity infrastructure will never look.

What to do about it

Create a break-glass Global Admin account on a separate, non-federated identity. Store its credentials offline. Test it quarterly. This account must survive a full tenancy compromise.

Separate your backup infrastructure from your primary identity provider. If your backups authenticate through the same tenancy an attacker controls, they are not backups. They are another target.

Enforce phishing-resistant MFA on every Global Admin account. Hardware tokens only. No SMS. No app-based fallback.

Build an out-of-band communication channel that does not depend on Microsoft 365. If Teams goes down with the tenancy, your incident response coordination goes with it.

Audit Intune’s remote wipe permissions. Restrict wipe commands to named accounts with separate approval workflows. Alert on any bulk wipe.
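One way to turn the last two controls into a detection, as an added example that is not part of the original post: the script below runs over constructed records shaped like Microsoft Graph `deviceManagement/auditEvents` entries (the field names `actor.userPrincipalName`, `activityType` and `activityDateTime` are assumed, the account names and the wipe activity string are invented) and raises an alert when a wipe comes from an account outside the named allowlist or when one actor issues a burst of wipes inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Accounts approved to issue wipe commands (constructed placeholder names).
APPROVED_WIPE_ACCOUNTS = {"wipe-operator@example.com"}
BULK_THRESHOLD = 5            # wipes by one actor inside WINDOW that count as bulk
WINDOW = timedelta(minutes=10)

# Constructed sample records modelled on the Graph auditEvent resource.
# Field names are assumed; every value is invented for this example.
SAMPLE_EVENTS = (
    [{"actor": {"userPrincipalName": "wipe-operator@example.com"},
      "activityType": "wipeManagedDevice",
      "activityDateTime": "2025-01-10T09:00:00Z"}]
    + [{"actor": {"userPrincipalName": "ga-admin@example.com"},
        "activityType": "wipeManagedDevice",
        "activityDateTime": f"2025-01-10T21:{i:02d}:00Z"} for i in range(8)]
    + [{"actor": {"userPrincipalName": "ga-admin@example.com"},
        "activityType": "createDeviceConfiguration",
        "activityDateTime": "2025-01-10T21:09:00Z"}]
)


def parse_ts(value):
    # Graph timestamps end in "Z"; older fromisoformat() only accepts "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_wipe_alerts(events, approved=APPROVED_WIPE_ACCOUNTS,
                       threshold=BULK_THRESHOLD, window=WINDOW):
    """Return sorted (alert_type, actor) pairs.

    unapproved_actor: a wipe issued by an account outside the named allowlist.
    bulk_wipe: one actor issuing >= threshold wipes inside a sliding window.
    """
    alerts = set()
    wipes_by_actor = defaultdict(list)
    for ev in events:
        if "wipe" not in ev.get("activityType", "").lower():
            continue                      # only wipe activity is of interest here
        actor = ev["actor"]["userPrincipalName"]
        if actor not in approved:
            alerts.add(("unapproved_actor", actor))
        wipes_by_actor[actor].append(parse_ts(ev["activityDateTime"]))
    for actor, times in wipes_by_actor.items():
        times.sort()
        start = 0                         # left edge of the sliding window
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.add(("bulk_wipe", actor))
                break
    return sorted(alerts)
```

In practice the same logic belongs in the SIEM that ingests the Intune audit log, with the allowlist tied to the approval workflow rather than hard-coded.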

Have the Swarm replicate this attack against you.

Sources

Dark Reading: Why Stryker’s Outage Is a Disaster Recovery Wake-Up Call
Tenable: Cyber Retaliation — Analyzing Iranian Cyber Activity Following Operation Epic Fury
Symantec Threat Hunter Team: Seedworm APT Group Activity Following U.S. and Israeli Military Strikes on Iran
