
Cisa tells US organisations to harden endpoint management after Stryker attack

Last week’s cyber attack by Iranian hacktivists on the systems of a US medical services company has prompted an alert from Cisa, urging organisations to reinforce their defensive posture

In the wake of a wave of cyber attacks over the past week, including an ongoing incident at medical technology firm Stryker, the US Cybersecurity and Infrastructure Security Agency (Cisa) has urged organisations to immediately harden their endpoint management system configurations against intrusion by Iran-linked threat actors and others.

The 11 March incident at Michigan-based Stryker targeted its Microsoft Intune endpoint management systems, and saw Microsoft devices wiped and data stolen, resulting in widespread disruption and, in some cases, knock-on effects for frontline healthcare services.

It was swiftly claimed by the Iranian hacktivist Handala operation as retaliation for the continued Israeli-US war on Iran.

Since then, Cisa said it has been working closely with its US partners, including the FBI, to identify further threats and risks to organisations.

“To defend against similar malicious activity that misuses legitimate endpoint management software, Cisa urges organisations to implement Microsoft’s newly released best practices for securing Microsoft Intune,” said Cisa in a statement.

“The principles of these recommendations can be applied to Intune and more broadly to other endpoint management software,” the agency added.

Organisations are advised to use Intune’s role-based access control features to enforce principles of least privilege, giving users the minimum permissions necessary to complete their day-to-day tasks; to rigorously enforce phishing-resistant multi-factor authentication and privileged access hygiene with Microsoft Entra; and to reconfigure Intune access policies to require the approval of multiple administrators for sensitive or high-impact actions.

Global peers

Keven Knight, CEO of Talion, said that Cisa’s guidance was equally applicable to organisations outside the US, and that he anticipated similar alerts from Cisa’s global peers; the UK’s National Cyber Security Centre (NCSC) has already published a wider cyber alert concerning the Iran war.

“What made the Stryker attack so damaging is that it wasn’t executed for money, its motivation was pure destruction, and unlike typical ransomware attacks, there was no option to pay the attackers and get the data back,” he said. “If backups were not in place, it essentially means game over and rebuilding everything from scratch.

“It’s safe to say that given the current geopolitical climate, these types of destructive attacks are going to be happening more frequently. Hardening endpoints, applying least privileged access, running frequent backups and having well-rehearsed incident response plans in place are all essential steps.

“These attacks are executed to inflict harm to countries and it’s vital organisations are prepared,” said Knight.

Tip of the iceberg

The attack on Stryker has been the most high-profile cyber incident of Iran’s retaliatory cyber war against the US, which attacked the oil-rich state just two days after talks over its nuclear programme edged closer to a landmark deal. According to observers, however, it may be the tip of a much larger iceberg.

Michael Smith, field chief technology officer at DigiCert, said he had tracked almost 4,500 total threats from 43 active groups, with the most prolific threat actors in the region launching hundreds of attacks each in the past few weeks. He said that by and large, these cyber attacks are designed to be intimidating rather than destructive.

“There are a lot more attacks happening that aren’t being reported,” said Smith. “We’ve seen lots of DDoS attacks against our customers that we’ve mitigated without causing an outage. We also monitor hacktivist chatter for indications and warnings, and that has been incredibly active.

“Attacks like this are a way of telling people in other countries that you can still reach out and touch them even though they’re on a different continent. That makes them more of an intimidation tactic.”

Kathryn Raines, Cyber Threat Intelligence team lead for the National Security Solutions team at Flashpoint, added: “Cyber activity tied to this conflict is becoming more focused on disruptive operations against organisations.

“Groups like Handala are amplifying claims of large-scale attacks, including data destruction and the exposure of sensitive information tied to both private companies and individuals. Even when some of these claims are difficult to verify, they still contribute to uncertainty and can have real downstream impact on trust, operations and response efforts.”

Timeline: Cyber and tech in the Iran war

2 March:

  • Iran-linked hackers raise threat level against the US and allies as researchers warn that hacktivists and state-linked groups are using DDoS, phishing and other tactics against critical infrastructure. (Cybersecurity Dive)

3 March:

  • While cyber threat levels remain stable following the outbreak of war in the Middle East, at-risk organisations in the UK should take steps to ward off potential reprisals from Iran-linked threat actors, says the NCSC.
  • From AWS outages in the UAE to stronger focus on data control and cyber security, tech leaders say the Israel-US-Iran conflict is challenging, but not stopping the region’s digital goals.
  • Iran and its supporters have taken to cyber space to retaliate for US-Israeli military action, with an aim to cause economic and physical disruption. (Dark Reading)
  • Pro-Russia actors team with Iran-linked hackers in attacks, forming a loose alliance to target CNI. (Cybersecurity Dive)

4 March:

  • Iran-nexus hackers are targeting flaws in IP cameras, echoing prior exploitation during Israel’s war on Hamas. (Cybersecurity Dive)
  • Hacktivist activity surrounding the Iran war is sky-high, but Iran’s state-backed cyber espionage actors have yet to show their hands, giving security teams a valuable window of time to shore up their defences.

6 March:

  • Iran has been hacking IP cameras to plan missile strikes against its enemies, and mounting other attacks on physical assets, showing how cyber and kinetic warfare are fast becoming one and the same. (Dark Reading)

9 March:

  • Major gatherings, including Leap and Gisec Global, remain scheduled, but travel disruptions and geopolitical tensions are adding uncertainty.
  • Researchers found backdoors installed on US company networks in the weeks prior to the US and Israeli bombing campaign. (Cybersecurity Dive)

10 March:

11 March:

  • As regional uncertainty rises, security leaders across the Gulf focus on resilience, faster incident response and deeper threat intelligence to protect critical systems and data.
  • Datacentres used by both governments and militaries for operations are now fair game, not just for cyber attacks, but for kinetic attacks as well. (Dark Reading)
  • State-backed cyber threat actors from non-combatant states are taking advantage of the Israeli-US war on Iran to fulfil their own goals, according to Proofpoint analysts.
  • The full scope of the impact of a cyber attack on medical equipment firm Stryker, including operational and financial effects, remains unclear. (Cybersecurity Dive)

12 March:

13 March:

16 March:

18 March:
