Faithful Execution: Lessons from the Stryker Incident

Source: ChatGPT

In mid-March, Stryker, a major medical technology company, experienced a significant cyber disruption. A group calling itself Handala claimed responsibility, describing a large-scale wipe of devices and internal systems.

As with many early-stage incidents, the details are still emerging. Stryker has confirmed a global disruption to its internal Microsoft environment and the absence of ransomware or traditional malware. Reporting points to large-scale device impact, potentially involving enterprise management tooling, but the exact mechanism, scope, and timeline have not yet been fully verified.

Even with that uncertainty, the shape of the event is worth paying attention to.

In most discussions of cyberattacks, we focus on how attackers get in. Phishing emails. Exploited vulnerabilities. Malware moving from system to system.

That story matters. But this one is about something else. It’s about control.

Some reporting suggests the disruption may have involved enterprise device management tooling, potentially Microsoft Intune, used to issue commands across large numbers of systems at once.

If that holds, the attacker didn't need to spread malicious code across the environment. They may have used the same mechanisms the organization relies on every day to manage its own devices.

Every modern organization relies on systems that manage end-user devices. They push updates, enforce policies, reset credentials, and, when needed, remotely wipe devices. These systems sit above the day-to-day environment and coordinate how everything behaves. In technical terms, this is called the control plane.

You don't need the term to understand the risk. It's simply the set of tools that can issue trusted commands at scale. And if those tools are misused, the systems below them will comply.

Attackers have used legitimate management platforms to issue commands and wipe devices for years. What’s changed is how much leverage these systems now have. They’re centralized, cloud-managed, and deeply integrated into identity. A single administrative pathway can reach thousands of devices in seconds.

That changes the math.

The disruption didn’t depend on moving through the network step by step. It came from issuing trusted commands. When the attack surface is the management layer itself, detection gets harder. Malicious activity looks legitimate because it is. What matters is who is issuing commands and whether they can be trusted.

For years, security programs have focused on endpoints, networks, and applications. We measure patching, monitor for malware, and segment environments to slow down attackers. Those controls still matter. But they assume the attacker is operating within the system.

Control-plane compromise flips that assumption. It places the attacker above the system, using trusted mechanisms to direct it. At that point, many of the usual signals disappear. Systems behave exactly as instructed. They're just following the wrong instructions.
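If the only durable signal is who issued the command, and at what rate, then one practical defensive check is to watch the management layer's own audit trail for bursts of destructive actions. Below is an added example (not code from the original post and not any vendor's tooling) that applies that idea to device-management audit records: it groups wipe-class actions by actor, finds the densest cluster within a time window, and flags any actor whose cluster reaches a threshold, noting whether that actor was even expected to hold wipe authority. The record layout (`ts`, `actor`, `action`, `device`), the action names, the approved-actor list and all sample records are constructed assumptions for illustration; a real deployment would map them onto the platform's actual audit export.

```python
"""Burst detection for destructive device-management commands.

Added example, not from the original post. Field names, action names and
the sample records are constructed; they are not any vendor's real schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Actions that alter or destroy device state, as opposed to reads or syncs.
DESTRUCTIVE_ACTIONS = {"wipe", "retire", "autopilot_reset"}

# Accounts expected to issue destructive commands (assumed for this example).
APPROVED_WIPE_ACTORS = {"mdm-admin@example.com"}

# Constructed sample audit records, deliberately not in time order.
SAMPLE_AUDIT = [
    {"ts": "2026-03-14T09:15:00Z", "actor": "mdm-admin@example.com",    "action": "wipe", "device": "LT-0001"},
    {"ts": "2026-03-14T02:00:14Z", "actor": "svc-helpdesk@example.com", "action": "wipe", "device": "LT-0414"},
    {"ts": "2026-03-14T02:00:05Z", "actor": "svc-helpdesk@example.com", "action": "wipe", "device": "LT-0412"},
    {"ts": "2026-03-14T08:30:00Z", "actor": "jdoe@example.com",         "action": "sync", "device": "LT-0200"},
    {"ts": "2026-03-14T02:00:09Z", "actor": "svc-helpdesk@example.com", "action": "wipe", "device": "LT-0413"},
    {"ts": "2026-03-14T02:00:20Z", "actor": "svc-helpdesk@example.com", "action": "wipe", "device": "LT-0415"},
    {"ts": "2026-03-14T15:40:00Z", "actor": "mdm-admin@example.com",    "action": "wipe", "device": "LT-0077"},
    {"ts": "2026-03-14T02:00:27Z", "actor": "svc-helpdesk@example.com", "action": "wipe", "device": "LT-0416"},
    {"ts": "2026-03-14T10:05:00Z", "actor": "jdoe@example.com",         "action": "sync", "device": "LT-0201"},
    {"ts": "2026-03-14T02:01:02Z", "actor": "svc-helpdesk@example.com", "action": "wipe", "device": "LT-0417"},
]


def _parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp, accepting the trailing 'Z' many exporters emit."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_wipe_bursts(records, window=timedelta(minutes=10), threshold=5):
    """Return one finding per actor whose destructive actions, within any span
    of `window`, number at least `threshold`. Input order is not assumed."""
    by_actor = defaultdict(list)
    for rec in records:
        if rec["action"] in DESTRUCTIVE_ACTIONS:
            by_actor[rec["actor"]].append((_parse_ts(rec["ts"]), rec["device"]))

    findings = []
    for actor, events in by_actor.items():
        events.sort()  # chronological, so a sliding window is valid
        best = None    # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(events)):
            # Shrink the window from the left until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        if best and best[0] >= threshold:
            burst = events[best[1]:best[2] + 1]
            findings.append({
                "actor": actor,
                "count": best[0],
                "devices": sorted({device for _, device in burst}),
                "first_seen": burst[0][0].isoformat(),
                "last_seen": burst[-1][0].isoformat(),
                # Authority held by an unexpected account is its own signal.
                "approved_actor": actor in APPROVED_WIPE_ACTORS,
            })
    # Largest bursts first.
    return sorted(findings, key=lambda f: -f["count"])


if __name__ == "__main__":
    for finding in detect_wipe_bursts(SAMPLE_AUDIT):
        print(finding)
```

On the constructed data the helpdesk service account's six wipes inside one minute are reported as a single burst from an account not on the approved list, while the administrator's two wipes hours apart are not, which is the distinction the essay draws: the individual commands are indistinguishable from routine operations, so the rate, the actor and the actor's expected authority carry the detection.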

It's too early to draw firm conclusions from the Stryker incident. The technical picture may turn out to be more complicated. But the underlying pattern is not speculative. We have built environments where a small number of systems hold the authority to act at scale. That authority is what makes modern operations possible. It is also what makes certain failures immediate and hard to contain.

The abuse of trust is the part that resists design. The commands that wiped those devices weren't anomalies. They were instructions that the system recognized, validated, and carried out. The environment did what it was built to do.

The hard part isn't that the system failed. It's that it didn't.
