Stryker Was Wiped Through Its Own Infrastructure
On March 11, 2026, an Iran-linked group used Stryker's own Microsoft Intune admin console to remotely wipe tens of thousands of devices across 79 countries using a single compromised credential — no malware, no exploit. The attack succeeded because Stryker's infrastructure could not distinguish a legitimate admin session from an attacker replaying valid credentials. Key failures included no MFA on the admin account, weak/unrotated passwords, no multi-admin approval in Intune, and no hardware-bound device verification. The post argues that hardware-bound device attestation (via TPM/Secure Enclave) is the missing layer beneath MFA and PAM — cryptographically proving a privileged session originates from a specific enrolled device, not just that someone holds valid credentials. Smallstep's ACME Device Attestation product is presented as a solution to this specific gap, deployable starting with admin console access.
Table of contents
How Smallstep Eliminates This Attack Path
Deployment Summary
What This Does Not Fix
What Happened
The Operational Impact
The Architectural Flaw
Why MFA and Conditional Access Did Not Stop This
Where This Exists in Your Environment Today
The Nation-State Reality
Why Customers Choose Smallstep for This Exact Problem