A website connected to the Handala hacking group was taken down by federal authorities this week.

FBI, CISA warn on Microsoft Intune risks after Iran-linked cyberattack on Stryker

Federal cybersecurity agencies urged organizations to better protect their deployment of a crucial Microsoft tool designed to manage all of the devices within a company’s network following an alleged Iran-connected cyberattack on a Michigan medical device company. 

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on Wednesday night confirming their involvement in the response to the recent attack on Stryker — a large healthcare technology firm that has struggled for more than a week to recover from an attack where more than 200,000 company devices were wiped clean. 

The attackers did not use malware, instead breaking into a legitimate Microsoft device management system called Intune and wiping the company’s data that way. CISA urged companies that use Intune to follow Microsoft’s newly released best practices and to “harden endpoint management system configurations.”

The advisories say Intune customers should use role-based access controls to assign each role the minimum permissions necessary for day-to-day operations. All accounts should have multi-factor authentication, enforced through Microsoft Entra ID, to “block unauthorized access to privileged actions in Microsoft Intune.”

“Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping),” CISA said. 

CISA provided links to several other Microsoft documents about security features that can be added to protect Intune. 
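One defensive check that follows from the advisory's focus on wipe actions, added here as an example and not code from the article, CISA or Microsoft: a Python routine that scans Intune audit-log records and flags any account issuing many wipes in a short window, the pattern a bulk wipe leaves behind. The record shape follows Microsoft Graph's deviceManagement/auditEvents entries (activityType, actor.userPrincipalName, resources); the sample records are constructed, and matching wipes by the word "wipe" in activityType is an assumption about the log's naming.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _event(actor, activity_type, minute, device):
    """Build one constructed audit record shaped like a Microsoft Graph
    deviceManagement/auditEvents entry (only the fields this check reads)."""
    ts = datetime(2026, 3, 1, 9, minute, tzinfo=timezone.utc)
    return {
        "activityType": activity_type,
        "activityDateTime": ts.isoformat().replace("+00:00", "Z"),
        "actor": {"userPrincipalName": actor},
        "resources": [{"displayName": device}],
    }


# Constructed sample log: one account wipes six devices in six minutes, another
# wipes two devices 54 minutes apart, plus a routine sync that must not count.
SAMPLE_EVENTS = (
    [_event("svc-helpdesk@example.com", "wipe ManagedDevice", 10 + i, f"LAPTOP-{i:03d}")
     for i in range(6)]
    + [_event("ops-admin@example.com", "wipe ManagedDevice", 5, "TABLET-001"),
       _event("ops-admin@example.com", "syncDevice ManagedDevice", 20, "TABLET-002"),
       _event("ops-admin@example.com", "wipe ManagedDevice", 59, "TABLET-003")]
)


def find_bulk_wipes(events, threshold=5, window_minutes=30):
    """Return {actor: [devices]} for every actor that issued at least
    `threshold` wipe actions inside some sliding window of `window_minutes`.
    Matching on the word "wipe" in activityType is an assumption."""
    window = timedelta(minutes=window_minutes)
    per_actor = defaultdict(list)
    for ev in events:
        if "wipe" not in ev.get("activityType", "").lower():
            continue
        when = datetime.fromisoformat(ev["activityDateTime"].replace("Z", "+00:00"))
        actor = ev.get("actor", {}).get("userPrincipalName", "<unknown>")
        device = (ev.get("resources") or [{}])[0].get("displayName", "<unknown>")
        per_actor[actor].append((when, device))

    alerts = {}
    for actor, wipes in per_actor.items():
        wipes.sort()
        start, best = 0, None
        for end in range(len(wipes)):
            # Slide the window start forward until the span fits within the limit.
            while wipes[end][0] - wipes[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)  # keep the largest burst seen
        if best:
            alerts[actor] = [d for _, d in wipes[best[1]:best[2] + 1]]
    return alerts
```

A threshold of five in 30 minutes is a starting point; tune it to how many wipes a help desk legitimately issues in that time.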

The hacking group behind the Stryker attack — named Handala — wiped thousands of devices, leaving company employees locked out of critical systems and struggling to continue working at factories across the U.S., Ireland, India and other countries. Some employees took to social media to complain that they had Intune installed on personal devices, meaning even their own non-company data had been wiped. 

CISA said it is “conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions.”

A website connected to the Handala group was taken down by federal authorities this week. The FBI put a banner on the group’s website that said the FBI filed a seizure warrant after determining the website "was used to conduct, facilitate, or support malicious cyber activities on behalf of, or in coordination with, a foreign state actor." 

"These activities may include unauthorized network intrusions, infrastructure targeting or other violations of U.S. law," the FBI wrote. The banner adds that the U.S. took over the website "to disrupt ongoing malicious cyber operations and prevent further exploitation." 

The action comes after Israeli officials claimed that several of the Iranian leaders behind Handala were recently killed in airstrikes.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.