A recent cyberattack on medical technology company Stryker is drawing attention across industries. The breach did not involve a new vulnerability or sophisticated malware; it happened because attackers used a trusted management system to cause widespread disruption.
For PMMI members, this incident is worth understanding. Many organizations rely on similar tools to manage computers, workstations, mobile devices, and users, and the lessons here apply broadly across manufacturing, packaging, and supply chain environments.
What happened?
According to public reporting and CISA guidance, attackers gained access to Stryker’s environment and leveraged Microsoft Intune, a widely used endpoint management platform.
Once inside, they were able to:
- Compromise an administrative account
- Escalate privileges by modifying administrative access
- Use Intune’s built-in capabilities to remotely wipe large numbers of devices
- Potentially access or exfiltrate sensitive data beforehand
Most importantly, the attackers didn’t need to deploy malware or exploit a software vulnerability. They used legitimate administrative tools to carry out the attack.
Why is this attack different?
This incident highlights a growing shift in cyberattacks: rather than breaking systems, attackers are increasingly abusing trusted platforms once they gain access.
Endpoint management tools like Microsoft Intune are designed to:
- Deploy software
- Enforce policies
- Monitor device health
- Reset or wipe devices
Those same capabilities, in the wrong hands, can be used to disrupt operations at scale, which is exactly what happened. For organizations managing fleets of workstations, laptops, mobile devices, or remote endpoints, these platforms serve as a powerful yet potentially risky control layer.
Why it matters for packaging and processing
Many companies in the packaging and processing industry use tools like Intune, ServiceNow, Workspace ONE, or other device management platforms to support their remote and hybrid workforces, field service teams, plant floor systems connected to corporate networks, and BYOD (bring-your-own-device) environments.
If compromised, these systems could:
- Disrupt operations by wiping or locking devices
- Push unauthorized configurations
- Impact production, logistics, and customer-facing systems
This makes endpoint management platforms a critical part of your security architecture, not just a convenience.
How to reduce risk
The Stryker incident reinforces several foundational security practices that every organization should revisit:
- Limit Administrative Access - Review who has administrative privileges in your endpoint management and identity platforms. Apply the rule of least privilege and remove access that is no longer needed.
- Require Strong Authentication - Ensure multifactor authentication (MFA) is enforced for all administrative/privileged accounts, and consider stronger, phishing-resistant methods where possible.
- Introduce Safeguards for High-Risk Actions - Actions like device wipes, major policy changes, or role assignments should not rely on a single account. Where possible, implement approval workflows or additional controls.
- Audit and Monitor Activity - Regularly review logs and alerts for unusual administrative behavior, such as new account creation, privilege escalation, or bulk device actions. Where possible, set up alerts on privilege escalation and bulk actions so that unauthorized changes are caught quickly.
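To make the last practice concrete, here is an added example (not code from the article, from Stryker, or from Microsoft) of the kind of detection logic a team could run over endpoint-management audit events. It flags the three behaviors named above: a new account being created and then granted a role, membership added to a privileged role, and bulk wipe/retire actions by one actor in a short window. The JSON-lines format, the field names, the role names, the thresholds, and the sample log are all constructed for this example and are not Intune's real audit schema; adapt the parser to the export format your platform actually produces.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them to your fleet size
# and to how your administrators normally work.
BULK_THRESHOLD = 5                     # wipe/retire actions by one actor...
BULK_WINDOW = timedelta(minutes=10)    # ...within this window
NEW_ACCOUNT_WINDOW = timedelta(hours=24)
PRIVILEGED_ROLES = {"Global Administrator", "Intune Administrator"}
DEVICE_ACTIONS = {"wipe", "retire"}

# Constructed sample audit log (JSON lines). Field names are this example's
# own invention, not Intune's schema.
SAMPLE_LOG = [
    '{"ts": "2026-01-15T02:01:00", "actor": "helpdesk@example.com", "action": "addUser", "target": "svc-ops@example.com"}',
    '{"ts": "2026-01-15T02:03:00", "actor": "helpdesk@example.com", "action": "addRoleMember", "target": "svc-ops@example.com", "role": "Intune Administrator"}',
    '{"ts": "2026-01-15T02:10:00", "actor": "svc-ops@example.com", "action": "wipe", "target": "DEV-0001"}',
    '{"ts": "2026-01-15T02:10:30", "actor": "svc-ops@example.com", "action": "wipe", "target": "DEV-0002"}',
    '{"ts": "2026-01-15T02:11:00", "actor": "svc-ops@example.com", "action": "wipe", "target": "DEV-0003"}',
    '{"ts": "2026-01-15T02:11:30", "actor": "svc-ops@example.com", "action": "wipe", "target": "DEV-0004"}',
    '{"ts": "2026-01-15T02:12:00", "actor": "svc-ops@example.com", "action": "wipe", "target": "DEV-0005"}',
    '{"ts": "2026-01-15T02:12:30", "actor": "svc-ops@example.com", "action": "wipe", "target": "DEV-0006"}',
    '{"ts": "2026-01-15T09:00:00", "actor": "it-admin@example.com", "action": "wipe", "target": "DEV-0099"}',
]


def parse_events(lines):
    """Parse JSON lines into event dicts with a datetime timestamp, oldest first."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (rule, actor, detail) findings for the behaviors the article names."""
    findings = []
    created = {}                        # account -> creation time
    device_actions = defaultdict(list)  # actor -> timestamps of wipe/retire

    for ev in events:
        action = ev["action"]
        if action == "addUser":
            created[ev["target"]] = ev["ts"]
        elif action == "addRoleMember":
            role = ev.get("role", "")
            # Rule 1: anyone being added to a privileged role is worth an alert.
            if role in PRIVILEGED_ROLES:
                findings.append(("privilege_escalation", ev["actor"],
                                 f"{ev['target']} added to {role}"))
            # Rule 2: an account created and then given a role soon afterwards.
            born = created.get(ev["target"])
            if born is not None and ev["ts"] - born <= NEW_ACCOUNT_WINDOW:
                findings.append(("new_account_given_role", ev["actor"],
                                 f"{ev['target']} created and given {role} "
                                 f"within {NEW_ACCOUNT_WINDOW}"))
        elif action in DEVICE_ACTIONS:
            device_actions[ev["actor"]].append(ev["ts"])

    # Rule 3: sliding window over each actor's device actions; one lone wipe
    # by an admin is normal, five in ten minutes is not.
    for actor, stamps in device_actions.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > BULK_WINDOW:
                start += 1
            count = end - start + 1
            if count >= BULK_THRESHOLD:
                findings.append(("bulk_device_action", actor,
                                 f"{count} wipe/retire actions within {BULK_WINDOW}"))
                break  # one finding per actor is enough to raise the alert
    return findings


if __name__ == "__main__":
    for rule, actor, detail in detect(parse_events(SAMPLE_LOG)):
        print(f"[{rule}] {actor}: {detail}")
```

Run against the constructed log, the detector raises three findings: the help-desk account adding a freshly created account to a privileged role (two rules fire on the same event), and that new account wiping five devices inside ten minutes; the single wipe by the regular administrator later that morning produces nothing. The same three rules are also a useful starting point for the "approval workflow" safeguard above, since the events they match are exactly the ones that should not complete on a single account's say-so.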
The bigger lesson
The Stryker attack is not just about one company or one tool; it reflects the broader reality that the greatest risk is often not a technical vulnerability but what attackers can do once they gain access. By focusing on access control, visibility, and governance of powerful systems like endpoint management platforms, organizations can significantly reduce the likelihood and impact of this type of attack.
For PMMI members, this is a good moment to pause and ask your IT departments a few practical questions:
- Who has administrative access to our endpoint management tools and cloud platforms?
- Are high-risk actions controlled and monitored?
- Could a single compromised account impact our entire device fleet the way Stryker’s did?
If the answers are unclear, that’s a strong signal to take a closer look.