Defensive Security Digest

Stryker 2026 Global Wiper Attack — IR & Detection Lessons

Key Questions

What was the Stryker 2026 Global Wiper Attack?

The Stryker 2026 Global Wiper Attack, starting March 14, 2026, involved a destructive wiper that affected 80,000 Entra/Intune devices and OT systems, as reported by Sygnia. It highlighted risks from Azure misconfigurations, including least-privilege failures in Azure OpenAI where broad Owner/Contributor roles had been granted. Microsoft and CISA issued guidance on response and mitigation.

What OT hardening measures are recommended post-attack?

Recommendations include using data diodes, content disarm and reconstruction (CDR), and USB kiosks for secure OT file transfers. These measures address vulnerabilities exposed in the attack, particularly in OT/IT overlap areas. VLAN failures in Iranian IoT camera hacks (Hikvision/Dahua CVEs) underscore the need for network segmentation.

How did attackers evade detection in OT/IT environments?

Attackers used pythonw.exe on HMIs to evade EDR, exploiting the OT/IT overlap created by the convergence of analytics, asset management, and IT automation. Related discussions on organizational security posture shifts detail this challenge. Active hunts focus on SIEM/EDR mass-delete events and Entra/OT/Azure/OpenAI indicators.

What are key Azure OpenAI security best practices from the incident?

Implement least-privilege access, avoiding broad Owner/Contributor roles in Azure OpenAI, to prevent the misconfigurations exploited in the attack. Related guidance emphasizes securing these services as organizations integrate them into core operations. Misconfigurations were a noted risk factor in the wiper campaign.

What incident response actions are advised after the attack?

Conduct SIEM/EDR hunts for mass-delete events and Entra/OT/Azure/OpenAI indicators; deploy SOAR runbooks, run tabletops, and use Autopsy for forensic analysis. Use EDR for ransomware containment and define clear IR team roles and escalation paths. Lessons from the Iranian IoT hack reinforce the need for proactive IoT device security.
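The two hunts named above (mass-delete bursts in Entra/Intune audit data, and pythonw.exe launched from an HMI process) as an added example; this is illustrative code, not from the digest or any of its sources. The audit and process records are constructed samples with simplified field names, and the HMI image names in HMI_PARENTS are hypothetical placeholders to be replaced with the site's actual HMI runtime binaries.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Device actions treated as destructive for the mass-delete hunt (constructed names).
DESTRUCTIVE_ACTIONS = {"wipeManagedDevice", "deleteDevice", "retireDevice"}
# Hypothetical HMI runtime image names; replace with the real ones for your plant.
HMI_PARENTS = {"hmiruntime.exe", "scadaview.exe"}

def find_mass_delete_bursts(events, window_minutes=10, threshold=5):
    """Return {actor: peak_count} for actors whose destructive actions within
    any sliding window of window_minutes reach the threshold."""
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE_ACTIONS:
            per_actor[e["actor"]].append(datetime.fromisoformat(e["ts"]))
    window = timedelta(minutes=window_minutes)
    hits = {}
    for actor, times in per_actor.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[actor] = best
    return hits

def find_hmi_pythonw(proc_events):
    """Return hosts where pythonw.exe was spawned by an HMI runtime process."""
    return sorted({p["host"] for p in proc_events
                   if p["image"].lower() == "pythonw.exe"
                   and p["parent"].lower() in HMI_PARENTS})

# Constructed sample data: one service account wiping six devices in six seconds,
# one helpdesk user doing a single legitimate wipe, and three process-creation events.
AUDIT = [{"ts": f"2026-03-14T02:00:{i:02d}", "actor": "svc-automation",
          "action": "wipeManagedDevice", "device": f"DEV-{i:04d}"} for i in range(6)] + [
    {"ts": "2026-03-14T09:15:00", "actor": "helpdesk-1", "action": "wipeManagedDevice", "device": "DEV-9001"},
    {"ts": "2026-03-14T09:16:00", "actor": "helpdesk-1", "action": "updateDevice", "device": "DEV-9002"},
]
PROCS = [
    {"host": "HMI-PLANT-01", "image": "pythonw.exe", "parent": "HMIRuntime.exe"},
    {"host": "ENG-WS-07", "image": "pythonw.exe", "parent": "explorer.exe"},
    {"host": "HMI-PLANT-02", "image": "notepad.exe", "parent": "HMIRuntime.exe"},
]

if __name__ == "__main__":
    print(find_mass_delete_bursts(AUDIT))  # {'svc-automation': 6}
    print(find_hmi_pythonw(PROCS))         # ['HMI-PLANT-01']
```

Tune the window and threshold to the tenant's normal retire/wipe rate so that routine helpdesk activity does not trip the burst rule.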

Ongoing destructive wiper (2026-03-14; Sygnia reports 80k Entra/Intune device wipes and OT impact); Microsoft and CISA guidance; Azure misconfigurations, including least-privilege risks from Owner/Contributor roles on Azure OpenAI; OT file transfer hardening (data diodes, CDR, USB kiosks); Iranian IoT camera hack (Hikvision/Dahua CVEs, VLAN failures); pythonw.exe EDR evasion on HMIs at the OT/IT overlap. Active: SIEM/EDR hunts for mass-delete and Entra/OT/Azure/OpenAI indicators, SOAR runbooks and tabletops, Autopsy; EDR ransomware containment; IR team roles and escalation.

Updated Apr 8, 2026