Book a Demo

Legitimate by Design: The Cyberattack That Looks Like Normal Business

cropped-avatar-fallback.jpg

Cyngular Research Team

  • 7 min read
In March 2026, Stryker, a major U.S. medical technology company, experienced a destructive cyberattack attributed to an Iran-linked group operating under the "Handala" persona. While public details are still emerging, enough technical signals point to a clear conclusion: this was not a traditional malware-driven attack, but an abuse of identity and cloud management systems to execute destructive actions at scale.This distinction matters. If defenders continue to anchor on ransomware and endpoint compromise, they will miss how attacks are actually evolving. 

A Control-Plane Attack

Early reporting indicates that attackers likely compromised privileged identities, gained access to Microsoft Intune and cloud administration capabilities, and issued legitimate remote commands to managed endpoints. A non-propagating malicious file was discovered, but it appears to have been used only for execution and evasion rather than as the primary vector.

In other words, the attacker did not need to break into endpoints. They controlled the system responsible for managing them. This represents a structural shift in attack design.

Traditional intrusions follow a familiar pattern: initial compromise, lateral movement, and eventual payload deployment. In this case, the sequence is inverted: identity compromise leads directly to administrative control of the cloud management plane, which in turn enables immediate, large-scale impact.

Figure 1: Comparison of two attack models. The traditional path (left) shows a stepwise progression from initial compromise through lateral movement to endpoint impact. The identity-to-cloud path (right) shows how compromising a privileged identity enables direct control of the management plane, allowing immediate, large-scale impact across multiple systems without lateral movement.

 

Identity and the Control Plane as the Attack Surface

Modern enterprise environments are built around cloud control planes — including identity providers such as Entra ID, endpoint management systems such as Intune, and infrastructure APIs. These systems are designed to act as trusted orchestration layers. That trust is now being exploited.

Once an attacker gains sufficient privileges within this layer, they effectively inherit the capabilities of the platform itself. Devices can be wiped, scripts can be deployed, policies can be modified, and data can be accessed or moved — all through legitimate interfaces. No vulnerability needs to be exploited and no malware needs to spread. The attacker operates entirely within expected system behavior.

 

Reconstructing the Attack Path

Although the full forensic chain has not been disclosed, Cyngular's Research constructed a plausible sequence from available signals and internal research.

The initial foothold was most likely achieved through common identity compromise techniques such as phishing, credential theft via infostealers, or session hijacking. At this stage, the signals are weak and easily dismissed: a login from a new location, a previously unseen device, or a slightly anomalous session. These events rarely trigger strong alerts in isolation.

Once inside, the attacker likely performed reconnaissance through API-driven queries, enumerating users, roles, and device inventory while accessing the Intune management plane. This activity blends seamlessly into normal administrative operations.

The critical transition occurs at privilege escalation. By assigning Global Administrator or Intune Administrator roles — or by creating new privileged identities or service principals — the attacker gains control over both the identity layer and the device management layer. At that point, they effectively control the organization's operational backbone.

Figure 2: This threat sequence shows how an activity such as the Stryker attack is captured and correlated within the Cyngular platform over time, starting from low-severity signals such as anomalous logins and progressing through discovery and privilege escalation. Events that would typically appear benign in isolation are connected into a unified behavioral sequence, enabling Cyngular to surface emerging risk early and drive timely mitigation before impact occurs.

 

From there, the attacker does not deploy malware — because they simply don't need it. Instead, they leverage the management plane itself. Platforms like Intune are designed to execute remote actions, apply policies, and deploy scripts at scale. Every action taken is authenticated with a valid identity, authorized by assigned roles, and executed through first-party APIs. From the system's perspective, nothing is abnormal.

This is what makes detection difficult. The attacker is not bypassing controls but operating within them, so individual events appear benign. Detection therefore requires context rather than signatures. A newly privileged identity performing high-impact actions, administrative operations originating from unusual sessions, or sequences of behavior that deviate from established baselines are the only reliable indicators.

 

Data Exfiltration Without "Exfiltration"

Available evidence suggests that data movement was performed using native cloud mechanisms rather than traditional exfiltration techniques. In Azure environments, large-scale data transfer does not require downloading files or staging them externally. With sufficient privileges, data can be moved entirely within the platform.

One plausible method is cross-tenant storage replication, where a policy is configured to continuously copy data from the victim environment to an external tenant. Once established, this process runs asynchronously in the background, relies entirely on Azure services, and requires no further attacker interaction. There are no large outbound transfers, no suspicious protocols, and no malware-based staging. From a monitoring perspective, it appears as a configuration change followed by normal service behavior.

In effect, the attacker does not extract data directly. They configure the platform to move it on their behalf.

This model is consistent with claims made by the attacking group, which published sample data on an underground leak site and suggested downstream impact across multiple medical institutions. While such claims should be treated cautiously, they reinforce a key point: once control-plane access is obtained, data movement can occur through entirely legitimate workflows without triggering traditional detection mechanisms.


Figure 3: (A) Screenshot from the Handala group's .onion leak site, where the attackers publicly claim responsibility for the Stryker breach and assert large-scale system disruption and data exfiltration. (B) Official statement from Stryker acknowledging a global disruption to its Microsoft environment following a cyber incident, noting operational impact and ongoing investigation without evidence of ransomware involvement.

 

Why Traditional Detection Fails

The significance of the Stryker incident lies not only in how it was executed, but in why it was not detected in time. Most security controls are built around a model of attacks that assumes the presence of malware, lateral movement, or anomalous network activity. They rely on the expectation that an attacker will eventually deviate from normal system behavior.

In this case, that assumption does not hold. The attacker remained entirely within trusted cloud services, using valid identities and legitimate administrative interfaces. There was no exploit, no malicious binary to analyze, and no obvious policy violation. The activity did not evade detection because it was invisible — it evaded detection because it did not match the definition of malicious behavior encoded in existing systems. The attacker did not bypass the tools. They used the tools.

 

The Missed Opportunity: Early Weak Signals

But this attack, like most attacks, did not occur instantaneously. It unfolded over time, leaving behind a sequence of weak but meaningful indicators: an unusual login that was overlooked, access to administrative interfaces by an identity that had never used them before, resource enumeration, privilege escalation, and a shift toward high-impact administrative actions.

Individually, these events are common and often benign. Most detection systems evaluate them in isolation or rely on static thresholds. If no single event crosses a predefined boundary, no alert is generated. There is no mechanism to connect these signals into a coherent narrative of intent. The failure in this case was not a lack of visibility, but a lack of correlation. The system observed events but did not interpret behavior.

Figure 4: A unified view of the attack path as reconstructed by the Cyngular platform, where low-level signals across identity, cloud resources, and workloads are automatically connected into a continuous behavioral graph. Early reconnaissance and anomalous activity are linked to privilege misuse and execution events, making the full progression visible well before impact. By surfacing these relationships in real time, the platform enables early intervention and prevents the attack from fully materializing.

 

Rethinking Prevention

Control-plane attacks depend on environmental conditions as much as attacker capability. Excessive or persistent privileges, poorly scoped administrative roles, lack of just-in-time access controls, permissive storage configurations, and weak conditional access enforcement all increase the likelihood of successful exploitation. These are not active threats but latent risks. Addressing them reduces both the probability of compromise and the potential blast radius.

In the context of the Stryker attack, these risks likely appeared as concrete gaps in identity and control-plane governance. For example, standing Global Administrator or Intune Administrator roles without just-in-time controls would allow a compromised identity to immediately manage devices at scale. Similarly, insufficient Conditional Access for administrative actions could enable access to Intune or Graph APIs from non-compliant devices or anomalous locations without triggering additional verification.

 

A Shift in Security Thinking

Attacks do not follow a fixed pattern. They continuously evolve, taking on new forms that often blend seamlessly into legitimate system behavior. As environments become more cloud-driven and identity-centric, the line between normal operations and malicious activity becomes increasingly difficult to define using static rules or predefined assumptions.

In modern systems, high-impact outcomes can emerge from a small number of legitimate actions executed in the right sequence. What distinguishes an attack is no longer a specific artifact or signature, but the context and progression of behavior over time.

The destructive action at Stryker may have been immediate, but the attack path was not. It developed gradually, leaving behind a series of weak, distributed signals across identity and cloud systems. The organizations that will stop the next attack of this type are not those that rely on faster signature detection, but those that can recognize behavioral patterns early and continuously apply intelligent analysis across their environments — using systems such as Cyngular to identify and interrupt these patterns before they reach impact.

 

Learn More

Recent

See All
Request demo
Cyngular Security
Powered by  GDPR Cookie Compliance
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.