Identity-led attacks don’t become existential because MFA is missing everywhere. They become existential because passwords, standing privilege, and legacy authentication still exist somewhere, and attackers know exactly where to look.
The reported Handala attack on Stryker is the latest reminder: destructive cyber events rarely begin with sophisticated exploits. They begin with compromised identity, abused admin access, and trusted tools turned against the organization.
The Real Lesson: It’s What Happens After They Get In
Public reporting indicates Handala claimed a large-scale destructive attack against Stryker, including device wiping and data theft, while Stryker acknowledged severe global disruption. Analysis of the incident has focused on how administrative control planes and remote management workflows were turned into force multipliers for attackers. That’s the right framing.
When authentication still depends on passwords, when privileged access remains standing, and when legacy systems still require password-backed workflows, one compromised identity can become a company-wide event. Remote actions designed for operational efficiency become destructive at scale. And once attackers inherit trusted admin pathways, recovery stops being containment — it becomes re-architecture.
CISA has warned that Iranian-affiliated cyber actors have used brute force, password spraying, credential access, and MFA abuse to compromise accounts and expand access. Palo Alto’s guidance on wiper risk reinforces the same defensive posture: reduce standing administrative privilege, use just-in-time access, and trigger automated lockouts when mass-wipe behavior is detected.
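The automated lockout on mass-wipe behavior described above can be sketched as a sliding-window check over admin audit events. This is an added example, not code from CISA, Palo Alto, or any vendor named here; the event layout, action names, threshold and window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events (assumed layout): time, admin, action, target device.
SAMPLE_EVENTS = [
    ("2025-01-01T09:00:00", "admin-a", "wipe", "dev-001"),
    ("2025-01-01T09:40:00", "admin-a", "wipe", "dev-002"),
    ("2025-01-01T10:00:00", "admin-b", "wipe", "dev-101"),
    ("2025-01-01T10:00:20", "admin-b", "wipe", "dev-102"),
    ("2025-01-01T10:00:20", "admin-b", "wipe", "dev-102"),  # duplicate request
    ("2025-01-01T10:00:40", "admin-b", "sync", "dev-103"),
    ("2025-01-01T10:01:00", "admin-b", "wipe", "dev-104"),
    ("2025-01-01T10:01:30", "admin-b", "wipe", "dev-105"),
    ("2025-01-01T10:02:00", "admin-b", "wipe", "dev-106"),
]

DESTRUCTIVE = {"wipe", "retire", "factory_reset"}  # assumed action names


def detect_mass_wipe(events, threshold=4, window=timedelta(minutes=5)):
    """Lock out any admin who sends destructive actions to `threshold`
    distinct devices inside one sliding `window`.

    Returns {actor: {"locked_at": ts, "refused": [targets refused afterwards]}}.
    """
    recent = defaultdict(deque)  # actor -> deque of (time, target)
    locked = {}
    for ts, actor, action, target in sorted(events):
        if action not in DESTRUCTIVE:
            continue
        if actor in locked:
            # Lockout already triggered: the request is refused, not executed.
            locked[actor]["refused"].append(target)
            continue
        now = datetime.fromisoformat(ts)
        q = recent[actor]
        q.append((now, target))
        while q and now - q[0][0] > window:  # drop events older than the window
            q.popleft()
        # Count distinct devices so retries against one device do not trip it.
        if len({t for _, t in q}) >= threshold:
            locked[actor] = {"locked_at": ts, "refused": []}
    return locked


if __name__ == "__main__":
    print(detect_mass_wipe(SAMPLE_EVENTS))
```

Slow, routine wipes (admin-a) stay under the threshold, while the burst from admin-b is cut off at the fourth distinct device and the fifth is refused.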
The Strategic Conclusion: Coverage Is Everything
Phishing-resistant MFA is necessary. But comprehensive passwordless coverage is what actually closes the gaps.
Too many organizations define “passwordless” too narrowly:
- A few cloud apps support modern authentication
- Windows login still depends on passwords
- VPN still has a password fallback
- Legacy and on-prem applications still sit behind brittle credential-based flows
- Privileged access still relies on the same identity fabric attackers target
That’s not a passwordless architecture. That’s a modern façade over legacy risk.
To materially reduce the blast radius of identity-led attacks, organizations need to eliminate user-managed passwords across the workforce and extend phishing-resistant authentication to every meaningful access path:
- Desktop login
- Web and SaaS applications
- VPN and remote access
- Legacy and on-prem applications
- Privileged workflows and high-risk admin actions
This is where most security programs stall. Greenfield apps are easy. The systems the business still depends on are not.
Why SDO Was Built for This Problem
Secret Double Octopus (SDO) was built specifically for enterprises that can’t afford coverage gaps. Octopus extends passwordless MFA across desktop, web, corporate apps, legacy environments, and privileged access — without requiring a rebuild of the application stack.
For non-SAML and legacy environments, SDO replaces user-facing passwords with backend ephemeral tokens, preserving existing infrastructure while eliminating passwords from the user workflow entirely.
That matters because attackers don’t care which parts of your environment are modernized. They care which parts still trust a stolen secret.
The Bottom Line
The organizations that come out strongest from this cycle won’t be the ones that added more prompts or more friction to a password-centric model. They’ll be the ones that committed to three principles:
- No standing password dependency where it can be removed
- No privileged workflow without stronger controls
- No “legacy exception” left untreated simply because it’s hard
The Stryker story isn’t only about one attack group or one victim. It’s a warning about a security model that still gives too much power to compromised identity.
Passwordless MFA only changes the game when it covers the whole field.