A recent disruption‑focused, “wiper” cyberattack in the medical technology industry underscores a growing reality for executive teams. Some of today’s high‑risk cyber events are not designed to steal data or demand ransom. They are designed to disrupt operations at scale.
Across regulated and critical sectors, organizations have disclosed cyber events involving global disruption to enterprise technology environments, with impacts to core business operations such as ordering, manufacturing, and logistics. In some of these situations, organizations have reported no indication of ransomware or traditional malware and have described the activity as technically contained, even as operational disruption persisted.
Public reporting and threat intelligence increasingly characterize these events as destructive, disruption‑focused cyberattacks, including “wiper‑style attacks.” Rather than deploying malware broadly, attackers may abuse legitimate administrative capabilities within cloud‑based endpoint management platforms. By triggering remote wipe functionality intended for lost or stolen devices, they can render corporate laptops, desktops, and mobile devices inoperable.
The resulting effects can include widespread outages and business interruption, achieved without the tactics most organizations traditionally associate with cybercrime. This risk pattern reinforces an important message for leadership teams: cyber risk encompasses more than confidentiality concerns. It includes threats to operations and continuity.
Why Disruption‑Focused Cyber Incidents Are Different
Many organizations still frame cyber risk primarily around data theft, regulatory exposure, or ransom demands. Disruption‑focused cyberattacks reflect a different and increasingly relevant threat model.
Rather than prioritizing data theft or direct monetization, these activities are designed to impair availability, slow operations, and create uncertainty.
In disruption‑oriented campaigns, attackers may deliberately avoid tactics commonly associated with ransomware or widespread malware. Instead, they rely on the misuse of legitimate access and administrative capabilities to degrade systems, interrupt workflows, or temporarily disable business operations.
“Typically, cyberattacks are focused on financial gain or espionage. Disruption is different. Attackers may gain access to critical systems and simply delete or disable data. The objective is operational impact, not profit.”
— Ben Owings, Forvis Mazars, “Achieving Health” podcast, March 18, 2026
In regulated and safety‑sensitive sectors such as healthcare and medical technology, even short‑lived disruption can cascade into supply chain delays, workflow breakdowns, and customer uncertainty.
Operational Impact Without Traditional Malware
Disruption‑focused cyber incidents reveal how significant business impact can occur without traditional malware or ransomware.
Common operational effects observed across disruption‑oriented events include:
- Loss of endpoint availability: Organizations may experience widespread device inoperability when administrative actions such as remote wipe, reset, or policy enforcement are misused, requiring teams to operate in contingency or manual modes.
- Interruption of core business processes: Corporate IT systems that support functions such as ordering, invoicing, manufacturing coordination, and logistics may be temporarily unavailable, forcing reliance on manual workarounds while systems are stabilized and restored.
In some situations, architectural separation between corporate IT systems and product, operational, or customer‑facing platforms can help limit downstream risk. While this separation may reduce direct impact on customers or end-users, it does not exclude the potential for material operational disruption within the organization.
These scenarios underscore an important risk management reality. A cyber incident can be technically contained while still creating meaningful business interruption. Availability and continuity implications should be considered alongside confidentiality and integrity when assessing cyber risk exposure.
The Control Plane as a Critical Risk Area
Cloud identity and endpoint management platforms, such as Microsoft Intune within a Microsoft 365 environment, allow organizations to centrally manage devices, applications, and user access. These tools are essential for modern operations. They also function as a control plane.
If privileged access to that control plane is compromised, legitimate features, such as remote device wipe, policy deployment, or access revocation, can be turned into high‑impact disruptive actions.
For business leaders, the takeaway is not that a specific technology platform is unsafe. It’s that identity, privilege, and administrative access now represent some of the highest‑consequence risk areas.
Threat Context: Disruption in a Heightened Risk Environment
Wiper and disruption-focused cyberattacks align with patterns highlighted in recent government and sector guidance. Agencies such as the Cybersecurity and Infrastructure Security Agency have warned that amid geopolitical risks and global tension, organizations that support critical sectors may face nation‑state threats and ideologically motivated disruption attempts.
These campaigns often exploit:
- Stolen or poorly protected credentials
- Excessive standing privileges
- Weak controls around administrative actions
- Overreliance on assumed containment rather than tested resilience
The goal is not always persistence or data exfiltration. In many cases, the objective is highly visible disruption.
Signals of Responsible Defense
Across disruption‑focused cyber events, several common practices signal responsible defense and effective crisis management, including:
- Fact‑based communication: Effective responses emphasize confirmed outcomes, response actions, and restoration priorities, while avoiding speculation about attribution or unverified technical details.
- Safety and integrity assurance: Clear, consistent messaging about the status of products, services, and critical systems can help reduce uncertainty for customers, business partners, and other stakeholders during periods of disruption.
- Continuity over perfection: Organizations that prioritize manual workarounds, phased restoration, and continuity of critical operations demonstrate a pragmatic resilience approach, even when full system recovery takes time.
These practices reflect widely recommended incident response guidance: communicate what is known, prioritize safety and continuity, and manage disruption deliberately rather than reactively.
A Practical Playbook: Reduce Exposure, Then Build Resilience
Insights from IT Risk & Compliance professionals at Forvis Mazars, informed by incidents like this, point to a two‑part agenda for organizations in regulated and critical sectors.
1) Reduce exposure with targeted assurance and remediation.
Start with visibility. Many organizations can improve agility by validating “what is actually true” in their environment rather than relying on assumptions.
- Risk assessment and technical testing: Use cybersecurity risk assessments, penetration testing, and vulnerability scanning to identify and prioritize exploitable paths, particularly around identity, remote access, and privileged accounts.
- Credential and privilege hardening: Destructive actors are increasingly associated with stolen credentials and abuse of legitimate administrative access. Controls that limit standing privilege and tighten administrative access can help reduce the attack radius.
- Cloud control-plane protections: Review who has administrative privileges for identity and access management tools and other technology layers, and consider additional approval requirements for high-impact actions like device wipe.
2) Build resilience with planning, stress testing, and governance.
When the goal is disruption, resilience becomes a core control.
- Incident response plan design review: Confirm the plan is current, detailed, and usable in a high-pressure moment, including escalation paths and decision authorities that extend beyond IT and include the management roles needed to activate an emergency response.
- Tabletop exercises: Stress test the plan with multidisciplinary leadership, including operations, legal, compliance, communications, HR, clinical leadership where applicable, and key vendors. Tabletop exercises help clarify roles, communication flows, and trade-offs before a real event.
- External communications: Pre-plan how and when to engage law enforcement and government partners, cyber insurance carriers, and critical service providers, including what information is shared and who approves it.
Actions to Consider Now
Organizations that rely on Microsoft 365, Entra ID, Intune, or large managed endpoint fleets may consider the following near‑term actions:
- Identify privileged identities that can administer your cloud control plane, then validate MFA coverage, role assignments, and break-glass procedures.
- Review destructive actions such as remote wipe, device reset, and policy deployment. Consider requiring additional approval or tighter conditional access for those functions.
- Validate backup and recovery assumptions for endpoints and critical business applications, including how quickly users can be re-provisioned if devices are wiped.
- Run a tabletop exercise focused on an identity compromise and a destructive endpoint action scenario, including communications to customers, regulators, and law enforcement.
- Use government and sector guidance to prioritize mitigations associated with nation-state threats, including patching, credential hygiene, and remote access controls.
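The review of destructive actions suggested above can be backed by a detection rule over endpoint-management audit logs. As an added example (not from the original article or any vendor's tooling), the sketch below flags any administrator whose wipe or reset actions hit more than a set number of distinct devices within a short window; the event schema, action names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events. The field names (time, actor, action,
# device) are a simplified, hypothetical schema, not a vendor's export format.
SAMPLE_EVENTS = [
    {"time": "2026-03-10T02:14:05", "actor": "helpdesk1@example.com", "action": "wipe", "device": "LT-0412"},
    {"time": "2026-03-10T09:30:00", "actor": "admin7@example.com", "action": "sync", "device": "LT-0001"},
    {"time": "2026-03-10T09:31:10", "actor": "admin7@example.com", "action": "wipe", "device": "LT-0001"},
    {"time": "2026-03-10T09:31:40", "actor": "admin7@example.com", "action": "wipe", "device": "LT-0002"},
    {"time": "2026-03-10T09:32:05", "actor": "admin7@example.com", "action": "factoryReset", "device": "PH-0100"},
    {"time": "2026-03-10T09:33:20", "actor": "admin7@example.com", "action": "wipe", "device": "LT-0003"},
    {"time": "2026-03-10T16:45:00", "actor": "helpdesk1@example.com", "action": "wipe", "device": "LT-0977"},
]

# Hypothetical action names standing in for whatever the platform logs.
DESTRUCTIVE = {"wipe", "factoryReset", "retire"}


def find_wipe_bursts(events, max_devices=3, window=timedelta(minutes=10)):
    """Return one alert per actor whose destructive actions hit more than
    max_devices distinct devices inside any sliding time window."""
    recent = defaultdict(deque)  # actor -> deque of (timestamp, device)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in DESTRUCTIVE:
            continue
        ts = datetime.fromisoformat(ev["time"])
        q = recent[ev["actor"]]
        q.append((ts, ev["device"]))
        # Drop actions that have aged out of the window for this actor.
        while q and ts - q[0][0] > window:
            q.popleft()
        devices = {d for _, d in q}
        if len(devices) > max_devices:
            alert = alerts.setdefault(
                ev["actor"],
                {"actor": ev["actor"], "first_seen": q[0][0], "devices": set()},
            )
            alert["devices"] |= devices
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_wipe_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['actor']}: {len(a['devices'])} devices since {a['first_seen']}")
```

Isolated helpdesk wipes of single lost devices stay below the threshold, while the burst from one account is reported once with every affected device listed.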
How Forvis Mazars Can Help
Cybersecurity incidents serve as an important reminder that operational resilience planning is critical.
For executive teams, the takeaway is clear: responsible defense can reduce exposure to disruption-focused cyberattacks and strengthen organizational resilience when disruption occurs.
If your organization is seeking a structured approach to cyber resilience in an increasingly disruptive threat environment, IT Risk & Compliance at Forvis Mazars provides services for cybersecurity risk assessments, penetration testing, vulnerability scanning, remediation road maps, incident response plan evaluation, and tabletop exercises that bring organizational leaders together for practical decision making. Contact us today to ask your questions and learn more.