Cleartext – March 12, 2026
Thursday, March 12, 2026·9:58
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 8 stories across 5 topic areas, including: Medical device giant Stryker confirms cyberattack as employees say devices were wiped; Srsly Risky Biz: President Trump's best ever cyber strategy; ShinyHunters claims new campaign targeting Salesforce Experience Cloud sites.
Stories Covered
🌍 Geopolitical
Medical device giant Stryker confirms cyberattack as employees say devices were wiped
The Record (Recorded Future) · Mar 11 · Relevance: ██████████ 10/10
Why it matters to CISOs: A state-linked wiper attack on a $20B+ medtech firm with 200,000 systems allegedly wiped and 5,000+ workers sent home demonstrates how geopolitical conflict directly translates into destructive enterprise cyber operations — CISOs must reassess resilience against wiper malware and nation-state threat models.
- Pro-Iran Handala group claims responsibility, described as Tehran-run 'faketivist' group
- Global disruption to Microsoft systems with devices remotely wiped and terabytes of data reportedly stolen
- Stryker filed SEC Form 8-K; 5,000+ workers in Ireland sent home; U.S. HQ reported building emergency
Srsly Risky Biz: President Trump's best ever cyber strategy
Risky Business News · Mar 12 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A new national cyber strategy sets policy direction that will influence regulatory expectations, federal contracting requirements, and public-private partnership dynamics — CISOs should understand where stated goals diverge from administration actions.
- New Trump Cyber Strategy for America released with some 'game-changing' goals
- Analysis suggests administration actions to date undercut many of the strategy's objectives
- Also covers Coruna exploit kit leak from a US defense contractor
🔓 Data Breach
ShinyHunters claims new campaign targeting Salesforce Experience Cloud sites
Help Net Security · Mar 11 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Third Salesforce customer attack campaign in six months using modified open-source tooling signals a systemic SaaS configuration risk — CISOs with Salesforce Experience Cloud deployments should immediately audit access controls and guest user permissions.
- ShinyHunters claims campaign using modified Aura Inspector open-source tool against Salesforce Experience Cloud
- Salesforce confirmed the attack campaign but says no platform vulnerability is involved
- Third customer attack spree tied to Salesforce instances in six months
⚖️ Governance & Policy
Modernizing HIPAA: Are You Ready?
BankInfoSecurity · Mar 12 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The first major HIPAA Security Rule overhaul in decades could finalize as early as May 2026 — healthcare CISOs and any organization handling PHI must begin gap assessments against the modernized requirements now.
- HIPAA Security Rule undergoing first major overhaul in decades
- Finalization possible as early as May 2026 though timeline uncertain
- New requirements grounded in modern cybersecurity practices and frameworks
US charges another ransomware negotiator linked to BlackCat attacks
BleepingComputer · Mar 12 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: DOJ charging ransomware negotiators for secretly partnering with threat actors raises serious third-party risk questions — CISOs must vet incident response and negotiation partners with the same rigor applied to other critical vendors.
- Second former DigitalMint employee charged for insider scheme with BlackCat/ALPHV ransomware
- Ransomware negotiators secretly partnered with the ransomware operation itself
- DOJ continuing aggressive enforcement against ransomware ecosystem enablers
🚀 Startup Ecosystem
Google completes $32B acquisition of Wiz
Cybersecurity Dive · Mar 11 · Relevance: ██████████ 10/10
Why it matters to CISOs: The largest cybersecurity acquisition in history reshapes the cloud security market — CISOs using Wiz (or competitors) need to evaluate multi-cloud strategy implications now that Wiz is Google-owned, even as it pledges multi-platform support.
- Google completed $32 billion all-cash acquisition of Wiz, its largest acquisition ever
- Wiz will continue to operate under its own brand and across multiple cloud platforms
- Deal closes a full year after initial announcement
Armadin Launches With $190M to Automate Red-Teaming With AI
BankInfoSecurity · Mar 12 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A $190M launch for AI-powered continuous red-teaming signals rapid market maturation in autonomous offensive testing — CISOs should evaluate whether AI-driven red teams can supplement or replace costly periodic pentesting engagements.
- Armadin secured nearly $190 million in funding to automate red-team operations with AI agents
- Platform enables continuous defense testing to uncover attack paths traditional consulting misses
- Combines AI attack agents with human experts for real-world cyberattack simulation
🚨 Critical Vulnerability
CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed
The Hacker News · Mar 12 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: A CVSS 9.9 RCE in n8n workflow automation actively exploited in the wild with 24,700 exposed instances — CISOs should verify if shadow IT or DevOps teams have deployed n8n and patch or isolate immediately.
- CVE-2025-68613 (CVSS 9.9) expression injection leading to RCE in n8n workflow automation
- Added to CISA KEV catalog based on active exploitation evidence
- 24,700 instances remain exposed on the internet
Further Reading
- 🌍 Medical device giant Stryker confirms cyberattack as employees say devices were wiped — The Record (Recorded Future)
- 🌍 Srsly Risky Biz: President Trump's best ever cyber strategy — Risky Business News
- 🔓 ShinyHunters claims new campaign targeting Salesforce Experience Cloud sites — Help Net Security
- ⚖️ Modernizing HIPAA: Are You Ready? — BankInfoSecurity
- ⚖️ US charges another ransomware negotiator linked to BlackCat attacks — BleepingComputer
- 🚀 Google completes $32B acquisition of Wiz — Cybersecurity Dive
- 🚀 Armadin Launches With $190M to Automate Red-Teaming With AI — BankInfoSecurity
- 🚨 CISA Flags Actively Exploited n8n RCE Bug as 24,700 Instances Remain Exposed — The Hacker News
Full Transcript
Alex: Welcome to Cleartext. Thursday, March 12th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: So Jordan, you want to start with the one that had you messaging me at midnight.
Jordan: Yeah. Stryker. A twenty-plus billion dollar medical device manufacturer just got hit with a wiper attack. Not ransomware. A wiper. The pro-Iran Handala group is claiming credit. They say they wiped two hundred thousand systems. Stryker has confirmed the incident, filed an 8-K with the SEC, and sent over five thousand workers home from their Ireland operations. Their U.S. headquarters reportedly declared a building emergency. This is a destructive attack on a major healthcare supply chain company, and it's explicitly framed as geopolitical retaliation for U.S. and Israeli strikes on Iran.
Alex: Let's sit with that for a moment because this is a different category of event. This is not a financially motivated crew looking for a payout. Handala is what the threat intel community calls a faketivist group — they present as hacktivists, but the assessment is they're Tehran-directed. And they chose a wiper. The intent isn't to monetize. The intent is to destroy and to send a message.
Jordan: Correct. And the target selection is telling. Stryker makes surgical equipment, implants, hospital infrastructure. You hit Stryker, you don't just disrupt a company. You potentially disrupt surgical schedules, hospital operations, the downstream supply chain for healthcare delivery. The strategic logic is clear: demonstrate that U.S. critical infrastructure companies are not beyond reach when geopolitical tensions escalate.
Alex: For CISOs listening, especially those outside healthcare, I want to be direct about the implications. If you are in any sector that touches U.S. national interests — defense, energy, healthcare, financial services — your threat model needs to account for destructive operations, not just data theft, not just ransomware. Wiper malware is fundamentally different. Your recovery architecture, your backup strategy, your network segmentation — all of it needs to be tested against an adversary whose goal is maximum destruction, not a negotiation.
Jordan: And the Microsoft ecosystem dependency is worth flagging. Reports indicate the wiping targeted Microsoft systems specifically. If your environment is heavily Microsoft-dependent, which most are, you need to think about whether your endpoint detection can catch wiper behavior before it propagates. Wipers move fast. You don't get the luxury of a dwell time measured in days. You might get hours.
Alex: The 8-K filing is also significant from a governance standpoint. Stryker is doing what the SEC materiality rules require, but every board director at every public company should be looking at this and asking their CISO: what's our wiper resilience? What's our recovery time if an adversary doesn't want money but wants to burn us down?
Jordan: And I'll add one more thing. The claim of terabytes of stolen data alongside the wiping is the hybrid playbook. Destroy the systems, then leak the data to maximize reputational damage. Expect that to unfold over the coming weeks.
Alex: Let's pivot to the policy landscape because it connects directly. The Trump administration released its new national cyber strategy this week, and the analysis from Risky Business is worth unpacking.
Jordan: So the strategy document itself has some genuinely interesting elements. There are goals in there around offensive deterrence, around streamlining public-private threat sharing, around reducing regulatory fragmentation — things CISOs have been asking for. On paper, some of it is legitimately forward-looking.
Alex: The problem, and Tom Uren's analysis nails this, is the gap between the document and the administration's actual actions. You can't release a strategy that emphasizes public-private partnership while simultaneously hollowing out CISA's workforce. You can't talk about strengthening cyber defenses while cutting the budgets of the agencies responsible for them.
Jordan: Right. Strategy documents are aspirational by nature. But CISOs need to read this one as a signal of where regulatory and contracting requirements may shift, not as a description of current reality. If you're a federal contractor or you operate in a regulated industry, the stated goals around accountability and baseline security standards could become compliance requirements. Plan for the document's ambitions, not the administration's current execution.
Alex: There's also the Coruna exploit kit angle buried in the same analysis. A U.S. defense contractor leaked an exploit kit. The details are still emerging, but the implication is clear: the supply chain for offensive cyber capabilities is itself a security risk. When exploit kits leak from the people building them, everyone's attack surface expands.
Jordan: The exploit market is so lucrative that containment is essentially impossible over long timescales. If you're building or stockpiling exploits, they will eventually leak. That's not cynicism. That's empirical reality.
Alex: Let's move to the ShinyHunters campaign against Salesforce Experience Cloud, which I think is one of the most operationally relevant stories this week for a broad set of CISOs.
Jordan: This is the third attack wave hitting Salesforce customer instances in six months. ShinyHunters is claiming they modified the open-source Aura Inspector tool to scrape data from Experience Cloud sites. Salesforce has confirmed the campaign but says, and I quote, no platform vulnerability is involved. Which is their way of saying this is a customer configuration problem.
Alex: And they're not wrong, technically. But here's where I get pointed about it. When the same configuration weakness gets exploited three times in six months by the same threat actor group, at some point the platform vendor has a responsibility to make the secure configuration the default, not the exception.
Jordan: Agreed. But CISOs can't wait for Salesforce to fix this culturally. If you have Experience Cloud deployments, audit your guest user permissions today. Not next quarter. Today. The tooling to exploit this is open source, it's been modified for offensive use, and ShinyHunters is actively running campaigns. This is a known, exploitable pattern.
Alex: The broader lesson here is SaaS configuration drift. Your Salesforce instance, your ServiceNow instance, your Workday instance — these are attack surfaces. They're not someone else's problem just because they're hosted.
Jordan: Amen.
Alex: Two governance stories to hit quickly. First, the HIPAA Security Rule modernization. This is the first major overhaul in decades, and finalization could come as early as May. Healthcare CISOs, and honestly any organization handling protected health information, need to start gap assessments now. The new requirements are grounded in modern frameworks. Think NIST CSF alignment, encryption mandates, incident response specifics. This is not going to be a gentle update.
Jordan: And given what we just discussed with Stryker, the timing is almost poetic. Healthcare is getting hammered by sophisticated adversaries while simultaneously facing a regulatory overhaul. The CISOs who are already aligned to NIST CSF will be in decent shape. Everyone else has work to do.
Alex: Second governance story — DOJ charged another former DigitalMint employee for secretly partnering with the BlackCat ransomware operation. This is the second insider from the same firm. These were people hired to negotiate on behalf of victims who were actually in bed with the attackers.
Jordan: This should terrify every CISO who has ever engaged a ransomware negotiation firm. And I don't say that lightly. The third-party risk here is existential. You're bringing someone into your most sensitive crisis moment, giving them access to your communications, your financial posture, your negotiation strategy, and they might be feeding it directly to the adversary.
Alex: Vet your incident response partners with the same rigor you apply to any critical vendor. References, conflict of interest disclosures, contractual protections. If your retainer agreement with a breach coach or negotiator doesn't address this scenario, fix that.
Jordan: Trust but verify. Except in this case, maybe just verify.
Alex: Two quick market moves. Google closed the Wiz acquisition. Thirty-two billion dollars, all cash, largest cybersecurity acquisition in history. Wiz says it will continue operating independently across multiple cloud platforms.
Jordan: The pledge of multi-cloud neutrality is the thing to watch. Today they say it. In eighteen months, will the Google Cloud integration be subtly better? Almost certainly. If you're running Wiz in AWS or Azure environments, you're not in danger today, but your long-term strategy should account for the possibility that incentives shift.
Alex: And for competitors — Orca, Lacework, the CNAPP market broadly — this changes the competitive dynamics fundamentally. Google's distribution engine behind Wiz is a different animal than Wiz as an independent.
Jordan: On the startup front, Armadin launched with a hundred and ninety million dollars to automate red-teaming with AI agents. Continuous offensive testing, combining AI attack agents with human operators.
Alex: The market signal is clear. Periodic pentesting is being challenged by continuous, AI-driven alternatives. I'd say evaluate, don't abandon. AI red-teaming is a supplement to skilled human operators, not a replacement. But the economics are going to shift fast.
Jordan: One vulnerability to flag. CISA added CVE-2025-68613 to the Known Exploited Vulnerabilities catalog. It's a CVSS 9.9 expression injection leading to remote code execution in n8n, the workflow automation platform. Twenty-four thousand seven hundred instances are exposed on the internet.
Alex: n8n is the kind of tool that DevOps and automation teams deploy without security's knowledge. This is a shadow IT risk. If you don't know whether n8n is in your environment, find out. If it is, patch or isolate immediately.
Jordan: Looking at the week's themes, Alex, the thread connecting everything today is that the perimeter between geopolitics and enterprise security has dissolved completely.
Alex: It has. The Stryker attack is the most visceral example, but it runs through everything. A national cyber strategy that can't execute because of political dynamics. Exploit kits leaking from defense contractors. Ransomware negotiators compromised by the adversaries they're supposed to negotiate against. The systems we depend on are being contested at every level.
Jordan: And for CISOs, the operational implication is that resilience is not optional. Not resilience as a buzzword, but actual tested recovery capabilities against destructive scenarios. Can you rebuild from scratch? How fast? Have you tested it? Not tabletop tested — actually tested.
Alex: That's the question every CISO should be bringing to their next board meeting. Not if, but when a destructive attack hits, what's our recovery time and what's the business cost of that window? If you don't have a crisp answer, you have your next priority.
Jordan: Agreed.
Alex: That's Cleartext for Thursday, March 12th. Thanks for listening. We'll be back tomorrow.
Jordan: Stay sharp out there.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-12.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.