Cleartext – March 13, 2026
Friday, March 13, 2026·10:03
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 8 stories across 5 topic areas, including: Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict; Officials worry Salt Typhoon apathy is killing momentum for tougher telecom security rules; AI-generated Slopoly malware used in Interlock ransomware attack.
Stories Covered
🌍 Geopolitical
Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict
CyberScoop · Mar 12 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Iranian state-sponsored actors using hacktivist cover to conduct destructive wiper attacks against U.S. companies signals an escalation that CISOs in healthcare, defense, and critical infrastructure must factor into threat models.
- Iranian hackers using 'Handala' hacktivist brand conducted a destructive attack on Stryker, a major U.S. medical device maker
- Attack occurred amid the joint U.S.-Israel military conflict with Iran
- Blurs the line between hacktivism and state-sponsored operations, complicating attribution and response
Officials worry Salt Typhoon apathy is killing momentum for tougher telecom security rules
CyberScoop · Mar 12 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Stalling regulatory momentum around telecom security post-Salt Typhoon means enterprises cannot rely on carrier-level protections and must continue investing in their own communications security and supply chain assurance.
- U.S. cyber officials warn that public apathy is undermining efforts to strengthen telecom security regulations
- Salt Typhoon, a Chinese state-sponsored hacking group, compromised major U.S. telecom providers
- Tougher rules for telecom carriers may not materialize without sustained political pressure
📡 Macro Trends
AI-generated Slopoly malware used in Interlock ransomware attack
BleepingComputer · Mar 12 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: AI-generated malware crossing from theory to real ransomware operations represents a strategic shift CISOs must account for — threat actors can now rapidly develop novel malware frameworks that evade signature-based detection.
- A new malware strain called Slopoly, likely created with generative AI, was used in an Interlock ransomware attack
- The malware enabled persistent access on a compromised server for over a week
- Demonstrates practical weaponization of AI coding tools by financially motivated threat actors
🔓 Data Breach
Stryker tells SEC that timeline for recovery from cyberattack unknown
The Record (Recorded Future) · Mar 12 · Relevance: █████████░ 9/10
Why it matters to CISOs: A major medical device manufacturer filing an 8-K with no recovery timeline underscores the catastrophic business impact of state-sponsored destructive attacks and the importance of resilient disaster recovery planning.
- Stryker filed an 8-K with the SEC confirming a global disruption to its Microsoft environment
- The company said the timeline for recovery is unknown
- External cybersecurity experts were brought in to assess and contain the threat
- Attack attributed to Iranian-linked group Handala
Telus Digital confirms breach after hacker claims 1 petabyte data theft
BleepingComputer · Mar 12 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A major BPO provider confirming a multi-month breach with a claimed 1 petabyte of stolen data highlights catastrophic third-party risk for any enterprise outsourcing business processes.
- Telus Digital, a major Canadian business process outsourcing company, confirmed a security incident
- Threat actors claim to have stolen nearly 1 petabyte of data over a multi-month breach
- BPO providers handle sensitive data for numerous enterprise clients, amplifying downstream risk
⚖️ Governance & Policy
Feds say another DigitalMint negotiator ran ransomware attacks and helped extort $75 million
CyberScoop · Mar 12 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The insider threat within the ransomware negotiation ecosystem is a critical vetting concern for CISOs selecting incident response partners — a negotiator was simultaneously conducting attacks and handling victim negotiations.
- Angelo Martino, a former DigitalMint ransomware negotiator, was charged with conducting BlackCat ransomware attacks
- He allegedly played both sides — attacking organizations and negotiating on behalf of victims
- The scheme helped extort approximately $75 million
Modernizing HIPAA: Are You Ready?
BankInfoSecurity · Mar 13 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Healthcare CISOs and those managing covered entity relationships need to prepare for the first major HIPAA Security Rule overhaul in decades, potentially finalized as early as May 2026, with requirements aligned to modern cybersecurity frameworks.
- The HIPAA Security Rule is undergoing its first major overhaul in decades
- Finalization could come as early as May 2026 but timelines remain uncertain
- New requirements are grounded in modern cybersecurity practices and frameworks
🚨 Critical Vulnerability
CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws
Infosecurity Magazine · Mar 12 · Relevance: █████████░ 9/10
Why it matters to CISOs: A CISA Emergency Directive targeting actively exploited Cisco SD-WAN vulnerabilities demands immediate action from any enterprise running this widely deployed infrastructure, with attackers gaining admin-level network access.
- CISA issued an emergency directive for actively exploited Cisco SD-WAN vulnerabilities
- Exploitation grants attackers administrative access to enterprise networks
- Federal agencies and critical infrastructure operators are required to respond urgently
Further Reading
- 🌍 Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict — CyberScoop
- 🌍 Officials worry Salt Typhoon apathy is killing momentum for tougher telecom security rules — CyberScoop
- 📡 AI-generated Slopoly malware used in Interlock ransomware attack — BleepingComputer
- 🔓 Stryker tells SEC that timeline for recovery from cyberattack unknown — The Record (Recorded Future)
- 🔓 Telus Digital confirms breach after hacker claims 1 petabyte data theft — BleepingComputer
- ⚖️ Feds say another DigitalMint negotiator ran ransomware attacks and helped extort $75 million — CyberScoop
- ⚖️ Modernizing HIPAA: Are You Ready? — BankInfoSecurity
- 🚨 CISA Issues Emergency Directive Over Exploited Cisco SD-WAN Flaws — Infosecurity Magazine
Full Transcript
Alex: Good morning. It's Friday, March 13th, 2026. This is Cleartext. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: We have a packed show today. The Stryker attack is dominating the conversation, and rightfully so — a major medical device manufacturer filing an 8-K saying they don't know when they'll recover. We'll unpack what that means and why the Iranian attribution matters. We're also going to talk about Salt Typhoon and why the regulatory response is stalling, AI-generated malware crossing from proof of concept to actual ransomware operations, a petabyte-scale breach at a major BPO provider, a ransomware negotiator who was literally running attacks on the side, HIPAA modernization, and a CISA emergency directive on Cisco SD-WAN. Let's start where we have to start.
Jordan: So Stryker. Here's what we know. The company filed an 8-K with the SEC confirming a global disruption to their Microsoft environment. They've brought in external incident responders. And the timeline for recovery — their words — is unknown. The attack is attributed to an Iranian-linked group operating under the Handala brand. And that name matters. Handala has been positioning itself as a hacktivist collective, but the operational sophistication here — destructive wipers against a Fortune 500 medical device company — this is not some ideologically motivated kid in a basement. This is state-sponsored capability wearing a hacktivist costume.
Alex: And that costume is doing real work for Tehran. The hacktivist branding gives them plausible deniability. It muddies attribution, it complicates the diplomatic response, and it gives them an escalation path that stays below the threshold of what would trigger a kinetic response. For CISOs, the takeaway is stark. If you're in healthcare, defense, or critical infrastructure, your threat model needs to account for destructive operations, not just espionage and ransomware. Wipers are a different animal. Your disaster recovery plans need to assume that your primary environment could be rendered completely inoperable.
Jordan: And the "unknown timeline" language in the 8-K should make every board member uncomfortable. That's not a company saying "we'll be back in two weeks." That's a company saying "we genuinely don't know how deep this goes." When your entire Microsoft environment is compromised globally, you're talking about Active Directory, identity infrastructure, potentially every endpoint and server. Rebuilding that with confidence that the attacker is fully eradicated — that's measured in months, not weeks.
Alex: The timing here is critical context too. This is happening amid active military conflict between the U.S., Israel, and Iran. We've been saying for years that cyber would be a primary theater in any peer or near-peer conflict, and now we're watching it play out in real time against private sector targets. Stryker makes surgical equipment, implants, hospital beds. This isn't an abstract target. Disruption here has patient safety implications downstream.
Jordan: And the signal-to-noise problem is real. CyberScoop's reporting highlighted how difficult it's been to separate genuine operational successes from Iranian information operations. There's a lot of noise — claimed attacks, exaggerated impacts, recycled data. But Stryker is clearly a qualified success for the attackers. An 8-K filing doesn't lie.
Alex: Let's stay on the geopolitical thread because Salt Typhoon deserves attention here. U.S. cyber officials went on record this week expressing frustration that public apathy is killing momentum for tougher telecom security regulations. For those who need the refresher, Salt Typhoon is the Chinese state-sponsored group that compromised major U.S. telecom providers. That's not alleged — it's confirmed. And the regulatory response has been, charitably, underwhelming.
Jordan: This is one of those stories that should be a five-alarm fire and instead the public collectively shrugged. Salt Typhoon had access to call metadata, potentially content, across major carriers. The intelligence value of that is extraordinary. And the response from the regulatory side has been essentially: we'd like to do something, but there's no political will.
Alex: And that directly impacts enterprise security strategy. If you were hoping that your telecom providers would be held to a higher security standard after Salt Typhoon, you should stop hoping. The practical implication is that CISOs need to continue treating carrier infrastructure as potentially compromised. End-to-end encryption for sensitive communications isn't optional. Supply chain assurance for your telecom dependencies needs to be a budget line item, not a hope.
Jordan: It's a pattern we've seen before. A major intrusion gets disclosed, there's a brief window of political energy, and then it dissipates. The difference here is the scale of the compromise. This wasn't one carrier. This was systemic. And we're walking away from it.
Alex: Let's pivot to the AI malware story because this one crossed an important threshold. BleepingComputer reported on a malware strain called Slopoly — almost certainly generated using AI coding tools — that was used in an actual Interlock ransomware attack. This isn't a lab experiment. This isn't a researcher demonstrating what's possible. This is a financially motivated threat actor using AI to write functional malware that maintained persistence on a compromised server for over a week and facilitated data theft.
Jordan: And here's why this matters operationally. The malware was novel enough that it wasn't caught by signature-based detection during that persistence window. That's the whole game. Generative AI lowers the barrier to creating net-new tooling. You don't need a skilled malware developer anymore. You need someone who can prompt effectively and test the output. The volume and diversity of malware is going to increase, and the shelf life of your detection signatures is going to decrease.
Alex: For CISOs, the investment implication is clear. Behavioral detection, anomaly-based monitoring, and EDR capabilities that don't rely solely on known signatures — these move from nice-to-have to table stakes. If they weren't already.
Jordan: Now, the Telus Digital breach. A major Canadian BPO provider confirmed a security incident after a threat actor claimed to have exfiltrated nearly one petabyte of data over a multi-month breach. One petabyte. To put that in perspective, that's roughly a thousand terabytes. That's not grabbing a database and leaving. That's sustained, high-bandwidth exfiltration over an extended period.
Alex: And the third-party risk angle here is enormous. BPO providers are handling sensitive data for dozens, potentially hundreds of enterprise clients. If you outsource customer service, back-office operations, data processing — your data was potentially in that environment. The question every CISO who works with Telus Digital should be asking right now is: what data of ours was in scope, and were we notified?
Jordan: The multi-month dwell time is the part that stings. A petabyte doesn't leave quietly. That volume of data moving out of an environment should trigger alerts. The fact that it apparently didn't — or that alerts were missed — raises serious questions about their monitoring capabilities.
Alex: This is why vendor security assessments can't be checkbox exercises. You need to understand your BPO partners' detection and response capabilities, not just their compliance posture.
Jordan: All right, the DigitalMint story. This one reads like a screenplay. Angelo Martino, a ransomware negotiator working for DigitalMint, has been charged with simultaneously conducting BlackCat ransomware attacks. He was allegedly attacking organizations and then in some cases handling the victim-side negotiations for the same incidents. The scheme is tied to approximately seventy-five million dollars in extortion.
Alex: This is the second DigitalMint employee charged, which elevates it from a bad apple story to an organizational integrity story. For CISOs, the takeaway is about vetting your incident response partners with the same rigor you'd apply to any critical vendor. Who are the individuals who will have access to your most sensitive information during your worst day? What background checks have been done? What conflicts of interest exist?
Jordan: It also underscores a structural problem in the ransomware ecosystem. The negotiation space is largely unregulated. There's no licensing, no mandatory disclosure of conflicts. You're trusting a third party with complete visibility into your financial position, your insurance coverage, your operational pain points — and hoping they're working for you and not against you.
Alex: Exactly. And boards should be asking their CISOs: who is our retained incident response firm, how were they vetted, and do we have contractual protections in place?
Jordan: Quick hit on HIPAA modernization. The Security Rule is heading toward its first major overhaul in decades. Finalization could come as early as May 2026, though timelines are uncertain. The new requirements are expected to align with modern cybersecurity frameworks.
Alex: If you're a healthcare CISO or you manage covered entity relationships, start your gap analysis now. Don't wait for final rules. The direction is clear even if the exact requirements aren't. Asset inventories, encryption requirements, incident response procedures — all of it is getting tightened.
Jordan: And finally, CISA issued an emergency directive this week over actively exploited Cisco SD-WAN vulnerabilities. Exploitation grants attackers administrative access to enterprise networks. Federal agencies and critical infrastructure operators are required to respond immediately.
Alex: If you're running Cisco SD-WAN, this is a drop-everything priority. Administrative access means the attacker owns your network. Patch immediately. If you can't patch, implement the published mitigations and monitor aggressively. Don't wait for your normal patch cycle on this one.
Jordan: So stepping back and looking at the week as a whole, Alex, what's the thread you're pulling on?
Alex: It's the gap between the severity of what's happening and the institutional response. Stryker is getting wiped by Iranian state actors and there's no clear government protective framework for the private sector targets caught in this conflict. Salt Typhoon compromised our telecom backbone and the regulatory response is stalling out. AI is being weaponized in live ransomware operations and our detection paradigms haven't caught up. The threat environment is evolving faster than our collective ability to respond, and that gap is where the damage happens.
Jordan: I'd add that the trust infrastructure is cracking. Your telecom provider might be compromised by China. Your ransomware negotiator might be the one attacking you. Your BPO partner might be hemorrhaging a petabyte of your data without noticing. The theme isn't just speed of threat evolution — it's that the entities you're relying on for security and recovery may themselves be compromised or unreliable. CISOs need to internalize that and build accordingly.
Alex: Well said. That's the uncomfortable truth heading into the weekend.
Jordan: Patch your Cisco SD-WAN gear. Verify your IR retainer. And maybe double-check what data your BPO partners are sitting on.
Alex: That's Cleartext for Friday, March 13th, 2026. Thanks for listening. We'll see you Monday.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-13.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.