Cleartext daily briefing

Cleartext – March 18, 2026

Wednesday, March 18, 2026·8:48

show notes

Cleartext – March 18, 2026

Daily cybersecurity briefing for CISOs and security leaders.

Episode Summary

Today's episode covers 9 stories across 5 topic areas, including: CISA official says agency has not seen uptick in cyber threats amid Iran war; EU Belatedly Sanctions Chinese and Iranian Hackers; Stryker says it’s restoring systems after pro-Iran hackers wiped thousands of employee devices.

Stories Covered

🌍 Geopolitical

CISA official says agency has not seen uptick in cyber threats amid Iran war

The Record (Recorded Future) · Mar 18 · Relevance: ████████░░ 8/10

Why it matters to CISOs: CISA's statement is about broad, indiscriminate activity; the Stryker wiper attack shows that targeted, high-impact operations can proceed without one. Do not treat the assessment as an all-clear: keep heightened vigilance and engage sector-specific ISACs, which is where the Iran-related intelligence CISA shares with industry actually lands.

  • CISA Acting Director Nick Andersen says no broad uptick in Iranian cyber threats detected
  • Agency working closely with industry and sector groups on Iran-related threats
  • Statement comes as Stryker confirmed a destructive attack by pro-Iran hackers

EU Belatedly Sanctions Chinese and Iranian Hackers

BankInfoSecurity · Mar 18 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: EU sanctions against iSoon and Emennet Pasargad create new compliance obligations — enterprises must ensure no business relationships or financial flows connect to sanctioned entities, and should update threat intelligence for these groups.

  • EU sanctioned Chinese firm iSoon and Iran's Emennet Pasargad plus other entities
  • Sanctions freeze assets and prohibit EU citizens/companies from doing business with targets
  • Actions align with existing U.S. indictments and sanctions, some dating back to 2019

🔓 Data Breach

Stryker says it’s restoring systems after pro-Iran hackers wiped thousands of employee devices

TechCrunch Security · Mar 17 · Relevance: █████████░ 9/10

Why it matters to CISOs: A destructive wiper attack on a major Fortune 500 medtech company by pro-Iran actors — potentially the first retaliatory cyberattack tied to the U.S.-Iran conflict — signals escalated geopolitical cyber risk for all large enterprises, especially those in healthcare and critical infrastructure.

  • Pro-Iran hackers wiped thousands of Stryker employee devices causing widespread operational disruption
  • Considered potentially the first major U.S. cyberattack in retaliation for the Trump administration's war in Iran
  • Stryker is now restoring ordering and shipping systems after containing the attack

GlassWorm malware hits 400+ code repos on GitHub, npm, VSCode, OpenVSX

BleepingComputer · Mar 17 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A coordinated supply-chain campaign across GitHub, npm, VSCode and OpenVSX puts every organisation whose developers pull from those ecosystems at direct code-integrity risk. Software composition analysis of manifests and lockfiles is the immediate step, with one caveat: SCA does not see IDE extensions, so inventory installed VSCode and OpenVSX extensions separately, and review anything added or updated recently across all four ecosystems.

  • GlassWorm campaign targeted 400+ packages/repos/extensions across GitHub, npm, VSCode, and OpenVSX
  • Coordinated supply-chain attack represents a return of a known campaign with new techniques
  • Impacts developer toolchain integrity across multiple major platforms simultaneously

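Reviewing recently added dependencies is, in practice, a diff between the lockfile before and after a change, plus a separate inventory of IDE extensions that SCA tooling does not cover. The following is an added example written for this briefing, not code from the GlassWorm reporting or from any affected project. It assumes an npm package-lock.json of lockfileVersion 2 or 3 (a "packages" map keyed by node_modules path, with optional "resolved" and "hasInstallScript" fields) and the one-id-per-line output of `code --list-extensions --show-versions`; every package and extension name in it is a constructed placeholder, not an indicator from the campaign.

```python
"""Dependency-drift review: npm lockfile diff plus VS Code extension check.

Added example for this briefing; not code from the GlassWorm reporting and not
any project's own tooling. Assumptions, all constructed for the demo:
  - package-lock.json is lockfileVersion 2 or 3 ("packages" keyed by
    "node_modules/<name>", entries may carry "resolved"/"hasInstallScript");
  - the extension listing is `code --list-extensions --show-versions` output
    (publisher.name@version per line);
  - WATCHLIST / EXTENSION_WATCHLIST hold placeholder names, not real IOCs.
"""
from urllib.parse import urlparse

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}
WATCHLIST = {"placeholder-util"}                            # placeholder, not an IOC
EXTENSION_WATCHLIST = {"placeholder-pub.placeholder-ext"}   # placeholder, not an IOC

# Constructed lockfile snapshots: before and after a feature branch landed.
OLD_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/demo-lib": {"version": "1.3.0",
            "resolved": "https://registry.npmjs.org/demo-lib/-/demo-lib-1.3.0.tgz"},
    },
}
NEW_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/demo-lib": {"version": "1.3.1",
            "resolved": "https://registry.npmjs.org/demo-lib/-/demo-lib-1.3.1.tgz"},
        "node_modules/placeholder-helper": {"version": "0.0.2",
            "resolved": "https://registry.npmjs.org/placeholder-helper/-/placeholder-helper-0.0.2.tgz",
            "hasInstallScript": True},
        "node_modules/placeholder-util": {"version": "2.1.0",
            "resolved": "https://example.invalid/placeholder-util-2.1.0.tgz"},
    },
}
# Constructed `code --list-extensions --show-versions` output.
EXTENSION_LISTING = "publisher-a.ext-a@1.0.0\nplaceholder-pub.placeholder-ext@0.4.1\n"


def _deps(lock: dict) -> dict:
    """Flatten the lockfile's packages map to {package name: metadata}."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project, not a dependency
            continue
        # Nested paths look like node_modules/a/node_modules/b; keep the leaf name.
        out[meta.get("name") or path.rsplit("node_modules/", 1)[-1]] = meta
    return out


def review_entry(name: str, meta: dict, change: str) -> dict:
    """Attach the reasons a reviewer should look at this package before merging."""
    reasons = []
    host = urlparse(meta.get("resolved", "")).hostname
    if host not in TRUSTED_REGISTRY_HOSTS:
        reasons.append(f"resolved from non-registry host {host!r}")
    if meta.get("hasInstallScript"):
        reasons.append("has install script (runs code at npm install)")
    if name in WATCHLIST:
        reasons.append("on watchlist")
    return {"name": name, "version": meta.get("version"), "change": change, "reasons": reasons}


def diff_lockfiles(old: dict, new: dict) -> list:
    """Review entries for packages that are new or whose version/source changed."""
    before, after = _deps(old), _deps(new)
    findings = []
    for name, meta in sorted(after.items()):
        prev = before.get(name)
        if prev is None:
            change = "added"
        elif (prev.get("version"), prev.get("resolved")) != (meta.get("version"), meta.get("resolved")):
            change = "changed"
        else:
            continue
        findings.append(review_entry(name, meta, change))
    return findings


def parse_extensions(listing: str) -> list:
    """Parse 'publisher.name@version' lines into (lowercased id, version) tuples."""
    parsed = []
    for line in listing.splitlines():
        line = line.strip()
        if line:
            ext_id, _, version = line.rpartition("@")
            parsed.append((ext_id.lower(), version))
    return parsed


def flag_extensions(listing: str, watchlist: set) -> list:
    """Extension ids from the listing that appear on the watchlist (case-insensitive)."""
    wanted = {w.lower() for w in watchlist}
    return [ext_id for ext_id, _ in parse_extensions(listing) if ext_id in wanted]


if __name__ == "__main__":
    for f in diff_lockfiles(OLD_LOCK, NEW_LOCK):
        flag = " <- review" if f["reasons"] else ""
        print(f"{f['change']:8} {f['name']}@{f['version']}{flag}", *f["reasons"], sep="\n    ")
    print("watchlisted extensions:", flag_extensions(EXTENSION_LISTING, EXTENSION_WATCHLIST))
```

Run against the constructed snapshots, the routine reports the demo-lib bump as a plain version change with nothing to flag, and singles out the two new packages: one because it runs an install script, the other because it resolves from a host that is not the registry and sits on the watchlist. Swapping the constructed dicts for `json.load` of two real lockfiles and the listing for the real CLI output is the only change needed to use it on a repository.
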
Medusa ransomware gang claims attacks on prominent Mississippi hospital, New Jersey county

The Record (Recorded Future) · Mar 17 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A nine-day hospital system outage from Medusa ransomware underscores the operational resilience imperative for healthcare and public sector CISOs, and the continued severity of ransomware despite declining payment rates.

  • Medusa ransomware knocked out systems at Mississippi's largest hospital for nine days
  • Attack also targeted a New Jersey county government
  • Comes amid reports of declining ransomware payment rates but unchanged operational impact

⚖️ Governance & Policy

When Liability Turns the CISO Into the Fall Guy

BankInfoSecurity · Mar 18 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Directly addresses the personal liability trend reshaping the CISO role — essential reading for security leaders negotiating D&O coverage, reporting structures, and board-level risk communication frameworks.

  • Regulators increasingly pursuing personal accountability for CISOs after major breaches
  • Growing liability risk is weakening security culture and making the role less attractive
  • Changing how security leaders report risk and structure organizational relationships

Modernizing HIPAA: Are You Ready?

BankInfoSecurity · Mar 18 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Healthcare CISOs and those in covered entities face the first major HIPAA Security Rule overhaul in decades, potentially finalized by May 2026 — early gap assessments and budget planning are critical now.

  • First major HIPAA Security Rule update in decades could be finalized as early as May 2026
  • New requirements grounded in modern cybersecurity practices and frameworks
  • Timeline remains uncertain but organizations should begin readiness assessments

🚀 Startup Ecosystem

Native Launches With $42M for Multi-Cloud Security Push

BankInfoSecurity · Mar 18 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A $42M stealth-mode launch targeting the policy-to-architecture gap in multi-cloud environments signals investor confidence in a real enterprise pain point — worth evaluating for organizations struggling with consistent cross-cloud security enforcement.

  • Native emerged from stealth with $42M in funding
  • Focuses on policy-driven controls across multi-cloud environments
  • Addresses AI-driven threats and enterprise cloud security consistency gaps

🚨 Critical Vulnerability

Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild

Wired Security · Mar 18 · Relevance: █████████░ 9/10

Why it matters to CISOs: A drive-by iOS exploit kit ('DarkSword'), actively used by Russian state-linked hackers, compromises iOS 18 devices that do nothing more than visit an infected website. Treat it as a fleet-wide mobile emergency: confirm which iOS builds your managed iPhones are running, prioritise executives and other high-value users for assessment, and consider enabling Lockdown Mode for the most exposed people until patch status is clear.

  • DarkSword exploit kit enables full device takeover on iOS 18 via infected websites (drive-by)
  • Attributed to Russian state-linked hackers, initially targeting Ukrainians but tools may proliferate
  • Research jointly published by iVerify, Lookout, and Google; possible origin as U.S. government-developed tools

Full Transcript

Jordan: Pro-Iran hackers just wiped thousands of devices at one of the largest medical device companies in the world. Not encrypted them. Wiped them. If you thought the U.S.-Iran conflict was someone else's problem, today's episode is going to change that.

Alex: Welcome to Cleartext. It's Wednesday, March 18th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we're covering a lot of ground. A destructive wiper attack on Stryker that may be the opening shot of Iranian cyber retaliation. CISA's assessment that there's no broad uptick — which we'll push back on. A drive-by iPhone exploit kit tied to Russian state actors. A supply-chain campaign hitting hundreds of developer repos simultaneously. The EU finally sanctioning Chinese and Iranian hacking operations. And the CISO liability conversation that isn't going away. Let's get into it.

Jordan: Let's start with Stryker. Fortune 500 medtech company, major supplier to hospitals globally. Pro-Iran hackers got in, and instead of deploying ransomware, they wiped thousands of employee devices. Ordering systems down. Shipping systems down. This is a destructive attack, not a financial one. That distinction matters enormously.

Alex: It does. Ransomware is bad, but it usually comes with a negotiating table. A wiper attack tells you the adversary's goal is damage, not payment. The intent here is to hurt operations, create disruption, send a message. And the message is: the U.S. is at war with Iran, and American companies are part of the target set.

Jordan: Which brings us to CISA. Acting Director Nick Andersen said Tuesday that the agency has not seen a broad uptick in Iranian cyber threats. And I want to be fair — that's a carefully worded statement. "Broad uptick" is doing a lot of work in that sentence.

Alex: Right. Stryker just had thousands of devices wiped. That's not a broad uptick, that's a precision strike on a high-value target. CISOs should not hear "no broad uptick" and exhale. What CISA is saying is that they haven't seen indiscriminate, widespread campaign activity. That does not mean your organization is safe.

Jordan: Iran's cyber doctrine has always favored targeted, high-impact operations over spray-and-pray. Shamoon against Saudi Aramco. Triton against industrial control systems in the Gulf. This is consistent with their tradecraft. They pick targets that either have symbolic value or create visible operational disruption.

Alex: And from a board conversation standpoint, here's what you need to communicate: this isn't theoretical anymore. A Fortune 500 company just had thousands of endpoints wiped by a geopolitically motivated adversary. The risk that was in your threat model is now in the news cycle. Your board is going to ask. Have the answer ready.

Jordan: Practical guidance: engage your sector ISAC immediately if you haven't. H-ISAC for healthcare, FS-ISAC for financial services, E-ISAC for energy. These sector groups are getting the intelligence CISA is sharing with industry. That's where the actionable detail lives. And review your destructive attack playbooks. Not ransomware playbooks — wiper playbooks. They're different.

Alex: Now, on the EU sanctions front. The European Union sanctioned Chinese firm iSoon — the contractor-for-hire operation whose internal documents leaked publicly last year — along with Iran's Emennet Pasargad, a group that's run influence operations and cyber campaigns against U.S. targets. The EU is characterizing this as aligning with existing U.S. indictments, some of which date back to 2019.

Jordan: Better late than never, but the word "belatedly" in the headline is earned. The operational significance here for CISOs is compliance, not deterrence. If you have any EU operations, any EU-based subsidiaries, any business flowing through EU jurisdictions, you now have a legal obligation to ensure nothing connects to these sanctioned entities. That means vendor reviews, third-party relationships, and updating your threat intelligence tagging for both groups.

Alex: Moving to the DarkSword exploit kit. This is significant. Researchers from iVerify, Lookout, and Google jointly published findings on a drive-by exploit kit targeting iOS 18 devices. Full device takeover. No click required — a user visits an infected website and the device is compromised. Attributed to Russian state-linked actors, initially deployed against Ukrainian targets.

Jordan: The attribution involves a wrinkle worth noting. There's reporting suggesting these tools may have originated as U.S. government-developed capabilities that proliferated. That's a familiar and uncomfortable pattern. Regardless of origin, the operational reality is this: Russian state actors have a working zero-click exploit chain for current iOS in the wild.

Alex: Fleet-wide assessment is the immediate action item. Your executives, your board members, your highest-risk employees — anyone who could be targeted for intelligence value — those devices need priority attention. iVerify's mobile threat detection can identify indicators of compromise. If you're not already doing mobile endpoint monitoring with something more capable than MDM, this is the moment to change that.

Jordan: And "initially targeting Ukrainians" doesn't mean it stays that way. Once a capability is in the wild, proliferation is a question of when, not if. Treat this as an active enterprise risk now.

Alex: GlassWorm. Four hundred-plus packages, repos, and extensions across GitHub, npm, VSCode, and OpenVSX in a coordinated supply-chain campaign. This is a known campaign that's returned with new techniques.

Jordan: The developer toolchain is the soft underbelly of enterprise security. You can have fortress-level perimeter controls and get completely owned because a developer pulled a compromised npm package while building a feature last Tuesday. The attack surface here is your engineering organization.

Alex: Immediate actions: run software composition analysis across your codebases if you're not already doing it continuously. Review recently added dependencies in the affected ecosystems. And have a conversation with your engineering leadership about package provenance standards. This isn't an IT problem, it's a developer culture and tooling problem.

Jordan: Medusa ransomware. Mississippi's largest hospital down for nine days. A New Jersey county government also hit. The nine-day number is what I want people to sit with. Nine days of degraded or no system access at a major hospital. That's patient safety risk, not just operational inconvenience.

Alex: And this comes as we're seeing data suggesting ransomware payment rates are declining. Gangs are responding by maximizing operational disruption to pressure victims. Lower payments mean more pain per attack. The leverage has shifted to impact, not just encryption. Healthcare and public sector CISOs need to be pressure-testing recovery time objectives right now. Not your documented RTOs — your actual RTOs.

Jordan: Quick note on Native, the cloud security startup that came out of stealth today with 42 million dollars. They're targeting the policy-to-architecture gap in multi-cloud environments — the problem where your security policy says one thing and your actual cloud configuration does something else entirely across AWS, Azure, and GCP simultaneously.

Alex: Real pain point, real money behind it. Worth a conversation if you're struggling with consistent cross-cloud security enforcement. We'll see if the product matches the pitch.

Alex: On the governance side, the CISO liability conversation is intensifying. The BankInfoSecurity piece today is direct about something the industry has been dancing around: regulators are pursuing personal accountability after major breaches, and it's reshaping who wants the job and how they do it.

Jordan: The SolarWinds CISO situation set a precedent that hasn't fully worked its way through the profession yet. People are still processing the implications.

Alex: If you are a CISO and you don't have explicit D&O coverage that covers your role specifically, that conversation needs to happen with your general counsel and your board this quarter. Not next quarter. This quarter. Also worth reviewing: your reporting structure, your documented risk escalations, and whether your board-level risk communication creates a clear paper trail of informed decisions made above your level.

Jordan: Because the alternative is that you become the fall guy. And the piece today is right — that dynamic is making the role less attractive to experienced practitioners, which is bad for every organization trying to recruit senior security talent.

Alex: For healthcare CISOs, one more: the HIPAA Security Rule overhaul could be finalized as early as May 2026. First major update in decades. If you're in a covered entity and you haven't started a gap assessment against the proposed requirements, you're already behind. Budget cycles move slower than regulatory timelines.

Jordan: The week's theme is acceleration. Geopolitical cyber conflict accelerating into real destructive attacks on U.S. enterprises. Supply-chain attack surfaces accelerating in scope and coordination. Personal liability for security leaders accelerating in regulatory priority. None of these trends are new — they're all arriving faster than most organizations planned for.

Alex: What to watch: whether Stryker is a one-off or the first of several Iranian retaliatory attacks. If we see a second or third wiper attack on a major U.S. company in the next two weeks, the threat picture changes significantly. Also watch the DarkSword story for Apple's patch response and any expansion of targeting beyond Ukrainian victims.

Jordan: And watch the CISO liability story. There are legislative conversations happening about safe harbor protections for security leaders who follow prescribed frameworks. If that gains traction, it reshapes incentives across the entire profession.

Alex: That's Cleartext for Wednesday, March 18th. If this episode was useful, share it with your team and your peers. We'll be back tomorrow.

Jordan: Stay sharp.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-18.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.