
Iran-Linked Hackers Cripple MedTech Giant Stryker with Wiper Attack; CISA Warns of Active Exploitation of Ivanti, Cisco Flaws

Critical Infrastructure Intelligence Briefing

Report Date: Thursday, March 12, 2026

Reporting Period: March 5–12, 2026


1. Executive Summary

This week's intelligence highlights significant escalation in nation-state cyber operations targeting U.S. critical infrastructure, particularly the healthcare sector. Key developments include:

  • Iran-Linked Wiper Attack on Healthcare: The Handala hacktivist group, which has documented ties to Iranian intelligence, has claimed responsibility for a wiper malware attack against Stryker Corporation, a major U.S. medical technology company. The group claims to have wiped more than 200,000 devices; the figure remains the group's own claim, but if accurate it would rank among the largest destructive attacks on the healthcare sector in recent memory.
  • Active Exploitation of Enterprise Infrastructure: CISA has issued urgent warnings regarding active exploitation of vulnerabilities in Ivanti Endpoint Manager (EPM) and Cisco SD-WAN products, adding these to the Known Exploited Vulnerabilities (KEV) catalog with mandatory federal patching deadlines.
  • Cross-Sector ISAC Joint Advisory: Multiple Information Sharing and Analysis Centers have issued a joint advisory regarding Middle East conflict-related cyber threats to critical infrastructure, signaling elevated concern across sectors.
  • Supply Chain Attacks Intensify: Multiple supply chain compromises affecting the npm and Rust crate ecosystems have been identified. In one case a threat actor turned credentials stolen through a compromised npm package into administrative access to a victim's cloud environment within 72 hours.
  • Leadership Transitions: The Senate has confirmed Joshua Rudd to lead both NSA and U.S. Cyber Command under the dual-hat arrangement, while Senator Markwayne Mullin has been nominated to lead DHS.
  • Microsoft Patch Tuesday: Microsoft released patches for 84 vulnerabilities, including two that were publicly disclosed before a fix was available, requiring prompt attention from infrastructure operators.

2. Threat Landscape

Nation-State Threat Actor Activities

Iran-Linked Operations (HIGH PRIORITY)

  • The Handala hacktivist group, assessed to have links to Iranian intelligence services, has claimed a significant wiper malware attack against Stryker Corporation, a Michigan-based medical technology company with global operations.
  • The group claims to have wiped more than 200,000 devices, causing substantial operational disruption. Stryker has confirmed the attack, and reporting indicates its systems remain offline while recovery continues; the device count is the group's claim and has not been independently confirmed.
  • This attack follows escalating tensions in the Middle East and represents a concerning expansion of Iranian cyber operations targeting U.S. healthcare infrastructure.
  • WaterISAC has issued a TLP:GREEN notification regarding CISA's Iran Conflict Cyber Alert, indicating elevated threat levels across water and wastewater systems.
  • A Cross-Sector ISAC Joint Advisory (TLP:CLEAR) has been released addressing Middle East conflict implications for critical infrastructure.

Sources: SecurityWeek, Bleeping Computer, KrebsOnSecurity, WaterISAC

Ransomware and Cybercriminal Developments

  • France's ANSSI Reports Ransomware Decline: The French national cybersecurity agency reports a decrease in ransomware attacks in 2025, though small and medium businesses remain the primary targets. This trend has not been observed in U.S. reporting.
  • Salesforce Customer Attacks: Researchers have identified a threat group associated with ShinyHunters conducting a third customer attack campaign against Salesforce instances in six months. The group has previously stolen data for extortion purposes.
  • Bell Ambulance Data Breach: A breach affecting 238,000 individuals at Bell Ambulance has been disclosed, with stolen data including names, Social Security numbers, and driver's license numbers—highlighting continued targeting of healthcare-adjacent services.
  • Michelin Data Breach: The tire manufacturer has confirmed a data breach linked to an Oracle EBS attack, with cybercriminals leaking more than 300GB of allegedly stolen files.

Sources: Infosecurity Magazine, CyberScoop, SecurityWeek

Supply Chain Threats

  • UNC6426 npm Supply Chain Attack: Threat actor UNC6426 used credentials stolen in the nx npm package supply chain compromise to move into a victim's AWS environment, reaching administrative access and full control of the environment within 72 hours.
  • PhantomRaven npm Campaign: New attack waves have been detected with 88 malicious packages exfiltrating sensitive data from JavaScript developers.
  • Malicious Rust Crates: Five malicious Rust packages masquerading as time-related utilities have been discovered transmitting .env file data to threat actors.
  • AI Bot CI/CD Exploitation: Researchers have identified AI bots being used to exploit CI/CD pipelines to steal developer secrets.

Sources: The Hacker News, Bleeping Computer

Emerging Attack Vectors

  • Agentic AI Browser Exploitation: Researchers demonstrated that Perplexity's Comet AI browser could be manipulated into carrying out a phishing scam on the user's behalf in under four minutes, highlighting the risk of letting an autonomous agent act on untrusted web content.
  • LLM Guardrail Bypasses: Palo Alto Networks' Unit 42 has developed successful attacks to bypass safety guardrails in popular generative AI tools, raising concerns about AI security in enterprise environments.
  • ClickFix Attacks via Compromised WordPress: Over 250 legitimate websites, including news outlets and a U.S. Senate candidate's official webpage, have been compromised to deliver infostealer malware.
  • BlackSanta EDR-Killer: A new malware campaign targets HR teams with fake resumes; the payload disables endpoint detection and response (EDR) agents before stealing system data.
  • Malicious ISO Resume Attachments: Aryaka has warned of circulating resumes with malicious ISO attachments targeting organizations.

Sources: The Hacker News, Infosecurity Magazine, CSO Online


3. Sector-Specific Analysis

Healthcare & Public Health (ELEVATED THREAT)

Critical Development: The Iran-linked Handala group's wiper attack on Stryker Corporation represents a significant escalation in threats to the healthcare sector. Stryker manufactures surgical equipment, medical devices, and neurotechnology products used in hospitals worldwide.

  • Impact Assessment: With claims of 200,000+ devices wiped, this attack could affect medical device availability, surgical scheduling, and patient care across Stryker's global customer base.
  • Bell Ambulance Breach: The separate breach affecting 238,000 individuals demonstrates continued targeting of healthcare-adjacent emergency services.
  • Recommended Actions:
    • Healthcare organizations using Stryker equipment should contact the company for impact assessment
    • Review and test backup and recovery procedures for medical devices
    • Implement network segmentation between medical devices and enterprise IT
    • Monitor for indicators of compromise associated with Iranian threat actors

Sources: SecurityWeek, Security Magazine, KrebsOnSecurity

Water & Wastewater Systems

  • WaterISAC Alert: A TLP:GREEN notification has been issued regarding CISA's Iran Conflict Cyber Alert, specifically addressing cyber vulnerability insights for the water sector.
  • Cross-Sector Advisory: Water utilities are included in the joint ISAC advisory on Middle East conflict-related threats.
  • Recommended Actions:
    • Review WaterISAC member portal for detailed threat indicators
    • Ensure remote access systems are patched and monitored
    • Verify OT network segmentation and monitoring capabilities

Source: WaterISAC

Communications & Information Technology

  • Google-Wiz Acquisition Complete: Google has completed its $32 billion acquisition of cloud security company Wiz, which will maintain its brand. This consolidation may affect cloud security tool availability and pricing.
  • OpenAI Acquiring Promptfoo: OpenAI is acquiring AI security startup Promptfoo, which helps developers secure LLMs and AI agents.
  • AWS Security Hub Expansion: AWS has expanded Security Hub capabilities for multicloud security operations.
  • LeakyLooker Vulnerabilities: Researchers have uncovered cross-tenant SQL attack vulnerabilities in Google Looker Studio affecting cloud data security.
  • Salesforce Security Issues: Overly permissive "guest" settings continue to put Salesforce customers at risk, contributing to ongoing attack campaigns.

Sources: SecurityWeek, CSO Online, Infosecurity Magazine

Transportation Systems

  • Automated Vehicle Safety: NHTSA is seeking public comment on robotaxi deployment as USDOT hosts an Automated Vehicle Safety Forum, with implications for transportation infrastructure cybersecurity.
  • Global Entry Restoration: The Trump Administration is working to restore the Global Entry program following DHS operational impacts, affecting travel infrastructure.

Source: Homeland Security Today

Financial Services

  • Meta Anti-Scam Measures: Meta has disabled over 150,000 accounts linked to Southeast Asian scam centers and is deploying new anti-scam protections across WhatsApp, Facebook, and Messenger platforms.
  • Wireless Vulnerabilities: A Bastille report finds surging wireless vulnerabilities putting corporate trade secrets and national security at risk, with implications for financial sector data protection.

Sources: The Hacker News, Homeland Security Today

Manufacturing & Industrial

  • Michelin Breach: The Oracle EBS-linked breach at Michelin demonstrates continued targeting of manufacturing sector enterprise systems.
  • Zero Trust Challenges: Analysis indicates zero trust architectures continue to face implementation challenges in IoT and OT environments common in manufacturing.

Sources: SecurityWeek, CSO Online


4. Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CISA Known Exploited Vulnerabilities (KEV) Additions:

  • Ivanti Endpoint Manager (EPM): An actively exploited vulnerability has been added to the KEV catalog; federal agencies face a mandatory remediation deadline under BOD 22-01.
  • Cisco SD-WAN: An actively exploited flaw requiring immediate remediation; SD-WAN controllers and edge devices are frequently internet-reachable and should be treated as priority assets.
  • n8n Workflow Automation: CISA has ordered federal agencies to patch an actively exploited n8n vulnerability. The critical flaws allow remote code execution and exposure of credentials stored in the platform, so any exposed instance should also have its stored integration credentials rotated.

Sources: CSO Online, Bleeping Computer

Microsoft March 2026 Patch Tuesday:

  • 84 vulnerabilities patched across Windows and other Microsoft products
  • Two publicly disclosed zero-days (details were public before the fix shipped; Microsoft reported no in-the-wild exploitation at release)
  • Eight vulnerabilities rated as high severity
  • Three high-severity flaws specifically affect Microsoft Office
  • Recommended Action: Prioritize patching for internet-facing systems and Office deployments

Sources: The Hacker News, KrebsOnSecurity, CSO Online

Additional Critical Patches:

  • HPE Aruba CX Switches: A critical flaw allows an unauthenticated attacker to take administrative control of the switch. Immediate patching is required for network infrastructure, and management interfaces should not be reachable from untrusted networks.
  • Fortinet, Ivanti, Intel: High-severity vulnerabilities patched that could lead to arbitrary code execution, privilege escalation, or authentication bypass.
  • SAP: Two critical security flaws patched that could be exploited for arbitrary code execution.
  • Elementor Ally WordPress Plugin: SQL injection vulnerability affects 250,000+ WordPress sites, enabling sensitive data theft without authentication.

Sources: CSO Online, SecurityWeek, The Hacker News, Bleeping Computer

Recommended Defensive Measures

  • Supply Chain Security:
    • Audit npm and Rust package dependencies against current advisories, comparing lockfiles rather than manifests so that transitive packages are covered
    • Implement software composition analysis (SCA) tools and pin dependencies to exact versions
    • Review CI/CD pipeline security and secrets management; treat any secret readable by a compromised build job as exposed
  • Cloud Security:
    • Review Salesforce guest user settings immediately and restrict the guest profile's object and field access to what the public site actually needs
    • Audit Google Looker Studio data source configurations for cross-tenant exposure
    • Implement least-privilege access for cloud service accounts and prefer short-lived credentials over long-lived access keys
  • Endpoint Protection:
    • Monitor for EDR-tampering techniques associated with BlackSanta malware, such as unexpected stops of EDR services or agent processes
    • Block or quarantine ISO and IMG attachments at the mail gateway, and enforce application control so that executables launched from a mounted disk image are not allowed to run (an ISO is mounted rather than executed, so allowlisting must apply to its contents)
    • Train HR teams on resume-based social engineering attacks
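The first supply chain measure above (audit lockfiles, not manifests, against current advisories) is concrete enough to script. The following is an added example, not code from the briefing or from any vendor: it parses an npm package-lock.json and a Cargo.lock, checks every resolved package against a denylist, and applies a simple typosquat heuristic. The two lockfiles, the denylist and the list of popular names are constructed inline so the script runs offline; none of the names are the actual malicious packages from the campaigns cited in the text, and in practice the denylist would be fed from the advisories themselves.

```python
"""Audit npm and Cargo lockfiles against a denylist plus a typosquat heuristic.

Added example, not from the briefing or any vendor. All inputs below are
constructed placeholders.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed denylist: (ecosystem, name, version); "*" means every version.
DENYLIST = {
    ("npm", "example-colorizer", "*"),
    ("npm", "example-utils", "2.3.1"),
    ("cargo", "chrono-helper-placeholder", "*"),
}

# Constructed list of widely used names that a typosquat would imitate.
POPULAR = {"npm": {"lodash", "express", "left-pad"},
           "cargo": {"serde", "chrono", "tokio"}}

# Constructed package-lock.json (lockfileVersion 3 layout).
PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/example-utils": {"version": "2.3.1"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/example-colorizer": {"version": "0.0.2"},
        "node_modules/lodas": {"version": "4.17.21"},
        "node_modules/@types/node": {"version": "20.11.0"},
    },
})

# Constructed Cargo.lock.
CARGO_LOCK = """\
[[package]]
name = "serde"
version = "1.0.200"

[[package]]
name = "chrono-helper-placeholder"
version = "0.1.4"

[[package]]
name = "chrono"
version = "0.4.38"
"""


def parse_package_lock(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every installed npm package.

    The name is the path segment after the last 'node_modules/', which keeps
    scopes (@types/node) and covers nested installs of transitive packages.
    """
    data = json.loads(text)
    deps = []
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself
        deps.append((path.rsplit("node_modules/", 1)[-1], meta.get("version", "")))
    return deps


CARGO_PKG = re.compile(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"')


def parse_cargo_lock(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every [[package]] block in a Cargo.lock."""
    return [(m.group(1), m.group(2)) for m in CARGO_PKG.finditer(text)]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; distance 1 to a popular name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(ecosystem: str, deps: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Flag denylisted packages and names one edit away from a popular name."""
    findings = []
    for name, version in deps:
        if (ecosystem, name, "*") in DENYLIST or (ecosystem, name, version) in DENYLIST:
            findings.append({"package": name, "version": version, "reason": "denylisted"})
            continue
        for popular in POPULAR[ecosystem]:
            if name != popular and edit_distance(name, popular) == 1:
                findings.append({"package": name, "version": version,
                                 "reason": f"possible typosquat of {popular}"})
                break
    return findings


def run() -> Dict[str, List[Dict[str, str]]]:
    """Audit both constructed lockfiles and return findings per ecosystem."""
    return {"npm": audit("npm", parse_package_lock(PACKAGE_LOCK)),
            "cargo": audit("cargo", parse_cargo_lock(CARGO_LOCK))}


if __name__ == "__main__":
    for eco, items in run().items():
        for f in items:
            print(f"[{eco}] {f['package']}@{f['version']}: {f['reason']}")
```

Reading the lockfile rather than package.json or Cargo.toml is the point: the malicious package in a real campaign is usually pulled in transitively, and the nested `node_modules/left-pad/node_modules/...` entry above is only visible at that level. The typosquat check is deliberately crude (exact edit distance 1) and will need tuning against a real dependency tree; its job is to surface candidates for a human, not to block builds on its own.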

5. Resilience & Continuity Planning

Lessons from the Stryker Incident

The Stryker wiper attack provides critical lessons for healthcare and manufacturing sectors:

  • Wiper Malware Preparedness: Unlike ransomware, a wiper offers no recovery path through payment, and it destroys any backup it can reach, including online replicas joined to the same domain. Organizations must maintain backups that are isolated (offline or immutable), tested through full restores rather than spot checks, and sufficient to rebuild systems, not just data.
  • Medical Device Dependencies: Healthcare organizations should inventory dependencies on third-party medical technology vendors and develop contingency plans for extended outages.
  • Geopolitical Threat Awareness: Organizations should monitor geopolitical developments and adjust security postures accordingly, particularly during periods of elevated nation-state tensions.

Supply Chain Security Developments

  • The UNC6426 intrusion, in which credentials stolen through an npm package compromise became AWS administrative access within 72 hours, underscores the need for:
    • Continuous monitoring of package dependencies, including the transitive packages resolved in lockfiles
    • Rotation of every secret that was reachable from the compromised build or developer environment after any suspected supply chain compromise, not only the secrets known to have been taken
    • Cloud access logging (CloudTrail or equivalent) with anomaly detection on long-lived keys: new source IPs, new regions, and identity-changing API calls
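The third point above, anomaly detection on a long-lived key, is what would have caught the pattern in the cited intrusion early: a CI key that normally appears from one address in one region suddenly performs reconnaissance and then creates new access keys and attaches policies from somewhere else. The following is an added example and not code from the briefing, from Mandiant or from any incident report: it runs that detection over a handful of CloudTrail-shaped records and then summarizes, per key, what a responder needs for rotation. The records and the baseline are constructed inline; the key ID is the AWS documentation example key and the IP addresses are RFC 5737 documentation addresses.

```python
"""Flag a long-lived IAM access key used outside its baseline, then making
identity-changing calls. Added example; all records and the baseline are
constructed placeholders, not data from any real intrusion.
"""
from typing import Dict, List, Set, Tuple

# IAM calls that create or broaden standing access. Seen from a source the key
# has never used before, they mark the point where a stolen key becomes a foothold.
PERSISTENCE_CALLS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
    "PutUserPolicy", "AttachRolePolicy", "UpdateAssumeRolePolicy",
}

# Constructed baseline; in practice built from the trail's preceding weeks.
BASELINE: Dict[str, Dict[str, Set[str]]] = {
    "AKIAIOSFODNN7EXAMPLE": {"ips": {"203.0.113.10"}, "regions": {"us-east-1"}},
}


def ev(eid: str, time: str, name: str, region: str, ip: str,
       key: str = "AKIAIOSFODNN7EXAMPLE", **params) -> dict:
    """Build a CloudTrail-shaped record containing only the fields the detector reads."""
    return {"eventID": eid, "eventTime": time, "eventName": name, "awsRegion": region,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": "ci-deploy", "accessKeyId": key},
            "requestParameters": params or None}


# Constructed records: one normal CI call, then recon and persistence from a new IP.
EVENTS: List[dict] = [
    ev("e1", "2026-03-06T09:00:00Z", "GetObject", "us-east-1", "203.0.113.10"),
    ev("e2", "2026-03-07T02:15:00Z", "GetCallerIdentity", "us-east-1", "198.51.100.77"),
    ev("e3", "2026-03-07T02:16:30Z", "ListUsers", "eu-west-1", "198.51.100.77"),
    ev("e4", "2026-03-07T02:20:00Z", "CreateAccessKey", "us-east-1", "198.51.100.77",
       userName="ci-deploy"),
    ev("e5", "2026-03-07T02:21:10Z", "AttachUserPolicy", "us-east-1", "198.51.100.77",
       userName="ci-deploy", policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
]


def detect(events: List[dict], baseline: Dict[str, Dict[str, Set[str]]]) -> List[dict]:
    """Return one alert per record that deviates from its key's baseline.

    Each alert carries (kind, value) reasons so the summary step does not have
    to parse prose. Roles and keys without a baseline are skipped here; they need
    their own baseline built the same way.
    """
    alerts = []
    for e in events:
        ident = e.get("userIdentity", {})
        key = ident.get("accessKeyId")
        if ident.get("type") != "IAMUser" or key not in baseline:
            continue
        reasons: List[Tuple[str, str]] = []
        if e["sourceIPAddress"] not in baseline[key]["ips"]:
            reasons.append(("new_ip", e["sourceIPAddress"]))
        if e["awsRegion"] not in baseline[key]["regions"]:
            reasons.append(("new_region", e["awsRegion"]))
        if e["eventName"] in PERSISTENCE_CALLS:
            reasons.append(("persistence", e["eventName"]))
        if reasons:
            alerts.append({"eventID": e["eventID"], "time": e["eventTime"], "key": key,
                           "user": ident.get("userName"), "reasons": reasons})
    return alerts


def keys_to_rotate(alerts: List[dict]) -> Dict[str, dict]:
    """Collapse alerts per key into what rotation needs: the earliest anomalous
    timestamp (everything the key did after it is suspect), the rogue source IPs,
    and the persistence calls whose products (new keys, policies) must be removed."""
    summary: Dict[str, dict] = {}
    for a in alerts:
        s = summary.setdefault(a["key"], {"user": a["user"], "first_seen": a["time"],
                                          "ips": set(), "persistence": []})
        s["first_seen"] = min(s["first_seen"], a["time"])
        for kind, value in a["reasons"]:
            if kind == "new_ip":
                s["ips"].add(value)
            elif kind == "persistence":
                s["persistence"].append(value)
    return summary


if __name__ == "__main__":
    found = detect(EVENTS, BASELINE)
    for a in found:
        print(a["eventID"], a["time"], a["reasons"])
    for key, s in keys_to_rotate(found).items():
        print(f"rotate {key} ({s['user']}): anomalous since {s['first_seen']}, "
              f"rogue IPs {sorted(s['ips'])}, persistence {s['persistence']}")
```

`GetCallerIdentity` from an unfamiliar address (e2) is the usual first sign: an attacker checking what a stolen key is worth. On its own it is low severity, which is why the summary matters: the same key then creates a second access key and attaches `AdministratorAccess`, and every credential and policy created after `first_seen` has to be found and removed, not just the original key rotated. A baseline keyed only on IP will be noisy for keys used from autoscaled CI runners; in that case baseline on the runner's NAT range or VPC endpoint instead.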

Cross-Sector Dependencies

  • The Cross-Sector ISAC Joint Advisory on Middle East conflict highlights the interconnected nature of critical infrastructure threats.
  • Organizations should review mutual aid agreements and cross-sector communication channels.
  • Consider participating in upcoming cross-sector exercises to test coordination capabilities.

6. Regulatory & Policy Developments

Leadership Changes

  • NSA/Cyber Command: The Senate has confirmed Joshua Rudd to lead both NSA and U.S. Cyber Command under the dual-hat arrangement. This confirmation ensures continuity of cyber operations leadership.
  • DHS Nomination: President Trump has nominated Senator Markwayne Mullin to lead the Department of Homeland Security. Senate confirmation proceedings are expected to follow.

Sources: SecurityWeek, Homeland Security Today

Policy Analysis

  • Vendor Accountability Debate: Analysis from CyberScoop highlights inconsistencies in the administration's approach to cybersecurity accountability—pushing consequences for cyber fraud while easing software security accountability requirements. This creates an uncertain compliance environment for critical infrastructure operators.
  • AI Governance: Commentary from security researchers emphasizes the need for boards to demand accountability in the age of AI-automated exploitation, with questions about liability for preventable incidents.

Source: CyberScoop, The Hacker News

International Developments

  • Canada AI Strategy: Analysis suggests Canada is considering nationalized, public AI infrastructure, which could have implications for cross-border data flows and technology partnerships.
  • UK Attack Trends: Check Point data indicates cyber-attacks on UK firms are increasing at four times the global rate, suggesting potential spillover risks for U.S. organizations with UK operations.

Sources: Schneier on Security, Infosecurity Magazine


7. Training & Resource Spotlight

New Tools and Frameworks

  • Scanner AI-Powered Threat Hunting: Scanner has raised $22 million for AI agents that connect to security data lakes for interactive investigations, detection engineering, and autonomous response.
  • Babel Street Agentic Risk Intelligence: New capabilities announced for AI-on-AI era threat intelligence.
  • GDIT Autonomous Surveillance Towers: New autonomous surveillance technology unveiled for border and perimeter security applications.

Best Practices Highlighted

  • Shadow AI Management: CSO Online outlines a 5-step approach to taming shadow AI in enterprise environments.
  • Security Culture Metrics: Security Magazine emphasizes the importance of culture metrics over traditional dashboard metrics for understanding organizational security posture.
  • Vulnerability Management Evolution: SecurityWeek discusses approaches to 10x vulnerability management programs in the agentic era through continuous telemetry and contextual prioritization.

Industry Recognition

  • CSO Awards 2026: The 2026 CSO Hall of Fame honorees have been announced, celebrating world-class security strategies.
  • CISO Perspectives: SecurityWeek features insights from Aimee Cardwell, CISO in Residence at Transcend, with career perspectives from Netscape, American Express, and UnitedHealth Group.

8. Looking Ahead: Upcoming Events

Conferences and Briefings

  • NIST Technologies and Use Cases for Smart Standards Workshop – March 19, 2026
    • Focus on AI, blockchain, and IoT standards development
    • Relevant for organizations implementing emerging technologies in critical infrastructure
  • NIST Cybersecurity for IoT Workshop: Future Directions – March 31, 2026
    • Discussion of emerging IoT trends and cybersecurity implications
    • Critical for OT/IoT security planning
  • Infosecurity Europe 2026 – Date TBD (Keynote lineup announced)
    • Keynotes from Jason Fox, Shlomo Kramer, Cynthia Kaiser
    • Sessions on AI, cloud security, and post-quantum threats
  • NIST MLXN: Machine Learning for X-ray and Neutron Scattering – April 13, 2026
    • Relevant for research infrastructure security
  • NIST Iris Experts Group Annual Meeting – June 25, 2026
    • Forum for USG agencies employing iris recognition
  • NIST Time and Frequency Seminar – July 21, 2026
    • Covers precision timing critical for infrastructure synchronization

Threat Periods Requiring Heightened Awareness

  • Ongoing: Elevated threat posture recommended due to Middle East conflict and Iranian cyber operations targeting U.S. critical infrastructure
  • Supply Chain Monitoring: Continued vigilance required for npm, PyPI, and Rust package ecosystem compromises
  • Patch Deadlines: Monitor CISA KEV catalog for federal patching deadlines that may indicate broader exploitation timelines
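The KEV deadlines referenced here and in Section 4 are only useful once they are joined to what an organization actually runs. The following is an added example, not CISA tooling or code from the briefing: it reads a feed in the shape of CISA's known_exploited_vulnerabilities.json, matches entries to a local asset inventory, and ranks them with overdue items first, shortest remaining time next, and known ransomware use and internet exposure as tie-breakers. The feed's entries and the inventory are constructed placeholders (the CVE IDs are deliberately not real CVEs and the descriptions are stubs); in practice, download the current file from https://www.cisa.gov/known-exploited-vulnerabilities-catalog and point the script at it.

```python
"""Triage a KEV-shaped feed against an asset inventory by due date.

Added example, not CISA tooling. Feed entries and inventory are constructed
placeholders; the CVE IDs below are not real identifiers.
"""
import json
from datetime import date
from typing import List

TODAY = date(2026, 3, 12)  # the briefing's report date

# Constructed feed using the KEV JSON field names.
KEV_FEED = json.dumps({"title": "placeholder feed", "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "Ivanti", "product": "Endpoint Manager (EPM)",
     "vulnerabilityName": "placeholder", "shortDescription": "placeholder",
     "dateAdded": "2026-03-10", "dueDate": "2026-03-31",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Cisco", "product": "SD-WAN",
     "vulnerabilityName": "placeholder", "shortDescription": "placeholder",
     "dateAdded": "2026-03-09", "dueDate": "2026-03-30",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "n8n", "product": "n8n",
     "vulnerabilityName": "placeholder", "shortDescription": "placeholder",
     "dateAdded": "2026-02-20", "dueDate": "2026-03-06",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0004", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "placeholder", "shortDescription": "placeholder",
     "dateAdded": "2026-03-01", "dueDate": "2026-03-22",
     "requiredAction": "Apply mitigations per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory; hostnames use the reserved .example domain.
INVENTORY = [
    {"host": "epm01.corp.example", "vendor": "Ivanti",
     "product": "Ivanti Endpoint Manager (EPM)", "internet_facing": False},
    {"host": "vmanage.corp.example", "vendor": "Cisco",
     "product": "Cisco SD-WAN vManage", "internet_facing": True},
    {"host": "automation.corp.example", "vendor": "n8n",
     "product": "n8n", "internet_facing": True},
    {"host": "fw01.corp.example", "vendor": "Fortinet",
     "product": "FortiGate", "internet_facing": True},
]


def matches(entry: dict, asset: dict) -> bool:
    """Loose match: same vendor (case-insensitive) and one product string contained
    in the other. KEV product naming is inconsistent, so exact matching misses."""
    if entry["vendorProject"].lower() != asset["vendor"].lower():
        return False
    a, b = entry["product"].lower(), asset["product"].lower()
    return a in b or b in a


def triage(feed_json: str, inventory: List[dict], today: date) -> List[dict]:
    """Return KEV entries that hit the inventory, ranked for remediation."""
    rows = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        hits = [a for a in inventory if matches(entry, a)]
        if not hits:
            continue  # not in our estate; still worth a note if the product is unknown
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append({
            "cveID": entry["cveID"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "hosts": [a["host"] for a in hits],
            "dueDate": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "internet_facing": any(a["internet_facing"] for a in hits),
        })
    # Overdue first, then least time remaining; ransomware use and exposure break ties.
    rows.sort(key=lambda r: (not r["overdue"], r["days_left"],
                             not r["ransomware"], not r["internet_facing"]))
    return rows


if __name__ == "__main__":
    for r in triage(KEV_FEED, INVENTORY, TODAY):
        status = "OVERDUE" if r["overdue"] else f"due in {r['days_left']} d"
        print(f"{r['cveID']:14} {r['product']:28} {status:14} "
              f"ransomware={r['ransomware']} exposed={r['internet_facing']} {r['hosts']}")
```

The federal due date is a floor for non-federal operators rather than a target: an entry is in KEV because exploitation is already happening, so the practical priority is the internet-facing hosts regardless of how many days remain. The loose product match is a conscious trade-off; it will over-match products that share a family name, and the result should be reviewed rather than fed straight into a ticketing system.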

Anticipated Developments

  • Senate confirmation proceedings for DHS Secretary nominee
  • Potential additional CISA advisories related to Iranian threat activity
  • NHTSA robotaxi deployment comment period outcomes
  • Continued Stryker incident response and impact disclosures

This intelligence briefing is compiled from open-source reporting and is intended to support critical infrastructure protection efforts. Recipients are encouraged to verify information through official channels and report suspicious activity to appropriate authorities.

Report Prepared: Thursday, March 12, 2026

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.