CyberWire Daily – "Iran is muddying the waters."
Date: March 6, 2026
Host: N2K Networks (Dave Bittner)
Special Segment: Ben Yellen & Ethan Cook
Episode Overview
This episode of CyberWire Daily delivers in-depth cybersecurity news and analysis, emphasizing significant nation-state threats, policy shifts, and notable industry developments. The primary focus is on recent infiltration efforts by Iran's Muddy Water threat group against US and allied organizations, high-stakes contract disputes between the Pentagon and leading AI developer Anthropic, a major FBI wiretap system breach, active vulnerabilities, and a widespread worm incident impacting Wikimedia wikis.
Key Discussions and Insights
1. Iranian APT "Muddy Water" Compromises Multiple US Targets
[00:50]
- Scope of Attacks:
- Targets included an aerospace/defense contractor, a US bank, an airport, a software company with Israeli operations, and a US/Canada NGO.
- Intrusions believed to be tied to escalating geopolitical tensions following US and Israeli military strikes against Iran.
- Technical Details:
- Deployment of two backdoors, Dindor and Fakeset, both using certificates referencing names previously linked to Muddy Water.
- Data exfiltration attempts observed, notably from the software company’s Israeli branch.
- Ongoing Risk:
- Although some activity was disrupted, researchers stress that remaining footholds could allow future operations.
2. Pentagon–Anthropic Dispute and AI in National Defense
[14:20 – 29:52] | Segment with Ben Yellen & Ethan Cook
Background
- The Pentagon signed a $200 million contract with Anthropic to deploy its AI models (Claude) on classified systems, aiming to strengthen US technology leadership.
Breakdown of the Dispute
- Anthropic’s Stance:
- Objected to Pentagon’s requests to use their AI for autonomous weapons and mass domestic surveillance.
- Sought strict contractual assurances that its AI services would not be leveraged for these controversial uses.
"Anthropic was not okay with some of the things that were being requested... specifically the DoD's plan to use its AI services for both autonomous weapon systems as well as mass surveillance of US citizens." (Ethan Cook, [14:52])
- Pentagon’s Response:
- Characterized Anthropic's reluctance as insufficient cooperation.
- After failed negotiations, the President publicly denounced Anthropic as "woke" and a risk to national security, ordering a phase-out across all federal agencies.
"That post said that Anthropic was a woke company and was going to destroy... the war fighting powers of our Pentagon and therefore we are severing ties." (Ben Yellen, [17:35])
- Defense Secretary Pete Hegseth designated Anthropic as a national security supply chain risk, an action previously reserved for adversarial foreign entities (like Huawei).
- Move prompted immediate legal challenge from Anthropic.
- Rapid Replacement by OpenAI:
- OpenAI was brought in almost immediately to fill the gap, agreeing to work within existing legal frameworks and policies—less restrictive than Anthropic's contractual demands.
- OpenAI pledged safeguards against domestic surveillance and autonomous weapons, but did not insist on the same direct contractual limitations.
"OpenAI is just like, we promise we won't break any laws, here's ChatGPT. Enjoy. And I think that level of cooperation is what the Pentagon was looking for." (Ben Yellen, [22:00])
Broader Implications
- Industry Tension and Ethics:
- Mass resignations within OpenAI; open letters supporting Anthropic.
"60 OpenAI employees... voluntarily resigned because they backed Anthropic's original stance." (Ben Yellen, [25:44])
- Concerns raised about a “race to the bottom” in ethical standards among US AI developers chasing government contracts.
- Risks to Innovation:
- Potential creation of a "single point of failure" by favoring one major AI provider.
- Undermining competition and robustness in sensitive national security sectors.
"For us to alienate them and almost create a semi single point of failure by going after OpenAI exclusively, I would have loved to see a dynamic where we use both." (Ethan Cook, [23:53])
- Lack of Legal Frameworks:
- Both hosts warn of "gray zones" due to the absence of comprehensive federal AI regulation.
"We've had AI for years now and we still have no federal AI framework from a legislative standpoint... this is the time where if you're gonna kind of walk that gray zone... it's really concerning." (Ethan Cook, [29:13])
3. FBI Wiretap Management System Breach
[08:40]
- FBI confirms investigation after suspicious activity detected in its surveillance and wiretap warrant management systems.
- Systems process both court-authorized wiretaps and FISA warrants; details on scope or data leak remain undisclosed.
- Not attributed to any public group; prior similar breaches by China-linked Salt Typhoon noted, but no definitive connection.
4. China-Linked UAT9244 Targeting South American Telecoms
[10:50]
- New threat actor, UAT9244, actively targeting South American telecommunications since 2024.
- Deploys three new malware families:
- Turn Door: Windows backdoor.
- PeerTime: Linux backdoor leveraging BitTorrent protocol for C2.
- Brute Entry: Tool for scanning and proxy network expansion.
- Techniques overlap with known Sparrow and Tropic Trooper groups, though considered a distinct campaign.
5. Major Security Vulnerability Updates
- Cisco:
- 48 vulnerabilities patched; two critical flaws (CVSS 10) in Secure Firewall Management Center, including authentication bypass and remote code execution. No workarounds; update urged immediately.
- CISA Warnings:
- Hikvision camera vulnerability (CVSS 10) risking credential and configuration exposure.
- Rockwell Automation vulnerability (CVSS 9.8) enables attackers to impersonate engineering workstations.
- Both now listed in CISA's Known Exploited Vulnerabilities catalog and flagged for immediate remediation.
6. US Legislative Activity on Child Online Safety
[12:35]
- Kids’ Internet and Digital Safety Act advanced in committee; debate split along party lines.
- Republicans: Bill enhances parental control; disables recommendation algorithms for minors.
- Democrats: Criticize lack of proactive duty of care, warn about undermining state legal actions.
- Other bills (Sammy’s Law, App Store Accountability Act) advanced, but critics cite possible risks to privacy and free expression.
7. Major Crypto Theft from US Marshals Service
[13:55]
- Arrest of John Dea (aka Dagita) in St. Martin for alleged theft of $46M in seized crypto.
- Connections drawn between suspect, government contractor CMDSS, and high-profile Bitfinex hack funds.
- Investigation ongoing after Telegram dispute exposed wallet addresses; CMDSS removed online presence.
8. Widespread Wikimedia Worm Incident
[30:10]
- Self-propagating JavaScript worm infected Wikimedia’s Meta Wiki.
- Originated from a dormant script, activated during staff security review.
- Mechanism: Worm injected code into user/global JavaScript files, enabling rapid spread; approximately 4,000 pages and 85 user scripts affected in 23 minutes.
- Response: Engineers quickly locked down editing rights and removed malicious code; cleanup ongoing.
- Comparison to classic worms: The hosts recalled the Morris Worm (1988) and Code Red/SQL Slammer, noting that this outbreak spread rapidly but was short-lived.
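The spread pattern described above (many accounts' user/global JavaScript pages edited within minutes) is something a wiki operator can alert on from the recent-changes feed. The following detector is an added example, not Wikimedia's tooling or code from the episode; the sample entries, the 5-minute window and the 3-account threshold are constructed assumptions.

```python
"""Flag bursts of edits to MediaWiki user JavaScript pages.

A self-propagating user-script worm shows up as many distinct accounts
having their User:<name>/*.js pages edited within a short window.
Constructed sample data; thresholds are illustrative assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed recent-changes entries: (ISO timestamp, editing user, page title)
SAMPLE_CHANGES = [
    ("2026-03-05T10:00:05", "Alice", "User:Alice/common.js"),
    ("2026-03-05T10:00:40", "Bob",   "User:Bob/global.js"),
    ("2026-03-05T10:01:10", "Carol", "User:Carol/common.js"),
    ("2026-03-05T10:01:30", "Alice", "Talk:Main_Page"),       # not a script page
    ("2026-03-05T10:02:00", "Dave",  "User:Dave/common.js"),
    ("2026-03-05T10:45:00", "Erin",  "User:Erin/common.js"),  # isolated, benign
]

# User-namespace subpages ending in .js (common.js, global.js, skin scripts, ...)
USER_JS_RE = re.compile(r"^User:[^/]+/.*\.js$")


def is_user_script(title: str) -> bool:
    """True if the page title is a user JavaScript subpage."""
    return bool(USER_JS_RE.match(title))


def detect_script_burst(changes, window_minutes=5, min_users=3):
    """Return non-overlapping windows in which user-script pages belonging to
    at least `min_users` distinct accounts were edited within `window_minutes`."""
    js_edits = sorted(
        (datetime.fromisoformat(ts), user)
        for ts, user, title in changes if is_user_script(title)
    )
    window = timedelta(minutes=window_minutes)
    alerts, i = [], 0
    while i < len(js_edits):
        start = js_edits[i][0]
        in_window = [(t, u) for t, u in js_edits[i:] if t < start + window]
        users = {u for _, u in in_window}
        if len(users) >= min_users:
            alerts.append({"start": start.isoformat(),
                           "users": sorted(users), "edits": len(in_window)})
            i += len(in_window)  # skip past this window to avoid duplicate alerts
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_script_burst(SAMPLE_CHANGES):
        print("burst of user-script edits:", alert)
```

A real deployment would read the feed continuously and pair an alert with an automatic edit lock on script pages, which is the containment step the episode describes.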
Notable Quotes & Memorable Moments
- On AI Ethics and Contracting:
"It feels like this is almost a race to the bottom, that now that OpenAI has opened this door... who's willing to cut corners and bend to military demands the most to get the contract?"
— Ethan Cook, [26:50]
- On Lack of Regulation:
"We've had AI for years now and we still have no federal AI framework from a legislative standpoint... if you have to caveat with 'technically', it's really concerning."
— Ethan Cook, [29:13]
- On Industry Fallout:
"You also might be creating this divide within the industry between the people who write the contracts and the developers... who don't want to see the fruits of their work used to autonomously kill people in foreign conflicts or for mass domestic surveillance."
— Ben Yellen, [25:50]
Important Timestamps
- 00:50: Muddy Water breaches multiple US and allied organizations.
- 08:40: FBI confirms investigation into a breach of wiretap management systems.
- 10:50: China-linked UAT9244 targets South American telecoms.
- 12:35: US House advances controversial Kids Online Safety bill.
- 13:55: Arrest in $46M crypto theft from US Marshals.
- 14:20: In-depth discussion: Anthropic vs. Pentagon (with Ben Yellen & Ethan Cook).
- 30:10: Detailed rundown of the Wikimedia worm outbreak.
Summary & Takeaways
- Iranian and China-linked threat groups remain highly active, targeting critical US, allied, and infrastructure organizations.
- The abrupt Pentagon–Anthropic split signals escalating tension between tech industry ethics and government operational demands, potentially chilling future partnerships or innovation.
- Rapid patching and vulnerability management are stressed, with urgent updates required across popular Cisco, Hikvision, and Rockwell platforms.
- Ongoing debates on child online safety, cryptocurrency enforcement, and incident response in open platforms (like Wikimedia) highlight the multifaceted challenges facing cybersecurity professionals.
For those seeking further depth, the Caveat podcast features a fuller version of the Anthropic–Pentagon debate with Ben Yellen and Ethan Cook.
