A
You're listening to the CyberWire Network, powered by N2K.
B
No, it's not your imagination. Risk and regulation are ramping up, and customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI-powered platform. Whether you're preparing for a SOC 2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and RYTR report spending 82% less time on audits. That's not just faster compliance, that's more time to focus on growth. When I look around the industry, I see over 10,000 companies, from startups to big enterprises, trusting Vanta. Get started at vanta.com/cyber.

CISA pushes critical infrastructure to prepare for offline operations during cyber attacks. Questions grow over a shared U.S.-China AI threat. A Russian university is accused of feeding talent into GRU cyber units. Researchers warn poisoned data could quietly corrupt enterprise AI. LinkedIn faces a GDPR fight over monetizing user data. Millions downloaded fake Android call history apps before Google pulled them. Dragos reports AI-assisted targeting of OT systems. A California man is sentenced in a $250 million crypto theft ring. Our guest is Azdrubal Picardo, CEO of Squalify, who wonders if banks are ready for worst-case cyber disruptions. And a bandwidth bandit breaks bullet trains.

It's Thursday, May 7, 2026. I'm Dave Bittner, and this is your CyberWire intel briefing. Thanks for joining us here today. It's great, as always, to have you with us.

CISA this week launched CI Fortify, a new initiative designed to help critical infrastructure organizations continue operating during major cyber attacks or telecommunications outages. The guidance urges operators to prepare for scenarios where Internet access, third-party services or communications systems become unavailable. The initiative emphasizes network segmentation, operational isolation and rapid system recovery.
CISA officials said organizations should be able to disconnect from external dependencies while maintaining essential services and restoring compromised systems in isolation. The effort comes amid ongoing concern over nation-state campaigns like China-linked Volt Typhoon, which U.S. officials say targeted critical infrastructure to enable potential disruptive attacks during future conflicts. CISA is shifting toward an assumed-compromise model for operational technology defense. Security experts say deeply embedded adversaries may not be fully removable in the near term, making resilience and containment increasingly important, especially as artificial intelligence accelerates cyber operations.

In a New York Times opinion column, Thomas Friedman argues that next week's Trump-Xi summit could rival the historic Nixon-Mao meeting of 1972, but with a different shared threat. Friedman says the United States and China now face a common danger from advanced artificial intelligence, particularly agentic AI systems capable of enabling large-scale cyber attacks by small groups or individuals. Friedman contends that globalization and technological interdependence have fused nations together, making issues like cyber threats, pandemics, climate change and supply chain disruptions impossible for any one country to manage alone. He warns that increasingly powerful AI models from companies such as OpenAI, Anthropic, Google, Alibaba and DeepSeek could dramatically lower the barrier for destructive cyber operations. Friedman argues both governments and major AI firms must establish safeguards before these tools become uncontrollable. He frames AI-driven cyber risk as a modern equivalent to Cold War era mutually assured destruction.

A cache of more than 2,000 leaked documents reviewed by several European news outlets alleges that Bauman Moscow State Technical University operates a covert training pipeline for Russia's military intelligence agency, the GRU.
The reporting describes a secretive Department 4 where select students receive instruction in cyber operations, surveillance, disinformation and intelligence tradecraft before assignment to GRU-linked units, including the hacking groups Fancy Bear and Sandworm. The documents reportedly show GRU officers overseeing recruitment, exams and graduate placements. Coursework allegedly includes penetration testing, malware development, psychological influence operations and reconnaissance techniques. Western officials have long accused Russian state-linked groups of conducting cyber attacks, sabotage and election interference across Europe and the United States. The report highlights concerns that Russia continues investing heavily in hybrid warfare capabilities despite years of sanctions, indictments and public exposure of its cyber programs. According to reporting from the Guardian, the training pipeline remains active through at least 2027.

As enterprises rapidly deploy large language models, AI copilots and autonomous agents, security researchers are warning about a less visible threat: corrupted data shaping how AI systems interpret reality. Experts say AI poisoning can occur through malicious tampering, compromised retrieval systems or simple data hygiene failures inside organizations. Researchers and security leaders told CSO that many companies are already polluting their own AI environments by feeding models inconsistent, outdated or conflicting internal information from disconnected systems. Others warn attackers may only need a small amount of manipulated data to influence AI behavior, particularly in retrieval-augmented generation, or RAG, environments. The concern grows as AI systems move beyond answering questions and begin making operational decisions involving procurement, finance, customer support and security workflows.
Experts say the challenge increasingly resembles a supply chain and governance problem, where organizations must understand what data their AI trusts and who controls it.

A privacy complaint against LinkedIn could establish an important European legal precedent over whether companies can charge users to access data already collected about them. The case centers on LinkedIn's profile viewers feature, where premium subscribers receive detailed records of who viewed their profiles while free users see only limited information. According to privacy advocacy group noyb, one LinkedIn user filed a GDPR Article 15 request seeking a copy of all personal data processed by the platform, including profile viewer information. LinkedIn reportedly denied the request, arguing disclosure could affect the rights of others. noyb disputes that reasoning, noting LinkedIn already provides the same information to paying subscribers. The case could clarify whether companies may restrict access to user-related data behind subscription paywalls even when European privacy law grants individuals broad rights to obtain processed personal information.

Researchers at ESET have uncovered a large-scale Android scam campaign they call Call Phantom, involving 28 fraudulent apps that falsely claim to provide call logs, SMS records and WhatsApp history for any phone number. According to ESET, the apps collectively reached more than 7.3 million downloads before Google removed them from the Play Store. The apps primarily targeted users in India and the Asia Pacific region. Researchers found the supposed call histories were entirely fabricated using hard-coded names, phone numbers and timestamps. Victims were prompted to pay subscription fees or submit payment details to unlock fake results. Some apps reportedly bypassed Google Play's official billing system by routing users to third-party payment platforms or direct card entry forms, making refunds more difficult.
Researchers also observed deceptive tactics designed to pressure users into subscribing.

Dragos and Gambit Security say an unknown threat actor used commercial AI models from Anthropic and OpenAI during a large-scale intrusion campaign targeting Mexican government organizations, including a municipal water utility in Monterrey. Investigators found the attacker used Claude and GPT models to automate reconnaissance, malware development, lateral movement and data analysis across compromised IT environments. According to Dragos, the AI-assisted operation escalated into an attempt to identify and access operational technology systems connected to the utility's industrial network. Researchers say Claude independently recognized a SCADA and industrial gateway platform as a high-value target and attempted password spraying attacks against the interface. Though investigators found no evidence the OT environment was breached, Dragos emphasized the attack did not involve novel OT-specific capabilities. Instead, the AI tools accelerated known offensive techniques and reduced the expertise required to identify industrial infrastructure from inside enterprise networks.

Elsewhere, Poland's Internal Security Agency, or ABW, says hackers breached water treatment facilities in five towns during 2025, in some cases gaining access to industrial control systems capable of disrupting water supplies. The agency warned attackers could alter device settings, creating direct operational risks. While the report did not formally attribute the incidents, ABW said hostile cyber activity tied to Russian intelligence services has intensified sharply since 2024. Polish media previously linked several water facility intrusions to a pro-Russian hacktivist group. The report also described broader Russian-linked sabotage, espionage and cyber campaigns targeting Polish infrastructure, transportation and government systems amid Poland's support for Ukraine.
A 20-year-old California man was sentenced to more than six years in prison for his role in a cryptocurrency theft operation that combined online fraud with physical home invasions. Prosecutors said Marlon Farrow targeted victims believed to hold large amounts of cryptocurrency, stealing hardware wallets when social engineering attacks failed. According to court documents, Farrow carried out burglaries in Texas and New Mexico and helped launder stolen cryptocurrency through exchanges and fraudulent payment accounts. Authorities said the broader criminal ring stole more than 4,100 bitcoin and used the proceeds to fund luxury lifestyles, private jets and high-end real estate rentals.

Coming up after the break, my conversation with Azdrubal Picardo, CEO of Squalify, wondering if banks are ready for worst-case cyber disruptions, and a bandwidth bandit breaks bullet trains. Stay with us.

And now a word from our sponsor, the Center for Cyber Health and Hazard Strategies, also known as CHHS. Looking for a graduate degree that will give you an edge on your professional career? Earn a Master of Science in Law at University of Maryland Carey School of Law. This part-time, two-year online graduate degree program is designed for experienced professionals to understand laws and policies that impact your industry. Learn from CHHS faculty who are experts in their field, no GRE required. Learn how you can master the law without a JD at law.umaryland.edu.

Azdrubal Picardo is CEO of Squalify. I recently sat down with him to learn whether banks are ready for worst-case cyber disruptions.
A
If you look at the past, the banks have been one of the top targets for cyber attacks and for ransomware. And I think they, I mean, they've been doing a great job being more prepared and being less exposed, but still there's work to be done. What we observed also in our engagement with banks, they tend to underestimate the extent of outages. For example, when something happens they think in hours and not in days. So typically a disruption can take several days. And at the end it's not only about being prepared and having good plans, it's also about making sure those plans work and that they come into effect, orchestrating all the needed parties to react to an event and make sure things go back to normal.
B
Well, you mentioned there being some gaps here. What sort of things do you find are common among banks specifically?
A
Yeah, so typically when we engage with banks, we look at the maturity of their information security. So we do bring into our platform an assessment, and typically two main areas, incident response and data backup, are the most frequently assessed topics needing improvement. So banks still have more to do before they can be confident in their operational resilience. And the next two, I mean, the other most common control weaknesses are in supply chain risk management. And we know also from the past that probably 40%, more than 40% of cyber attacks are derived from the third party or supply chain. So that's also one of the areas that needs attention, and the other one is managing assets through their life cycle. But the top two are backup and incident response, data backup.
B
In the conversations I've had with commercial bankers in my own community, they've expressed just how much of their time is being taken up by dealing with cyber fraud. Where do we stand there? I mean, has AI really supercharged the possibilities here?
A
For sure, for sure. I think on one side, AI helps cybercriminals to be more efficient and probably helps them with the volume of attacks, so the intensity and the frequency, but also on the deepfake side, so really having fake president schemes or AI deepfake impersonations really leading to fraudulent payments. So that's something that definitely has increased now because of AI.
B
What are your recommendations then for banks to really focus on the things where perhaps you're seeing them coming up short?
A
Well, I think one thing is not to be very complacent. I mean, again, having a plan doesn't mean that it's going to work when things happen, when things go south. So really making sure that the plans work when they are needed. Don't underestimate the length of a disruption because of a cyberattack. Again, we've been with banks and customers thinking that the interruption is going to be one or a few hours, but in reality it's several days. So really don't make those assumptions and don't be complacent. The other thing we see with banks is banks are driven a lot by compliance. And compliance, of course, is like ticking a box, yes or no. But between having a yes and a no, there's something in between that is really measuring how you can be effective when something happens. So not being too complacent because you have a yes; really, you need to get into understanding the implication of a cyber attack despite being compliant in front of the regulator.
B
Yeah. Is this a matter of investing in things like I'm thinking of tabletop exercises or testing your backups? Some of these basic things that I guess it's easy for people to overlook.
A
Yes, yes. So testing is important. Doing tabletop exercises and making sure even the backups, that they are working. And because in the case of a cyber attack, a bank cannot just recover and restore a backup, they really need to see that the backup was not compromised. So testing is part of the defense and the cyber posture, the cyber risk posture. But at the end it's also making sure you are investing in the right areas, in the right buckets. I mean, banks, but also other companies in different industries, they are investing a lot of money in cybersecurity, but they are not necessarily investing that in the areas with most impact. They are relying maybe on qualitative assessment instead of quantifying and really understanding the business impact from a cyberattack. So looking at high, medium, low or looking at lights can be misleading. You really need to quantify to understand and make sure you invest in the right areas to minimize the risk.
B
And how should they go about quantifying that risk?
A
Yeah, well, quantifying, I mean, the service quantification is a complex topic. Obviously there have been tools out there; you need to make sure you are making the right assumptions, that you have the right data, that you're using the right model. As for example, what we are doing at Squalify, we exercise a top-down approach which is backed by more than 11 years of actual historic data from the insurance world. So really looking into what companies have experienced cyber losses, from more than 100,000 companies. So that allows us to do quantification that comes close to reality, because again, if you don't rely on or you don't leverage this historic data and the right model, you're kind of blind. So you're probably only looking at risk that you know. But what about unknowns? Companies in the same industry, in the same country, in the same region, similar size, they have experience, and with our model we help the banks to come to a pretty good number, and of course asking the right questions, understanding where they're doing business, how many customers they have, what kind of supply chains they have, and then of course getting a little bit into business continuity plans and understanding how good or how bad they are prepared in case of a cyberattack. So we help companies with the minimum input of data and come with a pretty trustworthy quantification that is telling them what is the financial impact of a cyber attack. So really translating the cyber risk into financial metrics. And with that, of course, then you can derive the right decisions and the right investments.
B
That's Azdrubal Picardo from Squalify.

And finally, a 23-year-old university student in Taiwan is accused of bringing part of the country's high-speed rail network to an abrupt halt with a software-defined radio, a handful of handheld transmitters and apparently far too much free time. Authorities say the student transmitted a high-priority emergency signal into the train's TETRA communications system on April 5, triggering automatic braking procedures that stopped four trains for nearly an hour. Investigators allege the student decoded rail communications parameters using inexpensive SDR equipment purchased online, then programmed radios to impersonate legitimate railway devices. Reports suggest the same system parameters had remained unchanged for 19 years, a detail now attracting pointed criticism from lawmakers and security observers alike. Police traced the activity through network logs and CCTV footage, eventually seizing radios, SDR equipment and a laptop from the suspect's residence. His attorney reportedly claimed the transmission was accidental. Authorities appear skeptical.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
A
Some follow the noise. Bloomberg follows the money. Whether it's the funds fueling AI or crypto's trillion-dollar swings, there's a money side to every story. Get the money side of the story. Subscribe now at bloomberg.com.
Date: May 7, 2026
Host: Dave Bittner, N2K Networks
Guest Interview: Azdrubal Picardo, CEO of Squalify
This episode of CyberWire Daily explores increasing cyber risks, the rise in regulatory scrutiny, and the mounting expectations on organizations to prove their cyber resilience. The show highlights new U.S. government initiatives, emerging AI-augmented threats, data integrity concerns in enterprise AI adoption, as well as significant cyber incidents impacting critical infrastructure and individuals. The episode also features an in-depth interview with Azdrubal Picardo, CEO of Squalify, discussing whether banks are truly prepared for worst-case cyber disruptions and emphasizing the need for rigorous backup and incident response planning.
[02:01 - 03:49]
“Organizations should be able to disconnect from external dependencies while maintaining essential services and restoring compromised systems in isolation.”
[04:00 - 05:13]
“Globalization and technological interdependence have fused nations… making issues like cyber threats impossible for any one country to manage alone.”
Guest: Azdrubal Picardo, CEO of Squalify
Timestamps: 14:54 – 22:29
“Banks have been one of the top targets...they've been doing a great job being more prepared, but still, there's work to be done.” [14:54, Picardo]
"When something happens they think in hours and not in days. Typically a disruption can take several days." [15:13, Picardo]
"Incident response and data backup are the most frequently assessed topics needing improvement." [16:00, Picardo]
“Probably more than 40% of cyber attacks are derived from the third party or supply chain.” [16:39, Picardo]
"AI helps cybercriminals to be more efficient...the intensity and the frequency...also deep fake impersonations really leading to fraudulent payments." [17:18, Picardo]
"Having a plan doesn't mean it's going to work...don't underestimate the length of a disruption...not being too complacent because you have a 'yes' from compliance." [18:02, Picardo]
"Compliance...is ticking a box, yes or no. But between having a yes and no, there's something in between...measuring how you can be effective when something happens." [18:30, Picardo]
"...the case of a cyber attack, a bank cannot just recover and restore a backup—they really need to see that the backup was not compromised." [19:25, Picardo]
"Looking at high, medium, low...can be misleading. You really need to quantify to understand and make sure you invest in the right areas to minimize the risk." [20:10, Picardo]
“We exercise a top-down approach...backed by more than 11 years of actual historic data from the insurance world...Looking into what companies have experienced cyber losses from more than 100,000 companies.” [20:39, Picardo]
“We help companies with the minimum input of data and come with a...quantification that tells them what the financial impact of a cyber attack is.” [22:10, Picardo]
Picardo on preparedness:
“It’s not only about being prepared and having good plans, it’s also about making sure those plans work and that they come into effect.” [15:16]
On AI and fraud:
“AI helps criminals be more efficient...deepfake impersonations really leading to fraudulent payments.” [17:18]
On compliance complacency:
“Not being too complacent because you have a ‘yes’—really, you need to get into understanding the implications of a cyber attack despite being compliant in front of a regulator.” [18:30]
On risk metrics:
“Looking at high, medium, low or lights can be misleading. You really need to quantify to understand and make sure you invest in the right areas...” [20:10]