CyberWire Daily Podcast Summary
Episode: The lights stay on, but dimmer.
Date: February 17, 2026
Host: Dave Bittner (N2K Networks)
Episode Overview
This episode of CyberWire Daily covers significant cybersecurity news including the impact of a U.S. government shutdown on CISA, rising ransomware attacks on critical infrastructure, new research on AI risks and password managers, novel information-stealing malware tactics, and the prevalence of identity-based breaches. The second half features a detailed discussion on incident response with Steve Elovitz of Palo Alto Networks’ Unit 42, who shares insights from analyzing 750 major breaches in a year.
Key Discussion Points & Insights
1. Government Shutdown Effects on CISA
- CISA’s Operations: During the Department of Homeland Security shutdown, CISA operates at reduced capacity. Essential staff remain on duty without pay, nonessential projects halt, and regulatory work, including the CIRCIA incident-reporting rule, stops.
- Threat Response: Staff can be recalled if a significant threat emerges; updates to critical vulnerability lists will likely slow.
- Notable Quote:
"Adversaries do not pause during government shutdowns."
— Madhu Gottumukkala, Acting Director of CISA [00:57]
2. Surge in Ransomware Targeting Industrial Organizations
- Dragos Report Findings:
- In 2025, 119 ransomware groups hit industrial sectors (up 49% from 2024).
- 3,300 industrial organizations affected globally.
- Entry Vectors: Attackers exploited remote portals (VPNs/firewall interfaces) and legitimate credentials from phishing or purchased access.
- Dwell Time: Average of 42 days in OT environments.
- Risks: Prolonged access raises chances of disruptive, multi-day outages.
3. AI Risks in Critical Infrastructure
- Gartner’s Warning:
- By 2028, a misconfigured AI in cyber-physical infrastructure (e.g., power grids) could cause shutdowns in a G20 nation.
- Systemic risks from opaque models, privileged access, and lacking governance.
- The core threat is not an external hack but automation acting without human oversight.
4. Operation DoppelBrand: Phishing Campaign
- SOCRadar’s Findings:
- Campaign targeted Fortune 500 financial/tech firms (Wells Fargo, USAA).
- Used lookalike domains and cloned portals; credentials sent to attackers via Telegram bots.
- Over 150 related domains uncovered, operated by automated infrastructure.
- Actors may serve as initial access brokers for compromised accounts.
- Notable Trend:
- High automation and rapid domain rotation make takedown difficult.
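The Telegram-bot exfiltration channel described above is one of the few parts of this campaign that is observable from inside the victim network: every credential the cloned portal captures leaves via an HTTPS call to api.telegram.org whose path embeds the bot token and the API method. The following detection is an added example, not code from the podcast, SOCRadar or any vendor; the log format, field names and bot tokens are constructed for illustration. It parses proxy-style log lines, keeps only Bot API calls that push data out (sendMessage, sendDocument and similar, as opposed to getUpdates polling), and groups hits by bot ID so an analyst can see which internal hosts are talking to which bot.

```python
import re
from collections import defaultdict

# Constructed proxy log lines for this example (fabricated; the bot tokens are not real ones).
SAMPLE_LOG = """\
2026-02-17T10:01:02Z src=10.0.4.21 method=POST host=api.telegram.org path=/bot7123456789:AAHfake_token_for_example/sendMessage status=200 bytes=412
2026-02-17T10:01:05Z src=10.0.4.22 method=GET host=www.example.com path=/index.html status=200 bytes=9813
2026-02-17T10:02:11Z src=10.0.4.21 method=POST host=api.telegram.org path=/bot7123456789:AAHfake_token_for_example/sendDocument status=200 bytes=51230
2026-02-17T10:03:44Z src=10.0.5.7 method=GET host=api.telegram.org path=/bot55555:BBBfake/getUpdates status=200 bytes=120
2026-02-17T10:04:10Z src=10.0.5.7 method=POST host=api.telegram.org path=/bot55555:BBBfake/sendPhoto status=200 bytes=20480
"""

# Hypothetical key=value proxy log layout assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) host=(?P<host>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+) bytes=(?P<bytes>\d+)$"
)
# Telegram Bot API URL shape: /bot<bot_id>:<secret>/<apiMethod>
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<api_method>\w+)")

# Bot API methods that carry data out of the network. Polling methods such as
# getUpdates indicate C2 but not exfiltration, so they are reported separately.
EXFIL_METHODS = {"sendMessage", "sendDocument", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_telegram_exfil(log_text):
    """Return one finding per outbound Bot API call that pushes data to Telegram."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] != "api.telegram.org":
            continue
        m = BOT_PATH_RE.match(rec["path"])
        if not m or m.group("api_method") not in EXFIL_METHODS:
            continue
        # The full token stays in the raw log for the takedown report; the finding
        # carries only the numeric bot id so it can be shared without leaking the secret.
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "bot_id": m.group("bot_id"),
            "api_method": m.group("api_method"),
            "bytes": int(rec["bytes"]),
        })
    return findings


def group_by_bot(findings):
    """Map each bot id to the set of internal hosts that sent data to it."""
    by_bot = defaultdict(set)
    for f in findings:
        by_bot[f["bot_id"]].add(f["src"])
    return dict(by_bot)


if __name__ == "__main__":
    hits = find_telegram_exfil(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> bot {h['bot_id']} {h['api_method']} ({h['bytes']} bytes)")
    print(group_by_bot(hits))
```

Two hosts and two bots are flagged on the constructed sample; the getUpdates line is deliberately left out of the exfil findings. In practice the bot token recovered from the path is the most useful artifact: it identifies the operator's bot for abuse reports and lets the defender pivot to every other host that has contacted the same bot, which matters when, as the segment notes, the phishing domains themselves rotate too fast for takedowns to keep up.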
5. First OpenClaw AI Info-Stealer Attack
- Hudson Rock Investigation:
- Discovery of info-stealing malware (Vidar variant) targeting OpenClaw AI agent files.
- Stolen assets: authentication tokens, private signing keys, memory files.
- Implications: Enables device impersonation and broader identity compromise.
- Reflects a tactical shift from browser credentials to AI environment targeting.
6. Identity-Based Attacks Dominate Breaches (Unit 42 Report)
- Key Stats:
- Nearly two-thirds of breaches initiated via identity abuse (social engineering, compromised credentials, insider threats).
- Identity elements cited in almost 90% of incidents.
- Median extortion payments rose 87% to $500,000; data theft often occurred within two days.
- Expansion of attack surface due to machine identities and AI agents.
- Quote:
"Identity is the new attack surface...You compromise an identity, you can gain access to an organization in many cases."
— Steve Elovitz [20:01]
7. Major Cloud Password Managers Vulnerable
- ETH Zurich Study:
- Analyzed Bitwarden, Dashlane, LastPass, 1Password.
- Under a fully compromised server scenario, full or shared vault compromise was possible for all.
- Attackers could view/modify credentials; assumes advanced skills and server access.
- Vendors issued mitigations; some risks persist due to industry-wide cryptographic challenges.
8. Arrest Linked to Phobos Ransomware
- Law Enforcement Update:
- Polish police arrested a man with data tying him to Phobos ransomware.
- Seized credentials, server data, illicit access tools.
- Operation Ether (with Europol coordination) led to multiple arrests and further seizures.
9. Funding and M&A Activity in Cybersecurity
- Key Deals:
- Vega ($120M Series B), GetGuardian ($50M), Ricoh ($30M), Nucleus Security ($20M).
- M&A: Sophos → Arkos, Cyber Aura → Quoria, Zscaler → Squarex, and others.
- Focus: scaling AI, cloud, identity-focused security, managed security, SaaS expansion.
Threat Vector Segment: Incident Response Insights
Host: David Moulton
Guest: Steve Elovitz, North American Consulting Practice Lead, Unit 42
Insights from 750 Major Breach Investigations
What Happens When an Organization Calls for Help
- The Process: Calls come in 24/7. The team is trained to respond calmly and apply well-developed procedures, as it handles over 750 incidents a year.
- Notable Quote:
"Our team is trained in expecting to have the conversation with someone who's experiencing potentially one of the worst days in their career."
— Steve Elovitz [17:30]
- Elovitz occasionally takes calls himself:
"I'm told I have both a voice and a face for radio... I'll absolutely dive in with my team, yes."
— Steve Elovitz [18:27]
Patterns in Incidents
- Mature organizations may only need validation; others face total uncertainty.
- Notable Quote:
"...It goes on a spectrum..."
— Steve Elovitz [19:03]
The Identity Weakness Epidemic
- 90% of investigations involved identity-related issues.
- Notable Quote:
"Most organizations ... using single-factor authentication still in some cases or SMS for the multi-factor... All of those are phishable and we have attackers reliably SIM swapping, reliably socially engineering people to get that one-time passcode..."
— Steve Elovitz [20:01]
- Problems escalate when identity is federated or allowed to sprawl across environments.
- Notable Quote:
"Identity is the fabric that stitches environments together... You compromise one environment because of how they structured that identity, the attackers now compromise both..."
— Steve Elovitz [20:39]
Case Study: Over-Privileged OAuth Tokens
- Post-incident review exposed that OAuth tokens were overly privileged and not restricted by IP, enabling widespread access.
- Notable Quote:
"If it sprawls beyond what it needs for its job, you've just added risk without adding function."
— Steve Elovitz [23:08]
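The case study above describes two independent failures: the tokens carried more scope than the job needed, and nothing tied their use to the networks the job ran from. Both are cheap to enforce at the point where a token is presented. The following check is an added example written for this summary, not code from Unit 42 or any OAuth library; the policy schema, subject names, scope names and CIDRs are hypothetical. It takes the decoded claims of an OAuth access token (the space-delimited scope string of RFC 6749), computes the intersection with the scopes the subject's job actually requires, reports anything beyond that as excess, and refuses the token when it is presented from outside the subject's approved source networks.

```python
import ipaddress
import time

# Hypothetical per-subject policy for this example: the scopes each workload's job
# needs and the source networks it may present a token from. Not any vendor's schema.
POLICY = {
    "svc-reporting": {
        "required_scopes": {"reports.read"},
        "allowed_cidrs": ["10.20.0.0/16"],
    },
}

# Constructed token claims (as they would look after signature verification and decoding).
OVERPRIVILEGED_TOKEN = {
    "sub": "svc-reporting",
    "scope": "reports.read reports.write users.admin",  # far more than the job needs
    "exp": 4102444800,  # 2100-01-01, so the sample never expires during the demo
}
MINIMAL_TOKEN = {"sub": "svc-reporting", "scope": "reports.read", "exp": 4102444800}


def granted_scopes(claims):
    """OAuth 'scope' is a space-delimited string; return it as a set."""
    return set(claims.get("scope", "").split())


def evaluate_token(claims, client_ip, policy=POLICY, now=None):
    """Decide whether to honour a token, and with which scopes.

    Excess scopes are dropped rather than honoured: the job keeps working on its
    effective scopes while the surplus is reported for cleanup at the issuer.
    """
    now = time.time() if now is None else now
    result = {
        "subject": claims.get("sub"),
        "allowed": False,
        "effective_scopes": set(),
        "excess_scopes": set(),
        "reasons": [],
    }
    rule = policy.get(claims.get("sub"))
    if rule is None:
        result["reasons"].append("no policy for subject")
        return result
    if claims.get("exp") is not None and claims["exp"] <= now:
        result["reasons"].append("token expired")
        return result

    # Source binding: the token is only valid from the networks the job runs in.
    ip = ipaddress.ip_address(client_ip)
    ip_ok = any(ip in ipaddress.ip_network(cidr) for cidr in rule["allowed_cidrs"])
    if not ip_ok:
        result["reasons"].append(f"source {client_ip} outside allowed networks")

    # Least privilege: honour only the scopes the job requires, flag the rest.
    granted = granted_scopes(claims)
    result["effective_scopes"] = granted & rule["required_scopes"]
    result["excess_scopes"] = granted - rule["required_scopes"]
    if result["excess_scopes"]:
        result["reasons"].append(
            "over-privileged, dropped: " + ", ".join(sorted(result["excess_scopes"]))
        )
    if not result["effective_scopes"]:
        result["reasons"].append("token carries none of the scopes the job requires")

    result["allowed"] = ip_ok and bool(result["effective_scopes"])
    return result


if __name__ == "__main__":
    for token, ip in [(OVERPRIVILEGED_TOKEN, "203.0.113.9"), (OVERPRIVILEGED_TOKEN, "10.20.3.4"), (MINIMAL_TOKEN, "10.20.3.4")]:
        r = evaluate_token(token, ip)
        print(f"{r['subject']} from {ip}: allowed={r['allowed']} effective={sorted(r['effective_scopes'])} reasons={r['reasons']}")
```

The design choice worth noting is the scope-down rather than reject behaviour for an over-privileged token presented from an approved network: that is the practical reading of the quote, since the surplus scope adds risk without function, so removing it costs the workload nothing, whereas a hard reject would turn a cleanup task into an outage. A token presented from outside the approved networks is refused outright, because that is exactly the condition the post-incident review found missing.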
Notable News Story: Dutchman Arrested After Refusing to Delete Confidential Files
- Dutch police arrested a man who refused to delete confidential documents mistakenly sent by police; he demanded a reward instead.
- Notable Quote:
"Police noted that knowingly downloading restricted files after being warned could constitute computer trespassing."
— [29:16]
Timestamps for Key Segments
- CISA Shutdown Impact: 00:57–02:10
- Ransomware OT Report: 02:11–03:15
- AI Risks in Critical Infrastructure: 03:16–04:20
- Operation DoppelBrand: 04:21–05:35
- OpenClaw AI Infostealer Incident: 05:36–06:40
- Unit 42 Report (ID-based Attacks): 06:41–08:24
- Cloud Password Manager Vulnerabilities: 08:25–09:43
- Phobos Ransomware Arrest: 09:44–10:36
- Cybersecurity Funding & M&A: 10:37–13:25
- Threat Vector Interview - Steve Elovitz: 16:04–23:43
- Dutch Police Digital Detour Arrest: 29:00–end
Memorable Quotes
- "Adversaries do not pause during government shutdowns." — Madhu Gottumukkala [00:57]
- "Identity is the new attack surface is the slogan you'll hear repeated. It's true..." — Steve Elovitz [20:01]
- "If it sprawls beyond what it needs for its job, you've just added risk without adding function." — Steve Elovitz [23:08]
- "Our team is trained in expecting to have the conversation with someone who's experiencing potentially one of the worst days in their career." — Steve Elovitz [17:30]
Practical Takeaways
- Identity controls remain paramount; phishing-resistant MFA and strict least-privilege policies are critical.
- AI integration in infrastructure demands robust, transparent, and governed deployment with focus on misconfiguration risks.
- Organizations must monitor new infostealer tactics targeting AI agent environments as well as more traditional credentials.
- If using a cloud password manager, apply vendor mitigations promptly and understand the threat model: the ETH Zurich attacks assume a fully compromised server, a case the products' encryption designs did not fully defend against.
- Regulatory and compliance delays from government outages can have real-world impacts on security posture.
This episode delivers a comprehensive state-of-the-industry snapshot, balancing actionable intelligence with expert analysis from the front lines of cyber defense. Listeners walk away with a grounded understanding of today’s greatest cyber risks and effective countermeasures.
