CyberWire Daily – "War Comes for the Cloud" (April 3, 2026)
Host: Dave Bittner (N2K Networks)
Guest: Brandon Karpf (NTT)
Overview
This episode centers on the escalation of cyber conflict amid the Iran war, as commercial cloud data centers and core digital infrastructure face direct attacks and systemic risks. It covers recent high-profile breaches, legislative responses, and practical guidance for organizations. The feature interview with cyber expert Brandon Karpf delves into under-addressed vulnerabilities in US critical infrastructure, the true threat from Iran, and the cyber community’s need for action—moving past expensive technology to fundamental security hygiene.
Key Discussion Points & Insights
1. Cloud & Infrastructure Now Wartime Targets
- Iranian Strikes:
- Recent attacks against telecom and cloud facilities in Bahrain and an Oracle data center in the UAE mark a significant shift.
- Earlier in March, drone strikes on AWS regional sites disrupted banking, payments, and government services.
- Implications:
- Analysts see a clear, ongoing pattern, not isolated incidents, as Iran frames attacks as retaliation for US military/intelligence use of these services.
- Heightened risk to any enterprise relying on cloud or regional connectivity.
- Threats to submarine cables and critical maritime chokepoints (e.g., Strait of Hormuz) raise fears of wider, even global connectivity outages.
- Takeaway for CIOs:
"Geopolitical risk must now factor into infrastructure planning, including multi-region redundancy, war scenario continuity testing, and closer scrutiny of cloud service contracts." (03:10)
2. Major Data Exposure Tied to China’s Cyber Operations
- UpGuard finds:
- A 1TB openly exposed Elasticsearch database holding a vast 'dark web and Telegram threat intelligence' set: roughly 1 billion breach records with China-focused annotations tracking breach victims, brokers, journalists, and social groups.
- Significance:
- Shows China running large-scale, surveillance-style intelligence collection (not just offensive operations), alongside pre-positioning in critical infrastructure and AI-augmented operations.
3. Zero-Day Exploits and Software Supply Chain Concerns
- TrueConf Zero-Day Attack:
- Chinese threat actors exploited a flawed update mechanism to infect government agencies in Asia.
- A compromised update server was used to push malware through the trusted update channel, so clients installed it as a legitimate release and the attackers gained deep access.
- Response:
- TrueConf has patched; US CISA mandates that federal agencies remediate by April 16.
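The TrueConf item above turns on one design failure: clients trusted whatever the update server handed them. The check a practitioner wants is that the client verifies each release against a key that the server does not hold. The following Go program is an added example written for these notes; it is not TrueConf's code and the manifest fields, the `demo-client` product name and the `updates.example.invalid` URL are assumptions for illustration. It signs a release manifest with an Ed25519 key (generated on the fly here; a real client pins the vendor's published key), then shows the three things a compromised server might try, a swapped binary, a re-hashed manifest and a replayed old release, each being rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest describes one release. It is signed with the vendor's offline release
// key, so owning the download server is not enough to forge one.
// Field names are assumptions for this example, not TrueConf's real format.
type Manifest struct {
	Product string `json:"product"`
	Version int    `json:"version"` // monotonic counter, used to refuse rollback
	SHA256  string `json:"sha256"`  // hex digest of the installer bytes
	URL     string `json:"url"`
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned key")
	ErrRollback     = errors.New("manifest version is not newer than installed version")
	ErrDigest       = errors.New("installer digest does not match signed manifest")
)

// SignManifest is the vendor side: serialise and sign with the offline key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyUpdate is the client side. It checks, in order: the manifest is signed by
// the pinned key, it is newer than what is installed, and the downloaded installer
// matches the signed digest. Only then may the installer be executed.
func VerifyUpdate(pinned ed25519.PublicKey, manifestJSON, sig []byte, installed int, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pinned, manifestJSON, sig) {
		return nil, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, err
	}
	if m.Version <= installed {
		return nil, ErrRollback
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, ErrDigest
	}
	return &m, nil
}

// Scenarios runs one legitimate update and three attacker moves against a
// client that has version 1 installed, returning the verifier's verdict for each.
func Scenarios() (map[string]error, error) {
	// Demo key pair generated here; a real client ships with the vendor's public
	// key pinned, and the private key never touches the update server.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	good := []byte("constructed installer bytes, release 2")
	bad := []byte("constructed trojanised installer")
	goodSum := sha256.Sum256(good)
	m := Manifest{Product: "demo-client", Version: 2, SHA256: hex.EncodeToString(goodSum[:]),
		URL: "https://updates.example.invalid/demo-client-2.bin"}
	raw, sig, err := SignManifest(priv, m)
	if err != nil {
		return nil, err
	}
	res := map[string]error{}
	_, res["legit"] = VerifyUpdate(pub, raw, sig, 1, good)
	// Server owner swaps the binary but cannot re-sign the manifest.
	_, res["swapped binary"] = VerifyUpdate(pub, raw, sig, 1, bad)
	// Server owner edits the digest to match the trojan; the old signature no longer covers it.
	evil := m
	badSum := sha256.Sum256(bad)
	evil.SHA256 = hex.EncodeToString(badSum[:])
	evilRaw, err := json.Marshal(evil)
	if err != nil {
		return nil, err
	}
	_, res["forged manifest"] = VerifyUpdate(pub, evilRaw, sig, 1, bad)
	// Replay of a genuinely signed release against a client already on version 2.
	_, res["rollback"] = VerifyUpdate(pub, raw, sig, 2, good)
	return res, nil
}

func main() {
	res, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"legit", "swapped binary", "forged manifest", "rollback"} {
		fmt.Printf("%-16s -> %v\n", name, res[name])
	}
}
```

The ordering matters: the signature is checked before the JSON is parsed so that an unauthenticated manifest never reaches the parser, and the version check comes before the digest check so that a replayed old release is refused even though its bytes are genuine.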
4. US Intelligence Community Cyber Modernization
- ODNI Initiatives:
- Policies for AI-backed cyber defense
- Automated threat hunting
- Zero trust strategies (protecting data regardless of location)
- Shared repository for vetted, secure applications
- Context:
- First major update under DNI Tulsi Gabbard in Trump's second term, in line with the National Cyber Strategy.
5. React-to-Shell Attacks in the Wild
- Cisco Talos:
- Threat actor UAT10608 exploits a React vulnerability to compromise Next.js apps (766+ systems hit in 24 hours, 10,000+ files stolen).
- Advice:
- Immediate credential rotation and supply-chain scrutiny recommended.
6. Legal and Policy Landscape
- Iowa Sues UnitedHealth (Change Healthcare Breach):
- Ransomware exposed nearly 193 million people’s data. Iowa alone: 2.2 million affected.
- AG alleges violations of consumer protection law and HIPAA, and untimely breach notification.
- France Moves to Ban Kids Under 15 from Social Media:
- Would classify platforms by risk, ban most for under-15s, set broader EU precedent.
7. Power Regulation as a Digital Weak Point
- Report ("The Silent Dependency"):
- DC power regulation is now handled by networked, firmware-driven controllers, which creates a new attack surface.
- Risks: firmware vulnerabilities, supply-chain compromise, lateral movement from the controller network, and voltage glitching.
- Recommendation:
- Treat power infrastructure as cyber asset: secure boot, segmentation, better supplier review.
- “Securing power infrastructure becomes essential to maintaining system resilience and trust.” (12:02)
8. Insider Threats: Admin Sabotages Own Company
- Case:
- Engineer Daniel Ryan pleaded guilty to locking admins out of 254 servers and 3,000+ workstations, deleting accounts, and demanding a ransom.
- Lesson:
- Even with advanced threats, the “soft underbelly” includes trusted insiders.
Feature Interview: Brandon Karpf on Iran Conflict Cyber Risks
(Timestamps from 15:15 onward)
Observations from RSAC & State of US Preparedness
- Lack of Industry Urgency:
- "We're at this place now... about day 30 of the war with Iran... Iranian hacker alliances... potentially holding at risk our domestic US water infrastructure." (15:37)
- Karpf notes the absence of meaningful discussion about Iran, even as Iranian APTs make credible threats against soft targets such as water treatment plants and medical suppliers (the Stryker incident).
- Historical Context:
- "There was an incident in Aliquippa, Pennsylvania a few years ago where CyberAv3ngers, which is one of the Iranian APTs, did infiltrate... the OT/ICS system for the water authority." (17:01)
- Chronic Underfunding:
- Massive staffing and funding shortfalls at CISA ('critical functions only') make response difficult:
- "CISA has certainly had a staffing collapse over the last 12 months... 60% of their staff right now is suspended or furloughed." (19:52)
- Community Focus:
- Too much attention at conferences goes to 'shiny tech', not enough to basic defense or support for under-resourced infrastructure.
- Praises Center for Long-Term Cybersecurity’s ‘cyber clinics’ but says:
- "We need a lot more of that... It's not fear, uncertainty, and doubt. I'm not trying to say everything is bad... But we're in a serious situation as a nation and we need to respond as a community..." (21:15)
Why America May Be Complacent
- Geographic Isolation & Threat Fatigue:
- “America’s always benefited from having that standoff... but cyber crosses boundaries.”
- “Fear, uncertainty, and doubt can only be used so much... The Boy Who Cried Wolf can only be espoused so many times before people start losing interest.” (22:16)
- Reality Check:
- Reminds the audience that Colonial Pipeline, SolarWinds, NotPetya, WannaCry, and recent attacks have all had massive impact, with trillions lost.
Call to Action
- Political Will Essential:
- “Call your representatives... even your state representatives... The states have a lot of control here.” (24:41)
- Support for Local, Volunteer-Led Initiatives:
- “Practitioners should be looking for opportunities to donate your time to those types of cyber clinics.” (26:10)
- Notable Quote:
- "We need just a little more community give back in the cybersecurity industry to try to resolve this critical center of gravity that our adversaries are actively targeting and telling us that they're going to target. And quite frankly, when an adversary tells me they're going to target something, I'm going to believe them." (26:40)
- Corporate Engagement:
- “Managed Security Service Providers should consider how they can support local critical infrastructure, even if some work is not paid.”
Notable Quotes & Moments
- “Geopolitical risk must now factor into infrastructure planning—including multi-region redundancy, war scenario continuity testing, and closer scrutiny of cloud service contracts.” – Dave Bittner (03:10)
- "Iran has shown themselves certainly capable of having cyber effects on core infrastructure... Water treatment plants historically in the US are under-resourced on security infrastructure..." – Brandon Karpf (17:01)
- “CISA has certainly had a staffing collapse... They are down at least 30% in terms of total staff, but then 60% of their staff right now is suspended or furloughed.” – Brandon Karpf (19:52)
- "We're in a serious situation as a nation and we need to respond as a community... I'm not saying everything is bad... But we're exposed." – Brandon Karpf (21:15)
- "Fear, uncertainty, and doubt can only be used so much... We've been doing it for a very long time and there hasn't been huge incidents except for the fact that there really has and we forget about it." – Brandon Karpf (22:16)
- "When an adversary tells me they're going to target something, I'm going to believe them." – Brandon Karpf (26:40)
Segment Timestamps
- [01:08] – Headlines: wartime cloud/infrastructure targets, dark web intelligence exposure, Chinese exploitation of the TrueConf video-conferencing platform
- [15:15] – Interview: Brandon Karpf on Iran conflict, critical infrastructure gaps
- [22:04] – Geopolitical complacency and impact of “cyber fatigue”
- [24:27] – Concrete steps and call to action for professionals/community
- [29:00+] – Espresso machine IoT hack cautionary tale
Memorable Anecdote
The Espresso Exploit
- A company's espresso maker, running outdated software with a default password, exfiltrated executive emails every time someone brewed coffee, showing that even innocuous IoT devices in the lunchroom can be attack vectors.
- “The awkward briefing that followed informed leadership their security posture had been undone by cappuccino...” (29:00+)
Summary for Non-Listeners
This episode illustrates how the war in Iran is shaping global cyber risk—cloud providers and submarine cables are fair game, and the US urgently needs to shore up its under-resourced critical infrastructure before a catastrophic attack arrives. Despite warnings and recent real-world impacts, there’s persistent complacency. Speakers call for action: push for political support, engage in local cybersecurity volunteering, and refocus on defense of basic critical systems. Even as advanced cyber foes grow more formidable, sometimes the weakest spot is a coffee machine with a default password.
For full episode transcripts, related articles, and more insights, visit cyberwire.com
