Sponsor Announcer
You're listening to the CyberWire network, powered by N2K. And now a word from our sponsor, Arcova. Formerly Morgan Franklin Cyber, Arcova is a global cybersecurity and AI consulting firm built by practitioners who've been in the seat. They work directly with enterprise teams to solve complex security challenges, building secure-by-design programs that hold up as technology and threats evolve. From focused engagements to long-term partnership, Arcova delivers outcomes that endure, because no one should navigate complexity alone. Learn why leading global enterprises trust Arcova at www.arcova.com. That's A-R-C-O-V-A dot com.
Dave Bittner
Cloud data centers come under fire in wartime. A massive dark web intelligence database is exposed. Chinese hackers exploit a video conferencing zero-day. The intelligence community rolls out cyber modernization plans. React2Shell attacks spread at scale. Iowa sues UnitedHealth over the Change Healthcare breach. Moves to bar kids from social media. Researchers warn about hidden risks in power regulation. An insider extortion plot locks admins out of hundreds of servers. Our guest is Brandon Karpf with insights on the war in Iran. And an espresso exploit exposes executive emails.
Dave Bittner
April 3, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us. Happy Friday. Recent Iranian strikes on telecom and cloud-linked facilities in Bahrain, and a claimed attack on an Oracle data center in the UAE, signal a shift in modern conflict: commercial cloud infrastructure is becoming a wartime target. Earlier drone attacks in March hit multiple AWS facilities across the region, disrupting banking, payments and government services, reinforcing what analysts describe as a clear pattern rather than isolated incidents. Iranian sources frame the strikes as responses to alleged US military and intelligence use of these platforms, highlighting the growing dual-use nature of commercial data centers. This raises serious risks for enterprises that depend on regional cloud availability. At the same time, threats to submarine cables and maritime chokepoints such as the Strait of Hormuz increase the possibility of wider global connectivity disruptions. For CIOs, the takeaway is that geopolitical risk must now factor into infrastructure planning, including multi-region redundancy, war-scenario continuity testing, and closer scrutiny of cloud service contracts. Researchers at UpGuard discovered a publicly accessible Elastic database in March containing nearly a terabyte of dark web and Telegram threat intelligence, apparently tailored to Chinese state interests. The data set tracked breach victims, data brokers, journalists, social media groups, Telegram channels, and Tor marketplaces, with annotations such as "China related," "US related" and "counter-revolutionary speech." It included roughly 1 billion breach records and monitoring of thousands of underground sources. The exposure highlights how China, despite its advanced offensive cyber campaigns such as Salt Typhoon and Volt Typhoon, relies on threat intelligence methods similar to Western defenders.
It also reflects a broader shift toward pre-positioning in critical infrastructure and AI-assisted cyber operations. Overall, the leak illustrates how large-scale, surveillance-style threat intelligence systems are now central to both national cyber defense and geopolitical competition. Chinese hackers exploited a zero-day vulnerability in TrueConf video conferencing software to target government entities in Asia. According to Check Point, the flaw stems from the client's failure to verify update integrity when retrieving packages from on-premises servers. Attackers compromised a government-operated TrueConf server, replaced legitimate updates with malicious ones, and distributed them to dozens of agencies through the trusted update process. The implanted malware enabled reconnaissance, persistence, lateral movement preparation, and communication with infrastructure linked to the Havoc post-exploitation framework. Because TrueConf is widely used in isolated government and critical infrastructure environments, the attack leveraged centralized trust rather than endpoint compromise. TrueConf patched the issue, and CISA added the vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to remediate it by April 16th. The Office of the Director of National Intelligence announced new cybersecurity and technology modernization measures after a year-long effort across the US intelligence community. The initiatives include policy standards for applying artificial intelligence to cyber defenses, expanded automation of threat hunting across intelligence networks, and development of a zero trust strategy focused on protecting data regardless of location. ODNI also created a shared repository of cybersecurity-reviewed applications to reduce duplication of testing and speed deployment across agencies. The National Counterintelligence and Security Center was directed to counter foreign intelligence cyber threats more proactively.
The effort aligns with broader national cyber strategy goals to strengthen federal network defenses and advance defensive AI capabilities. The announcement marks the first major cybersecurity update under Director of National Intelligence Tulsi Gabbard during the second Trump administration. Cisco Talos researchers warn that threat actor UAT-10608 is exploiting a critical React vulnerability known as React2Shell to compromise vulnerable Next.js applications at scale. Using automated scanning, the attackers gained remote code execution and deployed scripts with the Nexus Listener framework to harvest credentials, cloud tokens, SSH keys and environment secrets. Talos observed at least 766 compromised systems and over 10,000 stolen files within 24 hours. The campaign targets publicly exposed deployments indiscriminately, and researchers advise organizations to rotate all exposed credentials immediately to reduce the risk of lateral movement, supply chain compromise and further intrusion. Iowa Attorney General Brenna Bird has sued UnitedHealth Group and its Optum and Change Healthcare units over the 2024 ransomware attack that disrupted healthcare operations and exposed data from nearly 193 million people nationwide, including 2.2 million Iowans. The lawsuit alleges violations of Iowa consumer protection laws, breach notification requirements and HIPAA-related obligations, and seeks civil penalties, damages and mandated security improvements. Officials say attackers remained undetected for 10 days, stealing Social Security numbers, medical records and insurance data while crippling claims processing across the state. The BlackCat ransomware incident halted insurance transactions and imposed significant costs on providers. UnitedHealth disputes the claims. Additional state lawsuits and a federal investigation by the Department of Health and Human Services remain possible.
France's Senate has approved legislation to ban social media access for children under age 15, advancing a proposal that could make France the first European country to adopt restrictions similar to Australia's approach. The bill would classify platforms by risk level, imposing outright bans on those deemed harmful to minors while allowing limited access to others with parental consent. Education platforms would be exempt. The measure reflects a broader European trend, as the European Union, Spain, the Netherlands and the United Kingdom consider similar age restrictions and verification requirements aimed at strengthening online protections for children. DC power regulation underpins modern digital infrastructure but has evolved from a simple voltage stabilization function into a critical cybersecurity dependency, as described in the NCC Group report, The Silent Dependency: DC Power Regulation in Cyber-Physical Security. Regulators now rely on embedded firmware, digital control and network connectivity, making them part of the cyber-physical attack surface rather than passive electrical components. Compromise at this layer can manipulate voltage, disrupt availability, corrupt data, or trigger cascading failures across data centers, industrial systems and telecommunications environments. Modern risks include insecure firmware updates, supply chain exposure, lateral movement through management networks, and physical fault injection techniques such as voltage glitching. The report recommends treating power regulation as a security architecture component, with secure boot, segmentation, telemetry monitoring and supplier verification. As AI-assisted power management and IT/OT convergence increase complexity, securing power infrastructure becomes essential to maintaining system resilience and trust.
A former infrastructure engineer has pleaded guilty to sabotaging his employer's network in an attempted extortion scheme that locked administrators out of hundreds of systems. Prosecutors say Daniel Rhyne used unauthorized access to a Windows domain controller in November 2023 to delete admin accounts, reset passwords across more than 300 user accounts, and target credentials affecting 254 servers and over 3,000 workstations. He also scheduled server shutdowns and sent ransom emails claiming backups were deleted, demanding 20 bitcoin to halt further disruption. Investigators later found he had researched methods for clearing logs and modifying administrator credentials before the attack. The incident highlights the risks posed by insider threats with privileged access. Rhyne faces hacking and extortion charges carrying a maximum sentence of 15 years in prison. Coming up after the break, my conversation with Brandon Karpf, who has insights on the war in Iran. And an espresso exploit exposes executive email. Stick around. Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel, outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com. Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs.
From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire. It is always my pleasure to welcome back to the show Brandon Karpf. He is the leader of International Public-Private Partnerships at NTT, also a former member of the intelligence community and a US Naval Academy grad. Brandon, welcome back.
Brandon Karpf
We're doing the full CV today.
Dave Bittner
Well, I think it's good context for the conversation we're going to have today. So you and I are just freshly returning from the RSAC conference in San Francisco, and you have some thoughts on what you did and did not see when it comes to conversations about the current conflict in Iran?
Brandon Karpf
Yeah, we're all still recovering from the week in San Francisco, for sure. And we're at this place now where we find ourselves about day 30 of the war with Iran, and the statements and the confluence of events around cybersecurity and cyber operations. You know, Iranian hacker alliances across their multiple threat actor groups, Cyber Avengers and Handala, potentially holding at risk our domestic US water infrastructure. They came out with some statements just in the last few days specifically holding at threat some of our water treatment plants in the US, and none in particular. But, you know, there's some early indications and previous events that seem like those threats are potentially legitimate, and then combined with the ongoing lapse of funding with DHS, which obviously funds organizations like CISA and FEMA and other early response organizations, and all that kind of framed with what we experienced last week at RSA, and potentially didn't experience, and some of the concerns, but also the calls to action that I have, and I think other people have, to our security community.
Dave Bittner
Do we consider it a credible threat that Iran would be coming after our water treatment plants? Is that a legit soft target?
Brandon Karpf
Yeah, I think so. You know, it's without obviously having access to threat indicators from water treatment plants. There was an incident in Aliquippa, Pennsylvania a few years ago where Cyber Avengers, which is one of the Iranian APTs, did infiltrate and attack that OT/ICS system for the water authority in that township. Others, you know, Handala with a recent Stryker manufacturing breach and compromise. So Iran has shown themselves certainly capable of having cyber effects on core infrastructure. The Stryker incident recently has caused a huge issue in terms of medical device supplies in the US, but then more specifically to those water treatment plants: water treatment plants historically in the US are under-resourced on security infrastructure and security technologies. And the fact that they have done it before to a US water treatment plant brings up concerns that water utilities are definitely at risk, and we might not necessarily have the authorities and the national coordination in place to respond or deter that type of an attack.
Dave Bittner
It is interesting to me that in the conversations that I had at RSAC, Iran really didn't come up very much.
Brandon Karpf
Yeah, same with me, which I'm a little confused as to why that is. We've spent the last few years responding to the Typhoons, right? Volt and Salt Typhoon pre-positioning in US critical infrastructure. And my industry, telecommunications, saying that we still have a problem. It's two years later, we still have problems here. And the focus, whether it's the state and local governments or the federal government and then other resource providers, technology companies, security vendors, they just don't really seem to have the amount of serious focus that I would say is necessary for these threats right now. And then certainly being 30 days into a legitimate war with Iran, who has not necessarily the best-of-class cyber capabilities, but certainly they are a real threat actor. Maybe not tier one, but tier two, but have shown their willingness, capability and intent on actually having cyber effects on US critical infrastructure. To me, I mean, we've talked about Shields Up in the past when Jen Easterly was running CISA. I mean, this right now is a Shields Up situation where the community needs to take this more seriously and start leveraging assets and putting resources towards these facilities. Especially when, I mean, as a nation
Dave Bittner
we are at war, and underfunded or not funded at the moment, with the budget not passing, and even before that, all of the cuts that we've seen
Brandon Karpf
at places like CISA, yes. CISA has certainly had a staffing collapse over the last 12 months. I mean, they are down at least 30% in terms of total staff, but then 60% of their staff right now is suspended or furloughed. And, you know, they have another thousand job vacancies. So CISA is on critical functions only. And so, you know, we have that issue. But then, kind of broadly speaking, you know, bringing it back to RSA last week, I see a lot in terms of exquisite capabilities and new technologies and flashy marketing, which is all important. I mean, I think that stuff is valuable for the community. It's a little noisy, but there's value in there. What I'm not seeing is the basic blocking and tackling. How do we take the under-resourced belly of our national economy, which is all this critical infrastructure, and how do we leverage the power of the community, leverage the power of coordination, intelligence sharing, incident response, preparation, or even kind of getting ahead of the incident and imposing costs on adversaries and making our targets hard to hit? I'm not seeing a lot of conversations that are driving towards that direction. And there are things out there that are doing this, and I'll call out a few. The CLTC, the Center for Long-Term Cybersecurity, building these cyber clinics, which are basically kind of public benefit, you know, a similar model as the local health clinics, but for cybersecurity. And those resources are certainly helping the most under-resourced regions of our country. But that's just one organization. We need a lot more of that. And that's kind of my call to action to this whole community: the things we're talking about are scary and real threats. It's not fear, uncertainty and doubt. I'm not trying to just say everything is bad and everything is scary.
But we're in a serious situation as a nation and we need to respond as a community to start leveraging the knowledge we have, the skills we have, the wisdom we have to minimize the effect that the soft underbelly of our national economy really is exposed to.
Dave Bittner
Do you think we're lulled into a sense of safety partly by our geographic isolation, that we have oceans on other side, or have we been at this cyber game long enough that in the
Brandon Karpf
rearview mirror, I think that's certainly part of it. America's always benefited from having that standoff, from not really having adversaries on our shores. But, I mean, the difference with cyber is the cyber domain crosses geographic boundaries, and it makes it much easier to attack across those boundaries. I think the other area that has made us kind of lulled into a sense of, I don't want to say complacency, because a lot of folks in this community are working very hard to solve these things, but maybe a lack of urgency, is the fact that for years now this community has, you know, just almost like what I've been doing in the last 10 minutes, been talking about the potential for serious effects, the potential for serious attacks. The, you know, the analogies folks have used is the cyber 9/11 or the cyber Pearl Harbor. And that, kind of again, yes, fear, uncertainty and doubt can only be used so much, right? The Boy Who Cried Wolf can only be espoused so many times before people start losing interest. And we've been doing it for a very long time, and there hasn't been huge incidents, except for the fact that there really has, and we forget about it. So Colonial Pipeline is an example, right? The Aliquippa water treatment plant that I just mentioned. The Stryker attack from just a few weeks ago, right? SolarWinds, et cetera, et cetera, Heartbleed, right? These things have cost trillions of dollars to the global economy. Think about WannaCry, think about NotPetya. You know, these cyber events are very real and have cost us a lot of money. It's been a few years since we've had a massive one in this country, but they do keep happening. And for some reason we kind of write it off as a one-off, even though every couple of years we're getting a massive attack that costs the economy tens of billions, if not hundreds of billions, of dollars.
And for some reason we're still not understanding that we need to leverage a lot more public resources into that soft underbelly first before we move on to the exquisite top of the line, best of class technologies. It's really the basics in hardening those soft targets that are the national critical infrastructure.
Dave Bittner
So what's the call to action then for the professionals and those of us who are on the sidelines? Is this double your efforts? Is this a call your representative situation? What can people actually do?
Brandon Karpf
I would say first there has to be political will. So yeah, call your representatives. I mean, start sending in regular messages to your local representatives, even your state representatives, right? The states have a lot of control here. New York State just implemented some new cybersecurity controls for their water treatment plants, which were just enacted a few weeks ago. Now, those were mandatory reporting laws, so again, that is after breach, but again, there is showing some willingness to start taking action there. But I do think driving political will, and how important it is for the federal government to fund CISA, to drive those resources toward those coordinating authorities that CISA has but needs the human resources and the capital to actually deliver on, I think that would go a long way. On top of that, supporting local organizations. I mean, again, I mentioned CLTC is one, the Center for Long-Term Cybersecurity and their cyber clinics programs. A lot of the funding for that did come from, I think, larger federal grants, some of them from large organizations like Google and others. And Craig Newmark as well, in his philanthropic work, has funded some of their activities. But they need more support. They need personnel who are willing to donate some of their time. Just like how lawyers donate some of their time pro bono, cybersecurity operators, practitioners, should be looking for opportunities to donate your time to those types of cyber clinics. And I think they're operating in at least a dozen states now, if not more, but growing that type of resource. And then if you do run a managed services or MSSP organization, thinking about how that organization can support local critical infrastructure, whether that's water treatment, energy infrastructure, you know, electrical grids, et cetera. And not all of those engagements are going to be paid.
And I know I'm asking you to donate your time, but I think we need just a little more community give back in the cybersecurity industry to try to resolve this critical center of gravity that our adversaries are actively targeting and telling us that they're going to target. And quite frankly, when an adversary tells me they're going to target something, I'm going to believe them. I'm going to say that that's probably true. So let's do something to mitigate that.
Dave Bittner
Brandon Karpf is leader of International Public-Private Partnerships at NTT. Brandon, thanks so much for taking the time.
Brandon Karpf
Thanks David.
Dave Bittner
Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold. With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. And finally, in a cautionary tale for defenders everywhere, a digital forensics investigator discovered that a company's mysterious data breach was not the work of elite hackers but of a chatty office coffee machine. According to The Register, executives initially suspected corporate espionage. Investigators instead found an Internet-connected espresso maker quietly exfiltrating sensitive data abroad every time someone brewed a cup.
The device sat comfortably inside the secure network, protected by a default password, an outdated operating system, and apparently unlimited trust. The awkward briefing that followed informed leadership that their security posture had been undone by cappuccino. Experts noted such incidents are not rare: connected devices often lack monitoring and basic safeguards, making them convenient entry points. The lesson is change default passwords, segment networks, and remember that in modern environments, even the break room may be part of your attack surface. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Santiago Pontiroli, Threat Intelligence Research Lead from Acronis. We're discussing their work, "New Year, New Sector: Transparent Tribe Targets India's Startup Ecosystem." That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.
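The TrueConf story in today's briefing turns on one missing check: the client installed whatever package the on-premises update server handed it, with no verification of the package's integrity or origin, so compromising that one server was enough to push an implant to every agency that trusted it. The Go program below is an added example written for this page; it is not code from TrueConf, Check Point or the episode. It shows the check that closes that gap: the vendor signs a small manifest (version plus SHA-256 of the package) with an Ed25519 key that never lives on the update server, and the client, which carries a pinned copy of the vendor's public key, verifies both the signature and the digest before installing. The manifest layout, the Scenario function and the package bytes are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is what an update server hands to clients: the package digest plus a
// signature from the vendor's offline key. The layout is a hypothetical illustration.
type Manifest struct {
	Version   string
	SHA256    string // hex SHA-256 of the package bytes
	Signature []byte // Ed25519 signature over manifestBytes(Version, SHA256)
}

var (
	ErrBadSignature   = errors.New("manifest signature invalid: not signed by vendor key")
	ErrDigestMismatch = errors.New("package digest does not match signed manifest")
)

// manifestBytes is the exact byte string the vendor signs and the client verifies.
// Binding the version into it stops a valid old manifest being replayed under a new version.
func manifestBytes(version, digest string) []byte {
	return []byte("update-manifest-v1\n" + version + "\n" + digest)
}

func packageDigest(pkg []byte) string {
	d := sha256.Sum256(pkg)
	return hex.EncodeToString(d[:])
}

// SignManifest runs on the vendor's build/signing system. The private key must
// never be deployed to the on-premises update server that distributes packages.
func SignManifest(priv ed25519.PrivateKey, version string, pkg []byte) Manifest {
	digest := packageDigest(pkg)
	return Manifest{
		Version:   version,
		SHA256:    digest,
		Signature: ed25519.Sign(priv, manifestBytes(version, digest)),
	}
}

// VerifyUpdate is the client-side check that was missing in the incident: a package
// is accepted only if the manifest carries a valid vendor signature AND the served
// bytes hash to the digest in that manifest. vendorPub is pinned in the client, so a
// compromised update server cannot swap it.
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, pkg []byte) error {
	if !ed25519.Verify(vendorPub, manifestBytes(m.Version, m.SHA256), m.Signature) {
		return ErrBadSignature
	}
	if packageDigest(pkg) != m.SHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// Scenario walks through the attack with constructed data: a genuine release, then a
// compromised server serving a trojaned package, first with the original manifest and
// then with a manifest whose digest the attacker rewrote but cannot re-sign.
func Scenario() (genuineErr, swappedPkgErr, forgedManifestErr error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := []byte("constructed: genuine client installer bytes")
	m := SignManifest(vendorPriv, "8.5.1", genuine)
	genuineErr = VerifyUpdate(vendorPub, m, genuine)

	trojan := []byte("constructed: installer with implant appended")
	swappedPkgErr = VerifyUpdate(vendorPub, m, trojan)

	forged := m
	forged.SHA256 = packageDigest(trojan) // digest now matches, signature no longer does
	forgedManifestErr = VerifyUpdate(vendorPub, forged, trojan)
	return
}

func main() {
	g, s, f := Scenario()
	fmt.Println("genuine package:         ", g)
	fmt.Println("swapped package:         ", s)
	fmt.Println("forged manifest+package: ", f)
}
```

The design point is where the trust root lives: the vendor's public key is pinned in the client and the signing key stays offline, so the on-premises server is reduced to a mirror. Checking a digest alone, with the digest fetched from the same server, would not have helped, since whoever controls the server controls both the package and the digest.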
Host: Dave Bittner (N2K Networks)
Guest: Brandon Karpf (NTT)
This episode centers on the escalation of cyber conflict amid the Iran war, as commercial cloud data centers and core digital infrastructure face direct attacks and systemic risks. It covers recent high-profile breaches, legislative responses, and practical guidance for organizations. The feature interview with cyber expert Brandon Karpf delves into under-addressed vulnerabilities in US critical infrastructure, the true threat from Iran, and the cyber community’s need for action—moving past expensive technology to fundamental security hygiene.
This episode illustrates how the war in Iran is shaping global cyber risk—cloud providers and submarine cables are fair game, and the US urgently needs to shore up its under-resourced critical infrastructure before a catastrophic attack arrives. Despite warnings and recent real-world impacts, there’s persistent complacency. Speakers call for action: push for political support, engage in local cybersecurity volunteering, and refocus on defense of basic critical systems. Even as advanced cyber foes grow more formidable, sometimes the weakest spot is a coffee machine with a default password.
For full episode transcripts, related articles, and more insights, visit cyberwire.com