A
You're listening to the Cyberwire Network powered by N2K.
B
No, it's not your imagination. Risk and regulation are ramping up, and customers expect proof of security just to do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together, all on one AI-powered platform. Whether you're preparing for a SOC 2 or managing an enterprise GRC program, Vanta helps keep you secure and your deals moving. Companies like Ramp and Rytr report spending 82% less time on audits. That's not just faster compliance, that's more time to focus on growth. When I look around the industry, I see over 10,000 companies, from startups to big enterprises, trusting Vanta. Get started at vanta.com/cyber.

Conflict in the Middle East disrupts the circuit board supply chain. The Supreme Court considers arguments on geofence searches. A new report highlights Chinese digital transnational repression. The NCSC protects HDMI and DisplayPort links. Tennessee bans cryptocurrency ATMs. Researchers expose a financially motivated subgroup of North Korea's Lazarus Group. Medtronic confirms a ShinyHunters data breach. Tim Starks from CyberScoop discusses telecom vulnerabilities, and a helpful AI deletes everything.

It's Tuesday, April 26, 2026. I'm Dave Bittner, and this is your CyberWire intel briefing. Thanks for joining us here today. It's great, as always, to have you with us.

Conflict in the Middle East has disrupted supplies of key raw materials used to manufacture printed circuit boards, driving sharp price increases across the electronics sector. Strikes on Saudi Arabia's petrochemical complex halted production of high-purity polyphenylene ether resin, a critical PCB laminate input largely supplied by SABIC, which produces about 70% of global supply. Shipping disruptions in the Gulf have further tightened availability.
At the same time, demand for PCBs has surged due to expanding AI server production, pushing prices up as much as 40% between March and April, according to analysts at Goldman Sachs. Additional shortages of copper foil, glass fiber and epoxy resin have compounded pressures. Manufacturers are now renegotiating prices with customers as lead times stretch and material costs continue rising. Meanwhile, a hacking group linked to Iran's Ministry of Intelligence, known as Handala Hack Team, claimed it leaked personal data of just under 2,400 US Marines in the Persian Gulf and threatened further exposure. The group said it holds detailed information on families, locations and activities, and warned personnel they could be targeted by drones and missiles. It also signaled plans to release U.S. Navy data. Yesterday, during oral arguments in Chatrie v. United States, the Supreme Court signaled it is likely to rule that police geofence searches of cell phone location data qualify as Fourth Amendment searches and therefore require warrants. The case centers on whether law enforcement can request data identifying all devices near a crime scene without probable cause. Several justices expressed concern about the breadth of such searches, suggesting warrants should be narrowly tailored. The discussion crossed ideological lines, with both conservative and liberal justices questioning the government's position. Privacy advocates view the likely outcome as significant, since a ruling against warrant requirements could have enabled broader reverse searches, including keyword-based requests. Google supported the plaintiff, warning that past geofence warrants have exposed thousands of users' location histories. While the Court appears unlikely to ban the practice entirely, it seems poised to impose constitutional limits on how location data can be collected. We'll be having a detailed discussion of the Supreme Court case on this week's Caveat podcast, which drops on Thursday. Do check it out.
Citizen Lab and ICIJ identified two China-aligned threat actors targeting diaspora activists and journalists through digital transnational repression. Glitter Carp used phishing, fake security alerts, impersonation and tracking pixels against Uyghur, Tibetan, Taiwanese and Hong Kong activists as well as ICIJ members. Its goal appeared to be stealing email credentials for possible follow-on access. Sequencarp focused on journalists, including ICIJ's Scilla Alecci, using fabricated or co-opted personas and OAuth consent phishing, which can grant persistent Gmail access without stealing a password. Citizen Lab assesses with high confidence that both actors are affiliated with the Chinese government, and with medium confidence that private contractors may be involved. The report argues these campaigns show how outsourced cyber operations can scale repression, undermine trust among civil society groups and expand targeting from diaspora communities to journalists investigating China's overseas repression. The UK's National Cyber Security Centre has launched Silent Glass, a plug-in device that protects HDMI and DisplayPort links between computers and monitors. Developed through NCSC-led research and licensed to Goldilock Labs with manufacturing support from Sony UK Technology Centre, the device inspects traffic passing through display connections and blocks suspicious or unauthorized activity. NCSC says monitors can expose sensitive information and may create overlooked pathways into larger systems, especially where physical access, supply chain risk or third-party maintenance are factors. Silent Glass is designed for simple, affordable deployment across government and business environments. Its commercialization marks a broader shift towards protecting hardware interfaces, not just software and networks, and brings national-security-grade research into wider commercial use.
Tennessee has passed a law banning cryptocurrency ATMs starting July 1, citing their growing role in fraud schemes targeting vulnerable residents. The state follows Indiana in restricting the kiosks, while similar legislation is advancing in Minnesota. Law enforcement officials say scammers commonly use crypto ATMs in government impersonation, tech support, romance and pig butchering scams, urging victims to deposit cash that is quickly converted to Bitcoin and transferred to criminal wallets. According to the FBI, over 13,000 complaints in 2025 involved $389 million in losses tied to crypto ATMs, with most victims over age 60. Regulators have also sued major operators, including Bitcoin Depot, CoinFlip and Athena, alleging the machines frequently facilitate scam activity rather than legitimate transactions. Arctic Wolf reports a targeted intrusion against a North American Web3 company, attributed with high confidence to BlueNoroff, a financially motivated subgroup of North Korea's Lazarus Group. The attackers impersonated a fintech legal expert and sent a spear-phishing Calendly invite with a typo-squatted Zoom link. The fake meeting interface covertly captured webcam footage and deployed clipboard injection malware, enabling rapid credential theft focused on cryptocurrency wallet extensions. The compromise progressed from initial click to full system access in under 5 minutes. Investigators identified more than 100 additional global targets across 20 countries, many in crypto and investment roles, with CEOs and founders heavily represented. Analysis also revealed infrastructure supporting typo-squatted domains and a pipeline combining stolen webcam footage with AI-generated images to create convincing deepfake meeting lures for future attacks. Medical technology company Medtronic confirmed a cyber intrusion after the ShinyHunters group claimed it stole more than 9 million records and corporate data.
The company said there's no evidence the incident affected products, patient safety, manufacturing or hospital customer networks, which remain separately managed. Medtronic has not confirmed data theft, but is investigating whether personal information was accessed. ShinyHunters later removed Medtronic from its leak site after issuing a ransom deadline, suggesting a possible payment, though this remains unconfirmed. Coming up after the break, Tim Starks from CyberScoop discusses telecom vulnerabilities. Stay with us. And now a word from our sponsor, the Center for Cyber Health and Hazard Strategies, also known as CHHS. Looking for a graduate degree that will give you an edge on your professional career? Earn a Master of Science in Law at the University of Maryland Carey School of Law. This part-time, two-year online graduate degree program is designed for experienced professionals to understand the laws and policies that impact your industry. Learn from CHHS faculty who are experts in their field. No GRE required. Learn how you can master the law without a JD at law.umaryland.edu.
C
Study and play come together on a Windows 11 PC, and for a limited time, college students get the best of both worlds. Get the unreal college deal: everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows.com/studentoffer. While supplies last; ends June 30th. Terms at aka.ms/collegepc.
B
It's always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back.
D
Dave, you say it's always my pleasure, but it's my pleasure.
B
It's a mutual pleasure, isn't it?
D
All right. It's a very mutual pleasure. Let's let go down the throne. Dave.
B
I don't know what to make of that, but let's talk about the story that you recently wrote and published here. This is titled "Surveillance Campaigns Use Commercial Surveillance Tools to Exploit Long-Known Telecom Vulnerabilities." That sounds a bit foreboding. Can you unpack what you've discovered here, Tim?
D
Yes. So I'll just say credit to the discoverers-in-chief on this, which are Citizen Lab, the University of Toronto outfit that does a lot of deep work on spyware and commercial surveillance vendors that might not just be spyware. So what they found... do you remember SS7, Dave? It's been a while. Signaling System 7 was this kind of vulnerability that people were worried about a while back, years ago, related to the protocols for signals sent through the telecom system and how those signals are routed. That was a 3G, mainly, problem. There's a new system for 4G and most of 5G called Diameter. There are worries about that being secure as well. And so what Citizen Lab found here was the first occasion of attackers that linked the vulnerabilities of Diameter and SS7 to a commercial surveillance vendor. And they found it being routed worldwide through two campaigns. What's interesting about this is that the nature of the telecom system made it hard for them to figure out who was doing this and what vendor they were using.
B
Hmm. So help us understand exactly what's going on here.
D
What's the exploit with these kinds of vulnerabilities? What you're talking about is someone intercepting information from phones, going into the infrastructure, and then being able to track a target. So it's a surveillance campaign, and anybody who basically has a phone could be vulnerable to this. Right. The way this infrastructure works is pretty byzantine. What they found is that there were countries worldwide where this was happening, from the UK to China to Mozambique. Now, I will say that some of the companies whose infrastructure they found being exploited here say, we can't verify this. This is not necessarily something we are confirming or agreeing with. So there is some ambiguity here about this. But even the researchers, talking to Ron Deibert over there, this was something that was a little elaborate and hard for them to get into. But it involves text messages, it involves getting into the system and pretending to be the system, and therefore being able to do a lot after that.
B
And who do we seem to be targeting here? I mean, is this a nation state espionage kind of thing or is this the kind of thing that anybody can go out and hire this company to put a bullseye on somebody's back?
D
It could be a nation state. They talked about the typhoons, you know, the Chinese hacking groups that have that Microsoft name of X Typhoon, whatever the typhoon may be. But it could also be the kinds of nation states that rely on these commercial surveillance vendors. You know, Israel is an area, one of the main communications providers that was affected by this was Israel. And Israel is a real hotbed for spyware companies. You know, name them and they probably got an Israel connection. So that's another mystery, right, is who's doing this and who are they doing it for. But it could be just about anybody. There was an unrelated story that I didn't mention that was out this past week in the Guardian, with the UK saying that they believe that there are 100 countries that have access to spyware vendors that could get into the UK's infrastructure. So the realm of possibilities here is really large. And one of the researchers made a comment to another publication that said that these two surveillance campaigns are the ones we found. There could be so many more like this.
B
Your reporting points out that Senator Wyden from Oregon is looking into this and has asked CISA for some information.
D
Yeah, he's been asking for information from CISA on this for, I think, going back to at least 2022. And you know, the Sean Plankey CISA nomination that fell apart, one of the reasons that it was being held up was over Ron Wyden wanting this report, and he wants to know more about the telecom vulnerabilities that are out there, particularly related to SS7 and Diameter. The FCC also has concerns about these things. Or at least they did in 2024. They said they were opening a probe into these vulnerabilities. I do not know the status of that under this administration. So it's something that people have been worried about for a while, but this is something that maybe should give them a little additional worry.
B
Yeah, it's such a weird space. Like, I remember years ago digging into the Stingray devices, and one of the things I learned just talking to folks from the FCC on background was that the FCC is very deferential to law enforcement when it comes to those sorts of devices. And I would have thought that anything that spoofs a cell phone tower would be verboten, but not necessarily the case.
D
Yeah. And there's some legal issues around that. Right. You know, we're going to get a Supreme Court argument about what kinds of surveillance the federal government can do on things like this, particularly related to cell phone records. And you know, the Supreme Court has ruled on some of this in the past as it relates to cell site location information, if I've got the acronym right. It's a fertile ground for attackers. It's a fertile ground for the government to get information about us. But this is the off-the-books stuff. This is the stuff that is not authorized. This is the stuff that is not controlled by the U.S. government that this Citizen Lab stuff has found out about.
B
Is there anything to be done here by mere consumers, or is this the kind of thing where we're going to have to wait for some scrutiny from folks like the FCC?
D
This is pretty much not something that consumers have control over, which makes it a little scarier in a certain way. Right. There's not a lot of, like, oh, I'll just set up some multi-factor authentication and I'm good. These are vulnerabilities that are in the system that would require regulators or the companies themselves to take action. And it's hard for them to take action on this because we're talking about sort of backbone-like infrastructure. So anything that they did would have to be deep, deep fixes. Diameter was supposed to be a little more secure than this, but it turns out maybe not as secure as it should have been.
B
Right.
D
Ostensibly more secure than SS7. Not fixed. When they said, okay, we're going to build in some more security into this. Well, they didn't build it in quite enough, it seems.
B
Yeah. No, I feel like so many of the stories that you and other folks write include the phrase "turns out." Right.
D
Yeah, a lot. Yeah, it's funny. You know, one of the things that, when government and people in the industry talk about, like, oh, you know, 90% of attacks could be defended against if we just did basic cyber hygiene. Right? Like things like multi-factor authentication, keeping up-to-date passwords, patching. That basic stuff is not what this is about.
B
Right. Right. Tim Starks is senior reporter at CyberScoop. We will have a link to his reporting in our show notes. Tim, thanks so much for joining us.
D
Thank you.
A
When you need to build up your team to handle the growing chaos at work, use Indeed Sponsored Jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills, certifications and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit at Indeed.com/podcast. That's Indeed.com/podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed Sponsored Jobs.
E
It's time to bring on the blooms at the Home Depot with Spring Garden Deals. Find savings on hanging baskets and flowers to brighten your backyard or any space that needs instant color. Then get everything you need to plant and protect them, with low prices guaranteed on soil and mulch. Dig into Spring Garden Deals for four days at the Home Depot, now through May 10th. Exclusions apply. See homedepot.com/pricematch for details.
B
And finally, founder of PocketOS Jere Crain says his company's production database vanished in just nine seconds after an AI coding agent, Cursor running Anthropic's Claude Opus 4.6, tried to help. Assigned a routine staging task, the agent instead deleted a shared cloud volume along with every backup stored on it. When asked why, the AI reportedly confessed it guessed instead of verifying, skipped documentation and ran a destructive command anyway. A refreshingly honest postmortem for software. Crain places much of the blame on Railway's infrastructure design, which allowed a single API call to erase both live data and backups without confirmation. The result wiped months of customer records, leaving staff reconstructing bookings from payment histories and emails. A three-month-old backup survived, but the rest required manual recovery. The episode offers a modern reminder: automation moves fast, especially when it's confidently wrong. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Episode Title: War hits where it hurts
Date: April 28, 2026
Host: Dave Bittner (N2K Networks)
Guest Interview: Tim Starks, Senior Reporter at CyberScoop
This episode delivers a comprehensive briefing on major cybersecurity developments, highlighting how instability in the Middle East is directly impacting technology supply chains, new legislative and regulatory moves in privacy and crypto, cyberespionage revelations, the latest in hardware security, and a cautionary tale of an AI agent that erased an entire production database. The episode closes with an insightful interview with Tim Starks on how outdated telecom vulnerabilities are fueling global surveillance, and what (little) consumers can do about it.
Tone: direct, analytical, and concise, with a sense of urgency around global cyber-political risks and a dash of wry humor during the guest interview. The episode is information-dense but approachable, with real-world implications for both organizations and individuals.
For more details or links to referenced stories, visit the thecyberwire.com daily briefing.