CyberWire Daily – "Watch out for cybercrime frequent flyers"
Date: March 16, 2026
Host: N2K Networks (Dave Bittner)
Guest: Tim Starks, Senior Reporter, Cyberscoop
Episode Overview
This episode of CyberWire Daily is packed with the latest cybersecurity news, covering international incidents affecting supply chains, AI’s accelerating effect on cyber threats, major data breaches, shifts in fileless malware, and a unique market for cybercriminals: airline miles. The episode culminates in an in-depth interview with Tim Starks (Cyberscoop), analyzing Iranian-linked cyberattacks, especially the significance and context of the Stryker attack.
Key Discussion Points and Insights
Global Supply Chain Disruption (00:57)
- Qatar Helium Facility Attack: A drone strike, allegedly Iran-linked, shut down Qatar Energy’s Ras Laffan helium facility (March 2), removing 30% of the world’s helium and threatening the semiconductor industry due to helium’s critical use in chip manufacturing.
- South Korea is highly vulnerable, sourcing ~65% of its helium from Qatar.
- If disruptions persist, supply chain reconfigurations could take months, reminiscent of shocks post-Ukraine invasion.
- Critical Insight: There’s no effective substitute for helium in the chip industry, making these vulnerabilities acute.
China-Linked Military Espionage Campaign (02:47)
- Palo Alto Networks Report: An extended cyber espionage campaign targets Southeast Asian military organizations and is attributed to a China-linked group tracked as CL-STA-1087.
- The group remains dormant in networks for months, deploys custom tools (AppleChris, Memphun, GetPass), and uses PowerShell scripts for lateral movement.
- Focus is on military capabilities and joint operations with Western forces.
- Analyst Takeaway: Infrastructure clues and operational patterns point to a Chinese origin.
AI Speeds Up the Cyber Arms Race (03:55)
- Booz Allen Hamilton Report: Threat actors are adopting AI tools much faster than defenders, compressing breach-to-exploit windows.
- Large language models let attackers automate the discovery and exploitation of subtle vulnerabilities.
- Defenses lag due to slower, manual processes (like patch timelines).
- Organizations are advised to embrace AI-assisted detection and remediation to keep pace.
- Key Quote: "[Attackers] have adopted AI faster than governments and private sector defenders."
Major Incidents and Vulnerabilities (05:21)
- Telus Digital Breach: Shiny Hunters claim to have stolen nearly 1 petabyte of data from Telus Digital via cloud credentials sourced from prior breaches. Data may include customer support records, call recordings, source code, and financial info.
- Microsoft Hot Patch: Out-of-band hot patch for Windows 11 enterprise systems addresses Routing and Remote Access vulnerabilities—applying fixes in-memory without reboot thanks to Windows Autopatch.
- Steam Platform Malware: The FBI is investigating malware-laden games distributed via Steam (e.g., Block Blasters, Dash Verse) that act as trojans, and is asking affected users to come forward.
Surge in Fileless Malware and New Attack Techniques (08:30)
- Fileless Attacks: Trellix reports increased use of malware running purely in system memory, allowing evasion of traditional endpoint protection.
- Also noted: XWorm 7.1 malware-as-a-service (174% increase year-over-year), Remcos RAT, and campaigns exploiting WinRAR and Discord.
- The report stresses the need for behavior-based defenses and continuous updates.
Airline Miles: A New Cybercrime Commodity (09:49)
- Loyalty Program Fraud: Flair finds that attackers sell stolen airline miles from compromised accounts on underground forums, often bundled with access to the victim's email account so the takeover is harder to detect or reverse.
- Major airlines (United, American, Delta) affected.
- Industry losses: $1–3 billion annually.
Business Breakdown: Funding & M&A in Cybersecurity (10:55)
- AI Security Startups: Major funding rounds highlight AI’s role in future security:
- Armadin ($190M, CEO Kevin Mandia), Kai ($125M), Jazz ($61M), Silake ($45M), and several others.
- Industry Deals: Google acquires Wiz ($32B), OpenAI aims for Promptfoo, Quantum Emotion acquires Secure Key.
- Quote: “Investor interest in AI-driven security platforms continues to grow.”
In-Depth Interview: Tim Starks Unpacks the Stryker Attack & Iranian Cyber Activity
Segment Starts: 14:13
Background and Attribution (14:41)
- Stryker Attack: An Iranian group, Handala, claims credit for hacking Stryker, a Michigan-based medtech and defense contractor, using wiper malware that knocked out internal communications and "basically put the company on its knees."
- Quote: "They make a lot of medical devices... really fundamental to a lot of hospital and emergency worker activity... They also have Defense Department contracts." – Tim Starks (14:50)
- Nature of the Attack: Not financially motivated and no ransom demanded; the goal was pure disruption.
- Quote: "They're trying to inflict damage. It's a group that, for the most part, has focused on Israel... Maybe a little different to see it hit a big US Target." – Tim Starks (15:59)
Iran’s Cyber Capabilities in Context (16:24)
- Iran is a significant cyber actor but "not comparable to the US or Israel... probably behind Russia and China as well but they'd be in that next tier."
- Recent uptick in warnings about Iranian activity, but "for the first week and a half, there really wasn't much," aside from minor incidents (e.g., Albanian parliament, Middle Eastern cameras).
- Speculation: Possible mis-targeting: "some even speculated that because there's a family of military vehicles called Stryker that they might have hit the wrong target." – Tim Starks (17:33)
- Possibly opportunistic after discovering a major US target.
Defensive Responses and Threat Level (18:46)
- Companies report increased blocking, but "a lot of the companies that are aware of the activity... make money off of promoting" their threat intelligence, so it's hard to gauge real escalation.
- Full impact may take "weeks to know."
- Key Takeaway on Risk: "I would say it's real, but I wouldn't say it's grave, at least not yet." – Tim Starks (19:46)
- Advice: Standard cyber hygiene (multi-factor authentication, patching) still applies and is effective, even as AI-driven attacks rise.
- "If you weren't already doing things like multi-factor authentication, here's a good excuse to start." – Tim Starks (20:23)
- For small businesses: Attacks may mean DDoS or defacement, not catastrophic breaches.
- Recognize the difference between actual threat and hype. Quote: "It's worth reading and knowing what the threats are, or at least the potential threats and knowing what has happened versus what is probably over-hyped." – Tim Starks (21:23)
AI Toys and Child Safety (24:13)
- Cambridge Study: Researchers urge tighter regulation of AI companions after tests with 'Gabo', a plush robot for preschoolers using OpenAI tech.
- Gabo missed emotional cues—when told "I love you," responded with user guidelines; when a child said "I'm sad," Gabo changed the topic.
- Concern: Psychological safety for children, not just physical safety.
- Quote: "Childhood imagination is powerful enough without adding a chatbot that doesn't quite understand the assignment."
Notable Quotes and Timestamps
- On the Stryker Attack: "They just basically didn't have phones that could work." – Tim Starks (15:02)
- On Iran’s Cyber Tier: "Iran is a power in cyberspace, but they are not comparable... they’d probably be behind Russia and China as well, but they’d be in that next tier." – Tim Starks (16:24)
- On Cyber Hygiene: "All the same defensive techniques work for all of those kinds of attacks too." – Tim Starks (19:54)
- On Broader Impacts: "There’s a chance that as this goes on, as it becomes more prolonged... we will see more activity. I can’t guarantee it. I don’t want to scare people unnecessarily..." – Tim Starks (20:46)
Structure & Flow
- Rapid news briefing on global cyber events and trends
- Deep dive analysis/interview (Stryker/Iranian activity)
- Light coverage of AI toy safety, closing out with a call for regulatory awareness
Conclusion
This CyberWire Daily episode is a microcosm of today’s complex threat landscape: international supply chains exposed to physical and cyber threats, AI rapidly shifting the advantage toward attackers, increasingly valuable non-cash targets (like loyalty points), and state-level actors flexing their muscles in ways both targeted and opportunistic. The main message: Stay proactive, practice cyber hygiene, question the hype, and don’t underestimate the changing face of both traditional and emerging risks.
For more details and links, visit cyberwire.com.
