A
You're listening to the CyberWire network, powered by N2K.
B
AI is changing how enterprises operate and how they stay protected. It's time to eliminate risk and protect innovation. From March 23rd through the 26th, join Trend AI for actionable AI security insights. Catch impactful sessions at RSAC, then unwind and grab a bite at their lounge at Tropisueño. Experience industry-leading AI security in person. Engage with the experts and get your chance to win $500,000. San Francisco: let's AI fearlessly. Learn more at trendmicro.com.

Drone strikes hit a key chip supply chain. China-linked hackers target Southeast Asian militaries. Attackers race ahead with AI. ShinyHunters claim a massive Telus breach. Microsoft issues a hot patch. Malware turns up on Steam. Fileless attacks grow. Airline miles become cybercrime currency. We've got your Monday business breakdown. Tim Starks from CyberScoop unpacks the Stryker attack and the nebulous nature of Iranian cyber activity, and AI playmates puzzle preschoolers. It's Monday, March 16, 2026. I'm Dave Bittner, and this is your CyberWire intel briefing.

Thanks for joining us here today. Happy Monday. It is great to have you with us. A drone attack linked to Iran has shut down QatarEnergy's Ras Laffan helium facility, removing roughly 30% of global supply and exposing vulnerabilities in the semiconductor supply chain. Helium is critical for chip manufacturing, where it cools silicon wafers during etching and lithography, and there is no effective substitute. QatarEnergy declared force majeure after the March 2 strike, disrupting deliveries to global buyers. South Korea is particularly exposed, having sourced about 65% of its helium from Qatar last year. Its government is now reviewing key semiconductor materials tied to Middle Eastern suppliers, including bromine from Israel. Major chipmakers such as SK Hynix and TSMC say they have contingency stocks for now.
However, analysts warn that if the outage lasts beyond two weeks, distributors may need months to reconfigure supply chains, echoing disruptions seen after Russia's 2022 invasion of Ukraine.

Palo Alto Networks reports a long-running cyber espionage campaign targeting Southeast Asian military organizations, attributed to a suspected China-linked threat actor tracked as CL-STA-1087. Active since at least 2020, the group demonstrated patience by remaining dormant inside compromised networks for months before resuming operations. The attackers deployed custom tools including the AppleChris and Memphun backdoors and a credential-stealing utility called GetPass. They also used PowerShell scripts to establish reverse shells, then moved laterally across domain controllers, web servers, IT workstations and executive systems using Windows Management Instrumentation and native net tools. The operation focused on collecting sensitive files related to military capabilities, organizational structures and joint activities with Western forces, including command, control, communications, computers and intelligence systems. Researchers say infrastructure clues, language artifacts and working hours suggest the campaign likely originates from China.

A new report from Booz Allen Hamilton warns that cybersecurity is entering a new phase as artificial intelligence accelerates the pace of cyber attacks and compresses defenders' response times. The report argues that threat actors, including cybercriminals and state-sponsored groups, have adopted AI faster than governments and private-sector defenders. Large language models can help attackers quickly identify subtle vulnerabilities and exploit them at machine speed once inside a network. Booz Allen cites incidents involving AI tools and frameworks that can automate reconnaissance and exploitation across many targets simultaneously.
By contrast, many defensive processes still rely on slower, human-driven workflows such as patch timelines that can take weeks. The report says attackers are using AI both to amplify existing hacking operations and to orchestrate automated attacks. As a result, organizations may need to adopt AI-assisted defenses and automated remediation despite the operational risks.

Telus Digital, the business process outsourcing arm of Canadian telecom provider Telus, has confirmed a cybersecurity incident after threat actors claimed to have stolen nearly 1 petabyte of data in a months-long breach. The attack is attributed to the ShinyHunters group, which allegedly gained access using Google Cloud Platform credentials discovered in data from the earlier Salesloft Drift breach. According to the attackers, the credentials allowed them to access internal systems, including a large BigQuery database, and then pivot further using additional secrets discovered in the data. The stolen information reportedly includes customer support data, call records, voice recordings, source code and financial information linked to companies using Telus Digital's outsourcing services. Telus says it's investigating the incident with forensic experts and law enforcement and is notifying affected customers as the investigation continues.

Microsoft has released an out-of-band hotpatch update to fix security vulnerabilities affecting certain Windows 11 enterprise systems. The flaws involve the Windows Routing and Remote Access Service management tool and could allow remote code execution if a domain-authenticated attacker tricks a user into connecting to a malicious server. The issues were previously addressed in the March 2026 Patch Tuesday release. The hotpatch version delivers the fixes without requiring a system reboot, using in-memory patching for devices managed through Windows Autopatch that rely on continuous uptime.
The FBI is investigating a suspected hacker who allegedly published multiple malware-laden games on the Steam platform over the past two years. Titles linked to the activity include Block Blasters, Dash Verse or Dash FPS, Lampy, Lunara, PirateFi and Tokonova. According to the FBI, the games functioned normally but secretly installed malware, acting as Trojan horses to infect players' computers. Steam later removed the files, though an unknown number of users may have been compromised before the takedown. The FBI is now asking potential victims to come forward as the investigation continues.

Researchers at Trellix warn that cybercriminals are increasingly using fileless malware attacks that run in the system's temporary memory, helping them evade traditional security tools. One example is XWorm 7.1, a malware-as-a-service remote access Trojan that gives attackers full control of infected systems and has seen a 174% rise in use over the past year. In one campaign targeting a network security firm in Taiwan, attackers exploited a WinRAR vulnerability and distributed malicious archives through Discord disguised as game mods. Once opened, the malware used a living-off-the-land technique to run in memory. A separate campaign used the Remcos RAT delivered through phishing emails with procurement-themed lures. Trellix says these attacks highlight the need for behavior-based detection, timely software updates and stronger monitoring of trusted system tools.

Airline loyalty points have become a profitable commodity in cybercrime markets, according to research from Flare cited by BleepingComputer. Attackers typically obtain account credentials through phishing or infostealer malware, then verify which compromised accounts contain valuable miles. These accounts are sold on underground forums, where fraudsters redeem the points for flights or hotel stays that are later resold at discounted prices.
Miles often sell for about a dollar per 1,000 points, sometimes with full email access included to prevent victims from reclaiming their accounts. Major airlines such as United, American Airlines and Delta are common targets, and loyalty fraud is estimated to cost the travel industry between $1 and $3 billion annually.

Turning to our Monday business breakdown, several cybersecurity startups have secured major funding rounds as investor interest in AI-driven security platforms continues to grow. Armadin, an AI-powered red teaming startup founded by Kevin Mandia, launched with $190 million in funding led by Accel, with Mandia serving as CEO. Kai emerged from stealth with $125 million for its AI platform designed to secure IT and operational technology environments. Israeli data loss prevention startup Jazz raised $61 million, while sovereign security operations platform Silake launched with $45 million in seed funding. Other notable raises include Reclaim Security with $26 million, Evervault with $25 million, Scanner at $22 million, Escape with $18 million and Circadence with $16.4 million. Additional early-stage investments went to Gala, Intelligrc, Quantro Security and M Proof. The industry also saw major deal activity. Google completed its $32 billion acquisition of cloud security firm Wiz. OpenAI announced plans to acquire AI security platform Promptfoo, and Quantum eMotion acquired SecureKey technology assets to expand its quantum-resilient cybersecurity stack. We have a much more detailed rundown of all the business news over on our website in our CyberWire Pro Business Briefing.

Coming up after the break, Tim Starks from CyberScoop unpacks the Stryker attack and the nebulous nature of Iranian cyber activity, and AI playmates puzzle preschoolers. Stay with us.

No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in.
Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI-powered platform. So whether you're getting ready for a SOC 2 or managing an enterprise governance, risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this: over 10,000 companies, from startups to large enterprises, trust Vanta to help prove their security. Get started at vanta.com/cyber.
C
This episode is brought to you by Nordstrom. Spring calls for a wardrobe refresh, and Nordstrom has the best styles of the season, from dresses and denim to standout tops and accessories. Find the trends and essentials that feel right for you. Discover new arrivals from brands you love like Waif, Princess Polly, Mango, Adidas and Free People. Plus, free shipping and returns and free styling appointments make everything so easy. Shop in stores, at nordstrom.com, or download the Nordstrom app.
B
Joining me once again is Tim Starks. He is a senior reporter with CyberScoop. Tim, great to have you back. Hi, Dave. Want to focus on this article that I believe you co-wrote with your CyberScoop colleague Drew F. Lawrence. And this is looking at the recent Stryker attack from Iran, or attributed to Iran, and really more about what that means in the broader context here. Let's start with Stryker. What happened to them?
A
Yeah, and I'll point out that an Iranian group called Handala has taken credit for that, but the analysts I've spoken to believe that they are in fact responsible. So Stryker is a large medtech company, is one way to say it. They make a lot of medical devices, especially those focused on communications, that are really fundamental to a lot of hospital and emergency worker activity. They also have Defense Department contracts. They're a big company, and they're based out of Michigan. And they were hacked with a wiper technology, which is an interesting development, that basically put the company, in terms of at least its internal communications (though there are some reports that maybe it went beyond that), on its knees. They just basically didn't have phones that could work. And this was really the first attack in cyberspace since the conflict started with the US and Israel that we could say was a success, a qualified success, but still a success. It was a pretty important target and did meaningful damage. And if you're trying to send a message, it was the kind of target you would want to hit.
B
And to be clear here, it seems as though the damage is the point. Like they weren't asking for ransom or anything like that.
A
Exactly. Right.
B
Yeah.
A
They're trying to inflict damage. It's a group that, for the most part, has focused on Israel to date, and using these kinds of wiper technologies there. So maybe a little different to see it hit a big US target.
B
Help us understand the context here. I mean, how does this all fit into the comparative capabilities of Iran versus the team of the US and Israel?
A
Iran is a power in cyberspace, but they are not comparable, I don't think, to the US or Israel. I think they'd probably be behind Russia and China as well, but they'd be in that next tier. And I think that there were a lot of warnings. You know, my inbox, one of the reasons we did this story is because my inbox and my editor's inboxes were, we were all getting flooded with warnings about the grave danger of Iranian cyber attacks. And then, you know, for the first week and a half or so, there really wasn't much. There was some stuff here and there. There was an attack on the Albanian parliament's email system. There was some targeting of cameras in the Middle East nations just before Iranian missiles were fired in that direction. So it's not that Iran doesn't have capabilities, it's just that they weren't showing much of them yet. And I think one of the things that I learned from the story was, first off, I mean, the Internet has been in bad shape in Iran since the conflict started, right? There have been targeted attacks on the leadership of Iranian bodies, the intelligence and military outfits that are associated with these kinds of cyber attacks. So they might have been hiding, they might have been waiting for the Internet to be working again. I think that, you know, the other thing that people brought up to me, at least for the Stryker attack specifically, is that it did not seem like a sophisticated targeting of that company. You know, some even speculated that because there's a family of military vehicles called Stryker that they might have hit the wrong target. Maybe they were going after a different target. That's speculation, certainly, but it seems like the kind of speculation that makes a certain amount of sense. And once they saw that they were in the networks of a company that was US-based and was a big company, I think they took advantage of that opportunity.
So the context is Iran is an actor in cyberspace that I think people are justifiably worried about, but it has not materialized on a wide scale, certainly yet, and it may not. Another thing that came up is how much things have changed since the Iran war. And it's hard to say that these aren't things that might not be happening anyway. Trying to measure the degree to which the war has caused this versus it just being regular activity that has been happening, and there just happens to be a war happening as well. That's also another part of the context.
B
The folks that you're talking to, is there any indication of successful blocking of, let's say, increased activity from Iran?
A
Yeah, I mean, certainly there are companies saying that's the case, that they block this or block that. And, you know, as reporters, it's always a delicate balance to strike between the fact that a lot of the companies that are aware of the activity also make money off of promoting the fact that they're aware of the activity. So it's hard to say if there's a volumetric way to, like, assess how much more traffic there has been. You know, one of the people who was an analyst I spoke to said we might not know for weeks how much things are different. But yes, there are companies saying, we blocked this attack, or, you know, we're blocking, we're seeing this. We don't know if the volume has changed specifically because of this kind of war, the activity that's going on.
B
So to what degree do you suppose folks should take all of these warnings that we're seeing seriously? How serious is this threat?
A
I would say it's real, but I wouldn't say it's grave, at least not yet. I think all the things, you know, one of the other stories I wrote this week was about a top FBI official saying, you know, we hear a lot about AI attacks and they are increasing the threat in the sense that the attacks are happening faster as a result of AI. But all the same defensive techniques work for all of those kinds of attacks too. So if you weren't already doing things like multi-factor authentication, well, here's a good excuse to start doing it. If being scared of that particular Iranian-based attack is something that triggers you to do that, good. But I don't know that anybody should behave all that much differently in cyberspace than they would if they were being good stewards of their own cybersecurity already. Right. There's a certain amount of, if you're a small company or a small business in the United States, I don't think you're probably going to be the target of a massive attack. You might be the target of a DDoS attack. You might have your website defaced. I think that that kind of low-level activity is more the kind of thing I think you could expect to reasonably see. That might be different than before, but that's, again, this is the early days. You know, I think there's a chance that as this goes on, as it becomes more prolonged, that we will see more activity. I can't guarantee it. I don't want to scare people unnecessarily, but I certainly think it's viable that we're at the beginning of it, and there could be significantly more depending on how things break.
B
Yeah, I guess if nothing else, it deserves people's attention.
A
It does. Yeah. I think it's worth reading and knowing what the threats are, or at least the potential threats, and knowing what has happened versus what is probably over-hyped.
B
Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for joining us.
A
Thank you, Dave.
B
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result: fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.

When cyber threats strike, minutes matter. Booz Allen brings the same battle-tested expertise trusted to protect national security to defend today's leading global organizations. They safeguard their data, strengthen enterprise resilience, and mobilize in minutes across energy, healthcare, financial services and manufacturing. Their teams don't just respond; they anticipate, outthink and stay ahead of evolving threats. This is powerful protection for commercial leaders, only from Booz Allen. See how your organization can prepare today at boozallen.com/commercial.

And finally, researchers at the University of Cambridge are calling for tighter regulation of AI-powered toys for toddlers after testing how children aged three to five interacted with a chatbot-enabled plush robot named Gabo. The toy, which uses an OpenAI voice assistant and is meant to encourage conversation and imaginative play, proved to be a less than empathetic playmate.
In practice, Gabo frequently talked over children, ignored their interruptions and struggled to recognize emotional cues. When one 5-year-old said "I love you," the toy responded with a reminder to follow its interaction guidelines. When a three-year-old said "I'm sad," Gabo cheerfully redirected the conversation. Researchers warn that responses like these could confuse young children who are still learning how conversations and emotional feedback work. The team says regulators should start thinking about psychological safety in toys, not just whether a detachable eye might pose a choking hazard, because childhood imagination is powerful enough without adding a chatbot that doesn't quite understand the assignment.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.

When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.
Date: March 16, 2026
Host: N2K Networks (Dave Bittner)
Guest: Tim Starks, Senior Reporter, Cyberscoop
This episode of CyberWire Daily is packed with the latest cybersecurity news, covering international incidents affecting supply chains, AI’s accelerating effect on cyber threats, major data breaches, shifts in fileless malware, and a unique market for cybercriminals: airline miles. The episode culminates in an in-depth interview with Tim Starks (Cyberscoop), analyzing Iranian-linked cyberattacks, especially the significance and context of the Stryker attack.
Segment Starts: 14:13
Stryker Attack: An Iranian group, Handala, claims credit for hacking Stryker—a Michigan-based medtech and defense contractor—using wiper malware, knocking out internal communications, "basically put the company on its knees."
Quote: "They make a lot of medical devices... really fundamental to a lot of hospital and emergency worker activity... They also have Defense Department contracts." – Tim Starks (14:50)
Nature of the Attack: Not financially motivated—no ransom—the goal was pure disruption. Quote: "They're trying to inflict damage. It's a group that, for the most part, has focused on Israel... Maybe a little different to see it hit a big US Target." – Tim Starks (15:59)
Iran is a significant cyber actor but "not comparable to the US or Israel... probably behind Russia and China as well but they'd be in that next tier."
Recent uptick in warnings about Iranian activity, but "for the first week and a half, there really wasn't much," aside from minor incidents (e.g., Albanian parliament, Middle Eastern cameras).
Speculation: Possible mis-targeting—"some even speculated that because there's a family of military vehicles called Stryker that they might have hit the wrong target." – Tim Starks (17:33)
Companies report increased blocking, but "a lot of the companies that are aware of the activity... make money off of promoting" their threat intelligence, so it's hard to gauge real escalation.
Full impact may take "weeks to know."
Key Takeaway on Risk:
Quote: "I would say it's real, but I wouldn't say it's grave, at least not yet." – Tim Starks (19:46)
Advice: Standard cyber hygiene (multi-factor authentication, patching) still applies and is effective, even as AI-driven attacks rise.
Recognize the difference between actual threat and hype. Quote: "It's worth reading and knowing what the threats are, or at least the potential threats and knowing what has happened versus what is probably over-hyped." – Tim Starks (21:23)
This CyberWire Daily episode is a microcosm of today’s complex threat landscape: international supply chains exposed to physical and cyber threats, AI rapidly shifting the advantage toward attackers, increasingly valuable non-cash targets (like loyalty points), and state-level actors flexing their muscles in ways both targeted and opportunistic. The main message: Stay proactive, practice cyber hygiene, question the hype, and don’t underestimate the changing face of both traditional and emerging risks.
For more details and links, visit cyberwire.com.