CyberWire Daily — "Water sector feels the pressure"
Date: March 31, 2026
Host: Dave Bittner (N2K Networks)
Guest: Sam Rubin, SVP, Palo Alto Networks (Unit 42 Consulting and Threat Intelligence Team)
Episode Overview
This episode covers the intensifying threat landscape for critical infrastructure, with a special focus on Iranian-linked cyber groups threatening U.S. water systems. The news roundup breaks down urgent vulnerabilities and incidents in global finance, government, military, and banking. The Industry Voices segment features Sam Rubin of Palo Alto Networks, who provides insights on Iran’s evolving cyber tactics—particularly the shift to identity weaponization and the use of trusted partnerships for access. The episode concludes with a tech culture story about Wikipedia’s challenges with AI-powered editors.
Key News and Analysis Segments
Iranian Hackers Threaten U.S. Water Utilities
[01:08–02:50]
- Iranian-linked hacking groups, including APT42, MuddyWater, Cyber Avengers, and Handala, are threatening “irreparable” attacks on U.S. water systems if geopolitical tensions increase.
- These groups are reportedly pre-positioned within some infrastructure networks, allowing for rapid attacks if triggered.
- Hacktivist activity tied to Iran is rising, though the impact is sometimes inflated by recycled or exaggerated online claims.
- Water utilities are flagged as especially vulnerable due to outdated systems and inconsistent cybersecurity resources, with small organizations at greater risk.
“Federal support capacity may be strained, leaving smaller organizations more vulnerable to opportunistic intrusion and activation during escalation.” (Host, [02:34])
Cyber Vulnerability & Incident Updates
[02:51–09:32]
- CISA Citrix Flaw Order:
- Federal agencies must patch a critical Citrix NetScaler vulnerability that allows unauthenticated attackers to read memory and potentially compromise credentials. (Active exploitation reported.)
- Dutch Finance Ministry Breach:
- Attackers accessed internal infrastructure; the treasury portal was disabled for ~1,600 institutions as a containment measure. Core public services remain unaffected; the investigation is being handled at the national level.
- GPS Control Software Uncertainty:
- U.S. Space Force may abandon the $8B next-gen GPS control project (OCX) due to critical delays and ongoing subsystem failures, affecting military navigational resilience.
- Fortinet EMS Exploit:
- Active exploitation of a critical SQL injection bug grants full admin access; researchers note more than 2,000 exposed systems.
- Lloyds Bank Data Exposure:
- Software bug led to 447,000+ customer account details exposed via mobile app update; company paid £139,000 in compensation; no evidence of fraud but trust eroded.
Workforce & Regulatory Trends
[09:33–11:33]
- Impact of AI and Regulation on Cybersecurity Careers:
- AI is streamlining cybersecurity work and prompting reductions in entry-level analysis roles, but new jobs are expanding in AI/ML security domains.
- Regulatory compliance (NIS2, CMMC, DORA) now drives hiring at 95% of surveyed organizations.
- 27% faced breaches directly linked to workforce skills gaps.
“Cybersecurity challenge is shifting from headcount shortages to skills readiness, creating long term risks for talent development and operational resilience.” (Host, [11:15])
FTC Action Against Dating Apps
[11:34–12:25]
- OkCupid and Match Group settled with the FTC for sharing nearly 3 million users’ data with a third party without user opt-out or consent, in violation of privacy promises. The settlement imposes ongoing oversight and bans misleading data practices.
Industry Moves: Investments & Acquisitions
[12:39–13:51]
- Highlights:
- Cloaked (privacy, U.S.): $375M Series B.
- Oasis Security (Israel): $120M Series B (nonhuman identity access governance).
- InfoTrust (Australia): Acquires Catalyst Cyber for $5M to enter federal markets.
Featured Interview: Sam Rubin on Iranian Tactics & Identity Weaponization
[15:18–23:11]
Host: Dave Bittner (D) | Guest: Sam Rubin (C)
1. Evolution of Iranian Threat Actor Tactics
[15:18, 21:51]
- Boggy Serpent Group: Known for evolving tactics—now using trusted relationships and third-party access instead of direct attacks.
- Quote:
“What they do that's interesting...is that they target a trusted partner...gain access through spear phishing...then use that trusted account to get to their ultimate target.” (Sam Rubin, [21:51])
2. Iranian Internet Outages and Offensive Cyber Activity
[16:16–17:58]
- The Iranian government and foreign actors targeting Iran's internet infrastructure have drastically reduced the nation's external connectivity, limiting its capacity for outbound cyber attacks.
- Quote:
“Iran's Internet was really close to zero in terms of ability to egress...it's really curtailed that and limited the capability.” (Sam Rubin, [16:40])
3. Identity Weaponization: "Living off the Land" Attacks
[18:22–20:58]
- Shift from destructive malware (e.g., MBR wipers) to legitimate enterprise administration software (Entra ID, Intune) as the vehicle for destructive actions, which increases stealth and operational impact.
- Recommendations:
- Principle of least privilege
- Just-in-time admin privileges
- Dual-admin approval for high-risk actions
- Quote:
“In these recent attacks...we're seeing them using software, enterprise administrative software to facilitate these wipes. So it's a version of living off the land attack...” (Sam Rubin, [18:36])
"These are what the bad guys are targeting because it's kind of the keys to the kingdom." (Dave Bittner, [20:51])
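The interview describes wipes driven through legitimate admin tooling rather than malware, and recommends least privilege, just-in-time rights and dual-admin approval. The following added example (not code from the episode, Unit 42 or Microsoft) shows the detection side of that advice: it scans a constructed set of device-management audit events, flags destructive actions that carry no second approver, and flags any account issuing a burst of destructive actions in a short window. Field names, actions and accounts are assumptions, not a real Intune or Entra ID log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events; field names are assumed for illustration,
# not a real Intune/Entra ID export format.
EVENTS = [
    {"ts": "2026-03-31T02:00:05Z", "actor": "svc-helpdesk@corp.example", "action": "wipeDevice", "target": "LAPTOP-0142", "approved_by": "j.doe@corp.example"},
    {"ts": "2026-03-31T02:00:41Z", "actor": "svc-helpdesk@corp.example", "action": "wipeDevice", "target": "LAPTOP-0143", "approved_by": None},
    {"ts": "2026-03-31T02:01:12Z", "actor": "svc-helpdesk@corp.example", "action": "wipeDevice", "target": "LAPTOP-0144", "approved_by": None},
    {"ts": "2026-03-31T02:01:50Z", "actor": "svc-helpdesk@corp.example", "action": "retireDevice", "target": "LAPTOP-0145", "approved_by": None},
    {"ts": "2026-03-31T09:15:00Z", "actor": "a.admin@corp.example", "action": "wipeDevice", "target": "LAPTOP-0200", "approved_by": "j.doe@corp.example"},
    {"ts": "2026-03-31T09:20:00Z", "actor": "a.admin@corp.example", "action": "setDeviceName", "target": "LAPTOP-0200", "approved_by": None},
]

# Actions that destroy data or remove a device from management.
DESTRUCTIVE = {"wipeDevice", "retireDevice", "deleteDevice"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def unapproved_destructive(events):
    """Destructive actions with no recorded second approver (dual-admin control violated)."""
    return [e for e in events if e["action"] in DESTRUCTIVE and not e.get("approved_by")]


def burst_actors(events, threshold=3, window=timedelta(minutes=10)):
    """Map actor -> peak number of destructive actions seen inside any sliding window."""
    by_actor = defaultdict(list)
    for e in events:
        if e["action"] in DESTRUCTIVE:
            by_actor[e["actor"]].append(parse_ts(e["ts"]))
    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans no more than `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


if __name__ == "__main__":
    for e in unapproved_destructive(EVENTS):
        print("no second approver:", e["actor"], e["action"], e["target"])
    for actor, n in burst_actors(EVENTS).items():
        print("destructive burst:", actor, n)
```

The burst threshold and window are tuning knobs; a helpdesk account that legitimately wipes one lost laptop a day should never trip them, while a hijacked account driving mass wipes does.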
4. Trusted Channel Attacks & Sophistication
[21:51–22:58]
- Boggy Serpent’s recent attacks on a UAE energy company exploited trusted third parties with spear phishing and weaponized, legitimate-looking documents (e.g., travel itineraries, financial spreadsheets).
- Quote:
“Very legitimate looking...all weaponized with malware. So pretty sophisticated tactics.” (Sam Rubin, [22:51])
Notable Quotes & Memorable Moments
- On Small Water Utilities' Risk:
“Federal support capacity may be strained, leaving smaller organizations more vulnerable to opportunistic intrusion...” (Host, [02:34])
- On AI in Cyber Careers:
“AI is improving efficiency rather than eliminating jobs, with nearly half of organizations reducing manual analysis time and automating workflows.” (Host, [09:41])
- On Attackers Exploiting Trusted Relationships:
“...they target a trusted partner...gain access through spear phishing to that organization, and then use that trusted account to get to their ultimate target.” (Sam Rubin, [21:51])
Tech & Culture: Wikipedia Blocks AI Editor
[24:42–end]
- An AI-powered editing agent ("Tom Wiki Assist") was blocked by Wikipedia for operating without pre-approval, sparking debate on AI’s place in collaborative platforms and what constitutes a “real” editor.
Timestamps of Important Segments
- [01:08] — News headlines and water sector threat overview
- [02:51] — CISA Citrix vulnerability
- [04:05] — Dutch Finance Ministry breach
- [05:10] — Space Force GPS modernization challenges
- [06:30] — Fortinet EMS exploit
- [07:25] — Lloyds Bank customer data exposure
- [09:33] — AI & regulatory workforce trends
- [11:34] — FTC settlement with OkCupid & Match Group
- [15:18] — Interview with Sam Rubin: Evolution of Iranian attacker tactics
- [21:36] — Boggy Serpent attacks via trusted partners
- [24:42] — Wikipedia’s AI editing debate
Summary Flow & Utility
This episode leverages breaking news to set the context for the critical water sector threat, then uses a deep-dive expert segment to illustrate the sophistication and evolution of Iranian-linked cyber actors, particularly their exploitation of trusted relationships and “living off the land” destructive attacks. Practical mitigation steps and workforce transformation trends are discussed with both urgency and clarity. The show closes with a tech culture story illustrating broader trust and authenticity issues in the digital age.
For more details, listen to the episode or read the full interview with Sam Rubin (link in show notes).
