CyberWire Daily – "Wind and Solar Take a Cyber Hit" (Feb 2, 2026)
Host: Dave Bittner (N2K Networks)
Guest Segment: Ann Johnson (Microsoft) & Dr. Lori Cranor (Carnegie Mellon)
Overview
This episode focuses on recent cyber threats impacting critical infrastructure—especially wind and solar energy sites—as well as key cyber incidents targeting Denmark, Ukraine, the software supply chain, privacy, and trade secrets. The show also features an insightful segment on the persistent challenges in cybersecurity usability, passwordless authentication, privacy expectations, and a cautionary tale about insecure AI-powered toys.
Key Discussion Points & Insights
1. Major Incidents Affecting Wind and Solar Power in Poland
[03:00–04:10]
- Russian state-linked hackers breached Polish energy infrastructure through basic hygiene failures: default credentials and a lack of multi-factor authentication.
- The attacks targeted wind farms, solar farms, and a combined heat and power plant. Destructive malware was thwarted at the heat and power plant, but control systems at the wind and solar facilities were rendered inoperable.
- Crucially, no outages occurred and the grid wasn’t destabilized.
- The attack was attributed by Poland’s CERT to Russian group Berserk Bear ("Dragonfly").
“The attackers attempted to deploy destructive wiper malware designed to erase systems and potentially disrupt operations.” — [03:29]
2. Russian Hacker Alliance Threatens Denmark
[04:10–05:11]
- The "Russian Legion," a new hacker alliance, threatened a large-scale cyberattack on Denmark, demanding the withdrawal of military aid to Ukraine.
- Initial Distributed Denial of Service (DDoS) attacks targeted public service and energy sector sites.
- The group is assessed as state-aligned rather than state-funded; such campaigns rely on intimidation and disruption rather than on causing severe damage.
“DDoS attacks were only the beginning. … Such campaigns often rely on intimidation and disruption rather than escalating to severe cyber damage.” — [04:41]
3. Fancy Bear Exploits Microsoft Office Flaw Against Ukraine & EU
[05:11–06:20]
- APT28 (Fancy Bear) exploited a newly disclosed Microsoft Office vulnerability, before patches were widely deployed, through phishing emails carrying malicious Word documents.
- Targets were Ukrainian and EU organizations.
- The weaponized documents triggered outbound connections that fetched further payloads and ultimately installed the Covenant command-and-control framework; the chain also used COM hijacking (abuse of Windows Component Object Model registrations).
“The attack chain involved phishing emails with weaponized documents that triggered external connections, downloaded malicious files and ultimately deployed the Covenant Command and Control framework using COM hijacking techniques.” — [05:58]
4. Notepad Supply Chain Compromise
[06:20–07:30]
- The incident was traced to a compromise at Notepad’s former hosting provider, not to the application’s own code.
- Using stolen credentials, the attacker redirected update traffic; the campaign likely began in June.
- The targeted nature of the redirection suggests Chinese state sponsorship.
- Notepad has since migrated to a new host, strengthened its update checks, and urges users to update manually.
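How the strengthened update checks mentioned above can work is worth seeing concretely. The Go program below is an added example written for this summary; it is not code from Notepad’s updater or from the podcast, and the manifest format, the allowlisted host updates.example.org, the version numbers and the installer bytes are all assumptions. It models the attacker the episode describes, one who holds the hosting provider’s credentials and can therefore redirect update traffic or swap files, and shows that a manifest signed with a publisher key compiled into the client defeats that attacker: they can serve a different installer (digest mismatch), re-sign a manifest with their own key (signature failure) or replay an old signed manifest (rollback), but none of those passes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest describes one release. The publisher signs it with an offline key;
// the hosting provider only stores and serves it and cannot forge a new one.
type Manifest struct {
	Version int    `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}

// Verifier holds the trust anchors compiled into the update client.
type Verifier struct {
	PublisherKey ed25519.PublicKey // baked in at build time, never fetched
	AllowedHosts map[string]bool   // hostnames the client will download from
	InstalledVer int               // current version, for rollback protection
}

var (
	ErrBadSignature = errors.New("manifest signature invalid")
	ErrBadHost      = errors.New("download URL not https or host not allowlisted")
	ErrRollback     = errors.New("manifest version is not newer than installed")
	ErrHashMismatch = errors.New("installer hash does not match signed manifest")
)

// VerifyUpdate accepts an update only if the manifest is signed by the publisher, points at an
// allowlisted https host, is newer than what is installed, and the installer served from that
// URL matches the digest the publisher signed.
func (v Verifier) VerifyUpdate(raw, sig, installer []byte) error {
	if !ed25519.Verify(v.PublisherKey, raw, sig) {
		return ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return err
	}
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" || !v.AllowedHosts[u.Hostname()] {
		return ErrBadHost
	}
	if m.Version <= v.InstalledVer {
		return ErrRollback
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// SignManifest is the publisher-side step, run offline and never on the update host.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte) {
	raw, _ = json.Marshal(m) // plain fields only, so Marshal cannot fail
	return raw, ed25519.Sign(priv, raw)
}

// Demo runs four constructed scenarios and returns the verdict for each
// (nil means the client would install the update).
func Demo() map[string]error {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	v := Verifier{PublisherKey: pub, AllowedHosts: map[string]bool{"updates.example.org": true}, InstalledVer: 7}
	installer := []byte("constructed installer bytes for version 8")
	sum := sha256.Sum256(installer)
	good := Manifest{Version: 8, URL: "https://updates.example.org/v8/setup.exe", SHA256: hex.EncodeToString(sum[:])}
	raw, sig := SignManifest(priv, good)
	out := map[string]error{}
	// 1. Genuine release: signature, host, version and digest all check out.
	out["genuine"] = v.VerifyUpdate(raw, sig, installer)
	// 2. Hijacked host serves a swapped installer under the real, still-valid manifest.
	out["swapped installer"] = v.VerifyUpdate(raw, sig, []byte("trojanised installer"))
	// 3. Attacker rewrites the manifest to point at their own host and signs with their own key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := good
	evil.URL = "https://cdn.attacker.invalid/setup.exe"
	eraw, esig := SignManifest(attackerPriv, evil)
	out["re-signed manifest"] = v.VerifyUpdate(eraw, esig, installer)
	// 4. Replay of an older, genuinely signed manifest to force a downgrade.
	old := good
	old.Version = 5
	oraw, osig := SignManifest(priv, old)
	out["rollback"] = v.VerifyUpdate(oraw, osig, installer)
	return out
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-20s -> %v\n", name, err)
	}
}
```

The order of checks matters: the signature is verified before the JSON is parsed, so an attacker-controlled manifest never reaches the parser or the URL policy. A hash file sitting next to the download would not have helped in the incident above, because whoever controls the host also controls that file; the digest has to live inside something the host cannot sign.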
5. Supply Chain Attacks in the Claudebot (Multbot) AI Ecosystem
[07:30–08:40]
- Over 230 malicious “skills” were published to the ecosystem’s official registry and to GitHub, posing as crypto or automation tools.
- The skills targeted both Windows and macOS, using social engineering to steal sensitive information.
- Most remain online despite reports, exposing the fragility of security review in AI skill ecosystems.
“All malicious skills shared the same command and control infrastructure and showed no evidence of security review before publication.” — [07:58]
6. Threats Against Journalists and Security Researchers
[08:40–09:47]
- Survey (by Decent Doe & Zach Whitaker) found 77% of security researchers/journalists experienced threats.
- Legal threats were common (e.g., demand letters), as were criminal threats (esp. against journalists).
- Many feel powerless and say fear shapes their work, yet most do not retract or change what they publish.
(Dr. Cranor describes a similar sense of powerlessness over privacy in the interview segment; see [19:31] and [20:29].)
7. Advanced Windows Malware: Pulsar RAT + Stealer V37
[09:47–10:34]
- The new malware combines credential theft, cryptocurrency theft, and gaming-account takeover; it is fully memory-resident and evasive.
- Attackers can interact live with victims via chat windows; data exfiltrated to Discord and Telegram.
“Unusually, attackers can interact with victims through a live chat window while stealing data.” — [10:10]
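Exfiltration over Discord webhooks and Telegram bot endpoints, as in the Pulsar RAT and Stealer item above, leaves a recognisable trace in outbound proxy logs. The Go program below is an added example for this summary, not code from the podcast or from any vendor; its log format, IP addresses, webhook IDs and bot tokens are constructed. It flags POST requests to those endpoints and attaches two weaker signals, a non-browser user agent and a large upload, so an analyst can rank the hits.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Request is one proxy log entry. The constructed log format is:
//   <timestamp> <src_ip> <method> <url> <status> <bytes_out> "<user-agent>"
type Request struct {
	Src, Method, URL, UA string
	BytesOut             int
}

// Finding is one request flagged for review, with the reasons it matched.
type Finding struct {
	Src, Service, URL string
	Reasons           []string
}

// The two drop points the stealer uses. Webhook and bot endpoints are free,
// need no account on the victim side, and blend into ordinary chat traffic.
var (
	discordWebhook = regexp.MustCompile(`^https?://(?:[a-z0-9-]+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/\d+/[A-Za-z0-9_-]+`)
	telegramBot    = regexp.MustCompile(`^https?://api\.telegram\.org/bot\d+:[A-Za-z0-9_-]+/send(?:Document|Message|Photo)`)
)

// ParseLine splits one log line; the user agent is the trailing quoted field and may contain spaces.
func ParseLine(line string) (Request, bool) {
	p := strings.SplitN(line, " ", 7)
	if len(p) < 7 {
		return Request{}, false
	}
	n, err := strconv.Atoi(p[5])
	if err != nil {
		return Request{}, false
	}
	return Request{Src: p[1], Method: p[2], URL: p[3], UA: strings.Trim(p[6], `"`), BytesOut: n}, true
}

// Classify flags POSTs to webhook/bot endpoints and records the signals that make
// the request look like tooling rather than a person using a chat client.
func Classify(r Request) (Finding, bool) {
	var service string
	switch {
	case discordWebhook.MatchString(r.URL):
		service = "discord-webhook"
	case telegramBot.MatchString(r.URL):
		service = "telegram-bot"
	default:
		return Finding{}, false
	}
	if r.Method != "POST" {
		return Finding{}, false
	}
	reasons := []string{"POST to " + service}
	if !strings.HasPrefix(r.UA, "Mozilla/") {
		reasons = append(reasons, "non-browser user agent: "+r.UA)
	}
	if r.BytesOut > 64*1024 {
		reasons = append(reasons, "large upload: "+strconv.Itoa(r.BytesOut)+" bytes")
	}
	return Finding{Src: r.Src, Service: service, URL: r.URL, Reasons: reasons}, true
}

// Scan runs Classify over every line and returns the findings in log order.
func Scan(logText string) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		if r, ok := ParseLine(sc.Text()); ok {
			if f, ok := Classify(r); ok {
				out = append(out, f)
			}
		}
	}
	return out
}

// SampleLog is constructed for this example: the hosts are real services, but the
// IPs, webhook IDs and bot token are made up.
const SampleLog = `2026-02-02T09:14:03Z 10.1.4.22 POST https://discord.com/api/webhooks/1234567890/AbC-dEf_123 204 183422 "python-requests/2.31"
2026-02-02T09:14:05Z 10.1.4.22 POST https://api.telegram.org/bot123456:ABCdefGHI/sendDocument 200 92117 "Mozilla/5.0 (Windows NT 10.0)"
2026-02-02T09:15:10Z 10.1.4.37 GET https://discord.com/api/v9/users/@me 200 0 "Mozilla/5.0 (Windows NT 10.0) discord/1.0.9"
2026-02-02T09:16:44Z 10.1.4.51 POST https://discord.com/api/webhooks/98765/xyz 204 412 "curl/8.4"
2026-02-02T09:17:00Z 10.1.4.37 GET https://cdn.discordapp.com/attachments/1/2/image.png 200 0 "Mozilla/5.0"`

func main() {
	for _, f := range Scan(SampleLog) {
		fmt.Printf("%s %s %s\n  %s\n", f.Src, f.Service, f.URL, strings.Join(f.Reasons, "; "))
	}
}
```

Treat the output as triage input rather than a verdict: CI systems and chat-ops integrations legitimately post to Discord webhooks, so pair this with an allowlist of known integrations, and remember that the user agent is attacker-controlled. The Telegram pattern captures the bot token in the URL, which is a useful blocking indicator but should be redacted before the alert is stored or shared.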
8. Economic Espionage: Former Google Engineer Convicted
[10:34–11:40]
- Linway Ding, former Google engineer, convicted of stealing AI/supercomputing trade secrets for China.
- Over 2,000 pages were exfiltrated while he maintained ties to Chinese tech firms and even founded a startup there.
- Evidence showed participation in Chinese government talent programs and attempts to conceal activities.
9. Cybersecurity Funding & M&A Trends
[11:40–13:02]
- Strong investment and deal activity: $250M Series B for Upwind (cloud security), $150M funding for Clarity (cyber-physical systems), and multiple rounds for AI/code security, SOC automation, and more.
- M&A highlights: acquisitions in AI governance, GRC, API security testing, managed services—driven by a push for integrated platforms.
10. Usability & Privacy: Ann Johnson & Dr. Lori Cranor Interview
[16:33–22:14]
[Security Design and Human Factors]
- Security design often overlooks user experience; security pros rarely collaborate closely with usability experts.
“We often forget to consider the human and the user…We haven’t really found a great solution that is better than passwords that meets all the criteria that we have.” — Dr. Lori Cranor [16:55]
[Passwordless Authentication (Passkeys)]
- Passkeys are promising but currently too confusing, even for experts.
“They’re confusing. … If I accept the passkey here and then I want to access this account from another device, what do I do?” — Dr. Cranor [18:41]
[Privacy Attitudes in the Digital Age]
- People aren’t less concerned about privacy, just more resigned and feel powerless.
“They don’t like it. They still would like to protect their privacy, but they feel powerless to do anything about it. … I like the convenience of using all these privacy invasive services and since there’s nothing I can do about it, I’ve just given in and I use them.” — Dr. Cranor [19:31]
[Hope for Usable Security]
- Progress is visible: 25 years ago there was almost no usable-security research; today there are hundreds of papers, real industry interest, and concrete advances like encrypted browsers.
“We’re seeing that companies are increasingly trying to make some efforts to find more usable security solutions. … There’s still a lot of work to be done, but I feel that we actually have made progress.” — Dr. Cranor [21:08]
11. Security Fail: The “AI Dinosaur” Toy Leak
[23:07–24:21]
- Researchers found that Bondu’s AI dinosaur toy exposed over 50,000 chat logs (with children’s names, birthdays, family secrets) to anyone with a Gmail account.
- No exploit was needed: simply logging in with an ordinary Google account was enough.
- The company had focused on content safety rather than on the back end; it responded after the disclosure, but the exposure was significant.
“An AI toy that remembers everything also exposes everything, and toddlers shouldn’t need operational security training to play with a plush dinosaur.” — [24:21]
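The toy exposure is a textbook confusion of authentication with authorization: the dashboard confirmed who the caller was and then showed them everything. The Go program below is an added example for this summary, not code from Bondu or from the podcast; the data model, the account names and the transcripts are constructed. It puts the vulnerable listing next to the fixed one so the missing per-record check is visible.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Session is what a successful login proves: who the caller is, and nothing about what
// they may read. The vulnerable path below treats it as if it were also authorization.
type Session struct{ Account string }

type ChatLog struct {
	ID, DeviceID, Transcript string
}

// Store holds every toy's logs plus the guardian accounts linked to each toy.
type Store struct {
	Logs      map[string]ChatLog         // log ID -> log
	Guardians map[string]map[string]bool // device ID -> accounts allowed to read it
}

var (
	ErrUnauthenticated = errors.New("login required")
	ErrNotFound        = errors.New("not found")
)

// ListLogsVulnerable checks only that a user is signed in: every account sees every child's logs.
func (s Store) ListLogsVulnerable(sess Session) ([]ChatLog, error) {
	if sess.Account == "" {
		return nil, ErrUnauthenticated
	}
	var out []ChatLog
	for _, l := range s.Logs {
		out = append(out, l)
	}
	return sorted(out), nil
}

// canRead is the per-record authorization check the vulnerable path lacks.
func (s Store) canRead(sess Session, deviceID string) bool {
	return sess.Account != "" && s.Guardians[deviceID][sess.Account]
}

// ListLogsFixed applies canRead to every record, so the result is scoped to the caller's own toys.
func (s Store) ListLogsFixed(sess Session) ([]ChatLog, error) {
	if sess.Account == "" {
		return nil, ErrUnauthenticated
	}
	var out []ChatLog
	for _, l := range s.Logs {
		if s.canRead(sess, l.DeviceID) {
			out = append(out, l)
		}
	}
	return sorted(out), nil
}

// GetLogFixed answers "not found" for both unknown and foreign IDs, so a signed-in
// stranger cannot learn which IDs exist by probing.
func (s Store) GetLogFixed(sess Session, id string) (ChatLog, error) {
	if sess.Account == "" {
		return ChatLog{}, ErrUnauthenticated
	}
	l, ok := s.Logs[id]
	if !ok || !s.canRead(sess, l.DeviceID) {
		return ChatLog{}, ErrNotFound
	}
	return l, nil
}

func sorted(ls []ChatLog) []ChatLog {
	sort.Slice(ls, func(i, j int) bool { return ls[i].ID < ls[j].ID })
	return ls
}

// SampleStore is constructed data: two toys, three logs, two families.
func SampleStore() Store {
	return Store{
		Logs: map[string]ChatLog{
			"log-1": {ID: "log-1", DeviceID: "dino-A", Transcript: "child A: my birthday is in March"},
			"log-2": {ID: "log-2", DeviceID: "dino-A", Transcript: "child A: we are moving house"},
			"log-3": {ID: "log-3", DeviceID: "dino-B", Transcript: "child B: my dog's name is Rex"},
		},
		Guardians: map[string]map[string]bool{
			"dino-A": {"parent-a@example.org": true},
			"dino-B": {"parent-b@example.org": true},
		},
	}
}

func main() {
	s := SampleStore()
	stranger := Session{Account: "stranger@example.org"} // any valid login, no toy linked
	all, _ := s.ListLogsVulnerable(stranger)
	own, _ := s.ListLogsFixed(stranger)
	fmt.Printf("vulnerable: stranger sees %d logs; fixed: stranger sees %d logs\n", len(all), len(own))
}
```

The fixed path routes every read through one ownership function (canRead), and the single-record lookup returns the same “not found” for foreign and missing IDs so a logged-in stranger cannot enumerate which children’s logs exist. In a real service that check belongs in the data layer or a policy middleware rather than in each handler, so a new endpoint cannot forget it.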
Notable Quotes (By Speaker & Timestamp)
- Dave Bittner:
“The attackers attempted to deploy destructive wiper malware designed to erase systems and potentially disrupt operations.” [03:29]
- Dr. Lori Cranor:
“We haven’t really found a great solution that is better than passwords that meets all the criteria that we have.” [16:55]
“They’re confusing. … I also am confused by them. … when my less technically sophisticated friends say, should I use passkeys? I don’t really know what to tell them.” [18:41]
“They don’t like it. They still would like to protect their privacy, but they feel powerless to do anything about it. … I’ve really just given up. I like the convenience of using all these privacy invasive services and since there’s nothing I can do about it, I’ve just given in.” [19:31]
“We’re seeing that companies are increasingly trying to make some efforts to find more usable security solutions. … There’s still a lot of work to be done, but I feel that we actually have made progress.” [21:08]
- Ann Johnson:
“If this is complex for me, who ostensibly has been doing this a long time, what’s it like for the average person?” [18:25]
- CyberWire Host:
“An AI toy that remembers everything also exposes everything, and toddlers shouldn’t need operational security training to play with a plush dinosaur.” [24:21]
Timestamps for Key Segments
- Wind/Solar Cyberattack in Poland: [03:00–04:10]
- Danish DDoS Threats: [04:10–05:11]
- Fancy Bear/Microsoft Office Attack: [05:11–06:20]
- Notepad Supply Chain Incident: [06:20–07:30]
- Claudebot AI Ecosystem Attack: [07:30–08:40]
- Journalists/Researchers Threat Report: [08:40–09:47]
- Pulsar RAT & Stealer V37 Malware: [09:47–10:34]
- Google Espionage Trial: [10:34–11:40]
- Cyber Deal Activity: [11:40–13:02]
- Ann Johnson x Dr. Lori Cranor Segment: [16:33–22:14]
- AI Dinosaur Toy Data Exposure: [23:07–24:21]
Memorable Moments
- The shock and resignation found in public attitudes toward privacy invasions even as people continue using convenience-driven tech ([19:31]).
- The insecurity of supply chains in both AI and open source, as shown by the Claudebot/Notepad incidents.
- Dr. Cranor’s honest assessment of the lack of clear, usable, universal alternatives to passwords ([16:55], [18:41]).
- The “AI dinosaur” as a metaphor for both innovation and risk in consumer AI technology ([24:21]).
Conclusion
This episode captures the evolving (and increasingly complex) landscape of cyber threats targeting critical infrastructure, supply chains, and individual privacy. Notably, human factors and usability remain both a challenge and area for progress in effective and widely adopted security. The show closes with a powerful reminder: technology—especially when entrusted with the privacy of the most vulnerable—can fall short in surprising and troublesome ways.
