Risky Business #827 — Iranian Cyber Threat Actors Are Down But Not Out

Podcast Date: March 4, 2026
Host: Patrick Gray
Co-hosts: Adam Boileau, James Wilson

Episode Overview

This episode of Risky Business delves into the cyber dimensions of the ongoing war against Iran, discussing the real-world impact of cyber operations in modern conflicts. Patrick Gray, Adam Boileau, and James Wilson cover the hacking of Tehran’s surveillance infrastructure, the current lull in Iranian cyber-ops, new frontiers in threat hunting with AI, notable recent cyber incidents, privacy and AI risks, as well as law enforcement and intelligence community shakeups. The episode features a sponsor interview with Sydney Maroney of Nebuloc, focusing on agentic threat hunting frameworks.

Key Discussion Points & Insights

1. Cyber Warfare in the Iran-Israel Conflict

• Hacked Surveillance in Iran
  • Tel Aviv and Washington’s alleged long-term access to Tehran’s IP traffic cameras enabled intelligence gathering and tactical planning (e.g., tracking movements around locations associated with Iranian leadership).
    • “Israel's access to the camera systems there seem to have been pretty important at tracking movements in and out of the compound where Ali Khamenei was, you know, was eventually killed.” (B, 01:49)
  • US/Israel also reportedly compromised mobile networks, disabling comms for bodyguards and reducing advance warning during the strike.
• IP Cameras as a National Security Risk
  • Ongoing removal efforts (e.g., Hikvision) highlighted as justified by these latest events.
  • “IP cameras are a risk. It sort of explains why a bunch of the SIGINT agencies for years have been so absolutely terrified of, like, Hikvision cameras.” (A, 02:58)
• Influence Operations & Disruption
  • Hacked Iranian apps and media (e.g., a prayer app telling people to surrender) and disruptions to air defense were noted, but not deemed hugely impactful compared to the surveillance angle.
    • “There is a gamut of legitimate uses here, from pattern of life stuff through to some of the disruption we've seen of air defence systems.” (B, 04:25)
• Establishment of ‘Cyber Doctrine’
  • Observed repeated playbooks for integrating cyber, electronic, and kinetic operations—“This is clearly the way that they're going to do this in the future and everyone else is going to be paying attention.” (B, 05:18)

2. Iranian Cyber Threat Activity: Drop, But Not Out

• Current Lull
  • Cloudflare’s Matthew Prince reports a dramatic drop in Iranian ops, likely due to local disruptions: “There's been a dramatic drop in Iranian cyber operations—likely as operators are sheltering.” (A, 05:40)
  • Heavier localized DDoS and bombing described as distracting would-be threat actors.
• Potential for Surge Later
  • The expectation is that Iranian actors will retaliate once operational again: “My feeling is that it's not trivial…we could see a bunch of nuisance attacks coming out of Iran eventually.” (A, 06:52)

3. Satellite Communications as a Wild Card

• Iranian Hackers Using Starlink
  • Both script kiddies and state-linked groups (e.g., Mindala, associated with Iran’s Ministry of Intelligence) using Starlink to maintain operations.
    • “Anyone who's getting online from Iran at the moment is getting online through Starlink.” (B, 08:42)
  • US smuggling Starlink terminals to Iran as infrastructure is increasingly restricted.
• Broader Implications
  • Starlink’s proliferation complicates regimes’ efforts to isolate internet access.

4. GPS Spoofing and Navigation Disruptions

• Significant GPS Disruptions in the Strait of Hormuz
  • Widespread spoofing impacts air and sea navigation, “It’s kind of expected as part of any modern conflict.” (B, 10:12)

5. Physical Attacks on Data Centers

• Missile Hits Amazon Data Center (Dubai): Fallout
  • Amazon’s statement—“an object hit their data center, causing sparks and fire”—mocked for downplaying the reality.
  • Ex-Amazonian James details how strict protocols mean the facility likely must be rebuilt to assure integrity:
    • “When you've got a situation where an object has broken the physical perimeter of a data center…you just don’t know (what was tampered with) and because you don’t know, you got to start again from scratch.” (C, 11:28)
  • Significance: first multi-AZ AWS outage caused by physical attack, not software.

6. US Government Exploits Leak Scandal

• Triangulation Exploit Chain
  • Andy Greenberg’s story connects the iPhone exploit chain (initially used in US operations) leaking via L3 Trenchant’s Peter Williams to Russian hands and then cybercriminals.
  • Patrick Gray: “It is my opinion that what Peter Williams walked out of L3 Trenchant was the triangulation kit and it caused massive harm to security interests…” (A, 15:55)
  • Scandal over operational exposure, light sentencing for Williams, and widespread anger in infosec/intelligence communities.
    • “If you put this guy in a room with his former colleagues … he would not be emerging unscathed.” (A, 19:10)

7. SISA Leadership Turmoil

• Departure of Madhu Gotta Makala
  • Ongoing perception of dysfunction, strange leadership behavior (notably, his “cybertruck guy” reputation).
    • “He actually stood down an employee who was caught…walking past his Cybertruck and flipping at the finger.” (A, 19:38)
• CIO Robert Costello also exits amidst turmoil.
• Described as "SISA’s century of humiliation continues." (A, 21:39)

8. AI, Surveillance & Mass De-Anonymization

• AI Model Contracts & Anthropic v. OpenAI
  • Anthropic resists supplying models for “mass surveillance of US citizens” and “fully autonomous weapons”—not on moral grounds, but technical readiness.
    • “It’s not a moral stance. This is like, you want to kill a robot, man, we would love to help you with that, but our models just aren't ready.” (A, 23:36)
  • Contract snatched by OpenAI after government threatens Anthropic with supply chain risk status.
  • Opaqueness over OpenAI’s concessions; general concern over weak Congressional oversight in regulating commercial surveillance use of AI and COTS data.
    • “This is Congress’s job, and they're missing in action, basically.” (A, 26:41)
• Large-Scale De-Anonymization Using LLMs
  • New research demonstrates LLMs can cross-link users’ pseudonymous presence across platforms at scale using writing samples/embedding similarity.
    • “What they proved here is that using an LLM…and embedding technology…they can do essentially cross platform de-anonymization.” (C, 30:20)
  • Practical privacy implications now compounded by AI efficiency.

9. AI and 'Script Kiddies 2.0'

• Massive Democratization of Offense
  • AI tools like Claude can now automate chaining basic attack steps (“if you break a campaign into small enough chunks…each one looks like ordinary defensive work.” (C, 34:09)), as demonstrated in Mexican government data breaches.
  • Urgent need for defenders to correct misconfigurations (“You gotta get your ducks in a row these days because…the script kiddies…they're coming and they're using LLMs.” (A, 34:59))

10. Technical Findings and New Threats

• Air Snitch Wi-Fi Guest Isolation Bypass
  • New ‘air snitch’ attack is a practical old-school trick but still significant for internal network access via guest Wi-Fi, based on Ethernet design weaknesses.
    • “It absolutely is interesting…to steal traffic or interact with devices on the internal network…but on the other hand, it is still all old bar humbug Ethernet.” (B, 36:25)
• ASD’s Cisco SD-WAN Threat Hunting Guide
  • Noteworthy as a sign of scale and maturity in threat hunting documentation.
• OpenClaw Localhost Security Weakness
  • Oversight in local access controls lets JavaScript in browsers brute-force authentication to the OpenClaw AI agent.
    • “Any JavaScript…can access the local OpenClaw service.” (C, 40:13)
• Claude-assisted Robot Vacuum Hack
  • Hobbyist uses Claude to hack robot vacuums; vulnerability reveals one API key for all vacuums. "Same backend key used for all of them." (C, 41:36)

11. Accountability in Surveillance Tech

• Intellexa Spyware Scandal in Greece
  • Actual prison sentences delivered to Intellexa executives—“we’re not used to seeing these people sent actually to prison.” (A, 42:23)
  • Message to other spyware peddlers, though noting that government users remain unpunished.

12. Ransomware & Crime

• Conti Ransomware: Failed Attempted Extortion
  • Moscow arrest for posing as FSB to extort Conti, not for being a Conti member.
    • “The Conti operators didn’t get arrested, but the guy trying to shake them down did.” (A, 45:06)

13. In Memoriam: FX (Felix Lindner)

• Community mourns loss of well-known European hacker and connector in the international security scene.

Notable Quotes & Memorable Moments

• “It absolutely is interesting…to steal traffic or interact with devices on the internal network…but on the other hand, it is still all old bar humbug Ethernet.” (Adam Boileau, 36:25)
• “Color me completely unsurprised that [GPS spoofing in Strait of Hormuz] is happening.”—Patrick Gray (10:37)
• “If you have an idea, you typically can build it with AI, but you still need to ensure there’s that structure. And sometimes that’s the difficult part to figure out.” —Sydney Maroney (Sponsor Interview, 52:52)
• “You gotta get your ducks in a row these days because…Script Kiddie Mark 2s, they're coming and they're using LLMs.” —Patrick Gray (34:59)
• “It is my opinion that what Peter Williams walked out of L3 Trenchant was the triangulation kit and it caused massive harm to security interests…” —Patrick Gray (15:55)
• “It is, holy dooley...it's the sort of thing...has been theorized for a long time, but to be able to auto do it, put it on auto and just get it done is the new part.” —Patrick Gray on LLM de-anonymization (32:26)

Sponsor Interview: Agentic Threat Hunting with Sydney Maroney (Nebuloc)

Starts at ~49:17

Framework Highlights

• Agentic Threat Hunting Framework
  • Focuses on memory/context preservation—threat hunts aren’t run from scratch each time.
    • “With a framework like I’ve created, you don’t start from scratch. You have some sort of memory to go from.” (D, 49:17)
  • Utilizes repositories (e.g., Git) to record hunts, their queries, and outcomes.
  • Maturity model for gradual AI adoption; from documenting hunts, adding co-pilots, to layering agentic automation.
  • “If you have an idea, you typically can build it with AI, but you still need to ensure there’s that structure.” (D, 52:52)
• Practical Benefits
  • Threat hunts that took weeks can now be accomplished in hours, but guidance and double-checking are still key.
  • Addresses both the acceleration of investigations and the risk of going down fruitless rabbit holes.
• Framework Accessibility
  • Open source and vendor agnostic; available via agenticthreathuntingframework.com and GitHub.

Additional Links & References

• ASD Cisco SD-WAN Threat Hunting Guide (February 2026, v2.4)
• Agentic Threat Hunting Framework: GitHub
• Andy Greenberg's reporting on exploit chains and insider risk

For Further Listening

• Risky Business Features — New interviews and deep dives
• Risky Business Stories — Additional narrative/reporting content

This summary captures the original tone: lively, irreverent, and informed as the hosts dissect complex technical and geopolitical subjects with clarity and skeptical humor.