CyberWire Daily - A city goes dark as cyber questions multiply.
Episode Date: January 5, 2026

Venezuela blames physical attacks for blackout as cyber questions swirl. Trump reverses a chip technology sale over national security issues, and removes sanctions linked to Predator spyware. Greek officials say an air traffic shutdown was not a cyberattack. The U.S. Army launches a new officer specialization in AI and machine learning. The Kimwolf botnet infects more than two million devices worldwide. ZoomStealer uses browser extensions to grab sensitive online meeting data. The European Space Agency confirms a cybersecurity incident. Former lawmakers and cyber policy leaders warn that U.S. cyber defenses are slipping. On today’s Afternoon Cyber Tea, host Ann Johnson welcomes Troy Hunt, founder of Have I Been Pwned. A researcher swipes left on white supremacy.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
On this segment of Afternoon Cyber Tea with host Ann Johnson, Ann is joined by Troy Hunt, founder of Have I Been Pwned, to explore what billions of breached records reveal about attacker behavior, human weakness, and the state of breach disclosure. To listen to Ann and Troy's full conversation, visit the episode page. You can catch new episodes of Afternoon Cyber Tea every other Tuesday on your favorite podcast app.
Selected Reading
Trump suggests US used cyberattacks to turn off lights in Venezuela during strikes (POLITICO)
US Action in Venezuela Provokes Cyberattack Speculation (GovInfosecurity)
COMUNICADO | CORPOELEC denuncia ataque perpetrado contra el Sistema Eléctrico Nacional (MPPEE)
President Trump Orders Divestment in $2.9 Million Chips Deal to Protect US Security Interests (SecurityWeek)
Treasury removes sanctions for three executives tied to spyware maker Intellexa (The Record)
Greece says a radio failure that grounded flights is unlikely to be a cyberattack (WRAL.com)
US Army to Establish AI Officer Corps for High-Tech Military Management (ForkLog)
The Kimwolf Botnet is Stalking Your Local Network (Krebs on Security)
Zoom Stealer browser extensions harvest corporate meeting intelligence (Bleeping Computer)
European Space Agency Confirms Server Breach (Infosecurity Magazine)
Time to restore America’s cyberspace security system (CyberScoop)
Researcher Wipes White Supremacist Dating Sites, Leaks Data on okstupid.lol (Hackread)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack, zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result, fast, reliable, and secure connectivity
without the constant patching, vendor juggling, or hidden costs.
From wired and wireless to routing, switching firewalls, DNS security, and VPN,
every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service,
you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters,
helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R dot com slash cyberwire.
Venezuela blames physical attacks for blackouts as cyber questions swirl.
Trump reverses a chip technology sale over national security issues
and removes sanctions linked to Predator spyware.
Greek officials say an air traffic shutdown was not a cyber attack.
The U.S. Army launches a new officer specialization in AI and machine learning.
The Kimwolf botnet infects more than 2 million devices worldwide.
ZoomStealer uses browser extensions to grab sensitive online meeting data.
The European Space Agency confirms a cybersecurity incident.
Former lawmakers and cyber policy leaders warn that U.S. cyber defenses are slipping.
On today's Afternoon Cyber Tea, host Ann Johnson welcomes Troy Hunt, founder of Have I Been Pwned.
And a researcher swipes left on white supremacy.
It's Monday, January 5th, 2026.
I'm Dave Bittner, and this is your CyberWire Intel briefing.
Happy New Year, and thanks for joining us. It is great to have you with us here today.
The United States launched a coordinated military operation in Caracas that led to the capture
of Venezuelan President Nicolas Maduro, accompanied by widespread power and internet outages.
President Donald Trump suggested the blackout reflected U.S. expertise, while Joint Chiefs Chair
John Daniel Caine said U.S. Cyber Command and
Space Command helped layer different effects to enable the operation. Officials did not confirm
whether cyber attacks were used. Internet monitoring group NetBlocks recorded connectivity losses
during the outage, noting any cyber role would likely have been targeted. Venezuela's government
claims the blackout resulted from physical attacks on substations, not hacking. The incident has
renewed attention on cyber-enabled warfare, especially given recent allegations by state oil firm
PDVSA that the U.S. previously targeted its infrastructure. If confirmed, the Caracas outage
would represent one of the most visible uses of U.S. cyberpower in a military operation.
President Trump ordered the reversal of a $2.9 million chip technology sale, citing U.S. security risks
tied to foreign ownership.
The deal, approved in 2024 under Joe Biden,
transferred computer chip and wafer fabrication assets
from Emcore Corporation to HieFo Corporation.
Trump said credible evidence shows HieFo's owner
is a citizen of the People's Republic of China
and ordered divestment within 180 days.
Elsewhere, the Treasury Department removed sanctions
on three individuals linked to the
Intellexa Consortium, reversing Biden-era designations tied to the Predator spyware operation.
Those delisted include Merom Harpaz, Andrea Gambazzi, and Sara Hamou, all sanctioned in
2024 for roles supporting Intellexa's opaque corporate structure.
Treasury said the decision followed a reconsideration petition and concluded the individuals
had sufficiently distanced themselves from the consortium.
The move marks a sharp shift from the Biden administration's aggressive crackdown on spyware vendors.
Digital rights groups warned the delisting risks undermining accountability,
noting Predator was used to target dozens of U.S. officials
and remains active globally despite signs of reduced use.
Greece temporarily shut its airspace after a major radio communications failure
disrupted air traffic control systems nationwide.
Transport Minister Christos Dimas said the incident,
caused by noise across multiple communication channels,
was unlikely to be a cyber attack,
though investigations continue.
Flights were grounded, delayed, or diverted for hours,
stranding thousands of passengers.
The Greek Civil Aviation Authority said backup systems were also affected.
Authorities launched judicial and internal probes,
while controllers renewed calls to modernize aging equipment.
The U.S. Army is creating a new officer specialization in artificial intelligence and machine
learning, designated 49B, set to begin in January. The move aims to build a data-centric force
by improving decision-making, intelligence, logistics, and robotic system integration. Officers with
relevant backgrounds are encouraged to apply and will receive advanced master's level training through
2026. The initiative follows the Pentagon's launch of GenAI.mil, an AI system based on Google's
Gemini model, amid broader government efforts to accelerate AI adoption in defense.
Krebs on Security highlights a rapidly growing botnet called Kimwolf that has infected more
than 2 million devices worldwide, exposing a major blind spot in home network security.
According to researchers at Synthient, Kimwolf spreads by abusing residential proxy services
to tunnel through firewalls and compromise devices assumed to be protected behind home
routers. The botnet primarily infects unofficial Android TV boxes and digital photo frames,
many of which ship with malware pre-installed or with insecure features like Android Debug Bridge enabled by default.
Synthient traced much of Kimwolf's growth to vulnerabilities in the residential proxy network IPIDEA,
which attackers use to access internal local networks and deploy malware at scale.
While IPIDEA says it has since patched the flaws, researchers warn the campaign highlights how proxy networks and
insecure consumer devices can enable large-scale abuse, including DDoS attacks, fraud, and
deep intrusion into private home networks.
Researchers have uncovered a large-scale browser extension
campaign dubbed ZoomStealer that has affected roughly 2.2 million users across Chrome, Firefox,
and Microsoft Edge. According to Koi Security, 18 malicious but fully functional extensions
collected sensitive online meeting data,
including URLs, IDs, embedded passwords,
participant details, and corporate metadata
from platforms like Zoom, Microsoft Teams, and Google Meet.
ZoomStealer is one of three related campaigns
reaching more than 7.8 million users over seven years,
attributed to a single threat actor tracked as DarkSpectre,
believed to be China-linked.
Researchers say the stolen data,
enables corporate espionage, sales intelligence, and highly convincing social engineering.
Despite being reported, several extensions remain available, highlighting ongoing risks from
overly permissive browser add-ons.
The European Space Agency has confirmed it's investigating a cybersecurity incident after
reports that hackers accessed data from servers linked to the agency.
With more on that story, here's Maria Varmazis, host of the T-Minus Space Daily podcast.
Now, it's not the best way to kick off an intelligence briefing for a new year,
but we are hoping that the story of a cybersecurity breach at a space agency
will be a bit of a motivator to start 2026 with the right security procedures in place.
That's because the European Space Agency has confirmed that some of its systems have been breached
after a hacker offered to sell data allegedly stolen from the organization.
Although it is unclear at this stage which data has been compromised,
it's understood that the attack has not impacted any classified or highly sensitive mission systems.
Threat actors have claimed a total of 200 gigabytes of data has been compromised.
On December 30th, 2025, ESA shared on X the following statement about this breach.
ESA is aware of a recent cybersecurity issue involving servers located outside the ESA corporate network.
We have initiated a forensic security analysis, currently in progress, and implemented measures to secure any potentially affected devices.
Our analysis so far indicates that only a very small number of external servers may have been impacted.
These servers support unclassified collaborative engineering activities within the scientific community.
All relevant stakeholders have been informed, and we will provide further updates as soon as additional information becomes available.
Reports have suggested that the attackers had systems access for potentially up to a week,
possibly mapping continuous integration, continuous deployment pipelines, and uncovering
hard-coded credentials.
This could leave the potential, at least, for adversaries to better understand ESA's infrastructure,
to identify potential vulnerabilities and even execute further supply chain attacks in the future.
Here is hoping that the damage is contained and that this is the extent of the breach.
That's Maria Varmazis. Be sure to check out T-Minus wherever you get your podcasts.
In an op-ed for CyberScoop, former lawmakers and cyber policy leaders warn that U.S. cyber defenses are slipping
as adversaries accelerate offensive operations. Former Congressman Jim Langevin and Mark
Montgomery, retired rear admiral and former executive director of the congressionally mandated
Cyberspace Solarium Commission, argue that China is persistently infiltrating U.S. government and
critical infrastructure networks, while Russia, Iran, and North Korea continue disruptive and preparatory
cyberactivity. Meanwhile, America's defensive posture is eroding. The authors draw on their
experience with the Cyberspace Solarium Commission, which produced 116 recommendations in 2020
that temporarily strengthened U.S. cyber strategy.
They say those gains are now fading due to leadership gaps,
workforce shortages, weakened public-private collaboration,
and lagging international coordination.
They call for urgent action,
including Senate-confirmed leadership
and stable funding for the Cybersecurity and Infrastructure Security Agency,
expanded cyber workforce programs,
restored information-sharing mechanisms,
and renewed cyber diplomacy.
Their message is blunt.
Waiting for a cyber catastrophe is not an option.
Coming up after the break,
Afternoon Cyber Tea's Ann Johnson speaks with Troy Hunt from Have I Been Pwned,
and a researcher swipes left on white supremacy.
What's your 2 a.m. security worry? Is it "Do I have the right controls in place?"
Maybe "Are my vendors secure?"
Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?"
That's where Vanta comes in.
Vanta automates the manual work so you can stop sweating over spreadsheets,
chasing audit evidence, and filling out endless questionnaires.
Their trust management platform continuously monitors your systems,
centralizes your data, and simplifies your security at scale.
And it fits right into your workflows,
using AI to streamline evidence collection, flag risks,
and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster,
scale confidently, and finally, get back to sleep.
Get started at vanta.com slash cyber.
That's v-a-n-t-a dot com slash cyber.
Microsoft's Ann Johnson is host of the Afternoon Cyber Tea podcast,
and in this week's episode, she's joined by Troy Hunt, founder of Have I Been Pwned.
Security often fails not because of technology that is broken,
but because the technology does not work for people.
Breach data is really a story about us.
It is about how attackers adapt and how people keep repeating the same mistakes.
As of the time of recording, we've got just over 17 billion breached records in this service.
Nearly 7 billion unique email addresses. When someone gets breached,
they usually get breached more than once.
Time on the internet increases risk and increases likelihood of exposure.
I find that really the biggest blocker for organisations disclosing
is that their number one priority is not to their customers,
despite what the disclosure emails often say.
Their number one priority, probably not surprisingly, is to shareholders.
And what that means is protecting organisational value,
making sure that the share price doesn't take a hit,
that investors don't lose confidence.
And that's this conundrum that people are referring to as data breach fatigue, where we're getting
so many of these notices that we're sort of like, oh, well, you know, it happened again.
But maybe what it's doing as well is changing our behaviours or necessitating that we change
our behaviours and we stop sort of treating each individual incident as some major thing.
And we structure ourselves such that we expect breach and we're resilient to breach.
I'm the Have I Been Pwned cyber security guy,
and I got phished earlier this year, like proper successfully phished.
I was jet lagged and I had this email allegedly from MailChimp
about my account being locked because of spam complaints
and that seemed very feasible.
And I followed the link and my password manager didn't auto-complete
my strong unique password.
So I copied and pasted it.
I had two-factor turned on and it requested the six-digit token
which I copied and pasted from my code generator into the phishing site,
and about five seconds later, my brain went, hang on a second, you know, this isn't right.
So I demonstrated these human weaknesses that social engineering and scams and attackers
take advantage of. One of them was fear of losing access to my mailing list.
It caught me in a moment of weakness. People have moments of weakness. You know, they're tired,
they're rushed, they're concerned about losing something. And the great thing about transparency
is that it's almost like a self-evident proof. Open transparency can very quickly disprove
in this case, fraudulent claims.
In the same vein, do you think that we're moving toward more transparency, more
disclosure, openness, or will organizations try to minimize what they share
unless it's mandated or regulated?
Yeah, and unfortunately, I think that's what it is.
One of the things that a lot of people don't understand is around what are the obligations,
the regulatory obligations of organizations for disclosure.
For things like disclosure, the regulatory obligations are usually around
reporting to the regulator. So you might have to, if you're in the UK, for example, report to
the Information Commissioner's office and you have to report to them within 72 hours. But then
you get to self-assess around the necessity to report to individuals. And GDPR uses terms like
jeopardising the rights and freedoms of individuals. In Australia, we have what we call
the notifiable data breach scheme. And if the breach is likely to cause serious harm to the
individuals, you need to disclose to them. But outside of that and outside of particular,
specific classes of data, such as medical data or other financial data or other
sensitive classes, you just don't need to disclose. And people, when the penny drops,
they're outraged. They're like, how on earth do we not have to hear about this? So what will often
happen for me is someone will send me data. And while we're doing this podcast, I saw one pop up
where someone said, look, this organisation has had a data breach. And also here's a link to them
denying it. And the link is to a tweet, which basically just says fake news. Now, I'll have
a look at that data and I'll be able to verify it. And if it's legitimate, I'll get in touch
to that organisation and say, look, I think you should look at this more closely. It's not
consistent with what you've said online. And the advice I normally then give is, look, the truth
is in the data. We will get to the bottom of the truth. And particularly if it's in public
circulation, you cannot escape that truth. Now, this is your opportunity to have some control
over the narrative. You can either analyze this, come up with reasonable conclusions,
make statements about it, and deal with it appropriately, or everyone will draw their own
conclusions. And they have the data. They will be able to draw accurate conclusions in some
cases, inaccurate conclusions and others. But unless you control the narrative, you have no
ability to control what people say about it. Be sure to check out the complete episode of
Afternoon Cyber Tea. You can find that on the CyberWire website or wherever you get your
favorite podcasts.
And finally, the lights dimmed at the Chaos Communication Congress, and onto the
stage walked one Martha Root, dressed as a Pink Power Ranger,
carrying a story about ideology, automation, and deeply neglected WordPress security.
Over the next hour, Root calmly narrated how she infiltrated White Date, a white supremacist
dating site and two related platforms, quietly harvesting more than 8,000 user profiles while
the site's operators remained blissfully unaware. She described unleashing a custom AI chatbot to
flirt, chat, and socially engineer at scale,
efficiently collecting photos, bios, messages, and metadata,
some complete with GPS coordinates.
Then came the punchline.
Live on stage, Root deleted the site's infrastructure,
turning extremist matchmaking into a 404 error.
A satirical preview of the leak now lives on okstupid.lol, with the full archive preserved by Distributed Denial of Secrets. The lesson landed
gently but firmly. Even self-proclaimed master races still need better patch management.
And that's the CyberWire. For links to all of today's stories,
check out our Daily Briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.