CyberWire Daily - “The hackers made me do it,” or did they?
Episode Date: January 27, 2026

Microsoft rushes an emergency fix for an actively exploited Office zero-day. A suspected cyberattack halts rail service in Spain. The FBI probes Signal chats in Minnesota. The UK moves to overhaul policing for the cyber age. Romania investigates a hitman-for-hire site. A UK court awards $4.1 million in a Saudi spyware case. Google agrees to a voice assistant settlement. CISA maps post-quantum crypto readiness. Prosecutors charge an Illinois man over a Snapchat hacking scheme targeting hundreds of women. Our guest today is Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon, sharing some insight into the AI and quantum threats to cybersecurity and the national cyber strategy. A Best Buy guy tries a creative alibi.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest today is Cynthia Kaiser, SVP of the Ransomware Research Center at Halcyon, sharing some insight into the AI and quantum threats to cybersecurity and the national cyber strategy.

Selected Reading
Microsoft Issues Emergency Patch for Actively Exploited Office Zero-Day (Beyond Machines)
Catalonia travel chaos: thousands stranded as suspected cyber attack disrupts rail network (The Olive Press)
FBI is investigating Minnesota Signal groups tracking ICE, Patel says (NBC News)
UK plans sweeping overhaul of policing amid surge in online crimes (The Record)
Romania probes two suspects over alleged hitman-for-hire website (The Record)
Judge awards British critic of Saudis $4.1 million, finds the regime hacked his devices (The Record)
Google to pay $68 million over allegations its voice assistant eavesdropped on users (CBS News)
CISA releases technology readiness list for post-quantum cryptography (CSO Online)
Illinois man charged with hacking Snapchat accounts to steal nude photos (Bleeping Computer)
Savannah Best Buy employee says 'hacker group' blackmailed him into theft ring scheme (WJCL 22)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
If securing your network feels harder than it should be, you're not imagining it.
Modern businesses need strong protection, but they don't always have the time, staff, or patience for complex setups.
That's where NordLayer comes in.
NordLayer is a toggle-ready network security platform built for businesses.
It brings VPN, access control, and threat protection together in one place.
No hardware, no complicated configuration, you can deploy it in minutes and be up and running in less than 10.
It's built on zero-trust principles, so only the right people can get access to the right resources.
It works across all major platforms, scales easily as your teams grow, and integrates with what you already use.
And now, NordLayer goes even further through its partnership with CrowdStrike,
combining NordLayer's network security with Falcon endpoint protection for small
and mid-sized businesses. Enterprise-grade security made manageable.
Try NordLayer risk-free and get up to 22% off yearly plans,
plus an extra 10% with the code CyberWire 10.
Visit NordLayer.com slash CyberWire Daily to learn more.
Microsoft rushes an emergency fix for an actively exploited Office Zero Day,
a suspected cyber attack halts rail service in Spain.
The FBI probes Signal chats in Minnesota.
The UK moves to overhaul policing for the cyber age.
Romania investigates a hitman for hire site.
The UK court awards $4.1 million in a Saudi spyware case.
Google agrees to a voice assistant settlement.
CISA maps post-quantum crypto readiness.
Prosecutors charge an Illinois man over a Snapchat hacking scheme targeting hundreds of women.
Our guest today is Cynthia Kaiser,
Senior Vice President of the Ransomware Research Center at Halcyon,
sharing some insight into the AI and quantum threats to cybersecurity and the national cyber strategy.
And a Best Buy guy tries a creative alibi.
It's Tuesday, January 27, 2026.
I'm Dave Bittner, and this is your Cyberwire Intel briefing.
Thanks for joining us here today.
It's great to have you with us.
Microsoft has issued emergency out-of-band security updates for an actively exploited zero-day vulnerability in Microsoft Office,
with a CVSS score of 7.8. The flaw allows attackers to bypass object linking and embedding,
or OLE, security protections, by abusing how Office handles untrusted inputs in malicious documents.
Exploitation requires a user to open a specially crafted Office file, although the preview pane remains safe.
The issue affects multiple Office versions as well as Microsoft 365 Apps for Enterprise.
For Microsoft 365 and Office 2021 and later, a service-side fix is already live and takes effect after restarting the applications.
Older versions remain at risk until formal patches are released and users are advised to apply registry-based mitigations in the meantime.
According to Microsoft, technical details about the attacks remain limited.
Catalonia, Spain, faced widespread travel disruption on Monday
after a suspected cyber attack shut down regional rail services
during the morning rush hour.
Commuter and regional trains were abruptly suspended around 6.45 a.m.
following system failures at Adif, Spain's rail infrastructure manager.
Thousands of passengers were stranded,
prompting the Catalan government to urge remote work and universities to reschedule exams.
Spain's transport minister Oscar Puente said a cyber attack was one possible cause,
though this remains unconfirmed.
Services later resumed intermittently, according to state rail operators,
who cited a major computer malfunction.
The incident compounded an already turbulent week for Spanish rail,
following multiple fatal and injurious accidents nationwide.
Barcelona Mayor Jaume Collboni called the disruption unacceptable,
while opposition figures blamed long-term underinvestment and demanded accountability.
FBI director Kash Patel said Monday that the Bureau has opened an investigation into Signal group chats
used by Minnesota residents to share information about federal immigration agents,
citing concerns that such activity could put agents in danger.
Speaking on a conservative podcast, Patel said the probe was prompted by claims
that users shared agents' locations and license plate numbers,
though he did not specify which laws may have been violated.
Free speech advocates quickly raised First Amendment concerns,
arguing that sharing lawfully obtained information about law enforcement activity is constitutionally protected.
Civil liberties groups warned the investigation could chill legitimate speech and public oversight of government actions.
The chats, hosted on the encrypted app Signal, have been used by activists and community members
to warn neighbors about immigration and customs enforcement activity.
Patel acknowledged the free speech implications, but said the FBI
would balance constitutional rights with potential violations of federal law.
The U.K. government has unveiled plans for a sweeping overhaul of policing, aimed at tackling
the surge in cybercrime, online fraud, and other internet-enabled offenses. Proposals from the
Home Office call for creating a new national police service described as Britain's equivalent of the
FBI to handle serious and cross-border crimes increasingly beyond local law
forces' reach. Officials say roughly 90% of crime now involves a digital element, with fraud
accounting for about 44% of recorded offenses. Home Secretary Shabana Mahmood said the reforms reflect
how crime has evolved in scale and sophistication, calling them the most significant changes in
nearly 200 years. Under the plan, the National Crime Agency would be absorbed into the new service,
while local forces remain focused on neighborhood policing.
The government also plans major investments in digital tools,
artificial intelligence, and national coordination
alongside new oversight for technologies such as facial recognition.
Romanian authorities are investigating two nationals
suspected of running a hitman-for-hire website
that allegedly allowed users to contract assassins online.
Police conducted searches at the request of UK authorities,
seizing electronic devices, cryptocurrency worth about $650,000, and large sums of cash.
Prosecutors say the platform used cryptocurrency and escrow-style payments to conceal identities and transactions.
The suspects face potential charges, including organized crime, incitement to murder, and money laundering.
Officials note such sites often prove fraudulent, though investigations are ongoing.
A UK court has awarded more than $4.1 million to London-based Saudi critic Ghanem al-Masarir,
ruling that his phones were hacked by spyware linked to the Saudi state.
Judge Pushpinder Saini found a compelling basis that Al-Masarir's phones were infected with Pegasus
spyware and that the operation was directed or authorized by Saudi Arabia.
The court said the hacking enabled extensive surveillance and caused severe psychological harm,
forcing Al-Masarir to stop producing his popular YouTube content.
Evidence from digital forensics researcher Bill Marczak of the Citizen Lab supported the findings.
Saudi Arabia did not contest the case, leading the judge to enter summary judgment,
calling the intrusions exceptionally grave invasions of privacy.
Google has agreed to pay $68 million to settle a class action lawsuit,
alleging its voice assistant recorded users' conversations without consent
and shared them with advertisers.
The proposed settlement filed in federal court in California
awaits approval from U.S. District Judge Beth Labson Freeman.
Plaintiffs claimed Google devices recorded private discussions
even without the activation phrase.
If approved, the fund will cover consumer claims and legal fees,
with payouts varying by the number of valid claims.
Google did not comment.
CISA has released new guidance mapping post-quantum cryptography, or PQC, standards
to common enterprise hardware and software categories.
Issued in response to a June 2025 executive order,
the advisory is meant to help CIOs and security teams assess quantum safe readiness and plan long-term migration.
CISA identifies product classes already using or transitioning toward NIST PQC algorithms,
including cloud services, collaboration tools, browsers, and some endpoint security products.
However, the agency stresses that none are fully quantum resistant yet.
Most implementations focus on key establishment, not digital signatures or authentication.
The guidance signals that PQC is becoming a practical procurement consideration,
while highlighting significant gaps enterprises must address as quantum safe standards mature.
U.S. prosecutors have charged Illinois man Kyle Svara with running a phishing scheme
that allegedly compromised nearly 600 women's Snapchat accounts between 2020 and 2021.
Authorities say he impersonated Snap employees to steal access codes,
download private images, and sell or trade the material online, including via Reddit.
One client was former Northeastern University coach Steve Waithe, later convicted of sextortion.
Svara now faces federal fraud and identity theft charges
and is scheduled to appear in court in Boston.
Coming up after the break, my conversation with Cynthia Kaiser from Halcyon.
We're talking about AI and quantum threats to cybersecurity,
and a Best Buy guy tries a creative alibi.
Stay with us.
What's your 2 a.m. security worry?
Is it, do I have the right controls in place?
Maybe are my vendors secure?
Or the one that really keeps you up at night?
How do I get out from under these old tools and manual processes?
That's where Vanta comes in.
Vanta automates the manual work, so you can stop sweating over spreadsheets,
chasing audit evidence, and filling out endless questionnaires.
Their trust management platform continuously monitors your systems,
centralizes your data, and simplifies your security at scale.
And it fits right into your workflows,
using AI to streamline evidence collection, flag risks,
and keep your program audit ready all the time.
With Vanta, you get everything you need to move faster, scale confidently, and finally, get back to sleep.
Get started at Vanta.com slash cyber.
That's V-A-N-T-A dot com slash cyber.
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application security
incident last year, and 92% of respondents reported threat levels have increased in the past two years.
Guardsquare delivers the highest level of security for your mobile apps without compromising performance,
time to market, or user experience. Discover how Guardsquare provides industry-leading security
for your Android and iOS apps at www.guardsquare.com.
Cynthia Kaiser is Senior Vice President of the Ransomware Research Center at Halcyon. I recently sat down with her to discuss AI and quantum threats to
cybersecurity and the national cyber strategy. So, Cynthia, it's always great to have you back.
You know, I want to key off of the fact that not too long ago, we saw some congressional hearings
when it came to AI and quantum threats for cybersecurity. And I wanted to check in with you
on that, for your reaction to kind of what this indicates,
the attention that Congress is taking when it comes to these issues.
Thank you for having me back and we're talking about a topic I find really important,
which is kind of thinking about how our adversaries are integrating AI.
And I'm really glad to see Congress taking up this mantle.
I think I saw Representative Olis during the hearing say,
if we don't get this right, we're screwed.
And I mean, that was my big takeaway, is like that's true, right? We have to really be thinking about this and understanding it.
And by understanding it, though, I mean knowing what's accurate, what might be hyperbolic,
but then what we can actually do to counter it, because it's not a runaway train.
We can do things that really help put us in a better security position.
Well, you use the word hyperbolic, and I'd love to start there, because I see folks talking about
the importance of AI dominance,
and I have to say I'm not certain what that means.
What does it mean to you?
It means that the U.S. stays ahead and is the leader of the kind of frontier models,
the type of AI development that's at that cutting edge.
Because when we keep our market dominance,
keep our AI dominance, to me that means we're the market leaders,
we are able to ensure that the AI that goes out there conforms
to the free speech and all other ethics that we hold dear as a country and that we know that
we're how it can be exploited, how it can be used for safety and how to combine that and
things aren't coming at us as a surprise. And where do you suppose we stand today in terms of
maintaining our leadership? Yeah, I think that we're easily four to six months ahead of a lot
of other groups, countries, especially China that's developing it. What you've seen China do a lot
is going to rapidly develop after we develop certain types of functions or advances in their own
models. And whether that's from the kind of typical Chinese model of figuring out things,
stealing things along the way, or just when you know something's possible, sometimes it's
easier to get to that point. Either way, the U.S. is still ahead. And it's really important to keep us
ahead as we look at what we might be facing coming down the road.
Well, speaking of what we might be facing, you head up the Ransomware Research Center
with your colleagues at Halcyon.
What are you anticipating this coming year when it comes to ransomware?
So I think right now we would say that AI hasn't fundamentally changed
ransomware tactics, but it's changed kind of the economics of ransomware, right?
it's lowered the barriers and it's accelerated some discrete tasks, some workflows.
I think that's where you're going to see some of this improvement and some more of these
discrete tasks.
So in the hearing, Google talked about the use of AI in certain points of the attack chain that really
did enable certain components to be a little more autonomous, to act a little more
autonomously and do that kind of in real time to also thinking about the discrete tasks that are
available with initial access. If you like, that's where we've seen a lot of the technology go
where you can kind of imagine how it is really beneficial to adversaries. I think making a lot more
believable phishing emails, deep fakes. So I think in the next year, what we'll likely see is
deep fake social engineering really start to overtake,
just the traditional identity attack at traditional social engineering.
And we're also going to see actors then start to experiment
with some of these more niche things that were talked about in the hearing.
I call them niche.
I call them experimentation because that's what they are.
There's a high failure rate for this kind of stuff that's going on right now.
It's really kind of starting to piece together and automate things that are already known.
So yeah, we'll probably detect it along the way.
So it's easy to say, kind of dismiss it now.
But the reason you experiment, the reason you do lots of failures is so you can get to success.
And I think that's what we're going to see over the next year is those reps that attempts to really
start to get better and figure out how you can change the sophistication, make things actually
more advanced using AI. Yeah, it's a really interesting point. I mean, I guess from your point of
view, where are we when it comes to the maturity of the ransomware marketplace? I mean,
Is there still room for innovation or are we at a state of refinement?
Well, I think refinement was probably more where we're at over the last year.
And you and I've talked about this before.
Over the last year, ransomware's gotten so fast.
And that's where we've seen a lot of the innovation.
And that primarily wasn't because AI was there.
It's because there's more virtualization.
The ransom actors just have more experience.
So they're able to get faster.
There's a lot of different things there,
and the quickness of ransomware attacks now
already necessitates a change in security posture.
So believing that you used to have days or weeks of dwell time of an actor.
So they're on your system.
You can get an alert.
You could look at that alert in the morning, try to kick them out.
That's not possible now.
Now, really, all these things are happening in 24 hours to hours.
And that means that you really have to automate a lot of your security tasks.
The way in which you defend against AI-enhanced threats is much the same.
Like you really need automated defense.
You need defense in depth to be able to identify these attacks in real time.
Because right now and for the foreseeable future, what is more likely to happen is just more, right?
More attacks from more actors who maybe wouldn't have been able to do it otherwise, or advanced actors figuring out ways to
automate parts of their processes, create agents that help them do their activity so that they can do
more attacks or they can do those, you know, just a slight bit faster. But I think what we're at
now is looking at not having, you know, an attack, you recover from an attack, you can set your
security posture, you wait for the next one. But if you have more and more attacks, that's really
problematic. And that's likely where we're going with some of these integrations of AI.
Well, speaking of more and increased velocity, certainly an area of development is the quantum threat.
Do you suppose that is going to affect ransomware operator's ability to do what they do when these tools become more readily available?
Yeah, I think we're a little bit of ways out from some of the quantum-assisted tools becoming available to the wider swaths of cyber criminal groups.
When I think about the quantum threat, I certainly am thinking first and foremost about
China and some of the other nation states. But eventually, when you get to those points where I think
I would really worry among the ransomware group overall is not just kind of, hey, it makes this
technically a little bit easier or our ability to move is a lot faster. But even the information
that's been stolen along the way, if it was encrypted or if the information they're stealing is
encrypted, maybe isn't as useful, the ability to then go through data to identify high value data
we thought we were all protecting, that could come into play. But once again, I still feel that's a
much farther out issue than what we're looking at in terms of the advancements fueled by AI.
Well, looking at the big picture, again, you know, heading into, or well, well, into 2026 as we
find ourselves already. What's your advice for the defenders out there when it comes to
approaching ransomware this coming year?
Really, defenders should expect the shorter lead times,
more convincing social engineering and faster iteration.
And that, I think, just shows focusing on the basics,
but focusing on some of the basics, well, the rapid patching,
strong identity controls, and resilient detection and response processes,
that's still what is most important.
And I think overall, when you're looking at this,
this ensuring that you're creating and thinking about, like, how do I do this detection and
defense in real time? So that's really what the advice I'd give to defenders overall. But I'd go a
step further with now, if we're on the AI topic, which is a lot of organizations are thinking about
or starting to develop their own in-house AI models or maybe have employees that are
pulling together valuable data into their own models on their networks. If more security is not
placed around that, so take an in-house AI model or the kind of discrete ones that maybe
employees are creating on their own, that is a huge target of opportunity for ransomware actors. And
they get onto a system or any adversary, really. They get onto a system, maybe you used to have to go
around and look for the valuable data or maybe it was in different places. But what we're all doing is
consolidating that into very easily findable places. And so we really have to think about the
security and extra security we're putting around the AI tools on our own systems to better
protect our information. That's Cynthia Kaiser from Halcyon. And finally, a 20-year-old
Best Buy employee in Savannah, Georgia is learning that retail crime dramas rarely end with a plot
twist in the defendant's favor.
Police say Dorian Allen helped suspected shoplifters walk out of the Abercorn Street
store with more than $40,000 in merchandise from snack foods to $700 PlayStation consoles.
His explanation?
Online blackmail.
According to the Savannah Police Department, Allen claimed a mysterious hacker group emailed
instructions on which customers to wave through,
threatening to leak nude photos if he refused.
Investigators say he could not identify the hackers,
describe them, or produce the emails.
Store video allegedly shows weeks of point-of-sale manipulation,
totaling 143 items.
Allen now faces theft charges,
while the supposed hackers remain, for now,
safely imaginary.
And that's the Cyberwire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights
that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show,
please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire@n2k.com.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester
with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben,
Peter Kilpe is our publisher,
and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year,
make it RSAC 2026.
It's happening March 23rd through the 26th in San Francisco,
bringing together the global security community
for four days of expert insights,
hands-on learning, and real innovation.
I'll say this plainly,
I never miss this conference.
The ideas and conversations stay with me all year.
Join thousands of practitioners and leaders tackling today's toughest challenges and shaping
what comes next.
Register today at rsaconference.com slash cyberwire 26.
I'll see you in San Francisco.
Attackers don't go through your tools.
They go around them.
In our interview with Jared Atkinson, CTO at SpecterOps, he reveals how
attackers look to exploit our identities, steal tokens, and quietly snowball their access across
active directory, cloud apps, and GitHub.
We talk through attack paths, why least privilege keeps failing, and how one misconfiguration
can hand over the keys to your organization.
Want to see risk as attackers do?
Then check out the full interview now on thecyberwire.com slash specterops.
