CyberWire Daily - The Supreme Court sits on the geofence.

Episode Date: April 27, 2026

The Supreme Court weighs geofence warrants. Iran leans toward quieter cyber ops. Researchers unpack Fast16 sabotage malware. Microsoft tracks an Outlook outage. Snow malware moves deep inside networks. Itron reports a breach. SMS blasters hit Canada. Italy extradites an accused hacker to the U.S. Monday business brief. Our guest is Mick Coady, Field CTO of Elisity, on how hospitals can best defend against ransomware attacks. Meta's relentlessly watchful eye turns inward.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest

We are joined by Mick Coady, former head of cybersecurity for hospitals and Field CTO of Elisity, on how hospitals can defend against ransomware attacks, both online and through devices, including patient monitors, HVAC systems, and any device connected to the Internet.

Selected Reading

Ingenious? Orwellian? Or both? Supreme Court considers constitutionality of 'geofence' warrants (NPR)
Iran's cyber threat may be less 'shock and awe' than 'low and slow,' officials say (The Record)
Newly Deciphered Sabotage Malware May Have Targeted Iran's Nuclear Program, and Predates Stuxnet (Wired)
Microsoft says Outlook.com outage is causing sign-in failures (Bleeping Computer)
Threat actor uses Microsoft Teams to deploy new "Snow" malware (Bleeping Computer)
American utility firm Itron discloses breach of internal IT network (Bleeping Computer)
Toronto police seize 'SMS blasters,' a cybercrime weapon never before seen in Canada (National Post)
Italy Decides to Extradite Chinese Man Wanted by US for Hacking (Bloomberg)
Artemis emerges from stealth with $70 million in funding. (The CyberWire)
Meta staff protest surveillance software on work PCs (The Register)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
[00:00:00] You're listening to the CyberWire Network, powered by N2K. Today's sponsor, Rapid7, has an irresistible invitation for you CISOs and security practitioners out there: a free two-day virtual summit. The subject? Preemptive security. Join the Global Cybersecurity Summit on May 12th and 13th from wherever you like. A-list speakers will show you how organizations are disrupting attacks before they can blow towards your day. You'll see how exposure management, MDR, and AI together let you
[00:00:41] make the decisive move. Registration is open at rapid7.brighttalk.com. The Supreme Court weighs geofence warrants. Iran leans toward quieter cyber ops. Researchers unpack Fast16 sabotage malware. Microsoft
[00:01:11] tracks an Outlook outage. Snow malware moves deep inside networks. Itron reports a breach. SMS blasters hit Canada. Italy extradites an accused hacker to the U.S. We've got your Monday business brief. Our guest is Mick Coady, Field CTO of Elisity, on how hospitals can best defend against ransomware attacks.
[00:01:33] And Meta's relentlessly watchful eye turns inward. It's Monday, April 27, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. Happy Monday. It is great to have you with us. The U.S. Supreme Court is considering whether geofence warrants violate the Fourth Amendment's protections against unreasonable searches. These warrants are a law enforcement technique that identifies people near crime scenes using tech company location data. In the case before the court, police used Google's location history data to identify suspects after a 2019 Virginia bank robbery, ultimately arresting one man while also sweeping in innocent bystanders. Supporters argue users who opted into location tracking
[00:02:54] reduced their expectation of privacy and that such warrants can help solve crimes efficiently. Critics counter that geofencing resembles a digital dragnet, allowing searches across millions of accounts without individualized suspicion. The court must decide whether geofence requests count as constitutional searches and whether voluntarily stored location data forfeits privacy rights. The ruling could shape how digital records are treated under the Constitution
[00:03:25] and define limits on law enforcement access to large-scale location data. U.S. officials and cybersecurity experts say recent warnings about Iranian-linked cyber threats are more likely to signal opportunistic intrusions than large-scale disruptive attacks on critical infrastructure. Former NSA director Tim Haugh and incident response expert Kevin Mandia noted that Iran's cyber activity typically relies on exploiting basic security weaknesses, such as stolen credentials and social engineering, then amplifying the impact through information operations. A reported incident involving medical device company
[00:04:08] Stryker, where attackers used legitimate access to disable devices, illustrates this pattern. Experts expect future activity to target organizations connected to the United States or Israel, rather than broad infrastructure systems. For defenders, the key risk remains identity security gaps and weak authentication controls, suggesting that routine protections like widespread multi-factor authentication remain the most effective near-term defense. Researchers at SentinelOne have uncovered new details about Fast16, a previously mysterious piece of malware dating to 2005 that appears designed for subtle, long-term sabotage of scientific and engineering calculations. Unlike destructive wiper malware or overt industrial attacks like
[00:05:03] Stuxnet, Fast16 silently altered outputs in simulation software, potentially causing faulty research results or real-world equipment failures while remaining difficult to detect. The malware spread across networks and targeted applications including MOHID, PKPM, and especially LS-DYNA, a physics simulation tool used in aerospace, engineering, and nuclear-related research. Evidence suggests LS-DYNA was used by Iranian scientists linked to nuclear weapons development, leading researchers to hypothesize Fast16 may have been an early cyber effort to disrupt Iran's program before Stuxnet. Experts say the discovery pushes back the timeline of sophisticated state-sponsored cyber sabotage
[00:05:56] and highlights how covert manipulation of technical data, rather than system destruction, has long been part of advanced cyber operations. This morning, Microsoft was investigating an ongoing Outlook.com outage causing intermittent sign-in failures and unexpected account sign-outs for some users. Since the issue began, thousands of reports have surfaced, with many users encountering "too many requests" errors and mailbox access problems. Microsoft says client sign-in interactions may be contributing to the disruption, but has not identified a root cause or disclosed affected regions or user numbers.
[00:06:39] The company classified the incident as service degradation rather than a full outage. Threat group UNC6692 is using social engineering to deploy a custom malware suite called Snow to steal sensitive data after gaining deep network access. According to Google's Mandiant researchers, attackers begin with U.S. email bombing campaigns, then impersonate IT help desk staff via Microsoft Teams to trick victims into installing a fake spam-blocking patch. The download deploys components including the SnowBelt browser extension, the SnowGlaze tunneler, and the SnowBasin backdoor, enabling stealthy command execution, persistence, and data exfiltration. After initial compromise, the attackers conduct
[00:07:31] internal reconnaissance, move laterally using stolen credentials, and extract Active Directory data from domain controllers. They exfiltrated registry hives and credential databases using LimeWire. Mandiant reports the activity supports long-term access and large-scale credential theft across compromised environments. Utility technology provider Itron disclosed that an unauthorized third party accessed a portion of its internal systems in a cyberattack detected on April 13th. The company activated its incident response plan, notified law enforcement, and engaged external advisors to investigate and contain the activity, which has since been blocked with no observed
[00:08:19] follow-up intrusion. Itron says the incident caused no material disruption to business operations and did not affect customers, though the investigation remains ongoing. The Washington-based firm supports electricity, water, and gas infrastructure across 7,700 customers in 100 countries, highlighting its role in critical services. No ransomware group has claimed responsibility, and Itron expects insurance to cover a significant portion of response-related costs. Toronto Police have arrested three men and laid 44 charges in what they describe as Canada's first investigation involving SMS blasters, devices that mimic legitimate cell towers
[00:09:06] to send fraudulent text messages to nearby phones. The suspects allegedly used the mobile systems from vehicles across Toronto to distribute smishing messages that redirected victims to fake websites designed to steal personal information. Police estimate tens of thousands of devices connected to the blasters over several months, causing more than third million network disruptions and potentially interfering with access to emergency services. The investigation, called Project Lighthouse, began in November of last year and involved multiple law enforcement agencies, financial institutions, and telecommunications providers. Authorities say the case highlights a growing threat to both public safety and financial security.
[00:09:54] Italy's government has decided to extradite Chinese national Zhu Jé Wei to the United States on hacking-related charges, following an Italian court ruling supporting the request. U.S. prosecutors allege Zhu stole COVID-19 research and conducted cyber operations on behalf of the Chinese government, though he denies the accusations. Zhu was arrested in Italy in 2025 at Washington's request and remains in custody pending formal extradition steps. Italian officials have not publicly commented on the decision. The move could help ease diplomatic tensions between Italy and the United States
[00:10:38] amid broader disagreements over foreign policy issues. Turning to our Monday business brief, Israeli detection and response startup Artemis has emerged from stealth with $70 million in seed and Series A funding, led by Felicit with participation from First Round Capital and Bright Mind. They're going to expand engineering, research, and go-to-market teams as enterprise demand grows. Meanwhile, Japanese AI security firm Almore raised $1.25 million in seed funding from Genesia Ventures, Dual Bridge Capital, and NextT-Tokei Innovation Fund to advance research and product
[00:11:24] development. Several acquisitions also highlight consolidation in the cybersecurity sector. ServiceNow completed its acquisition of cyber exposure management firm Armis to extend security visibility into operational environments. Nexus IT acquired IT consultancy Images to expand services nationally. Boost LLC acquired Rimstorm to strengthen CMMC Level 2 compliance support for defense contractors, and Cloud Computing acquired UK-based MSSP Innovate IT to support international expansion. Be sure to check out our weekly business briefing, part of CyberWire Pro. You can find that on our website. Coming up after the break, my conversation with Mick Coady from Elisity on how hospitals can best defend against ransomware attacks. And Meta's relentlessly watchful eye
[00:12:30] turns inward. Stay with us. Most environments trust far more than they should, and attackers know it. ThreatLocker solves that by enforcing default deny at the point of execution. With ThreatLocker Allowlisting, you stop unknown executables cold.
[00:12:59] With Ringfencing, you control how trusted applications behave. And with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations, and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero trust attainable, even for small security teams.
[00:13:31] See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com/N2K today. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps
[00:14:15] without compromising performance, time to market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com. Mick Coady is Field CTO at Elisity. I recently caught up with him to discuss how hospitals can best defend against ransomware attacks. Dave, so I would say, you know, south of the Mason-Dixon line, per se, you'll find more rural outpatient clinic type environments where they have to provide a bigger bandwidth of care. From there, from the clinical, I'll call it the smaller, we'll call it Doc-in-the-Box type style thing
[00:15:08] you'll have. From there, you'll get to the regional size. From there, you'll go super regional, which may be multi-state. And then from there, yes, you get to the largest players across the country. And how does that break down in terms of the haves and the have-nots when it comes to cybersecurity? Unfortunately, they have to kind of, they all have to kind of atone for meeting some basic functions on clinical care, right? So the rules sit in place that, you know, obviously, thou shalt do no harm, but that's all in place.
[00:15:40] But at the end of the day, they have to meet the basic requirements of what the HIPAA rules are. They're in the middle of a rewrite, and new versions of them are coming out, or there have been aspersions of what they are about to look like. So at any given stage of the hospital, they've allowed them to break down what they can or cannot afford to get those things completed. So basic bare minimums around what your security standards should be, how you would meet the privacy of any given patient record, those kinds of things are table stakes, I would say, Dave. But then as you get into the bigger environments where you are managing, you know, millions of medical records and/or, you know, particular styles of clinical care, research, and/or different parts and pieces, you're required to, you know, meet the ultimate standards that are required, I'd say, for a larger organization, no different than a bank.
[00:16:32] And because of this unique combination of elements that hospitals have, that puts a bit of a target on their backs when it comes to these threat actors, yes? Yes, it does indeed. Yes, absolutely. And I think some of the parts that you've seen, you know, there's been some recent public things that have just happened, obviously, as you're well aware. Last week, while I was actually sitting at a healthcare conference, one of the ones that was announced occurred at a large manufacturer.
[00:16:57] Another one occurred a couple of months back at another hospital system down in the south. Those things are occurring regardless. It depends on the vectors of attack, what they're looking for, and what they're doing with it, as it's been well and widely acknowledged that medical records are worth almost five or six times what a traditional financial record would be, based upon the content that would be served up in a medical jacket of information. So it kind of, you know, the attributes of why you would go after them are much more rich in content. But there's also the actors who are out there looking for nefarious pieces of activity around genomic research, or looking for advantages of stealing IP that certain
[00:17:41] hospitals in the United States would have that would be leading edge, bleeding edge, that would be supporting greater, better clinical care for all of us, that they're playing shiny objects. So they're going after medical records to do this, but in essence, as we peel away the layers, you'll find out that they actually were embedded for six to nine months, and they were looking at other things within the network that we were unaware of, and we kind of blamed it all on pay. They just dumped, you know, 1.2 million medical records out, but actually, in fact, what they were really doing is that they spent six months looking at your genomic research. Well, in the work that you do, what sort of things do you find out there in terms of how well
[00:18:19] prepared these organizations are? It varies, obviously, based upon how you would talk about structure and size. I don't deny that; I don't think in healthcare they are doing their very best with the least. And I say that because I've served in other capacities and other industry verticals along the way, in the energy sector and other sectors where there is more of an abundance of resource, both human and monetary. And in certain cases, they sometimes are no more advanced than where we are in healthcare. Healthcare has always had the limited margins of what they do. Most of the environments we are talking about are not-for-profit. So they're trying to deliver clinical care with the patient
[00:19:03] pretty much to the forefront of what they want to do, and trying to deliver a great experience for any person, particularly when we arrive. You well know yourself. You refer to yourself as you go through the glass doors of a clinic or a hospital. You're sitting in there. You're not in your greatest form. So the question is, how do we provide great but secure clinical care
[00:19:24] with the least amount of resources that most other industries just don't seem to have? So I would say, in a broader answer, I would say it varies. But I think in the greater good, everyone is doing the very best of what they can. I don't think anybody is operating in a highly negligent manner, as maybe we would have seen maybe a decade-plus ago. I think everyone is literally trying to get things completed that matter most for expediency of care, both for the physician and for the patient. Can you walk us through what happens when a hospital finds itself victimized here?
[00:20:01] A facility gets hit with ransomware. How do people spring into action to deal with that? Yeah, I would say an awful lot of it is based upon the experience, the size of the environment. So if you're dealing with this, and I think there was an episode recently on a program referenced on HBO called The Pit, and actually I think it was season, episode eight, and they were talking about it, but they actually kind of demonstrated some of the good and the bad and the ugly
[00:20:28] of what would go on. Most of it was fairly accurate, some pieces and parts, which immediately would come to mind is that if you're in the middle of a ransomware attack, you're not doing patient intake, right? I mean, most everything would be, most things would be unavailable.
[00:20:43] You can get away with doing isolatory type work, which would mean doing traditional patient monitoring with vitals. You would be able to look at some basic monitors if they were not linked going back to the workstation that requires much more heavy resource utilization of what the nurses and the clinicians are doing in general. But overall, you know, imaging would be unavailable. Pharmacology would be available, but you're going to paper, Dave, to kind of make it all work. And then you're trying to do with what you have in the building. One of the things that would
[00:21:14] absolutely, and I'll say it again, is that you would not have patient intake. I think in that particular episode, they were still trying to take patients in; that most likely would never happen. So that's kind of like the varying degrees. But if you've done, which we were kind of discussing last week, because we released a survey with the Hems Grotter organization, we had talked about what does that look like from tabletop exercises. How many times are you doing those a year? Are you even doing them? If you do them, you know, who's involved from a stakeholder perspective? It's going to have an awful lot of people from, say, the Office of Compliance and Counsel. You'll have the CEO, CFO; there's a financial responsibility. And then you'll have the leaders, both on the IT side and
[00:21:57] the clinical side, that will be involved in running those to make sure if we flip to paper and we're running, we can still run the hospital effectively over a period of time until the ransomware is kind of either completed or you recover from it in any particular given minute. Well, based on your experience here, how would you recommend that the folks who are responsible for the security of these organizations set their priorities? How do they choose where to aim those limited resources? Yeah, it has to go back to clinical care. I don't believe, other than one particular instance we can point to that unfortunately happened in the UK where there was loss of life, most of it would be absolutely securing patient information and securing the patient themselves,
[00:22:47] so no harm shall come to them. We're an extension of that oath that the clinical people take, that it's our job to make sure that we don't have that kind of a situation occur where there's a loss of life. I think that's the highest level of priority. And then secondarily is, from patient intake through to discharge, how do we continue to operate as a clinical environment that allows the patient to go through there in their worst of times, that allows them to have a good experience, regardless of whether certain parts of the technologies are not available? How do we get them in and out through the system with great care and keep them safe? So, I mean, that is the ultimate job, I think, of anybody when a hospital system is under duress.
[00:23:32] That is the major, you know, I would call it risk, and what's basically to the forefront of anybody delivering care. You know, I often ask folks, what should someone who is a consumer of these services look for in terms of making sure that they feel as though their data is being well protected? But is this a case where the level of regulation is such that really those basics are taken care of? I would say yes; that's kind of putting me on the spot. But I would say in the grander scheme of things, for sure.
[00:24:07] I think the 101 of anybody, whether it's running, you know, 56 outpatient clinics that are, you know, operating between 7 to 7 on any given day in either a broader city environment or in a rural environment or in a state-based environment, your number one objective is to absolutely keep the patient, you know, patient data private. I think everything else, when it comes to clinical care, of how you use advancements in technology to expedient levels of how you deliver care, that's great, just as long as you're not introducing risk along the way. And what unfortunately occurs, and the capabilities that the outside actors have, they've definitely grown in sophistication, where med devices themselves have now become an angle or a vector of attack because they are sitting on the network.
[00:24:57] They, you know, probably 20 years ago, an imaging machine may or may not have been on the network. It would have been connected to a standby server that sat there, and all of us have done MRIs to some greater degree, or X-rays, where it spun up a CD-ROM. And you would take that CD-ROM to the physician where you were referred to, and then they would either diagnose you
[00:25:17] or what needs to happen next. So I think as we have all gone online in a greater way, it opens up apertures of risk, but it also opens up apertures of greater care, better care, and expedient care. So that's the balance, ultimately, Dave, is that you're opening yourself up for these great advancements, and with that comes better responsibilities.
[00:25:40] That's Mick Coady, Field CTO at Elisity. And now a word from our sponsor, the Center for Cyber Health and Hazard Strategies, also known as CHHS. Looking for a graduate degree that will give you an edge on your professional career? Earn a Master of Science in Law at the University of Maryland Carey School of Law. This part-time, two-year online graduate degree program is designed for experienced professionals to understand laws and policies that impact your industry. Learn from CHHS faculty, who are experts in their field. No GRE required. Learn how you can master the law without a JD at law.u.maryland.org. The ride that steals the spotlight every time it hits the road, that's the Volkswagen Tiguan.
[00:26:48] Its sleek exterior makes a first impression you can't ignore. Step inside to find available full leather seats and wood accents. Under the hood, the available 201 turbocharged horsepower engine gives it a fun-to-drive edge. The refined Tiguan: you deserve more style. Visit vw.ca to learn more. SUVW, German engineered for all. And finally, Meta, long known for tracking user behavior to refine ads and engagement, is now turning similar observation inward by deploying monitoring software on employees' work computers.
[00:27:38] According to reports from Reuters and Business Insider, the Model Capability Initiative will capture keystrokes, mouse activity, and periodic screenshots from work-related tools like Gmail, G-chat, VS Code, and Meta's internal apps to help train AI agents that better understand how people use computers. CTO Andrew Bosworth reportedly framed the effort as a step toward a future where AI agents handle routine tasks while humans supervise. Meta joins peers like Anthropic, OpenAI, and Microsoft in pursuing agent-driven workflows. Still, there's a certain symmetry in Meta staff experiencing the sort of data collection the company helped normalize, especially as its vision of personal superintelligence arrives
[00:28:31] with fewer assurances about personal workspace privacy. Welcome to Facebook. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.
[00:29:07] We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliot Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
[00:29:44] Thanks for listening. We'll see you back here tomorrow. The Mattamy Homes Bike for Brain Health supporting Baycrest returns on May 31st for its fifth anniversary, with a new start and finish at the Aga Khan Museum. Join thousands of cyclists as we take over the DVP and Gardiner Expressway in support of dementia research and brain health. Riders of all abilities are welcome,
[00:30:19] and both regular bikes and e-bikes can participate. Bring your friends, family, or corporate team, and make an impact. Register today at bikeforbrainhealth.ca.
