CyberWire Daily - War hits where it hurts.
Episode Date: April 28, 2026

Conflict in the Middle East disrupts the circuit board supply chain. The Supreme Court considers arguments on geofence searches. A new report highlights Chinese digital transnational repression. The NCSC protects HDMI and DisplayPort links. Tennessee bans cryptocurrency ATMs. Researchers expose a financially motivated subgroup of North Korea's Lazarus Group. Medtronic confirms a ShinyHunters data breach. Tim Starks, from CyberScoop, discusses telecom vulnerabilities. A helpful AI deletes everything.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
We welcome back Tim Starks, Senior Reporter for CyberScoop, discussing telecom vulnerabilities.

Selected Reading
Iran war disrupts the circuit board supply chain, raises costs for tech firms (Reuters)
Iranian hackers expose personal details of thousands of US Marines in Middle East (Metro)
Supreme Court signals location data searches should require a warrant (The Record)
Tall Tales: How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression (The Citizen Lab)
NCSC launches SilentGlass, a plug-in device to secure HDMI and DisplayPort links (Security Affairs)
Tennessee becomes second state to ban cryptocurrency ATMs over scam concerns (The Record)
BlueNoroff Uses ClickFix, Fileless PowerShell, and AI-Generated Fake Zoom Meetings to Target Web3 Sector (Arctic Wolf)
Medtronic Hack Confirmed After ShinyHunters Threatens Data Leak (SecurityWeek)
Claude-powered AI coding agent deletes entire company database in 9 seconds — backups zapped, after Cursor tool powered by Anthropic's Claude goes rogue (Tom's Hardware)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Today's sponsor, Rapid7, has an irresistible invitation for you CISOs and security practitioners out there.
A free two-day virtual summit, the subject, preemptive security.
Join the Global Cybersecurity Summit on May 12th and 13th from wherever you like.
A-list speakers will show you how organizations are disrupting attacks before they can blow towards your day.
You'll see how exposure management, MDR, and AI together let you make the decisive move.
Registration is open at rapid7.brighttalk.com.
Conflict in the Middle East disrupts the circuit board supply chain.
The Supreme Court considers arguments on geofence searches.
A new report highlights Chinese digital transnational repression.
The NCSC protects HDMI and DisplayPort links.
Tennessee bans cryptocurrency ATMs.
Researchers expose a financially motivated subgroup of North Korea's Lazarus Group.
Medtronic confirms a ShinyHunters data breach.
Tim Starks from CyberScoop discusses telecom vulnerabilities, and a helpful AI deletes everything.
It's Tuesday, April 26, 2026. I'm Dave Bittner and this is your CyberWire Intel briefing.
Thanks for joining us here today. It's great, as always, to have you with us.
Conflict in the Middle East has disrupted supplies of key raw materials used to manufacture printed circuit boards, driving sharp price increases across the electronics sector.
Strikes on Saudi Arabia's petrochemical complex halted production of high-purity polyphenylene ether resin, a critical PCB laminate input largely supplied by SABIC, which produces about 70% of global supply.
Shipping disruptions in the Gulf have further tightened availability.
At the same time, demand for PCBs has surged due to expanding AI server production, pushing prices up as much as 40% between March and April, according to analysts at Goldman Sachs.
Additional shortages of copper foil, glass fiber, and epoxy resin have compounded pressures.
Manufacturers are now renegotiating prices with customers as lead times stretch and material costs continue rising.
Meanwhile, a hacking group linked to Iran's Ministry of Intelligence, known as Handala Hack Team, claimed it leaked personal data of just under 2,400 U.S. Marines in the Persian Gulf and threatened further exposure.
The group said it holds detailed information on families, locations, and activities, and warned personnel they could be targeted by drones and missiles.
It also signaled plans to release U.S. Navy data.
Yesterday, during oral arguments in Chatrie v. United States, the Supreme Court signaled it is likely to rule that police geofence searches of cell phone location data qualify as Fourth Amendment searches and therefore require warrants.
The case centers on whether law enforcement can request data identifying all devices near a crime scene without probable cause.
Several justices expressed concern about the breadth of such searches, suggesting warrants should be narrowly tailored.
The discussion crossed ideological lines, with both conservative and liberal justices questioning the government's position.
Privacy advocates view the likely outcome as significant, since a ruling against warrant requirements could have enabled broader reverse searches, including keyword-based requests.
Google supported the plaintiff, warning that past geofence warrants have exposed thousands of users' location histories.
While the court appears unlikely to ban the practice entirely, it seems poised to impose constitutional limits on how location data can be collected.
We'll be having a detailed discussion of the Supreme Court case on this week's Caveat podcast that drops on Thursday. Do check it out.
Citizen Lab and ICIJ identified two China-aligned threat actors targeting diaspora activists and journalists through digital transnational repression.
Glitter Carp used phishing, fake security alerts, impersonation, and tracking pixels against Uyghur, Tibetan, Taiwanese, and Hong Kong activists, as well as ICIJ members.
Its goal appeared to be stealing email credentials for possible follow-on access.
Sequin Carp focused on journalists, including ICIJ's Scilla Alecci, using fabricated or co-opted personas and OAuth consent phishing, which can grant persistent Gmail access without stealing a password.
Citizen Lab assesses with high confidence that both actors are affiliated with the Chinese government, and with medium confidence that private contractors may be involved.
The report argues these campaigns show how outsourced cyber operations can scale repression, undermine trust among civil society groups, and expand targeting from diaspora communities to journalists investigating China's overseas repression.
The UK's National Cyber Security Centre has launched SilentGlass, a plug-in device that protects HDMI and DisplayPort links between computers and monitors.
Developed through NCSC-led research and licensed to Goldilock Labs, with manufacturing support from Sony UK Technology Centre, the device inspects traffic passing through display connections and blocks suspicious or unauthorized activity.
NCSC says monitors can expose sensitive information and may create overlooked pathways into larger systems, especially where physical access, supply chain risk, or third-party maintenance are factors.
SilentGlass is designed for simple, affordable deployment across government and business environments.
Its commercialization marks a broader shift towards protecting hardware interfaces, not just software and networks, and brings national security grade research into wider commercial use.
Tennessee has passed a law banning cryptocurrency ATMs starting July 1st, citing their growing role in fraud schemes targeting vulnerable residents.
The state follows Indiana in restricting the kiosks, while similar legislation is advancing in Minnesota.
Law enforcement officials say scammers commonly use crypto ATMs in government impersonation, tech support, romance, and pig-butchering scams, urging victims to deposit cash that is quickly converted to Bitcoin and transferred to criminal wallets.
According to the FBI, over 13,000 complaints in 2025 involved $389 million in losses tied to crypto ATMs, with most victims over age 60.
Regulators have also sued major operators, including Bitcoin Depot, CoinFlip, and Athena, alleging the machines frequently facilitate scam activity rather than legitimate transactions.
Arctic Wolf reports a targeted intrusion against a North American Web3 company attributed with high confidence to BlueNoroff, a financially motivated subgroup of North Korea's Lazarus Group.
The attackers impersonated a fintech legal expert and sent a spear-phishing Calendly invite with a typo-squatted Zoom link.
The fake meeting interface covertly captured webcam footage and deployed clipboard injection malware,
enabling rapid credential theft focused on cryptocurrency wallet extensions.
The compromise progressed from initial click to full system access in under five minutes.
Investigators identified more than 100 additional global targets across 20 countries,
many in crypto and investment roles, with CEOs and founders heavily represented.
Analysis also revealed infrastructure supporting typo-squatted domains and a pipeline combining stolen webcam footage with AI-generated images to create convincing deep-fake meeting lures for future attacks.
Medical technology company Medtronic confirmed a cyber intrusion after the ShinyHunters group claimed it stole more than 9 million records and corporate data.
The company said there's no evidence the incident affected products, patient safety, manufacturing, or hospital customer networks, which remain separately managed.
Medtronic has not confirmed data theft, but is investigating whether personal information was accessed.
ShinyHunters later removed Medtronic from its leak site after issuing a ransom deadline, suggesting a possible payment, though this remains unconfirmed.
Coming up after the break, Tim Starks from CyberScoop discusses telecom vulnerabilities.
Stay with us.
Most environments trust far more than they should, and attackers know it.
ThreatLocker solves that by enforcing default deny at the point of execution.
With ThreatLocker Allowlisting, you stop unknown executables cold.
With Ringfencing, you control how trusted applications behave, and with ThreatLocker DAC, Defense Against Configurations, you get real assurance that your environment is free of misconfigurations, and clear visibility into whether you meet compliance standards.
ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain.
It's powerful protection that gives CISOs real visibility, real control, and real peace of mind.
ThreatLocker makes zero-trust attainable, even for small security teams.
See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments.
Schedule your demo at threatlocker.com/N2K today.
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application security incident last year,
and 92% of responders reported threat levels have increased in the past two years.
GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience.
Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.
It's always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop.
Tim, welcome back.
Dave, you say it's always my pleasure, but it's my pleasure.
It's a mutual pleasure, isn't it?
All right.
It's a very mutual pleasure.
I don't know what to make of that.
But let's talk about the story that you recently wrote and published here.
This is titled Surveillance Campaigns Use Commercial Surveillance Tools to Exploit Long-known Telecom Vulnerabilities.
That sounds a bit foreboding.
Can you unpack what you've discovered here, Tim?
Yes, it's actually, so I'll just say credit to the discoverers in chief on this, which are Citizen Lab, the University of Toronto outfit that does a lot of deep work on spyware and commercial surveillance vendors that might not just be spyware.
So what they found, do you remember SS7, Dave? It's been a while.
Signaling System 7 was this vulnerability, kind of vulnerability that people were worried about a while back, years ago, related to just the protocols sent through the telecom system and how those signals are routed.
That was a 3G mainly problem.
There's a new system for 4G and most of 5G called Diameter.
There are worries about that being secure as well.
And so what Citizen Lab found here was the first occasion of attackers that linked the vulnerabilities of Diameter and SS7 to a commercial surveillance vendor.
And they found it being routed worldwide through two campaigns.
What's interesting about this is that the nature of the telecom system made it hard for them to figure out who was doing this and what vendor they were using.
So help us understand exactly what's going on here.
What's the exploit?
With these kinds of vulnerabilities, what you're talking about is someone intercepting information from phones, going into the infrastructure, and then being able to track a target.
So it's a surveillance campaign.
And anybody who basically has a phone could be vulnerable to this, right?
The way this infrastructure works is pretty Byzantine.
What they found is that there were countries worldwide where this was happening, from the UK to China to Mozambique.
Now, I will say that some of the companies whose infrastructure they found being exploited here say, we can't verify this.
This is not necessarily something we are confirming or agreeing with.
So there is some ambiguity here about this.
But even the researchers, talking to Ron Deibert over there, this was something that was a little elaborate and hard for them to get into.
But it involves text messages.
It involves getting into the system and pretending to be the system, and therefore being able to do a lot after that.
And who do we seem to be targeting here?
I mean, is this a nation-state espionage kind of thing, or is this the kind of thing where anybody can go out and hire this company to put a bullseye on somebody's back?
It could be a nation-state.
They talked about the typhoons, you know, the Chinese hacking groups that have that Microsoft name of X Typhoon, whatever the typhoon may be.
But it could also be the kinds of nation states that rely on these commercial surveillance vendors.
You know, Israel is an area.
One of the main communications providers that was affected by this was Israel.
And Israel is a real hotbed for spyware companies.
You know, name them, and they've probably got an Israel connection.
So that's another mystery, right, is who's doing this and who are they doing it for, but it could be just about anybody.
There was an unrelated story that I didn't mention that was out this past week in The Guardian, with the UK saying that they believe that there are 100 countries that have access to spyware vendors that could get into the UK's infrastructure.
So the realm of possibilities here is really large, and one of the researchers made a comment to another publication that said, you know, that these are, these two surveillance campaigns are the ones we found.
There could be so many more like this.
Your reporting points out that Senator Wyden from Oregon is looking into this and has asked CISA for some information.
Yeah, he's been asking for information from CISA on this for, I think, going back to at least 2022.
And, you know, the Sean Plankey CISA nomination that fell apart, one of the reasons that it was being held up was over Ron Wyden wanting this report.
And he wants to know more about the telecom vulnerabilities that are out there, particularly related to SS7 and Diameter.
The FCC also has concerns about these things, or at least they did.
In 2024, they said they were opening a probe into these vulnerabilities.
I do not know the status of that under this administration.
So it's something that people have been worried about for a while, but this is something that maybe should give them a little additional worry.
Yeah. It's such a weird space. Like, I remember years ago digging into the Stingray devices.
Yeah.
And how, and one of the things I learned, just talking to folks from the FCC, you know, on background, was that the FCC is very deferential to law enforcement when it comes to those sorts of devices.
And I would have thought that anything that spoofs a cell phone tower would be verboten, but not necessarily the case.
Yeah, and there's some legal issues around that, right?
You know, we're going to get a Supreme Court argument about what kinds of surveillance the federal government can do on things like this, particularly related to cell phone records.
And, you know, the Supreme Court has ruled on some of this in the past as it related to cell site location information, and I've got the acronym right.
It's a fertile ground for attackers.
It's a fertile ground for the government to get information about us.
But this is the off-the-book stuff.
This is the stuff that is not authorized.
This is the stuff that is not controlled by the U.S. government that this Citizen Lab stuff has found out about.
Is there anything to be done here by mere consumers, or is this the kind of thing where we're going to have to wait for some scrutiny from folks like the FCC?
This is pretty much not something that consumers have control over, which makes it a little scarier in a certain way, right?
There's not a lot of, like, oh, I'll just set up some multi-factor authentication, and I'm good.
These are vulnerabilities that are in the system that would require regulators or the companies themselves to take action, and it's hard for them to take action on this because we're talking about sort of backbone-like infrastructure.
So anything that they did would have to be deep, deep fixes.
Diameter was supposed to be a little more secure than this, but it turns out maybe not as secure as it should have been.
Ostensibly more secure than SS7, not fixed when they said, okay, we're going to build in some more security into this.
Well, they didn't build it in quite enough, it seems.
Yeah.
I feel like so many of the stories that you and other folks write include the phrase "turns out."
Yeah.
I do think it turns out a lot.
It's funny.
One of the things that, you know, when government and people in the industry talk about, like, oh, you know, 90% of attacks could be defended against if we just did basic cyber hygiene, right?
Things like multifactor authentication, keeping up-to-date passwords, patching.
That basic stuff is not what this is about.
Right. Right.
Tim Starks is senior reporter at CyberScoop.
We will have a link to his reporting in our show notes.
Tim, thanks so much for joining us.
Thank you, Dave.
And now a word from our sponsor, the Center for Health and Homeland Security, also known as CHHS.
Looking for a graduate degree that will give you an edge on your professional career?
Earn a Master of Science in Law at University of Maryland Carey School of Law.
This part-time, two-year online graduate degree program is designed for experienced professionals to understand laws and policies that impact your industry.
Learn from CHHS faculty, who are experts in their field.
No GRE required.
Learn how you can master the law without a JD at law.umaryland.edu.
And finally, founder of PocketOS, Ger Crane, says his company's production database vanished in just nine seconds after an AI coding agent, Cursor running Anthropic's Claude Opus 4.6, tried to help.
Assigned a routine staging task, the agent instead deleted a shared cloud volume along with every backup stored on it.
When asked why, the AI reportedly confessed it guessed instead of verifying, skipped documentation, and ran a destructive command anyway.
A refreshingly honest post-mortem for software.
Crane places much of the blame on Railway's infrastructure design, which allowed a single API call to erase both live data and backups without confirmation.
The result wiped months of customer records, leaving staff reconstructing bookings from payment histories and emails.
A three-month-old backup survived, but the rest required manual recovery.
The episode offers a modern lesson.
Automation moves fast, especially when it's confidently wrong.
And that's The Cyberwire.
For links to all of today's stories, check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to Cyberwire at N2K.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliott Peltzman.
Our contributing host is Maria Varmazis.
Our executive producer is Jennifer Eiben.
Peter Kilpie is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
