CyberWire Daily - Watch out for cybercrime frequent flyers.
Episode Date: March 16, 2026

Drone strikes hit a key chip supply chain. China-linked hackers target Southeast Asian militaries. Attackers race ahead with AI. ShinyHunters claim a massive Telus breach. Microsoft issues a hotpatch. Malware turns up on Steam. Fileless attacks grow. Airline miles become cybercrime currency. Monday business breakdown. Tim Starks from CyberScoop unpacks the Stryker attack and the nebulous nature of Iranian cyber activity. AI playmates puzzle preschoolers.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Tim Starks from CyberScoop discussing how the Stryker attack highlights the nebulous nature of Iranian cyber activity amid the joint U.S.-Israel conflict. You can read more in Tim's article here.

Selected Reading
Drone strikes halt a third of the world's helium supply, threatening chip production (TechSpot)
China-Linked Hackers Hit Asian Militaries in Patient Espionage Operation (SecurityWeek)
Attackers are exploiting AI faster than defenders can keep up, new report warns (CyberScoop)
Telus Digital confirms breach after hacker claims 1 petabyte data theft (Bleeping Computer)
Microsoft releases Windows 11 OOB hotpatch to fix RRAS RCE flaw (Bleeping Computer)
The FBI is investigating malware hidden inside games hosted on Steam (TechCrunch)
New XWorm 7.1 and Remcos RAT Attacks Abuse Windows Tools to Evade Detection (Hackread)
Airline miles become underground currency in loyalty fraud schemes | brief (SC Media)
Kevin Mandia-founded Armadin launches with $190 million. (N2K Pro Business Briefing)
AI toys for young children need tighter rules, researchers warn (BBC News)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
AI is changing how enterprises operate and how they stay protected.
It's time to eliminate risk and protect innovation.
From March 23rd through the 26th, join Trend AI for actionable AI security insights.
Catch impactful sessions at RSAC, then unwind and grab a bite at their lounge in Trapasue.
Experience industry-leading AI security in person, engage with the experts, and get your chance to win $500,000.
San Francisco. Let's AI fearlessly. Learn more at trendmicro.com slash RSA.
Drone strikes hit a key chip supply chain. China-linked hackers target Southeast Asian militaries.
Attackers race ahead with AI. ShinyHunters claim a massive Telus breach. Microsoft issues a hotpatch.
Malware turns up on Steam. Fileless attacks grow. Airline miles become cybercrime currency.
We got your Monday business breakdown.
Tim Starks from CyberScoop unpacks the Stryker attack and the nebulous nature of Iranian cyber activity,
and AI playmates puzzle preschoolers.
It's Monday, March 16, 2026.
I'm Dave Bittner, and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
Happy Monday.
It is great to have you with us.
A drone attack linked to Iran has shut down QatarEnergy's Ras Laffan
helium facility, removing roughly 30% of global supply and exposing vulnerabilities in the
semiconductor supply chain. Helium is critical for chip manufacturing, where it cools
silicon wafers during etching and lithography, and there is no effective substitute. Qatar Energy
declared force majeure after the March 2nd strike, disrupting deliveries to global buyers.
South Korea is particularly exposed, having sourced
about 65% of its helium from Qatar last year. Its government is now reviewing key semiconductor
materials tied to Middle Eastern suppliers, including bromine from Israel. Major chipmakers, such as
SK Hynix and TSMC, say they have contingency stocks for now. However, analysts warn that if
the outage lasts beyond two weeks,
distributors may need months to reconfigure supply chains,
echoing disruption seen after Russia's 2022 invasion of Ukraine.
Palo Alto Networks reports a long-running cyber espionage campaign
targeting Southeast Asian military organizations,
attributed to a suspected China-linked threat actor
tracked as CL-STA-1087.
Active since at least 2020,
the group demonstrated patience by remaining dormant inside compromised networks for months before resuming operations.
The attackers deployed custom tools, including the Applechris and Mem Fun backdoors,
and a credential-stealing utility called GetPass.
They also used PowerShell scripts to establish reverse shells,
then moved laterally across domain controllers, web servers, IT workstations,
and executive systems using Windows Management Instrumentation and native .NET tools.
The operation focused on collecting sensitive files related to military capabilities,
organizational structures, and joint activities with Western forces,
including command, control, communications, computers, and intelligence systems.
Researchers say infrastructure clues, language artifacts, and working hours
suggest the campaign likely originates from China.
A new report from Booz Allen Hamilton warns that cybersecurity is entering a new phase as artificial intelligence accelerates the pace of cyber attacks and compresses defenders' response times.
The report argues that threat actors, including cybercriminals and state-sponsored groups, have adopted AI faster than governments and private sector defenders.
Large language models can help attackers quickly identify subtle vulnerabilities and exploit them at machine speed once inside a network.
Booz Allen cites incidents involving AI tools and frameworks that can automate reconnaissance and exploitation across many targets simultaneously.
By contrast, many defensive processes still rely on slower human-driven workflows, such as patch timelines that can take weeks.
The report says attackers are using AI both to amplify existing hacking operations and to orchestrate automated attacks.
As a result, organizations may need to adopt AI-assisted defenses and automated remediation despite the operational risks.
Telus Digital, the business process outsourcing arm of Canadian telecom provider Telus,
has confirmed a cybersecurity incident after threat actors claimed
to have stolen nearly one petabyte of data in a months-long breach. The attack is attributed to
the ShinyHunters group, which allegedly gained access using Google Cloud Platform credentials
discovered in data from the earlier Salesloft Drift breach. According to the attackers,
the credentials allowed them to access internal systems, including a large BigQuery database,
and then pivot further using additional secrets discovered in the data. The stolen
information reportedly includes customer support data, call records, voice recordings,
source code, and financial information linked to companies using Telus Digital's outsourcing services.
Telus says it's investigating the incident with forensic experts and law enforcement
and is notifying affected customers as the investigation continues.
Microsoft has released an out-of-band hotpatch update to fix security vulnerabilities
affecting certain Windows 11 enterprise systems.
The flaws involve the Windows Routing and Remote Access Service management tool
and could allow remote code execution if a domain-authenticated attacker
tricks a user into connecting to a malicious server.
The issues were previously addressed in the March 2026 Patch Tuesday release.
The hotpatch version delivers the fixes without requiring a system reboot,
using in-memory patching, for devices managed through Windows Autopatch that rely on continuous uptime.
The FBI is investigating a suspected hacker who allegedly published multiple malware-laden games on the Steam platform over the past two years.
Titles linked to the activity include Blockblasters, Dashverse, or DashFPS, Lampi, Lunara, PirateFi, and Tokanova.
According to the FBI, the games function normally but secretly install malware, acting as Trojan horses to infect players' computers.
Steam later removed the files, though an unknown number of users may have been compromised before the takedown.
The FBI is now asking potential victims to come forward as the investigation continues.
Researchers at Trellix warn that cybercriminals are increasingly using fileless malware attacks
that run in the system's temporary memory, helping them evade traditional security tools.
One example is XWorm 7.1, a malware-as-a-service remote-access Trojan
that gives attackers full control of infected systems and has seen a 174% rise in use over the past year.
In one campaign targeting a network security firm in Taiwan,
attackers exploited a WinRAR vulnerability and distributed malicious archives
through Discord disguised as game mods.
Once opened, the malware used a living-off-the-land technique to run in memory.
A separate campaign used the Remcos RAT delivered through phishing emails with procurement-themed lures.
Trellix says these attacks highlight the need for behavior-based detection,
timely software updates, and stronger monitoring of trusted system tools.
Airline loyalty points have become a profitable commodity in cybercrime markets,
according to research from Flare cited by Bleeping Computer.
Attackers typically obtain account credentials through phishing or info-stealer malware,
then verify which compromised accounts contain valuable miles.
These accounts are sold on underground forums,
where fraudsters redeem the points for flights or hotel stays
that are later resold at discounted prices. Miles often sell for about a dollar per 1,000 points,
sometimes with full email access included to prevent victims from reclaiming their accounts.
Major airlines such as United, American Airlines, and Delta are common targets,
and loyalty fraud is estimated to cost the travel industry between $1 and $3 billion annually.
Turning to our Monday business breakdown, several cybersecurity startups have secured major funding rounds
as investor interest in AI-driven security platforms continues to grow.
Armadin, an AI-powered red-teaming startup founded by Kevin Mandia, launched with $190 million
in funding led by Accel, with Mandia serving as CEO.
Kai emerged from stealth with $125 million
for its AI platform designed to secure IT and operational technology environments.
Israeli data loss prevention startup Jazz raised $61 million,
while sovereign security operations platform Silake launched with $45 million in seed funding.
Other notable raises include Reclaim Security with $26 million,
Evervault with $25 million, Scanner at $22 million, Escape with $18 million,
and Circadence with $16.4 million.
Additional early-stage investments went to Gala, Intelligrc, Quantro Security, and M-proof.
The industry also saw major deal activity.
Google completed its $32 billion acquisition of cloud security firm Wiz.
OpenAI announced plans to acquire AI security platform Promptfoo,
and Quantum eMotion acquired Secure Key Tense technology assets to expand its quantum-resilient cybersecurity stack.
We have a much more detailed rundown of all the business news over on our website in our
CyberWire Pro Business Briefing.
Coming up after the break, Tim Starks from CyberScoop unpacks the Stryker attack and the nebulous
nature of Iranian cyber activity, and AI playmates puzzle preschoolers.
Stay with us.
No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect
proof of security before they'll even do business. That's where Vanta comes in. Vanta automates
your compliance process and brings compliance, risk, and customer trust together on one AI-powered
platform. So whether you're getting ready for a SOC2 or managing an enterprise governance risk and
compliance program, Vanta helps keep you secure and keeps your deals moving.
Companies like Ramp and Writer spend 82% less time on audits with Vanta.
That means less time chasing paperwork and more time focused on growth.
For me, it comes down to this.
Over 10,000 companies from startups to large enterprises,
trust Vanta to help prove their security.
Get started at vanta.com slash cyber.
Joining me once again is Tim Starks.
He is a senior reporter with CyberScoop. Tim, great to have you back.
Hi, Dave.
I want to focus on this article that I believe you co-wrote with your CyberScoop colleague, Drew F. Lawrence.
And this is looking at the recent Stryker attack from Iran or attributed to Iran.
Really more about what that means in the broader context here.
Let's start with Stryker. What happened to them?
Yeah, and I'll point out that an Iranian group called Handala has taken credit for that, and the analysts I've spoken to believe that they are in fact responsible.
So Stryker is a large med tech company, is one way to say it.
They make a lot of medical devices, especially those focused on communications,
that are really fundamental to a lot of hospital and emergency worker activity.
They also have defense department contracts.
They're a big company, and they're based in Michigan, and they were hacked.
And with a wiper technology, which is an interesting development,
that basically put the company, in terms of at least its internal communications,
but there are some reports that maybe it's put beyond that, on its knees.
They just basically didn't have phones that could work.
And this was really the first attack in cyberspace since the conflict started with the U.S. and Israel
that we could say was a success, a qualified success, but still a success.
It was a pretty important target and did meaningful damage.
And if you're trying to send a message, it was the kind of target you would want to hit.
And to be clear here, it seems as though the damage is the point, like they weren't asking for ransom or anything like that.
Exactly right. Yeah, they're trying to inflict damage.
It's a group that, for the most part, has focused on Israel to date, using these kinds of wiper technologies there.
So maybe a little different to see it hit a big U.S. target.
Well, help us understand the context here.
I mean, how does this all fit into the comparative capabilities of Iran versus the team of U.S. and Israel?
Iran is a power in cyberspace, but they are not comparable, I don't think, to the U.S. or Israel.
I think they'd probably be behind Russia and China as well.
They'd be in that next tier.
And I think that there were a lot of warnings.
You know, one of the reasons we did this story is because my inbox and my editors' inboxes were getting flooded with
warnings about the grave danger of Iranian cyber attacks.
And then, you know, for the first week and a half or so, there really wasn't much.
There was some stuff here and there.
There was an attack on the Albanian parliament's email system.
There were some targeting of cameras in the Middle East nations just before Iranian missiles were fired in their direction.
So it's not that Iran doesn't have capabilities.
It's just that they weren't showing much of them yet.
And I think one of the things that I learned from the story was,
first off, I mean, the internet has been in bad shape in Iran since the conflict started.
Right.
There have been targeted attacks on the leadership of Iranian bodies, the intelligence and military outfits
that are associated with these kinds of cyber attacks.
So they might have been hiding.
They might have been waiting for the internet to be working again.
I think that, you know, the other thing that people brought up to me, at least for the
Stryker attack specifically, is that it did not seem like a sophisticated
targeting of that company.
Some have speculated that because there's a
family of military vehicles called Stryker,
that they might have hit the wrong target.
Maybe they were going after a different target.
That's speculation, certainly,
but it seems like the kind of speculation
that makes a certain amount of sense.
And, you know,
once they saw that they were in
the networks of a company that was U.S.
based and was a big company,
I think they took advantage of that opportunity.
So the context is,
Iran is an actor in cyberspace that I think people are justifiably worried about,
but it has not materialized on a wide scale, certainly, yet, and it may not.
You know, another thing that came up is how much things have changed since the Iran war.
And it's hard to say that these aren't things that might not be happening anyway.
You know, trying to measure the degree to which the war has caused this versus it just being regular activity that has been happening.
And there just happens to be a war happening as well.
well, that's also another part of the context.
The folks that you're talking to, is there any indication of successful blocking of,
let's say, increased activity from Iran?
Yeah, I mean, certainly there are companies saying that's the case, that they
block this or block that. And I, you know,
as reporters, it's always
as reporters, it's always
a delicate balance to strike between
the fact that a lot of the companies that are aware
of the activity also make money off of promoting the fact
that they're aware of the activity.
So it's hard to say
if there's a volumetric way to assess how much more traffic there has been,
one of the people who was an analyst I spoke to said,
we might not know for weeks how much things are different.
But yes, there are companies saying, we block this attack,
or we're blocking it, we're seeing this.
We don't know if the volume has changed specifically because of this kind of war activity that's going on.
So to what degree do you suppose folks should take all of these warnings that we're seeing serious?
I mean, how serious is this threat?
I would say it's real, but I wouldn't say it's grave, at least not yet.
I think all the things, you know, one of the other stories I wrote this week was about a top FBI official saying, you know, we hear a lot about AI attacks and they are increasing the threat in a sense that the attacks are happening faster as a result of AI.
But all the same defensive techniques work for all of those kinds of attacks too.
So if you weren't already doing things like multi-factor authentication, well, here's a good excuse to start doing it.
If you're being scared of that particular Iranian-based attack is something that triggers you to do that, good.
But I don't know that anybody should behave all that much differently in cyberspace than they would if they were being good stewards of their own cybersecurity already.
Right.
There's a certain amount of, if you're a small company or a small business in the United States, I don't
think you're probably going to be the target of a massive attack.
You might be the target of a DDoS attack.
You might have your website defaced.
I think that that's that kind of low-level activity is more the kind of thing I think
you could expect to reasonably see that might be different than before.
But that's, again, this is the early days.
I think there's a chance that as this goes on, as it becomes more prolonged, that we
will see more activity.
I can't guarantee it.
I don't want to scare people unnecessarily.
And I certainly think it's viable that we're at the beginning of it.
And there could be significantly more, depending on how things break.
Yeah, I guess if nothing else, it deserves people's attention.
It does.
Yeah, I think it's worth reading and knowing what the threats are,
or at least the potential threats and knowing what has happened versus what is probably overhyped.
Tim Starks is senior reporter at CyberScoop.
Tim, thanks so much for joining us.
Thank you, Dave.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple?
Meet Meter, the company reimagining enterprise networking from the ground up.
Meter builds full-stack zero-trust networks, including hardware, firmware, and software,
all designed to work seamlessly together.
The result?
Fast, reliable, and secure connectivity without the constant patching, vendor-juggling, or hidden costs.
From wired and wireless to routing, switching firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform.
And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles.
Meter even buys back your old infrastructure to make switching effortless.
Transform complexity into simplicity and give your team time to focus on what really matters.
helping your business and customers thrive.
Learn more and book your demo at meter.com slash cyberwire.
That's M-E-T-E-R dot com slash cyberwire.
When cyber threats strike, minutes matter.
Booz Allen brings the same battle-tested expertise
trusted to protect national security
to defend today's leading global organizations.
They safeguard their data, strengthen enterprise resilience,
and mobilize in minutes across energy, health care, financial services, and manufacturing.
Their teams don't just respond.
They anticipate, outthink, and stay ahead of evolving threats.
This is powerful protection for commercial leaders only from Booz Allen.
See how your organization can prepare today at boozallen.com slash commercial.
And finally, researchers at the University of Cambridge are calling for tighter regulation of AI-powered toys for toddlers
after testing how children, aged three to five,
interacted with a chatbot-enabled plush robot named Gabbo.
The toy, which uses an OpenAI voice assistant
and is meant to encourage conversation and imaginative play,
proved to be a less than empathetic playmate.
In practice, Gabbo frequently talked over children,
ignored their interruptions,
and struggled to recognize emotional cues.
When one five-year-old said,
I love you, the toy responded with a reminder to follow its interaction guidelines.
When a three-year-old said, I'm sad, Gabbo cheerfully redirected the conversation.
Researchers warn that responses like these could confuse young children who are still learning
how conversations and emotional feedback work. The team says regulators should start thinking
about psychological safety in toys, not just whether a detachable eye might pose a choking
hazard, because childhood imagination is powerful enough without adding a chatbot that doesn't quite
understand the assignment. And that's the CyberWire. For links to all of today's stories,
check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world
of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
N2K's lead producer is Liz Stokes.
We're mixed by Trey Hester with original music and sound design by Elliot Peltzman.
Our contributing host is Maria Varmazis.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year, make it RSAC 2026.
It's happening March 23rd through the 26th in San Francisco,
bringing together the global security community for four days of expert insights,
hands-on learning, and real innovation.
I'll say this plainly, I never miss this conference.
The ideas and conversations stay with me all year.
Join thousands of practitioners and leaders tackling today's
toughest challenges and shaping what comes next.
Register today at rsaconference.com slash cyberwire26.
I'll see you in San Francisco.
When it comes to mobile application security, good enough is a risk.
A recent survey shows that 72% of organizations reported at least one mobile application
security incident last year, and 92% of responders reported threat levels have increased in
the past two years.
GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience.
Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.
