CyberWire Daily - Wind and solar take a cyber hit.
Episode Date: February 2, 2026

Poland says weak security left parts of its power grid exposed. A Russian-linked hacker alliance threatens Denmark with a promised cyber offensive. Fancy Bear moves fast on a new Microsoft Office flaw, hitting Ukrainian and EU targets. Researchers find a sprawling supply chain attack buried in the ClawdBot AI ecosystem. A new report looks at how threats are shaping the work of journalists and security researchers. A stealthy Windows malware campaign blends Pulsar RAT with Stealerv37. A former Google engineer is convicted of stealing AI trade secrets for China. The latest cybersecurity funding and deal news. On our Afternoon Cyber Tea segment, Microsoft’s Ann Johnson chats with Dr. Lorrie Cranor from Carnegie Mellon about security design. The AI dinosaur that knew too much.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

Afternoon Cyber Tea
Dr. Lorrie Cranor, Director of the CyLab Security and Privacy Institute at Carnegie Mellon University, joins Ann Johnson, Corporate Vice President, Microsoft, on this month's segment of Afternoon Cyber Tea to discuss the critical gap between security design and real-world usability. They explore why security tools often fail users, the ongoing challenges with passwords and passwordless authentication, and how privacy expectations have evolved in an era of constant data collection. You can listen to Ann and Lorrie's full conversation here, and catch new episodes of Afternoon Cyber Tea every other Tuesday on your favorite podcast app.
Selected Reading
Russian hackers breached Polish power grid thanks to bad security, report says (TechCrunch)
Newly Established Russian Hacker Alliance Threatens Denmark (Truesec)
Fancy Bear Exploits Microsoft Office Flaw in Ukraine, EU Cyber-Attacks (Infosecurity Magazine)
Notepad++ Hijacked by State-Sponsored Hackers (Notepad++)
ClawdBot Skills Just Ganked Your Crypto (OpenSource Malware Blog)
Under Pressure: Exploring the effect of legal and criminal threats on security researchers and journalists (DataBreaches.Net)
Windows Malware Uses Pulsar RAT for Live Chats While Stealing Data (Hackread)
U.S. convicts ex-Google engineer for sending AI tech data to China (Bleeping Computer)
Upwind secures $250 million in a Series B round. (N2K Pro Business Briefing)
Don't Buy Internet-Connected Toys For Your Kids (Blackout VPN)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry’s most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Most security conferences talk about Zero Trust.
Zero Trust World puts you inside.
This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory.
You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents.
But Zero Trust World is more than labs.
You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation.
Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful.
You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away.
Join us March 4th through the 6th in Orlando, Florida.
Register now at ZTW.com and take your zero-trust strategy from theory to execution.
Poland says weak security left parts of its power grid exposed. A Russian-linked hacker alliance threatens Denmark with a promised cyber offensive. Fancy Bear moves fast on a new Microsoft Office flaw, hitting Ukrainian and EU targets. Researchers find a sprawling supply chain attack buried in the ClawdBot AI ecosystem. A new report looks at how threats are shaping the work of journalists and security researchers. A stealthy Windows malware campaign blends Pulsar RAT with Stealerv37. A former Google engineer is convicted of stealing AI trade secrets for China. We've got the latest cybersecurity funding and deal news. On our Afternoon Cyber Tea segment, Microsoft's Ann Johnson chats with Dr. Lorrie Cranor from Carnegie Mellon about security design. And the AI dinosaur that knew too much.

It's Monday, February 2, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing. Thanks for joining us here today. It's great as always to have you with us.
A Polish government report says Russian state-linked hackers breached parts of Poland's energy infrastructure by exploiting basic security failures, including default usernames and passwords and the absence of multi-factor authentication. Poland's computer emergency response team, part of the Ministry of Digital Affairs, detailed intrusions late last year affecting wind farms, solar farms, and a heat and power plant. The attackers attempted to deploy destructive wiper malware designed to erase systems and potentially disrupt operations. While the malware was stopped at the heat and power plant, monitoring and control systems at the wind and solar sites were rendered inoperable. Despite the damage, no power outages occurred, and officials said grid stability was never at risk. Earlier reporting by cybersecurity firms linked the incident to Sandworm, but Poland's CERT attributed the attack to the Russian group Berserk Bear, also known as Dragonfly.
Security firm Truesec reports that a newly formed Russian hacker alliance, calling itself the Russian Legion, has threatened Denmark with a large-scale cyber attack dubbed Op Denmark. The group, announced on January 27th, is led by an assortment of hackers who recently carried out a distributed denial of service attack against a Danish public service site. The hackers issued an ultimatum on Telegram demanding Denmark withdraw a planned 1.5 billion DKK military aid package to Ukraine, warning that DDoS attacks were only the beginning. Since then, they've claimed responsibility for multiple DDoS attacks, including against energy sector organizations. Truesec assesses the group as likely state-aligned but not state-funded, and notes that such campaigns often rely on intimidation and disruption rather than escalating to severe cyber-executive damage.
Ukrainian cyber authorities warn that the Russian-linked hacking group Fancy Bear, also known as APT28, is exploiting a recently disclosed Microsoft Office vulnerability to target Ukrainian and European Union organizations. Ukraine's National Computer Emergency Response Team, CERT-UA, reported finding malicious Word documents abusing a high-severity flaw disclosed by Microsoft on January 26th. According to CERT-UA, the vulnerability was exploited in the wild before many users had applied updates. The attack chain involved phishing emails with weaponized documents that triggered external connections, downloaded malicious files, and ultimately deployed the Covenant command and control framework using COM hijacking techniques. Microsoft confirmed active exploitation and urged users to apply updates or restart Office applications. CERT-UA warned that attacks are likely to increase due to patching delays and identified additional EU-focused documents using the same exploit.
The maintainer of Notepad++ says a months-long security incident stemmed from a compromise at its former shared hosting provider, not from vulnerabilities in Notepad++ code itself. According to investigators, attackers intercepted and selectively redirected update traffic for certain users to malicious servers by abusing compromised hosting infrastructure and stolen internal credentials. The activity likely began in June of last year and continued in limited form until early December. Multiple researchers assessed the attacker as likely a Chinese state-sponsored group, citing the highly targeted nature of the campaign. The hosting provider says access to the server ended in September, but leaked credentials allowed traffic manipulation until December. In response, Notepad++ migrated to a new host and strengthened update verification, adding certificate, signature, and XML signing checks. Users are urged to update manually to the latest version.
Researchers have uncovered a large-scale supply chain attack abusing the ClawdBot AI assistant ecosystem, recently renamed Moltbot, where more than 230 malicious skills were published to the official ClawHub registry and GitHub between late January and early February of this year. The skills masqueraded as cryptocurrency trading and automation tools, but relied on social engineering to trick users into running malicious commands or downloading fake authentication tools. Once executed, the malware targeted both macOS and Windows systems, stealing cryptocurrency wallet data, exchange API keys, browser passwords, SSH credentials, and cloud secrets. All malicious skills shared the same command and control infrastructure and showed no evidence of security review before publication. Despite reports to maintainers, most skills reportedly remain online, highlighting serious security gaps in emerging AI skills marketplaces and the growing risk of trust-based supply chain attacks.

A newly published report by a researcher who goes by the name Dissent Doe and journalist Zack Whittaker examines how legal and criminal threats affect security researchers and journalists. In a pilot survey of 112 respondents, 77% said they have been threatened due to their work, while 23% reported no threats. About half reported at least one legal threat, and 69% said they or their employer faced legal action or legal process, often via emails or demand letters. Most consulted a lawyer, and 63% did not retract or change their work. Criminal threats were reported by 39 of 86 respondents, with journalists more likely than researchers to face them. Many threats included violence, but few were deemed credible, and only 41% contacted law enforcement. Still, 44% said fear of threats shaped their choices, showing a chilling effect even when work continued.

Researchers at Point Wild warn of a new Windows malware campaign combining the Pulsar RAT with Stealerv37, designed to steal credentials, cryptocurrency, and gaming accounts. The malware runs entirely in memory, using built-in Windows tools to evade detection and injecting itself into trusted processes. Unusually, attackers can interact with victims through a live chat window while stealing data. The tools enable webcam and microphone access, password theft, clipboard hacking, and broad data harvesting. Stolen information is exfiltrated via Discord and Telegram, highlighting a highly interactive and evasive threat.
A U.S. federal jury has convicted Linwei Ding, a former Google software engineer, of stealing sensitive AI supercomputing trade secrets and sharing them with Chinese technology firms. Prosecutors said Ding exfiltrated more than 2,000 pages of confidential data between 2022 and 2023, including details on Google's AI infrastructure, custom chips, and large-scale orchestration systems. While employed at Google, Ding allegedly maintained undisclosed ties to China-based companies, negotiated a CTO role, and later founded his own AI firm in China. Evidence showed he sought to support China's technological ambitions and applied to a government-backed talent program. Ding also concealed his activities from Google, including his travel to China. After an 11-day trial, he was convicted on multiple counts of economic espionage and trade secret theft, with sentencing pending.
Looking back at last week for our business breakdown, cybersecurity funding and deal activity remained strong, with a mix of large late-stage rounds, early-stage raises, and consolidation across multiple regions. Upwind led the week with a $250 million Series B to expand its cloud security platform across data, AI, and code. Claroty followed with $150 million in new funding, plus $50 million in secondary financing to accelerate global growth in cyber-physical system security. Mid-stage and seed rounds supported firms tackling fraud prevention, AI code security, SOC automation, remote access, remediation, and application security, reflecting continued investor interest in operational security and developer-focused tools. Funding ranged from $37 million Series A rounds to sub-$1 million pre-seed investments. M&A activity also remained active, with acquisitions spanning AI governance, GRC, API security testing, and managed services, underscoring ongoing platform expansion and market consolidation as vendors seek broader integrated security offerings. We have all the details in our weekly business brief, part of CyberWire Pro. You can learn more about that on our website.

Coming up after the break, Microsoft's Ann Johnson and Carnegie Mellon's Dr. Lorrie Cranor discuss security design and the AI dinosaur that knew too much. Stay with us.
Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero-trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter.com slash cyberwire. That's M-E-T-E-R dot com slash cyberwire.
If securing your network feels harder than it should be, you're not imagining it. Modern businesses need strong protection, but they don't always have the time, staff, or patience for complex setups. That's where Nordlayer comes in. Nordlayer is a toggle-ready network security platform built for businesses. It brings VPN, access control, and threat protection together in one place. No hardware, no complicated configuration. You can deploy it in minutes and be up and running in less than 10. It's built on zero-trust principles, so only the right people can get access to the right resources. It works across all major platforms, scales easily as your teams grow, and integrates with what you already use. And now Nordlayer goes even further through its partnership with CrowdStrike, combining Nordlayer's network security with Falcon endpoint protection for small and mid-sized businesses. Enterprise-grade security made manageable. Try Nordlayer risk-free and get up to 22% off yearly plans, plus an extra 10% with the code Cyberwire10. Visit Nordlayer.com slash Cyberwire Daily to learn more.
On today's segment from the Afternoon Cyber Tea podcast, Microsoft's Ann Johnson is joined by Dr. Lorrie Cranor, Director of the CyLab Security and Privacy Institute at Carnegie Mellon University. They're discussing ongoing challenges with passwords and passwordless authentication and how privacy expectations have evolved in an era of constant data collection.
I think in practice, when people are designing security tools, they're focused on security.
And they often don't take the time to think about the users and how the tool would fit into their workflow.
And often the security experts behind the tools are not actually usability or human factors experts.
And so without the security people working in partnership with usability people, we often forget to consider the human and the user.
We haven't really found a great solution that is better than passwords that meets all the criteria that we have.
I think, you know, we want something that is going to be more secure than passwords, easier to use, compatible with a wide range of
different devices, and also, by the way, compatible with all sorts of legacy software.
And it's really hard to find something that meets all of that criteria.
I think in some specific domains, we've been successful.
So I think in the context of mobile phones, the biometrics that are used on a lot of mobile
phones, either face recognition or a fingerprint, are effective in that context.
but it's not effective in contexts that don't have a camera or a fingerprint reader,
and it may not be secure enough for a lot of contexts.
As a cyber professional and also a consumer,
I often think about what the user experience is because I look at it and say,
okay, if this is complex for me,
who ostensibly has been doing this a long time,
you know, what's it like for the average person?
So do you really think passkeys are the things that are going to remove the friction?
Not anytime soon.
I think the concept behind passkeys is good, but they're confusing.
And yeah, I also am confused by them.
If I accept the passkey here and then I want to access this account from another device,
what do I do?
And I often in the passkey process, you know, get confused about where I am and don't
know whether it's succeeded or what's going on.
And so, you know, when my less technically sophisticated friends say, should I use passkeys,
I don't really know what to tell them.
Yes, in theory, they're more secure and it will eventually be easier.
But if you run into problems, I'm not going to be able to help you.
Now that we are in an era where we have pervasive data collection, we have AI-driven systems,
we have people voluntarily putting all of their information out on social media for the world to see.
How do you think about privacy?
Yeah, so I've been doing privacy research for about 25 years.
And I think people's attitudes have shifted some,
but not in the way that it's often characterized.
Like, I often hear the media say things like, you know, young people don't care about privacy
anymore.
Actually, nobody cares about privacy.
Look at all the data.
They give away.
And I don't really think that's true.
So when I started doing research in this area, when you talk to people about various technologies
that were invading their privacy, they actually were quite surprised.
Sometimes they didn't believe that the...
these things were real. I remember talking to people about third-party advertising on the web,
and people said, really, they can do that? That sounds like science fiction. And, you know,
they definitely didn't like it once they heard about it. They said, it sounds like they're following me
behind my back. This is terrible. Are you sure this is really happening? Today, you talk to people
about these sorts of things and even new things that are just barely happening. And people are not
surprised. They're like, yeah, I know. Everybody, everybody can spy on you all the time, and there's
nothing you can do about it. They don't like it. They still would like to protect their privacy,
but they feel powerless to do anything about it. And many of them will say, well, I've really just
given up. I like the convenience of using all these privacy invasive services. And since there's
nothing I can do about it, I've just given in and I use them. What gives you hope that we can finally
bridge the usability gap in cybersecurity?
Well, we have actually seen progress.
When I started working in this area about 25 years ago, there, first of all, was very
little research.
I started looking for usable security papers, and there were like two or three out there.
And I started looking for usable security researchers, and I found a dozen or so people.
and I looked at, well, what companies were actually thinking about this, and there were very few.
And I think today, well, there are thousands of usable security research papers
and at least hundreds, if not thousands of usable security researchers.
And we're seeing that companies are increasingly trying to make some efforts to find more usable security solutions.
There's still a lot of work to be done, but I feel that we actually have made progress.
And things like the encrypted web browsers is a good example of how far we've come.
Be sure to check out the complete Afternoon Cyber Tea podcast wherever you get your favorite podcasts.
Investing is all about the future.
So what do you think is going to happen?
Bitcoin is sort of inevitable at this point.
I think it would come down to precious metals.
I hope we don't go cashless.
I would say land is a safe investment.
Technology companies, solar energy.
Robotic pollinators might be a thing.
A wrestler to face a robot, that will have to happen.
So whatever you think is going to happen in the future, you can invest in it at WealthSimple.
Start now at WealthSimple.com.
And finally, picture a brightly colored internet-connected dinosaur plush, marketed as a friendly AI companion that chats with toddlers, learns their preferences, and promises safe, wholesome conversations. Now, picture that dinosaur quietly dumping its entire memory onto the open web. Security researchers Joseph Thacker and Joel Margolis found that Bondu's AI dinosaur toys exposed more than 50,000 private chat logs to anyone with a Gmail account. No hacking required: just log in and read children's names, birthdays, family details, and every whispered fear or favorite snack shared with a stuffed animal. Thacker stumbled on the flaw within minutes after a neighbor asked if the toy was safe. Bondu took the console offline quickly and said there's no evidence others accessed the data, but the damage was already clear. The company worked hard to stop the dinosaur from saying anything inappropriate, even offering a bounty for bad responses, while leaving the entire conversation database wide open. The takeaway is uncomfortable. An AI toy that remembers everything also exposes everything. Toddlers shouldn't need operational security training to play with a plush dinosaur.
And that's The CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

N2K senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com slash cyberwire26. I'll see you in San Francisco.
