Cybersecurity Today

Cyber Weapon in Toronto, Grid Attack, Stuxnet Lie Exposed

16 min
Apr 27, 2026
Summary

This episode covers three major cybersecurity incidents: Canada's first SMS blaster attack in Toronto targeting thousands of mobile users, a cyberattack on critical infrastructure provider ITRON, and the revelation that a 2005 malware called Fast16 predates Stuxnet as the first cyber weapon. Additionally, the episode details the LotusWiper attack on Venezuela's state oil company PDVSA in December 2025.

Insights
  • SMS blasters represent an emerging threat in Canada that bypasses carrier security by forcing phones onto 2G networks, requiring unprecedented cross-carrier cooperation to detect and locate
  • Critical infrastructure providers are increasingly targeted by state-affiliated actors, with Iranian-linked hackers actively probing U.S. utilities, water systems, and energy companies
  • The historical narrative of Stuxnet as the first cyber weapon is incorrect; Fast16, discovered in 2005, predates it by five years and employed sophisticated techniques like Lua scripting engines later seen in state-grade tools
  • Wiper malware represents a distinct destructive threat category that erases evidence and data rather than stealing it, with precision targeting capabilities demonstrated in the PDVSA attack
  • Geopolitical conflicts increasingly manifest through destructive cyber operations targeting critical infrastructure, with Venezuela's energy sector serving as a case study in cascading operational failures
Trends
  • Rise of portable cyber weapons (SMS blasters, wipers) accessible beyond elite state actors
  • Cross-sector intelligence sharing between competing telecom carriers to combat cyber threats
  • State-sponsored targeting of critical infrastructure during geopolitical conflicts and regime change operations
  • Destructive malware (wipers) replacing ransomware as preferred attack vector for maximum operational disruption
  • Rewriting of cybersecurity history revealing earlier state-grade cyber weapons than previously documented
  • Operational technology (OT) systems becoming primary targets in critical infrastructure attacks
  • AI-powered hacking tools proliferating globally, democratizing advanced cyber attack capabilities
  • Emergency services vulnerability during mobile network disruptions caused by rogue cell towers
  • Precision-targeted malware with hard-coded domain restrictions indicating surgical attack planning
  • Cascading failures in critical infrastructure when IT and OT systems are compromised simultaneously
Topics
  • SMS Blaster Technology and 2G Network Exploitation
  • Critical Infrastructure Cybersecurity
  • Cross-Carrier Threat Intelligence Sharing
  • State-Sponsored Cyber Attacks on Utilities
  • Cyber Weapon History and Attribution
  • Destructive Malware (Wiper Attacks)
  • Operational Technology (OT) Security
  • Iranian-Linked Threat Groups
  • Venezuelan Energy Sector Attacks
  • Rogue Cell Tower Detection and Response
  • Emergency Services Disruption Risks
  • Malware Forensics and Code Analysis
  • Geopolitical Cyber Operations
  • Lua Scripting in Malware Development
  • Incident Response Coordination with Law Enforcement
Companies
ITRON
Washington-based critical infrastructure IT provider managing 40M+ smart meters; disclosed cyberattack on April 13, 2025
TELUS
Canadian telecom carrier whose customer flagged suspicious SMS that led to discovery of SMS blaster device in Toronto
Bell Canada
Major Canadian wireless carrier that provided real-time data to locate SMS blaster across Greater Toronto Area
Kaspersky
Russian cybersecurity firm that published report detailing LotusWiper malware used in PDVSA attack in Venezuela
SentinelOne
Cybersecurity researchers who unveiled the Fast16 malware at Black Hat Asia, predating Stuxnet by five years
PDVSA
Venezuela's state oil company, targeted by the LotusWiper attack in December 2025; operations disrupted for months
Meter
Networking infrastructure provider offering integrated wired, wireless, and cellular solutions for enterprises
People
David Shipley
Host of the Cybersecurity Today podcast presenting the episode's cybersecurity news stories
Kerry Frey
TELUS CSO who suspected SMS blaster when customer-reported suspicious texts didn't appear in network logs
Nicholas Pant
Bell Canada CISO quoted on telecom sector collaboration with law enforcement to combat airwave abuse
Kim Zetter
Investigative journalist whose reporting documented U.S. cyber operations against Venezuela during Trump administration
Quotes
"Competitors sharing data to protect customers. The telecom sector also flagged the incident to the Innovation, Science and Economic Development Canada Department."
David Shipley~8:00
"State-grade cyber-sabotage tooling aimed at the physical world was already operational in the mid-2000s. We just didn't know it was there."
David Shipley~20:00
"A wiper just wants to erase. LotusWiper overwrites data on hard drives, deletes backups, scrubs system files, and clears the logs that would normally record its activity."
David Shipley~25:00
"The investigation showed how the telecom sector joins forces together and with law enforcement along with government to push back on criminals abusing the airwaves."
Nicholas Pant~7:30
Full Transcript
Cybersecurity Today would like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless, and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com slash CST.

Criminals deploy a text message blaster for the first time ever in Canada. A major critical infrastructure supplier responds to a cyber attack. History rewritten: Stuxnet was not the first cyber weapon. And the cyber weapon behind the PDVSA attack in Venezuela revealed. This is Cybersecurity Today, and I'm your host, David Shipley. Let's get started.

Somewhere in downtown Toronto, Canada last fall, a car was driving around with a cyberweapon in the trunk. It fired text messages, tens of thousands of them, straight onto the phones of anyone it drove past. Last Thursday, Toronto police announced charges against three men alleging they were using what's known as an SMS blaster. And according to the Globe and Mail, this is the first ever detected use of an SMS blaster on Canadian soil. The trio face 44 charges in total, including fraud and mischief. An SMS blaster is a portable rogue cell tower. It's a radio, battery, and laptop, small enough to run from the back of a car or even a backpack. It can be driven around a busy area, and it tricks nearby phones into connecting to it instead of real wireless networks. Mobile phones are designed to grab the strongest signals they can find. The blaster shouts louder than legitimate towers, forcing nearby phones onto an older 2G connection, and then floods them with scam texts. Fake bank alerts, fake delivery notices, the usual fraud playbook, all pointing to phishing sites built to swipe credentials or steal financial information. Because these texts never touch a carrier's network, carrier filters don't stop them.
Toronto police say tens of thousands of devices connected to this blaster over several months, and they identified more than 13 million network disruptions, moments where phones couldn't properly connect to a legitimate tower. That's not just a fraud problem. During those moments, calls to emergency services could also have been affected. The investigation started back in November when a TELUS customer flagged a suspicious text. TELUS Chief Security Officer Kerry Frey, who some of you might remember joined us earlier this year, couldn't find those messages anywhere in the network logs. That was the tell. He suspected an SMS blaster, and he was right. Thanks to cross-carrier cooperation with police, the full picture emerged. The suspects were running the device out of a vehicle, moving it across the Greater Toronto Area, which meant no single telecom could track it alone. Locating the blaster required real-time data from all of Canada's major wireless carriers, working together. Nicholas Pant, Chief Information Security Officer at Bell Canada, told the Globe and Mail that "the investigation showed how the telecom sector joins forces together and with law enforcement along with government to push back on criminals abusing the airwaves." That's a model worth celebrating and paying attention to. Competitors sharing data to protect customers. The telecom sector also flagged the incident to the Innovation, Science and Economic Development Canada Department. That's the federal agency responsible for policing Canada's airwaves. These devices have shown up in the UK and New Zealand before now. They can also surveil calls, push malware, and interfere with emergency response. This time, the focus was just on fraud.

From the story of Canada's first SMS blaster case, we now turn to an attack on a major critical infrastructure technology provider. A U.S.-based critical infrastructure IT provider has disclosed it was hit with a cyberattack.
And the good news is, the impact was limited. The company is Washington-based ITRON. You may not have heard the name, but their technology sits in the background for a lot of people's daily lives. ITRON makes products for managing electricity grids, water systems, and natural gas networks. They have 100 customers, and as of 2025, more than 40 million smart electricity meters deployed. In an SEC filing last week, ITRON disclosed that on April 13th, an unauthorized third party got into their internal systems. The company activated its incident response plan, called in outside advisors, and notified law enforcement. They say the intrusion was blocked, business operations were not materially disrupted, and unauthorized activity did not extend to customer environments. The attack comes amidst the ongoing conflict between the United States, Israel, and Iran. On April 7, CISA, the FBI, and the National Security Agency, along with the U.S. Department of Energy, issued a joint advisory warning that Iranian-affiliated hackers have been actively targeting American critical infrastructure: water utilities, energy companies, and local governments. The advisory says some of those intrusions have caused operational disruptions and financial loss. No group has claimed responsibility for the ITRON attack, and there's no public attribution yet. The company says the investigation is still ongoing, and in this current environment, every utility is likely going to be paying close attention to the follow-up.

A key story in cybersecurity history has just been rewritten. For 16 years, we've had a tidy origin story for the era of digital weapons. Stuxnet, discovered in 2010, was thought to be the first true cyber weapon. The first piece of code built to break things in the physical world. The worm that tore apart Iran's nuclear centrifuges. Everything else came after. That story, it seems, is wrong. Or at least, incomplete.
Last week at Black Hat Asia, researchers from SentinelOne unveiled a piece of malware they're calling Fast16. It was compiled on August 30, 2005, five years before Stuxnet was caught, and a few months before Stuxnet's command infrastructure was even set up. Fast16 wasn't just earlier. It had a different philosophy of sabotage entirely. Stuxnet spun centrifuges past the breaking point at Iran's Natanz facility, tearing them apart. Fast16 had no interest in breaking things. It went after the math. Specifically, it targeted high-precision engineering simulation software. The malware would quietly hook into these programs and introduce small, systemic errors into calculations. SentinelOne researchers describe it as a tool that could undermine or slow scientific research programs, degrade engineered systems over time, or even contribute to catastrophic damage. Fast16 was technically remarkable for its time. It is now the first known Windows malware to embed a Lua scripting engine. That's a trick that later became a signature of state-grade tools like Flame. It used what the researchers describe as a cluster munition kind of architecture: one carrier program that could deliver different payloads, called wormlets, each tuned for a different mission. The forensic breadcrumb that cracked it came from the 2017 Shadow Brokers leak, the trove of tools allegedly stolen from the U.S. National Security Agency. Buried in one of those files was a reference to a driver named Fast16 with the operator note, "Nothing to see here. Carry on." Researchers found that exact string inside the malware. State-grade cyber-sabotage tooling aimed at the physical world was already operational in the mid-2000s. We just didn't know it was there. We thought Stuxnet was the beginning. Now, we know it wasn't.

We close today by staying on the theme of geopolitics and critical infrastructure. But we move from the Middle East to the Caribbean.
Russian cybersecurity firm Kaspersky published a report last week detailing malware used in a destructive attack on Venezuela's energy and utility sector in December 2025. The weapon was a previously unknown piece of malware called LotusWiper. It was not a ransomware operation. Where most malware wants to take something, data, money, access, a wiper just wants to erase. LotusWiper overwrites data on hard drives, deletes backups, scrubs system files, and clears the logs that would normally record its activity. A digital salting of the earth. Kaspersky stopped short of naming the target. But independent researchers picked apart the code and found something striking. The domain pdvsa.com, that's Venezuela's state oil company, hard-coded into the wiper's trigger scripts. The hard-coding was a guardrail. If the malware ended up on a machine outside of PDVSA's domain, it wouldn't fire. This was a precision weapon configured for one target. The wiper code was compiled in late September 2025. The wiper files were uploaded to a malware repository from a computer in Venezuela on December 14th, the day after the PDVSA attack. Kaspersky has not formally tied LotusWiper to the PDVSA incident, but the timing and the hard-coded domain make the connection. PDVSA initially played the attack down, saying only administrative systems were hit. But subsequent reporting from Bloomberg told a different story. A month after the attack, the company still didn't have working systems. Employees were running operations on WhatsApp, Telegram, and handwritten notes. Salaries weren't being paid on time, and critically, Bloomberg reported the attack had reached the SCADA systems that run processes inside refineries, compression plants, and pipelines. That's the operational or OT side of the house, the actual industrial controls. A wiper attack that reaches the OT environment is fundamentally different than one that just stays in corporate IT. PDVSA blamed the attack on the United States.
It happened just weeks before US forces invaded Venezuela in January and removed Nicolas Maduro from power. There is no public evidence linking the malware to the U.S. government, but there are precedents. Reporting from Kim Zetter at Zero Day catalogues a string of U.S. cyber operations against Venezuela during the first Trump administration: the CIA hacking of the Venezuelan military's payroll system in 2019 to undermine confidence in Maduro; the CIA disabling the computer network of Venezuela's intelligence service; and U.S. Cyber Command going after the satellite communications of the Wagner Group while it operated inside Venezuela. And in the days around the January 2026 raid that captured Maduro, both President Trump and a senior military official made statements that seemed to imply the U.S. had used a cyber attack to black out parts of Caracas, though no technical evidence of that attack has surfaced yet. The history of modern critical infrastructure hacking is being rewritten, and as we're seeing in some cases, rewritten almost daily. And with more advanced AI hacking tools proliferating around the world, the days when destructive attacks are solely the domain of elite government hacking teams are likely numbered.

That's Cybersecurity Today for Monday, April 27th, 2026. Thanks for listening, and thank you to those who sent in feedback on Friday's special episode, Diving into the Recent for Cell Hack. If you haven't given it a listen, I highly recommend it. A special thank you to everyone who's left a rating or review on their favorite podcast platform. We really appreciate it, and it truly helps more people find the show. On Sunday, Cybersecurity Today was in the top 10 Apple Tech News podcast charts in Italy, Colombia, and the Philippines for the first time. That was awesome to see. I'll be back on the news desk on Wednesday with the latest headlines. We'd like to thank Meter for their support in bringing you this podcast.
Meter delivers full-stack networking infrastructure, wired, wireless, and cellular, to leading enterprises. Working with their partners, Meter designs, deploys, and manages everything required to get performant, reliable, and secure connectivity in a space. They design the hardware, the firmware, build the software, manage deployments, and run support. It's a single integrated solution that scales from branch offices, warehouses and large campuses to data centers. Book a demo at meter.com slash CST. That's M-E-T-E-R dot com slash CST.
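Tying back to the LotusWiper segment of the transcript: the episode lists four behaviours of the wiper (overwriting data, deleting backups, scrubbing system files, clearing logs), each of which also happens routinely on healthy systems, so the defensive signal is several of them landing on one host in a short window. The script below is an added example, not code from the podcast or from Kaspersky's report; the log format, field names, event categories and the sample log lines are all constructed for the demonstration, and real EDR or SIEM telemetry will use different names.

```python
"""Toy correlation rule for wiper-style activity.

Added example, not code from the podcast or from Kaspersky's report.
The log format, field names and event categories are assumptions made
for this demonstration; real telemetry (EDR, Sysmon, syslog) differs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The four behaviours the episode attributes to LotusWiper, mapped to the
# (assumed) event names a collector might emit for them.
WIPER_STAGES = {
    "backup_delete": "deletes backups",
    "system_file_scrub": "scrubs system files",
    "log_clear": "clears logs",
    "bulk_overwrite": "overwrites data on disk",
}

# Constructed sample log: "<ISO time> <host> <event> <detail>".
# fs-01 shows all four stages inside five minutes; ws-22 shows the same
# event types hours apart as ordinary admin work; db-07 is benign.
SAMPLE_LOG = """\
2025-12-13T02:10:05 fs-01 file_write /data/reports/q3.xlsx
2025-12-13T02:11:40 fs-01 backup_delete snapshot set removed
2025-12-13T02:12:02 fs-01 bulk_overwrite 4180 files rewritten in /data
2025-12-13T02:13:55 fs-01 log_clear security audit log emptied
2025-12-13T02:14:10 fs-01 system_file_scrub boot config removed
2025-12-13T03:30:00 ws-22 backup_delete old snapshot rotated by schedule
2025-12-13T09:45:00 ws-22 log_clear admin rotated logs
2025-12-13T02:20:00 db-07 file_write /var/lib/db/wal-0001
"""


def parse_log(text):
    """Split each line into (timestamp, host, event, detail)."""
    events = []
    for line in text.splitlines():
        ts, host, event, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, event, detail))
    return events


def detect_wiper_activity(events, window=timedelta(minutes=10), min_stages=2):
    """Return {host: [stages]} for hosts where at least `min_stages`
    distinct wiper stages occur within `window` of one another.

    A single backup deletion or log clear is not an alert; the
    combination, close together, is what distinguishes destruction
    from maintenance.
    """
    per_host = defaultdict(list)
    for ts, host, event, _ in events:
        if event in WIPER_STAGES:
            per_host[host].append((ts, event))

    alerts = {}
    for host, items in per_host.items():
        items.sort()  # events may arrive out of order across hosts
        for i, (start, _) in enumerate(items):
            stages = {e for ts, e in items[i:] if ts - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in detect_wiper_activity(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {', '.join(WIPER_STAGES[s] for s in stages)}")
```

The window and stage threshold are deliberately parameters: a tighter window raises precision against the scheduled-maintenance pattern on ws-22, while a lower threshold catches a wiper that is interrupted before it reaches every stage.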