CyberWire Daily

War hits where it hurts.

25 min
Apr 28, 2026
Summary

CyberWire Daily covers geopolitical supply chain disruptions affecting PCB manufacturing, major cybersecurity threats including Chinese digital repression campaigns and North Korean financially-motivated attacks, and emerging regulatory concerns around telecom vulnerabilities exploited by commercial surveillance vendors. The episode also discusses Supreme Court arguments on geofence searches, cryptocurrency ATM fraud, and a cautionary tale of AI-driven data deletion.

Insights
  • Middle East conflict is creating immediate economic pressure on semiconductor supply chains, with PCB prices rising 40% in one month due to material shortages and surging AI server demand
  • Commercial surveillance vendors are being weaponized to exploit known telecom infrastructure vulnerabilities (SS7 and Diameter), making attribution difficult and affecting targets globally
  • Nation-states and private contractors are scaling digital repression campaigns beyond diaspora activists to international journalists, indicating a shift in targeting scope and sophistication
  • Consumer-level protections are ineffective against infrastructure-level vulnerabilities; regulatory and vendor-level fixes are required but slow to implement
  • AI coding agents operating with high confidence but low verification create catastrophic data loss risks when given destructive permissions without safeguards
Trends
  • Geopolitical conflicts directly impacting commercial supply chains and driving price volatility in critical electronics sectors
  • Outsourced cyber operations enabling nation-states to scale repression campaigns while maintaining plausible deniability
  • Commercial surveillance tools becoming standardized infrastructure for state-sponsored espionage across multiple countries
  • Regulatory bodies (FCC, CISA, Senate) increasing scrutiny of telecom vulnerabilities but facing implementation challenges
  • AI automation creating new failure modes in critical infrastructure when deployed without verification safeguards
  • Cryptocurrency ATMs emerging as primary vector for elder fraud, driving state-level regulatory bans
  • Hardware interface security (HDMI, DisplayPort) becoming recognized attack surface requiring national security-grade protection
  • Supreme Court moving toward warrant requirements for location data collection, signaling privacy-first judicial stance
  • North Korean threat actors diversifying financially-motivated targeting to Web3 and cryptocurrency sectors
  • Deepfake technology being integrated into social engineering attack chains for credential theft at scale
Companies
Rapid7
Episode sponsor offering free Global Cybersecurity Summit on May 12-13 focused on preemptive security and exposure ma...
SABIC
Produces approximately 70% of global high-purity polyphenylene ether resin for PCB manufacturing; Saudi Arabia facili...
Goldman Sachs
Analysts reported PCB price increases of up to 40% between March and April 2026 due to supply chain disruptions
Google
Supported plaintiff in Supreme Court geofence case, warning that past warrants exposed thousands of users' location h...
Citizen Lab
University of Toronto research organization that discovered commercial surveillance vendors exploiting SS7 and Diamet...
ICIJ
International Consortium of Investigative Journalists; identified as target of Chinese Glitter Carp and Sequin Carp t...
Sony UK Technology Centre
Provided manufacturing support for Silent Glass, NCSC-developed HDMI and DisplayPort security device
Goldilocks Labs
Licensed NCSC's Silent Glass plug-in device for protecting HDMI and DisplayPort connections from unauthorized access
Arctic Wolf
Security firm that reported targeted intrusion against North American Web3 company attributed to Blue Noroff (Lazarus...
Medtronic
Medical technology company confirmed cyber intrusion with Shiny Hunters claiming theft of 9+ million records; no pati...
Bitcoin Depot
Cryptocurrency ATM operator sued by regulators for allegedly facilitating scam activity rather than legitimate transa...
CoinFlip
Cryptocurrency ATM operator sued by regulators for allegedly facilitating scam activity rather than legitimate transa...
Athena
Cryptocurrency ATM operator sued by regulators for allegedly facilitating scam activity rather than legitimate transa...
ThreatLocker
Episode sponsor offering zero-trust security platform with misconfigurations detection and compliance visibility
GuardSquare
Episode sponsor providing mobile application security for Android and iOS without compromising performance or user ex...
University of Maryland Cary School of Law
Episode sponsor offering Master of Science in Law graduate degree program designed for cybersecurity professionals
Pocket OS
Company whose production database was deleted by AI coding agent Cursor running Claude Opus, destroying months of cus...
Railway
Infrastructure provider whose design allowed single API call to erase both live data and backups without confirmation
Anthropic
AI company whose Claude Opus 4.6 model was used by Cursor coding agent that deleted Pocket OS production database
People
Dave Bittner
Hosts CyberWire Daily Intel Briefing and conducts interview with Tim Starks on telecom vulnerabilities
Tim Starks
Discusses Citizen Lab research on commercial surveillance vendors exploiting SS7 and Diameter telecom vulnerabilities
Ron Deibert
Citizen Lab researcher quoted discussing complexity of telecom vulnerability exploitation in surveillance campaigns
Ron Wyden
Has been requesting information from CISA since 2022 regarding SS7 and Diameter telecom vulnerabilities
Jared Crane
Published post-mortem on AI coding agent deleting production database and all backups in nine seconds
Quotes
"Conflict in the Middle East has disrupted supplies of key raw materials used to manufacture printed circuit boards, driving sharp price increases across the electronic sector."
Dave Bittner, opening segment
"This is the off-the-book stuff. This is the stuff that is not authorized. This is the stuff that is not controlled by the U.S. government that this Citizen Lab stuff has found out about."
Tim Starks, telecom vulnerabilities discussion
"This is pretty much not something that consumers have control over, which makes it a little scarier in a certain way, right? There's not a lot of like, oh, I'll just set up some multi-factor authentication, and I'm good."
Tim Starks, consumer protection discussion
"Automation moves fast, especially when it's confidently wrong."
Dave Bittner, Pocket OS AI deletion segment
"The AI reportedly confessed it guessed instead of verifying, skipped documentation and ran a destructive command anyway."
Dave Bittner, Pocket OS AI deletion segment
Full Transcript
You're listening to the Cyber Wire Network, powered by N2K. Today's sponsor, Rapid7, has an irresistible invitation for you CISOs and security practitioners out there. A free two-day virtual summit. The subject? Preemptive Security. Join the Global Cybersecurity Summit on May 12th and 13th from wherever you like. A-list speakers will show you how organizations are disrupting attacks before they can blowtorch your day. You'll see how exposure management, MDR, and AI together let you make the decisive move. Registration is open at rapid7.brighttalk.com. Conflict in the Middle East disrupts the circuit board supply chain. The Supreme Court considers arguments on geofence searches. A new report highlights Chinese digital transnational repression. The NCSC protects HDMI and DisplayPort links. Tennessee bans cryptocurrency ATMs. Researchers expose a financially motivated subgroup of North Korea's Lazarus Group. Medtronic confirms a Shiny Hunters data breach. Tim Starks from CyberScoop discusses telecom vulnerabilities. And a helpful AI deletes everything. It's Tuesday, April 26, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us. Conflict in the Middle East has disrupted supplies of key raw materials used to manufacture printed circuit boards, driving sharp price increases across the electronic sector. Strikes on Saudi Arabia's petrochemical complex halted production of high-purity polyphenylene ether resin, a critical PCB laminate input largely supplied by SABIC, which produces about 70 percent of global supply. Shipping disruptions in the Gulf have further tightened availability. At the same time, demand for PCBs has surged due to expanding AI server production, pushing prices up as much as 40 percent between March and April, according to analysts at Goldman Sachs. Additional shortages of copper foil, glass fiber, and epoxy resin have compounded pressures. 
Manufacturers are now renegotiating prices with customers as lead times stretch and material costs continue rising. Meanwhile, a hacking group linked to Iran's Ministry of Intelligence, known as Handala Hack Team, claimed it leaked personal data of just under 2,400 U.S. Marines in the Persian Gulf and threatened further exposure. The group said it holds detailed information on families, locations, and activities and warned personnel they could be targeted by drones and missiles. It also signaled plans to release U.S. Navy data. Yesterday, during oral arguments in Chatrie v. United States, the Supreme Court signaled it is likely to rule that police geofence searches of cell phone location data qualify as Fourth Amendment searches and therefore require warrants. The case centers on whether law enforcement can request data identifying all devices near a crime scene without probable cause. Several justices expressed concern about the breadth of such searches, suggesting warrants should be narrowly tailored. The discussion crossed ideological lines, with both conservative and liberal justices questioning the government's position. Privacy advocates view the likely outcome as significant, since a ruling against warrant requirements could have enabled broader reverse searches, including keyword-based requests. Google supported the plaintiff, warning that past geofence warrants have exposed thousands of users' location histories. While the court appears unlikely to ban the practice entirely, it seems poised to impose constitutional limits on how location data can be collected. We'll be having a detailed discussion of the Supreme Court case on this week's Caveat podcast. That drops on Thursday. Do check it out. Citizen Lab and ICIJ identified two China-aligned threat actors targeting diaspora activists and journalists through digital transnational repression. 
Glitter Carp used phishing, fake security alerts, impersonation, and tracking pixels against Uyghur, Tibetan, Taiwanese, and Hong Kong activists, as well as ICIJ members. Its goal appeared to be stealing email credentials for possible follow-on access. Sequin Carp focused on journalists, including ICIJ's Skila Alicia, using fabricated or co-opted personas and zero-auth consent phishing, which can grant persistent Gmail access without stealing a password. Citizen Lab assesses with high confidence that both actors are affiliated with the Chinese government and with medium confidence that private contractors may be involved. The report argues these campaigns show how outsourced cyber operations can scale repression, undermine trust among civil society groups, and expand targeting from diaspora communities to journalists investigating China's overseas repression. The UK's National Cyber Security Centre has launched Silent Glass, a plug-in device that protects HDMI and DisplayPort links between computers and monitors. Developed through NCSC-led research and licensed to Goldilocks Labs, with manufacturing support from Sony UK Technology Centre, the device inspects traffic passing through display connections and blocks suspicious or unauthorized activity. NCSC says monitors can expose sensitive information and may create overlooked pathways into larger systems, especially where physical access, supply chain risk, or third-party maintenance are factors. Silent Glass is designed for simple, affordable deployment across government and business environments. Its commercialization marks a broader shift towards protecting hardware interfaces, not just software and networks, and brings national security-grade research into wider commercial use. Tennessee has passed a law banning cryptocurrency ATMs starting July 1st, citing their growing role in fraud schemes targeting vulnerable residents. 
The state follows Indiana in restricting the kiosks, while similar legislation is advancing in Minnesota. Law enforcement officials say scammers commonly use crypto ATMs in government impersonation, tech support, romance, and pig-butchering scams, urging victims to deposit cash that is quickly converted to Bitcoin and transferred to criminal wallets. According to the FBI, over 13,000 complaints in 2025 involved $389 million in losses tied to crypto ATMs, with most victims over age 60. Regulators have also sued major operators, including Bitcoin Depot, CoinFlip, and Athena, alleging the machines frequently facilitate scam activity rather than legitimate transactions. Arctic Wolf reports a targeted intrusion against a North American Web3 company attributed with high confidence to Blue Noroff, a financially motivated subgroup of North Korea's Lazarus Group. The attackers impersonated a fintech legal expert and sent a spearphishing Calendly invite with a typo-squatted Zoom link. The fake meeting interface covertly captured webcam footage and deployed clipboard injection malware, enabling rapid credential theft focused on cryptocurrency wallet extensions. The compromise progressed from initial click to full system access in under five minutes. Investigators identified more than 100 additional global targets across 20 countries, many in crypto and investment roles, with CEOs and founders heavily represented. Analysis also revealed infrastructure supporting typo-squatted domains and a pipeline combining stolen webcam footage with AI-generated images to create convincing deepfake meeting lures for future attacks. Medical technology company Medtronic confirmed a cyber intrusion after the Shiny Hunters group claimed it stole more than 9 million records and corporate data. The company said there's no evidence the incident affected products, patient safety, manufacturing, or hospital customer networks, which remain separately managed. 
Medtronic has not confirmed data theft, but is investigating whether personal information was accessed. Shiny Hunters later removed Medtronic from its leak site after issuing a ransom deadline, suggesting a possible payment, though this remains unconfirmed. Coming up after the break, Tim Starks from CyberScoop discusses telecom vulnerabilities. Stay with us. Thank you. against configurations, you get real assurance that your environment is free of misconfigurations and clear visibility into whether you meet compliance standards. ThreatLocker is the simplest way to enforce zero-trust principles without the operational pain. It's powerful protection that gives CISOs real visibility, real control, and real peace of mind. ThreatLocker makes zero-trust attainable, even for small security teams. See why thousands of organizations choose ThreatLocker to minimize alert fatigue, stop ransomware at the source, and regain control over their environments. Schedule your demo at threatlocker.com slash n2k today. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of responders reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry security for your Android and iOS apps at www.guardsquare.com. It's always my pleasure to welcome back to the show Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back. Dave, you say it's always my pleasure, but it's my pleasure. It's a mutual pleasure, isn't it? All right. It's a very mutual pleasure. Let's let you know on the throne, Dave. I don't know what to make of that. But let's talk about the story that you recently wrote and published here. 
This is titled, Surveillance Campaigns Use Commercial Surveillance Tools to Exploit Long-Known Telecom Vulnerabilities. That sounds a bit foreboding. Can you unpack what you've discovered here, Tim? Yes. So I'll just say credit to the discoverers-in-chief on this, which are Citizen Lab, the University of Toronto outfit that does a lot of deep work on spyware and commercial surveillance vendors that might not just be spyware. So what they found, do you remember SS7, Dave? It's been a while. So Signaling System 7 was this vulnerability, kind of vulnerability that people were worried about a while back, years ago, related to just the protocols sent through the telecom system and how those signals are routed. That was a 3G mainly problem. There's a new system for 4G and most of 5G called Diameter. There are worries about that being secure as well. And so what Citizen Lab found here was the first occasion of attackers that linked the vulnerabilities of Diameter and SS7 to a commercial surveillance vendor. And they found it being routed worldwide through two campaigns. What's interesting about this is that the nature of the telecom system made it hard for them to figure out who was doing this and what vendor they were using. So help us understand exactly what's going on here. What's the exploit? With these kinds of vulnerabilities, what you're talking about is someone intercepting information from phones, going into the infrastructure, and then being able to track a target. So it's a surveillance campaign. And anybody who basically has a phone could be vulnerable to this, right? The way this infrastructure works is pretty Byzantine. What they found is that there were countries worldwide where this was happening, from the UK to China to Mozambique. Now, I will say that some of the companies whose infrastructure they found being exploited here say, we can't verify this. This is not necessarily something we are confirming or agreeing with. 
So there is some ambiguity here about this. But even the researchers, talking to Ron Deibert over there, this was something that was a little... elaborate and hard for them to get into. But it involves text messages, it involves getting into the system and pretending to be the system, and therefore being able to do a lot after that. And who do we seem to be targeting here? I mean, is this a nation-state espionage kind of thing, or is this the kind of thing that anybody can go out and hire this company to put a bullseye on somebody's back? It could be a nation state. They talked about the typhoons, the Chinese hacking groups that have that Microsoft name of X Typhoon, whatever the typhoon may be. But it could also be the kinds of nation states that rely on these commercial surveillance vendors. Israel is an area, one of the main communications providers that was affected by this was Israel. And Israel is a real hotbed for spyware companies. You know, name them. And they probably got an Israel connection. So that's another mystery, right? Is who's doing this and who are they doing it for? But it could be just about anybody. There was an unrelated story that I didn't mention that was out this past week in The Guardian with the UK saying that they believe that there are 100 countries that have access to spyware vendors that could get into the UK's infrastructure. So the realm of possibilities here is really large. And one of the researchers made a comment to another publication that said, you know, that these two surveillance campaigns are the ones we found. There could be so many more like this. Your reporting points out that Senator Wyden from Oregon is looking into this and has asked CISA for some information? Yeah, he's been asking for information from CISA on this for, I think, going back to at least 2022. And the Sean Plankey CISA nomination that fell apart, one of the reasons that it was being held up was over Ron Wyden wanting this report. 
And he wants to know more about the telecom vulnerabilities that are out there, particularly related to SS7 and Diameter. The FCC also has concerns about these things, or at least they did. In 2024, they said they were opening a probe into these vulnerabilities. I do not know the status of that under this administration. So it's something that people have been worried about for a while, but this is something that maybe should give them a little additional worry. Yeah. It's such a weird space. Like I remember years ago digging into the Stingray devices. Yeah. Yeah. And one of the things I learned just talking to folks from the FCC on background was that the FCC is very deferential to law enforcement when it comes to those sorts of devices. And I would have thought that anything that spoofs a cell phone tower would be verboten, but not necessarily the case. Yeah, and there's some legal issues around that, right? You know, we're going to get a Supreme Court argument about what kinds of surveillance the federal government can do on things like this, particularly related to cell phone records. And the Supreme Court has ruled on some of this in the past as it relates to cell site location information. And I've got the acronym right. It's a fertile ground for attackers. It's a fertile ground for the government to get information about us. But this is the off-the-book stuff. This is the stuff that is not authorized. This is the stuff that is not controlled by the U.S. government that this Citizen Lab stuff has found out about. Is there anything to be done here by mere consumers, or is this the kind of thing where we're going to have to wait for some scrutiny from folks like the FCC? This is pretty much not something that consumers have control over, which makes it a little scarier in a certain way, right? There's not a lot of like, oh, I'll just set up some multi-factor authentication, and I'm good. 
These are vulnerabilities that are in the system that would require regulators or the companies themselves to take action. And it's hard for them to take action on this because we're talking about sort of backbone-like infrastructure. So anything that they did would have to be deep, deep fixes. Diameter was supposed to be a little more secure than this, but it turns out maybe not as secure as it should have been. Right. Ostensibly more secure than SS7, not fixed when they said, okay, we're going to build in some more security into this. Well, they didn't build it in quite enough, it seems. Yeah. I feel like so many of the stories that you and other folks write include the phrase, turns out. Yeah. It usually turns it out a lot. You know, it's funny. One of the things that when government and people in the industry talk about, like, oh, 90% of attacks could be defended against if we just did basic cyber hygiene, things like multi-factor authentication, keeping up-to-date passwords, patching, that basic stuff is not what this is about. Right, right. Tim Starks is senior reporter at CyberScoop. We will have a link to his recording in our show notes. Tim, thanks so much for joining us. Thank you, Dave. And now a word from our sponsor, the Center for Cyber Health and Hazard Strategies, also known as CHHS. Looking for a graduate degree that will give you an edge on your professional career? Earn a Master of Science in Law at University of Maryland Cary School of Law. This part-time, two-year online graduate degree program is designed for experienced professionals to understand laws and policies that impact your industry. Learn from CHHS faculty who are experts in their field. No GRE required. Learn how you can master the law without a JD at law.umaryland.edu. And finally, founder of Pocket OS, Jared Crane, says his company's production database vanished in just nine seconds after an AI coding agent, Cursor, running Anthropic's Claude Opus 4.6, tried to help. 
Assigned a routine staging task, the agent instead deleted a shared cloud volume, along with every backup stored on it. When asked why, the AI reportedly confessed it guessed instead of verifying, skipped documentation and ran a destructive command anyway. A refreshingly honest post-mortem for software. Crane places much of the blame on Railway's infrastructure design, which allowed a single API call to erase both live data and backups without confirmation. The result wiped months of customer records, leaving staff reconstructing bookings from payment histories and emails. A three-month-old backup survived, but the rest required manual recovery. The episode offers a modern lesson. Automation moves fast, especially when it's confidently wrong. Thank you. app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com. N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Thank you.