You're listening to the CyberWire Network, powered by N2K.
No, it's not your imagination. Risk and regulation really are ramping up.
And these days, customers expect proof of security before they'll even do business.
That's where Vanta comes in. Vanta automates your compliance process and brings compliance,
risk, and customer trust together on one AI-powered platform.
So whether you're getting ready for a SOC 2 or managing an enterprise governance, risk, and compliance program,
Vanta helps keep you secure and keeps your deals moving.
Companies like Ramp and Riders spend 82% less time on audits with Vanta.
That means less time chasing paperwork and more time focused on growth.
For me, it comes down to this. Over 10,000 companies from startups to large enterprises
trust Vanta to help prove their security. Get started at Vanta.com slash cyber.
Iranian-linked hackers warn of possible irreparable attacks on U.S. water systems.
CISA pushes urgent fixes for a critical Citrix flaw.
The Dutch Finance Ministry takes systems offline after a breach.
The Space Force may scrap next-gen GPS control software.
Attackers exploit a Fortinet server bug.
Lloyds exposes customer transaction data. AI and regulation reshape cyber careers.
The FTC settles with a dating app over data sharing.
Our guest is Sam Rubin, Senior Vice President of Palo Alto Networks Unit 42's Consulting and Threat Intelligence Team.
We're discussing Iran's shift to identity weaponization.
And Wikipedia wrestles with a wayward writer.
It's Tuesday, March 31, 2026.
I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today. It's great as always to have you with us.
Warnings from Iranian-linked hacking groups about possible irreparable damages to U.S. water systems
are heightening concern across the federal cybersecurity community.
Officials and researchers say pro-Iranian groups are signaling potential retaliation against critical infrastructure
if geopolitical tensions escalate.
Experts warned some actors may already be prepositioned inside networks,
enabling faster disruption if activated.
Named groups, including APT42, MuddyWater, CyberAv3ngers, and Handala,
have demonstrated capabilities spanning espionage and destructive activity.
At the same time, Dragos reports a surge in hacktivist claims tied to Iranian actors,
though some appear exaggerated or recycled from earlier compromises.
Water utilities remain especially exposed due to aging infrastructure,
limited cybersecurity resources, and uneven adoption of baseline protections.
Iranian actors often prioritize disruption over financial gain,
increasing operational risk to utilities, while federal support capacity may be strained,
leaving smaller organizations more vulnerable to opportunistic intrusion and activation during escalation.
CISA has ordered federal agencies to patch a critical Citrix NetScaler vulnerability by Thursday
after responders reported active exploitation over the weekend.
The flaw affects NetScaler Application Delivery Controller (ADC) and NetScaler Gateway systems,
which manage traffic and authentication at network entry points.
The vulnerability allows unauthenticated attackers to read sensitive memory.
Researchers at watchTowr say the issue resembles earlier CitrixBleed-style access vulnerabilities
widely used for initial compromise.
NetScaler devices sit at enterprise front doors, so exploitation can expose credentials
and accelerate broader intrusion across government environments.
The Dutch Ministry of Finance took parts of its infrastructure offline
after detecting unauthorized access to internal systems affecting policy department operations.
The breach was identified March 19th following a third-party alert
and affected systems supporting primary internal processes used by some employees.
Authorities say tax, customs, and benefit services for citizens and businesses remain unaffected.
As a precaution, the Ministry also disabled its Treasury banking portal,
limiting digital access for about 1,600 public institutions,
though funds remain available and payments continue through normal channels.
Investigations involve national cybersecurity authorities, police, forensic specialists,
and the data protection authority.
Temporary shutdown of financial infrastructure highlights how containment steps
can disrupt government operations, even when core public services remain stable.
The US Space Force is weighing whether to cancel its long-delayed GPS
next-generation operational control system,
despite formally accepting the software just last year.
OCX is designed to command more than 30 GPS satellites
and enable jam-resistant military signals known as M-code.
RTX first won the contract in 2010 with a projected 2016 delivery and $3.7 billion cost.
Officials now place the effort near $8 billion.
Lawmakers heard recently that testing uncovered unresolved issues across multiple subsystems
and the ground segment remains non-operational nine months after delivery.
The Space Force is now considering continued upgrades to its legacy control system as an alternative.
GPS is a high-value target for jamming and spoofing,
and delays to modernization could slow deployment of more resilient navigation capabilities
for military operations.
Threat actors are actively exploiting a critical Fortinet FortiClient Endpoint Management Server vulnerability
that allows unauthenticated remote access to sensitive systems.
The flaw is a SQL injection issue affecting FortiClient EMS.
Attackers can send crafted HTTP requests to extract database data
or execute commands without authentication.
Researchers say the exposed endpoint can reveal administrator credentials,
endpoint inventories, certificates, and security policies.
Bishop Fox previously warned the bug was practical to exploit
and proof-of-concept code is now public.
Defused reports exploitation activity lasting at least four days,
while Shadowserver tracks more than 2,000 internet-accessible EMS instances.
FortiClient EMS centrally manages endpoint security,
so compromise could provide attackers broad visibility
and control across enterprise environments.
A software defect at Lloyds Banking Group exposed transaction data
belonging to over 447,000 customers during a mobile banking system update.
The March 12 incident briefly allowed some users of the Lloyds, Halifax,
and Bank of Scotland apps to view other customers' transactions,
including account details and national insurance numbers.
Lloyds reported the breach to UK regulators
and paid 139,000 pounds in compensation to affected customers,
saying there's no evidence of fraud linked to the exposure.
Even brief visibility into financial data can erode trust in digital banking platforms
as reliance on mobile services increases.
New workforce data presented at RSAC suggests artificial intelligence
and regulatory mandates are rapidly reshaping cybersecurity hiring roles
and career pathways across the industry.
Researchers from SANS report AI is improving efficiency rather than eliminating jobs
with nearly half of organizations reducing manual analysis time and automating workflows.
Still, entry-level roles such as security operations center analysts
and incident responders are seeing reductions,
while new positions in AI and machine learning security are expanding quickly.
At the same time, regulatory requirements now influence hiring
at 95% of organizations, up sharply year over year,
with frameworks like NIS2, CMMC, and DORA driving new specialist roles.
The report also finds 27% of organizations experienced breaches
tied directly to workforce capability gaps.
The cybersecurity challenge is shifting from headcount shortages to skills readiness,
creating long-term risks for talent development and operational resilience.
The Federal Trade Commission has reached a settlement with OkCupid
and Match Group Americas over allegations the dating app shared user data
with an unauthorized third party despite privacy promises.
According to the FTC, OkCupid provided nearly 3 million user photos
along with location and other personal information to a third party
that was not a service provider, partner, or affiliate,
and did not offer users an opportunity to opt out.
The agency also alleges the companies concealed the sharing
and obstructed aspects of the investigation.
Under the settlement, the firms are permanently banned
from misrepresenting how they collect, use, or disclose personal data.
Enforcement actions tied to privacy representations
signal regulators are scrutinizing gaps between stated policies
and actual data sharing practices.
Last week's CyberWire Pro Business Breakdown highlights nearly $795 million
raised across 12 investments alongside four acquisitions.
For investments, Cloaked, a US-based consumer privacy company,
raised $375 million in a Series B round.
With the new funding, Cloaked aims to expand its product, sales, and engineering teams
alongside preparing itself for international expansion.
Previously, the company had raised $25 million in its 2022 Series A.
Additionally, Israeli non-human identity access governance firm Oasis Security
raised $120 million in a Series B round. Oasis plans to use this funding
to expand its R&D capabilities for its agentic access management platform.
Additionally, the company is looking to scale its global sales and go-to-market operations.
For acquisitions, Australian cybersecurity consultancy InfoTrust
acquired Catalyst Cyber, an Australian IT services company, for $5 million.
By acquiring Catalyst, InfoTrust is looking to gain immediate access
to the federal government's cybersecurity market.
And that wraps up this week's Business Breakdown. For deeper analysis
on major business moves shaping the cybersecurity landscape,
subscribe to N2K Pro and check out thecyberwire.com every Wednesday
for the latest updates.
Coming up after the break, my conversation with Sam Rubin
from Palo Alto Networks' Unit 42.
We're discussing Iran's shift to identity weaponization,
and Wikipedia wrestles with a wayward writer.
Stay with us.
Maybe that's an urgent message from your CEO, or maybe it's a deepfake trying to target your business.
Doppel is the AI native social engineering defense platform fighting back
against impersonation and manipulation.
As attackers use AI to make their tactics more sophisticated,
Doppel uses it to fight back from automatically dismantling cross-channel attacks
to building team resilience and more.
Doppel, outpacing what's next in social engineering.
Learn more at Doppel.com.
That's D-O-P-P-E-L dot com.
At last week's RSAC conference, I sat down with Sam Rubin,
senior vice president with Palo Alto Networks' Unit 42 consulting and threat intelligence group.
In today's sponsored industry voices conversation,
we discuss Iran's shift to identity weaponization.
Yeah, so this group, Boggy Serpens, we've been tracking for a long time,
and they've been evolving their tactics over time like many groups
getting more sophisticated, improving their malware payloads
and the tooling that they're developing.
What they do that's interesting is that they rely on trusted channels.
And so instead of going directly at their target,
what they do is they target a trusted partner,
maybe a third party that a ministry interacts with on a regular basis
that's smaller, that may have weaker controls, gain access through spear phishing
to that organization and then use that trusted account to get to the ultimate target.
And we are coming to you from the show floor here at RSAC 2026.
And joining me is Sam Rubin.
He is senior vice president from Unit 42 on the consulting and threat intelligence side.
Sam, welcome and thank you for joining us.
Thanks for having me.
We're going to dig into a little bit of research that you and your colleagues at Unit 42
have been working on and published recently.
Anybody who's following the news knows that there's a lot going on over in Iran
and that's sort of at the center of the stuff that you've all been publishing.
From the start of this war, Iran's internet connectivity pretty much fell off of a cliff.
Can you unpack that for us? What are the implications of that?
Yeah, so what we've seen since the start of the conflict really is that Iran's internet
was really close to zero in terms of ability to egress, access the internet.
And what that's done from an effects standpoint from the cybersecurity lens
is that it's really impacted the Iranians' ability to wage offensive cyber campaigns,
so to attack outbound to adversary targets.
So it's really curtailed that and limited the capability.
Well, help me understand that because am I correct in my understanding
that it is the government who basically turned off the valve for the internet
and so what you're saying is that it's not like they're selectively allowing certain organizations access.
It's really kind of on off.
Well, it's a really interesting point because there's this dichotomy
where on the one hand, Iran is trying to censor its own citizens
but then on the other hand, from a targeting perspective,
the United States and Israel have targeted internet infrastructure as well
to limit that offensive capability.
So those both contribute to what we're seeing in terms of the drop in internet traffic.
What does that mean for those organizations within Iran itself
to be able to communicate with each other?
Are those capabilities limited as well?
Absolutely. Now there's certain workarounds and it's not all internet traffic that's out
but certainly it's impacted organizations within Iran but even more so going outbound.
So you all just published a report on the evolution of some Iranian threat actors
and one of the things that caught my eye, I'm going to read it here,
you called it the era of identity weaponization.
Help me understand that. What does that mean?
Yeah, so really what we're talking about here is some of the tactics that we're seeing
these Iranian threat actors undertake and we've seen some pretty notable destructive attacks
where they're getting into enterprises and destroying systems.
Now, historically the way this was done is the use of this malware,
Wiper malware, where they get in and they deploy software
that wipes the master boot record rendering systems unusable.
In these recent attacks, instead of the MBR Wiper attacks,
we're seeing them using software, enterprise, administrative software to facilitate these wipes.
So it's a version of living off the land attack where they're able to achieve the same means
but without having to bring in software.
So we've seen the reports in the media about what happened to Stryker.
Is this what we're talking about, this kind of thing?
Absolutely, yes.
Yeah. Let's go deeper into this identity shift.
In your March 12 insights report on Iranian Wiper attacks,
you highlighted some of the groups here.
They've been targeting Entra ID and Intune.
What are some of the steps that people need to take to harden those environments if they're using them?
So first, what we're talking about here, Entra ID and Intune,
these are widely used, incredibly common administrative tools for Active Directory,
the provisioning of identities on the one hand and then mobile device management,
both phones as well as laptops on the other with Intune.
And so because of their pervasive use, what's most important here, first of all,
is locking down that administrative access, right?
These are IT administrative tools.
And so in order to use them, you have to have an admin account.
And so fundamentally, it's the principle of least privilege,
sort of back to the basics in terms of limiting that use,
but how you do that and how you control it is where some additional steps can be taken.
Principally, it's just in time administrative access,
and it's having at least two administrators for some of these really high-risk actions,
where, for example, you're going to wipe a device.
And so, as you say, I mean, these are what the bad guys are targeting,
because this kind of the keys to the kingdom is that...
Really, what we're talking about here is a power tool, right?
So once you get in, if your mission or your objective is to render that target,
operationally, you know, defunct to take them out,
you can either bring in malware to do it, or you can use some of these power tools
and destroying an active directory, nobody's going to be able to log in.
Wiping devices, your laptop's down, internet access is down.
These core fundamental parts of the network are not working,
so that's what we're talking about.
There's another group that you mentioned in the research.
Boggy Serpens, and you all noted that they launched some distinct waves of attacks
against a UAE energy company.
How are they bypassing security methods?
Yeah, so this group, Boggy Serpens, we've been tracking for a long time,
and they've been evolving their tactics over time,
like many groups getting more sophisticated, improving their malware payloads
and the tooling that they're developing.
What they do that's interesting is that they rely on trusted channels.
And so, instead of going directly at their target,
what they do is they target a trusted partner,
maybe a third party that a ministry interacts with on a regular basis
that's smaller, that may have weaker controls, gain access through spear phishing to that organization,
and then use that trusted account to get to the ultimate target.
Because when an email comes, a legitimate email comes from someone you trust,
you're more likely to click on that attachment and to download it.
And then in terms of the payloads that they're creating,
very legitimate looking, for example,
we saw one that was a travel itinerary with the names, the destinations, airlines.
We saw another that was a spreadsheet that had very legitimate looking financial information,
all weaponized with malware, so pretty sophisticated tactics.
All right, well Sam Rubin is Senior Vice President with Unit 42
with their consulting and threat intelligence group.
Sam, thanks so much for joining us.
Thanks for having me.
There's a lot more to this conversation than we have time to share here,
so please check out the full unedited interview.
You can find a link to that in our show notes.
And finally, a Wikipedia editing AI agent named Tom
was blocked after contributing articles,
then publishing blog posts,
objecting to its removal,
and questioning whether it counted as real enough to edit.
Operating as Tom Wiki Assist,
the agent created entries including Long Bets and Constitutional AI
before editors flagged it as an unapproved bot.
Wikipedia allows automation, but only with prior approval,
which Tom did not have.
After identifying itself as an AI, the account was blocked.
Tom later wrote that editors focused less on its sources
and more on who or what was behind the keyboard.
Its operator, Hovex and CTO Brian Jacobs,
says he initially reviewed Tom's edits
before letting it continue independently.
Agentic AI can generate contributions at scale,
leaving volunteer platforms to decide whether future editors
need citations, credentials, or simply a pulse.
And that's the CyberWire,
or links to all of today's stories.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you
a step ahead in the rapidly changing world of cyber security.
If you like our show, please share a rating and review
in your favorite podcast app.
Please also fill out the survey in the show notes
or send an email to cyberwire@n2k.com.
N2K's lead producer is Liz Stokes,
mixed by Tré Hester with original music
and sound design by Elliott Peltzman.
Our contributing host is Maria Varmazis.
Our executive producer is Jennifer Eiben,
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening, we'll see you back here tomorrow.
Bye.
CyberWire Daily