The CyberWire Daily Podcast 1.16.26
Ep 2470 | 1.16.26

Who turned out the lights?

Transcript

Who turned out the lights in Venezuela? The European Space Agency confirms a series of cyberattacks. Dutch police nab the alleged operator of a notorious malware testing service. The U.S. and allies issue new guidance on OT security. Researchers warn of automated exploitation of a critical Hewlett Packard Enterprise OneView flaw. TamperedChef cooks up trojanized PDF documents to deliver backdoor malware. A Bluetooth vulnerability puts devices at risk. Cisco patches a maximum-severity zero-day exploited since November. Jen Easterly heads up RSAC. Our guest is Zak Kassas from Ohio State University, discussing GPS alternatives. Vintage phones face modern problems.

Today is Friday, January 16th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Who turned out the lights in Venezuela? 

A Jan. 3 U.S. cyber operation briefly cut power across Caracas and disrupted Venezuelan radar, enabling American military helicopters to enter the country undetected and capture Venezuelan President Nicolás Maduro, now facing drug charges in the United States. U.S. officials said the operation demonstrated precise offensive cyber capabilities, including the ability to quickly restore electricity and limit collateral damage. Most residents lost power only briefly, and hospitals relied on backup generators, with no reported fatalities. The mission, known as Operation Absolute Resolve, was publicly acknowledged by U.S. Cyber Command, though details remain classified. The operation surfaced during Senate hearings for Joshua M. Rudd, as lawmakers reviewed Cyber Command’s role. President Donald Trump alluded to the cyberattack, calling it “dark” and “deadly,” while Venezuela has a long history of blaming U.S. cyber interference for past blackouts without evidence.

The European Space Agency confirms a series of cyberattacks. 

The European Space Agency has confirmed a series of cyberattacks that resulted in sensitive data, including staff email credentials, appearing on dark web forums. The breaches began in mid-December 2025 and affected external servers used for unclassified collaborative engineering work. Attackers claim to have exfiltrated roughly 200 gigabytes of data, allegedly including source code, access tokens, and configuration files, some of which are being offered for sale. ESA said the attackers remained undetected for about a week and stressed that core mission systems and classified operations were not compromised. Cybersecurity researcher Clémence Poirier of ETH Zurich warned that leaked credentials could enable follow-on attacks through credential reuse. ESA has launched a forensic investigation, isolated affected infrastructure, and is cooperating with law enforcement, underscoring broader concerns about cyber risks facing the space sector.

Dutch police nab the alleged operator of a notorious malware testing service. 

Dutch police have arrested a 33-year-old man at Schiphol Airport, alleging he was the operator of AVCheck, a malware testing service used by cybercriminals. Authorities say AVCheck allowed attackers to test malware against antivirus tools and modify it until detection failed, helping criminals steal data unnoticed. The suspect was detained upon returning from the United Arab Emirates. The arrest is part of Operation Endgame, a multinational effort that has dismantled major malware infrastructure in recent years. Dutch police worked with the FBI and Finnish authorities, tracing evidence from servers seized when AVCheck was taken offline in mid-2025. Investigators also identified two Amsterdam-based companies allegedly linked to the service. The suspect remains in custody while seized devices are examined for ties to other criminal groups.

The U.S. and allies issue new guidance on OT security. 

U.S. and allied cyber agencies warned that insecure connectivity remains one of the fastest ways for threat actors to disrupt operational technology, or OT, environments. New guidance from the FBI, the Cybersecurity and Infrastructure Security Agency, the UK National Cyber Security Centre, and partners across the Five Eyes and Europe outlines eight secure connectivity principles. The agencies said growing links between OT, IT networks, cloud platforms, and third parties have expanded opportunities for cyber intrusions to cause physical disruption. They urged organizations to treat every new connection as a risk-based business decision, limit inbound access by default, and use brokered gateways where external access is required. The guidance also warns that legacy devices, flat networks, and fragmented remote access increase exposure, while centralized, well-segmented connectivity improves visibility and resilience.

Researchers warn of automated exploitation of a critical Hewlett Packard Enterprise OneView flaw.

Check Point reports large-scale, automated exploitation of a critical Hewlett Packard Enterprise OneView flaw, CVE-2025-37164, now linked to the RondoDox botnet. The maximum-severity remote code execution bug affects OneView’s centralized control of servers and networking. Researchers observed tens of thousands of exploit attempts after the flaw was added to CISA’s actively exploited list, confirming a shift from proof-of-concept to real-world attacks. Activity was global and largely automated, underscoring the risk of delayed patching for high-privilege management platforms.

TamperedChef cooks up trojanized PDF documents to deliver backdoor malware. 

Researchers at Sophos have detailed a long-running malvertising campaign, dubbed TamperedChef, that uses trojanized PDF documents to deliver backdoor malware and infostealers. The campaign has expanded across Europe, with organizations in Germany, the UK, and France most frequently affected. Attackers target sectors that rely on specialized technical equipment, exploiting users’ searches for instruction manuals or PDF tools. Malicious ads placed prominently in search results direct victims to fake download sites, leading to credential theft and persistent network access. Sophos said the operation uses layered evasion tactics, including staged payloads, abuse of code-signing certificates, and a 56-day dormancy period to avoid detection. The firm recommends avoiding ad-based downloads, restricting approved sources, and enforcing multi-factor authentication to limit impact.

A Bluetooth vulnerability puts devices at risk.

Academic researchers have disclosed a critical flaw in Google Fast Pair that allows attackers to forcibly connect to vulnerable Bluetooth audio accessories. Tracked as CVE-2025-36911, the issue stems from improper pairing checks in some Fast Pair implementations. The attack, dubbed WhisperPair by researchers at KU Leuven, enables attackers within 14 meters to seize control of earbuds or headphones, play audio, or record sound without consent. In some cases, attackers could also track users through Google’s device-finding network. Google has issued updates for Pixel devices, but researchers warn users must also install firmware patches from accessory manufacturers to mitigate the risk.

Cisco patches a maximum-severity zero-day exploited since November. 

Cisco has patched a maximum-severity AsyncOS zero-day, CVE-2025-20393, exploited since November against Secure Email Gateway and Secure Email and Web Manager appliances with exposed Spam Quarantine features. Cisco said the flaw allows remote command execution with root privileges. Cisco Talos attributes the attacks to a China-linked group tracked as UAT-9686, which deployed persistent backdoors and tunneling tools. CISA added the bug to its exploited vulnerabilities catalog, urging rapid patching and compromise checks.

Jen Easterly heads up RSAC. 

Jen Easterly has been appointed chief executive officer of the RSA Conference, taking charge of the event’s global programming, innovation initiatives, and professional platforms. Easterly previously led the Cybersecurity and Infrastructure Security Agency, where she advanced Secure by Design principles, launched the Known Exploited Vulnerabilities catalog, and strengthened public-private coordination on ransomware. A former NSA, White House, and Morgan Stanley executive, Easterly steps into the role as RSAC prepares for its March 2026 conference in San Francisco, expected to draw more than 40,000 attendees worldwide.
Vintage phones face modern problems. 

Our nostalgia desk tells us the tech-weary generation is rediscovering optimism, circa June 2010, by dusting off the iPhone 4, a device last unveiled when hope was high and cellular networks were slow. Online, devotees praise its grainy photos as “vintage,” contrasting them with today’s hyper-real images from modern phones. Introduced by Steve Jobs at Apple’s 2010 developer conference, the phone has become something of a retro status symbol, with resale prices soaring and searches spiking.

But nostalgia comes with consequences. Security experts warn that using a 16-year-old smartphone is less “retro chic” and more “assume breach.” The device stopped receiving updates in 2014, long before modern protections existed. Apple considers such hardware obsolete, meaning no fixes, no parts, and no mercy. For purists determined to relive the vibe, experts suggest extreme digital minimalism: no accounts, no apps, no web browsing, maybe no signal at all. 

Like vinyl records, the iPhone 4 revival is less about technical superiority and more about longing for a simpler, more tangible era. Just as music fans accept pops, skips, and careful handling in exchange for warmth and authenticity, retro-tech devotees are embracing grainy photos, limited features, and inconvenience as part of the charm. The appeal is emotional, not rational: a deliberate step backward from frictionless modern tech, chosen for feel rather than function.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.