
The quietest weapon in America’s loudest strike.
Cyber weapons knock out Iranian air defenses during strikes on nuclear sites. ShinyHunters dump more than a million stolen records from Harvard and Penn. Betterment confirms a breach exposing data from roughly 1.4 million accounts. Researchers uncover a sprawling scam network impersonating law firms. Italy blocks cyberattacks aimed at Olympics infrastructure. Critical bugs put n8n and Google Looker servers at risk of full takeover. A state-backed Shadow Campaign hits governments worldwide. OpenClaw shows how AI-powered attacks are becoming faster, cheaper, and harder to stop. Our guest is Tony Scott, CEO of Intrusion and former federal CIO, sharing his perspective on evolving regulation and the realities behind critical policy shifts. Your smartphone may testify against you.
Today is Thursday, February 5th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Cyber weapons disrupted Iranian air missile defense systems during June 2025 strikes on nuclear facilities.
In an exclusive report, Recorded Future cites U.S. officials who say the military used cyber weapons to disrupt Iranian air missile defense systems during June 2025 strikes on nuclear facilities, marking a significant step in integrating cyber operations into conventional warfare. According to multiple officials, U.S. cyber operators targeted a connected military system, not the hardened sites at Fordo, Natanz, and Isfahan themselves, to prevent Iran from firing surface-to-air missiles at incoming American aircraft. By striking an upstream “aim point” on the network, enabled by intelligence support from the National Security Agency, operators avoided the more difficult task of penetrating fortified systems directly.
The previously unreported cyber component of Operation Midnight Hammer is described as among the most sophisticated actions taken by U.S. Cyber Command against Iran. Senior military leaders later praised cyber’s role in supporting the strike package. Lawmakers have received classified briefings but are pressing for more public detail, as officials emphasize that cyber capabilities are now treated alongside kinetic weapons as routine tools of military operations.
ShinyHunters leak more than a million personal records stolen from Harvard University and the University of Pennsylvania.
Hackers operating under the name ShinyHunters have leaked more than one million personal records stolen from Harvard University and the University of Pennsylvania after ransom negotiations failed. The data, now posted on the group’s dark web site, includes names, contact details, dates of birth, donation histories, estimated net worth, and sensitive demographic information tied to students, staff, alumni, and donors.
According to reporting later verified in part by TechCrunch, the breaches stemmed from stolen single sign-on credentials and voice phishing attacks, giving attackers access to internal systems including VPN services and development databases. Neither incident involved ransomware encryption. Instead, the hackers opted to publish the stolen files after talks collapsed, exposing affected individuals to potential fraud and identity abuse.
Investment platform Betterment leaked personal data from roughly 1.4 million accounts.
Automated investment platform Betterment disclosed a January breach that exposed personal data from roughly 1.4 million accounts. Analysis by Have I Been Pwned found stolen data included names, email addresses, locations, and in some cases birthdates, phone numbers, and physical addresses. Attackers also sent fraudulent promotional emails after a social engineering attack. Following a forensic investigation with CrowdStrike, Betterment said no customer accounts, passwords, or login credentials were compromised. Intermittent outages were later linked to a DDoS attack, according to BleepingComputer.
Researchers uncover a network of scam websites impersonating law firms.
Researchers at Sygnia have uncovered a coordinated network of more than 150 cloned scam websites impersonating legitimate law firms. The campaign was identified after one firm reported brand impersonation, which investigators traced to a large, persistent infrastructure designed to evade detection. The sites use multiple registrars, distinct SSL certificates, and services like Cloudflare to obscure links between domains and complicate takedowns.
The cloned sites appear aimed at repeat fraud victims, offering fake legal services to recover previously lost funds, often claiming no upfront payment. Sygnia found reused phone numbers tied to earlier scams, though attribution remains uncertain. Researchers warn that AI-driven tools are making such large-scale, convincing impersonation campaigns easier, faster, and more common, increasing fraud risks for both businesses and individuals.
Italy blocks a wave of cyberattacks targeting Olympics infrastructure.
Italy says it has blocked a wave of cyberattacks targeting foreign ministry offices and Winter Olympics-related infrastructure just days before the Games opened. Foreign Minister Antonio Tajani said the attempted intrusions, including one aimed at an office in Washington, were of Russian origin, though he offered no technical details. The attacks also targeted Olympics websites and hotels in Cortina d’Ampezzo. As events began, Interior Minister Matteo Piantedosi confirmed 6,000 security personnel are deployed across Games venues from Milan to the Dolomites, including counterterrorism units.
High-severity flaws in n8n could let attackers hijack servers, steal credentials, and silently manipulate automated and AI-driven workflows.
Researchers have disclosed multiple high-severity flaws in n8n that could let attackers hijack servers, steal credentials, and silently manipulate automated and AI-driven workflows. Tracked as CVE-2026-25049 and rated 9.4 on the CVSS scale, the bugs stem from improper sanitization of workflow expressions and bypass protections added after a critical 2025 flaw. n8n confirmed that authenticated users with workflow permissions could trigger unintended command execution on the host system.
Security firm Pillar Security warned that compromised servers could expose API keys and cloud or AI credentials, while SecureLayer 7 demonstrated low-effort exploitation. Patches are now available, and users are urged to update, audit workflows, and rotate sensitive credentials promptly.
Critical vulnerabilities in Google Looker could allow full compromise.
Researchers at Tenable disclosed two critical vulnerabilities in Google Looker that could allow attackers to fully compromise a Looker instance. Dubbed “LookOut,” the flaws include a remote code execution chain that could bypass isolation controls in cloud deployments and enable cross-tenant access, and an authorization bypass that exposed Looker’s internal MySQL database, tracked as CVE-2025-12743. Google patched the issues quickly in its managed Looker service, but organizations running customer-hosted or on-prem versions remain at risk until they apply updates. Because Looker often handles highly sensitive business data, successful exploitation could expose secrets, credentials, and internal configurations. Tenable urges affected organizations to verify patch levels immediately and review Google’s security bulletin.
Shadow Campaign targets government and critical infrastructure organizations.
Researchers at Palo Alto Networks say a state-sponsored cyberespionage group has breached government and critical infrastructure organizations across dozens of countries. The firm tracks the actor as TGR-STA-1030 and calls the activity the “Shadow Campaign.” Palo Alto reports high confidence that the group operates out of Asia, citing regional infrastructure, language preferences, and activity aligned with the GMT+8 time zone, though it stopped short of naming a country.
According to investigators, at least 70 organizations in 37 countries were compromised, with reconnaissance spanning 155 countries. Targets included parliaments, senior officials, law enforcement, telecom providers, and ministries tied to finance, trade, and diplomacy. The attackers relied on phishing for initial access, exploited known vulnerabilities, and deployed a previously unseen Linux kernel rootkit dubbed ShadowGuard to maintain stealthy, long-term access.
The rapid evolution of the OpenClaw system highlights a troubling shift toward fully automated, AI-driven attacks.
Security strategist Paul Miller examines the rapid evolution of the OpenClaw system and highlights a troubling shift in cyber warfare toward fully automated, AI-driven attack ecosystems. Once a localized large language model with modular “skills,” OpenClaw has become a globally distributable and self-replicating platform that effectively commoditizes advanced cyberattack capabilities. Its skills, autonomous modules for reconnaissance, exploitation, lateral movement, and evasion, are now spreading beyond the original platform through open-source releases and underground marketplaces.
This dissemination lowers the barrier to entry for cybercrime, enabling less-skilled actors to deploy sophisticated attacks previously limited to elite or state-sponsored groups. Researchers report hundreds of malicious skills masquerading as legitimate tools, stealing credentials and crypto assets. As these components are reused across unrelated infrastructures, attribution becomes harder and threats mutate more quickly. The trend underscores a broader move toward “Attack-as-a-Service,” forcing defenders to prioritize speed, behavioral detection, and unified, automated security architectures to counter modular, AI-enabled threats at scale.
Your smartphone may testify against you.
According to a new report from Cellebrite, smartphones have become the star witness in modern policing, talkative, portable, and almost impossible to ignore. Based on interviews with 1,200 officers in 63 countries, Cellebrite’s 2026 Industry Trends Report finds that 95 percent now see digital evidence as essential to solving cases, and 97 percent say the public expects it.
Nearly every respondent pointed to smartphones as the top source of evidence, though the devices often arrive locked, uncooperative, and fond of complicating investigators’ weekends. Officers report juggling multiple devices per case, growing data volumes, and the joy of explaining technical findings to non-technical audiences.
While many see artificial intelligence as a potential time-saver, policy barriers and trust issues loom large. As UK police commissioner Matt Scott notes, public consent matters, especially after high-profile data mishaps by police forces have left confidence in law enforcement technology on rather thin ice.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
