The CyberWire Daily Podcast 2.17.26
Ep 2490 | 2.17.26

The lights stay on, but dimmer.

Transcript

The government shutdown leaves CISA at reduced capacity. Ransomware and misconfigured AI threaten cyber-physical infrastructure. Operation DoppelBrand targets Fortune 500 financial and technology firms. Researchers uncover infostealers targeting OpenClaw AI. Identity-based attacks accounted for nearly two-thirds of initial intrusions last year. Researchers compromise popular cloud-based password managers. Authorities have arrested a man suspected of links to Phobos ransomware. Monday business breakdown. On Threat Vector, host David Moulton talks with Steve Elovitz about the 750 major breaches his team analyzed in a single year. Digital detour delivers a Dutchman to detention.

Today is Tuesday, February 17th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The government shutdown leaves CISA at reduced capacity. 

CISA will remain operational during the Department of Homeland Security shutdown that began at 12:01 a.m. on February 14, 2026, but at reduced capacity. Under the Antideficiency Act, staff cannot be paid and are technically furloughed, though 888 of CISA’s 2,341 employees are required to continue working in “excepted” roles without pay. Others can be recalled if needed to address threats to life, property, or national security, such as major ransomware attacks or widespread exploitation of a critical vulnerability.

New projects are halted and regulatory work, including finalizing the CIRCIA reporting rule, will likely stop. The Known Exploited Vulnerabilities, or KEV, Catalog will remain online and may be updated for active threats, but updates are expected to be slower. Enforcement of federal compliance with KEV requirements will likely be curtailed. As acting Director Madhu Gottumukkala noted, adversaries do not pause during government shutdowns.

Ransomware and misconfigured AI threaten cyber-physical infrastructure. 

Ransomware groups sharply increased attacks on industrial organizations in 2025, exploiting weaknesses in operational technology and industrial control systems, according to Dragos.

The Dragos Annual OT Cybersecurity Year in Review for 2026 tracked 119 ransomware groups targeting industrial firms in 2025, up 49 percent from 80 in 2024. Researchers observed 3,300 industrial organizations hit globally, nearly double the prior year. Manufacturing was the most targeted sector, followed by transportation, oil and gas, electricity, and communications.

Attackers most often gained access through remote portals such as VPNs and firewall interfaces, abusing legitimate credentials stolen via phishing, infostealers, or purchased access. Average dwell time in OT environments reached 42 days. Dragos also identified three new threat groups, including an initial access broker targeting US utilities. Prolonged, credential-based access increases the risk of disruptive, multi-day outages in critical industries.

In a separate report, Gartner predicts that by 2028, a misconfigured artificial intelligence system embedded in cyber-physical infrastructure could shut down critical services in a G20 nation. Unlike traditional software bugs, AI errors in power grids, transportation, or industrial control systems can trigger real-world disruptions. Analysts warn that opaque AI models, excessive privileged access, and poorly governed service accounts increase systemic risk. As automation scales, a single flawed configuration or deployment pipeline could cascade across interconnected systems. The warning highlights governance and oversight gaps, not hackers, as the likely cause.

Operation DoppelBrand targets Fortune 500 financial and technology firms. 

Researchers at SOCRadar have uncovered a large phishing campaign targeting Fortune 500 financial and technology firms, including Wells Fargo and USAA.

Dubbed Operation DoppelBrand, the activity ran from December 2025 through January 2026 and is attributed to a financially motivated actor known as GS7. The campaign uses lookalike domains and cloned login portals to harvest credentials, which are sent to attacker-controlled Telegram bots. Investigators identified more than 150 related domains, supported by automated infrastructure and short-lived SSL certificates. In some cases, the actor deploys legitimate remote management tools such as LogMeIn Resolve to maintain persistent access. Blockchain analysis tied to the investigation showed roughly 0.28 bitcoin received.

SOCRadar assesses the actor may function as an initial access broker, selling compromised accounts. The scale and automation make the operation difficult to disrupt.
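
The lookalike-domain triage below is an added example, not SOCRadar's tooling or anything recovered from the campaign. It scores candidate domains against a list of protected brands by folding common homoglyphs (digits, Cyrillic and Greek letters, "rn" for "m"), measuring edit distance to the brand, and flagging brands embedded in subdomains or next to keywords such as "login" or "verify". The brand list, allowlist, homoglyph table, keyword list and sample domains are all constructed for illustration; the eTLD+1 extraction is naive and assumes a single-label public suffix.

```python
"""Lookalike-domain triage for brand-impersonation campaigns.

Added example: scores candidate domains against protected brands using
homoglyph folding, edit distance and brand-embedding checks. The tables and
sample domains below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Single-character substitutions attackers use for Latin letters. Partial table
# (assumption); extend from a confusables list such as Unicode's in practice.
HOMOGLYPHS: Dict[str, str] = {
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",  # Cyrillic
    "ı": "i", "ο": "o", "ν": "v", "α": "a",                                # Turkish/Greek
}
# Two-character sequences that render like a single letter.
MULTI_GLYPHS = {"rn": "m", "vv": "w", "cl": "d"}
# Keywords that raise suspicion when paired with a brand (assumption).
SUSPECT_TOKENS = ("login", "secure", "verify", "account", "auth", "update")

# Constructed inputs for the demo.
BRANDS = ["Wells Fargo", "USAA"]
ALLOWLIST = ["wellsfargo.com", "usaa.com"]
SAMPLE_DOMAINS = [
    "wellsfargo.com",              # legitimate, allowlisted
    "We11sfargo.com",              # digit-for-letter typosquat
    "wellsf\u0430rgo.com",         # Cyrillic 'а' homoglyph
    "wels-fargo.com",              # one edit away after folding
    "wellsfargo.com.evil-cdn.net", # brand as a subdomain label
    "usaa-secure-verify.net",      # brand plus phishing keywords
    "example.org",                 # unrelated
]


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so folding sees the rendered glyphs."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA: use as-is


def fold(label: str) -> str:
    """Normalise a label to the Latin string a human would read it as."""
    s = "".join(HOMOGLYPHS.get(ch, ch) for ch in label.lower())
    for seq, rep in MULTI_GLYPHS.items():
        s = s.replace(seq, rep)
    return re.sub(r"[^a-z0-9]", "", s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def score_domain(domain: str, brands: List[str], allowlist: List[str]) -> Tuple[int, str]:
    """Return (score 0-100, reason); higher means more likely impersonation."""
    dom = to_unicode(domain.strip().strip(".")).lower()
    if dom in allowlist:
        return 0, "allowlisted"
    labels = dom.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]  # naive eTLD+1 (assumption)
    reg_f = fold(registrable)
    sub_f = {fold(lbl) for lbl in labels[:-2]}
    has_token = any(tok in dom for tok in SUSPECT_TOKENS)
    best: Tuple[int, str] = (0, "no brand signal")
    for brand in brands:
        b = fold(brand)
        dist = levenshtein(reg_f, b)
        if reg_f == b:
            cand = (100, f"registrable label folds to '{brand}'")
        elif dist <= len(b) // 5:  # about one typo per five characters; short brands need an exact fold
            cand = (90, f"edit distance {dist} from '{brand}'")
        elif b in sub_f:
            cand = (80, f"'{brand}' used as a subdomain label")
        elif b in reg_f:
            cand = (70 + (10 if has_token else 0), f"'{brand}' embedded in registrable label")
        else:
            continue
        if cand[0] > best[0]:
            best = cand
    return best


def triage(domains: List[str], brands: List[str], allowlist: List[str]) -> List[Tuple[str, int, str]]:
    """Score every domain and return hits sorted by descending score."""
    hits = [(d,) + score_domain(d, brands, allowlist) for d in domains]
    return sorted((h for h in hits if h[1] > 0), key=lambda h: -h[1])


if __name__ == "__main__":
    for domain, score, reason in triage(SAMPLE_DOMAINS, BRANDS, ALLOWLIST):
        print(f"{score:3d}  {domain:30s} {reason}")
```

Feed it newly registered domains or certificate-transparency log entries rather than a static list; the short-lived certificates noted above make CT a natural source. Short brand names only match on an exact fold, since the edit-distance threshold rounds to zero below five characters, which trades recall for fewer false positives on common words.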

Researchers uncover infostealers targeting OpenClaw AI. 

Researchers have identified the first known case of information-stealing malware exfiltrating sensitive files from the widely adopted OpenClaw AI agent framework.

Security firm Hudson Rock reports that an infostealer infection on February 13, 2026, stole configuration files from a victim’s local OpenClaw environment. The malware, believed to be a variant of Vidar, did not specifically target OpenClaw but scanned for files containing terms like “token” and “private key.” Stolen data included authentication tokens, private signing keys, and memory files that store contextual data such as logs and messages. Researchers say this information could enable device impersonation or broader digital identity compromise.

Hudson Rock warns this marks a shift in infostealer tactics, from harvesting browser credentials to targeting AI agent environments. As OpenClaw becomes more embedded in professional workflows, researchers expect continued targeting.

Identity-based attacks accounted for nearly two-thirds of initial intrusions last year. 

Identity-based attacks accounted for nearly two-thirds of initial intrusions last year, according to Palo Alto Networks’ Unit 42.

In its annual incident response report covering 750 cases through September 2025, Unit 42 found social engineering led one-third of breaches. Compromised credentials, brute-force attacks, permissive identity policies, and insider threats were also common. Identity elements played a role in nearly 90 percent of incidents. Researchers say poor controls, misconfigurations, and overprivileged accounts allow attackers to pivot across endpoints, cloud systems, and software supply chains. Vulnerability exploits made up 22 percent of initial access, but identity abuse had broader impact. Median extortion payments rose 87 percent to $500,000, and data theft often occurred within two days.

Unit 42 warns that machine identities, AI agents, and SaaS integrations are expanding the attack surface. The report reflects cases escalated for incident response, not the full threat landscape.

Researchers compromise popular cloud-based password managers. 

Researchers at ETH Zurich found that popular cloud-based password managers could see user vaults compromised under a fully malicious server scenario.

The team analyzed Bitwarden, Dashlane, LastPass, and 1Password, focusing on zero-knowledge encryption models rather than client-side attacks. By targeting account recovery, single sign-on, backward compatibility, vault integrity, and sharing features, researchers achieved vault compromise in all tested products. They reported full vault compromise for Bitwarden, LastPass, and 1Password, and shared vault compromise for Dashlane. In some cases, attackers could both view and modify stored credentials.

Vendors noted the attacks assume total server compromise and advanced cryptographic skill. Several patches and mitigations have been issued, though some risks reflect broader industry challenges around public key authenticity and encrypted sharing.

Authorities have arrested a man suspected of links to Phobos ransomware. 

Polish authorities have arrested a 47-year-old man suspected of links to the Phobos ransomware operation, seizing devices containing stolen credentials and server access data.

Officers from Poland’s Central Bureau of Cybercrime Control detained the suspect in the Małopolska region as part of Operation Aether, an international effort coordinated by Europol. Investigators found passwords, credit card numbers, and server IP addresses that could enable unauthorized system access and ransomware attacks. Police say the suspect communicated with Phobos members via encrypted messaging platforms. He faces charges under Poland’s Criminal Code for possessing and distributing hacking tools, carrying a potential five-year sentence.

Phobos, a ransomware-as-a-service operation, has been linked by the U.S. Justice Department to over 1,000 global victims and more than $16 million in ransom payments. Operation Aether has led to multiple arrests, server seizures, and victim warnings.

Monday business breakdown. 

Cybersecurity firms across Israel, Europe, and the US announced new funding rounds and strategic acquisitions aimed at scaling AI, cloud, and identity-focused security services.

Vega raised $120 million in Series B funding led by Accel to expand product development and go-to-market efforts. GitGuardian secured $50 million to accelerate US and global expansion in secrets security and non-human identity governance. Reco closed a $30 million Series B to grow its AI SaaS security platform, while Nucleus Security raised $20 million to enhance cloud and AI-driven exposure management. Additional funding went to Backslash Security, Nullify, Zast.AI, and enclaive for product expansion and international growth.

On the M&A front, Sophos acquired Arco Cyber, Aura agreed to acquire Qoria, Zscaler bought SquareX, AEA Investors acquired Magna5, and Logicalis US purchased Maple Woods Enterprises. The deals focus on managed security, browser protection, compliance, and online safety expansion.

Digital detour delivers a Dutchman to detention. 

Dutch police arrested a 40-year-old man after he declined to delete confidential law enforcement files that were mistakenly sent to him.

The episode began when the man contacted authorities with images he believed relevant to an investigation. An officer attempted to send a secure upload link. Instead, a technical error delivered a download link, granting access to sensitive police documents. When officers realized the mistake, they instructed the man not to download the files and to delete anything already obtained. He reportedly refused, saying he would comply only if he received something in return. Police responded by arresting him and seizing storage devices. Authorities say there is no indication the documents were shared.

Police noted that knowingly downloading restricted files after being warned could constitute computer trespassing. Potential charges and penalties remain unclear.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.