
When the map lies at sea.
GPS jamming hits the Strait of Hormuz. An Iran linked threat actor uses AI to target Iraqi government officials. Hacktivists leak thousands of DHS contract records. A Hawaii cancer center suffers a data breach. Google patches over a hundred Android vulnerabilities. A new report tallies the scale of third party breaches. An MS-Agent AI framework flaw allows full system compromise. On today's Threat Vector segment, Evan Gordenker, Director of AI Security and DPRK Operations at Unit 42, joins David Moulton to unpack North Korea’s hiring scams. Tire tech turns tattletale.
Today is Tuesday, March 3rd, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
GPS jamming hits the Strait of Hormuz.
Shipping through the Strait of Hormuz has nearly stalled following the start of US and Israeli strikes against Iran on February 28, as military attacks and widespread GPS and automatic identification system, or AIS, disruptions raise safety risks. According to maritime intelligence firm Windward, more than 1,100 ships across Iranian, Emirati, Qatari, and Omani waters have experienced electronic interference, with vessels falsely appearing inland or at sensitive sites like a nuclear power plant. The firm identified 21 new clusters of AIS jamming, with most incidents involving signal jamming rather than spoofing. Maritime authorities have labeled the threat “critical,” warning that degraded positioning data increases the risk of collisions, groundings, or oil spills. As the conflict expands, analysts say broader attacks could further escalate electronic interference and navigational danger in the region.
Amazon confirmed drone strikes damaged three AWS data centers in the United Arab Emirates and one in Bahrain, disrupting cloud services across the Middle East.
The company says facilities in the AWS Middle East, UAE Region, ME CENTRAL 1, and the AWS Middle East, Bahrain Region, ME SOUTH 1, sustained structural damage, power disruptions, and in some cases water damage from fire suppression efforts. Two UAE facilities were directly struck, and a nearby strike affected infrastructure in Bahrain. Three availability zones remain significantly impaired or affected by localized power issues. Amazon is restoring physical infrastructure and pursuing software based recovery paths. Customers have been advised to activate disaster recovery plans and migrate workloads to other regions. The United Kingdom’s National Cyber Security Centre also warned of heightened Iranian cyber risk amid the conflict.
An Iran linked threat actor uses AI to target Iraqi government officials.
An Iran linked threat actor targeted Iraqi government officials by impersonating Iraq’s Ministry of Foreign Affairs and using AI assisted malware.
Zscaler ThreatLabz detected the campaign in January 2026 and tracks the actor as Dust Specter, attributing it to Iran with medium to high confidence. Government related infrastructure in Iraq was compromised to host malicious payloads. Researchers identified previously undocumented malware, including SplitDrop, TwinTask, TwinTalk, and a .NET remote access trojan called GhostForm. One attack chain used a password protected RAR archive delivering a dropper that deployed DLLs for command execution and data exfiltration. A second chain consolidated capabilities into a single binary using Google Forms lures and in memory PowerShell execution. ThreatLabz observed emojis and unusual Unicode patterns in the code, suggesting generative AI tools were used in development.
Hacktivists leak thousands of DHS contract records.
Hacktivists calling themselves “Department of Peace” claim they breached the Department of Homeland Security and leaked thousands of contract records.
The nonprofit DDoSecrets published data Sunday tied to contracts between DHS, Immigration and Customs Enforcement, and more than 6,000 companies. Named firms include defense contractors Anduril, L3Harris, and Raytheon, surveillance provider Palantir, and tech companies Microsoft and Oracle. The hackers say the data came from DHS’s Office of Industry Partnership, which procures private sector technology. Security researcher Micah Lee organized the records into a searchable website listing contract amounts and contractor contact details. DHS and ICE did not respond to requests for comment.
The group said it acted in response to the killings of two protesters and to expose companies supporting DHS operations, including immigration enforcement and deportations.
A Hawaii cancer center suffers a data breach.
The University of Hawaii says a ransomware attack on its Cancer Center’s Epidemiology Division exposed data tied to nearly 1.2 million individuals. The August 2025 breach affected research files, including names, Social Security numbers, driver’s license numbers, and health data from long running epidemiological studies and public records. Clinical operations and student records were not impacted. The attackers encrypted systems, delaying recovery, and the university says it paid for a decryption tool and the “secure destruction” of stolen data.
Google patches over a hundred Android vulnerabilities.
Google has released March Android security updates addressing 129 vulnerabilities, including an actively exploited zero day in a Qualcomm display component.
Tracked as CVE-2026-21385, the flaw involves an integer overflow in Qualcomm’s Graphics subcomponent that can lead to memory corruption. Google says there are indications of limited, targeted exploitation. Qualcomm disclosed the issue in February, noting it affects 235 chipsets and that customers were notified earlier that month. The March bulletin also patches 10 critical flaws in Android’s System, Framework, and Kernel components, including one that could allow remote code execution without user interaction. Google issued two patch levels, with broader fixes in the March 5 release. Pixel devices receive updates immediately, while other vendors may face delays.
Elsewhere, researchers have disclosed a high severity Google Chrome flaw that let malicious extensions hijack the browser’s Gemini Live AI panel and inherit elevated privileges.
Tracked as CVE-2026-0628, the bug was discovered by Palo Alto Networks Unit 42. Rogue extensions could abuse Chrome’s extension network rules to intercept traffic to the embedded Gemini Live panel and inject their own JavaScript. Because Gemini Live is tightly integrated with Chrome and can access screenshots, local files, cameras, and microphones, a compromised panel could grant extensions access beyond their intended permissions. Researchers say this could have enabled webcam or microphone activation, file access, or phishing content injection. Google patched the issue in January with Chrome 143 stable updates. The case highlights how deeply integrated AI features can expand the browser threat model.
A new report tallies the scale of third party breaches.
A new report from Black Kite finds third party breaches affected more than 433 million individuals across 136 verified incidents in 2025, underscoring the expanding blast radius of supply chain attacks.
The firm identified an average of 5.28 named downstream victims per breached vendor, totaling 719 companies. Vendors also reported 26,000 additional unnamed corporate victims, suggesting the total impact may be higher. Software services providers accounted for 28 percent of breaches, with healthcare, education, and financial services most affected downstream. Detection and disclosure delays were significant, with a median 10 days to detect intrusions and 73 days to notify customers. Black Kite also found widespread critical vulnerabilities and exposed credentials among major vendors, warning that traditional third party risk management is failing to keep pace with evolving threats.
An MS-Agent AI framework flaw allows full system compromise.
A high severity flaw in the open source ModelScope MS-Agent framework allows attackers to execute arbitrary operating system commands through crafted input. Tracked as CVE-2026-2256, the issue stems from the framework’s Shell tool, which relies on an unsafe regex based blacklist to filter dangerous commands. Researchers say attackers can inject malicious content into prompts or other data sources, tricking the agent into generating and executing attacker influenced shell commands. Successful exploitation could lead to full host compromise, data exfiltration, and persistence. The vendor has not responded to coordination efforts.
Tire tech turns tattletale.
Your car’s tire pressure sensors may be keeping tabs on more than your air pressure. Researchers have shown they can also help track your movements.
Academics from Spain, Switzerland, and Luxembourg found that Tire Pressure Monitoring Systems, now mandatory worldwide, broadcast a unique identifier in plain text. Using five roadside receivers costing about $100 each, the team collected more than 6 million TPMS messages from roughly 20,000 vehicles over 10 weeks. Because the identifier does not change during a tire’s lifetime, researchers could match signals to specific cars and infer movement patterns, vehicle type, and even driving behavior.
They warn that low cost equipment and unencrypted transmissions make large scale tracking feasible. In theory, attackers could also spoof flat tire alerts to force vehicles to stop, turning a safety feature into a surveillance tool.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
