The CyberWire Daily Podcast 4.27.26
Ep 2539 | 4.27.26

The Supreme Court sits on the geofence.

Transcript

The Supreme Court weighs geofence warrants. Iran leans toward quieter cyber ops. Researchers unpack Fast16 sabotage malware. Microsoft tracks an Outlook outage. Snow malware moves deep inside networks. Itron reports a breach. SMS blasters hit Canada. Italy extradites an accused hacker to the U.S. Monday business brief. Our guest is Mick Coady, Field CTO of Elisity, on how hospitals can best defend against ransomware attacks. Meta’s relentlessly watchful eye turns inward. 

Today is Monday, April 27th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The Supreme Court considers geofence warrants.

The U.S. Supreme Court is considering whether “geofence warrants,” a law enforcement technique that identifies people near crime scenes using tech-company location data, violate the Fourth Amendment’s protections against unreasonable searches. In the case before the Court, police used Google’s Location History data to identify suspects after a 2019 Virginia bank robbery, ultimately arresting one man while also sweeping in innocent bystanders. Supporters argue users who opted into location tracking reduced their expectation of privacy and that such warrants can help solve crimes efficiently. Critics counter that geofencing resembles a digital dragnet, allowing searches across millions of accounts without individualized suspicion. The Court must decide whether geofence requests count as constitutional searches and whether voluntarily stored location data forfeits privacy rights. The ruling could shape how digital records are treated under the Constitution and define limits on law enforcement access to large-scale location data.

Experts expect patient, targeted attacks from Iran.

U.S. officials and cybersecurity experts say recent warnings about Iranian-linked cyber threats are more likely to signal opportunistic intrusions than large-scale disruptive attacks on critical infrastructure. Former NSA director Tim Haugh and incident response expert Kevin Mandia noted that Iran’s cyber activity typically relies on exploiting basic security weaknesses, such as stolen credentials and social engineering, then amplifying the impact through information operations. A reported incident involving medical device company Stryker, where attackers used legitimate access to disable devices, illustrates this pattern. Experts expect future activity to target organizations connected to the United States or Israel rather than broad infrastructure systems. For defenders, the key risk remains identity security gaps and weak authentication controls, suggesting that routine protections like widespread multifactor authentication remain the most effective near-term defense.

Researchers decode the mysterious Fast16 sabotage malware.

Researchers at SentinelOne have uncovered new details about Fast16, a previously mysterious piece of malware dating to 2005 that appears designed for subtle, long-term sabotage of scientific and engineering calculations. Unlike destructive “wiper” malware or overt industrial attacks like Stuxnet, Fast16 silently altered outputs in simulation software, potentially causing faulty research results or real-world equipment failures while remaining difficult to detect. The malware spread across networks and targeted applications including MOHID, PKPM, and especially LS-DYNA, a physics simulation tool used in aerospace, engineering, and nuclear-related research. Evidence suggests LS-DYNA was used by Iranian scientists linked to nuclear weapons development, leading researchers to hypothesize Fast16 may have been an early cyber effort to disrupt Iran’s program before Stuxnet. Experts say the discovery pushes back the timeline of sophisticated state-sponsored cybersabotage and highlights how covert manipulation of technical data, rather than system destruction, has long been part of advanced cyber operations.

Microsoft flags an ongoing Outlook.com outage.

This morning, Microsoft was investigating an ongoing Outlook.com outage causing intermittent sign-in failures and unexpected account sign-outs for some users. Since the issue began, thousands of reports have surfaced, with many users encountering “too many requests” errors and mailbox access problems. Microsoft says client sign-in interactions may be contributing to the disruption but has not identified a root cause or disclosed affected regions or user numbers. The company classified the incident as service degradation rather than a full outage.

Snow malware steals sensitive data after gaining deep network access.

Threat group UNC6692 is using social engineering to deploy a custom malware suite called “Snow” to steal sensitive data after gaining deep network access. According to Google’s Mandiant researchers, attackers begin with email-bombing campaigns, then impersonate IT helpdesk staff via Microsoft Teams to trick victims into installing a fake spam-blocking patch. The download deploys components including the SnowBelt browser extension, the SnowGlaze tunneler, and the SnowBasin backdoor, enabling stealthy command execution, persistence, and data exfiltration. After initial compromise, the attackers conduct internal reconnaissance, move laterally using stolen credentials, and extract Active Directory data from domain controllers. They exfiltrated registry hives and credential databases using LimeWire. Mandiant reports the activity supports long-term access and large-scale credential theft across compromised environments.

Utility technology provider Itron discloses a breach.

Utility technology provider Itron disclosed that an unauthorized third party accessed portions of its internal systems in a cyberattack detected on April 13, 2026. The company activated its incident response plan, notified law enforcement, and engaged external advisors to investigate and contain the activity, which has since been blocked with no observed follow-up intrusion. Itron says the incident caused no material disruption to business operations and did not affect customers, though the investigation remains ongoing. The Washington-based firm supports electricity, water, and gas infrastructure across 7,700 customers in 100 countries, highlighting its role in critical services. No ransomware group has claimed responsibility, and Itron expects insurance to cover a significant portion of response-related costs.

SMS blasters cross the Canadian border.

Toronto Police have arrested three men and laid 44 charges in what they describe as Canada’s first investigation involving “SMS blasters,” devices that mimic legitimate cell towers to send fraudulent text messages to nearby phones. The suspects allegedly used the mobile systems from vehicles across Toronto to distribute smishing messages that redirected victims to fake websites designed to steal personal information. Police estimate tens of thousands of devices connected to the blasters over several months, causing more than 13 million network disruptions and potentially interfering with access to emergency services. The investigation, called Project Lighthouse, began in November 2025 and involved multiple law enforcement agencies, financial institutions, and telecommunications providers. Authorities say the case highlights a growing threat to both public safety and financial security.

Italy extradites an accused hacker to the US.

Italy’s government has decided to extradite Chinese national Xu Zewei to the United States on hacking-related charges, following an Italian court ruling supporting the request. U.S. prosecutors allege Xu stole COVID-19 research and conducted cyber operations on behalf of the Chinese government, though he denies the accusations. Xu was arrested in Italy in 2025 at Washington’s request and remains in custody pending formal extradition steps. Italian officials have not publicly commented on the decision. The move could help ease diplomatic tensions between Italy and the United States amid broader disagreements over foreign policy issues.

Monday business brief.

Israeli detection and response startup Artemis has emerged from stealth with $70 million in seed and Series A funding led by Felicis, with participation from First Round Capital and Brightmind, to expand engineering, research, and go-to-market teams as enterprise demand grows. Meanwhile, Japanese AI security firm Almure raised $1.25 million in seed funding from Genesia Ventures, Dual Bridge Capital, and NEX-T Tokai Innovation Fund to advance research and product development. Several acquisitions also highlight consolidation in the cybersecurity sector. ServiceNow completed its acquisition of cyber exposure management firm Armis to extend security visibility into operational environments. Nexus IT acquired IT consultancy Imagis to expand services nationally. BOOST LLC acquired Rimstorm to strengthen CMMC Level 2 compliance support for defense contractors, and Cloudcomputing acquired UK-based MSSP Innovate IT to support international expansion.

Meta's relentlessly watchful eye turns inward.

Meta, long known for tracking user behavior to refine ads and engagement, is now turning similar observation inward by deploying monitoring software on employees’ work computers. According to reports from Reuters and Business Insider, the “Model Capability Initiative” will capture keystrokes, mouse activity, and periodic screenshots from work-related tools like Gmail, GChat, VSCode, and Meta’s internal apps to help train AI agents that better understand how people use computers. CTO Andrew Bosworth reportedly framed the effort as a step toward a future where AI agents handle routine tasks while humans supervise. Meta joins peers like Anthropic, OpenAI, and Microsoft in pursuing agent-driven workflows. Still, there is a certain symmetry in Meta staff experiencing the sort of data collection the company helped normalize, especially as its vision of “personal superintelligence” arrives with fewer assurances about personal workspace privacy.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

Don’t forget to check out the “Grumpy Old Geeks” podcast, where I contribute to a regular segment on Jason and Brian’s show every week. You can find “Grumpy Old Geeks” where all the fine podcasts are listed.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.

N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.