
State of the router.
The U.S. and its allies warn of Russian cyber threats targeting critical infrastructure as Europe rolls out new sanctions. Apple sues OpenAI over alleged trade secret theft. Progress investigates a potential ShareFile security incident, Zimbra patches a critical flaw, and researchers uncover the new CrashStealer macOS malware. Plus, the EPA tests water utility resilience, scammers clone trusted news sites, and our Monday business briefing. Our guest is Brandon Karpf, from NTT, discussing the 11th Japan-U.S. Cyber Dialogue. Californians smash that delete button.
Today is Monday July 13th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The U.S. with global allies warn Russian hackers target critical infrastructure, while the EU and UK issues sanctions.
Cybersecurity agencies from the United States and eight allied countries have issued a joint advisory warning that Russian state-sponsored hackers linked to the FSB’s Center 16 are targeting vulnerable and poorly configured routers to gain access to critical infrastructure networks. The group scans internet-connected devices for default or weak Simple Network Management Protocol (SNMP) credentials, steals router configuration files, and exploits known Cisco vulnerabilities, including the Smart Install flaw tracked as CVE-2018-0171. Sectors at greatest risk include energy, communications, healthcare, finance, defense, and government. The advisory urges organizations to upgrade to SNMPv3, disable Cisco Smart Install, use strong unique passwords, block SNMP and Trivial File Transfer Protocol (TFTP) traffic where appropriate, keep devices updated, and replace end-of-life hardware. It also follows a separate international operation that disrupted Russian router-based espionage infrastructure.
The European Union and the United Kingdom have imposed new sanctions on dozens of Russian individuals and entities, accusing Moscow of directing a network of cyber operations targeting governments and critical infrastructure across Europe. The measures target Russian military intelligence (GRU) officers, cybercriminals, private companies, and members of the Lumma Stealer malware operation and Rybar media network. The EU also publicly identified the FSB’s 16th Centre as overseeing several hacking groups, including Turla, which officials say has conducted espionage campaigns against European government and defense organizations for more than a decade. Authorities linked Turla to a failed attack on Poland’s energy infrastructure and cited other recent Russian cyber operations targeting Polish institutions. The sanctions coincide with broader European efforts to strengthen cybersecurity and counter state-backed cyber threats.
Apple sues OpenAI over alleged stolen trade secrets.
Apple has sued OpenAI in federal court, accusing the company of building its emerging AI hardware business using stolen trade secrets and confidential information from former Apple employees. The lawsuit centers on OpenAI’s $6.4 billion acquisition of io Products, co-founded by former Apple executive Tang Yew Tan, who Apple alleges emailed himself confidential supplier information before leaving the company and later encouraged Apple job candidates to bring proprietary hardware details to interviews. Apple also accuses former employee Chang Liu of accessing its internal network after departing and downloading confidential files on unreleased products by exploiting an authentication flaw. Apple claims it warned OpenAI about its concerns in February but received no response, and argues the alleged misconduct extends beyond the known cases. OpenAI denied the allegations, saying it has “no interest in other companies’ trade secrets.” The lawsuit could complicate OpenAI’s planned initial public offering by raising legal and investor concerns.
Progress Software warned of a potential ShareFile security incident.
Progress Software has warned of a potential security incident affecting ShareFile Storage Zone Controllers, its private enterprise storage solution, after detecting what it described as a credible external threat. As a precaution, the company temporarily disabled customer access and instructed organizations to shut down servers hosting affected Storage Zone Controllers while investigations continue. Progress said it has found no evidence of unauthorized access to customer accounts or data and has not identified an active threat, although it has provided few details about the nature of the incident. Customer frustration grew after several days without public updates, fueling speculation about possible vulnerability exploitation, which the company has not confirmed. By July 12, cloud access had been restored, but customers were told to keep Storage Zone Controllers offline pending the completion of Progress’ internal and external security investigations.
Zimbra patches a critical vulnerability.
Zimbra has released patches for a critical vulnerability in its Classic Web Client that could allow zero-click code execution when a user opens a specially crafted email. The stored cross-site scripting (XSS) flaw could expose mailbox data, session information, and account settings. Although the vulnerability has not yet received a CVE identifier, Zimbra is urging all customers using the Classic Web Client to upgrade to version 10.1.19 immediately. The flaw was reported by Google’s Threat Analysis Group, which often identifies vulnerabilities exploited by state-sponsored threat actors.
The EPA simulates water utility preparedness.
The U.S. Environmental Protection Agency conducted a national cybersecurity exercise to help water utilities prepare for a worst-case communications outage caused by a simulated cyberattack on a major telecommunications provider. Based on intelligence about the Chinese threat group Salt Typhoon, the scenario forced utilities to consider how they would maintain safe water operations without internet, phone service, cloud applications, or remote SCADA access. More than 200 utilities participated in discussions covering incident response, alternative communications, staffing, and transitioning to manual or local operations. Participants highlighted challenges such as maintaining water quality, sustaining 24-hour staffing, and balancing operational priorities during extended outages. The exercise underscored that preparedness varies widely among utilities depending on their size, infrastructure, and reliance on remote operations, emphasizing the importance of planning for prolonged communications disruptions.
Fraudsters create convincing clones of trusted news websites.
Fraudsters are creating convincing clones of trusted news websites, including The Guardian, to lure victims into fake investment scams. The counterfeit articles feature fabricated stories about well-known figures such as Jim Ratcliffe, David Attenborough, and Martin Lewis, often using AI-generated images and the bylines of real journalists to appear authentic. The stories include links to fake versions of legitimate trading platforms, where victims are prompted to provide personal information before being persuaded by scammers to invest money in nonexistent opportunities. Security experts warn that the goal is simply to steal victims’ funds. Readers are advised to verify website URLs, be wary of sensational investment claims, and remember that reputable news organizations do not endorse investment platforms. Companies such as Kraken say they actively work to remove impersonation sites and report those responsible to law enforcement.
Researchers identified a new macOS information-stealing malware family dubbed CrashStealer.
Jamf Threat Labs has identified a new macOS information-stealing malware family dubbed CrashStealer, which has evolved from an apparent development-stage sample into an actively deployed threat. First spotted in May, the malware masquerades as Apple’s crash reporting framework and is written in native C++, distinguishing it from many other macOS stealers. CrashStealer validates a victim’s login password before collecting data from browsers, cryptocurrency wallets, password managers, and the macOS keychain. It encrypts stolen information using AES-GCM before exfiltrating it and establishes persistence by copying and re-signing itself. Researchers also discovered a signed and Apple-notarized dropper, distributed as a disk image named “Werkbit Setup,” that bypasses Gatekeeper, downloads the payload, and launches it. Jamf considers CrashStealer a distinct malware family due to its unique architecture and capabilities.
Monday business briefing.
Cybersecurity companies continued to attract significant investment and consolidation activity this week. Encryption management firm Keyfactor raised more than $1 billion in a growth round led by Summit Partners to support product development, global expansion, acquisitions, and hiring. Dutch managed security services provider Eye Security secured €60 million to expand across Europe and invest in AI capabilities, while AI surveillance firm Hakimo, identity security company Wultra, and maritime cybersecurity startup CYTUR also announced new funding rounds to fuel growth and international expansion. Merger and acquisition activity remained strong, with seven deals across five countries. Notable transactions included Infoblox’s planned acquisition of network observability company Kentik, Akamai’s completion of its $205 million acquisition of enterprise browser security firm LayerX, Qualcomm’s purchase of SAM Seamless Network, and Aikido’s acquisition of Israeli container security startup Root. The deals reflect continued investment in AI, identity security, Zero Trust, and infrastructure protection.
Californians smash that delete button.
More than 300,000 Californians have pressed what state officials call the “great delete button in the sky,” invoking the nation’s first Delete Act to force hundreds of registered data brokers to erase their personal information. Beginning Aug. 1, brokers must start processing requests to delete sensitive data ranging from location histories and financial details to health information and demographic profiles, while also stopping future sales of that data. The law aims to curb an industry that quietly assembles digital dossiers from loyalty cards, web browsing, social media, and countless everyday interactions, often selling them to advertisers, governments, AI developers, and, as officials dryly note, seemingly anyone with a credit card. Regulators are pursuing unregistered brokers and warning that companies ignoring deletion requests could face steep fines. The process takes only a few minutes, a small investment for anyone hoping their personal life stops circulating quite so enthusiastically.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music by and sound design Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.
