Daily cybersecurity briefing for CISOs and security leaders.
Today's episode covers 9 stories across 6 topic areas, including: Sweden blames Russian hackers for attempting “destructive” cyberattack on thermal plant; Two US nationals jailed over scheme that generated $5 million for the North Korean regime; UK warns businesses to address cyber risks amid Anthropic AI panic.

TechCrunch Security · Apr 15 · Relevance: 9/10
Why it matters to CISOs: Russian state-sponsored destructive attacks on European critical infrastructure signal escalating cyber operations that could target energy and industrial sectors globally, requiring CISOs to reassess OT/ICS defenses.

Help Net Security · Apr 16 · Relevance: 7/10
Why it matters to CISOs: Prison sentences for US facilitators of North Korean IT worker fraud schemes underscore the insider threat risk from fraudulent remote employees and the need for robust identity verification in hiring processes.

The Record (Recorded Future) · Apr 15 · Relevance: 7/10
Why it matters to CISOs: Government-level warnings about frontier AI models reshaping the threat landscape signal that regulators expect enterprises to proactively adapt defenses, and boards will be asking CISOs about AI-augmented threat preparedness.

VentureBeat Security · Apr 15 · Relevance: 7/10
Why it matters to CISOs: Microsoft assigning CVEs to prompt injection flaws in agentic AI platforms signals a new vulnerability class CISOs must track, as every enterprise deploying AI agents now inherits prompt injection risk requiring formal remediation workflows.

BleepingComputer · Apr 16 · Relevance: 8/10
Why it matters to CISOs: A Salesforce environment breach exposing 13.5 million accounts highlights the persistent risk of SaaS platform compromises and the need for robust third-party SaaS security controls.

CyberScoop · Apr 15 · Relevance: 8/10
Why it matters to CISOs: Forthcoming executive orders implementing the national cyber strategy could impose new compliance obligations on enterprises, particularly around software supply chain security and incident reporting.

CyberScoop · Apr 15 · Relevance: 8/10
Why it matters to CISOs: NIST's decision to only enrich CVEs for critical software, federal systems, and actively exploited flaws fundamentally changes how enterprise vulnerability management programs source enrichment data, requiring CISOs to diversify their intelligence feeds.

BankInfoSecurity · Apr 16 · Relevance: 7/10
Why it matters to CISOs: A $70M Series A for an AI-driven SIEM alternative led by a former Amazon GuardDuty leader signals significant investor confidence in agentic AI for detection and response, potentially reshaping the SIEM market CISOs depend on.

BleepingComputer · Apr 15 · Relevance: 7/10
Why it matters to CISOs: Active exploitation of CVE-2026-33032 (CVSS 9.8) in nginx-ui enables full server takeover without authentication; enterprises running nginx management interfaces need immediate patching.
Jordan: Sweden just publicly blamed Russia for attempting a destructive cyberattack on a thermal plant. Not espionage. Not data theft. Destructive. That word is doing a lot of work, and it should have every CISO with OT exposure paying close attention this morning.
Alex: This is Cleartext. Thursday, April 16th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. On today's show: Russian destructive operations targeting European critical infrastructure, what two prison sentences tell you about your hiring process, the CVE that signals a whole new vulnerability class in your AI stack, and why NIST just quietly changed how your vuln management program works — whether you noticed or not. Let's get into it.
Alex: So Jordan, Sweden. The civil defense minister standing up and saying Russian hackers are now attempting destructive cyberattacks against European organizations. That framing is deliberate.
Jordan: Extremely deliberate. Attribution at the ministerial level is a policy decision, not just an intelligence one. Sweden is signaling something. And the word "destructive" is significant because it distinguishes this from the years of Russian cyber operations that were primarily about intelligence collection or pre-positioning. This was an attempt to cause physical consequence — in this case, to a thermal plant's operational technology. That's a different category of threat.
Alex: For CISOs in energy, utilities, manufacturing — any sector with OT or ICS exposure — the question you need to be asking isn't whether your IT environment is hardened. It's whether your operational technology sits behind a meaningful security boundary from that IT environment. In most organizations, the honest answer is still no.
Jordan: And the attack surface has gotten worse over the past few years because of remote monitoring, cloud-connected OT, digital twin infrastructure. All of that connectivity that makes operations more efficient also makes it easier for someone to reach the thermal controls. The Purdue model isn't dead, but it needs to be actively enforced, not assumed.
Alex: This is a board conversation. If you're a CISO at an organization with physical infrastructure — energy, water, healthcare facilities, manufacturing — you need to be able to answer whether a nation-state could cause a physical outage from a cyber intrusion. If you can't answer that with confidence, that's your priority this quarter.
Jordan: And don't wait for your sector to be the named target. Sweden today. The Baltic states last year. Russia does not distinguish between NATO members and partners when it comes to infrastructure pressure campaigns.
Alex: Let's pivot to a story that feels different on the surface but hits a very similar nerve for a lot of organizations. North Korean IT worker fraud. Two US nationals sentenced — 108 and 92 months respectively — for running a scheme that placed DPRK workers inside over a hundred American companies, including Fortune 500 firms, using stolen identities. The operation generated five million dollars for the North Korean government.
Jordan: This has been a persistent threat for three years now, and it keeps scaling. What's notable here is the prosecution of the facilitators — the US nationals who ran the laptop farms and handled the identity laundering. That's the supply chain of this operation getting disrupted. But it doesn't stop the demand side, which is DPRK's ongoing need to generate hard currency.
Alex: From a CISO perspective, the insider threat angle here is underappreciated. These weren't hackers breaking in. They were on your payroll, with access to your systems, your code, your IP — sometimes for months. The identity verification problem in remote hiring is real, and it's not an HR problem, it's a security program problem.
Jordan: The practical controls are live video verification during hiring, device attestation requirements before network access, behavioral analytics once someone's in. But honestly, the companies that got burned were largely not thinking about their hiring pipeline as an attack surface. That mindset shift still hasn't happened broadly.
Alex: It needs to. Especially for any company hiring remote contractors in software development, cloud infrastructure, or anything touching sensitive systems. Okay, two governance stories that I want to cover together because they both reshape the compliance and vulnerability management landscape.
Jordan: Start with NIST because that one has immediate operational impact.
Alex: Agreed. NIST announced that the National Vulnerability Database will now only enrich CVEs for critical software, systems used by the federal government, and vulnerabilities under active exploitation. Everything else — pre-March 2026 vulnerabilities included — no longer gets that enrichment. This is a resource decision driven by the sheer volume of CVEs overwhelming NIST's capacity.
Jordan: And it's a problem that's been building for two years. But here's the practical consequence: if your vulnerability management program was relying on NVD enrichment as its primary source of severity context, you now have a gap. You need to diversify your intel feeds — CISA KEV, vendor advisories, commercial threat intel sources. NVD alone is no longer sufficient.
Alex: On the executive order front — National Cyber Director Sean Cairncross confirmed this week that the national cyber strategy is moving forward actively, with executive orders as the likely implementation mechanism. Watch for impacts on software supply chain security requirements and incident reporting obligations, particularly if you're in a regulated industry or touch federal contracts.
Jordan: The supply chain piece is the one I'd prioritize tracking. Post-XZ Utils, post-SolarWinds, there's genuine appetite in policy circles to impose real requirements on how software is built and verified. That will land on CISOs, not just their vendors.
Alex: McGraw Hill. ShinyHunters leaked data from 13.5 million user accounts. The breach vector was their Salesforce environment. This is a story we've seen before — different company, same vector.
Jordan: ShinyHunters is consistent. They go after SaaS environments, particularly Salesforce. The question for every CISO is: what does your Salesforce environment contain, who has access to it, and are you monitoring for abnormal data access or export activity? Most organizations treat Salesforce as a business application, not as a data store requiring security controls. That's the gap.
Alex: Third-party SaaS posture management is not optional anymore. The McGraw Hill breach affects 13.5 million people. The reputational and regulatory exposure from that is significant. Build that SaaS security layer into your program.
Jordan: Quick takes now. Microsoft assigned CVE-2026-21520 — CVSS 7.5 — to a prompt injection flaw in Copilot Studio. The patch is deployed. But the story here isn't the patch, it's the precedent. Microsoft assigning a CVE to an agentic AI platform is, as Capsule Security noted, highly unusual. It signals that prompt injection is now a formal vulnerability class, not just a research curiosity.
Alex: Which means if you're running AI agents — Copilot, Salesforce Agentforce, anything with autonomous action capability — you need a prompt injection assessment in your security review process. Your AI vendors should be answering questions about their injection mitigations the same way they answer questions about auth and encryption.
Jordan: Nginx UI. CVE-2026-33032. CVSS 9.8. Actively exploited. Full server takeover without authentication. If you're running nginx management interfaces with MCP support, patch now. Don't schedule it. Don't queue it. Now.
Alex: Artemis — $70 million Series A, founded by the former Amazon GuardDuty product lead, building an AI-driven SIEM alternative. Worth watching. The fact that Felicis is leading at that size for a SIEM challenger says investors believe the legacy SIEM market is genuinely disruption-ready. We'll see if the technology delivers.
Jordan: The SIEM market has needed disruption for a decade. Agentic telemetry correlation is a compelling pitch. I'd want to see how it handles noisy enterprise environments before pulling any incumbent contracts.
Alex: So stepping back — what's the theme of this week?
Jordan: Convergence of threat surfaces. You have Russian state actors going after physical infrastructure through OT. You have North Korean intelligence operations running through your HR pipeline. You have AI platforms introducing vulnerability classes that your existing security frameworks weren't built to handle. And the regulatory infrastructure that's supposed to help — NVD, compliance frameworks — is straining under volume and velocity.
Alex: The common thread for me is that the perimeter keeps expanding in unexpected directions. OT networks, hiring pipelines, AI agent contexts — none of these were primary attack surfaces ten years ago. The CISO role is fundamentally about being ahead of that expansion, and right now the expansion is faster than most programs can absorb.
Jordan: What to watch next: any escalation in European critical infrastructure targeting as we head into summer. The Russia-Ukraine dynamic has historically driven more aggressive cyber operations during warmer months. And watch for the first executive order under the new cyber strategy — that will set the compliance agenda for the next two years.
Alex: That's Cleartext for Thursday, April 16th. If this episode was useful, share it with a peer who needs it. We'll be back Monday. Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-04-16.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.