A Long Day Without Bars
Quick Summary
This CyberWire Daily episode covers major cybersecurity incidents from January 15, 2026, including a day-long Verizon wireless outage affecting more than 177,000 customers at its peak across the US, Poland's successful defense against a Russian cyberattack on its power grid, a 45-million-record French citizen database exposure, and Microsoft's takedown of a major cybercrime-as-a-service platform. The episode also features an interview with John Serafini, CEO of Hawkeye 360, on commercial signals intelligence capabilities.
Key Topics
- Verizon Wireless Outage: A day-long service disruption affecting major US cities with no confirmed cyber attack cause
- Critical Infrastructure Defense: Poland's successful mitigation of a coordinated Russian attack targeting renewable energy communications
- Data Breaches & Privacy: Massive exposure of French citizen records compiled from multiple breaches; FTC settlement with GM over location data
- Cybercrime Disruption: Microsoft's coordinated takedown of RedVDS, a cybercrime-as-a-service platform enabling phishing and BEC scams
- AI-Generated Abuse: California investigation into xAI's Grok for creating non-consensual deepfake sexual imagery
- Digital ID Reversal: UK government abandons mandatory digital ID requirements following public backlash
- Critical Vulnerabilities: Palo Alto Networks patches high-severity DoS flaw affecting next-generation firewalls
- Press Freedom Concerns: FBI search of Washington Post reporter's home raises constitutional and security implications
- Commercial Signals Intelligence: Hawkeye 360's acquisition of Innovative Signal Analysis and Series E funding
Main Points
- Verizon Outage - Service Disruption Without Clear Cause:
The outage lasted most of Wednesday, January 15th, affecting over 177,000 customers at peak with complaints concentrated in New York, Houston, Atlanta, Dallas, and Miami. Verizon apologized and promised account credits but did not disclose the root cause, though officials ruled out cyberattacks. Experts suggested potential causes include third-party vendor issues or software deployment problems. The FCC announced it would investigate, with FCC member Anna Gomez calling for formal inquiry. Secondary impacts affected AT&T and T-Mobile users due to call routing effects.
- Poland's Power Grid Defense - New Coordinated Attack Tactics:
Polish officials reported stopping the most serious cyberattack on the nation's energy infrastructure in years, narrowly preventing a nationwide blackout. The late December attack targeted communications between renewable energy sites (wind and solar installations) and electricity distributors, showing signs of coordinated sabotage. Officials blamed Russia and warned that this represents a new tactic that could recur, reflecting escalating threats to Polish infrastructure since Russia's invasion of Ukraine.
- French Citizen Database Breach - Aggregated Data Increases Risk:
CyberNews researchers discovered a massive exposed database containing tens of millions of records on French citizens, likely compiled from at least five separate data breaches. The unsecured cloud server archive included voter and demographic data, healthcare registry records, contact details, financial information, and vehicle registration data. Security experts believe a cybercriminal or data broker merged these datasets to increase resale value. The database was taken offline after notification but posed significant privacy risks and fraud opportunities.
- RedVDS Takedown - Cybercrime-as-a-Service Disruption:
Microsoft disrupted RedVDS, a cybercrime-as-a-service platform linked to fraud campaigns causing over $40 million in losses in the US alone. The platform sold low-cost access to disposable virtual servers used for phishing and business email compromise (BEC) scams, impacting nearly 190,000 organizations worldwide, primarily in the US, Canada, and UK. Attackers leveraged generative AI, deepfake video, and voice cloning to create realistic scams. Microsoft coordinated with international law enforcement including Europol and, notably, UK authorities in their first joint action of this type.
- UK Digital ID Reversal - Policy U-Turn on Mandatory Requirements:
The UK government abandoned plans requiring workers to sign up for a new digital ID system to prove employment eligibility, following political backlash and declining public support. Instead, Labour ministers plan to fully digitize existing right-to-work checks using documents like biometric passports by 2029. The reversal represents the latest in a series of policy U-turns, drawing criticism from opposition parties and frustration within Labour's own ranks. Officials maintain that mandatory digital checks will still apply but frame digital ID more broadly as a tool for accessing public services rather than employment verification.
- Grok Deepfake Investigation - AI-Generated Sexual Abuse Content:
California Attorney General Rob Bonta announced an investigation into xAI over allegations that Grok has been used at scale to create non-consensual sexual deepfake images of women and children without consent, often using publicly available photos. Reports cite Grok's "spicy mode" as a contributing factor to the proliferation of such content. The material has been distributed online, including on X (formerly Twitter), and used for harassment. Bonta emphasized California's zero-tolerance stance and broader efforts to hold AI companies accountable for protecting children and preventing AI-enabled abuse, noting potential violations of state laws and possible child sexual abuse material.
- FTC-GM Settlement - Location Data Restrictions:
The FTC finalized a settlement with General Motors and its OnStar unit over allegations that they collected and sold driver location and behavior data without proper consent. Millions of vehicles transmitted precise geolocation and driving data every few seconds via OnStar's Smart Driver feature, which was marketed as a self-assessment tool. The data was sold to third parties including insurers. The settlement bans certain data sharing for five years and requires explicit consent, greater transparency, and consumer controls for 20 years.
- Palo Alto Networks Vulnerability - DoS Flaw in Firewalls:
Palo Alto Networks patched a high-severity vulnerability that lets an unauthenticated attacker trigger a denial of service and force affected firewalls into maintenance mode. The flaw affects next-generation firewalls running PAN-OS 10.1 or later and Prisma Access deployments with GlobalProtect enabled. Nearly 6,000 Palo Alto firewalls are exposed to the internet, but there is no confirmation of active exploitation. The company has released fixes for all affected versions and urges administrators to update promptly. This disclosure follows repeated recent targeting of Palo Alto firewalls by both zero-day exploits and DoS attacks.
- Washington Post Reporter Search - Press Freedom and Security Implications:
Federal agents searched the home of Washington Post reporter Hannah Natanson, seizing personal and work devices in connection with a leak investigation involving a government contractor accused of improperly retaining classified materials. The FBI stated Natanson is not a target but was involved due to alleged messaging with the contractor. Such raids on journalists are exceptionally rare and have alarmed press freedom advocates and security professionals. Critics warn the action sends a chilling message to reporters and sources. The incident underscores practical security lessons: journalists and professionals should encrypt both personal and work devices and assume sensitive data may face government scrutiny. With policy changes weakening longstanding reporter protections, digital security has become a frontline defense for press independence.
- Blue Spark Global Exposure - Shipping Infrastructure Vulnerability:
Researchers discovered that Blue Spark Global, a New York-based shipping tech firm handling a significant share of global cargo movement, had left its platform exposed through an unauthenticated API that returned plain-text passwords, granted admin access, and held decades of shipment data. Security researcher Eaton Zveare found the flaws but his disclosure messages went unanswered for weeks. The company only reacted when TechCrunch demonstrated the risk by emailing it part of the CEO's password. Blue Spark says the flaws have been fixed and that new security policies are forthcoming, and that it has found no evidence of misuse. The incident illustrates how cybercrime sometimes thrives on silence rather than sophistication, particularly where organized crime is already targeting cargo theft.
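The two exposure patterns described above, an API with no authentication and records that carry plain-text passwords, are shown here in a deliberately minimal form next to a hardened version. This is an added illustration, not Blue Spark Global's code or any reconstruction of its API; the records, routes, token and the security contact address are all constructed for the example. The hardened handler also serves an RFC 9116 security.txt, which addresses the disclosure-contact problem the same incident raised: a researcher should never have to guess where to send a report.

```python
"""
Added example, not code from the page or from Blue Spark Global: a minimal
in-memory API handler in the shape of the exposure described above, next
to a hardened version. Every record, route, token and address here is
constructed for the example.
"""
import hashlib
import hmac
import os

# Constructed sample data of the kind an "expose everything" API might hold.
USERS = [
    {"id": 1, "email": "ops@example.invalid", "password": "Summer2024!", "role": "admin"},
    {"id": 2, "email": "dispatch@example.invalid", "password": "cargo123", "role": "user"},
]
SHIPMENTS = [{"id": 9001, "route": "Newark -> Rotterdam", "consignee": "Example Freight"}]


def vulnerable_api(method, path, headers):
    """Pattern to avoid: no authentication at all, and stored records are
    returned verbatim, passwords included. Anyone who can reach the host
    can read every user and every shipment."""
    if method == "GET" and path == "/api/users":
        return 200, USERS
    if method == "GET" and path == "/api/shipments":
        return 200, SHIPMENTS
    return 404, {"error": "not found"}


# --- hardened version -------------------------------------------------------

PBKDF2_ROUNDS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Only this string is stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and round count; compare in constant time."""
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


# The hardened store keeps a hash only; the plaintext is never persisted.
HARDENED_USERS = [
    {"id": u["id"], "email": u["email"], "role": u["role"], "password_hash": hash_password(u["password"])}
    for u in USERS
]

# Constructed bearer tokens -> principal. In practice: issued per client, scoped, rotated.
API_TOKENS = {
    "admin-token": {"user_id": 1, "role": "admin"},
    "user-token": {"user_id": 2, "role": "user"},
}

# RFC 9116 disclosure contact, served unauthenticated at /.well-known/security.txt.
SECURITY_TXT = (
    "Contact: mailto:security@example.invalid\n"
    "Expires: 2027-01-01T00:00:00.000Z\n"
    "Preferred-Languages: en\n"
)


def _authenticate(headers):
    """Return the principal for a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for token, principal in API_TOKENS.items():
        if hmac.compare_digest(presented, token):
            return principal
    return None


def _public_view(user):
    """Allow-list the fields a client may see; secrets are never serialized."""
    return {"id": user["id"], "email": user["email"], "role": user["role"]}


def hardened_api(method, path, headers):
    """Authenticate first, authorize per route, and return redacted views only."""
    if method == "GET" and path == "/.well-known/security.txt":
        return 200, SECURITY_TXT
    principal = _authenticate(headers)
    if principal is None:
        return 401, {"error": "authentication required"}
    if method == "GET" and path == "/api/users":
        if principal["role"] != "admin":
            return 403, {"error": "admin role required"}
        return 200, [_public_view(u) for u in HARDENED_USERS]
    if method == "GET" and path == "/api/shipments":
        return 200, SHIPMENTS
    return 404, {"error": "not found"}


if __name__ == "__main__":
    print("vulnerable, no auth:", vulnerable_api("GET", "/api/users", {}))
    print("hardened, no auth:  ", hardened_api("GET", "/api/users", {}))
    print("hardened, admin:    ", hardened_api("GET", "/api/users", {"Authorization": "Bearer admin-token"}))
```

The three changes that matter are independent of framework: every data route is behind an authentication check before any lookup happens, authorization is decided per route from the authenticated principal rather than from anything the client sends in the body, and responses are built from an explicit allow-list of fields so that a new column added to the store can never leak by default. Token comparison uses `hmac.compare_digest` so a wrong token fails in the same time as a near-miss.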
Speaker Insights
John Serafini, Founder and CEO of Hawkeye 360:
Serafini provided detailed insights on commercial signals intelligence during an interview on the T-Minus podcast:
- Company Overview: "We have a constellation of 30-plus satellites that very uniquely fly in clusters of three... we can detect it, we can process it, we can geolocate it, we can analyze it, and we can convert that into actionable intelligence for our customers."
- ISA Acquisition Rationale: "From a strategic fit, this is a home run... we have our own commercial constellation of satellites that produces RF data... and ISA is truly the best in the world at doing the processing off of certain other types of data."
- Processing as Differentiator: "RF data is not understandable by a typical human unless you analyze it through certain processing tools... It's not until you actually do the processing and the analysis that you can start to extract intelligence."
- Force Multipliers: Serafini emphasized three key levers: increasing revisit rate (more satellites overhead for faster coverage), accelerating data delivery to ground (through ground station densification, onboard processing, and mesh relay networks), and leveraging AI/machine learning for intelligence conversion.
- Team Strength: "We have today now 400 individuals working within Hawkeye and ISA together combined. These are some of the world's experts in signals intelligence."
- Investment Perspective: Serafini expressed satisfaction with Series E investors NightDragon (returning investors from Series C) and new investor Center15 (led by Ian Weiner), combined with debt financing from SVB and Hercules.
Takeaways
- Encryption is Essential for Journalists and Professionals: The Washington Post reporter search illustrates that digital security is no longer optional—encrypt both personal and work devices and assume sensitive data may face government scrutiny, particularly as policy protections weaken.
- Cybercrime Thrives on Silence: The Blue Spark Global incident demonstrates that many security breaches persist not due to attacker sophistication but because companies ignore vulnerability disclosures. Establish clear security contact procedures and respond promptly to researcher reports.
- Data Aggregation Multiplies Risk: The French citizen database exposure shows that datasets compiled from multiple sources sharply increase fraud and privacy risk, since each merged record lets an attacker correlate identity, contact, financial and health details. Organizations should minimize data retention and implement strict access controls.
- Critical Infrastructure Requires Layered Defense: Poland's successful defense against the Russian power grid attack involved detecting coordinated sabotage attempts on renewable energy communications. Critical infrastructure operators should monitor for novel attack vectors targeting inter-system communications.
- AI-Generated Abuse Requires Rapid Regulatory Response: The Grok deepfake investigation demonstrates that AI companies must implement safeguards against non-consensual sexual content generation. Regulatory bodies are moving quickly to hold companies accountable.
- Signal Intelligence Processing Capabilities Matter as Much as Collection: Hawkeye 360's ISA acquisition illustrates that converting raw RF data into actionable intelligence requires world-class processing expertise, not just satellite capacity. Organizations should invest in both sensors and analytical capabilities.
- Revisit Rate and Data Delivery Speed Drive Tactical Value: For space-based intelligence systems, increasing satellite coverage frequency and reducing data latency to analysts are critical force multipliers that enhance operational relevance.
- Cybercrime-as-a-Service Platforms Require Coordinated International Takedowns: Microsoft's RedVDS disruption involved unprecedented UK law enforcement participation, showing that transnational cybercrime requires coordinated international responses and shared intelligence.
- Mandatory Digital ID Systems Face Public Resistance: The UK's policy reversal demonstrates that governments must balance security benefits with public privacy concerns and political feasibility when implementing identity systems.
- Investigate Outage Root Causes Thoroughly: The Verizon outage's undisclosed cause highlights the need for transparent investigation and disclosure of critical infrastructure disruptions to build public confidence and identify systemic vulnerabilities.