Cleartext – March 06, 2026
Friday, March 6, 2026·9:45
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 9 stories across 4 topic areas, including: Tech Giants, Washington Rally for Anthropic in Pentagon Feud; Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor; Tycoon 2FA Goes Boom as Europol, Vendors Bust Phishing Platform.
Stories Covered
🌍 Geopolitical
Tech Giants, Washington Rally for Anthropic in Pentagon Feud
BankInfoSecurity · Mar 06 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The Pentagon threatening to label a major AI vendor a supply-chain risk sets a precedent that could reshape how enterprises evaluate AI suppliers and government technology contracting, directly impacting vendor risk management strategies.
- Pentagon threatens to label Anthropic a supply-chain risk after a dispute over surveillance safeguards
- Major tech firms, defense leaders, and lawmakers are rallying behind Anthropic
- The move could chill AI investment and reshape government tech contracting precedents
Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor
The Hacker News · Mar 06 · Relevance: ████████░░ 8/10
Why it matters to CISOs: MuddyWater's active infiltration of U.S. banks, airports, and nonprofits with a new backdoor demands immediate threat hunting and IOC reviews, particularly for organizations in critical infrastructure sectors.
- Iranian state-sponsored group MuddyWater embedded in several U.S. companies' networks including banks and airports
- New backdoor called 'Dindoor' discovered by Broadcom's Symantec and Carbon Black
- Targets include financial institutions, airports, nonprofits, and the Israeli arm of a software company
Tycoon 2FA Goes Boom as Europol, Vendors Bust Phishing Platform
Dark Reading · Mar 05 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The takedown of Tycoon 2FA, a major phishing-as-a-service platform that bypassed MFA, is a significant law enforcement win that should temporarily reduce BEC and ransomware initial access vectors targeting enterprises.
- Europol and Microsoft collaborated to disrupt the Tycoon 2FA phishing-as-a-service platform
- The platform was popular for its ability to bypass multifactor authentication
- Tycoon 2FA was linked to business email compromise and ransomware campaigns
From Ukraine to Iran, Hacking Security Cameras Is Now Part of War’s ‘Playbook’
Wired Security · Mar 06 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: State actors weaponizing consumer-grade IoT cameras for kinetic military targeting elevates the risk profile of all internet-connected surveillance devices, requiring CISOs to reassess physical security camera exposure in their attack surface.
- Iranian state hackers made hundreds of attempts to hijack consumer-grade cameras timed to missile and drone strikes
- Israel, Russia, and Ukraine have also adopted similar camera-hacking tactics
- Research shows this is now a standard part of modern warfare playbooks
📡 Macro Trends
Google says 90 zero-days were exploited in attacks last year
BleepingComputer · Mar 05 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Google GTIG's finding that nearly half of 90 exploited zero-days in 2025 targeted enterprise software—especially firewalls, VPNs, and virtualization—validates the need for CISOs to prioritize patching network edge devices and hardening enterprise infrastructure.
- Google tracked 90 zero-day vulnerabilities actively exploited in 2025, up from 78 in 2024
- Almost half targeted enterprise software and appliances including firewalls, VPNs, and virtualization platforms
- Commercial spyware vendors contributed significantly to zero-day exploitation activity
🔓 Data Breach
FBI investigates breach of surveillance and wiretap systems
BleepingComputer · Mar 06 · Relevance: █████████░ 9/10
Why it matters to CISOs: A breach of FBI surveillance and wiretap infrastructure signals a sophisticated adversary with potential nation-state backing, raising questions about the security of lawful intercept systems that enterprises may interact with and broader government network integrity.
- FBI confirmed it is investigating a breach affecting systems used to manage surveillance and wiretap warrants
- The incident targeted networks specifically used for lawful intercept and surveillance activity
- Multiple outlets including CNN and CyberScoop confirmed the bureau's acknowledgment of the incident
Trizetto Notifying 3.4M of 2024 Hack Detected in 2025
BankInfoSecurity · Mar 06 · Relevance: ████████░░ 8/10
Why it matters to CISOs: A healthcare billing vendor breach affecting 3.4M individuals with a nearly year-long dwell time underscores the critical importance of third-party risk management and detection capabilities in healthcare supply chains.
- Trizetto Provider Solutions notifying 3.4 million individuals of a hacking incident
- Breach started in 2024 but wasn't discovered until October 2025
- Threat actors accessed healthcare clients' insurance-related data through the revenue cycle management vendor
⚖️ Governance & Policy
Plankey’s nomination as CISA director now in jeopardy
Cybersecurity Dive · Mar 05 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: CISA leadership instability amid active nation-state threats to U.S. critical infrastructure signals potential gaps in federal cyber coordination that could affect threat intelligence sharing and incident response support for enterprises.
- Sean Plankey has left his post at DHS, putting his CISA director nomination in jeopardy
- Development comes amid rising risks from Iran-linked hackers targeting U.S. infrastructure
- Concerns growing over a weakened CISA at a time of elevated threat activity
Phobos ransomware leader pleads guilty, faces up to 20 years in prison
CyberScoop · Mar 05 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The guilty plea of the Phobos ransomware leader after impacting 1,000+ organizations and extracting $39M demonstrates that international law enforcement cooperation is yielding results, though it also highlights the scale of ransomware's ongoing enterprise impact.
- 43-year-old Russian national led Phobos ransomware operation impacting 1,000+ victims globally
- The conspiracy netted more than $39 million in extortion payments since November 2020
- Arrested in South Korea and extradited to the U.S. in November 2024
Further Reading
- 🌍 Tech Giants, Washington Rally for Anthropic in Pentagon Feud — BankInfoSecurity
- 🌍 Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor — The Hacker News
- 🌍 Tycoon 2FA Goes Boom as Europol, Vendors Bust Phishing Platform — Dark Reading
- 🌍 From Ukraine to Iran, Hacking Security Cameras Is Now Part of War’s ‘Playbook’ — Wired Security
- 📡 Google says 90 zero-days were exploited in attacks last year — BleepingComputer
- 🔓 FBI investigates breach of surveillance and wiretap systems — BleepingComputer
- 🔓 Trizetto Notifying 3.4M of 2024 Hack Detected in 2025 — BankInfoSecurity
- ⚖️ Plankey’s nomination as CISA director now in jeopardy — Cybersecurity Dive
- ⚖️ Phobos ransomware leader pleads guilty, faces up to 20 years in prison — CyberScoop
Full Transcript
Alex: Welcome to Cleartext. It's Friday, March 6th, 2026. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: So Jordan, you wanted to open with the FBI story.
Jordan: Yeah, because this one deserves the cold water treatment. The FBI confirmed yesterday it's investigating a breach of its own surveillance and wiretap infrastructure. Not a peripheral system. Not an email server. The networks used to manage lawful intercept warrants. If you're a CISO listening to this and you've ever had to provision a lawful intercept interface for law enforcement, you now need to ask yourself a very uncomfortable question about the integrity of that channel.
Alex: Let's be clear about the magnitude here. Lawful intercept systems are among the most sensitive infrastructure any government operates. They sit at the intersection of telecommunications, law enforcement, and national security. A breach here doesn't just compromise investigations. It potentially exposes the identities of targets, the scope of surveillance programs, and the technical architecture of how intercepts are executed. Multiple outlets, CNN, CyberScoop, have confirmed the bureau's acknowledgment. What we don't have yet is attribution, but the sophistication required to hit these specific systems narrows the suspect list considerably.
Jordan: You're being diplomatic. This has nation-state written all over it. And the timing is notable given what else is happening on the geopolitical front, which we'll get to. But for CISOs, the immediate takeaway is this: if your organization interfaces with federal law enforcement systems for compliance or lawful intercept obligations, you need to be reviewing those connections now. Assume the trust model may be compromised and act accordingly.
Alex: That's the right framing. Now let's pivot to what I think is the most strategically important story this week, even if it doesn't involve a single line of exploit code. The Pentagon is threatening to label Anthropic, one of the leading AI safety companies, a supply-chain risk. This stems from a dispute over surveillance safeguards. Major tech firms, defense leaders, and a bipartisan group of lawmakers are pushing back hard.
Jordan: This is fascinating and deeply consequential. The supply-chain risk label exists for a reason. It's the mechanism the government uses to essentially blacklist a vendor from federal contracting. It was designed for companies with demonstrable ties to adversary nations or proven security deficiencies. Using it as leverage in a policy disagreement over surveillance safeguards is a fundamentally different application of that tool.
Alex: And that's what has the industry spooked. If the Pentagon can threaten a supply-chain designation to pressure an AI company into building surveillance capabilities it doesn't want to build, what does that mean for every other technology vendor doing business with the federal government? The chilling effect on AI investment could be substantial. But for CISOs specifically, here's what I want you thinking about: your vendor risk frameworks likely incorporate government designations as a signal. If those designations become politicized rather than purely security-driven, the signal degrades. You need to be doing your own independent assessment of AI vendor risk, not outsourcing that judgment to a designation that may be wielded for reasons that have nothing to do with actual supply-chain security.
Jordan: Exactly right. And there's a second-order effect. If Anthropic gets labeled, enterprise procurement teams are going to get skittish about any AI vendor that isn't perfectly aligned with whatever the current administration wants. That's not a security posture. That's political risk management masquerading as security.
Alex: Let's stay on the geopolitical thread because MuddyWater is back in the news and this one demands attention. Broadcom's Symantec team and Carbon Black have identified the Iranian state-sponsored group embedded inside several U.S. organizations, including banks and airports, using a new backdoor they're calling Dindoor.
Jordan: MuddyWater, also tracked as Seedworm, is MOIS-affiliated. Iranian Ministry of Intelligence. They've been active for years, but this campaign represents a meaningful evolution. Dindoor is purpose-built for persistence. They're not smashing and grabbing. They're embedding. Banks, airports, nonprofits, and notably the Israeli arm of a software company. The target set tells you this is intelligence collection with optionality for disruption.
Alex: If you're in financial services, aviation, or critical infrastructure, the action item is immediate. Get the IOCs from the Symantec and Carbon Black reports, run them against your environment today, and brief your threat hunting teams. This isn't theoretical. These are confirmed compromises in U.S. networks right now.
Jordan: And connect this to the CISA leadership story. Sean Plankey has left his post at DHS, which puts his nomination as CISA director in serious jeopardy. So at the exact moment Iranian state hackers are actively inside U.S. critical infrastructure, the agency responsible for coordinating federal civilian cyber defense has no confirmed leader. That's not a coincidence anyone should be comfortable with. For CISOs who rely on CISA's threat intelligence feeds, their joint advisories, their incident response coordination, you need to be thinking about what a weakened CISA means for your own operational tempo.
Alex: It means you lean harder on your own capabilities, your ISACs, and your commercial threat intel relationships. You cannot assume the federal coordination layer will be operating at full capacity.
Jordan: Let's talk about the Tycoon 2FA takedown because this is actually good news and we should acknowledge it when it happens. Europol and Microsoft collaborated to disrupt one of the most effective phishing-as-a-service platforms operating. Tycoon 2FA was specifically engineered to bypass multifactor authentication, and it was fueling a significant volume of business email compromise and ransomware initial access.
Alex: This is meaningful. Tycoon 2FA was a favorite among mid-tier threat actors precisely because it made MFA bypass turnkey. You didn't need to be sophisticated. You bought access, pointed it at a target, and the platform handled the adversary-in-the-middle session hijacking for you. Taking it down removes a significant enabler from the ecosystem, at least temporarily.
Jordan: Temporarily is the operative word. The operators will reconstitute, probably under a different brand. But the disruption matters because it imposes cost. Every day a platform like that is offline, some number of attacks don't happen. And the intelligence gathered during the takedown will feed future operations.
Alex: For CISOs, the lesson isn't that you can relax on MFA bypass. It's that you should be using this window to strengthen your detection of adversary-in-the-middle techniques. Phishing-resistant MFA, FIDO2, hardware tokens, should be the standard for high-value accounts. If you're still relying on push notifications or SMS as your primary MFA, Tycoon's successors will eat your lunch.
Jordan: Now, the camera hacking story from Wired is one I want to flag because it represents a category shift. Research shows Iranian state hackers made hundreds of attempts to hijack consumer-grade security cameras, timed to coincide with missile and drone strikes. Israel, Russia, and Ukraine are all doing the same thing. This is now doctrine, not experimentation.
Alex: This should change how every CISO thinks about internet-connected cameras on their physical perimeter. These devices were already known as soft targets for botnets and network pivoting. But when state actors are weaponizing them for kinetic military targeting, the risk calculus changes entirely. If your organization has facilities in contested regions or near critical infrastructure, your camera exposure is now a physical safety issue, not just a cyber hygiene issue.
Jordan: Run a scan of every internet-facing camera on your network. If it doesn't need to be internet-accessible, take it off the internet. Full stop.
Alex: Let's cover the Google Threat Intelligence Group's zero-day report quickly because the numbers validate what many of us have been arguing for two years. Ninety zero-days exploited in the wild in 2025, up from 78 in 2024. Almost half targeted enterprise software and appliances, specifically firewalls, VPNs, and virtualization platforms.
Jordan: This is the perimeter device problem in a single statistic. Your edge infrastructure, your VPN concentrators, your firewalls, these are the number one target class for zero-day exploitation. Not endpoints. Not cloud workloads. The boxes that sit between your network and the internet. Patch them first. Patch them fast. And where possible, reduce your reliance on them through zero-trust architectures that don't funnel everything through a single chokepoint.
Alex: Two more stories to close the news. The Trizetto breach is a healthcare supply chain story that should make every CISO uncomfortable. A billing vendor compromised, 3.4 million individuals affected, and a dwell time of nearly a year. The breach started in 2024 and wasn't discovered until October 2025.
Jordan: Revenue cycle management vendors handle some of the most sensitive data in healthcare. Insurance records, patient information, billing details. And Trizetto is not a small player. This is a third-party risk management failure at scale, and it's a reminder that your vendor assessment at onboarding is meaningless if you don't have continuous monitoring and detection capabilities extending into your supply chain.
Alex: And finally, the Phobos ransomware leader, a 43-year-old Russian national, pleaded guilty after impacting over a thousand organizations and extracting 39 million dollars. Arrested in South Korea, extradited to the U.S. Good outcome. International law enforcement cooperation working as designed.
Jordan: It's worth noting 39 million from a thousand victims. That's an average of 39 thousand per victim. Phobos was deliberately targeting small and medium businesses that couldn't afford sophisticated defenses and couldn't afford not to pay. The conviction matters, but the business model he exploited is still very much alive.
Alex: So Jordan, looking at the week as a whole, what's the thread you're pulling on?
Jordan: Institutional resilience. Or the lack of it. The FBI's own surveillance systems get breached. CISA's leadership is in limbo. The Pentagon is weaponizing supply-chain designations for policy disputes. Meanwhile, Iran is inside U.S. banks and airports and the zero-day count keeps climbing. The institutions we depend on for coordination and defense are under stress from within and without. CISOs need to be building organizational resilience that assumes degraded support from the federal apparatus.
Alex: I'd add that the AI governance question is going to accelerate dramatically. The Anthropic situation isn't just about one company. It's about whether the government's vendor risk tools remain credible or become instruments of policy coercion. That distinction matters enormously for how we build our own risk frameworks. Watch that space very closely.
Jordan: Agreed. And patch your edge devices this weekend. Don't make us say it again.
Alex: That's Cleartext for Friday, March 6th, 2026. We're back Monday. Stay sharp.
Jordan: Have a good weekend, everybody.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-06.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.