
Cleartext Week in Review – March 07, 2026

Saturday, March 7, 2026 · 10:50


show notes

Cleartext – March 07, 2026

Daily cybersecurity briefing for CISOs and security leaders.


Episode Summary

Today's episode covers 18 stories across 6 topic areas, including: Hacked traffic cams and hijacked TVs: How cyber operations supported the war against Iran; Iran-linked APT targets US critical sectors with new backdoors; From Ukraine to Iran, Hacking Security Cameras Is Now Part of War’s ‘Playbook’.

Stories Covered

🌍 Geopolitical

Hacked traffic cams and hijacked TVs: How cyber operations supported the war against Iran

TechCrunch Security · Mar 03 · Relevance: ██████████ 10/10

Why it matters to CISOs: The integration of cyber operations into kinetic warfare against Iran shows that IoT devices, cameras, and broadcast systems are now treated as military targets. Enterprise security teams must reassess their own exposure to the same tactics from retaliatory threat actors.

  • US-Israeli cyber operations disrupted Iranian communications during bombing campaign
  • Traffic cameras hacked for surveillance, TVs hijacked for psychological operations
  • Iran implemented internet blackout within four hours of first strikes

📖 Read full article

Iran-linked APT targets US critical sectors with new backdoors

Help Net Security · Mar 06 · Relevance: █████████░ 9/10

Why it matters to CISOs: Seedworm (MuddyWater) has been active inside US organizations since early February with new backdoors, so CISOs in critical infrastructure should hunt for its indicators now and assume heightened Iranian targeting for the duration of the conflict.

  • Seedworm (MuddyWater) linked to Iran's MOIS has been inside US networks since early February
  • New 'Dindoor' backdoor deployed against a bank, an airport, and a non-profit
  • Activity may precede broader cyber operations tied to geopolitical escalation

📖 Read full article

From Ukraine to Iran, Hacking Security Cameras Is Now Part of War’s ‘Playbook’

Wired Security · Mar 06 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Consumer-grade IP cameras are being weaponized by state actors for intelligence, surveillance and reconnaissance (ISR) and for strike targeting. CISOs should audit IoT camera exposure and segment these devices from critical networks immediately.

  • Iranian state hackers attempted to hijack consumer-grade cameras timed to missile and drone strikes
  • Israel, Russia, and Ukraine have also adopted camera-hacking techniques
  • Research shows hundreds of compromise attempts linked to Iranian operations

📖 Read full article

Pro-Russia actors team with Iran-linked hackers in attacks

Cybersecurity Dive · Mar 03 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A loose alliance of pro-Russia and Iran-linked groups targeting US and Middle East critical infrastructure is an escalation in coordinated nation-state-aligned threats that CISOs must factor into threat modeling and incident response planning.

  • Pro-Russia and Iran-linked groups formed loose alliance targeting critical infrastructure
  • Targets include Middle East and US organizations
  • Alliance formed in response to US-Israeli military action

📖 Read full article

Microsoft warns North Korean threat groups are scaling up fake worker schemes with generative AI

CyberScoop · Mar 06 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: AI-enhanced DPRK fake worker schemes are scaling rapidly—CISOs must strengthen hiring verification processes and monitor for insider threats from AI-augmented social engineering.

  • North Korean groups using AI as 'force multiplier' for fake worker operations
  • AI enables face swapping, resume generation, and daily work email automation
  • Operatives placed at companies globally to generate revenue and enable espionage

📖 Read full article

China-Linked Hackers Use Malware Trio for Telecom Espionage

BankInfoSecurity · Mar 08 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: China-linked APT targeting South American telcos with new custom malware continues the pattern of persistent telecom espionage—CISOs at telcos and their enterprise customers must assume communications infrastructure remains a top target.

  • UAT-9244 linked to Famous Sparrow and Tropic Trooper targeting South American telcos since 2024
  • Newly discovered malware tools designed for persistent access to communications infrastructure
  • Compromises span Windows, Linux, and network-edge devices

📖 Read full article

📡 Macro Trends

Microsoft: Hackers abusing AI at every stage of cyberattacks

BleepingComputer · Mar 07 · Relevance: ████████░░ 8/10

Why it matters to CISOs: Microsoft's finding that AI is now integrated across all attack stages—from recon through exfiltration—means defenders must assume adversaries have AI parity and invest in AI-augmented detection and response.

  • Threat actors using AI across all stages of cyberattacks
  • AI lowers technical barriers and accelerates attack timelines
  • North Korean groups using AI for fake worker schemes and face-swapping

📖 Read full article

Anthropic’s Claude found 22 vulnerabilities in Firefox over two weeks

TechCrunch Security · Mar 06 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Claude finding 14 high-severity Firefox vulnerabilities in two weeks shows AI-assisted vulnerability discovery working at scale. CISOs should evaluate AI-powered code analysis for their own AppSec programs while anticipating that adversaries will use the same techniques.

  • Claude found 22 vulnerabilities in Firefox in a security partnership with Mozilla
  • 14 were classified as high-severity
  • Demonstrates AI capability for both offensive and defensive vulnerability research

📖 Read full article

Phobos ransomware leader pleads guilty, faces up to 20 years in prison

CyberScoop · Mar 05 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A successful prosecution of a major ransomware operator impacting 1,000+ victims sends a deterrence signal, but CISOs should note the $39M in extortion payments demonstrates the ongoing profitability driving ransomware operations.

  • 43-year-old Russian national pleaded guilty to leading Phobos ransomware
  • Operation impacted more than 1,000 victims globally
  • Conspiracy netted more than $39 million in extortion payments

📖 Read full article

🔓 Data Breach

FBI investigates breach of surveillance and wiretap systems

BleepingComputer · Mar 06 · Relevance: █████████░ 9/10

Why it matters to CISOs: A breach of FBI wiretap and surveillance systems is an extraordinary national security incident with implications for lawful intercept trust frameworks and vendor security across telecommunications.

  • FBI confirmed breach affecting systems used to manage surveillance and wiretap warrants
  • Investigation is ongoing with no attribution disclosed
  • Follows prior Salt Typhoon telecom breaches targeting similar systems

📖 Read full article

Global coalition dismantles Tycoon 2FA phishing kit

CyberScoop · Mar 04 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The takedown of Tycoon 2FA, an adversary-in-the-middle phishing kit that captured MFA-protected sessions to enable BEC and ransomware, validates the threat to MFA-reliant defenses and the value of phishing-resistant authentication methods like FIDO2.

  • Microsoft led effort seizing 330 domains powering Tycoon 2FA infrastructure
  • Europol and industry partners collaborated on the global takedown
  • Alleged creator named in a civil complaint

📖 Read full article
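
Why FIDO2 defeats a relay kit of this kind comes down to origin binding in the WebAuthn assertion: the browser, not the page, writes the origin into clientDataJSON, and the authenticator's signature covers a hash of that blob. The following is an added example, not code from the article or from any vendor named here. It assumes a relying party example.com with login origin https://login.example.com, a constructed look-alike phishing domain login.example.com.evil.test, and an HMAC key standing in for the credential's ECDSA key pair so that it runs on the Python standard library alone; the origin, rpIdHash, challenge and signature-coverage checks are the ones the WebAuthn assertion ceremony specifies.

```python
import base64
import hashlib
import hmac
import json
import os

# Relying-party configuration (constructed for this example).
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}

# Assumption: a real credential is an ECDSA P-256 key pair. A shared HMAC key stands in
# here so the example runs on the standard library alone; the origin/rpId/challenge
# checks below are the same either way.
CREDENTIAL_KEY = b"\x42" * 32


def new_challenge() -> str:
    """RP issues a fresh random challenge for each login ceremony."""
    return base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode()


def browser_get_assertion(origin: str, rp_id: str, challenge: str) -> dict:
    """Simulate navigator.credentials.get(): the *browser* writes the page origin into
    clientDataJSON (the phishing page cannot choose it) and the authenticator signs
    authenticatorData || SHA-256(clientDataJSON). A real browser would already refuse
    rp_id example.com on an evil.test page; the RP-side checks catch it regardless."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash(32) | flags(1, user-presence bit set) | signCount(4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: str) -> tuple[bool, str]:
    """RP-side verification steps of the WebAuthn assertion ceremony that defeat a relay."""
    try:
        client = json.loads(assertion["clientDataJSON"])
    except (ValueError, KeyError):
        return False, "malformed clientDataJSON"
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch or replay"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {client.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "signature does not cover this clientDataJSON"
    return True, "ok"


def legitimate_login() -> tuple[bool, str]:
    """User signs in on the genuine origin."""
    challenge = new_challenge()
    assertion = browser_get_assertion("https://login.example.com", RP_ID, challenge)
    return rp_verify(assertion, challenge)


def aitm_relay() -> tuple[bool, str]:
    """Kit proxies the real RP's challenge to the victim on a look-alike domain and relays
    the assertion back unchanged. The browser stamped the phishing origin into clientDataJSON."""
    challenge = new_challenge()  # fetched by the proxy from the real RP
    phishing_origin = "https://login.example.com.evil.test"  # constructed look-alike domain
    assertion = browser_get_assertion(phishing_origin, RP_ID, challenge)
    return rp_verify(assertion, challenge)


def aitm_relay_with_origin_rewrite() -> tuple[bool, str]:
    """Kit tries to repair the previous failure by rewriting origin in transit; the signature
    covers SHA-256(clientDataJSON), so the edited blob no longer verifies."""
    challenge = new_challenge()
    assertion = browser_get_assertion("https://login.example.com.evil.test", RP_ID, challenge)
    client = json.loads(assertion["clientDataJSON"])
    client["origin"] = "https://login.example.com"
    assertion["clientDataJSON"] = json.dumps(client, separators=(",", ":")).encode()
    return rp_verify(assertion, challenge)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relay:     ", aitm_relay())
    print("rewrite:   ", aitm_relay_with_origin_rewrite())
```

Contrast this with a TOTP or push code, which carries no origin at all: the proxy forwards it to the real site and captures the resulting session cookie. The same origin check is the reason FIDO2 rollouts need an exact allow-list of login origins rather than a wildcard, and why a credential enrolled for one rpId cannot be presented to a different one.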

Cognizant TriZetto breach exposes health data of 3.4 million patients

BleepingComputer · Mar 06 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A third-party healthcare IT vendor breach going undetected for nearly a year underscores the need for continuous vendor monitoring and detection capabilities in the healthcare supply chain.

  • TriZetto Provider Solutions breach exposed data of 3.4 million people
  • Breach occurred in 2024 but wasn't detected for almost a year
  • Exposed personal and health information of patients

📖 Read full article

⚖️ Governance & Policy

Trump Pledges Action on Cybercrime and Cyberspace Threats

BankInfoSecurity · Mar 08 · Relevance: █████████░ 9/10

Why it matters to CISOs: The new cybersecurity strategy and executive order signal shifts in federal cyber priorities including AI-driven defense and cybercrime prosecution—CISOs should assess alignment with their programs and anticipate new compliance expectations.

  • Trump signed executive order directing federal prosecutors and cyber officials to ramp up efforts against cybercriminal gangs
  • Five-page cybersecurity strategy published alongside the EO
  • Strategy vows to increase government use of AI for rapid cyber defense

📖 Read full article

DHS CISO, deputy CISO exit amid reported IT leadership overhaul

CyberScoop · Mar 06 · Relevance: ████████░░ 8/10

Why it matters to CISOs: The departure of DHS's top security leadership during active Iranian cyber threats, and with CISA's own leadership unsettled, raises questions about federal cyber resilience and the stability of the public-private partnerships CISOs rely on.

  • DHS CISO and deputy CISO both departed
  • Changes part of broader IT and cybersecurity consolidation at DHS headquarters
  • Comes as Sean Plankey's nomination to lead CISA is reportedly in jeopardy

📖 Read full article

🚀 Startup Ecosystem

Fig Security emerges from stealth with $38M to help security teams deal with change

TechCrunch Security · Mar 03 · Relevance: ██████░░░░ 6/10

Why it matters to CISOs: Fig Security addresses a real pain point—detecting when changes in the security stack silently break detection or response capabilities—a problem most CISOs have experienced but few have tooled against.

  • Emerged from stealth with $38M in funding
  • Traces data flows in the security stack and alerts when changes affect detection or response
  • Addresses the gap between security tool configuration and actual operational effectiveness

📖 Read full article

🚨 Critical Vulnerability

Google says 90 zero-days were exploited in attacks last year

BleepingComputer · Mar 05 · Relevance: ████████░░ 8/10

Why it matters to CISOs: With nearly half of exploited zero-days targeting enterprise software and appliances, and security and networking devices among the most targeted, CISOs must prioritize patching edge devices and network infrastructure. The tools meant to protect the network are now primary attack surfaces.

  • Google GTIG tracked 90 zero-day vulnerabilities exploited in 2025
  • Almost half targeted enterprise software and appliances
  • Security and networking devices like firewalls and VPNs were among most targeted

📖 Read full article

A Possible US Government iPhone-Hacking Toolkit Is Now in the Hands of Foreign Spies and Criminals

Wired Security · Mar 03 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Government-grade iPhone exploit kits proliferating to criminals creates a new class of mobile threat—CISOs should enforce mandatory iOS updates and evaluate mobile threat defense solutions for executive and sensitive users.

  • Coruna exploit kit likely infected tens of thousands of iPhones
  • Clues suggest toolkit was originally built for the US government
  • Now being used by cybercriminals and foreign spies for financial theft and espionage

📖 Read full article

Cisco reveals 2 max-severity defects in firewall management software

CyberScoop · Mar 05 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Max-severity Cisco firewall management vulnerabilities that could give remote attackers root access reinforce the Google GTIG finding that security appliances are prime targets. CISOs should prioritize patching immediately even without reported exploitation, and confirm that the management interface is not reachable from the internet or from untrusted networks in the first place.

  • Two maximum-severity vulnerabilities in Cisco Secure Firewall Management Center
  • Could allow remote attackers to achieve root access and execute code
  • No active exploitation reported yet

📖 Read full article


Full Transcript


Jordan: This was the week cyber war stopped being a metaphor. US and Israeli cyber operations integrated directly into kinetic strikes against Iran, Iran hit back with backdoors already sitting inside American banks and airports, and the FBI quietly confirmed someone breached their own wiretap systems. If you're running security at any organization that matters, the threat landscape just fundamentally shifted.

Alex: Welcome to the Cleartext Week in Review. I'm Alex Chen, alongside Jordan Reeves. It's Saturday, March 7th, 2026. If you couldn't keep up this week, here's what mattered and what it means. We've got four big themes to unpack. First, the one that dominated everything: the Iran conflict and what it means for enterprise security right now. Second, the uncomfortable reality that AI has become a force multiplier on both sides of the ball. Third, a string of breaches and vulnerabilities that reinforce a pattern we've been warning about. And fourth, governance moves in Washington that every CISO needs to be tracking. Jordan, let's start where we have to start.

Jordan: Yeah, look. Monday, TechCrunch published a detailed account of how US and Israeli cyber operations directly supported the bombing campaign against Iran. Traffic cameras hacked for surveillance and targeting. Television sets hijacked for psychological operations. Iran's internet went dark within four hours of the first strikes. This is the full integration of cyber into kinetic warfare, and it's not theoretical anymore. By Thursday, Wired had research showing hundreds of attempts by Iranian state hackers to hijack consumer-grade IP cameras timed to their own missile and drone strikes. Both sides are doing this. Israel, Russia, Ukraine — camera hacking is now a standard page in the wartime playbook.

Alex: And here's why this matters if you're a CISO who doesn't work at the Pentagon. The techniques being used against Iranian infrastructure are the same techniques that work against your infrastructure. IoT cameras, broadcast systems, network-connected displays — these are in every corporate campus, every hospital, every manufacturing floor. If state actors are treating these as legitimate military targets, retaliatory actors will absolutely treat your versions of these devices as legitimate targets too.

Jordan: Which brings us to the story that should have every critical infrastructure CISO on high alert. Help Net Security reported Thursday that Seedworm, also known as MuddyWater, linked to Iran's Ministry of Intelligence, has been inside US networks since early February. A bank, an airport, a non-profit. They deployed a new backdoor called Dindoor. Symantec and Carbon Black researchers confirmed the attribution. These intrusions predate the military strikes. They were pre-positioned.

Alex: Pre-positioned. That's the word that should keep people up at night. This wasn't reactive. Iran had operators inside American organizations before the bombs started falling. And now we've got reporting from Cybersecurity Dive that pro-Russia hacking groups have formed a loose alliance with Iran-linked actors specifically targeting US and Middle Eastern critical infrastructure. The threat model just changed. You're not dealing with one nation-state. You're dealing with a coalition.

Jordan: If you're in energy, transportation, financial services, healthcare — frankly, if you're in any critical sector — you need to be hunting right now. Not waiting for alerts. Actively hunting for indicators associated with MuddyWater, Seedworm, and their known tooling. CISA published indicators. Symantec published indicators. Use them. And segment your IoT. Cameras, building management systems, digital signage — get them off your production networks if you haven't already.

Alex: Let's pivot to our second theme because it's deeply connected. AI as a force multiplier across the threat landscape. Microsoft published a report Friday documenting that threat actors are now using AI across every stage of cyberattacks. Reconnaissance, social engineering, code generation, lateral movement, exfiltration. Every stage. This isn't a future concern. It's current operations.

Jordan: The most concrete example was the North Korea story. Microsoft documented how DPRK threat groups are using generative AI to scale their fake worker schemes. We're talking AI-generated resumes, face-swapping for video interviews, and automated email responses to maintain the cover of operatives who've been placed inside companies globally. These aren't sophisticated hacks. They're sophisticated social engineering at scale, and AI is what makes the scale possible.

Alex: CISOs, this means your hiring pipeline is an attack surface. Your HR team is on the front line. Background verification, identity proofing during onboarding, behavioral analytics after hire — all of these need hardening. And if you think your company isn't a target because you're not in defense, remember, North Korea does this for revenue generation too. They'll take a job at your fintech startup just as happily as they'll infiltrate a defense contractor.

Jordan: Now, the flip side. Anthropic published results from a security partnership with Mozilla where Claude found 22 vulnerabilities in Firefox in two weeks. Fourteen were high-severity. That's remarkable. And it demonstrates that AI-powered vulnerability discovery is real and it's here. The defensive implications are enormous. But so are the offensive ones. If a commercial AI can find 14 high-severity bugs in a major browser in two weeks, what are well-resourced state actors finding in your custom applications?

Alex: Exactly. And this connects to a strategic question every CISO should be asking their board: are we using AI defensively at the same pace our adversaries are using it offensively? Because right now, the answer for most organizations is no. If you're not evaluating AI-augmented code review, AI-assisted threat hunting, AI-driven anomaly detection — you are falling behind against adversaries who have no procurement cycles and no committee approvals.

Jordan: Let's move to theme three. Breaches and vulnerabilities that reinforce a pattern. The biggest story here, and it's stunning, is the FBI confirming that someone breached their surveillance and wiretap systems. The systems used to manage lawful intercept warrants. The FBI hasn't attributed it yet. But this follows the Salt Typhoon telecom breaches that targeted similar systems. Let that sink in. The systems the US government uses to surveil adversaries are themselves being compromised.

Alex: The implications cascade everywhere. Every telco that participates in lawful intercept programs. Every vendor that builds those systems. Every enterprise whose communications pass through infrastructure that has lawful intercept capabilities baked in. The trust framework around lawful intercept is fundamentally damaged. I expect we'll see regulatory and contractual ripple effects from this for years.

Jordan: Meanwhile, Google's Threat Intelligence Group published their zero-day exploitation report for 2025. Ninety zero-days exploited in the wild last year. Almost half targeted enterprise software and appliances. And the most targeted category? Security and networking devices. Firewalls. VPNs. The irony is brutal. The tools you deploy to protect your network are the primary attack surface.

Alex: Which is why the Cisco story this week matters so much. Two maximum-severity vulnerabilities in Cisco Secure Firewall Management Center. Remote root access. No active exploitation yet, but given the Google data showing firewalls are top targets, "no active exploitation yet" is not a reason to wait. Patch immediately. And while you're at it, audit every edge device and network appliance in your environment. If it faces the internet and it's not patched, it's a liability.

Jordan: Two more quick ones. The Cognizant TriZetto breach exposed health data on 3.4 million patients. It happened in 2024 and went undetected for nearly a year. Third-party risk management isn't optional in healthcare — it's existential. And the Coruna iPhone exploit toolkit, likely originally built for the US government, is now in the hands of criminals and foreign spies. Tens of thousands of phones infected. Government-grade exploits don't stay in government hands. They never do. Enforce iOS updates. Evaluate mobile threat defense for your executives.

Alex: On the positive side, the Tycoon 2FA phishing kit takedown was a genuine win. Microsoft led the effort, seized 330 domains, Europol and industry partners collaborated, and the alleged creator was named in a civil complaint. This was a platform that bypassed MFA to enable business email compromise and ransomware. Its destruction validates two things: phishing-resistant authentication like FIDO2 should be your standard, and coordinated public-private takedowns can work. Similarly, the Phobos ransomware leader pleading guilty after impacting a thousand victims and extracting 39 million dollars — that's deterrence. Imperfect, but real.

Jordan: Now let's talk governance, because Washington had a busy week. Friday afternoon — classic news dump timing — Trump signed an executive order and published a five-page cybersecurity strategy. The EO directs federal prosecutors, cyber defense officials, and diplomats to ramp up efforts against cybercriminal gangs. The strategy promises increased government use of AI for rapid cyber defense. Details are thin, but the signal is clear: the administration wants to be seen as tough on cybercrime.

Alex: CISOs should read that five-page strategy carefully. When the federal government telegraphs its priorities, compliance frameworks and regulatory expectations follow. If AI-driven defense is in the strategy, expect questions from regulators about whether you're using AI in your security program. If cybercrime prosecution is a priority, expect increased pressure to report incidents and cooperate with law enforcement. Get ahead of this.

Jordan: And then there's the DHS story that got less attention but matters more operationally. The DHS CISO and deputy CISO both departed this week as part of a broader IT leadership overhaul. This is happening while Sean Plankey's CISA nomination is reportedly in jeopardy. So at the exact moment Iran is pre-positioning inside American critical infrastructure and the FBI's own systems are being breached, the federal government's cybersecurity leadership is in flux. CISOs who rely on CISA for advisories, for coordination, for incident response — plan accordingly.

Alex: One quick mention on the startup front. Fig Security emerged from stealth with 38 million dollars. They trace data flows through your security stack and alert you when changes — a firewall rule update, a SIEM configuration drift, a log pipeline break — silently degrade your detection or response capabilities. It's addressing a real problem. Every CISO has had the experience of discovering that a critical detection was silently broken by a change somewhere upstream. Worth watching.

Jordan: Alright. Let's step back. Alex, what defined this week?

Alex: This was the week the lines between geopolitical conflict and enterprise cybersecurity dissolved completely. We've talked about this convergence for years. This week it happened. Iranian operators were inside American organizations before the first bomb fell. Camera systems became military intelligence platforms. The FBI's own surveillance tools were compromised. And AI accelerated all of it. If you're a CISO going into next week, your priorities are clear. Hunt for Iranian indicators in your environment. Segment your IoT. Patch your edge devices and firewalls. Verify your MFA is phishing-resistant. And have an honest conversation with your board about whether your security program is calibrated for the threat environment we're actually in — not the one we were in six months ago.

Jordan: Agreed. And I'd add one thing. Watch the Russia-Iran cyber alliance closely. Loose coalitions of threat actors sharing infrastructure and targeting data can escalate faster than formal state programs. We saw this with ransomware gangs. We're about to see it with nation-state proxies. If you're in critical infrastructure, assume you're targeted. Don't wait for confirmation.

Alex: That's our week. The daily show returns Monday. Stay sharp out there. I'm Alex Chen.

Jordan: And I'm Jordan Reeves. This has been Cleartext.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-03-07.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.