
Cleartext – April 09, 2026



Daily cybersecurity briefing for CISOs and security leaders.

Episode Summary

Today's episode covers 8 stories across 4 topic areas, including: Iran-linked hackers disrupt operations at US critical infrastructure sites; US operation evicts Russia from hacked SOHO routers used to breach critical infrastructure; APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies.

Stories Covered

🌍 Geopolitical

Iran-linked hackers disrupt operations at US critical infrastructure sites

Ars Technica Security · Apr 08 · Relevance: █████████░ 9/10

Why it matters to CISOs: Iranian threat actors causing actual operational disruption at US critical infrastructure sites represents an escalation from reconnaissance to impact—CISOs in energy, water, and industrial sectors must urgently review OT/ICS exposure and PLC hardening.

  • Iran-linked hackers have disrupted operations at US critical infrastructure sites
  • Attacks target exposed programmable logic controllers (PLCs)
  • FBI and CISA have issued joint warnings about the campaign

US operation evicts Russia from hacked SOHO routers used to breach critical infrastructure

Cybersecurity Dive · Apr 08 · Relevance: █████████░ 9/10

Why it matters to CISOs: Russia's APT28 compromised thousands of end-of-life SOHO routers across 120 countries via DNS manipulation to spy on organizations—CISOs must audit their remote workforce router inventory and enforce replacement of EOL network equipment.

  • FBI-led operation disrupted Russian APT28 campaign exploiting SOHO routers
  • Attack used DNS setting modification rather than traditional malware
  • End-of-life routers in 120 countries were compromised to steal credentials and breach critical infrastructure

APT28 Deploys PRISMEX Malware in Campaign Targeting Ukraine and NATO Allies

The Hacker News · Apr 08 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A new APT28 malware suite using steganography, COM hijacking, and cloud C2 targeting NATO-aligned organizations means enterprises with government or defense ties should update threat models and detection rules immediately.

  • APT28/Forest Blizzard deploying previously undocumented PRISMEX malware suite
  • Uses advanced steganography, COM hijacking, and legitimate cloud services for C2
  • Targets Ukraine and NATO allies via spear-phishing

🔓 Data Breach

Breach exposes sensitive LAPD files stored in city attorney system

The Record (Recorded Future) · Apr 08 · Relevance: ████████░░ 8/10

Why it matters to CISOs: A 7.7 TB exfiltration of sensitive law enforcement data from a city attorney's office by the World Leaks extortion gang underscores risks of data sprawl across interconnected government systems—relevant for CISOs managing third-party data sharing with public entities.

  • 7.7 terabytes of sensitive LAPD data stolen and leaked
  • Breach occurred through the LA City Attorney's Office digital storage system
  • World Leaks extortion gang reportedly responsible

Minnesota governor sends national guard to county after cyberattack

The Record (Recorded Future) · Apr 08 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: A cyberattack severe enough to trigger National Guard deployment signals that critical local government services were completely incapacitated—a stark reminder for CISOs about incident response planning and the cascading effects of attacks on interconnected public/private systems.

  • Minnesota Governor Walz issued executive order deploying National Guard to Winona County
  • Cyberattack struck critical county systems beginning Monday
  • Demonstrates escalating severity of attacks against local government infrastructure

Google: New UNC6783 hackers steal corporate Zendesk support tickets

BleepingComputer · Apr 08 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: Threat actors compromising BPO providers to pivot into high-value enterprise targets via Zendesk tickets highlights third-party/supply chain risk—CISOs should review access controls and data exposure through outsourced support operations.

  • UNC6783 threat group is compromising BPO providers to access enterprise clients
  • Targets span multiple sectors through stolen Zendesk support ticket access
  • Campaign identified by Google's threat intelligence team

⚖️ Governance & Policy

AI-Led Remediation Crisis Prompts HackerOne to Pause Bug Bounties

Dark Reading · Apr 08 · Relevance: ███████░░░ 7/10

Why it matters to CISOs: HackerOne pausing bug bounties because AI-driven discovery is overwhelming remediation capacity signals a fundamental shift in vulnerability management economics—CISOs relying on bounty programs need to rethink remediation resourcing and prioritization strategies.

  • HackerOne has paused bug bounty programs due to remediation bottleneck
  • AI-automated vulnerability discovery has shifted the bottleneck from finding bugs to fixing them
  • Bounty programs fund discovery but not remediation, creating an unsustainable imbalance

🚨 Critical Vulnerability

Adobe Reader Zero-Day Exploited via Malicious PDFs Since December 2025

The Hacker News · Apr 09 · Relevance: ████████░░ 8/10

Why it matters to CISOs: An Adobe Reader zero-day actively exploited for 4+ months via weaponized PDFs represents a major enterprise threat given the ubiquity of PDF workflows—CISOs should assess exposure, deploy compensating controls, and monitor for indicators of compromise immediately.

  • Zero-day in Adobe Acrobat Reader exploited in the wild since at least December 2025
  • Exploit delivered via malicious PDF documents described as 'highly sophisticated'
  • First sample appeared on VirusTotal in November 2025, indicating prolonged exploitation window

Full Transcript

Jordan: Iranian hackers just moved from watching to breaking things. Operational disruption at US critical infrastructure sites. That's not espionage. That's a message.

Alex: Welcome to Cleartext. It's Thursday, April 9th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves.

Alex: Today we have a loaded show. Iranian and Russian threat actors both making moves against critical infrastructure. A four-month-old Adobe zero-day that nobody caught until now. The bug bounty model showing signs of structural collapse. And two breach stories that should make every CISO rethink their data sprawl assumptions. Let's get into it.

Jordan: So let's start with Iran, because this is the one that should be keeping OT security teams up at night. CISA and the FBI issued a joint advisory yesterday following confirmed operational disruptions at US critical infrastructure sites linked to Iranian threat actors. And I want to be precise about the word "disruption" here. This is not exfiltration. This is not reconnaissance. They broke things. They targeted exposed programmable logic controllers — PLCs — and they caused actual operational impact.

Alex: The timing is not accidental. As US-Israel military coordination around Iran has intensified, we're seeing the cyber domain activated as a pressure valve. Iran has been running ICS-targeted operations for years, but what's changed is the willingness to cross the disruption threshold. That's a strategic decision, not a technical one.

Jordan: And the technical entry point is embarrassingly basic. Exposed PLCs. Internet-facing industrial controllers with default credentials or no authentication at all. If you are running OT environments and you have not done an exposure audit in the last ninety days, that audit is overdue. Shodan will tell you what Iran already knows about your network perimeter.

Alex: For CISOs in energy, water, and manufacturing — this is a board conversation, not just a security team conversation. If your OT systems are operationally connected to anything internet-adjacent, you need to be able to answer two questions in your next board meeting: what is our blast radius if a PLC is manipulated, and how fast can we detect and isolate it? If you can't answer both, that's your gap.

Jordan: Now let's stay in the geopolitical lane, because Russia had a busy week too. The FBI successfully disrupted an APT28 campaign that had compromised thousands of end-of-life SOHO routers across 120 countries. The technique here is worth understanding — this wasn't traditional malware infection in the way most people picture it. APT28 was manipulating DNS settings on these routers to silently redirect traffic and steal credentials. Clean, persistent, and almost invisible to the end user.

Alex: The word that jumps out to me is end-of-life. We talk about EOL software constantly, but EOL hardware is the blind spot. When someone's remote employee is sitting at home on a five-year-old router that hasn't seen a firmware update in two years, and that router is touching your corporate VPN — that is an attack surface your security team has essentially zero visibility into.

Jordan: And APT28 knows this. They've been running this playbook for a while. The FBI operation evicted them from these devices, but eviction is not remediation. Those routers are still end-of-life. They will be recompromised. The fix is replacement, not a one-time cleanup.

Alex: This connects directly to APT28's other headline this week. Trend Micro dropped research on a new malware suite called PRISMEX being deployed against Ukraine and NATO allies via spear-phishing. The technical sophistication here is significant — steganography to hide payloads, COM hijacking for persistence, and legitimate cloud services for command-and-control. That last piece is the hard part to defend against.

Jordan: When your C2 traffic looks like Microsoft OneDrive or Google Drive activity, traditional network detection falls apart. Your DLP sees cloud sync traffic. Your firewall sees allowed destinations. The signal is buried in noise you've already decided is legitimate. For any organization with defense, government, or NATO-adjacent contracts, update your detection rules now. PRISMEX indicators are public.

Alex: Let's move to the breach stories, because there are two this week that illustrate a theme I keep coming back to: data sprawl kills you on the timeline you didn't choose. In Los Angeles, the World Leaks extortion gang exfiltrated 7.7 terabytes of sensitive LAPD data — but the breach didn't come through LAPD systems. It came through the LA City Attorney's Office.

Jordan: This is the third-party data sharing problem at its most concrete. Law enforcement data, presumably sensitive case files, flowing into a city attorney's digital storage system, and that system had insufficient controls. The attack surface isn't just your environment. It's every environment where your data lives.

Alex: If you're a CISO managing any data sharing arrangements with public sector entities — municipalities, county systems, state agencies — this is your prompt to ask hard questions about their security posture. You probably don't have contractual leverage the way you would with a private vendor, but you have the ability to limit what data you share and how long it persists in their systems. That's your control.

Jordan: And then there's Winona County, Minnesota. Governor Walz deployed the National Guard after a cyberattack took down critical county systems. When a governor has to sign an executive order to respond to a cyberattack, that tells you the incident response capability at the local level was exhausted.

Alex: The relevance for enterprise CISOs is about cascade effects. Local government systems touch more things than people realize — permitting, utilities, emergency services, healthcare coordination. If your operations have any dependency on county or municipal systems, and many do, you need to think about what a prolonged outage of those systems means for your business continuity plan.

Jordan: Okay, let's talk about something that affects almost every enterprise on the planet. Adobe Reader. A zero-day vulnerability that has been actively exploited since at least December 2025 — possibly since November — and we're hearing about it in April 2026. Four months of exploitation window on a PDF reader that is installed on virtually every corporate endpoint.

Alex: The delivery mechanism is weaponized PDFs. Think about your email workflows for one second. Invoices. Legal documents. Vendor agreements. PDFs are trusted by default in most organizations because they have to be. That's what makes this particularly nasty.

Jordan: The exploit itself is described as highly sophisticated, which means this is not a commodity threat actor. Someone spent real resources developing this. Patch Adobe Reader immediately — Adobe has released a fix. But also check your EDR telemetry for anomalous activity originating from Acrobat processes going back to December. If you were hit, you may not know it yet.

Alex: Finally, the HackerOne story is one I think deserves more attention than it's getting. They've paused bug bounty programs because AI-automated vulnerability discovery has created a remediation bottleneck. Researchers and AI tools are finding bugs faster than engineering teams can fix them. And bounties fund discovery, not remediation.

Jordan: This is a structural problem, not a platform problem. The economics of bug bounties were built on the assumption that finding vulnerabilities was the hard part. That assumption is dead. AI killed it.

Alex: CISOs who rely heavily on bug bounty programs need to have an honest conversation with their engineering leadership about remediation capacity. If you're incentivizing the top of the funnel without investing in the bottom, you're building a backlog of known vulnerabilities that aren't being fixed. That is a liability posture problem, not just a security posture problem.

Jordan: So what's the theme this week? Because I think it's clear.

Alex: State actors are in an operational phase, not a reconnaissance phase. Iran is disrupting. Russia is harvesting. APT28 is deploying new tooling. And they're all targeting the same categories of weakness — exposed OT systems, unmanaged remote infrastructure, and trusted software delivery channels.

Jordan: The board question this quarter isn't "are we being targeted." It's "what happens when disruption hits us." Resilience planning, OT segmentation, EOL hardware replacement — these are budget conversations that need to happen now, not after an incident.

Alex: And on the AI vulnerability discovery point — the volume of known exploitable issues is about to grow dramatically. Your remediation capacity is the constraint. Start investing there.

Jordan: That's Cleartext for Thursday, April 9th. If this was useful, share it with a peer. We'll be back tomorrow.

Alex: Stay sharp.


Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-04-09.

Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.