Jordan: Sweden just publicly blamed Russia for attempting a destructive cyberattack on a thermal plant. Not espionage. Not data theft. Destructive. That word is doing a lot of work, and it should have every CISO with OT exposure paying close attention this morning.

Alex: This is Cleartext. Thursday, April 16th, 2026. I'm Alex Chen.

Jordan: And I'm Jordan Reeves. On today's show: Russian destructive operations targeting European critical infrastructure, what two prison sentences tell you about your hiring process, the CVE that signals a whole new vulnerability class in your AI stack, and why NIST just quietly changed how your vuln management program works — whether you noticed or not. Let's get into it.

Alex: So Jordan, Sweden. The civil defense minister standing up and saying Russian hackers are now attempting destructive cyberattacks against European organizations. That framing is deliberate.

Jordan: Extremely deliberate. Attribution at the ministerial level is a policy decision, not just an intelligence one. Sweden is signaling something. And the word "destructive" is significant because it distinguishes this from the years of Russian cyber operations that were primarily about intelligence collection or pre-positioning. This was an attempt to cause physical consequence — in this case, to a thermal plant's operational technology. That's a different category of threat.

Alex: For CISOs in energy, utilities, manufacturing — any sector with OT or ICS exposure — the question you need to be asking isn't whether your IT environment is hardened. It's whether your operational technology sits behind a meaningful security boundary from that IT environment. In most organizations, the honest answer is still no.

Jordan: And the attack surface has gotten worse over the past few years because of remote monitoring, cloud-connected OT, digital twin infrastructure. All of that connectivity that makes operations more efficient also makes it easier for someone to reach the thermal controls. The Purdue model isn't dead, but it needs to be actively enforced, not assumed.

Alex: This is a board conversation. If you're a CISO at an organization with physical infrastructure — energy, water, healthcare facilities, manufacturing — you need to be able to answer whether a nation-state could cause a physical outage from a cyber intrusion. If you can't answer that with confidence, that's your priority this quarter.

Jordan: And don't wait for your sector to be the named target. Sweden today. The Baltic states last year. Russia does not distinguish between NATO members and partners when it comes to infrastructure pressure campaigns.

Alex: Let's pivot to a story that feels different on the surface but hits a very similar nerve for a lot of organizations. North Korean IT worker fraud. Two US nationals sentenced — 108 and 92 months respectively — for running a scheme that placed DPRK workers inside over a hundred American companies, including Fortune 500 firms, using stolen identities. The operation generated five million dollars for the North Korean government.

Jordan: This has been a persistent threat for three years now, and it keeps scaling. What's notable here is the prosecution of the facilitators — the US nationals who ran the laptop farms and handled the identity laundering. That's the supply chain of this operation getting disrupted. But it doesn't stop the demand side, which is DPRK's ongoing need to generate hard currency.

Alex: From a CISO perspective, the insider threat angle here is underappreciated. These weren't hackers breaking in. They were on your payroll, with access to your systems, your code, your IP — sometimes for months. The identity verification problem in remote hiring is real, and it's not an HR problem, it's a security program problem.

Jordan: The practical controls are live video verification during hiring, device attestation requirements before network access, behavioral analytics once someone's in. But honestly, the companies that got burned were largely not thinking about their hiring pipeline as an attack surface. That mindset shift still hasn't happened broadly.

Alex: It needs to. Especially for any company hiring remote contractors in software development, cloud infrastructure, or anything touching sensitive systems. Okay, two governance stories that I want to cover together because they both reshape the compliance and vulnerability management landscape.

Jordan: Start with NIST because that one has immediate operational impact.

Alex: Agreed. NIST announced that the National Vulnerability Database will now only enrich CVEs for critical software, systems used by the federal government, and vulnerabilities under active exploitation. Everything else — pre-March 2026 vulnerabilities included — no longer gets that enrichment. This is a resource decision driven by the sheer volume of CVEs overwhelming NIST's capacity.

Jordan: And it's a problem that's been building for two years. But here's the practical consequence: if your vulnerability management program was relying on NVD enrichment as its primary source of severity context, you now have a gap. You need to diversify your intel feeds — CISA KEV, vendor advisories, commercial threat intel sources. NVD alone is no longer sufficient.

Alex: On the executive order front — National Cyber Director Sean Cairncross confirmed this week that the national cyber strategy is moving forward actively, with executive orders as the likely implementation mechanism. Watch for impacts on software supply chain security requirements and incident reporting obligations, particularly if you're in a regulated industry or touch federal contracts.

Jordan: The supply chain piece is the one I'd prioritize tracking. Post-XZ Utils, post-SolarWinds, there's genuine appetite in policy circles to impose real requirements on how software is built and verified. That will land on CISOs, not just their vendors.

Alex: McGraw Hill. ShinyHunters leaked data from 13.5 million user accounts. The breach vector was their Salesforce environment. This is a story we've seen before — different company, same vector.

Jordan: ShinyHunters is consistent. They go after SaaS environments, particularly Salesforce. The question for every CISO is: what does your Salesforce environment contain, who has access to it, and are you monitoring for abnormal data access or export activity? Most organizations treat Salesforce as a business application, not as a data store requiring security controls. That's the gap.

Alex: Third-party SaaS posture management is not optional anymore. The McGraw Hill breach affects 13.5 million people. The reputational and regulatory exposure from that is significant. Build that SaaS security layer into your program.

Jordan: Quick takes now. Microsoft assigned CVE-2026-21520 — CVSS 7.5 — to a prompt injection flaw in Copilot Studio. The patch is deployed. But the story here isn't the patch, it's the precedent. Microsoft assigning a CVE to an agentic AI platform is, as Capsule Security noted, highly unusual. It signals that prompt injection is now a formal vulnerability class, not just a research curiosity.

Alex: Which means if you're running AI agents — Copilot, Salesforce Agentforce, anything with autonomous action capability — you need a prompt injection assessment in your security review process. Your AI vendors should be answering questions about their injection mitigations the same way they answer questions about auth and encryption.

Jordan: Nginx UI. CVE-2026-33032. CVSS 9.8. Actively exploited. Full server takeover without authentication. If you're running nginx management interfaces with MCP support, patch now. Don't schedule it. Don't queue it. Now.

Alex: Artemis — $70 million Series A, founded by the former Amazon GuardDuty product lead, building an AI-driven SIEM alternative. Worth watching. The fact that Felicis is leading at that size for a SIEM challenger says investors believe the legacy SIEM market is genuinely disruption-ready. We'll see if the technology delivers.

Jordan: The SIEM market has needed disruption for a decade. Agentic telemetry correlation is a compelling pitch. I'd want to see how it handles noisy enterprise environments before pulling any incumbent contracts.

Alex: So stepping back — what's the theme of this week?

Jordan: Convergence of threat surfaces. You have Russian state actors going after physical infrastructure through OT. You have North Korean intelligence operations running through your HR pipeline. You have AI platforms introducing vulnerability classes that your existing security frameworks weren't built to handle. And the regulatory infrastructure that's supposed to help — NVD, compliance frameworks — is straining under volume and velocity.

Alex: The common thread for me is that the perimeter keeps expanding in unexpected directions. OT networks, hiring pipelines, AI agent contexts — none of these were primary attack surfaces ten years ago. The CISO role is fundamentally about being ahead of that expansion, and right now the expansion is faster than most programs can absorb.

Jordan: What to watch next: any escalation in European critical infrastructure targeting as we head into summer. The Russia-Ukraine dynamic has historically driven more aggressive cyber operations during warmer months. And watch for the first executive order under the new cyber strategy — that will set the compliance agenda for the next two years.

Alex: That's Cleartext for Thursday, April 16th. If this episode was useful, share it with a peer who needs it. We'll be back Monday. Stay sharp.