Jordan: Someone just built malware specifically to mess with Israel's water supply. Not power grids, not financial systems — water. Desalination plants. The infrastructure that keeps people alive in an arid region. That's where we are on a Monday morning. Welcome to Cleartext.

Alex: Good morning. I'm Alex Chen, and with me as always is Jordan Reeves. Today we're covering a lot of ground — OT attacks on critical infrastructure, a design-level RCE flaw threatening the AI supply chain, a breach at Vercel that's a case study in third-party AI risk, a guilty plea from Scattered Spider, AI-powered voice phishing going turnkey, and global finance officials sounding alarms about AI outpacing regulatory frameworks. Busy day. Let's get into it.

Jordan: ZionSiphon is the lead, and it deserves to be. Darktrace researchers identified purpose-built malware targeting Israeli water treatment and desalination OT systems. We're talking about malware engineered for a specific industrial environment — it establishes persistence, tampers with configuration files, and scans for OT-relevant services on the local subnet. This isn't commodity malware repurposed for ICS. Someone spent real time and resources building this for one target type.

Alex: And for CISOs running OT environments, that specificity is exactly what should keep you up at night. The threat model has shifted. The question is no longer whether sophisticated actors will target industrial control systems — it's whether your segmentation and monitoring would even detect something this tailored. Most OT networks still have inadequate east-west visibility. If ZionSiphon is scanning the subnet, it needs to be somewhere it can do that. That means your segmentation assumptions may be wrong.

Jordan: The geopolitical context here is obvious — this is the Middle East conflict extending into cyber-physical space. But the operational lesson transcends the geography. Attacks on water infrastructure are not new — Oldsmar, Florida in 2021 was a wake-up call that most people snoozed through. What's different now is the sophistication. Config file tampering in OT systems can have consequences that don't manifest for hours or days after the attacker is long gone. By the time you see the effects, you've lost the forensic window.

Alex: The board conversation here is straightforward: cyber-physical incidents are liability events, not just security events. If you have OT in your environment — manufacturing, utilities, building systems, doesn't matter — and you can't answer basic questions about segmentation, monitoring coverage, and incident response playbooks specific to those systems, that's a governance gap with real legal exposure.

Jordan: Staying on the geopolitical thread, let's talk about what came out of Washington last week. Global finance officials — we're talking IMF-level conversations — issued formal warnings that advanced AI models are accelerating vulnerability discovery and exploitation faster than regulators can respond. That's not a think tank white paper. That's finance chiefs publicly acknowledging that AI is breaking their regulatory timeline assumptions.

Alex: This matters to CISOs for a specific reason: it gives you board-level credibility when you're making the case for proactive AI governance investment. When the IMF is saying the gap between AI-driven threat acceleration and regulatory response is widening, your CFO can't argue that the risk is theoretical. The counter-argument to investing in AI security controls just got weaker.

Jordan: And it's not abstract. Let's talk about ATHR. This is an AI-powered voice phishing platform available right now for four thousand dollars and a cut of whatever the criminals take. One operator runs fully automated vishing campaigns. The platform spoofs alert emails from Google, Microsoft, Coinbase — embeds a callback number — and when the victim calls, an AI voice agent handles the entire interaction. No human required until there's money to collect.

Alex: Four thousand dollars. That's the price of entry for a sophisticated, scalable social engineering operation. The talent requirement is gone. The scale requirement is gone. This is a direct threat to any organization that still treats phone-based authentication or help desk callbacks as a security control. And that is most organizations. Scattered Spider — which we'll come back to — used manual social engineering to breach some of the biggest names in hospitality. Now that playbook is automated and available to anyone with the startup capital of a used car.

Jordan: The action item here isn't complicated but it is urgent: your help desk needs to be operating with zero-trust assumptions on voice interactions. No resets, no credential handoffs, no exceptions based on a convincing caller. If you don't have out-of-band verification that's genuinely independent of the channel the caller is using, you have a gap that ATHR will find.

Alex: On Scattered Spider — Tyler Buchanan pleaded guilty Friday to wire fraud conspiracy and aggravated identity theft. At least eight million in cryptocurrency. This group hit MGM and Caesars with social engineering so effective it caused hundreds of millions in losses. Law enforcement catching up is meaningful, but the techniques they pioneered are now table stakes for criminal groups operating at much lower sophistication levels. The guilty plea closes a chapter. It doesn't close the threat.

Jordan: Now let's talk about the Vercel breach, because this one is a preview of what the next two years of supply chain risk looks like. Vercel's breach didn't originate in Vercel's systems. It originated in Context.ai — a third-party AI tool one of their employees was using. Attacker compromised Context.ai, pivoted into that employee's Google Workspace account, and from there into internal Vercel systems. ShinyHunters is claiming credit and trying to sell the data.

Alex: This is the AI tool sprawl problem made concrete. The average enterprise employee is now using anywhere from five to fifteen AI tools — some sanctioned, many not. Each of those tools is an OAuth connection, a data pipeline, a trust relationship that your security team probably didn't review and almost certainly isn't monitoring. Context.ai isn't some obscure tool — it's used by engineering teams at well-known companies. The attack surface here scales with AI adoption, and right now AI adoption is outpacing any governance framework most organizations have in place.

Jordan: The immediate ask for your teams: inventory the AI tools employees are using, not just the ones IT approved. Look at OAuth grants across your Google and Microsoft environments. Anything with broad permissions from a third-party AI service is a potential pivot point. Revoke what you can't justify.

Alex: And speaking of AI supply chain risk, the MCP vulnerability from this morning demands attention. Researchers found a critical design-level flaw in Anthropic's Model Context Protocol — MCP is the emerging standard for connecting AI models to external tools and data sources. This isn't a bug that gets patched in the next release. It's an architectural weakness that enables remote code execution on any system running a vulnerable MCP implementation. And MCP adoption is growing fast.

Jordan: "By design" flaws are the hardest category. There's no CVE patch cycle that fixes this cleanly. If you have engineering teams building on MCP — and increasingly they are — you need to understand your blast radius now. This is the kind of vulnerability that becomes a supply chain incident at scale before most organizations realize they're even exposed.

Alex: Let's close with Europe before the outlook. The EU awarded a €180 million cloud services tender to four European providers — OVHcloud, CleverCloud, STACKIT, Scaleway, Proximus. This is the EU institutionalizing cloud sovereignty in a very concrete way. For multinational CISOs, this is a signal, not just a procurement story. Data residency requirements tied to EU operations are going to tighten, and the assumption that your US hyperscaler footprint cleanly covers European regulatory obligations is increasingly fragile.

Jordan: What's the thread this week? Everything we've covered today has a common denominator: the attack surface is expanding faster than organizational governance is adapting. ZionSiphon is targeting gaps in OT monitoring. ATHR is targeting gaps in voice authentication. Context.ai-to-Vercel is targeting gaps in AI tool oversight. MCP is targeting gaps in AI architecture review. The finance officials in Washington are worried about regulatory frameworks failing to keep pace. That's not coincidence — that's the operating environment.

Alex: The CISOs who are going to be in the strongest position twelve months from now are the ones who this week pick two or three of those gaps and actually close them. Not commission a working group. Not add it to the risk register. Close them. Board-level pressure on AI risk is real and growing. The ATHR story gives you a concrete, low-cost threat example that any audit committee will understand. Use it.

Jordan: Watch for MCP-related disclosures to accelerate. The research community has been looking at AI protocol security hard for the last six months, and ZionSiphon copycat variants targeting OT environments outside the Middle East are a legitimate concern for anyone in critical infrastructure globally.

Alex: That's Cleartext for Monday, April 20th. We'll be back tomorrow. If this episode was useful, share it with someone on your team who needs the brief. I'm Alex Chen.

Jordan: And I'm Jordan Reeves. Stay sharp.