Cleartext – May 29, 2026
Friday, May 29, 2026 · 11:06
Show Notes
Daily cybersecurity briefing for CISOs and security leaders.
Episode Summary
Today's episode covers 10 stories across 4 topic areas, including: Russia conducting daily attacks on UK 'from seabed to cyberspace,' spy chief warns; Chinese Hackers Exploit Iran War to Target Maritime and Energy Companies; Dutch govt disrupts malware botnet with 17 million infected devices.
Stories Covered
🌍 Geopolitical
Russia conducting daily attacks on UK 'from seabed to cyberspace,' spy chief warns
The Record (Recorded Future) · May 28 · Relevance: █████████░ 9/10
Why it matters to CISOs: The GCHQ Director's public warning of daily Russian attacks on UK critical infrastructure, including subsea cables and energy pipelines, signals escalating hybrid warfare that should directly inform enterprise threat models and third-party and supply chain risk assessments for organizations with UK or European exposure.
- GCHQ Director Anne Keast-Butler confirmed Russia is conducting daily attacks spanning seabed infrastructure to cyberspace
- GCHQ's work includes defending subsea cables and energy pipelines in British waters and disrupting networks that smuggle sanctioned technology
- The briefing also referenced countering Russian sabotage and assassination attempts on UK soil
Chinese Hackers Exploit Iran War to Target Maritime and Energy Companies
Infosecurity Magazine · May 29 · Relevance: ████████░░ 8/10
Why it matters to CISOs: ESET's APT Activity Report documents China-backed threat actors opportunistically weaponizing geopolitical instability in the Middle East to target maritime and energy sector organizations globally; CISOs in critical infrastructure and adjacent industries should reassess whether these actors' targeting now extends to their own organizations.
- China-linked APTs are using the Iran conflict as lure and cover to conduct espionage against maritime and energy sector targets
- ESET's 2026 APT Activity Report documents the broader pattern of Chinese state actors expanding global targeting opportunistically
- Sectors affected include maritime logistics and energy, both critical to global supply chains
Dutch govt disrupts malware botnet with 17 million infected devices
BleepingComputer · May 29 · Relevance: ████████░░ 8/10
Why it matters to CISOs: The takedown of a 17-million-device botnet by Dutch authorities, including 200 servers taken offline, is a significant law enforcement action that illustrates the scale of infrastructure available to threat actors; botnets of this size can be leveraged for DDoS, credential stuffing, or proxy abuse against enterprise targets.
- Dutch National Police and NCSC took offline 200 servers controlling a botnet of at least 17 million compromised devices
- Infected devices spanned computers, mobile phones, IoT devices, and routers
- The investigation was triggered by a tip from a security researcher
New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks
The Hacker News · May 29 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The emergence of GREYVIBE, a previously undocumented Russian-linked threat actor using AI-generated lures, is a concrete data point for threat intelligence programs tracking how state-sponsored adversaries operationalize AI, and matters most to organizations with Ukraine-related subsidiaries, partners, or supply chain exposure.
- GREYVIBE is a newly attributed Russian-speaking threat cluster active since at least August 2025, targeting Ukraine and Ukraine-related entities
- The group uses lures generated with ChatGPT and Gemini and deploys a custom malware toolset
- WithSecure assesses the group's activities align with Kremlin state interests based on time zone overlap and targeting patterns
🔓 Data Breach
Charter Communications data breach affects 4.9 million accounts
BleepingComputer · May 29 · Relevance: ████████░░ 8/10
Why it matters to CISOs: ShinyHunters' breach of a major US telecom affecting nearly 5 million accounts is a material incident for CISOs to track for third-party risk exposure, potential regulatory notification obligations if Charter is a vendor, and as a benchmark for breach disclosure timelines and extortion group TTPs.
- ShinyHunters extortion gang stole personal data from 4.9 million Charter Communications accounts
- The breach occurred in early April 2026 and was confirmed via Have I Been Pwned
- Charter is a major US telecom provider, raising supply chain and third-party data exposure concerns for enterprise customers
Cruise giant Carnival confirms data breach affecting nearly 6 million people
The Record (Recorded Future) · May 28 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The Carnival breach, which began with a compromised employee account and affected nearly 6 million individuals, underscores persistent identity-based attack vectors and the importance of employee account monitoring, MFA enforcement, and rapid detection of lateral movement and bulk data exfiltration.
- A threat actor compromised an employee account to gain access to a portion of Carnival's IT environment
- Personal information from nearly 6 million individuals was copied before detection by end of April 2026
- The pattern, initial access via a compromised account followed by large-scale data theft, is consistent with credential-based intrusion campaigns
⚖️ Governance & Policy
Microsoft Threatens Legal Action Over Zero-Day Leaks
BankInfoSecurity · May 29 · Relevance: ████████░░ 8/10
Why it matters to CISOs: Microsoft's legal escalation against a researcher who publicly released six Windows zero-days with working exploit code sets a precedent that could reshape how security teams, bug bounty programs, and vulnerability disclosure policies are structured—CISOs should assess the legal exposure of their own disclosure and research practices.
- A researcher dubbed Chaotic Eclipse released six Windows zero-days with working proof-of-concept exploit code on GitHub after coordinated disclosure talks broke down
- Microsoft is pursuing legal action and labeled public zero-day releases as 'never justifiable'
- The researcher has threatened to release additional vulnerabilities, creating ongoing exposure for Windows enterprise environments
US says troops were targeted with location data, as senator warns ad industry is a ‘national security threat’
TechCrunch Security · May 28 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: The US government's confirmation that active-duty troops were tracked via commercial cell phone location data—and a senator's call to treat adtech as a national security threat—signals accelerating regulatory pressure on data brokerage and mobile tracking that enterprise privacy and security programs must anticipate.
- US officials confirmed active-duty military personnel were targeted and tracked using commercially purchased cell phone location data
- A senior senator publicly characterized the adtech industry as a 'national security threat' and called for legislative action
- The incident highlights how commercially available location data can be weaponized for adversarial targeting of sensitive individuals
Enterprise data is creeping its way into shadow AI tools
Cybersecurity Dive · May 28 · Relevance: ███████░░░ 7/10
Why it matters to CISOs: Okta research showing a growing gap between executive AI usage policies and actual employee behavior, while sensitive enterprise data flows into unsanctioned AI tools, gives CISOs board-level data to justify accelerating AI governance frameworks and DLP controls tuned for generative AI destinations.
- An Okta report found a growing gap between executive AI usage policies and actual employee behavior, with enterprise data entering shadow AI tools
- AI security concerns are rising as employees use unsanctioned tools that process sensitive business data without IT visibility
- The tension between productivity demands and policy compliance is creating measurable governance gaps for security teams
🚨 Critical Vulnerability
Hackers exploit FortiClient EMS flaw to push infostealer malware
BleepingComputer · May 28 · Relevance: █████████░ 9/10
Why it matters to CISOs: Active exploitation of an authentication bypass in FortiClient EMS—a centralized endpoint management platform deployed across enterprise environments—enables attackers to push credential-stealing malware to all managed endpoints simultaneously, representing a critical supply-chain-style risk within the security toolchain itself.
- CVE-2026-35616 is an authentication bypass in FortiClient Enterprise Management Server being actively exploited in the wild
- Attackers disguised the credential stealer payload as a legitimate Fortinet endpoint update, abusing trusted VPN scripting workflows
- The previously undocumented stealer, tracked as EKZ, is delivered to every endpoint managed by the compromised EMS instance, which greatly amplifies the blast radius
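A practical triage check for the story above, added here as an example and not code from BleepingComputer, Fortinet, or the original page: anything EMS pushes to a Windows endpoint as a "Fortinet update" should carry a valid Authenticode signature whose signer is Fortinet. The script lists executables and scripts written recently under directories where FortiClient and pushed payloads would typically land and flags anything unsigned, invalidly signed, or signed by an unexpected subject. The directory list, the lookback window, and the signer pattern are assumptions to adjust for your environment; the page does not document EKZ's drop path or file names, so the check is deliberately generic.

```powershell
# Added example (not from the page or from Fortinet): flag recently written
# executables/scripts that lack a valid Authenticode signature from the expected signer.
function Find-UnexpectedEndpointPayloads {
    param(
        # Assumption: FortiClient installs under Program Files\Fortinet; ProgramData and
        # user temp are common landing spots for pushed scripts. Adjust for your estate.
        [string[]]$Paths = @("$env:ProgramFiles\Fortinet", "$env:ProgramData", "$env:TEMP"),
        [int]$LookbackDays = 7,
        # Assumption: the vendor's code-signing certificate subject contains "Fortinet".
        [string]$ExpectedSignerPattern = 'Fortinet'
    )

    $cutoff = (Get-Date).AddDays(-$LookbackDays)

    Get-ChildItem -Path $Paths -Recurse -File `
        -Include *.exe, *.dll, *.msi, *.ps1, *.bat, *.cmd, *.vbs `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $cutoff } |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $hash   = (Get-FileHash -Algorithm SHA256 -Path $_.FullName -ErrorAction SilentlyContinue).Hash

        # Anything not validly signed, or signed by someone other than the expected vendor,
        # is worth a human look; the list is a triage aid, not a verdict.
        $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch $ExpectedSignerPattern)

        [pscustomobject]@{
            LastWrite  = $_.LastWriteTime
            Path       = $_.FullName
            SigStatus  = $sig.Status
            Signer     = $signer
            SHA256     = $hash
            Suspicious = $suspicious
        }
    } |
    Where-Object Suspicious |
    Sort-Object LastWrite -Descending
}

# Run from an elevated PowerShell session on a managed endpoint; export for the IR case file.
Find-UnexpectedEndpointPayloads |
    Select-Object LastWrite, SigStatus, Signer, SHA256, Path |
    Export-Csv -Path "$env:TEMP\endpoint-payload-triage.csv" -NoTypeInformation
```

Two caveats. A script EMS executes in memory leaves no file for this to find, so pair the endpoint sweep with a review of the EMS server's own deployment history and the vendor advisory for CVE-2026-35616. And a file that is validly signed by the expected vendor but that nobody scheduled is still worth reviewing; compare the SHA256 values against what your EMS change records say was pushed.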
Further Reading
- 🌍 Russia conducting daily attacks on UK 'from seabed to cyberspace,' spy chief warns — The Record (Recorded Future)
- 🌍 Chinese Hackers Exploit Iran War to Target Maritime and Energy Companies — Infosecurity Magazine
- 🌍 Dutch govt disrupts malware botnet with 17 million infected devices — BleepingComputer
- 🌍 New Russian-Linked GREYVIBE Targets Ukraine with AI-Powered Cyberattacks — The Hacker News
- 🔓 Charter Communications data breach affects 4.9 million accounts — BleepingComputer
- 🔓 Cruise giant Carnival confirms data breach affecting nearly 6 million people — The Record (Recorded Future)
- ⚖️ Microsoft Threatens Legal Action Over Zero-Day Leaks — BankInfoSecurity
- ⚖️ US says troops were targeted with location data, as senator warns ad industry is a ‘national security threat’ — TechCrunch Security
- ⚖️ Enterprise data is creeping its way into shadow AI tools — Cybersecurity Dive
- 🚨 Hackers exploit FortiClient EMS flaw to push infostealer malware — BleepingComputer
Full Transcript
Alex: Good morning. It's Friday, May 29th, 2026. You're listening to Cleartext. I'm Alex Chen.
Jordan: And I'm Jordan Reeves. Let's get into it.
Alex: We have a packed show today. The head of GCHQ goes on record saying Russia is hitting the UK every single day, from the ocean floor to the cloud. China's using the Iran conflict as cover for espionage campaigns against maritime and energy targets. Dutch police just dismantled a 17-million-device botnet. We've got two massive breaches at Charter Communications and Carnival Cruise Lines. Microsoft is suing a researcher over zero-day disclosures. A FortiClient EMS vulnerability is being actively exploited in a way that should genuinely alarm anyone running that platform. And we'll talk about the growing collision between shadow AI and enterprise data governance. A lot to cover. Jordan, take us into the geopolitical picture.
Jordan: Yeah, so the big frame this week is that state-sponsored hybrid warfare is not theoretical anymore. It's operational, it's daily, and it's being acknowledged at the highest levels of Western intelligence. Anne Keast-Butler, the director of GCHQ, gave a briefing this week where she confirmed that Russia is conducting daily attacks on UK critical infrastructure. And when she says daily, she's not being rhetorical. She's talking about operations spanning subsea cables, energy pipelines in British waters, technology smuggling networks, and cyber operations. She also referenced countering sabotage and assassination attempts on UK soil.
Alex: And for the CISO audience, the operational takeaway here isn't abstract. If your organization has UK or European exposure, whether that's subsidiaries, data centers, supply chain partners, critical vendors, this is your threat environment. Daily state-level operations against infrastructure means your third-party risk assessments need to account for the possibility that the physical and digital infrastructure you depend on is being actively probed or degraded by a nation-state adversary. This isn't a scenario planning exercise anymore. The director of GCHQ just told you it's happening today.
Jordan: And it's not just Russia. ESET released their 2026 APT Activity Report this week, and one of the key findings is that China-linked threat groups are opportunistically weaponizing the Iran conflict to target maritime and energy companies globally. They're using the geopolitical chaos as both lure material for phishing campaigns and as operational cover. The logic is straightforward: when the world's attention is on a kinetic conflict, defenders are distracted, and intelligence collection against adjacent sectors gets easier.
Alex: Maritime logistics and energy are the connective tissue of global supply chains. If you're a CISO in any industry that depends on shipping, fuel, or petrochemical inputs, and that's most industries, you need to reassess whether Chinese state actors have reason to be interested in your data. The targeting criteria for these groups are expanding, and they're following the geopolitical fault lines.
Jordan: The third piece of the geopolitical picture is GREYVIBE, a newly documented Russian-linked threat actor that WithSecure attributed this week. They've been active since at least August 2025, targeting Ukraine and Ukraine-adjacent entities. What makes this group notable isn't just the targeting, it's the tooling. They're using AI-generated lures, specifically content created through ChatGPT and Gemini, paired with a custom malware toolset. WithSecure assessed Kremlin alignment based on time zone analysis and targeting patterns.
Alex: So for CISOs tracking the operationalization of AI by adversaries, this is a concrete data point. AI-generated phishing lures are no longer theoretical. A state-aligned group is using commercially available generative AI to create more convincing attack material at scale. If your threat intelligence program doesn't account for AI-enhanced social engineering, you're behind.
Jordan: Now, shifting from nation-states to infrastructure. The Dutch National Police and the Netherlands' NCSC took down a botnet this week that controlled at least 17 million compromised devices. Computers, phones, IoT devices, routers. They seized over 200 servers at a local hosting provider. The investigation started with a tip from a single security researcher.
Alex: Seventeen million devices. That's the kind of infrastructure that gets rented out for DDoS, credential stuffing, residential proxy abuse, ad fraud, you name it. For enterprise defenders, botnets at this scale are the substrate that powers a huge portion of the attack surface you're dealing with daily. The takedown is good news, but the fact that something this massive was operating should inform how you think about volumetric attacks and the availability of cheap, distributed attack infrastructure to any motivated threat actor.
Jordan: And it underscores how much of the internet's attack surface is just compromised consumer and IoT devices that nobody's patching or monitoring. One researcher's tip led to this. Imagine what's still running.
Alex: Let's move to breaches. Two significant ones this week. Charter Communications confirmed that ShinyHunters compromised 4.9 million accounts in early April. And Carnival Cruise Lines disclosed that a threat actor accessed personal data on nearly 6 million individuals after compromising an employee account.
Jordan: ShinyHunters is a name every CISO should know by now. They've been behind multiple high-profile extortion campaigns. Charter is a major US telecom, so the third-party data exposure here is significant. If Charter is anywhere in your vendor ecosystem, whether for corporate connectivity, employee services, or customer-facing infrastructure, you need to assess what data they held on your behalf and whether notification obligations apply.
Alex: The Carnival breach is instructive from a different angle. Initial access was through a compromised employee account. Not a zero-day, not a sophisticated exploit chain. An account compromise. The attacker moved laterally, exfiltrated data on 6 million people before detection by end of April. This is the identity-based attack pattern that keeps showing up. MFA enforcement, account anomaly detection, rapid containment. These aren't advanced capabilities. They're baseline. And yet, here we are with another breach at scale because the basics weren't enough or weren't applied consistently.
Jordan: Two different companies, two different sectors, same fundamental story. Credential-based access and data exfiltration at scale. The blast radius is in the millions in both cases.
Alex: Now let's talk about a story that's going to generate a lot of debate. Microsoft is pursuing legal action against a researcher who publicly released six Windows zero-days with working proof-of-concept exploit code on GitHub. The researcher, operating under the handle Chaotic Eclipse, did this after coordinated disclosure talks with Microsoft broke down. Microsoft has called public zero-day releases "never justifiable." The researcher has threatened to release more.
Jordan: This is messy. On one hand, dropping working exploit code for six unpatched Windows vulnerabilities is objectively dangerous to every enterprise running Windows, which is essentially all of them. On the other hand, the security research community has legitimate grievances about how some vendors handle disclosure timelines, communication, and compensation. When coordination breaks down, the incentive structure can push researchers toward public disclosure as leverage.
Alex: For CISOs, there are two action items. First, operationally: there are six unpatched Windows zero-days with public exploit code. Your vulnerability management and threat intelligence teams need to be tracking this actively. Second, strategically: if your organization has a bug bounty program or engages with external researchers, this is the moment to review your disclosure policies, your legal posture, and your communication processes. Microsoft's decision to pursue legal action could have a chilling effect on responsible disclosure broadly. Whether you think that's good or bad, you need to be prepared for how it reshapes the researcher ecosystem you depend on for early warning.
Jordan: And the researcher threatening to release more vulnerabilities means this isn't over. The exposure window is open and expanding.
Alex: Let's pivot to a vulnerability that demands immediate action. CVE-2026-35616 is an authentication bypass in FortiClient Enterprise Management Server, and it is being actively exploited in the wild right now.
Jordan: This one is particularly nasty. FortiClient EMS is the centralized management platform that pushes configurations and updates to all your Fortinet-managed endpoints. Attackers are bypassing authentication on the EMS server and then disguising a credential stealer, an undocumented tool called EKZ, as a legitimate Fortinet endpoint update. It gets pushed through trusted VPN scripting workflows to every managed endpoint simultaneously.
Alex: So let me be very clear about what this means. This is your security toolchain being used as the delivery mechanism. The blast radius isn't one endpoint. It's every endpoint managed by that EMS instance. If you're running FortiClient EMS, this is a drop-everything priority. Patch, isolate, verify integrity of your EMS servers, and audit what's been pushed to endpoints. This is supply-chain-style risk inside your own security infrastructure.
Jordan: The irony of your endpoint security management platform being the vector for mass credential theft is not lost on anyone, but it's also not surprising. These centralized management platforms are the highest-value targets in any environment because they have trusted push access to everything.
Alex: Two more stories to close the segment. First, TechCrunch reported that US officials confirmed active-duty military personnel were tracked using commercially purchased cell phone location data. A senior senator called the adtech industry a "national security threat" and is pushing for legislation. For enterprise security leaders, this is the leading edge of regulatory pressure on data brokerage, location tracking, and the commercial data ecosystem. If your organization buys, sells, or processes location data, or if your employees use mobile devices that generate it, this is a governance issue that's heading toward legislation.
Jordan: And if commercially available location data can be used to track and target US military personnel, it can absolutely be used to track your executives, your board members, your employees with access to sensitive systems. This isn't just a government problem.
Alex: Finally, Okta released research this week showing a growing gap between executive AI usage policies and actual employee behavior. Enterprise data is flowing into unsanctioned AI tools without IT visibility. Employees are using shadow AI for productivity, and the governance frameworks haven't kept pace.
Jordan: This is the CISO's version of the cloud migration debate from ten years ago, except the timeline is compressed. You can't stop adoption. You have to instrument it. DLP controls tuned for generative AI destinations, acceptable use policies with teeth, and board-level reporting on where enterprise data is actually going.
Alex: Alright, let's look at the bigger picture as we close the week. Jordan, what's the thread you're pulling on?
Jordan: The theme this week is that trusted infrastructure is the attack surface. Whether it's subsea cables being probed by Russia, FortiClient EMS being weaponized to push credential stealers, employee accounts at Carnival and Charter being the door in, or shadow AI tools silently ingesting your corporate data. The pattern is the same. Adversaries, whether nation-states or criminal groups, are exploiting the things you trust. The things inside your perimeter, inside your security stack, inside your vendor relationships. Trust is the vulnerability.
Alex: I agree. And the corollary for CISOs is that your risk model has to account for degradation of trust at every layer. Trusted vendors get breached. Trusted security tools get exploited. Trusted employees use unsanctioned tools. Trusted disclosure processes break down. The organizations that perform well in this environment are the ones that build detection and response capabilities around the assumption that trusted channels will be compromised. Not if. When.
Jordan: And this week gave us a lot of data points to support that assumption.
Alex: That's our show for today. Show notes and links to every story we covered are at cleartext.fm. Have a good weekend. We'll see you Monday.
Jordan: Stay sharp.
Cleartext is an automated daily podcast for CISOs and security leaders. Generated 2026-05-29.
Sources are pulled from: CyberScoop, The Record, SecurityWeek, Krebs on Security, Dark Reading, Cybersecurity Dive, BleepingComputer, Wired, Ars Technica, TechCrunch, Help Net Security, VentureBeat, Risky Business News, The Hacker News, CISA, and BankInfoSecurity.