☀️ Good morning. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.
Researchers just rewrote the history of state-sponsored cyberwarfare: a 2005 malware predates Stuxnet by five years and silently corrupted physics simulations in Iran's nuclear program; a new attack called PIBuster can permanently brick a public EV charger in 30 seconds, and 60% of the chargers tested were vulnerable; a Chinese engineer spent five years phishing NASA employees for stealth fighter blueprints; a Cisco firewall implant is surviving patches and reboots on a US federal agency's network; and the federal government's AI agent explosion has created a 3,600-use-case attack surface that security teams can't keep up with.
🔥 Top Stories
01 — FAST16: The 2005 Malware That Rewrote History — Five Years Before Stuxnet
Nation-State Threats
At Black Hat Asia 2026, SentinelOne researchers unveiled FAST16, a precision-engineered malware sample dating to 2005 that predates Stuxnet by five years and fundamentally changes what we know about the origins of state-sponsored cyber-sabotage. While Stuxnet destroyed hardware in 2010, FAST16 did something far more insidious: it corrupted the numerical results of engineering simulation software, specifically LS-DYNA 970, the finite-element solver Iranian scientists used to model nuclear triggers, rendering years of research useless without anyone ever knowing they were under attack.
The malware worked by intercepting Floating Point Unit outputs and introducing minute, non-linear errors into calculations. A nuclear reaction model would produce "failed" results on screen; a bridge design would look perfect but collapse in reality. No files were altered and no software crashed; the research itself became a faulty foundation. The trail began with the 2016 ShadowBrokers leak, which contained a cryptic reference to "fast16" that was dismissed for a decade. A sample that had sat on VirusTotal, finally reverse-engineered with 2026-level forensic tooling, turned out to be a driver-level rootkit built for the single-core Windows XP systems standard in mid-2000s engineering facilities, spreading from one air-gapped network to the next on infected USB drives, the same "sneakernet" vector Stuxnet would later perfect.
02 — PIBuster: A 30-Second Physical Attack That Permanently Bricks EV Chargers
Critical Infrastructure
DEF CON 33 researchers have unveiled PIBuster, a physical attack that can permanently disable a public EV charger in under 30 seconds, with no software fix available. Testing across 69 public CCS connectors in California found a 60% vulnerability rate. The attack requires only physical access to a charging cable: the attacker plugs in a custom device that emulates an EV, joins the charger's Power Line Communication link (the HomePlug Green PHY layer that ISO 15118-3 runs over), and overwrites the PLC modem's Parameter Information Block, the non-volatile configuration the modem loads at power-up. The charger becomes permanently non-functional: not rebooted, not reset. Bricked.
Because the corruption sits in the PLC modem's own stored configuration rather than in software the operator can update, there is no patch, no firmware update, no remote fix. Recovery requires full physical replacement at $5,000–$15,000 per unit. A coordinated drive-by attack on a city's charging network could disable over half of its capacity in a single afternoon and cost millions in replacements. The strategic implication is stark: as cities mandate EV transition, the charging grid is becoming a fragile, hardware-destructible piece of critical infrastructure that current threat models don't adequately cover.
03 — Chinese Engineer Spent Five Years Phishing NASA for Stealth Fighter Blueprints
Spearphishing
Song Wu — an engineer at AVIC, China's state-owned military aviation conglomerate — ran a five-year spear-phishing campaign from 2017 to 2021, impersonating US researchers on Gmail to trick NASA employees, Air Force, Navy, Army, and FAA personnel into emailing him export-controlled aerospace source code. His method: research targets on LinkedIn and in academic journals, create accounts mimicking their colleagues, then ask for "copies of software" referencing mutual projects. The targets, believing they were helping a peer, handed over ITAR-controlled aerodynamic modeling software that fed directly into China's J-20 stealth fighter and Z-20 helicopter development programs.
The campaign spanned six states and multiple research universities before a suspicious Gmail account attempting to impersonate a known NASA collaborator triggered an OIG investigation. Wu faces 14 counts of wire fraud and 14 counts of aggravated identity theft, a theoretical maximum sentence of 300+ years. He remains in China and is on the FBI's Most Wanted list. For the US defense research community, the lesson is uncomfortable: the instinct to collaborate with apparent peers is a more effective attack vector than any zero-day.
04 — Firestarter Backdoor Is Surviving Cisco Patches on US Government Firewalls
Vulnerabilities
CISA has confirmed a US federal agency was breached via the Firestarter malware, part of the LineRunner family used in the China-linked ArcaneDoor campaign, and that the implant survives standard patching and reboots. The mechanism: Firestarter injects shellcode into LINA, Cisco's core firewall process, then manipulates the internal filesystem mount list so that a hidden secondary copy of the implant is mapped back in and re-executed at startup. Firmware updates don't touch it. Software reboots don't clear it. The implant was still redeploying its companion toolkit as recently as March 2026, seven months after initial patches were issued.
The only confirmed removal method is a full hard power cycle: physically removing power from the device (not a software reload) so that volatile memory is cleared. The federal agency had patched CVE-2025-20333 and CVE-2025-20362, the two initial-access vulnerabilities, but the implant was already established before patching occurred, and closing the entry point does not evict an implant that is already resident. The operational implication is a fundamental shift in firewall security posture: "patch and reboot" is no longer sufficient. The new standard is "patch, hard power cycle, and forensically verify the device's boot sequence", which in practice means checking the running image and everything else on flash against vendor-published hashes rather than trusting that a reload came up clean.
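One way to turn that "forensically verify" step into a repeatable check, as an added example that is not Cisco's, CISA's or the newsletter's own tooling: capture `dir disk0:`, `verify /md5 disk0:/<file>` for every file, and `show version` from the console after the hard power cycle, then diff the result against a golden manifest of vendor-published image hashes. The CLI output and the hashes below are constructed for this example (they follow the layout of real ASA output but come from no real device), and the script flags deviation from the manifest rather than detecting Firestarter specifically.

```python
"""Post-remediation flash audit for a Cisco ASA (added example, not vendor tooling).

Compares captured CLI output against a golden manifest of vendor-published
image hashes. The CLI captures and hashes below are CONSTRUCTED for this
example; they mirror the layout of `dir disk0:`, `verify /md5` and
`show version` output but are not from any real device.
"""
import re
from typing import Dict, List, Optional

# Constructed golden manifest: image name -> MD5 from the vendor download page.
# Placeholder values, not real Cisco image hashes.
KNOWN_GOOD: Dict[str, str] = {
    "asa9-22-1-smp-k8.bin": "5f4dcc3b5aa765d61d8327deb882cf99",
    "asdm-7221.bin": "0cc175b9c0f1b6a831c399e269772661",
}

# Constructed `dir disk0:` capture: index, perms, size, time, date, name.
# The .bak entry stands in for "a file that has no business being on flash".
DIR_OUTPUT = """\
Directory of disk0:/

11     -rwx  57409536    10:12:04 Jan 14 2026  asa9-22-1-smp-k8.bin
12     -rwx  41312256    10:13:50 Jan 14 2026  asdm-7221.bin
13     drwx  4096        10:14:00 Jan 14 2026  coredumpinfo
14     -rwx  61440       03:21:17 Mar 02 2026  asa9-22-1-smp-k8.bin.bak
"""

# Constructed `verify /md5 disk0:/<file>` captures; the ASDM hash is wrong on purpose.
VERIFY_OUTPUT = """\
verify /MD5 (disk0:/asa9-22-1-smp-k8.bin) = 5f4dcc3b5aa765d61d8327deb882cf99
verify /MD5 (disk0:/asdm-7221.bin) = ffffffffffffffffffffffffffffffff
"""

# Constructed `show version` fragment naming the image the box actually booted.
SHOW_VERSION = 'System image file is "disk0:/asa9-22-1-smp-k8.bin"\n'

DIR_RE = re.compile(
    r"^\s*\d+\s+(?P<perm>[-d][rwx-]{3})\s+\d+\s+\S+\s+\S+\s+\d+\s+\d{4}\s+(?P<name>\S+)\s*$"
)
VERIFY_RE = re.compile(
    r"^verify /MD5 \(\S+?:/(?P<name>\S+)\) = (?P<hash>[0-9a-fA-F]{32})", re.M
)
IMAGE_RE = re.compile(r'^System image file is "\S+?:/(?P<name>\S+)"', re.M)


def parse_dir(text: str) -> List[str]:
    """Regular files on flash; directories (perm starts with 'd') are skipped."""
    names = []
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m and m.group("perm").startswith("-"):
            names.append(m.group("name"))
    return names


def parse_verify(text: str) -> Dict[str, str]:
    """Map file name -> lowercase hash from `verify /md5` output."""
    return {m.group("name"): m.group("hash").lower() for m in VERIFY_RE.finditer(text)}


def boot_image(text: str) -> Optional[str]:
    """Name of the image `show version` says the device booted, if present."""
    m = IMAGE_RE.search(text)
    return m.group("name") if m else None


def audit(dir_text: str, verify_text: str, version_text: str,
          known_good: Dict[str, str] = KNOWN_GOOD) -> List[str]:
    """Return findings; an empty list means flash matches the manifest."""
    findings: List[str] = []
    hashes = parse_verify(verify_text)
    for name in parse_dir(dir_text):
        if name not in known_good:
            findings.append(f"UNEXPECTED: {name} is on flash but not in the golden manifest")
        elif name not in hashes:
            findings.append(f"UNVERIFIED: no `verify /md5` capture for {name}")
        elif hashes[name] != known_good[name]:
            findings.append(f"MISMATCH: {name} hash {hashes[name]} != expected {known_good[name]}")
    image = boot_image(version_text)
    if image is None:
        findings.append("UNVERIFIED: could not determine the running system image")
    elif image not in known_good or hashes.get(image) != known_good[image]:
        findings.append(f"BOOT: running image {image} is not a verified known-good build")
    return findings


if __name__ == "__main__":
    for finding in audit(DIR_OUTPUT, VERIFY_OUTPUT, SHOW_VERSION):
        print(finding)
```

The script is only as honest as its inputs: an implant living inside the firewall process can lie to the CLI, which is why the captures should be taken on the console after the power cycle, and why a mismatch or an unexpected file is a reason to pull the device for a full forensic image rather than to re-run `verify` until it passes.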
05 — The US Government Has 3,600+ AI Agent Use Cases and Security Can't Keep Up
Artificial Intelligence
A new IDC/Salesforce survey confirms that 82% of US government organizations have adopted AI agents — double the 41% adoption rate in the private sector. The official OMB inventory documents a surge from 710 use cases in 2023 to 3,611 across 56 agencies today, led by HHS (447 cases), NASA (425), and DOE (340). The acceleration is driven by the Trump AI Action Plan and GSA's FedRAMP 20x initiative, which has cut authorization timelines from months to weeks — creating what policy experts are calling "agent sprawl" in sensitive and classified networks.
Three security failure modes are emerging at scale: unvetted third-party agents introduced under accelerated FedRAMP baselines acting as supply chain trojans; agent-to-agent communication bypassing Zero Trust controls and creating lateral movement channels EDR tools can't monitor; and model poisoning attacks where compromised training data turns autonomous decision-making into a weapon. The OMB's 3,611 figure is almost certainly an undercount — shadow agents deployed by individual contractors and departments without reporting are likely pushing the real number significantly higher.
📊 By The Numbers
2005 — Year FAST16 was operational — five years before Stuxnet changed what we thought we knew
60% — Share of public CCS EV chargers vulnerable to PIBuster's permanent hardware-bricking attack
300+ — Years Song Wu faces if convicted — he remains in China on the FBI's Most Wanted list
3,611 — Federal AI agent use cases across 56 agencies — up from 710 in 2023
7 months — How long Firestarter survived on a patched US government Cisco firewall
⚡ The Signal
Yesterday’s top five stories converge on a theme that has defined this entire week: the attacks that matter most in 2026 are the ones that were already inside.
FAST16 corrupted Iran's nuclear research for years — from inside the physics simulations. Firestarter persisted on US government firewalls for seven months after patching — from inside the boot sequence. Song Wu spent five years inside the trust networks of US researchers — from inside the peer collaboration culture of academia. PIBuster enters from the charging cable — the physical layer nobody modeled as an attack surface. Government AI agents are multiplying from inside FedRAMP authorization pipelines faster than security teams can audit them.
The perimeter was never the boundary. This week confirmed it across five different attack surfaces simultaneously. The boundary is wherever you stopped verifying.
🔍 What You May Have Missed
Trump vows crackdown on Chinese AI model distillation theft — The White House confirmed executive action targeting Chinese firms using model distillation to extract capabilities from US frontier AI models without licensing — treating it as IP theft equivalent to software piracy.
Checkmarx attack weaponizes KICS and Bitwarden CLI — A supply chain attack embedded malicious code into infrastructure-as-code pipelines via Checkmarx's KICS tool and the Bitwarden CLI — turning security and credential management tooling into the attack vector.
Locked Shields 2026 — NATO's annual cyber defense exercise concluded — Global cyber defenders converged for the world's largest live-fire cyber defense exercise. Results will inform NATO's defensive posture assessments going into the summer.
📅 What to Watch
FAST16 attribution — SentinelOne's evidence strongly suggests a US/Israel Olympic Games precursor; watch for official intelligence community response or formal attribution.
PIBuster vendor response — no software patch exists; watch for ISO 15118 protocol security revisions and hardware recall announcements from major CCS charger manufacturers.
Firestarter hard power cycle directive — federal agencies running Cisco ASA and Firepower devices need physical remediation, not just patching; watch for CISA emergency directive follow-up.
FedRAMP 20x security review — with 3,611 AI agent use cases and accelerated authorization timelines, watch for congressional oversight hearings on federal AI security governance.
Stay sharp. Stay ahead.
Till next time,
The CyberSignal Team
Our Sponsor
You earned the attention. Here's what to do next.
Most creators spend years building an audience on platforms that own it. The reach is real. The relationship isn't. One algorithm change and the people who chose you stop seeing you.
A newsletter is different. Your list is yours. Every subscriber is earned and stays earned. And on beehiiv, the tools to grow it, monetize it, and own it completely are built in from day one.
30% off your first 3 months with code LIST30. Start building today.