Episode #18

The Canvas Breach, AI-Enabled Intrusions, and APT-29's Easter Bunny

This week on Dragon News Bytes, Eli Woodward and Stephen Campbell break down a chaotic week of critical breaches, the accelerating weaponization of AI by both defenders and adversaries, and long-term state-sponsored espionage. From the massive educational data breach impacting Instructure to a Mexican water utility targeted via AI-generated frameworks, the team explores how the threat landscape is evolving at scale.

Topics & References

Part 1: The Canvas/Instructure Breach & Shiny Hunters

  • Massive Educational Impact: Around May 1st, Instructure notified potential victims of a breach impacting nearly 9,000 institutions.
  • The Scope: Shiny Hunters claimed responsibility for accessing over 275 million records, including names, emails, and student IDs.
  • Widespread Reach: The platform serves 41% of US higher education institutions, alongside K-12 schools and government agencies.
  • Infrastructure Analysis: The team discusses Push Security's research into Shiny Hunters' phishing panels and how Team Cymru is using NetFlow to uncover additional targets.

Part 2: The Double-Edged Sword of AI

  • Defensive "Vibe Coding": Eli Woodward shares how analysts are using tools like Claude, Gemini, and Team Cymru's new MCP servers to automate complex CTI workflows and rapidly query telemetry.
  • Trust But Verify: The hosts emphasize that while AI acts as a powerful analyst assistant, LLMs still require human oversight to prevent hallucinations.

Part 3: Adversary AI in Critical Infrastructure

  • Dragos OT Report: An adversary with no prior IoT experience successfully targeted a Mexican government water utility's IT environment.
  • Automated Frameworks: The attacker utilized commercial LLMs (Claude and ChatGPT) to generate custom Python frameworks for reconnaissance and lateral movement into OT-adjacent systems.
  • The Outcome: While no OT disruption occurred, vast amounts of sensitive government data were stolen, showcasing the low barrier to entry AI provides for complex intrusions.

Part 4: APT-29's "Easter Bunny" Espionage

  • Labs 52 Report: An analysis of a sophisticated, secretive implant dubbed "Easter Bunny," attributed to APT-29 (Cozy Bear/SVR).
  • Long-Term Stealth: The malware ties back to a 2019 incident, demonstrating the SVR's dedication to long-term, stealthy persistence against diplomatic and government entities.
Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.