Last updated: July 5, 2026 at 9:01 AM UTC
Tag: critical-infrastructure (11 articles)

Iran-linked Handala steals data from California water utility Cal Water

The Iran-linked group Handala claims it breached California Water Service (Cal Water), one of the largest US investor-owned water utilities, and published a 5GB sample to back the claim. Analysts say the attackers reached a customer billing database holding personal data (names, addresses, account and payment details) and an internal GPS-correction server, leaking administrative credentials in the process. Handala framed the attack as retaliation for US actions against Iran and boasted it could disrupt water supply, but researchers stress the evidence does not support that claim: neither system controls water treatment, and the group is known to exaggerate. Cal Water has not yet publicly confirmed the incident.

Check
Water and other critical-infrastructure operators should verify strict isolation between IT and operational-technology networks, and review access logs and exposed credentials on internet-facing billing and GPS or telemetry systems.
Affected
California Water Service customers whose billing data was exposed, and the utility's internal GPS-correction systems; the broader US water sector faces heightened Iran-linked targeting per CISA warnings.
Fix
Rotate all exposed credentials and take the affected GPS server offline to audit it, enforce phishing-resistant MFA on privileged accounts, segment IT from OT, and report to CISA and WaterISAC.

Cyberattack halts Australia's second-largest sugar producer mid-harvest

Mackay Sugar, Australia's second-largest sugar producer, has shut down two of its Queensland mills after a cybersecurity incident, halting production and stopping sugarcane harvesting at the peak of the season. The company confirmed the attack on Wednesday and has brought in outside cybersecurity experts and local authorities to investigate and restore systems. It has not yet said who was responsible or whether data was stolen, but the operational shutdown is consistent with a ransomware attack. The incident is the latest example of attackers disrupting food and agriculture operations, a sector whose industrial systems are increasingly targeted for maximum pressure.

Check
Food, agriculture, and manufacturing operators should review how cleanly their IT and operational-technology networks are separated, and confirm a ransomware shutdown of IT could not halt production lines.
Affected
Industrial and agricultural organizations where a compromise of business IT systems can cascade into operational-technology environments and force a full production shutdown, as happened at Mackay Sugar's mills.
Fix
Segment IT from operational-technology networks, keep offline tested backups, rehearse ransomware recovery for production systems, and pre-arrange incident-response and authority contacts before an attack hits.

Iranian intelligence (MOIS) behind LA Metro hack disguised as 'Ababil of Minab' hacktivists - hundreds of terabytes wiped

Israeli firm Gambit Security has forensically linked the late-March attack on the Los Angeles County Metropolitan Transportation Authority to Iran's Ministry of Intelligence and Security (MOIS), despite the attackers branding themselves as the pro-Iran hacktivist collective 'Ababil of Minab.' The group posted videos claiming it wiped hundreds of terabytes and stole over a terabyte of files. LA Metro confirmed the breach on April 2, 2026, and had to check hundreds of servers for compromise before bringing them back online. The case illustrates a recurring pattern of state operations wearing a hacktivist costume to provide deniability while targeting critical infrastructure.

Check
Critical-infrastructure and transit operators: treat 'hacktivist' claims of destructive attacks as possible state-operation cover. Hunt for wiper precursors and bulk-deletion activity. Validate offline backup integrity.
Affected
US critical infrastructure, especially transit authorities. Iran's MOIS uses fake-hacktivist fronts (here, Ababil of Minab) to claim destructive attacks while preserving deniability.
Fix
Maintain tested offline backups resilient to wipers. Segment OT/IT networks. Monitor for mass-deletion and destructive commands. Coordinate with CISA and ISACs on Iranian APT indicators.

Huawei VRP router zero-day crashed Luxembourg's entire telecom network for 3+ hours (July 2025, disclosed now)

Recorded Future News has connected last summer's three-hour POST Luxembourg outage, which took down landline, 4G, and 5G networks across the country and left residents unable to dial emergency services, to a zero-day in Huawei enterprise routers running VRP. Specially crafted packets merely transiting the routers caused them to enter a continuous restart loop. Luxembourg's prosecutor concluded no one had targeted Luxembourg specifically; the triggering data was ordinary transit traffic. Huawei has not assigned a CVE to the bug and routes its enterprise advisories through a restricted customer portal rather than publishing them, leaving operators with little ability to track their exposure.

Check
Inventory Huawei VRP-based devices (NetEngine and AR-series routers, CloudEngine switches) and their software versions. Confirm you have direct access to Huawei's restricted customer portal so enterprise advisories actually reach you.
Affected
Huawei enterprise routers running VRP that process untrusted internet traffic. Service providers are most exposed; downstream enterprise customers face transit risk.
Fix
Apply the latest Huawei VRP updates via your customer portal. Where possible, deploy multi-vendor diversity at network borders so a single buggy product cannot take down your entire WAN.

Iran-linked hackers breached US gas station fuel-tank gauges - online ATG systems with no password protection

US officials believe Iranian-affiliated actors broke into internet-exposed automatic tank gauge (ATG) systems at gas stations across multiple states, then changed the displayed fuel levels without altering the actual amounts. The intrusions caused no shortages, but falsified ATG readings could theoretically hide a real fuel leak. ATGs have been a known soft target for over a decade. The activity tracks with a broader Iranian push during the war that began in late February: disruptions at US oil, gas, and water sites, shipping delays at Stryker, and the leak of FBI Director Kash Patel's emails. Attribution is preliminary because intruders left almost no forensic evidence.

Check
Inventory ATG and fuel-management endpoints. Search Shodan for your public address ranges on TCP port 10001 (the Veeder-Root TLS serial-over-IP port) and for similar ATG signatures from other vendors. Pull access logs from any internet-reachable OT controller and look for unexpected inventory reads or display changes.
Affected
US fuel retailers and distributors operating ATG systems (Veeder-Root, Franklin Electric INCON, Gilbarco) exposed to the internet with weak credentials. Same pattern applies to water utilities and other internet-facing ICS endpoints.
Fix
Remove ATG and OT management interfaces from the public internet. Put them behind VPN with MFA, segment OT from IT networks, and document manual gauging procedures for outages.
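
The exposure check above, as an added example that is not part of the original article: it sends the Veeder-Root in-tank inventory request (SOH followed by the function code I20100, the same read-only query Shodan banners are built from) to a host on tcp/10001 and parses the reply. The sample reply is constructed to resemble a TLS-350 report and was not captured from a real gauge; the host address in the usage comment is a documentation address, not a real target.

```python
"""Check whether an automatic tank gauge (ATG) answers unauthenticated
inventory queries on tcp/10001, and parse what it returns.

Added example, not part of the original article. The request bytes
(SOH + "I20100") are the Veeder-Root TLS-series in-tank inventory
command; SAMPLE_RESPONSE is constructed for the demonstration.
"""
import re
import socket

SOH, ETX = b"\x01", b"\x03"
INVENTORY_CMD = SOH + b"I20100"   # read-only: in-tank inventory report

# Constructed sample response (not from a real gauge), laid out the way
# TLS-350 units format the I20100 report.
SAMPLE_RESPONSE = (
    b"\x01I20100\r\n"
    b"07/04/26 09:00\r\n\r\n"
    b"EXAMPLE STATION 001\r\n\r\n"
    b"IN-TANK INVENTORY\r\n\r\n"
    b"TANK PRODUCT             VOLUME TC VOLUME   ULLAGE   HEIGHT    WATER     TEMP\r\n"
    b"  1  REGULAR               4907      4898     6989    31.94     0.00    66.99\r\n"
    b"  2  PREMIUM               3261      3257     8635    24.69     0.00    66.63\r\n"
    b"  3  DIESEL                7120      7101     2880    44.10     0.51    64.20\r\n"
    b"\r\n\x03"
)

# One tank row: number, product name (may contain spaces), then six numeric columns.
_ROW = re.compile(
    r"^\s*(\d+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def looks_like_atg_report(data: bytes) -> bool:
    """True if the reply echoes the function code and carries the inventory banner."""
    return data.startswith(SOH + b"I20100") and b"IN-TANK INVENTORY" in data


def parse_inventory(data: bytes) -> list[dict]:
    """Extract one record per tank row; header, date and blank lines are skipped."""
    tanks = []
    for line in data.decode("ascii", errors="replace").splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        tanks.append({
            "tank": int(m.group(1)),
            "product": m.group(2).strip(),
            "volume": int(m.group(3)),
            "tc_volume": int(m.group(4)),
            "ullage": int(m.group(5)),
            "height": float(m.group(6)),
            "water": float(m.group(7)),
            "temp": float(m.group(8)),
        })
    return tanks


def probe(host: str, port: int = 10001, timeout: float = 5.0) -> bytes:
    """Send the inventory request to a host you are authorised to test and
    return the raw reply (empty bytes if nothing came back). Needs network access."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(INVENTORY_CMD)
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            if ETX in chunk:          # end-of-report marker
                break
    return b"".join(chunks)


def assess(data: bytes) -> dict:
    """Summarise exposure: an unauthenticated reply containing tank rows means the
    gauge is reachable and readable from wherever the probe ran."""
    exposed = looks_like_atg_report(data)
    tanks = parse_inventory(data) if exposed else []
    return {"exposed": exposed, "tank_count": len(tanks),
            "products": [t["product"] for t in tanks]}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(assess(SAMPLE_RESPONSE))
    # Live use against an address you own (203.0.113.10 is a documentation address):
    # print(assess(probe("203.0.113.10")))
```

A reply that parses into tank rows is the finding: the gauge accepts commands from the open internet with no authentication, which is exactly the condition the intrusions above relied on. Run this only against ranges you are responsible for, and treat any positive as a ticket to pull the device behind the VPN described in the Fix.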

Polish intelligence says hackers attacked control systems at Polish water treatment plants

Polish intelligence service ABW announced Wednesday that hackers attacked the industrial control systems at multiple Polish water treatment plants. The Record reports the targeting profile is consistent with state-aligned activity: patient reconnaissance, careful access, no data destruction. Polish authorities have not formally attributed the attack, but the timing, alongside the Russia-Ukraine conflict and Russia's interest in Polish infrastructure as a NATO frontline state, is strongly suggestive. Similar incidents have been reported in Germany, Austria, and the Netherlands over the past 12 months. No service disruption was reported, but the access establishes pre-positioning.

Check
If you run water, electric, gas, or transport infrastructure, audit your industrial control system (ICS) and SCADA networks for unfamiliar VPN connections, new remote access tool installations, or anomalous outbound traffic since January.
Affected
Water utilities, power grid operators, and other critical infrastructure operators in NATO frontline states (Poland, Baltic states, Romania, Finland) and adjacent countries. Risk is acute for utilities running internet-reachable HMI or engineering workstations. Smaller municipal water utilities without dedicated OT security staff are most exposed because they are least able to detect patient state-actor reconnaissance.
Fix
Isolate ICS networks from corporate IT with an air gap or a one-way data diode where possible. Inventory and remove any unauthorized remote-access tools (TeamViewer, AnyDesk, ScreenConnect) on engineering workstations. Apply CISA's water utility cyber guidance and Poland's CERT.PL recommendations. Conduct a tabletop exercise focused on prolonged ICS reconnaissance scenarios.

China-linked spies breached the IBM subsidiary that runs IT for Italian government agencies and critical industries

La Repubblica reported a significant breach at Sistemi Informativi, a wholly-owned IBM Italy subsidiary that manages IT infrastructure for Italian public agencies and key industries. Multiple intelligence sources attribute the attack to Salt Typhoon, the China-linked espionage group that has hit US telecoms (AT&T, Verizon, Viasat), Canadian telecom firms, the US Army National Guard, Dutch government networks, and now Italian critical infrastructure. Salt Typhoon's hallmark is patience - prolonged data exfiltration, silent network observation, and infrastructure compromise rather than fast theft. The group has been active since at least 2019 and has reportedly hit 200+ companies across 80 countries.

Check
If your organization uses managed IT services for critical infrastructure (utilities, transport, healthcare, government), audit your provider's separation between corporate IT and customer environments this week.
Affected
Italian government agencies and key industries using Sistemi Informativi for IT infrastructure. More broadly: any organization where a single integrator holds access to multiple government databases - the breach pattern lets Salt Typhoon map critical infrastructure across many victims through one compromise. European telecoms and managed service providers are at acute risk.
Fix
Demand from any managed IT provider written attestation that customer environments are network-segregated from their corporate IT. Hunt for Salt Typhoon indicators: unauthorized configuration changes on edge devices, traffic to known Demodex C2 infrastructure, and anomalous data flows to Asian hosting providers. Treat the Italian breach as a reason to escalate vendor security reviews this quarter.

Cyber spies are quietly stealing engineering blueprints and GPS data from Russian aviation companies

Kaspersky disclosed a previously undocumented cyber-espionage group called HeartlessSoul that has been targeting Russian government agencies and aviation companies since at least September 2025 to steal geographic information system (GIS) data - the specialized files containing detailed maps of roads, engineering networks, terrain, and strategic facilities. The targeting suggests state-aligned interest in Russian infrastructure mapping rather than financial gain. Kaspersky did not name a likely sponsor but the targeting profile is consistent with a Ukraine-aligned or Western-aligned operator. The group uses tailored phishing, custom malware, and persistent network access.

Check
If your organization handles GIS data for any government or critical infrastructure customer, assume your sector is now an active target and tighten access controls on map data this week.
Affected
Russian government agencies and aviation companies are the named targets, but the technique is generic: any organization holding detailed GIS files for critical infrastructure (electric grid, telecoms, water, road, rail, military bases) is in the broader target pool. Engineering and architecture firms working on infrastructure projects are particularly exposed.
Fix
Treat GIS files as high-value data and apply DLP rules that flag bulk transfers of .shp, .gdb, .kml, .gpx, and .tif files. Restrict GIS server access to named users and log every download. For engineering firms, require two-person approval before a complete map set can be downloaded. Western firms holding sensitive infrastructure maps face the same risk from China, Russia, and others.
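
The bulk-transfer rule described above, as an added example that is neither Kaspersky's code nor part of the original article. It runs a per-user sliding window over file-access records and raises one alert when either a file-count or a byte-volume threshold is crossed. It goes slightly beyond the article's list by also matching shapefile companion files, .kmz, .geojson and the contents of Esri file geodatabases (which are directories named *.gdb). The log records, the field names (user, path, bytes, time) and the thresholds are constructed assumptions about what a file server or DLP agent exports.

```python
"""Flag bulk transfers of GIS data from file-access logs.

Added example, not from the article or Kaspersky. SAMPLE_RECORDS are
constructed; the field names and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Extensions from the article plus shapefile companions (.shx/.dbf), .kmz and
# .geojson. A file geodatabase is a *.gdb directory whose members carry
# .gdbtable/.gdbindx suffixes, so it is matched on the path component instead.
GIS_EXTENSIONS = {".shp", ".shx", ".dbf", ".kml", ".kmz", ".gpx",
                  ".tif", ".tiff", ".geojson"}

THRESHOLD_FILES = 25                  # GIS files per user per window
THRESHOLD_BYTES = 500 * 1024 * 1024   # or this many bytes of GIS data
WINDOW = timedelta(minutes=15)


def is_gis_path(path: str) -> bool:
    """True for GIS file types, or for anything inside a *.gdb directory."""
    p = PureWindowsPath(path)
    if p.suffix.lower() in GIS_EXTENSIONS:
        return True
    return any(part.lower().endswith(".gdb") for part in p.parts)


def detect_bulk_gis_transfers(records, window=WINDOW,
                              max_files=THRESHOLD_FILES, max_bytes=THRESHOLD_BYTES):
    """Sliding window per user over GIS-file reads. Emits one alert per user the
    first time either threshold is crossed; later reads by that user are
    accumulated but not re-alerted. Records are sorted by ISO timestamp first."""
    windows = defaultdict(deque)      # user -> deque of (timestamp, bytes)
    alerted, alerts = set(), []
    for r in sorted(records, key=lambda r: r["time"]):
        if not is_gis_path(r["path"]):
            continue
        ts = datetime.fromisoformat(r["time"])
        q = windows[r["user"]]
        q.append((ts, r["bytes"]))
        while q and ts - q[0][0] > window:     # drop reads older than the window
            q.popleft()
        n, total = len(q), sum(b for _, b in q)
        if r["user"] not in alerted and (n >= max_files or total >= max_bytes):
            alerted.add(r["user"])
            alerts.append({"user": r["user"], "files": n, "bytes": total, "at": r["time"]})
    return alerts


def _rec(user, path, nbytes, t):
    return {"user": user, "path": path, "bytes": nbytes, "time": t}


# Constructed sample log: one user pulls 30 shapefiles in five minutes, one user
# pulls two large rasters, one user does ordinary work.
SAMPLE_RECORDS = (
    [_rec("a.ivanova", rf"\\gis01\projects\substations\feeder_{i}.shp", 200_000,
          f"2026-03-02T09:{i // 6:02d}:{(i % 6) * 10:02d}") for i in range(30)]
    + [_rec("b.smith", r"\\gis01\projects\pipeline\ortho_north.tif", 400 * 1024 * 1024,
            "2026-03-02T10:00:00"),
       _rec("b.smith", r"\\gis01\projects\pipeline\ortho_south.tif", 400 * 1024 * 1024,
            "2026-03-02T10:05:00")]
    + [_rec("c.lee", r"\\gis01\projects\grid\network.gdb\a00000001.gdbtable", 3_000_000,
            "2026-03-02T08:30:00"),
       _rec("c.lee", r"\\gis01\projects\grid\boundary.kml", 50_000, "2026-03-02T08:31:00"),
       _rec("c.lee", r"\\gis01\projects\notes.docx", 40_000, "2026-03-02T08:32:00")]
)


if __name__ == "__main__":
    for a in detect_bulk_gis_transfers(SAMPLE_RECORDS):
        print(a)
```

The two thresholds cover the two ways a map set leaves: many small vector files, or a handful of large rasters. Tune them from a week of baseline logs so that routine GIS work by named users stays under both, and feed alerts into the two-person approval workflow rather than blocking silently.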

US utility tech giant Itron breached - hackers reached internal IT systems but no impact on the 112 million customer endpoints it manages

Itron, the Washington-based utility technology company that manages 112 million energy and water meter endpoints across 7,700 customers in 100 countries, disclosed a cyberattack in an SEC 8-K filing April 24. An unauthorized third party reached parts of Itron's corporate IT network on April 13. Itron says it has expelled the attackers and seen no follow-up activity, and that customer-hosted environments (the actual utility infrastructure) were untouched. No ransomware group has claimed the attack. The incident is significant because Itron sits in the middle of US critical infrastructure - meter data, billing, and grid telemetry pass through its software at thousands of utilities.

Check
If you work with any utility tech vendor, confirm in writing whether your relationship touches their corporate IT or only their isolated customer-hosted environment.
Affected
Utilities running Itron software, meters, or services - particularly those whose contracts let Itron staff reach into utility systems. Any organization where a critical-infrastructure vendor has remote access without strict segmentation. Itron's segregation of customer-hosted from corporate IT is what limited this incident.
Fix
Review which Itron-side accounts can reach your utility infrastructure and rotate any credentials, API keys, or VPN profiles Itron staff have used since January. Demand a written attestation that customer-hosted environments are network-segregated from corporate IT. Map every critical-infrastructure vendor's reachability into your network, including informal paths.

Lotus Wiper destroys Venezuelan energy and utility systems in apparent state-sponsored attack

Kaspersky has documented a previously unknown data wiper, dubbed Lotus Wiper, used in destructive attacks on the Venezuelan energy and utilities sector at the end of 2025 and into 2026. The malware has no ransom note, no payment instructions, and no recovery mechanism. This is pure destruction, consistent with state-aligned or geopolitically motivated sabotage rather than cybercrime.

The attack begins with two batch scripts that prepare the environment. The first checks for a NETLOGON share (the Active Directory logon-scripts share) to confirm the machine is domain-joined, then fetches a remote XML file and runs the second script. That second script disables cached logons, logs off active sessions, kills network interfaces, runs diskpart 'clean all' to wipe the disks, uses robocopy to recursively overwrite or delete folders, and uses fsutil to fill the remaining free space. Once the environment is prepped, the Lotus Wiper binary deletes restore points, zeros out physical sectors, clears NTFS USN journal records, and erases every file on every mounted volume.

Kaspersky notes one script tries to stop the Windows UI0Detect service, a feature removed in Windows 10 version 1803. The attackers therefore knew they would hit legacy Windows systems and had deep prior knowledge of the target environment, implying a long-running domain compromise before the destructive payload fired. The sample was uploaded to a public malware-sharing platform from Venezuela in mid-December 2025, weeks before the U.S. military action in the country in early January 2026.

Check
Regardless of geography, hunt for the living-off-the-land pattern this wiper uses: diskpart 'clean all', fsutil filling free space, robocopy recursively mirroring empty directories onto populated ones, and attempts to stop UI0Detect on any Windows host.
Affected
Windows environments with long-running Active Directory compromise, particularly those still running pre-Windows 10 1803 builds where the UI0Detect service exists. Operational-technology organisations in energy, utilities, and critical infrastructure - especially in Venezuela but globally given the playbook is reusable.
Fix
Alert on any process chain matching: cmd.exe spawning 'diskpart.exe /s' with a script containing 'clean all', fsutil.exe creating large zero-filled files (file createnew), or robocopy.exe with /MIR from an empty source directory. Watch the NETLOGON share on domain controllers for new or modified .xml and .bat files. Enforce immutable offline backups: this wiper explicitly destroys restore points, shadow copies, and USN journals, so any backup reachable from the domain is at risk. Review privileged AD admin activity for the past 90 days. Monitor for unauthorized scripts pushed via GPO or scheduled tasks across the domain.
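
The hunt described in the Check and Fix above, as an added example that is neither Kaspersky's code nor part of the original article. It evaluates Sysmon-style process-creation (event 1) and file-creation (event 11) records against one rule per technique the wiper's preparation scripts use, then correlates hits per host: each of these commands is also used legitimately by administrators, so a single hit is only a lead, while two or more distinct rules firing on one host inside a short window is treated as critical. The sample events, hostnames, paths and timestamps are constructed for the demonstration.

```python
"""Hunt for the living-off-the-land preparation sequence used ahead of the
Lotus Wiper payload in process-creation and file-creation telemetry.

Added example, not Kaspersky's or the article's code. Input records are
constructed dictionaries in a Sysmon-like shape (event_id 1 = process
create, 11 = file create); hosts, paths and times are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SEVERITY_ORDER = {"medium": 0, "high": 1, "critical": 2}


def _img(ev, name):
    return ev.get("image", "").lower().endswith("\\" + name)


def _parent(ev, name):
    return ev.get("parent_image", "").lower().endswith("\\" + name)


def _cl(ev):
    return ev.get("command_line", "").lower()


# (rule name, severity, predicate over a process-create event)
PROCESS_RULES = [
    # diskpart is driven by a script file (/s), so 'clean all' is usually not
    # on the command line itself; flag the scripted invocation from cmd.exe.
    ("diskpart_script_from_cmd", "high",
     lambda ev: _img(ev, "diskpart.exe") and _parent(ev, "cmd.exe")
     and ("/s" in _cl(ev).split() or "clean all" in _cl(ev))),
    # fsutil file createnew <path> <size> writes a zero-filled file of <size>.
    ("fsutil_free_space_fill", "medium",
     lambda ev: _img(ev, "fsutil.exe") and "file createnew" in _cl(ev)),
    # /MIR (or /PURGE) deletes destination content absent from the source; the
    # command line cannot show that the source is empty, hence only medium.
    ("robocopy_mirror", "medium",
     lambda ev: _img(ev, "robocopy.exe")
     and any(f in _cl(ev).split() for f in ("/mir", "/purge"))),
    # UI0Detect no longer exists on current Windows; any attempt to manage it
    # is anomalous and matches the legacy-aware behaviour Kaspersky describes.
    ("ui0detect_stop", "high",
     lambda ev: "ui0detect" in _cl(ev) and (_img(ev, "sc.exe") or _img(ev, "net.exe"))),
]

# NETLOGON is the UNC name of SYSVOL\sysvol\<domain>\scripts on a domain controller.
NETLOGON_RE = re.compile(r"\\(netlogon|sysvol\\[^\\]+\\scripts)\\.*\.(xml|bat)$", re.I)


def netlogon_drop(ev):
    return ev.get("event_id") == 11 and NETLOGON_RE.search(ev.get("target_filename", "")) is not None


def hunt(events, window=timedelta(minutes=30)):
    """Return (hits, verdicts). A host that trips two or more distinct rules
    within `window` is 'critical'; otherwise its verdict is the highest
    severity among its hits."""
    hits = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        if ev.get("event_id") == 1:
            for name, sev, pred in PROCESS_RULES:
                if pred(ev):
                    hits.append({"host": ev["host"], "time": ts, "rule": name, "severity": sev})
        elif netlogon_drop(ev):
            hits.append({"host": ev["host"], "time": ts,
                         "rule": "netlogon_script_drop", "severity": "high"})
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    verdicts = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["time"])
        distinct = {h["rule"] for h in hs}
        span = hs[-1]["time"] - hs[0]["time"]
        if len(distinct) >= 2 and span <= window:
            verdicts[host] = "critical"
        else:
            verdicts[host] = max((h["severity"] for h in hs), key=SEVERITY_ORDER.__getitem__)
    return hits, verdicts


# Constructed telemetry: a script dropped on the DC, a workstation running the
# full preparation sequence, and a file server doing a legitimate migration.
SAMPLE_EVENTS = [
    {"time": "2026-01-05T02:10:00", "host": "DC01", "event_id": 11,
     "target_filename": r"C:\Windows\SYSVOL\sysvol\corp.example\scripts\prep.xml"},
    {"time": "2026-01-05T02:12:30", "host": "WS-ENG-07", "event_id": 1,
     "image": r"C:\Windows\System32\sc.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "sc stop UI0Detect"},
    {"time": "2026-01-05T02:12:41", "host": "WS-ENG-07", "event_id": 1,
     "image": r"C:\Windows\System32\fsutil.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"fsutil file createnew C:\fill.bin 53687091200"},
    {"time": "2026-01-05T02:13:05", "host": "WS-ENG-07", "event_id": 1,
     "image": r"C:\Windows\System32\robocopy.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"robocopy C:\empty C:\Users /MIR /R:0 /W:0"},
    {"time": "2026-01-05T02:13:20", "host": "WS-ENG-07", "event_id": 1,
     "image": r"C:\Windows\System32\diskpart.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"diskpart.exe /s C:\dp.txt"},
    {"time": "2026-01-04T14:00:00", "host": "FS02", "event_id": 1,
     "image": r"C:\Windows\System32\robocopy.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"robocopy D:\share E:\share /MIR /LOG:C:\mig.log"},
]


if __name__ == "__main__":
    hits, verdicts = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(h["host"], h["time"].isoformat(), h["rule"], h["severity"])
    print(verdicts)
```

The correlation step is what keeps this usable: a lone robocopy /MIR on a file server stays a medium lead for an analyst, while the workstation that stops UI0Detect, fills its free space, mirrors an empty directory and launches a scripted diskpart inside one minute is the sequence the wiper's scripts perform and warrants isolating the host immediately. Wire the same predicates into your SIEM's process-creation and file-creation sources rather than reading exported JSON, and extend the NETLOGON rule to your SYSVOL replication logs so a script landing on one DC is seen before it replicates.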