Last updated: July 5, 2026 at 9:01 AM UTC
Tag: iran (6 articles)

Iran-linked Handala steals data from California water utility Cal Water

The Iran-linked group Handala claims it breached California Water Service (Cal Water), one of the largest US investor-owned water utilities, and published a 5GB sample to prove it. Analysts say the attackers reached a customer billing database holding personal data (names, addresses, account and payment details) and an internal GPS-correction server, leaking administrative credentials in the process. Handala framed the attack as retaliation for US actions against Iran and boasted it could disrupt water supply, but researchers stress the evidence does not support that claim, neither system controls water treatment, and the group is known to exaggerate. Cal Water has not yet publicly confirmed the incident.

Check
Water and other critical-infrastructure operators should verify strict isolation between IT and operational-technology networks, and review access logs and exposed credentials on internet-facing billing and GPS or telemetry systems.
Affected
California Water Service customers whose billing data was exposed, and the utility's internal GPS-correction systems; the broader US water sector faces heightened Iran-linked targeting per CISA warnings.
Fix
Rotate all exposed credentials and take the affected GPS server offline to audit it, enforce phishing-resistant MFA on privileged accounts, segment IT from OT, and report to CISA and WaterISAC.

CISA, FBI, NSA warn hackers are modifying internet-exposed fuel tank gauge (ATG) systems - prior activity linked to Iran

CISA, the FBI, the NSA, the Department of Energy, and partners have warned that threat actors are targeting internet-exposed automatic tank gauge (ATG) systems used to monitor fuel and liquid storage across the Energy, Chemical, Food and Agriculture, and Transportation sectors. Attackers gain access via authentication-bypass flaws, hardcoded credentials, OS command-execution bugs, SQL injection, and privilege escalation, then modify network settings, product identifiers, tank volumes, and pump controls, and can disable alerts - raising the risk of leaks or equipment failure. The advisory does not formally attribute the activity, but it follows May CNN reporting linking Iranian hackers to similar ATG breaches. Agencies urge removing ATG systems from the internet.

Check
Inventory automatic tank gauge (ATG) systems and confirm none are internet-exposed. Replace default passwords, enable MFA, and review device logs for unauthorized changes to settings, volumes, or pump controls.
Affected
Internet-exposed ATG systems across Energy, Chemical, Food and Agriculture, and Transportation sectors. Access via auth-bypass, hardcoded credentials, command-execution, SQL injection, and privilege-escalation flaws. Prior activity linked to Iran.
Fix
Remove ATG systems from the internet; restrict remote access via firewalls, VPNs, or ACLs. Replace default credentials, enforce MFA, apply updates, and monitor for unauthorized configuration changes.

Iran-linked hackers breached US gas station fuel-tank gauges - online ATG systems with no password protection

US officials believe Iranian-affiliated actors broke into internet-exposed automatic tank gauge (ATG) systems at gas stations across multiple states, then changed the displayed fuel levels without altering the actual amounts. The intrusions caused no shortages, but falsified ATG readings could theoretically hide a real fuel leak. ATGs have been a known soft target for over a decade. The activity tracks with a broader Iranian push during the war that began in late February: disruptions at US oil, gas, and water sites, shipping delays at Stryker, and the leak of FBI Director Kash Patel's emails. Attribution is preliminary because intruders left almost no forensic evidence.

Check
Inventory ATG and fuel-management endpoints. Search Shodan for your /27s on port 10001 (Veeder-Root) and similar ATG signatures. Pull access logs from internet-reachable OT controllers for unexpected reads or display changes.
Affected
US fuel retailers and distributors operating ATG systems (Veeder-Root, Franklin Electric INCON, Gilbarco) exposed to the internet with weak credentials. Same pattern applies to water utilities and other internet-facing ICS endpoints.
Fix
Remove ATG and OT management interfaces from the public internet. Put them behind VPN with MFA, segment OT from IT networks, and document manual gauging procedures for outages.

Iran-linked MuddyWater (Seedworm) spent a week inside a major South Korean electronics maker - DLL sideloading off Fortemedia audio and SentinelOne binaries, ChromElevator credential theft

Symantec's Threat Hunter Team detailed a global cyber-espionage campaign by MuddyWater (a.k.a. Seedworm, Static Kitten, Temp Zagros), an APT linked to Iran's Ministry of Intelligence and Security. The group hit at least nine organizations on four continents in Q1 2026 - including a major unnamed South Korean electronics manufacturer where attackers maintained access from February 20 to 27. They abused signed legitimate binaries fmapp.exe (a Fortemedia audio utility) and sentinelmemoryscanner.exe (a SentinelOne component) to sideload malicious DLLs called fmapp.dll and sentinelagentcore.dll, both carrying the ChromElevator post-exploitation tool that lifts data from Chrome-based browsers. Stolen files were staged through public file-transfer service sendit[.]sh to blend in.

Check
Hunt endpoints for fmapp.exe or sentinelmemoryscanner.exe loading non-standard DLLs, search proxy and DNS logs for connections to sendit[.]sh from non-IT users, and review Chrome profile access patterns from sideloaded DLL contexts.
Affected
High-tech manufacturing, electronics, industrial firms, financial services, and government agencies with intellectual-property or downstream-customer value to Iran. Operations in Asia and the Middle East are most exposed, but victims span four continents.
Fix
Add detection rules for fmapp.dll and sentinelagentcore.dll in unexpected paths, block sendit[.]sh outbound where it has no business need, watch for unusual Node.js process trees spawning cmd.exe, and review LSASS access events around the 90-second beaconing window.
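A hunt for the sideloading and staging pattern described above, as an added example that is not Symantec's or the article's own code: it runs two checks over constructed Sysmon-style key=value log lines, flagging the named EXE/DLL pairs when they load from outside assumed vendor install roots and any DNS query for sendit.sh. The log format, field names and trusted roots are assumptions.

```python
import re
from pathlib import PureWindowsPath
# Signed binaries and the malicious DLL names paired with them in the article above.
SIDELOAD_PAIRS = {"fmapp.exe": "fmapp.dll",
                  "sentinelmemoryscanner.exe": "sentinelagentcore.dll"}
# Assumption: legitimate copies live under vendor install roots; the same pairing
# loaded from a user-writable directory is the sideload pattern worth a ticket.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
STAGING_DOMAIN = "sendit.sh"  # written sendit[.]sh (defanged) in the article
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value; quoted values may hold spaces

def parse_kv(line):
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def check_image_load(ev):
    """Sysmon-style ImageLoad event: flag a known pair loaded outside trusted roots."""
    image = PureWindowsPath(ev.get("Image", ""))
    loaded = PureWindowsPath(ev.get("ImageLoaded", ""))
    expected = SIDELOAD_PAIRS.get(image.name.lower())
    if expected is None or loaded.name.lower() != expected:
        return None
    if all(str(p).lower().startswith(TRUSTED_ROOTS) for p in (image, loaded)):
        return None  # vendor install location: the expected pairing
    return f"possible DLL sideload: {image} loaded {loaded}"

def check_dns(ev):
    """DnsQuery event: flag the staging domain or any subdomain of it."""
    q = ev.get("QueryName", "").lower()
    if q == STAGING_DOMAIN or q.endswith("." + STAGING_DOMAIN):
        return f"staging-domain lookup by {ev.get('Image')}: {q}"
    return None

def hunt(lines):
    """Run both checks over key=value log lines and return the findings."""
    checks = {"ImageLoad": check_image_load, "DnsQuery": check_dns}
    findings = []
    for line in lines:
        ev = parse_kv(line)
        check = checks.get(ev.get("EventType"))
        if check and (finding := check(ev)):
            findings.append(finding)
    return findings
# Constructed sample telemetry, not real logs; the first line is the legitimate pairing.
SAMPLE = [
    'EventType=ImageLoad Image="C:\\Program Files\\Fortemedia\\fmapp.exe" ImageLoaded="C:\\Program Files\\Fortemedia\\fmapp.dll"',
    'EventType=ImageLoad Image="C:\\Users\\Public\\Music\\fmapp.exe" ImageLoaded="C:\\Users\\Public\\Music\\fmapp.dll"',
    'EventType=ImageLoad Image="C:\\ProgramData\\sv\\sentinelmemoryscanner.exe" ImageLoaded="C:\\ProgramData\\sv\\sentinelagentcore.dll"',
    'EventType=DnsQuery Image="C:\\Users\\Public\\Music\\fmapp.exe" QueryName=sendit.sh',
]
```

Running `hunt(SAMPLE)` yields three findings: the two user-writable sideload pairings and the staging-domain lookup, while the vendor-path load on the first line stays quiet.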

Iran operating like a criminal actor, ex-NSA director says - opportunistic credentials and amplification, not novel exploits

At the Asness Summit in Nashville on April 24, former NSA director Tim Haugh and Mandiant founder Kevin Mandia argued Iran's current cyber posture more closely resembles a criminal actor than a sophisticated APT - reliant on dark-web-purchased credentials, basic security gaps, and information operations to amplify modest intrusions. They cited the March 11 Stryker attack as the template: no malware, no zero-day, just legitimate credentials used to abuse MDM and delete data the attacker had permission to delete. Mandia's CISO advice: assume valid credentials for your staff are already on sale and build detection around their misuse.

Check
Run a credential-monitoring service against your domain this week, and put alerts in place for impossible-travel logins and unusual MDM actions on admin accounts.
Affected
Any organization with US or Israeli ties, plus their suppliers and contractors, fits the Iranian targeting profile. Acute risk: organizations where MDM, RMM, or any endpoint-management platform can issue destructive commands without out-of-band approval; environments without credential-monitoring services watching dark-web markets for staff logins.
Fix
Subscribe to a credential-monitoring service (HaveIBeenPwned Enterprise, SpyCloud, Flare) and alert on staff credentials surfacing in stealer logs. Require step-up auth on any MDM or RMM destructive action (wipe, uninstall, mass-deploy). Brief comms staff that any Iran-claimed breach should be verified before public response - operators routinely overclaim to amplify modest access.

FBI and CISA warn Iranian hackers are targeting internet-exposed Rockwell PLCs at US water and energy facilities

A joint FBI/CISA advisory warns that Iranian-affiliated APT actors are actively targeting internet-exposed Rockwell Automation and Allen-Bradley programmable logic controllers across US critical infrastructure - specifically Government Services, Water and Wastewater Systems, and Energy sectors. The attacks have caused financial losses and operational disruptions since March 2026, with the FBI confirming attackers extracted PLC project files and manipulated data displayed on HMI and SCADA systems. The escalation is linked to ongoing hostilities between Iran, the US, and Israel.

Check
If you operate or support organizations with industrial control systems, check whether any Rockwell/Allen-Bradley PLCs are directly exposed to the internet.
Affected
Organizations running internet-exposed Rockwell Automation and Allen-Bradley PLCs, particularly in water treatment, energy, and government facilities. Any PLC reachable from the public internet without VPN or network segmentation is at risk.
Fix
Remove all PLC management interfaces from internet exposure immediately - these should only be accessible via dedicated OT networks or VPN. Change all default credentials on PLCs and HMI systems. Monitor for unauthorized access to PLC project files and unexpected changes to HMI/SCADA displays. Follow the joint advisory's indicators of compromise and detection signatures.