Potential Iranian Cyber Activity Targeting U.S. Critical Infrastructure

1 unique source, 1 article

Summary

U.S. cybersecurity agencies warn of potential targeted cyber activity against U.S. critical infrastructure by Iranian state-sponsored or affiliated threat actors. These actors exploit known vulnerabilities in unpatched or outdated software, compromise internet-connected accounts and devices with weak passwords, and collaborate with ransomware affiliates to encrypt, steal, and leak sensitive information. No coordinated campaign has been observed, but vigilance is advised.

Timeline

  1. 30.06.2025 15:00 (1 article)

    U.S. Agencies Warn of Potential Iranian Cyber Activity Against Critical Infrastructure

    U.S. cybersecurity agencies issued a joint statement warning of potential targeted cyber activity against U.S. critical infrastructure by Iranian state-sponsored or affiliated threat actors. The warning highlights tactics such as exploiting vulnerabilities in unpatched software, compromising devices with weak passwords, and collaborating with ransomware affiliates. No coordinated campaign has been observed, but vigilance is advised.

Similar Happenings

WhatsApp Zero-Day Exploited in Targeted Spyware Campaign

A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against fewer than 200 users. The flaw allowed an unauthorized party to trigger the processing of content from arbitrary URLs on a targeted device, potentially leading to spyware deployment. The attacks were sophisticated and chained the flaw with a separate Apple vulnerability (CVE-2025-43300) affecting iOS, iPadOS, and macOS. The vulnerability was patched in WhatsApp's messaging apps for Apple iOS and macOS. The attacks were part of a targeted spyware campaign, and WhatsApp sent in-app threat notifications to affected users. Apple has also sent multiple threat notifications since 2021, alerting users in over 150 countries about these sophisticated attacks, and has introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities. The spyware market has seen an increase in U.S. investors and new entities in various countries.

Chinese State-Sponsored Actors Compromise Global Critical Infrastructure Networks

Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the group known as Salt Typhoon, have been conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. The campaign targets telecommunications, transportation, lodging, and military networks, exploiting vulnerabilities in routers and taking steps to evade detection and maintain persistent access. The Cybersecurity and Infrastructure Security Agency (CISA), in coordination with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners, released a joint advisory detailing this ongoing malicious activity. The advisory provides actionable guidance and intelligence to help organizations defend against these threats, describing how state-backed actors, including Salt Typhoon, penetrate networks around the world and how defenders can protect their own environments. It builds on previous reporting and incorporates updated threat intelligence from investigations conducted through August 2025, reflecting overlapping indicators with industry reporting on various Chinese state-sponsored threat groups; the advisory tracks this cluster of activity to multiple APTs, though it partially overlaps with Salt Typhoon.

Salt Typhoon has been active since at least 2019, targeting at least 600 organizations, including 200 in the U.S., across 80 countries. 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, with the oldest domain registration activity dating back to May 2020. China's offensive cyber activities include large-scale telco attacks by Salt Typhoon and positioning for potential destructive cyberattacks.

Separately, the Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about data transfers to China, highlighting concerns over the transfer of system and user data to the PRC and the remote administration of technical assets. NUKIB has assessed the risk of significant disruptions caused by China at a 'High' level, indicating a high probability of occurrence, and confirmed malicious activities of Chinese cyber actors targeting the Czech Republic, including a recent APT31 campaign against the Czech Ministry of Foreign Affairs. The Czech government had previously accused China of targeting its critical infrastructure through APT31, beginning in 2022. According to NUKIB, the Chinese government has access to data stored by private cloud service providers within the Czech Republic, ensuring that sensitive data is always within its reach. NUKIB also warns that consumer devices manufactured by Chinese firms, such as smartphones, IP cameras, electric cars, large language models, and even medical devices and photovoltaic converters, are risky devices that can transfer potentially sensitive data to Chinese infrastructure.

XenoRAT malware campaign targets foreign embassies in South Korea

A state-sponsored espionage campaign has targeted foreign embassies in South Korea since March 2025, deploying XenoRAT malware from malicious GitHub repositories. The campaign has launched at least 19 spearphishing attacks against high-value targets, including Central and Western European embassies. The attacks have been attributed to the North Korean actor Kimsuky (APT43) with medium confidence, but there are indications of possible Chinese involvement. XenoRAT is a powerful trojan capable of logging keystrokes, capturing screenshots, accessing webcams and microphones, performing file transfers, and facilitating remote shell operations. The campaign used highly contextual and multilingual email lures, often timed to match real events, and delivered password-protected archives containing malicious .LNK files; a decoy document was used to mask the malicious activity. Cloud storage services such as Dropbox and Daum Cloud were used to deliver the XenoRAT payload, and the use of cloud infrastructure helped the malicious activity fly under the radar. The campaign's activity patterns, including timezone analysis and holiday pauses, suggest possible Chinese involvement: activity originated largely from a timezone consistent with China. The attackers practiced 'rapid' infrastructure rotation to avoid detection and used Korean services and infrastructure to blend into the South Korean network.