CyberSecurity news

FlagThis - #CriticalInfrastructure

@cyberpress.org //
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against critical U.S. infrastructure, with a notable 133% surge in activity observed during May and June 2025. The transportation and manufacturing sectors have been identified as the primary targets of these intensified operations. This trend aligns with ongoing geopolitical tensions, as well as recent warnings issued by U.S. authorities like CISA and the Department of Homeland Security, which highlighted U.S. entities as prime targets for Iranian cyber actors.

Nozomi Networks Labs reported a total of 28 distinct cyber incidents linked to Iranian APTs during May and June, a substantial increase from the 12 incidents recorded in the preceding two months. Among the most active groups identified are MuddyWater, which targeted at least five U.S. companies primarily in the transportation and manufacturing sectors, and APT33, responsible for attacks on at least three U.S. entities. Other groups such as OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice were also observed conducting attacks against U.S. companies in these critical industries.

The resurfacing of the Iranian-backed Pay2Key ransomware, now operating as Pay2Key.I2P, further highlights the evolving threat landscape. This ransomware-as-a-service operation, linked to the Fox Kitten APT group, is reportedly offering an 80% profit share to affiliates targeting Iran's adversaries, including the U.S. and Israel. This financially motivated scheme has also demonstrated an ideological commitment, with claims of over 51 successful ransom payouts, netting substantial profits. The use of the Invisible Internet Project (I2P) for its infrastructure represents a notable shift in RaaS operations, potentially enhancing its evasiveness.

Recommended read:
References :
  • industrialcyber.co: Nozomi Networks Labs reported a 133% spike in cyberattacks linked to well-known Iranian threat groups during May and...
  • cyberpress.org: Iranian APTs Launch Active Cyberattacks on Transportation and Manufacturing Industries
  • gbhackers.com: Iranian APT Hackers Targeting Transportation and Manufacturing Sectors in Active Attacks
  • Industrial Cyber: Nozomi finds 133% surge in Iranian cyberattacks targeting US, as transportation and manufacturing most affected
  • gbhackers.com: Nozomi Networks Labs cybersecurity researchers have reported a startling 133% increase in cyberattacks linked to well-known Iranian advanced persistent threat (APT) groups in May and June 2025, following current tensions with Iran.

Sam Silverstein@cybersecuritydive.com //
United Natural Foods (UNFI), a major grocery distributor serving over 30,000 stores across North America including Whole Foods Market, is grappling with disruptions to customer orders following a recent cyberattack. The company, which acts as the "primary distributor" for Whole Foods, detected unauthorized activity on its IT systems on June 5th. In response, UNFI initiated its incident response plan, proactively taking certain systems offline to contain the breach. The incident has already caused temporary disruptions to business operations, and the company anticipates these disruptions will continue as they work to restore their systems.

UNFI has engaged third-party cybersecurity professionals and notified law enforcement as part of its efforts to assess, mitigate, and remediate the incident. The company is implementing workarounds to continue servicing customers where possible. Kristen Jimenez, a UNFI spokesperson, declined to comment on the nature of the cyberattack or whether any ransom demands have been made. UNFI is one of the largest grocery distributors in North America, supplying fresh produce, goods, and food products to a vast network of retailers, including major chains like Amazon, Target, and Walmart. In its most recent financial report, the company declared $8.2 billion in net sales.

This cyberattack on UNFI highlights the increasing vulnerability of the food supply chain to malicious actors. The incident follows a series of recent cyberattacks affecting the wider retail and grocery sector. UNFI did not say when it expects to recover its systems but assured customers, suppliers and associates that it was working to minimize disruption as much as possible. The company's agreement to be the primary distributor for Whole Foods has been extended to May 2032.

Recommended read:
References :
  • Zack Whittaker: New: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the "primary distributor" to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders. A UNFI spox. wouldn't say if the company has received any demands from the hacker.
  • techcrunch.com: UNFI, a grocery distributor for Whole Foods and others, warned of disruptions to customer orders after a cyberattack.
  • cyberinsider.com: United Natural Foods, Inc. (UNFI) disclosed that it had detected unauthorized activity on its IT systems, prompting the company to initiate its incident response plan and take systems offline.
  • The Register - Security: Let them eat junk food: Major organic supplier to Whole Foods, Walmart, hit by cyberattack
  • www.cybersecuritydive.com: UNFI, a grocery retailer and wholesaler, is working to resume full operations following “unauthorized activity” involving its IT systems.
  • go.theregister.com: North American grocery wholesaler United Natural Foods told regulators that a cyber incident temporarily disrupted operations, including its ability to fulfill customer orders.
  • techcrunch.com: New: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the "primary distributor" to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders.
  • Threats | CyberScoop: United Natural Foods, distributor for Whole Foods Market, hit by cyberattack
  • CyberInsider: United Natural Foods, Inc. (UNFI) disclosed that it had detected unauthorized activity on its IT systems, prompting the company to initiate its incident response plan and take systems offline.
  • Catalin Cimpanu: A cyberattack is disrupting the operations of United Natural Foods, a distributor of grocery products in the US. United Natural Foods is the largest grocery carrier and the 14th largest logistics company in the US.
  • cyberscoop.com: United Natural Foods, distributor for Whole Foods Market, hit by cyberattack
  • www.ttnews.com: UNFI hit by cyberattack, orders may be disrupted
  • Techzine Global: Cyber incident disrupted food wholesalers’ operations
  • The Register: GeekNews.chat post about major organic supplier to Whole Foods, Walmart, hit by cyberattack
  • techcrunch.com: United Natural Foods said it is "diligently managing through the cyber incident" that sparked disruption outages.
  • www.techradar.com: Key Whole Foods supplier hit by major cyberattack - delays possibly on the way
  • BleepingComputer: Grocery wholesale giant United Natural Foods hit by cyberattack
  • SecureWorld News: Whole Foods Supplier United Natural Foods Hit in Cyber Attack
  • cyberscoop.com: United Natural Foods fulfilling orders on ‘limited basis’ in wake of cyberattack
  • The Dysruption Hub: UNFI's cyberattack disrupts deliveries to 30,000+ stores, including Whole Foods. Stock drops 8% amid fears of ransomware and food shortages.
  • industrialcyber.co: Grocery wholesaler UNFI faces operational disruptions after cyberattack
  • Zack Whittaker: US grocery distribution giant United Natural Foods (UNFI) said it's working to bring its systems online after a cyberattack.
  • Tech Monitor: UNFI, a grocery wholesale distributor in North America, experienced a cyberattack that necessitated the shutdown of some specific systems.
  • Threats | CyberScoop: United Natural Foods fulfilling orders on ‘limited basis’ in wake of cyberattack
  • techcrunch.com: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the primary distributor to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders.
  • Industrial Cyber: UNFI's systems are affected by the cyberattack.
  • www.cybersecuritydive.com: UNFI’s operations remain hobbled following cyberattack
  • Metacurity: US grocery distributor United Natural Foods is the latest retail-related cyber victim
  • www.itpro.com: Everything we know so far about the United Natural Foods cyber attack
  • techcrunch.com: Zack Whittaker's report on TechCrunch about the UNFI cyberattack.
  • www.esecurityplanet.com: Cyberattack Disrupts Whole Foods Supplier, Causing Delivery Delays and Empty Shelves
  • www.bitdefender.com: The spate of cyber attacks impacting the retail industry continues, with the latest victim being United Natural Foods (UNFI), which supplies organic produce to Whole Foods, Amazon, Target, and Walmart, amongst many others.
  • bsky.app: United Natural Foods (UNFI), one of the USA's largest wholesale distributors of healthy and specialty food, has been hit by a cyber attack The supplier of organic produce to Whole Foods, Amazon, Walmart, and others, revealed its breach in a SEC filing
  • Graham Cluley: The supplier of organic produce revealed in a SEC filing that after discovering unauthorised network activity it had "activated its incident response plan and implemented containment measures, including proactively taking certain systems offline."
  • techxplore.com: With retail cyberattacks on the rise, customers find orders blocked and shelves empty
  • Lukasz Olejnik: Cyberattack on food store chain Whole Foods is leaving shelves empty as key distributor scrambles to restore systems. Shoppers and small grocers feel the heat—our food supply chain is fragile. In the digital age, cybersecurity is food security.
  • eSecurity Planet: Cyberattack Disrupts Whole Foods Supplier, Causing Delivery Delays and Empty Shelves
  • Graham Cluley: The spate of cyber attacks impacting the retail industry continues. The latest victim is UNFI, one of the USA's largest wholesale distributors of healthy and specialty food.
  • Vulnerable U: UNFI Cyberattack Halts Deliveries to Whole Foods and 30,000+ Grocery Stores
  • www.metacurity.com: US grocery distributor United Natural Foods is the latest retail-related cyber victim
  • techcrunch.com: Whole Foods warns of shortages after cyberattack at its primary distributor UNFI
  • securityaffairs.com: securityaffairs.com describes the cyberattack on United Natural Foods caused bread shortages and bare shelves.
  • ciso2ciso.com: A cyberattack on United Natural Foods caused bread shortages and bare shelves – Source: securityaffairs.com
  • The Record: United Natural Foods (UNFI) said in a weekend update that it “made significant progress" toward restoring its ordering systems after a cyberattack affected the company's ability to keep grocery stores stocked.
  • Zack Whittaker: NEW: United Natural Foods (UNFI) said it's making "significant progress" in restoring its systems after a cyberattack earlier this month.
  • techcrunch.com: NEW: United Natural Foods (UNFI) said it's making "significant progress" in restoring its systems after a cyberattack earlier this month. The hack left grocery stores and supermarkets across the U.S. and Canada without food supplies and caused shelf shortages, including at Whole Foods and others.

Jacob Finn@Cisco Talos Blog //
References: Cisco Talos Blog , Cisco Talos , bsky.app ...
A new destructive malware, dubbed PathWiper, has been discovered targeting critical infrastructure in Ukraine. Cisco Talos researchers identified the wiper after observing an attack on a Ukrainian entity. The attackers, believed to be a Russia-nexus APT actor, gained access to a legitimate endpoint administration framework and used it to deploy PathWiper across connected endpoints. The malware is designed to overwrite data with random bytes, effectively disrupting the targeted systems. The discovery highlights the continued cyber threat to Ukrainian critical infrastructure amidst the ongoing conflict.

The attack unfolded through a compromised administrative console. Attackers issued commands via the console, which were received by clients running on the endpoints and executed as batch files. These files contained commands to execute a malicious VBScript file named "uacinstall.vbs", which, in turn, dropped and executed the PathWiper executable. The filenames and actions used throughout the attack were designed to mimic those of the administrative utility, suggesting the attackers had prior knowledge of the console and its functionality within the targeted environment.

Once executed, PathWiper identifies connected storage media and overwrites crucial file system artifacts with random data. It targets physical drives, volume names, network drive paths, and critical files like the Master Boot Record (MBR). The malware creates a thread for each drive and volume, overwriting the contents with randomly generated bytes, effectively destroying data and disrupting system operations. While PathWiper shares some similarities with HermeticWiper, another wiper used in previous attacks against Ukraine, there are notable differences in their data corruption mechanisms.
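The delivery chain described above (endpoint-management client, batch file, script host running "uacinstall.vbs", dropped executable) is visible in ordinary process-creation telemetry. The following is an added detection example, not code from Cisco Talos or from the page; it walks parent/child relationships over a constructed set of events and flags the chain. The management-client image name (`mgmtclient.exe`) and the dropped payload name (`payload_placeholder.exe`) are assumptions, since the page does not name either; the chain is also scored at medium severity when a script host is launched from a batch file pushed by the management client even if the VBScript is not called uacinstall.vbs, so a renamed script is still surfaced.

```python
"""Heuristic detection of a batch -> VBScript -> executable delivery chain
pushed through an endpoint-management client (constructed example)."""
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # lower-case base name of the executable, e.g. "cmd.exe"
    cmdline: str   # full command line as recorded by the sensor


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"cmd.exe"}
KNOWN_VBS = "uacinstall.vbs"   # filename reported in the PathWiper write-up


def _ancestry(ev, by_pid):
    """Return [ev, parent, grandparent, ...] as far as the telemetry reaches."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def find_wiper_delivery_chains(events, admin_client_image):
    """Flag script hosts launched from a batch file whose parent is the
    endpoint-management client. Returns one finding per matching script host."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ev.image not in SCRIPT_HOSTS or ".vbs" not in ev.cmdline.lower():
            continue
        chain = _ancestry(ev, by_pid)
        parent = chain[1] if len(chain) > 1 else None
        grand = chain[2] if len(chain) > 2 else None
        from_batch = (parent is not None and parent.image in SHELLS
                      and ".bat" in parent.cmdline.lower())
        from_admin = grand is not None and grand.image == admin_client_image
        if not (from_batch and from_admin):
            continue
        # Exact filename match is high confidence; the same chain with a
        # different script name is still worth a look (medium).
        severity = "high" if KNOWN_VBS in ev.cmdline.lower() else "medium"
        # Any non-script-host child of the script host is a candidate dropped payload.
        dropped = [c.image for c in events
                   if c.ppid == ev.pid and c.image not in SCRIPT_HOSTS]
        findings.append({
            "pid": ev.pid,
            "severity": severity,
            "chain": [c.image for c in reversed(chain)],
            "dropped": dropped,
        })
    return findings


# Constructed telemetry: one malicious chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "services.exe", "services.exe"),
    ProcEvent(200, 100, "mgmtclient.exe", "mgmtclient.exe -svc"),  # assumed client name
    ProcEvent(300, 200, "cmd.exe", 'cmd.exe /c "C:\\Temp\\task.bat"'),
    ProcEvent(400, 300, "wscript.exe", 'wscript.exe "C:\\Temp\\uacinstall.vbs"'),
    ProcEvent(500, 400, "payload_placeholder.exe", "C:\\Temp\\payload_placeholder.exe"),
    # Benign: the same client pushing a software install through a batch file.
    ProcEvent(600, 200, "cmd.exe", 'cmd.exe /c "C:\\Temp\\install.bat"'),
    ProcEvent(700, 600, "msiexec.exe", "msiexec.exe /i app.msi /qn"),
    # Benign: a user running a VBScript from Explorer, no management client involved.
    ProcEvent(800, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(900, 800, "wscript.exe", 'wscript.exe "C:\\Users\\a\\logon.vbs"'),
]


if __name__ == "__main__":
    for f in find_wiper_delivery_chains(SAMPLE_EVENTS, "mgmtclient.exe"):
        print(f["severity"], " -> ".join(f["chain"]), "dropped:", f["dropped"])
```

The check keys on the relationship between processes rather than on a hash, which is what survives a renamed payload; in production the `admin_client_image` value should be the real management agent deployed in the environment, and the finding should be enriched with the batch file's contents from the sensor before it is escalated.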

Recommended read:
References :
  • Cisco Talos Blog: Newly identified wiper malware “PathWiper” targets critical infrastructure in Ukraine
  • Cisco Talos: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • securityonline.info: PathWiper: Russia-Linked APT Deploys New Wiper Malware Against Ukrainian Infrastructure
  • bsky.app: Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper called PathWiper
  • The Hacker News: New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack
  • cyberpress.org: New pathWiper Malware Strikes Critical Infrastructure with Admin Tool Deployment
  • securityaffairs.com: Russia-linked threat actors target Ukraine with PathWiper wiper
  • blog.talosintelligence.com: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • Cisco Talos: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor.
  • The Register - Security: Destructive malware has been a hallmark of Putin's multi-modal war A new strain of wiper malware targeting Ukrainian infrastructure is being linked to pro-Russian hackers, in the latest sign of Moscow's evolving cyber tactics.
  • RedPacket Security: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure
  • ciso2ciso.com: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure - Source: go.theregister.com
  • BleepingComputer: A new data wiper malware named 'PathWiper' is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country.
  • Cisco Talos Blog: In this week's newsletter, Martin emphasizes that awareness, basic cyber hygiene and preparation are essential for everyone, and highlights Talos' discovery of the new PathWiper malware.
  • Security Affairs: Cisco Talos researchers reported that attackers utilized a legitimate endpoint administration tool, indicating they had access to the administrative console, then used it to deploy PathWiper across the victim network.
  • Catalin Cimpanu: Multiple sources indicate the use of PathWiper malware against Ukrainian critical infrastructure.
  • Industrial Cyber: Industrial Cyber article on PathWiper malware targeting Ukrainian critical infrastructure.
  • hackread.com: News article about the new PathWiper malware striking Ukraine’s critical infrastructure
  • industrialcyber.co: Researchers from Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, involving a previously...
  • www.csoonline.com: A destructive new malware, dubbed PathWiper, has struck Ukraine’s critical infrastructure, erasing data and disabling essential systems, according to a recent Cisco Talos report.
  • www.scworld.com: Ukraine's critical infrastructure subjected to novel PathWiper compromise
  • ciso2ciso.com: New PathWiper Malware Strikes Ukraine’s Critical Infrastructure – Source:hackread.com

@industrialcyber.co //
Nova Scotia Power and its parent company, Emera Inc., are actively responding to a cybersecurity incident that has impacted their Canadian IT network. The companies detected unauthorized access to parts of their network and servers which support certain business applications. Immediately upon discovering the intrusion, both companies activated their incident response and business continuity protocols. Top-tier third-party cybersecurity experts have been engaged to assist in isolating the affected systems and preventing any further unauthorized access.

Law enforcement agencies have been notified and an investigation is currently underway. Despite the breach, Emera and Nova Scotia Power stated that there has been no disruption to any of their Canadian physical operations. This includes Nova Scotia Power's generation, transmission, and distribution facilities, as well as the Maritime Link and the Brunswick Pipeline. The incident has not affected the utility's ability to safely and reliably serve its customers in Nova Scotia, nor has it impacted Emera's utilities in the U.S. or the Caribbean.

The IT team is working diligently with cybersecurity experts to bring the affected portions of the IT system back online. Nova Scotia Power customers can find the latest updates online. Emera is scheduled to publish its first quarter financial statements and management disclosure on May 8, 2025, as planned. Currently, the incident is not expected to have a material impact on the financial performance of the business.

Recommended read:
References :
  • industrialcyber.co: Emera, Nova Scotia Power respond to cybersecurity breach; incident response teams mobilized
  • securityaffairs.com: Canadian electric utility Nova Scotia Power and parent company Emera suffered a cyberattack
  • cyberinsider.com: Nova Scotia Power Says Cybersecurity Incident Impacting IT Systems
  • www.scworld.com: Cyberattack impacts Nova Scotia Power's systems
  • www.cybersecurity-insiders.com: Canadian electric utility Nova Scotia Power and parent company Emera are facing a cyberattack that disrupted their IT systems and networks.