CyberSecurity news

FlagThis - #criticalinfrastructure

Sam Silverstein@cybersecuritydive.com //
United Natural Foods (UNFI), a major grocery distributor serving more than 30,000 stores across North America, including Whole Foods Market, is grappling with disruptions to customer orders following a cyberattack. The company, which is the "primary distributor" for Whole Foods, detected unauthorized activity on its IT systems on June 5. In response, UNFI activated its incident response plan and proactively took certain systems offline to contain the intrusion. The incident has already caused temporary disruptions to business operations, and the company expects those disruptions to continue while it restores its systems.

UNFI has engaged third-party cybersecurity professionals and notified law enforcement as part of its efforts to assess, mitigate, and remediate the incident. The company is implementing workarounds to continue serving customers where possible. Kristen Jimenez, a UNFI spokesperson, declined to comment on the nature of the attack or on whether any ransom demand has been made. UNFI is one of the largest grocery distributors in North America, supplying fresh produce and other food products to a vast network of retailers, including major chains such as Amazon, Target, and Walmart. In its most recent financial report it declared $8.2 billion in net sales.

This attack underscores the growing exposure of the food supply chain to malicious actors, and it follows a series of recent cyberattacks against the wider retail and grocery sector. UNFI did not say when it expects to recover its systems but assured customers, suppliers and associates that it was working to minimize disruption as much as possible. Its agreement to serve as Whole Foods' primary distributor has been extended to May 2032.

References:
  • Zack Whittaker: New: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the "primary distributor" to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders. A UNFI spox. wouldn't say if the company has received any demands from the hacker.
  • techcrunch.com: UNFI, a grocery distributor for Whole Foods and others, warned of disruptions to customer orders after a cyberattack.
  • cyberinsider.com: United Natural Foods, Inc. (UNFI) disclosed that it had detected unauthorized activity on its IT systems, prompting the company to initiate its incident response plan and take systems offline.
  • The Register - Security: Let them eat junk food: Major organic supplier to Whole Foods, Walmart, hit by cyberattack
  • www.cybersecuritydive.com: UNFI, a grocery retailer and wholesaler, is working to resume full operations following "unauthorized activity" involving its IT systems.
  • go.theregister.com: North American grocery wholesaler United Natural Foods told regulators that a cyber incident temporarily disrupted operations, including its ability to fulfill customer orders.
  • techcrunch.com: New: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the "primary distributor" to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders.
  • Threats | CyberScoop: United Natural Foods, distributor for Whole Foods Market, hit by cyberattack
  • CyberInsider: United Natural Foods, Inc. (UNFI) disclosed that it had detected unauthorized activity on its IT systems, prompting the company to initiate its incident response plan and take systems offline.
  • Catalin Cimpanu: A cyberattack is disrupting the operations of United Natural Foods, a distributor of grocery products in the US. United Natural Foods is the largest grocery carrier and the 14th largest logistics company in the US.
  • cyberscoop.com: United Natural Foods, distributor for Whole Foods Market, hit by cyberattack
  • www.ttnews.com: UNFI hit by cyberattack, orders may be disrupted
  • Techzine Global: Cyber incident disrupted food wholesalers’ operations
  • The Register: GeekNews.chat post about major organic supplier to Whole Foods, Walmart, hit by cyberattack
  • techcrunch.com: United Natural Foods said it is "diligently managing through the cyber incident" that sparked disruption outages.
  • www.techradar.com: Key Whole Foods supplier hit by major cyberattack - delays possibly on the way
  • BleepingComputer: Grocery wholesale giant United Natural Foods hit by cyberattack
  • SecureWorld News: Whole Foods Supplier United Natural Foods Hit in Cyber Attack
  • cyberscoop.com: United Natural Foods fulfilling orders on ‘limited basis’ in wake of cyberattack
  • The Dysruption Hub: UNFI's cyberattack disrupts deliveries to 30,000+ stores, including Whole Foods. Stock drops 8% amid fears of ransomware and food shortages.
  • industrialcyber.co: Grocery wholesaler UNFI faces operational disruptions after cyberattack
  • Zack Whittaker: US grocery distribution giant United Natural Foods (UNFI) said it's working to bring its systems online after a cyberattack.
  • Tech Monitor: UNFI, a grocery wholesale distributor in North America, experienced a cyberattack that necessitated the shutdown of some specific systems.
  • Threats | CyberScoop: United Natural Foods fulfilling orders on ‘limited basis’ in wake of cyberattack
  • techcrunch.com: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the primary distributor to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders.
  • Industrial Cyber: UNFI's systems are affected by the cyberattack.
  • www.cybersecuritydive.com: UNFI’s operations remain hobbled following cyberattack
  • Metacurity: US grocery distributor United Natural Foods is the latest retail-related cyber victim
  • www.itpro.com: Everything we know so far about the United Natural Foods cyber attack
  • techcrunch.com: Zack Whittaker's report on TechCrunch about the UNFI cyberattack.
  • www.esecurityplanet.com: Cyberattack Disrupts Whole Foods Supplier, Causing Delivery Delays and Empty Shelves
  • www.bitdefender.com: The spate of cyber attacks impacting the retail industry continues, with the latest victim being United Natural Foods (UNFI), which supplies organic produce to Whole Foods, Amazon, Target, and Walmart, amongst many others.
  • bsky.app: United Natural Foods (UNFI), one of the USA's largest wholesale distributors of healthy and specialty food, has been hit by a cyber attack The supplier of organic produce to Whole Foods, Amazon, Walmart, and others, revealed its breach in a SEC filing
  • Graham Cluley: The supplier of organic produce revealed in a SEC filing that after discovering unauthorised network activity it had "activated its incident response plan and implemented containment measures, including proactively taking certain systems offline."
  • techxplore.com: With retail cyberattacks on the rise, customers find orders blocked and shelves empty
  • Lukasz Olejnik: Cyberattack on food store chain Whole Foods is leaving shelves empty as key distributor scrambles to restore systems. Shoppers and small grocers feel the heat—our food supply chain is fragile. In the digital age, cybersecurity is food security.
  • eSecurity Planet: Cyberattack Disrupts Whole Foods Supplier, Causing Delivery Delays and Empty Shelves
  • Graham Cluley: The spate of cyber attacks impacting the retail industry continues. The latest victim is UNFI, one of the USA's largest wholesale distributors of healthy and specialty food.
  • Vulnerable U: UNFI Cyberattack Halts Deliveries to Whole Foods and 30,000+ Grocery Stores
  • www.metacurity.com: US grocery distributor United Natural Foods is the latest retail-related cyber victim
  • techcrunch.com: Whole Foods warns of shortages after cyberattack at its primary distributor UNFI
  • securityaffairs.com: A cyberattack on United Natural Foods caused bread shortages and bare shelves.
  • ciso2ciso.com: A cyberattack on United Natural Foods caused bread shortages and bare shelves – Source: securityaffairs.com
  • The Record: United Natural Foods (UNFI) said in a weekend update that it “made significant progress" toward restoring its ordering systems after a cyberattack affected the company's ability to keep grocery stores stocked.
  • Zack Whittaker: NEW: United Natural Foods (UNFI) said it's making "significant progress" in restoring its systems after a cyberattack earlier this month.
  • techcrunch.com: NEW: United Natural Foods (UNFI) said it's making "significant progress" in restoring its systems after a cyberattack earlier this month. The hack left grocery stores and supermarkets across the U.S. and Canada without food supplies and caused shelf shortages, including at Whole Foods and others.

Jacob Finn@Cisco Talos Blog //
References: Cisco Talos Blog, Cisco Talos, bsky.app ...
A new destructive malware, dubbed PathWiper, has been discovered targeting critical infrastructure in Ukraine. Cisco Talos researchers identified the wiper while investigating an attack on a Ukrainian critical infrastructure entity. The attackers, attributed with high confidence to a Russia-nexus APT actor, gained access to a legitimate endpoint administration framework and used it to push PathWiper to connected endpoints. The malware overwrites data with random bytes, rendering the affected systems unusable. The discovery highlights the continued cyber threat to Ukrainian critical infrastructure amid the ongoing conflict.

The attack unfolded through a compromised administrative console. Commands issued from the console were received by the agent client running on each endpoint and executed as batch files. Those batch files ran a malicious VBScript named "uacinstall.vbs", which in turn dropped and executed the PathWiper executable. The filenames and actions used throughout the attack mimicked those of the administrative utility, suggesting the attackers had prior knowledge of the console and how it was used in the targeted environment.
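The deployment chain in the paragraph above is what a defender can hunt for in process-creation telemetry, and the detection survives even when the wiper binary itself is unknown. The following is an added example, not code from Talos or from the page: it walks constructed Sysmon-style process events and flags three things, the named uacinstall.vbs script, any script host descended from the management agent, and the full agent -> batch file -> VBScript -> executable chain. The agent binary name (agentclient.exe), the paths, the PIDs and the svcupd.exe placeholder for the wiper binary are assumptions; only the uacinstall.vbs name comes from the report.

```python
"""Hunt process-creation telemetry for the PathWiper deployment chain:
endpoint-admin agent client -> cmd.exe running a batch file ->
wscript/cscript running a VBScript -> executable launched by the script host.

Added example; the events below are constructed, not taken from the Talos report.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 or EDR telemetry provide).
    Real telemetry should key on a process GUID, since PIDs are reused over time."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # command line as logged


# Assumption: the legitimate endpoint-administration client is called agentclient.exe.
# Swap in the agent binary actually deployed in your estate.
AGENT_CLIENT = "agentclient.exe"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
IOC_SCRIPT = "uacinstall.vbs"          # script name reported in the PathWiper attack
INTERPRETERS = SCRIPT_HOSTS | {"cmd.exe", "powershell.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Return [ev, parent, grandparent, ...], stopping at an unknown parent or a PID loop."""
    chain, seen, cur = [ev], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def classify(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Rules that fire for this event; each maps to one observation in the report."""
    hits: List[str] = []
    chain = ancestry(ev, by_pid)
    names = [basename(p.image) for p in chain]
    img = names[0]
    under_agent = AGENT_CLIENT in names[1:]

    # Rule 1: the named script file (high confidence, brittle against renaming).
    if img in SCRIPT_HOSTS and IOC_SCRIPT in ev.cmdline.lower():
        hits.append("ioc_uacinstall_vbs")
    # Rule 2: any script host descended from the admin agent (survives renaming).
    if img in SCRIPT_HOSTS and under_agent:
        hits.append("script_host_under_agent")
    # Rule 3: the full chain: a non-interpreter binary launched by a script host,
    # whose parent cmd.exe ran a .bat, all under the admin agent.
    if (len(names) >= 3 and names[1] in SCRIPT_HOSTS and names[2] == "cmd.exe"
            and ".bat" in chain[2].cmdline.lower() and under_agent
            and img not in INTERPRETERS):
        hits.append("agent_bat_vbs_exe_chain")
    return hits


def hunt(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, ancestry) triples for every rule that fires."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        for rule in classify(ev, by_pid):
            chain = " <- ".join(basename(p.image) for p in ancestry(ev, by_pid))
            alerts.append((ev.pid, rule, chain))
    return alerts


# Constructed telemetry. Paths, PIDs and file names other than uacinstall.vbs are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(400, 4, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(1200, 400, r"C:\Program Files\AdminAgent\agentclient.exe", "agentclient.exe"),
    # Routine job from the console: a batch file that runs an inventory script (benign).
    ProcEvent(3000, 1200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Program Files\AdminAgent\tasks\inventory.bat"'),
    ProcEvent(3100, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -File "C:\Program Files\AdminAgent\tasks\inventory.ps1"'),
    # The deployment chain described above; svcupd.exe stands in for the wiper binary.
    ProcEvent(2200, 1200, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Program Files\AdminAgent\tasks\job_8841.bat"'),
    ProcEvent(2300, 2200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Program Files\AdminAgent\uacinstall.vbs"'),
    ProcEvent(2400, 2300, r"C:\Program Files\AdminAgent\svcupd.exe",
              r'"C:\Program Files\AdminAgent\svcupd.exe"'),
    # A user's logon script: a script host with no admin-agent ancestor (benign).
    ProcEvent(800, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(5100, 800, r"C:\Windows\System32\wscript.exe", r"wscript.exe \\fs01\netlogon\logon.vbs"),
]

if __name__ == "__main__":
    for pid, rule, chain in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {chain}")
```

Rule 2 is the one worth keeping after the file names change: a legitimate endpoint-administration agent rarely needs to launch wscript.exe or cscript.exe, so baseline what your agent normally spawns and alert on the exceptions. In production, key the process map on a process GUID rather than the PID, and feed it the raw Sysmon or EDR stream instead of the constructed list.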

Once executed, PathWiper enumerates the connected storage media and overwrites critical file system artifacts with random data. It targets physical drives, volume names, network drive paths, and on-disk structures such as the Master Boot Record (MBR) and NTFS metadata files. The malware spawns a thread per drive and volume, overwriting their contents with randomly generated bytes, destroying data and halting system operation. PathWiper shares some similarities with HermeticWiper, a wiper used in earlier attacks against Ukraine, but the two differ notably in how they corrupt data.

References:
  • Cisco Talos Blog: Newly identified wiper malware "PathWiper" targets critical infrastructure in Ukraine
  • Cisco Talos: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • securityonline.info: PathWiper: Russia-Linked APT Deploys New Wiper Malware Against Ukrainian Infrastructure
  • bsky.app: Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, using a previously unknown wiper called PathWiper
  • The Hacker News: New PathWiper Data Wiper Malware Disrupts Ukrainian Critical Infrastructure in 2025 Attack
  • cyberpress.org: New pathWiper Malware Strikes Critical Infrastructure with Admin Tool Deployment
  • securityaffairs.com: Russia-linked threat actors targets Ukraine with PathWiper wiper
  • blog.talosintelligence.com: New destructive malware alert: Talos uncovered "PathWiper," a wiper targeting Ukrainian critical infrastructure, which we attribute with high confidence to a Russia-nexus APT actor. Learn how the attack unfolded:
  • The Register - Security: Destructive malware has been a hallmark of Putin's multi-modal war A new strain of wiper malware targeting Ukrainian infrastructure is being linked to pro-Russian hackers, in the latest sign of Moscow's evolving cyber tactics.
  • RedPacket Security: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure
  • ciso2ciso.com: Fresh strain of pro-Russian wiper flushes Ukrainian critical infrastructure - Source: go.theregister.com
  • BleepingComputer: A new data wiper malware named 'PathWiper' is being used in targeted attacks against critical infrastructure in Ukraine, aimed at disrupting operations in the country.
  • Cisco Talos Blog: In this week's newsletter, Martin emphasizes that awareness, basic cyber hygiene and preparation are essential for everyone, and highlights Talos' discovery of the new PathWiper malware.
  • Security Affairs: Cisco Talos researchers reported that attackers utilized a legitimate endpoint administration tool, indicating they had access to the administrative console, then used it to deploy PathWiper across the victim network.
  • Catalin Cimpanu: Multiple sources indicate the use of PathWiper malware against Ukrainian critical infrastructure.
  • Industrial Cyber: Industrial Cyber article on PathWiper malware targeting Ukrainian critical infrastructure.
  • hackread.com: News article about the new PathWiper malware striking Ukraine's critical infrastructure
  • industrialcyber.co: Researchers from Cisco Talos observed a destructive attack on a critical infrastructure entity within Ukraine, involving a previously...
  • www.csoonline.com: A destructive new malware, dubbed PathWiper, has struck Ukraine’s critical infrastructure, erasing data and disabling essential systems, according to a recent Cisco Talos report.
  • www.scworld.com: Ukraine's critical infrastructure subjected to novel PathWiper compromise
  • ciso2ciso.com: New PathWiper Malware Strikes Ukraine’s Critical Infrastructure – Source:hackread.com

@industrialcyber.co //
Nova Scotia Power and its parent company, Emera Inc., are responding to a cybersecurity incident affecting their Canadian IT network. The companies detected unauthorized access to parts of their network and to servers supporting certain business applications. On discovering the intrusion, both companies activated their incident response and business continuity protocols, and leading third-party cybersecurity experts have been engaged to help isolate the affected systems and prevent further unauthorized access.

Law enforcement agencies have been notified and an investigation is currently underway. Despite the breach, Emera and Nova Scotia Power stated that there has been no disruption to any of their Canadian physical operations. This includes Nova Scotia Power's generation, transmission, and distribution facilities, as well as the Maritime Link and the Brunswick Pipeline. The incident has not affected the utility's ability to safely and reliably serve its customers in Nova Scotia, nor has it impacted Emera's utilities in the U.S. or the Caribbean.

The IT team is working with the outside cybersecurity experts to bring the affected portions of the IT environment back online, and Nova Scotia Power is posting updates for customers online. Emera still plans to publish its first-quarter financial statements and management disclosure on May 8, 2025, and the incident is not currently expected to have a material impact on the financial performance of the business.

References:
  • industrialcyber.co: Emera, Nova Scotia Power respond to cybersecurity breach; incident response teams mobilized
  • securityaffairs.com: Canadian electric utility Nova Scotia Power and parent company Emera suffered a cyberattack
  • cyberinsider.com: Nova Scotia Power Says Cybersecurity Incident Impacting IT Systems
  • www.scworld.com: Cyberattack impacts Nova Scotia Power's systems
  • www.cybersecurity-insiders.com: Canadian electric utility Nova Scotia Power and parent company Emera are facing a cyberattack that disrupted their IT systems and networks.

@cyble.com //
References: cyble.com, threatmon.io
Hacktivist groups are adopting more sophisticated and destructive attack methods, moving beyond basic DDoS attacks to ransomware against critical infrastructure. These groups, motivated by ideological goals, are focusing on government platforms and industrial manufacturers. Pro-Russian hacktivists primarily target NATO-aligned nations and supporters of Ukraine, while pro-Ukrainian, pro-Palestinian, and anti-establishment groups focus on Russia, Israel, and the United States. The evolution reflects a shift toward hybrid tactics that combine DDoS, credential leaks, and ICS disruption to overcome defenses built around a single attack type.

The energy sector is particularly exposed, since a successful breach there poses severe risks to national security, economic stability, and public safety. The CyberAv3ngers group exemplifies this threat: although it presents itself as a hacktivist collective, it is an Iranian state-sponsored actor that actively targets industrial control systems in the water, oil and gas, and other critical infrastructure sectors worldwide. The group has already caused disruption in several countries and shows no sign of slowing down. Its actions are a rare example of state-sponsored saboteurs crossing the line from reconnaissance into actual disruption of critical infrastructure.

Reports and investigations highlight vulnerabilities in power grids and other key systems. Recent investigations have reportedly found hidden capabilities in Chinese-manufactured power transformers that could allow remote shutdown from overseas, prompting concern about potential "sleeper cells" inside critical national systems. Ransomware, meanwhile, remains a major threat, causing operational disruptions, data breaches, and financial losses. The industry is responding with increased cybersecurity investment and more proactive strategies, as practitioners increasingly rank cybersecurity as the greatest risk to their business.

References:
  • cyble.com: Cyble report on hacktivists moving into ransomware attacks.
  • threatmon.io: Ransomware attacks remain one of the most critical threats to modern businesses, leading to severe operational disruptions, data breaches, and substantial financial losses.

@www.wsj.com //
References: Sam Bent, DataBreaches.Net, WIRED ...
China has reportedly acknowledged its role in cyberattacks against U.S. critical infrastructure, specifically those attributed to the Volt Typhoon campaign. The admission came during a secret meeting with U.S. officials in December, according to SecurityWeek, citing a Wall Street Journal report. U.S. officials read Volt Typhoon's activity, which involved infiltrating systems across multiple industries through zero-day exploits and other advanced tactics, as an attempt to deter U.S. support for Taiwan. Cyberespionage by the Chinese state-backed Salt Typhoon group against U.S. telecommunications firms, which compromised the communications of U.S. officials, was also discussed.

These attacks are part of a broader pattern of Chinese state-backed hackers increasing their activity against infrastructure in the U.S., Europe, and the Asia-Pacific region. Recent intelligence indicates that groups such as Volt Typhoon and Salt Typhoon have infiltrated power grids, telecommunications networks, and transportation systems. Their apparent goal is to preposition for disruption or coercive retaliation during a conflict or period of geopolitical tension. This posture has been described as installing dormant "logic bombs" to be triggered during a crisis, maintaining persistent access while minimizing the risk of detection.

The intensified cyber activity is viewed as one component of China's cyber-enabled irregular warfare strategy. Analysis by IT security professional Simone Kraus, cited in these reports, links a power grid failure in Taiwan to a Volt Typhoon logic bomb and describes similar occurrences in European infrastructure. The sophistication of the campaign lies in its "living off the land" techniques, which rely on built-in system tools rather than custom malware, combined with proxy groups and disinformation to pursue strategic objectives without triggering a conventional military response. Kraus's analysis raises concern because of the potential for devastating real-world consequences if critical infrastructure is compromised.

References:
  • Sam Bent: In a closed-door Geneva summit, Chinese officials admitted—albeit indirectly—to orchestrating Volt Typhoon cyberattacks on US infrastructure. The move signals escalating covert conflict over Taiwan and exposes the US grid’s vulnerability to prolonged foreign infiltration.
  • DataBreaches.Net: Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.
  • www.metacurity.com: China acknowledged US cyberattacks at a secret meeting, report
  • WIRED: China Secretly (and Weirdly) Admits It Hacked US Infrastructure
  • Risky Business Media: China privately admits to hacking American critical infrastructure, the US Treasury was compromised by password spraying, America will sign a global spyware agreement after all, and a Chinese APT is abusing the Windows Sandbox to hide its malware.
  • securityaffairs.com: China admitted its role in Volt Typhoon cyberattacks on U.S. infrastructure, WSJ reports.
  • The Register - Security: China reportedly admitted directing cyberattacks on US infrastructure at a meeting with their American counterparts, according to The Wall Street Journal.
  • Schneier on Security: China Sort of Admits to Being Behind Volt Typhoon
  • oodaloop.com: China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure: Report
  • www.scworld.com: US critical infrastructure attacks reportedly acknowledged by China
  • OODAloop: In a secret meeting that took place late last year between Chinese and American officials, the former confirmed that China had conducted cyberattacks against US infrastructure as part of the campaign known as Volt Typhoon, according to The Wall Street Journal.
  • cybersecuritynews.com: Chinese Hackers Attacking Critical Infrastructure to Sabotage Networks
  • Metacurity: China acknowledged US cyberattacks at a secret meeting, report
  • ciso2ciso.com: China Sort of Admits to Being Behind Volt Typhoon – Source: www.schneier.com
  • WIRED: Brass Typhoon: The Chinese Hacking Group Lurking in the Shadows