Source: cyble.com
Hacktivist groups are increasingly adopting sophisticated and destructive attack methods, moving beyond basic DDoS attacks to target critical infrastructure with ransomware. These groups, motivated by ideological goals, are focusing on government platforms and industrial manufacturers. Pro-Russian hacktivists are primarily targeting NATO-aligned nations and supporters of Ukraine, while pro-Ukrainian, pro-Palestinian, and anti-establishment groups are focusing on Russia, Israel, and the United States. This evolution reflects a shift towards hybrid warfare tactics, combining DDoS, credential leaks, and ICS disruption to overcome single-layer defenses.
The energy sector is particularly vulnerable, with successful cyber breaches posing severe risks to national security, economic stability, and public safety. The CyberAv3ngers, an Iranian state-sponsored hacker group, exemplifies this threat. Despite masquerading as hacktivists, they are actively targeting industrial control systems in water, oil and gas, and other critical infrastructure sectors worldwide. The group has already caused global disruption and shows no signs of slowing down. Their actions are a rare example of state-sponsored cyber saboteurs crossing the line from espionage into disrupting critical infrastructure.
Reports and investigations highlight vulnerabilities within power grids and other key systems. Recent investigations have revealed hidden capabilities in Chinese-manufactured power transformers that could allow remote shutdown from overseas. This discovery prompted concerns about potential "sleeper cells" within critical national systems. Furthermore, ransomware attacks continue to be a major threat, causing operational disruptions, data breaches, and financial losses. The industry is responding with increased cybersecurity investment and proactive strategies as professionals see cybersecurity as the greatest risk to their business.
References:
- cyble.com: Cyble report on hacktivists moving into ransomware attacks.
- threatmon.io: Ransomware attacks remain one of the most critical threats to modern businesses, leading to severe operational disruptions, data breaches, and substantial financial losses.
Source: www.wsj.com
China has reportedly acknowledged its role in cyberattacks against U.S. critical infrastructure, specifically those attributed to the Volt Typhoon campaign. This admission occurred during a secret meeting with U.S. officials in December, according to SecurityWeek. U.S. officials noted that Volt Typhoon's actions, which involved infiltrating various industries' systems through zero-day exploits and other advanced tactics, were an attempt to deter U.S. support for Taiwan. Furthermore, cyberespionage by the Chinese state-backed Salt Typhoon group against U.S. telecommunications firms was also discussed, revealing the compromise of U.S. officials' communications.
These attacks are part of a broader pattern of Chinese state-backed hackers increasing their activity against infrastructure in the U.S., Europe, and the Asia-Pacific region. Recent intelligence indicates groups like Volt Typhoon and Salt Typhoon have infiltrated power grids, telecommunications networks, and transportation systems. Their apparent goal is to preposition for potential wartime disruption or coercive retaliation during periods of geopolitical tension. This approach involves installing dormant "logic bombs" designed to be triggered during a conflict or crisis, maintaining persistent access while minimizing detection risk.
The intensified cyber activities are viewed as a component of China's cyber-enabled irregular warfare strategy. Recent incidents include a power grid failure in Taiwan linked to a Volt Typhoon logic bomb, along with similar occurrences reported in European infrastructure. The attacks' sophistication lies in their "Living Off the Land" techniques, blending state-sponsored hacking with proxy groups and disinformation to achieve strategic objectives without triggering conventional military responses. Such actions, as analyzed by IT security professional Simone Kraus, raise concerns due to their potential for devastating real-world consequences if critical infrastructure is compromised.
References:
- Sam Bent: In a closed-door Geneva summit, Chinese officials admitted—albeit indirectly—to orchestrating Volt Typhoon cyberattacks on US infrastructure. The move signals escalating covert conflict over Taiwan and exposes the US grid’s vulnerability to prolonged foreign infiltration.
- DataBreaches.Net: Chinese officials acknowledged in a secret December meeting that Beijing was behind a widespread series of alarming cyberattacks on U.S. infrastructure, according to people familiar with the matter, underscoring how hostilities between the two superpowers are continuing to escalate.
- www.metacurity.com: China acknowledged US cyberattacks at a secret meeting, report
- WIRED: China Secretly (and Weirdly) Admits It Hacked US Infrastructure
- Risky Business Media: China privately admits to hacking American critical infrastructure, the US Treasury was compromised by password spraying, America will sign a global spyware agreement after all, and a Chinese APT is abusing the Windows Sandbox to hide its malware.
- securityaffairs.com: China admitted its role in Volt Typhoon cyberattacks on U.S. infrastructure, WSJ reports.
- The Register - Security: China reportedly admitted directing cyberattacks on US infrastructure at a meeting with their American counterparts, according to The Wall Street Journal.…
- Schneier on Security: China Sort of Admits to Being Behind Volt Typhoon
- oodaloop.com: China Admitted to Volt Typhoon Cyberattacks on US Critical Infrastructure: Report
- www.scworld.com: US critical infrastructure attacks reportedly acknowledged by China
- OODAloop: In a secret meeting that took place late last year between Chinese and American officials, the former confirmed that China had conducted cyberattacks against US infrastructure as part of the campaign known as Volt Typhoon, according to The Wall Street Journal.
- cybersecuritynews.com: Chinese Hackers Attacking Critical Infrastructure to Sabotage Networks
- ciso2ciso.com: China Sort of Admits to Being Behind Volt Typhoon – Source: www.schneier.com
- WIRED: Brass Typhoon: The Chinese Hacking Group Lurking in the Shadows
Source: Solomon Klappholz (solomon.klappholz@futurenet.com), ITPro
Cyber experts are raising serious concerns about operational technology (OT) security after the Volt Typhoon threat group went undetected within the US electric grid for almost a year. This prolonged compromise, lasting over 300 days, marks the first known infiltration of the US electric grid by the Voltzite subgroup, linked to the Chinese APT Volt Typhoon. The attackers targeted critical OT infrastructure data, underscoring the persistent and sophisticated cyber espionage efforts aimed at US infrastructure.
The security breach, discovered in November 2023, involved the Littleton Electric Light and Water Department (LELWD) in Massachusetts. Investigations revealed that Volt Typhoon likely gained access to LELWD's IT environment in February 2023. During the attack, the Chinese hackers sought specific data on operational technology operating procedures and spatial layout data relating to energy grid operations. The incident led LELWD to expedite the deployment of its OT security solutions.
References:
- hackread.com: Chinese Volt Typhoon Hackers Infiltrated US Electric Utility for Nearly a Year
- PCMag UK security: Chinese Hackers Sat Undetected in Small Massachusetts Power Utility for Months
- www.itpro.com: Cybersecurity firm Dragos has revealed the Volt Typhoon threat group remained undetected in the US electric grid for nearly a year.
- www.scworld.com: US electric utility subjected to almost year-long Volt Typhoon compromise
- CyberInsider: Revealing the Volt Typhoon threat group's covert access to a Massachusetts electric utility network.
- bsky.app: Massachusetts Power Utility hacked by Chinese 'hackers' (cyber operators) for more than 300 days.
- Volt Typhoon Accessed US OT Network for Nearly a Year
- Information Security Buzz: Volt Typhoon Found Inside Massachusetts Electric Utility for Nearly a Year
- Industrial Cyber: Dragos details the hacking of LELWD and the VOLTZITE group.
- Matthias Schulze: China’s Volt Typhoon Hackers Dwelled in US Electric Grid for 300 Days
Source: zdnet.com
Federal cybersecurity agencies, including the FBI and CISA, have issued an urgent advisory regarding the escalating threat of Medusa ransomware. Since its emergence in 2021, Medusa has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The group's activities have accelerated in recent months, prompting immediate action recommendations for organizations. Medusa operates as a Ransomware-as-a-Service (RaaS) model, now recruiting affiliates from criminal forums to launch attacks, encrypt data, and extort victims worldwide.
Medusa actors leverage common ransomware tactics, including phishing campaigns and exploiting unpatched software vulnerabilities. They employ a double extortion strategy by encrypting victim data and threatening to publicly release it if the ransom is not paid. To mitigate the risk, CISA and the FBI recommend organizations update systems regularly to close known vulnerabilities, implement network segmentation to restrict lateral movement, and enable multi-factor authentication for all services. They also urge organizations to report incidents promptly to aid in tracking and combating the growing threat.
References:
- bsky.app: CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.
- www.bleepingcomputer.com: CISA: Medusa ransomware hit over 300 critical infrastructure orgs
- securityonline.info: FBI, CISA, and MS-ISAC Warn Organizations About Medusa Ransomware Attacks
- DataBreaches.Net: #StopRansomware: Medusa Ransomware
- Industrial Cyber: US exposes Medusa ransomware threat, as over 300 organizations targeted across critical infrastructure sector
- securityaffairs.com: Medusa ransomware hit over 300 critical infrastructure organizations until February 2025
- www.cybersecuritydive.com: Medusa ransomware slams critical infrastructure organizations
- www.itpro.com: CISA issues warning over Medusa ransomware after 300 victims from critical sectors impacted
- www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released joint advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
- FBI and CISA Warn of Medusa Ransomware Impacting Critical Infrastructure
- The DefendOps Diaries: Explore the impact of Medusa ransomware on critical infrastructure and learn strategies to enhance cybersecurity defenses.
- www.scworld.com: Medusa ransomware, a ransomware-as-a-service group, has increased attacks targeting critical infrastructure, potentially preparing for geopolitical conflicts. Recent attacks indicate a 150% increase in this activity.
- Tenable Blog: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
- SOC Prime Blog: Medusa Ransomware Attacks Covered in AA25-071A Detection
- be4sec: Medusa Ransomware is Targeting Critical Infrastructure
- be4sec: This advisory summarizes the key activities of prominent ransomware groups in January 2025, highlighting a significant increase in Medusa attacks.
- aboutdfir.com: Medusa ransomware group has been actively targeting critical infrastructure organizations, employing a double extortion tactic.
- www.techradar.com: US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
- cyble.com: The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a well-timed advisory on the Medusa ransomware group last week, as Cyble has detected an acceleration in the group’s activities in recent months.
- Email Security - Blog: Medusa Ransomware: Multi-Industry Threat on the Rise
- techxplore.com: Cybersecurity officials warn against potentially costly Medusa ransomware attacks
- Security | TechRepublic: Medusa Ransomware Strikes 300+ Targets: FBI & CISA Urge Immediate Action to #StopRansomware
- eSecurity Planet: Medusa Ransomware Warning: CISA and FBI Issue Urgent Advisory
- Blue Team Con: CISA and the FBI warn about Medusa ransomware, urging organizations to update security, enable MFA, and report incidents to mitigate the growing threat.
- thecyberexpress.com: Medusa Ransomware Surge: 60 Victims in 3 Months—Are You Next?
- www.zdnet.com: How to guard against a vicious Medusa ransomware attack - before it's too late
- www.cysecurity.news: The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory, warning organizations about the increasing threat of Medusa ransomware.
- Sam Bent: Cybercriminal Group Medusa Targets Critical Infrastructure Sectors. A sophisticated cybercriminal group known as Medusa has been targeting many critical infrastructure sectors in the United States.
- The Hacker News: Medusa Ransomware Uses Malicious Driver to Disable Anti-Malware with Stolen Certificates
- www.cybersecuritydive.com: Medusa ransomware using malicious driver as EDR killer
Source: do son, Daily CyberSecurity
The Medusa ransomware operation has significantly impacted critical infrastructure sectors, affecting over 300 organizations in the United States by February 2025. According to CISA, these attacks have targeted essential services across various industries, including medical, education, legal, insurance, technology, and manufacturing. This widespread impact highlights the vulnerability of critical infrastructure and the potential for severe disruptions. The healthcare sector has been a primary target, with ransom demands ranging from $100,000 to $15 million, potentially disrupting patient care and compromising sensitive data.
Educational institutions have also been significantly affected, with 21 attacks reported in February 2025 alone. These attacks disrupt academic activities and compromise personal information of students and staff. In response, CISA, in partnership with the FBI and MS-ISAC, released a joint Cybersecurity Advisory providing tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with known Medusa ransomware activity. The advisory encourages organizations to ensure operating systems and software are up to date, segment networks to restrict lateral movement, and filter network traffic to prevent unauthorized access.
References:
- Industrial Cyber: Recent findings from Symantec indicate a significant rise in Medusa ransomware activity, which is reportedly being operated as...
- securityaffairs.com: Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.
- Symantec found that Medusa has listed almost 400 victims on its data leaks site since early 2023, demanding ransom payments as high as $15m
- Broadcom Software Blogs: Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023.
- The DefendOps Diaries: Medusa Ransomware: A Growing Threat to Critical Infrastructure
- RedPacket Security: CISA: CISA and Partners Release Cybersecurity Advisory on Medusa Ransomware
- gbhackers.com: Medusa Ransomware Hits 300+ Critical Infrastructure Organizations Worldwide
- CyberInsider: FBI: Medusa Ransomware Has Breached 300 Critical Infrastructure Organizations
- www.tripwire.com: The Medusa ransomware gang continues to present a major threat to the critical infrastructure sector, according to a newly-released joint advisory, with at least one organisation hit with a "triple-extortion" threat. Read more in my article on the Tripwire State of Security blog.
- Resources-2: On March 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Medusa ransomware [1]. Medusa ransomware emerged as Ransomware-as-a-Service in June 2021 and gained infamy by compromising over 300 victims from critical infrastructure sectors, including healthcare, insurance, technology, manufacturing, and legal.
- CISA, FBI Warn of Medusa Ransomware Impacting Critical Infrastructure
- www.cybersecuritydive.com: The ransomware-as-a-service gang tallied more than 300 victims in industries such as healthcare, manufacturing and technology.
- The Register - Security: Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand
- hackread.com: FBI and CISA Urge Enabling 2FA to Counter Medusa Ransomware
- Talkback Resources: #StopRansomware: Medusa Ransomware | CISA [net] [mal]
- Tenable Blog: Cybersecurity Snapshot: Medusa Ransomware Impacting Critical Infrastructure, CISA Warns, While NIST Selects New Quantum-Resistant Algorithm
- SOC Prime Blog: Medusa Ransomware Detection: The FBI, CISA & Partners Warn of Increasing Attacks by Ransomware Developers and Affiliates Against Critical Infrastructure