@industrialcyber.co
//
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against U.S. infrastructure, with a notable 133% surge reported by Nozomi Networks Labs. This increase in malicious activity, observed during May and June of 2025, directly coincides with heightened geopolitical tensions involving Iran. The primary sectors targeted by these operations are transportation and manufacturing, indicating a strategic focus on critical infrastructure within the United States. U.S. government agencies, including CISA and the Department of Homeland Security, have issued advisories warning of these threats, urging organizations to bolster their cybersecurity postures.
The resurgence of the Pay2Key Ransomware-as-a-Service (RaaS) is a key element in this escalation. This operation, linked to the Fox Kitten APT group, is reportedly offering an increased profit share of 80% to affiliates specifically targeting perceived enemies of Iran, such as the United States and Israel. This financially motivated scheme has already collected substantial extortion payments, underscoring the real-world impact of these cyber operations. Several well-known Iranian APT groups, including MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice, have been identified as active participants in these campaigns, employing tactics ranging from sophisticated espionage to disruptive attacks. In response to this evolving threat landscape, organizations within the transportation and manufacturing sectors are strongly advised to enhance their cyber defenses. This includes vigilant monitoring for Iranian APT activity and reviewing overall security frameworks. The U.S. government’s warnings highlight the strategic intent behind these attacks, which aim to advance foreign policy objectives and potentially disrupt critical services. Security professionals must remain informed about the evolving capabilities and targeting methodologies of these nation-state actors to effectively mitigate the growing cybersecurity risks. Recommended read:
References :
Rescana@Rescana
//
Amidst escalating regional conflicts, Iran has taken the drastic measure of shutting down internet access for its citizens, a move the government defends as a necessary precaution against Israeli cyberattacks. This disruption has severely impacted communication within the country, leaving Iranians abroad unable to connect with loved ones. One such individual, Amir Rashidi, expressed his anxiety, stating he hadn't heard from his family in two days and was relying on someone else for updates. The situation highlights the growing intersection of cyber warfare and real-world consequences for civilians.
The internet blackout is not the first instance of Iran limiting connectivity. In the past, similar restrictions were imposed during periods of political unrest, such as protests in 2019 and 2022. These shutdowns are implemented by pushing people towards domestic apps, which are often less secure, while also severely restricting access to vital information. Experts like Doug Madory from Kentik have documented significant drops in internet connectivity within Iran following recent Israeli airstrikes, with reductions of 54% initially, followed by further declines of 49% and, subsequently, a staggering 90%. In a defensive maneuver against cyber threats, Iran is throttling its National Internet Infrastructure. The country claims it is restricting internet connectivity to counter cyber attacks amid regional conflict. The stated aim is to impede cyber intrusions and the synchronization of adversarial operations. An example of the threats Iran faces is demonstrated by the Israeli-linked hackers who seized and burned $90 million from Iran's Nobitex exchange. Recommended read:
References :
Nicholas Kitonyi@NFTgators
//
A pro-Israel hacking group, known as Predatory Sparrow, has claimed responsibility for a cyberattack against Nobitex, Iran’s largest cryptocurrency exchange. The attack resulted in the theft of approximately $90 million in various cryptocurrencies, including Bitcoin and Dogecoin, as well as over 100 other cryptocurrencies. According to blockchain analytics firm Elliptic, the funds were drained from the exchange’s wallets into blockchain addresses containing anti-government messages explicitly referencing Iran's Islamic Revolutionary Guard Corps (IRGC).
The attackers, instead of attempting to profit financially, intentionally destroyed the stolen cryptocurrency in what has been described as a symbolic political statement. The funds were sent to blockchain addresses with the phrase "F***iRGCTerrorists" embedded within them. Experts say that generating addresses with such specific terms requires significant computing power, suggesting the primary goal was to send a message rather than to gain financially. The incident underscores the rising geopolitical tensions between Israel and Iran and the vulnerability of cryptocurrency exchanges to politically motivated cyberattacks. The cyberattack on Nobitex is part of a broader pattern of cyber warfare between Israel and Iran. While the physical conflict has seen airstrikes and other military actions, the digital realm has become another battleground, with potentially significant repercussions for both countries and the wider global community. This incident also follows reports of internet restrictions within Iran, limiting citizens' access to information and communication amidst escalating tensions. The global cybersecurity community needs to stay prepared for security repercussions for the two combatants and the wider global community as the cyberwarfare portion of the conflict is already spilling over off the battlefield and outside the region. Recommended read:
References :
info@thehackernews.com (The@The Hacker News
//
Scattered Spider, a cybercrime collective known for targeting U.K. and U.S. retailers, has shifted its focus to the U.S. insurance industry, according to warnings issued by Google Threat Intelligence Group (GTIG). The group, tracked as UNC3944, is known for utilizing sophisticated social engineering tactics to breach organizations, often impersonating employees, deceiving IT support teams, and bypassing multi-factor authentication (MFA). Google is urging insurance companies to be on high alert for social engineering schemes targeting help desks and call centers, emphasizing that multiple intrusions bearing the hallmarks of Scattered Spider activity have already been detected in the U.S.
GTIG's warning comes amidst a recent surge in Scattered Spider activity, with multiple U.S.-based insurance companies reportedly impacted over the past week and a half. The threat group has a history of targeting specific industries in clusters, with previous attacks impacting MGM Resorts and other casino companies. Security specialists emphasize that Scattered Spider often targets large enterprises with extensive help desks and outsourced IT functions, making them particularly susceptible to social engineering attacks. The group is also suspected of having ties to Western countries. The shift in focus towards the insurance sector follows Scattered Spider's previous campaigns targeting retailers, including a wave of ransomware and extortion attacks on retailers and grocery stores in the U.K. in April. To mitigate against Scattered Spider's tactics, security experts recommend enhancing authentication, enforcing rigorous identity controls, implementing access restrictions, and providing comprehensive training to help desk personnel to effectively identify employees before resetting accounts. One insurance company, Erie Insurance, has already reported a cyberattack earlier this month, although the perpetrators have not yet been identified. Recommended read:
References :
|