CyberSecurity news

FlagThis - #cyberattacks

@industrialcyber.co //
Iranian advanced persistent threat (APT) groups have significantly escalated their cyberattacks against U.S. infrastructure, with a notable 133% surge reported by Nozomi Networks Labs. This increase in malicious activity, observed during May and June of 2025, directly coincides with heightened geopolitical tensions involving Iran. The primary sectors targeted by these operations are transportation and manufacturing, indicating a strategic focus on critical infrastructure within the United States. U.S. government agencies, including CISA and the Department of Homeland Security, have issued advisories warning of these threats, urging organizations to bolster their cybersecurity postures.

The resurgence of the Pay2Key Ransomware-as-a-Service (RaaS) is a key element in this escalation. This operation, linked to the Fox Kitten APT group, is reportedly offering an increased profit share of 80% to affiliates specifically targeting perceived enemies of Iran, such as the United States and Israel. This financially motivated scheme has already collected substantial extortion payments, underscoring the real-world impact of these cyber operations. Several well-known Iranian APT groups, including MuddyWater, APT33, OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice, have been identified as active participants in these campaigns, employing tactics ranging from sophisticated espionage to disruptive attacks.

In response to this evolving threat landscape, organizations within the transportation and manufacturing sectors are strongly advised to enhance their cyber defenses. This includes vigilant monitoring for Iranian APT activity and reviewing overall security frameworks. The U.S. government’s warnings highlight the strategic intent behind these attacks, which aim to advance foreign policy objectives and potentially disrupt critical services. Security professionals must remain informed about the evolving capabilities and targeting methodologies of these nation-state actors to effectively mitigate the growing cybersecurity risks.

Recommended read:
References :
  • industrialcyber.co: Nozomi Networks Labs reported a 133% spike in cyberattacks linked to well-known Iranian threat groups during May and...
  • cyberpress.org: Iranian APTs Launch Active Cyberattacks on Transportation and Manufacturing Industries
  • gbhackers.com: Iranian APT Hackers Targeting Transportation and Manufacturing Sectors in Active Attacks
  • gbhackers.com: Nozomi Networks Labs cybersecurity researchers have reported a startling 133% increase in cyberattacks linked to well-known Iranian advanced persistent threat (APT) groups in May and June 2025, following current tensions with Iran.

Rescana@Rescana //
Amidst escalating regional conflicts, Iran has taken the drastic measure of shutting down internet access for its citizens, a move the government defends as a necessary precaution against Israeli cyberattacks. This disruption has severely impacted communication within the country, leaving Iranians abroad unable to connect with loved ones. One such individual, Amir Rashidi, expressed his anxiety, stating he hadn't heard from his family in two days and was relying on someone else for updates. The situation highlights the growing intersection of cyber warfare and real-world consequences for civilians.

The internet blackout is not the first instance of Iran limiting connectivity. In the past, similar restrictions were imposed during periods of political unrest, such as protests in 2019 and 2022. These shutdowns are implemented by pushing people towards domestic apps, which are often less secure, while also severely restricting access to vital information. Experts like Doug Madory from Kentik have documented significant drops in internet connectivity within Iran following recent Israeli airstrikes, with reductions of 54% initially, followed by further declines of 49% and, subsequently, a staggering 90%.

In a defensive maneuver against cyber threats, Iran is throttling its National Internet Infrastructure. The country claims it is restricting internet connectivity to counter cyber attacks amid regional conflict. The stated aim is to impede cyber intrusions and the synchronization of adversarial operations. An example of the threats Iran faces is demonstrated by the Israeli-linked hackers who seized and burned $90 million from Iran's Nobitex exchange.

Recommended read:
References :
  • infosec.exchange: NEW: Iran's government has now admitted that it took down the internet in the country, arguing that it did to protect against Israeli cyberattacks. I spoke to two Iranians who live abroad and can't communicate with their loved ones back home because of the blackout.
  • WIRED: Iran is limiting internet connectivity for citizens amid Israeli airstrikes—pushing people towards domestic apps, which may not be secure, and limiting their ability to access vital information. —
  • Rescana: Iran National Internet Infrastructure Throttling: Cyber Defense Strategy to Prevent Attacks Amid Regional Conflict
  • Cyber Florida at USF: CIP Flash Bulletin | Heightened Iranian Cyber Threat Activity
  • www.scworld.com: DHS: Attacks on US critical infrastructure likely following Iran strikes
  • Arctic Wolf: Cybersecurity Risks Amid Rising Iran–U.S. Tensions
  • : Sysdig Threat Bulletin: Iranian Cyber Threats
  • Tidal Cyber Blog: Iran Cyber Threat Assessment and Defensive Guidance
  • arcticwolf.com: Cybersecurity risks amid rising Iran-U.S. tensions after US strikes.
  • Metacurity: DHS warns of likely Iranian cyberattacks following US missile strikes.
  • nsfocusglobal.com: The Hacktivist Cyber Attacks in the Iran-Israel Conflict
  • www.esecurityplanet.com: US Warns of Iranian Cyber Threats as Tensions Rise Over Middle East Conflict
  • Security Risk Advisors: Iran-Linked Cyber Fattah Leaks Saudi Games Athletes and Visitors Data
  • abcnews.go.com: Iranian-backed hackers at work after US strikes
  • news.sky.com: Businesses urged to strengthen cyber defences amid increase in Iran-adjacent attacks
  • Unit 42: Threat Brief: Escalation of Cyber Risk Related to Iran
  • Tenable Blog: Cybersecurity Snapshot: U.S. Gov’t Urges Adoption of Memory-Safe Languages and Warns About Iran Cyber Threat

Nicholas Kitonyi@NFTgators //
A pro-Israel hacking group, known as Predatory Sparrow, has claimed responsibility for a cyberattack against Nobitex, Iran’s largest cryptocurrency exchange. The attack resulted in the theft of approximately $90 million in various cryptocurrencies, including Bitcoin and Dogecoin, as well as over 100 other cryptocurrencies. According to blockchain analytics firm Elliptic, the funds were drained from the exchange’s wallets into blockchain addresses containing anti-government messages explicitly referencing Iran's Islamic Revolutionary Guard Corps (IRGC).

The attackers, instead of attempting to profit financially, intentionally destroyed the stolen cryptocurrency in what has been described as a symbolic political statement. The funds were sent to blockchain addresses with the phrase "F***iRGCTerrorists" embedded within them. Experts say that generating addresses with such specific terms requires significant computing power, suggesting the primary goal was to send a message rather than to gain financially. The incident underscores the rising geopolitical tensions between Israel and Iran and the vulnerability of cryptocurrency exchanges to politically motivated cyberattacks.

The cyberattack on Nobitex is part of a broader pattern of cyber warfare between Israel and Iran. While the physical conflict has seen airstrikes and other military actions, the digital realm has become another battleground, with potentially significant repercussions for both countries and the wider global community. This incident also follows reports of internet restrictions within Iran, limiting citizens' access to information and communication amidst escalating tensions. The global cybersecurity community needs to stay prepared for security repercussions for the two combatants and the wider global community as the cyberwarfare portion of the conflict is already spilling over off the battlefield and outside the region.

Recommended read:
References :
  • Zack Whittaker: This article also discusses the attack against Nobitex, noting the financial losses and the involvement of a pro-Israel hacking group.
  • techcrunch.com: This news source provides information about the attack against Nobitex, mentioning the theft and destruction of cryptocurrency.
  • Metacurity: This article reports on the attack against Nobitex by the Predatory Sparrow group, highlighting the financial impact and geopolitical context of the event.
  • NFTgators: This news piece details the financial impact of the attack on Nobitex and the potential geopolitical implications.
  • WIRED: This article covers the same event with additional details about the actions of the attacker group and their motives.
  • aboutdfir.com: Pro-Israel hackers drained $90 million from Iran crypto exchange, analytics firm says
  • fortune.com: Pro-Israel group hacks Iranian crypto exchange for $90 million—but throws away the money
  • SecureWorld News: As kinetic conflict continues to unfold between Israel and Iran, a parallel battle is raging in cyberspace—one that is disrupting financial systems, wiping out crypto holdings, hijacking broadcast channels, and even triggering a near-total internet shutdown.
  • Web3 is Going Just Great: Israeli-linked hackers steal and destroy $90 million from Iranian Nobitex exchange The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
  • www.elliptic.co: The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.

info@thehackernews.com (The@The Hacker News //
Scattered Spider, a cybercrime collective known for targeting U.K. and U.S. retailers, has shifted its focus to the U.S. insurance industry, according to warnings issued by Google Threat Intelligence Group (GTIG). The group, tracked as UNC3944, is known for utilizing sophisticated social engineering tactics to breach organizations, often impersonating employees, deceiving IT support teams, and bypassing multi-factor authentication (MFA). Google is urging insurance companies to be on high alert for social engineering schemes targeting help desks and call centers, emphasizing that multiple intrusions bearing the hallmarks of Scattered Spider activity have already been detected in the U.S.

GTIG's warning comes amidst a recent surge in Scattered Spider activity, with multiple U.S.-based insurance companies reportedly impacted over the past week and a half. The threat group has a history of targeting specific industries in clusters, with previous attacks impacting MGM Resorts and other casino companies. Security specialists emphasize that Scattered Spider often targets large enterprises with extensive help desks and outsourced IT functions, making them particularly susceptible to social engineering attacks. The group is also suspected of having ties to Western countries.

The shift in focus towards the insurance sector follows Scattered Spider's previous campaigns targeting retailers, including a wave of ransomware and extortion attacks on retailers and grocery stores in the U.K. in April. To mitigate against Scattered Spider's tactics, security experts recommend enhancing authentication, enforcing rigorous identity controls, implementing access restrictions, and providing comprehensive training to help desk personnel to effectively identify employees before resetting accounts. One insurance company, Erie Insurance, has already reported a cyberattack earlier this month, although the perpetrators have not yet been identified.

Recommended read:
References :
  • Threats | CyberScoop: Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry
  • The Hacker News: Google Warns of Scattered Spider Attacks Targeting IT Support Teams at U.S. Insurance Firms
  • www.cybersecuritydive.com: Threat group linked to UK, US retail attacks now targeting insurance industry
  • hackread.com: Scattered Spider Aims at US Insurers After UK Retail Hit, Google Warns
  • The Record: Security analysts at Google’s Threat Intelligence Group published a warning this week to insurance companies, writing that it is “now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity.â€
  • www.scworld.com: Scattered Spider group attacking US insurance industry, Google says
  • SecureWorld News: Scattered Spider Swarms Insurance Sector with Targeted Cyber Attacks, Google Warns
  • Zack Whittaker: Google's John Hultquist says in an emailed statement that the company is seeing "multiple intrusions in the US" that bear the hallmarks of Scattered Spider activity and "now seeing incidents in the insurance industry." Google spokesperson confirmed there's more than one U.S.-based insurance victim.
  • cyberscoop.com: Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry
  • www.cybersecuritydive.com: Aflac duped by social-engineering attack, marking another hit on insurance industry
  • www.cyjax.com: Weaving Chaos – Scattered Spider’s Cyberattacks Spin a Dangerous Web Across the Insurance Industry
  • eSecurity Planet: Aflac confirms a cyberattack exposed sensitive customer data, citing social engineering tactics amid a wave of breaches targeting US insurers.
  • CYJAX: Weaving Chaos – Scattered Spider’s Cyberattacks Spin a Dangerous Web Across the Insurance Industry
  • cyberscoop.com: Aflac duped by social-engineering attack, marking another hit on insurance industry
  • DataBreaches.Net: Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Threats | CyberScoop: Aflac duped by social-engineering attack, marking another hit on insurance industry
  • www.prnewswire.com: Aflac incorporated discloses cybersecurity incident.
  • cyberpress.org: Aflac Incorporated, a major U.S.-based insurance company, reported a significant cybersecurity breach involving unauthorized access to its corporate network.
  • www.techradar.com: Reports details on a cyberattack targeting Aflac
  • techcrunch.com: US insurance giant Aflac says customers’ personal data stolen during cyberattack