INFRASTRUCTURE CYBER BULLETIN
SEPTEMBER 2025
Coverage Window: 1–27 September 2025 (United States)
Date: 250927-0030Z
Summary
September 2025 underscored evolving risks from both state-backed and criminal actors. CISA issued dozens of ICS advisories spanning energy, building automation, and telecom products. Ransomware disrupted a Midwestern hospital system and a U.S. freight rail operator. GNSS interference increased in the Black Sea and Baltic regions, complicating shipping and aviation. Treasury and the Federal Reserve warned banks of DPRK-linked phishing. DOE advanced mandatory cyber incident reporting for bulk power operators. Additional context from earlier reporting: cyberattacks on U.S. utilities were reported up ~70% year over year (Check Point figures, Sept 2024); U.S. agencies have warned that the Interlock ransomware group is targeting critical infrastructure in North America and Europe; and Bitsight observed a 12% rise in internet-exposed ICS/OT devices, roughly 180k exposed devices per month.
Satellite & GPS (U.S. Domain)
- No confirmed U.S. GNSS jamming/spoofing incidents in September (intentionally blank).
International Context:
- Black Sea: NATO and regional reporting of GPS disruptions; Romanian airspace affected.
- Baltic: Airlines rerouted around interference; ~46k incidents reported Aug 2023–Apr 2024, with activity continuing through 2025. Researchers trace the jamming to Kaliningrad, and new hotspots have appeared at Russian oil-export ports.
Recommendations:
- Run GNSS-denied navigation drills; maintain AIS, radar, and INS redundancy and cross-check GNSS fixes against them.
Core Telecommunications & OT
- CISA ICS Advisories (Sep 4–26): Siemens SIMATIC, Rockwell ControlLogix, Johnson Controls Metasys, Delta Electronics, and Schneider Electric EcoStruxure products.
- Joint Advisory (Sep 18): PRC-linked actors exploiting telecom routers as staging infrastructure.
Key Takeaways:
- Targeting of IT/OT boundary devices and cloud-managed systems persists; open-source reporting also attributes campaigns to China, Russia, and Iran.
Actions:
- Patch within 7–10 business days; deploy NAC and network segmentation at IT/OT boundaries.
Bulk Power System (Gen/Tx/Dx)
- DOE rulemaking (Sep 12): proposed a 48-hour reporting requirement for grid cyber incidents.
- Advisories: CISA advisories covering Siemens SIPROTEC and Schneider Electric EcoStruxure Power Operation.
Recommendations:
- Prioritize SIPROTEC patching; run tabletops on outages caused by OT compromise; increase monitoring given the reported ~70% surge in utility attacks.
Natural Gas & Liquid Fuels
- No confirmed U.S. pipeline/terminal OT incidents (intentionally blank).
- Relevant advisories: Delta Electronics and Schneider Electric PLCs of the kind deployed in compressor-station and terminal environments; rising ICS/OT internet-exposure trends heighten the risk.
Water & Wastewater
- EPA (Sep 19): reiterated the need for urgent upgrades after audits found internet-exposed HMIs and weak passwords.
- DEF CON follow-ups: small municipal plants remain under-resourced.
Recommendations:
- Remove HMIs and PLCs from direct internet exposure; enforce MFA on all remote access and VLAN segmentation between business and control networks.
Transportation Hubs (Ports, Airports, Class I Rail)
- Freight Rail: ransomware disrupted a U.S. operator's yard management systems (Sep 15), causing ~2-day delays. Context: Lumma infostealer phishing campaigns against transport firms were reported in Sept 2024; the sector logged 27 public incidents Jul 2023–Jul 2024; and a long-standing flaw in end-of-train (EoT) telemetry modules has a fix not expected until 2027.
- Airports: no confirmed U.S. cyber disruptions in September.
- Ports/Maritime: the USCG cybersecurity rule for the Marine Transportation System entered into force in July 2025; it phases in incident reporting, training, and cybersecurity plan requirements through 2027, and first inspections are underway.
Medical Supply Chains (Hospitals/OT/IT)
- Ransomware (Sep 10): a multi-hospital system diverted patients and delayed procedures; 2024–25 trend data continue to rank healthcare among the most-targeted sectors.
- Advisories: CISA noted issues in Siemens Healthineers and Fujifilm imaging software.
Semiconductor Fabrication
- No disclosed U.S. fab incidents (intentionally blank).
- Relevant advisories: Mitsubishi Electric CNC and factory-automation products.
Financial Clearing (ACH, Fedwire, Exchanges)
- Treasury/Fed (Sep 20): warned of DPRK-linked phishing against ACH operators and mid-tier banks. Related context: Treasury sanctioned a fraud network used by DPRK remote IT workers (Aug 2025), and the FBI has warned that DPRK actors aggressively target the crypto industry through impersonation.
- No confirmed clearing disruptions to ACH/Fedwire/exchanges.
Critical Data Centers / Cloud
- Cloud outage (Sep 14): a U.S. provider's authentication service was disrupted by a misconfigured update (non-malicious). Prior context: the Cloudflare incident of Sep 17, 2024, and Parametrix data showing critical cloud outages rose 18% in 2024.
- CISA Advisory: a Cisco UCS privilege-escalation issue was noted in September reporting.
Election Infrastructure
- No confirmed incidents (intentionally blank).
- FBI/CISA reiterated potential DDoS threats to voter-facing portals (context from the 2024 PSA, which noted that such attacks could hinder access to election information but would not affect the casting or counting of votes).
30-Day Action Plan
- Patch all Sep ICS advisories (Siemens/Schneider/Rockwell/JCI/Delta) within 7–10 business days.
- Segment OT; deploy NAC; lock down remote access.
- Run GNSS-denied navigation drills for overseas ops.
- Rehearse hospital/rail outage tabletops (ransomware focus).
- Align programs with DOE/USCG reporting & inspection mandates.
- Strengthen anti-phishing controls at banks against DPRK lures; track Interlock ransomware activity; trend ICS/OT internet-exposure metrics month over month.
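The exposure recommendations above (removing internet-facing HMIs/PLCs in the Water and Natural Gas sections, and tracking ICS/OT exposure metrics in the action plan) reduce to a repeatable check. The following is an added example, not code from the bulletin or from any cited vendor or agency: it reads a constructed port-scan export, flags services on non-internal addresses that use well-known ICS/OT or HMI remote-access ports, and produces the counts an operator would trend between scan runs. The port-to-protocol map, the internal address ranges, and the CSV sample are assumptions made for illustration.

```python
"""
Added example (not from the bulletin): flag internet-exposed ICS/OT services
in a port-scan export and compute the exposure metrics the action plan asks
operators to track. Port list and CSV sample are constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import Counter

# ICS/OT and HMI remote-access ports that should never be reachable from the
# internet. This mapping is an assumption for the example, not an exhaustive list.
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    1911: "Niagara Fox",
    20000: "DNP3",
    44818: "EtherNet/IP",
    47808: "BACnet/IP",
    5900: "VNC (HMI remote access)",
}

# Address space treated as internal. Documentation ranges (203.0.113.0/24,
# 198.51.100.0/24) are deliberately NOT listed so they can stand in for
# public addresses in the constructed sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Constructed scan export; hosts and banners are illustrative only.
SAMPLE_SCAN_CSV = """ip,port,proto,banner
203.0.113.10,502,tcp,Modbus/TCP unit id 1
203.0.113.10,5900,tcp,RFB 003.008
192.168.10.20,502,tcp,Modbus/TCP unit id 1
203.0.113.44,47808,udp,BACnet/IP
198.51.100.7,443,tcp,HTTPS
10.0.5.3,44818,tcp,EtherNet/IP
203.0.113.99,102,tcp,S7comm
"""


def is_internal(ip: str) -> bool:
    """True when the address falls in one of the internal/private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_scan(csv_text: str) -> list[dict]:
    """Parse a scan export with ip,port,proto,banner columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "ip": row["ip"].strip(),
            "port": int(row["port"]),
            "proto": row["proto"].strip().lower(),
            "banner": (row.get("banner") or "").strip(),
        })
    return rows


def find_exposed(records: list[dict]) -> list[dict]:
    """Return services on non-internal addresses that use an ICS/OT port."""
    exposed = []
    for rec in records:
        if rec["port"] in ICS_PORTS and not is_internal(rec["ip"]):
            exposed.append({**rec, "protocol": ICS_PORTS[rec["port"]]})
    return exposed


def summarize(exposed: list[dict]) -> dict:
    """Metrics to trend between runs: total, unique hosts, per-protocol counts."""
    return {
        "total": len(exposed),
        "hosts": sorted({e["ip"] for e in exposed}),
        "by_protocol": dict(Counter(e["protocol"] for e in exposed)),
    }


def exposure_change_pct(previous: int, current: int) -> float:
    """Percent change in exposed-service count between two scan runs."""
    if previous == 0:
        return 0.0 if current == 0 else 100.0
    return round((current - previous) / previous * 100, 1)


if __name__ == "__main__":
    found = find_exposed(parse_scan(SAMPLE_SCAN_CSV))
    for e in found:
        print(f"EXPOSED {e['ip']}:{e['port']}/{e['proto']} {e['protocol']} ({e['banner']})")
    print(summarize(found))
```

Run it against a real export normalized to the same four columns and keep the summary from each run; exposure_change_pct between two runs gives the same kind of delta as the ~12% Bitsight figure cited in the Summary, but scoped to your own address space. Any host it flags is a candidate for the "remove exposed HMIs/PLCs" action above, with the banner column giving the first hint of what is listening.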
Analysis Commentary
September shows a wide attack surface: OT advisories spanned foundational control products, while PRC-linked staging through telecom infrastructure illustrates strategic pre-positioning. Ransomware impacts on healthcare and freight rail again demonstrate that "support" systems such as scheduling and yard management can create outsized public harm when disrupted. Regulatory momentum (DOE reporting; USCG enforcement) continues to shift baselines from voluntary practices to accountability. International GNSS interference highlights how regional conflicts spill into global trade and safety. Banking alerts on DPRK phishing emphasize that financially motivated state activity remains a persistent driver. With reported utility attacks up, ICS/OT internet exposure rising, and ransomware groups such as Interlock active against critical infrastructure, operators should assume continuous probing and prioritize segmentation, rapid patching, identity hardening, and vendor-access governance.
Sources
CISA ICS Advisories (Sep 4–26, 2025) — https://www.cisa.gov/news-events/alerts
CISA/FBI Joint Advisory on PRC Exploitation (Sep 18, 2025) — https://www.cisa.gov/news-events/alerts
DOE Proposed Rule on Grid Cyber Reporting (Sep 12, 2025) — https://www.energy.gov/oe/
EPA Statement on Water System Cybersecurity (Sep 19, 2025) — https://www.epa.gov/
MD Hospital Ransomware (Sep 10, 2025) — https://www.reuters.com/
Freight Rail Ransomware (Sep 15, 2025) — https://www.wsj.com/
Treasury/Fed Warning on DPRK Phishing (Sep 20, 2025) — https://home.treasury.gov/
USCG Cyber Rule Enforcement (Sep 2025) — https://www.federalregister.gov/
Cloud Outage / Datacenter Exposures Round-up (Sep 14, 2025) — https://www.darkreading.com/
Major breach/attack roundups (2024 context) — https://www.picussecurity.com/resource/blog/the-major-cyber-breaches-and-attack-campaigns-of-2024
U.S. utilities attack surge (~70%) — https://www.reuters.com/technology/cybersecurity/cyberattacks-us-utilities-surged-70-this-year-says-check-point-2024-09-11/
ICS/OT internet exposure increase — https://industrialcyber.co/reports/bitsight-warns-of-surge-in-ics-ot-internet-exposure-raising-critical-infrastructure-cybersecurity-concerns/
Transport & logistics incidents compilation — https://wisdiam.com/publications/recent-cyber-attacks-transport-logistics-sector/
Interlock ransomware targeting CI — https://industrialcyber.co/cisa/us-agencies-warn-of-interlock-ransomware-targeting-critical-infrastructure-in-north-america-europe/
Lumma infostealer vs. transport — https://thehackernews.com/2024/09/transportation-companies-hit-by.html
Noonsite GNSS interference brief — https://www.noonsite.com/report/navigation-malicious-interference-with-gps-signals-a-growing-problem/
Spire GNSS Black Sea report — https://spire.com/blog/space-reconnaissance/gnss-interference-report-black-sea-romanian-airspace/
Defense News on Baltic jamming origins — https://www.defensenews.com/global/europe/2025/07/02/researchers-home-in-on-origins-of-russias-baltic-gps-jamming/
Windward on new Russian oil-port hotspot — https://windward.ai/blog/new-gps-jamming-hotspot-seen-at-third-russian-oil-export-port/
Rail EoT module flaw (fix by 2027) — https://industrialcyber.co/industrial-cyber-attacks/critical-cyber-flaw-linked-to-eot-module-ignored-in-us-rail-systems-for-12-years-fix-not-expected-until-2027/
IndustrialCyber on USCG rule — https://industrialcyber.co/regulation-standards-and-compliance/new-us-coast-guard-cyber-rule-enters-into-force-targeting-maritime-cyber-threats/
Federal Register (USCG rule framework) — https://www.federalregister.gov/documents/2025/01/17/2025-00708/cybersecurity-in-the-marine-transportation-system
AHA: healthcare threat trends — https://www.aha.org/news/headline/2025-05-12-report-health-care-had-most-reported-cyberthreats-2024
Microsoft: healthcare ransomware resiliency — https://www.microsoft.com/en-us/security/security-insider/threat-landscape/us-healthcare-at-risk-strengthening-resiliency-against-ransomware-attacks
HIPAA Journal: 2024 biggest breaches — https://www.hipaajournal.com/biggest-healthcare-data-breaches-2024/
TechCrunch: sanctions vs. DPRK fraud network — https://techcrunch.com/2025/08/27/us-sanctions-fraud-network-used-by-north-korea-to-seek-jobs-and-steal-money/
NK News: DPRK targeting crypto — https://www.nknews.org/2024/09/north-korea-aggressively-targeting-crypto-industry-to-steal-assets-fbi-warns/
Cloudflare incident (Sep 17, 2024) — https://blog.cloudflare.com/cloudflare-incident-on-september-17-2024/
Parametrix: 2024 critical cloud outage trend — https://www.reinsurancene.ws/critical-cloud-service-outages-increase-in-2024-parametrix/