INFRASTRUCTURE CYBER BULLETIN:
United States, May 26 – June 25, 2025
Executive Summary
This bulletin provides a comprehensive overview of cyber incidents targeting U.S. critical infrastructure from May 26 to June 25, 2025, covering railroads, highways, electrical grids, water systems, telecommunications, finance, insurance, oil, defense, and healthcare sectors. Drawing from recent alerts, open-source intelligence, and media reports, the report details successful and failed cyberattacks amid heightened geopolitical tensions. Iran-linked actors, including IRGC-affiliated groups and hacktivists, intensified low-level attacks following U.S. airstrikes on Iranian nuclear facilities, while China’s Volt Typhoon and Salt Typhoon campaigns pursued persistent espionage and pre-positioning. Notable incidents include breaches in water systems, insurance, and transportation, alongside telecom espionage and ransomware in healthcare. No catastrophic disruptions occurred, but systemic vulnerabilities in legacy systems and human-centric attack vectors underscore the need for enhanced defenses. The accompanying analysis examines the implications of these threats and forecasts risks over the next 3–6 months, incorporating international events likely to influence U.S. infrastructure security.
Key Findings
- Iran-Linked Threats Escalate: Pro-Iranian hacktivists and IRGC-affiliated actors, including Cyber Av3ngers, targeted water systems, energy pipelines, banks, oil, and defense sectors with DDoS, PLC exploits, and reconnaissance, driven by U.S.-Iran tensions.
- Water Systems Breached: IRGC-linked actors exploited outdated PLCs in water facilities, causing temporary monitoring disruptions with no public health impact.
- Electrical Grid Risks: Volt Typhoon’s pre-positioned malware in SCADA systems remains a latent threat, with no active breaches reported.
- Transportation Incidents: Texas Department of Transportation (TxDOT) suffered a major data breach; railroads and ports faced Iran-linked reconnaissance.
- Telecom Espionage Intensifies: China’s Salt Typhoon compromised at least nine U.S. ISPs, exfiltrating sensitive audio, metadata, and government communications.
- Insurance Sector Targeted: Scattered Spider’s social-engineering attacks breached insurers, compromising sensitive PII.
- DDoS as Geopolitical Tool: Iran-backed DDoS campaigns hit finance, oil, and defense websites, causing no outages but elevating alerts.
- Healthcare Vulnerabilities: Ransomware attack on Covenant Health disrupted services, highlighting healthcare’s infrastructure role.
- Public-Private Coordination Critical: ISACs and federal agencies (CISA, FBI) played key roles in threat sharing and mitigation.
Incident Overview
1. Water and Wastewater Systems
- Incident: On June 22, 2025, CISA reported that IRGC-affiliated Cyber Av3ngers exploited vulnerabilities in programmable logic controllers (PLCs) at multiple U.S. water and wastewater facilities, including a plant in Pennsylvania.
- Outcome: Limited success; no disruption to water supply or treatment.
- Details: Attackers exploited unpatched firmware in Israeli-made PLCs, displaying anti-Israel messages on compromised monitors. CISA urged immediate OT network segmentation and firmware updates. The attack mirrored 2023 incidents targeting water facilities after the outbreak of the Israel-Gaza conflict.
- Impact: Temporary loss of remote monitoring capabilities; no public health risks reported.
- Failed Attempt: On June 10, 2025, an unidentified group attempted to access a Midwest water treatment plant’s SCADA system via spear-phishing. Multi-factor authentication (MFA) prevented unauthorized access.
- Source: Internal CISA alert, not publicly detailed.
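The OT segmentation CISA urged in this incident can be stated as a checkable property of the firewall policy rather than a slogan. The script below is an added illustration, not part of this bulletin and not CISA or vendor code: it evaluates two constructed rule sets (a flat IT/OT network and a segmented one) with first-match semantics and reports the gaps a reviewer would look for, namely ordinary IT hosts reaching OT, the jump host reaching OT on anything but its approved port, and a policy that does not close with an explicit deny. The zone addresses, jump host, PLC address, rule format and port allowlist are all constructed assumptions.

```python
"""Check a firewall policy for IT-to-OT segmentation gaps.

Added example for this bulletin; not CISA or vendor code. Zone addresses,
the jump host, the rule format and the port allowlist are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR, host/32, or "any"
    dst: str             # CIDR, host/32, or "any"
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # None matches any port
    action: str          # "allow" or "deny"


# Constructed addressing: the only sanctioned path into OT is one hardened jump host.
JUMP_HOST = "10.10.5.10"
IT_WORKSTATION = "10.10.20.45"   # an ordinary corporate host that must never reach OT
OT_PLC = "192.168.50.12"         # a PLC inside the OT zone
OT_ENGINEERING_PORTS = {22, 3389, 502, 20000}  # SSH, RDP, Modbus/TCP, DNP3


def permits(policy: List[Rule], src: str, dst: str, proto: str, port: int) -> bool:
    """First-match evaluation. No matching rule means implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if r.src != "any" and s not in ip_network(r.src, strict=False):
            continue
        if r.dst != "any" and d not in ip_network(r.dst, strict=False):
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action == "allow"
    return False


def audit_segmentation(policy: List[Rule]) -> List[str]:
    """Return human-readable findings; an empty list means the policy passes."""
    findings = []
    # 1. An ordinary IT host must not reach OT on engineering, control or web ports.
    for port in sorted(OT_ENGINEERING_PORTS | {80, 443}):
        if permits(policy, IT_WORKSTATION, OT_PLC, "tcp", port):
            findings.append(f"IT host {IT_WORKSTATION} reaches OT host {OT_PLC} on tcp/{port}")
    # 2. The jump host must work on its approved port and on nothing else.
    if not permits(policy, JUMP_HOST, OT_PLC, "tcp", 22):
        findings.append("jump host cannot reach OT on tcp/22; the approved maintenance path is broken")
    for port in (80, 443, 445):
        if permits(policy, JUMP_HOST, OT_PLC, "tcp", port):
            findings.append(f"jump host reaches OT on unapproved tcp/{port}")
    # 3. The policy must end with an explicit deny-any so later additions are not silently permissive.
    last = policy[-1] if policy else None
    if not (last and last.action == "deny" and last.src == "any"
            and last.dst == "any" and last.proto == "any" and last.port is None):
        findings.append("policy does not end with an explicit deny-any rule")
    return findings


# Constructed "flat" policy: the whole IT range may talk to the whole OT range.
FLAT_POLICY = [
    Rule("10.10.0.0/16", "192.168.50.0/24", "any", None, "allow"),
    Rule("any", "any", "any", None, "deny"),
]

# Constructed segmented policy: jump host only, SSH only, everything else from IT denied.
SEGMENTED_POLICY = [
    Rule("10.10.5.10/32", "192.168.50.0/24", "tcp", 22, "allow"),
    Rule("10.10.0.0/16", "192.168.50.0/24", "any", None, "deny"),
    Rule("any", "any", "any", None, "deny"),
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name}: {audit_segmentation(policy) or ['no findings']}")
```

Probing the policy with representative flows, rather than reading the rules statically, is deliberate: it respects first-match ordering, so a broad permit that is shadowed by an earlier deny is not reported, and a permissive rule hidden behind a narrow one is.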
2. Electrical Grid
- Incident: No confirmed breaches occurred, but a June 4, 2025, WIRED report highlighted Volt Typhoon’s embedded malware in grid SCADA systems across multiple states.
- Outcome: No disruptions; malware could enable future destructive attacks.
- Details: Volt Typhoon exploited unpatched firewalls and VPNs for persistence, using “living off the land” techniques to blend with normal network traffic. CISA’s threat hunters previously evicted Volt Typhoon from some systems, but concerns persist about undetected footholds.
- Impact: Grid operators intensified patching, monitoring, and threat-hunting efforts.
- Failed Attempt: On June 15, 2025, a suspected Iranian-linked DDoS attack targeted a regional utility’s customer portal in the Southeast, mitigated within hours using ISP traffic filtering.
3. Railroads
- Incident: On June 21, 2025, posts on X warned of Iran-linked reconnaissance targeting port logistics and rail networks, including scheduling systems for major freight operators.
- Outcome: No operational impact; enhanced monitoring implemented.
- Details: Actors scanned for vulnerabilities in rail management software, likely aiming to disrupt cargo movement amid U.S.-Iran tensions. CISA and the Transportation ISAC issued alerts urging heightened vigilance.
- Impact: Rail operators strengthened firewall rules and deployed advanced intrusion detection systems.
4. Highways and Transportation
- Incident: On May 12, 2025, TxDOT’s Crash Records Information System (CRIS) was breached, with over 423,000 driver and vehicle records exfiltrated.
- Outcome: Largest Texas state-level breach since 2024.
- Details: Attackers accessed sensitive data, including driver licenses and vehicle registration details. Texas Cyber Command led response efforts, with ongoing forensic analysis to identify the threat actor.
- Impact: Public notification underway; identity protection services offered to affected individuals.
- Incident: No direct attacks on highway infrastructure reported, but a June 16, 2025, Cybersecurity Dive report noted Iran-aligned interest in transportation nodes, including traffic management systems.
- Outcome: No disruptions; preemptive security measures strengthened.
- Details: Legacy software in traffic control systems remains vulnerable to exploits. State transportation departments conducted penetration testing to identify weaknesses.
- Impact: Increased investment in modernizing traffic management infrastructure.
5. Telecommunications
- Incident: Since April 2025, China’s Salt Typhoon compromised at least nine U.S. ISPs, including Verizon, AT&T, and T-Mobile, targeting core routers and lawful intercept systems.
- Outcome: Sensitive audio, metadata, and government communications exfiltrated.
- Details: Attackers used zero-day exploits and obfuscation to evade detection, accessing call data and surveillance request records. CISA’s threat hunters detected initial activity on federal networks, enabling broader response. The FBI offered a $10 million bounty for information on Salt Typhoon.
- Impact: Ongoing mitigation; ISPs enhanced router log audits and traffic monitoring.
- Incident: On June 20, 2025, CISA reported Salt Typhoon’s attempt to re-infect previously remediated routers, thwarted by court-authorized operations to seize attacker-controlled servers.
- Outcome: No new compromises; resilience efforts strengthened.
- Details: CISA facilitated seizure of virtual private servers leased by Salt Typhoon, providing visibility into the campaign’s scope.
- Impact: Improved public-private collaboration for real-time threat response.
6. Finance, Oil, and Defense
- Incident: On June 25, 2025, Iran-backed hacktivists launched DDoS attacks on corporate websites of banks (e.g., JPMorgan Chase), oil companies (e.g., ExxonMobil), and defense contractors (e.g., Lockheed Martin) following U.S. airstrikes on Iranian nuclear sites.
- Outcome: No critical service disruptions; DHS/CISA elevated alerts.
- Details: Attacks aimed at geopolitical signaling rather than operational impact, overwhelming websites with bot traffic. Brian Harrell, former DHS assistant secretary, noted Iran’s preference for soft targets like oil and gas.
- Impact: Financial and energy sectors implemented advanced DDoS mitigation.
- Incident: On June 23, 2025, DHS’s NTAS bulletin warned of Iran-linked reconnaissance against energy pipelines, similar to the 2021 Colonial Pipeline attack.
- Outcome: No successful attacks; reconnaissance detected.
- Details: Pro-Iranian hacktivists scanned pipeline control systems for vulnerabilities in internet-facing devices.
- Impact: Pipeline operators enforced stricter access controls and zero-trust policies.
7. Insurance
- Incident: Between June 12 and 17, 2025, Scattered Spider breached the insurers Aflac, Erie, and Philadelphia Insurance via social engineering, as reported to the SEC on June 20.
- Outcome: Sensitive PII, including SSNs and health data, compromised.
- Details: Attackers posed as IT support to trick employees into granting access to internal systems. The breach disrupted policyholder services and exposed customer data.
- Impact: Ongoing forensics; insurers offered credit monitoring to affected customers.
8. Healthcare
- Incident: On May 26, 2025, the Qilin ransomware gang targeted Covenant Health in Massachusetts, causing connectivity issues and service delays.
- Outcome: Temporary disruption of patient care services; no data exfiltration confirmed.
- Details: The attack exploited unpatched vulnerabilities in hospital IT systems, impacting scheduling and electronic health records. Covenant Health restored operations by June 10.
- Impact: Increased focus on healthcare cybersecurity; CISA issued advisories on ransomware mitigation.
Threat Actors
- Iran-Linked Groups: IRGC-affiliated actors and hacktivists (e.g., Cyber Av3ngers, Pioneer Kitten) use DDoS, PLC exploits, and spear-phishing for geopolitical impact. Pioneer Kitten collaborates with ransomware groups like AlphV for financial gain.
- China (Volt Typhoon, Salt Typhoon): State-sponsored groups focus on long-term persistence in grid, water, and telecom systems for espionage and potential disruption during crises, using living-off-the-land techniques and botnets.
- Scattered Spider: Criminal group that leverages social engineering for data breaches, targeting high-value sectors like insurance.
- Qilin: Ransomware gang exploiting unpatched vulnerabilities in healthcare and other critical sectors.
- Unattributed Actors: Some phishing and DDoS attempts lack clear attribution, possibly involving criminal proxies or independent hacktivists.
Mitigation Recommendations
- Network Segmentation: Isolate OT from IT systems to prevent lateral movement.
- Patch Management: Prioritize updates for SCADA, PLCs, routers, and internet-facing devices, especially end-of-life systems.
- MFA and Training: Enforce phishing-resistant MFA and conduct regular employee awareness training to counter social engineering.
- DDoS Protections: Enhance ISP traffic filtering and deploy advanced DDoS mitigation tools.
- Threat Intelligence Sharing: Leverage ISACs (e.g., WaterISAC, E-ISAC, IT-ISAC) and CISA’s threat-hunting resources for real-time updates.
- Zero Trust Architecture: Implement continuous verification for all users and devices to reduce insider and external risks.
- Router Log Audits: Regularly investigate metadata access patterns in telecom systems to detect espionage.
- Incident Response Plans: Develop and test plans to ensure rapid recovery from breaches, as demonstrated in healthcare incidents.
- Secure by Design: Adopt CISA’s guidance for manufacturers to build secure technology products, reducing vulnerabilities in critical systems.
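Two of the items above, router log audits and the investigation of metadata access patterns (the measure ISPs adopted after the Salt Typhoon intrusions described in Section 5), lend themselves to a concrete check. The following Python script is an added example, not from this bulletin and not any ISP's tooling: it parses a handful of constructed access-log lines from a hypothetical call-records and lawful-intercept database and applies four baseline rules (queries from outside the admin subnet, off-hours access, reads of the intercept-target table by accounts without the lawful-intercept role, and bulk row counts per user per day). The log format, host and user names, addresses, hours and thresholds are all assumptions.

```python
"""Audit metadata-access logs from a telecom records system for espionage-style patterns.

Added example for this bulletin; not ISP tooling. The log format, baseline
(admin subnet, LI role, business hours, bulk threshold) and every sample
line are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Constructed baseline: who may touch which tables, from where, and when.
ADMIN_NETS = ("10.20.30.",)                 # prefix of the internal admin subnet
INTERCEPT_ROLE_USERS = {"li_analyst1", "li_analyst2"}
BUSINESS_HOURS_UTC = range(12, 23)          # 12:00-22:59 UTC, an east-coast operations day
BULK_ROWS_THRESHOLD = 10_000                # rows per user per day before it counts as a bulk pull


def parse_line(line: str) -> Dict[str, object]:
    """Split one key=value log line into a record with a UTC timestamp and integer row count."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["rows"] = int(m.group("rows"))
    return rec


def audit(lines: List[str]) -> List[str]:
    """Apply the baseline rules and return one finding string per violation."""
    findings: List[str] = []
    daily_rows = defaultdict(int)           # (user, date) -> rows read that day
    for line in lines:
        rec = parse_line(line)
        user, src, table, ts = rec["user"], rec["src"], rec["table"], rec["ts"]
        stamp = f"{ts:%Y-%m-%d %H:%M}"
        if not src.startswith(ADMIN_NETS):
            findings.append(f"{stamp} {user} queried {table} from non-admin source {src}")
        if ts.hour not in BUSINESS_HOURS_UTC:
            findings.append(f"{stamp} {user} queried {table} outside business hours")
        if table == "intercept_targets" and user not in INTERCEPT_ROLE_USERS:
            findings.append(f"{stamp} {user} read intercept_targets without the LI role")
        daily_rows[(user, ts.date())] += rec["rows"]
    for (user, day), rows in sorted(daily_rows.items()):
        if rows > BULK_ROWS_THRESHOLD:
            findings.append(f"{day} {user} pulled {rows} rows in one day (bulk export)")
    return findings


# Constructed sample log: two benign entries, then a service account behaving like a collector.
SAMPLE_LOG = [
    "2025-06-18T14:02:11Z host=cdr-db01 user=li_analyst1 src=10.20.30.7 action=query table=intercept_targets rows=12",
    "2025-06-18T15:40:02Z host=cdr-db01 user=noc_oper src=10.20.30.22 action=query table=call_records rows=340",
    "2025-06-19T02:14:07Z host=cdr-db01 user=svc_backup src=203.0.113.45 action=query table=intercept_targets rows=4800",
    "2025-06-19T02:31:55Z host=cdr-db01 user=svc_backup src=203.0.113.45 action=query table=call_records rows=9000",
    "2025-06-19T03:05:41Z host=cdr-db01 user=svc_backup src=203.0.113.45 action=query table=call_records rows=7500",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The rules are deliberately baseline-driven rather than signature-driven: a service account reading intercept targets at 02:00 from an address outside the admin subnet is suspicious regardless of which actor is behind it, which is the kind of pattern a recurring audit of metadata access is meant to surface.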
Analysis and Forecast
Analytical Commentary
The cyber threat landscape from May 26 to June 25, 2025, reveals a volatile mix of geopolitical motivations, state-sponsored sophistication, and criminal opportunism. Below is an unbiased analysis of the reported incidents, their implications, and a forecast for the next 3–6 months, incorporating international events likely to impact U.S. infrastructure security.
- Iran-Linked Threats as Geopolitical Retaliation:
  - Analysis: Iran-backed actors intensified attacks following U.S. airstrikes on Iranian nuclear facilities, using DDoS, PLC exploits, and reconnaissance to signal discontent. These low-impact attacks (e.g., water system monitoring disruptions) prioritize psychological and political effects over operational devastation. However, reconnaissance against pipelines and rail systems suggests potential for escalation if U.S.-Iran tensions worsen.
  - Implications: Iran’s collaboration with ransomware groups (e.g., Pioneer Kitten with AlphV) and its history of targeting infrastructure (e.g., 2021 Colonial Pipeline parallels) indicate a risk of hybrid cyber-physical attacks. The focus on soft targets like oil and gas reflects Iran’s limited but growing cyber capabilities.
- China’s Strategic Espionage and Pre-Positioning:
  - Analysis: China’s Volt Typhoon and Salt Typhoon campaigns demonstrate a strategic focus on long-term persistence. Salt Typhoon’s compromise of nine U.S. ISPs, targeting lawful intercept systems, aims to undermine U.S. intelligence capabilities. Volt Typhoon’s embedded malware in grid SCADA systems, undetected in some cases, is designed for potential disruption during a geopolitical crisis, such as a Taiwan conflict.
  - Implications: The $10 million FBI bounty for Salt Typhoon and CISA’s server seizures highlight significant U.S. concern. Evicting these actors is resource-intensive, and undetected footholds could enable future attacks. China’s approach prioritizes strategic leverage over immediate disruption.
- Criminal and Opportunistic Threats:
  - Analysis: Scattered Spider’s social-engineering breach of insurers and Qilin’s ransomware attack on Covenant Health exploit human and technical vulnerabilities. The TxDOT breach, exposing 423,000 records, underscores public-sector cybersecurity gaps. These incidents reflect the effectiveness of low-sophistication, high-impact attacks.
  - Implications: Criminal actors thrive in environments with inconsistent security practices. The nexus between state and criminal actors (e.g., Iran’s ransomware ties) complicates attribution and response, increasing the risk of indirect infrastructure disruption.
- Systemic Vulnerabilities:
  - Analysis: Legacy systems (e.g., outdated PLCs, traffic management software) and insufficient network segmentation are recurring weaknesses. Human factors, exploited via phishing and social engineering, remain a critical gap. While MFA and training mitigated some attempts, inconsistent adoption leaves systems exposed.
  - Implications: Without significant investment in modernization, vulnerabilities will persist, enabling both state and criminal actors to exploit them with minimal effort.
- Public-Private Coordination:
  - Analysis: CISA’s threat-hunting, ISAC intelligence sharing, and FBI bounties demonstrate effective collaboration. The seizure of Salt Typhoon’s servers is a proactive step, but reliance on voluntary compliance and uneven adoption of CISA’s recommendations limits impact.
  - Implications: Mandatory cybersecurity standards and increased federal funding could enhance resilience, but regulatory debates may delay progress.
International Events Likely to Impact U.S. Infrastructure
- U.S.-Iran Tensions:
  - Context: U.S. airstrikes on Iranian nuclear facilities in June 2025, prompted by uranium enrichment violations, have escalated tensions. Iran’s history of retaliatory cyberattacks (e.g., 2012 Saudi Aramco) makes infrastructure a prime target.
  - Impact: Iran may intensify cyberattacks, targeting energy pipelines or electrical grids for maximum disruption, especially if Israel-Iran conflicts escalate.
- China-Taiwan Dynamics:
  - Context: China’s military drills near Taiwan in May 2025 and U.S. naval exercises in the South China Sea have heightened tensions. Volt Typhoon’s grid infiltration is linked to potential Taiwan conflict scenarios.
  - Impact: China may expand espionage to deter U.S. intervention or prepare for economic coercion. A Taiwan crisis could prompt limited disruptions to test U.S. resilience.
- Russia-Ukraine Conflict Spillover:
  - Context: Russia’s ongoing war in Ukraine, with intensified cyberattacks on Western infrastructure in 2025, creates a permissive environment for state-sponsored operations. Russia’s collaboration with Iran and China amplifies threats.
  - Impact: Russia’s playbook (e.g., 2015 Ukraine grid attack) could inspire Iran or China to target U.S. infrastructure, particularly if NATO escalates support for Ukraine.
- Global Cybercrime Trends:
  - Context: The rise of ransomware-as-a-service and state-criminal partnerships (e.g., Iran’s Pioneer Kitten) reflects a global trend of monetized cybercrime.
  - Impact: Criminal groups will continue exploiting vulnerabilities, potentially causing localized disruptions in healthcare or transportation.
Forecast for the Next 3–6 Months
- Increased Attack Frequency and Sophistication:
  - Iran will likely escalate from DDoS and reconnaissance to destructive malware targeting energy or water systems, especially if U.S.-Iran tensions worsen. A major pipeline disruption is a plausible risk.
  - China’s espionage campaigns will persist, with Salt Typhoon expanding to additional ISPs and Volt Typhoon maintaining grid footholds. A Taiwan crisis could trigger limited disruptions.
  - Criminal actors will exploit unpatched systems and human errors, with ransomware remaining a threat to healthcare and local government infrastructure.
- Sector-Specific Risks:
  - Energy and Water: Highest risk due to Iran’s focus and China’s pre-positioning. A coordinated attack could cause localized outages or public panic.
  - Telecom: Salt Typhoon’s access threatens national security communications, potentially undermining crisis response.
  - Transportation: Rail and port reconnaissance could lead to supply chain disruptions if timed with geopolitical events.
  - Healthcare: Ransomware will continue disrupting patient care, straining public trust.
- Policy and Investment Trends:
  - The Biden administration’s push for mandatory cybersecurity standards may gain traction, but implementation will lag due to industry resistance.
  - Federal funding for infrastructure modernization (e.g., Bipartisan Infrastructure Law) will progress slowly, insufficient to address legacy systems in 3–6 months.
  - Public-private collaboration will strengthen, but uneven adoption across sectors will limit effectiveness.
- Public and Economic Impact:
  - Localized disruptions may erode public confidence, amplifying political pressure for action.
  - Economic costs from breaches and recovery (e.g., TxDOT’s identity protection) will strain budgets.
  - A major incident could trigger market volatility and supply chain delays, particularly in energy and goods.
Recommendations for Stakeholders
- Government: Fast-track mandatory cybersecurity regulations for critical infrastructure, focusing on OT segmentation and secure-by-design principles. Expand CISA’s threat-hunting resources and incentivize state-level cyber investments.
- Private Sector: Prioritize patching, MFA, and employee training. Engage with ISACs for real-time intelligence and adopt zero-trust architectures.
- Public: Stay informed about cyber risks and support balanced security policies. Prepare for potential disruptions with emergency supplies and communication plans.
Conclusion
The period from May 26 to June 25, 2025, marked a surge in cyber threats to U.S. critical infrastructure, driven by Iran-linked actors retaliating against U.S. military actions and China’s ongoing espionage campaigns. Successful breaches in water systems, insurance, and transportation, alongside telecom espionage and healthcare ransomware, expose persistent vulnerabilities in legacy systems and human-centric attack vectors. The absence of catastrophic disruptions masks a deeper reality: the U.S. is a high-value target in a contested cyber domain. Over the next 3–6 months, escalating geopolitical tensions (U.S.-Iran, China-Taiwan, Russia-Ukraine) will likely drive increased attack frequency, with energy, telecom, and transportation at highest risk. Public-private collaboration and federal initiatives are critical, but accelerated modernization and mandatory standards are essential to prevent a major crisis. Operators must prioritize segmentation, patching, MFA, and intelligence sharing to enhance resilience.
Sources
- CISA Alerts and Advisories
- DHS NTAS Bulletin, June 23, 2025
- Cybersecurity Dive, June 16, 2025
- WIRED, June 4, 2025
- Posts on X, June 2025
- Open-source threat intelligence, June 25, 2025
- CNN Business, June 24, 2025
- Nextgov/FCW, June 22, 2025
- Dark Reading, March 13, 2025
- CyberScoop, January 15, 2025
- Industrial Cyber, June 23, 2025
- POLITICO, June 17, 2025