Cybersecurity News: Retaliatory Iranian cyberattacks, steel giant confirms breach, ransomware hits healthcare system again

DHS warns of retaliatory Iranian cyberattacks

Iranian cyber threat actors are expected to ramp up operations against U.S. targets following President Trump’s recent airstrikes on three Iranian nuclear sites. DHS issued a national advisory warning that state-sponsored hackers and pro-Iranian hacktivists are likely to escalate low-level cyberattacks, with the potential for more serious retaliation. Iranian-linked groups have already called for attacks in response to the conflict, and the country’s track record includes targeting critical infrastructure, political campaigns, and even operational technology in the U.S., primarily with malware.

(DHS), (Security Week), (Infosecurity Magazine)

Steel giant Nucor confirms breach

North America’s largest steel producer, Nucor, confirmed a cyberattack that led to data theft and the temporary shutdown of operations at several facilities. In an SEC filing, the company said limited data was exfiltrated, affected systems have been restored, and there’s no indication attackers still have access. While Nucor hasn’t confirmed ransomware was involved, the incident bears the hallmarks of a double-extortion attack, though no group has claimed responsibility.

(Bleeping Computer), (Security Week)

Ransomware hits healthcare system again

McLaren Health Care has confirmed a ransomware attack that compromised sensitive data for over 743,000 patients, marking the second major cyber incident to hit the Michigan hospital network in less than a year. The hackers had access to systems between July and August 2024, stealing names, Social Security numbers, medical records, and other personal information. Victims are now being notified and offered one year of free credit monitoring. While McLaren hasn’t named the group behind the attack, a ransom note shared online points to the INC ransomware gang.

(The Record), (Security Week)

Salt Typhoon hits Canadian telecom

A warning to Canadian telecom providers: the Chinese state-sponsored hacking group Salt Typhoon is actively targeting networks, with a confirmed breach in February 2025 that exploited a critical Cisco flaw—months after it was publicly disclosed. The Canadian Centre for Cyber Security and the FBI say the attackers used the vulnerability to steal network configurations and set up tunnels for data exfiltration, raising alarms about ongoing risk. Despite earlier warnings, some critical infrastructure remains unpatched, prompting renewed urgency as Salt Typhoon ramps up activity across telecom and other key sectors.

(Security Week), (Bleeping Computer)
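The Salt Typhoon item above describes attackers who, once inside a router, pulled the device configuration and then added tunnels to carry exfiltrated traffic. One practical follow-up for a network team is to diff the tunnel interfaces present in a device's running config against an approved baseline. The script below is an added example for this news item, not code from any of the cited sources or advisories; the config excerpt is constructed, and the `APPROVED_TUNNELS` baseline is an assumed inventory a team would maintain itself.

```python
"""Flag tunnel interfaces in a Cisco IOS-style running config that are not in an approved baseline.

Added example: the config text below is constructed for illustration and the baseline
dictionary is an assumed operator-maintained inventory, not data from any real device.
"""
import re

# Constructed sample running-config excerpt (RFC 5737 documentation addresses).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel10
 description approved site-to-site
 ip address 10.10.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.20
!
interface Tunnel99
 ip address 10.99.99.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.77
 tunnel mode gre ip
!
end
"""

# Assumed baseline: tunnel interface name -> approved remote endpoint.
APPROVED_TUNNELS = {"Tunnel10": "198.51.100.20"}


def parse_interfaces(config):
    """Return {interface_name: [indented config lines]} from an IOS-style config.

    A stanza starts at a line beginning with 'interface ' and continues over the
    following space-indented lines; any other top-level line ends the stanza.
    """
    interfaces = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def tunnel_destinations(interfaces):
    """Map each TunnelN interface to its 'tunnel destination' (None if unset)."""
    dests = {}
    for name, lines in interfaces.items():
        if not name.startswith("Tunnel"):
            continue
        dest = None
        for entry in lines:
            match = re.match(r"tunnel destination (\S+)", entry)
            if match:
                dest = match.group(1)
        dests[name] = dest
    return dests


def unapproved_tunnels(config, approved):
    """Return (interface, destination) pairs that are absent from, or differ from, the baseline.

    A tunnel whose name is approved but whose destination was changed is also flagged,
    since re-pointing an existing tunnel is as useful to an intruder as adding a new one.
    """
    findings = []
    for name, dest in tunnel_destinations(parse_interfaces(config)).items():
        if approved.get(name) != dest:
            findings.append((name, dest))
    return findings


if __name__ == "__main__":
    for name, dest in unapproved_tunnels(SAMPLE_CONFIG, APPROVED_TUNNELS):
        print(f"UNAPPROVED tunnel {name} -> {dest}")
```

Run it against a config pulled over a trusted management path rather than one the device reports in a session that may itself be compromised, and treat any hit as a trigger for the wider review the advisories call for (patch status, credential rotation, and a look at what else changed in the config).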

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.

Iran-linked attacks hit globally 

As tensions with Iran escalate, recent cyberattacks abroad serve as a stark reminder that Iranian-linked hackers are already actively targeting critical systems worldwide—one of the reasons why the DHS is warning of potential retaliation on U.S. soil. In Albania, the group Homeland Justice—linked to Iran’s Islamic Revolutionary Guard Corps—disrupted multiple public services in the capital, Tirana, by taking down the city’s website, wiping servers, and exfiltrating data. The group cited Albania’s support of an exiled opposition group as motivation. Meanwhile, in Saudi Arabia, the pro-Iranian hacktivist group Cyber Fattah leaked thousands of personal records tied to the Saudi Games 2024, exposing passport scans, medical certificates, and bank details from athletes and officials. Security researchers say the attack is part of a broader information warfare campaign designed to advance Iran’s anti-U.S., anti-Israel, and anti-Saudi agenda. 

(The Record), (Infosecurity Magazine)

Fake Zoom calls used to deploy malware

We are now learning that a scheme of fake Zoom calls used to deploy malware is broader than first thought. When we first reported this story, security researchers said North Korea’s BlueNoroff hacking group was behind a new wave of social engineering attacks using fake Zoom calls to deploy malware and steal credentials. Now multiple incidents have been reported, with victims, mostly in the cryptocurrency and financial sectors, tricked into running fake “Zoom audio fix” scripts or downloading malicious extensions after experiencing staged technical issues. The attackers used deepfakes, spoofed domains, and Telegram to deliver payloads, with infections resulting in data theft, keyloggers, and persistent backdoors.

(Security Week)

UK retailers lose millions

Cyberattacks targeting major UK retailers like Marks & Spencer and Co-op are estimated to cost up to £440 million ($591 million), according to Britain’s Cyber Monitoring Centre (CMC). This marks the CMC’s first real-world incident classification since launching earlier this year to define what qualifies as a systemic cyber event—a move designed to bring clarity for insurers and policymakers. The attacks were labeled a “category 2” event, with M&S hit hardest financially and Co-op facing greater operational impact in rural communities.

(The Register)

Lauren Verno
Lauren Verno, an award-winning journalist, embraces her expertise, transitioning seamlessly into a cyber defender to bring you captivating updates on cybersecurity news.