
Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn

7 April 2026 at 13:58

Iranian government hackers are launching disruptive cyberattacks on American energy and water infrastructure, U.S. government agencies “urgently” warned Tuesday.

The hackers are taking aim at devices and systems that control industrial processes, and have harmed victims in the last month following the onset of U.S.-Israel strikes against Iran, according to the joint alert from the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency, Environmental Protection Agency, Energy Department and Cyber Command.

“Iran-affiliated advanced persistent threat (APT) actors are conducting exploitation activity targeting internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley,” the alert states. “This activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays.”

U.S. government agencies have warned before about Iranian hackers going after similar targets with similar methods. The first such warning came after an Iranian government-linked group took credit for attacking a Pennsylvania water facility in late 2023.

Since March of this year, however, the agencies said they have seen new victims of an advanced persistent threat group tied to Iran.

“The authoring agencies identified (through engagements with victim organizations) an Iranian-affiliated APT-group that disrupted the function of PLCs,” the alert reads. “These PLCs were deployed across multiple U.S. critical infrastructure sectors (including Government Services and Facilities, WWS, and Energy sectors) within a wide variety of industrial automation processes. Some of the victims experienced operational disruption and financial loss.”

The earlier campaign compromised at least 75 devices, the alert states.

The latest disruptions include “maliciously interacting with project files, and manipulating data displayed on HMI and SCADA displays,” according to the agencies’ warning.

After the U.S.-Israel conflict with Iran began, Tehran-connected hackers claimed victims including major medtech company Stryker, local governments and more.

The FBI warned last month that Iranian hackers were deploying malware over the Telegram app, although that campaign also predated the current Iran conflict.

The post Iranian hackers launching disruptive attacks at U.S. energy, water targets, feds warn appeared first on CyberScoop.

Former NSA chiefs worry American offensive edge in cybersecurity is slipping

26 March 2026 at 13:20

SAN FRANCISCO — Four former National Security Agency directors shared varying concerns about a lack of earnest and widespread response to growing threats in cyberspace during a discussion at the RSAC 2026 Conference on Tuesday.

Accelerating threats posed by artificial intelligence, China and cybercriminals at large are testing the country’s resolve and determination to foster meaningful public-private collaboration, the former commanders of U.S. Cyber Command said. 

While the four-star military officials remain confident in the country’s resources and people committed to defending the nation from cyberattacks, they voiced unease about challenges that could upend technological dominance and diminish a collective response to serious intrusions. 

“I think we’ve become numb to it,” retired Gen. Paul Nakasone said. “We continue to see these different intrusions, and intrusions have gotten to a size that the scale is just incredible to me.”

The nation and industry aren’t keeping up with adversaries amid a brain drain across the U.S. government, the founding director of Vanderbilt University’s Institute of National Security said.

“We’ve lost ground with regards to our outreach to the private sector” within the Cybersecurity and Infrastructure Security Agency, the Joint Cyber Defense Collaborative and NSA’s Cybersecurity Collaboration Center, Nakasone said. 

Retired U.S. Navy Admiral Mike Rogers also criticized the U.S. government for areas of inaction and decay. “I see a government that’s unwilling to expend political capital to really drive fundamental change in cyber, and it’s a reflection of the fact that politically we are so divided, and as a society we are so divided,” he said. 

“We’re the largest economy in the world. We don’t have a single federal privacy framework. We don’t have a single major piece of cyber legislation,” Rogers added. “That frustrates the hell out of me.”

Retired Gen. Keith Alexander, the first chief of U.S. Cyber Command, said the key players remain committed and are working as hard as ever to combat cyber threats. Yet, he’s concerned about what the nation is doing to confront China and all the ways it could inflict harm, particularly in the realm of AI.

“We will be challenged in this area. We will fight in this area, and it will be both the government and you all helping to protect this country to ensure that we live through it,” Alexander said.

The U.S. government’s collaborative efforts with private companies provide an incredible intelligence advantage, said retired Gen. Tim Haugh. But, he warned, China has replicated similar capabilities and pre-positioned itself inside critical infrastructure networks.

Under his leadership, Haugh said he tried to encourage debate among policymakers to consider more offensive responses to China’s malicious cyber activities, particularly actions that might be equivalent to effects that would occur in armed conflict. 

Frustration and mounting concern were palpable as the former NSA and U.S. Cyber Command bosses held court on stage together for the first time this week.

“We’re starting to accept this, in some ways, as the price of living in the digital age. And we have not yet had a level of trauma that has driven fundamental behavioral change,” Rogers said. “We haven’t had thousands die. I hope we never do, don’t get me wrong, but it seems like we just haven’t had a level of pain that’s fundamentally shifted the calculus.”


Is the US adopting the gray zone cyber playbook?

By: Greg Otto
12 January 2026 at 05:00

When President Trump referenced America’s ability to “darken” parts of Caracas during Operation Absolute Resolve, the comment stood out not because of what it confirmed, but because of what it implied. Delivered without technical detail, the remark hinted at capabilities that sit somewhere between diplomacy and force, and between cyber operations and traditional military action.

Whether or not the statement reflected a specific technical action in the raid on Venezuela is almost beside the point. What mattered was the signal: cyber-enabled disruption of civilian or economic systems is no longer treated as an abstract possibility, but as a plausible instrument of state power operating below the threshold of open conflict.

This framing aligns with events that preceded any visible kinetic or political resolution. Venezuela’s state-owned oil sector, the backbone of the country’s economy and a primary source of regime revenue, reportedly experienced cyber-related disruptions that affected operations and exports. Attribution remains contested, and no public confirmation has been offered. But the timing and the target were notable. Pressure seemed to be applied not during the confrontation itself, but earlier—targeting the systems that sustain national power.

These developments point toward a more deliberate “gray zone” approach, one that uses cyber interference against economic and civilian infrastructure as part of sustained pressure campaigns rather than isolated, surgical actions.

For a global power operating in an environment of constant competition, this shift may be less radical than it initially appears.

Why the gray zone matters

Gray zone conflict is often framed as a deviation from traditional deterrence. But in practice, it reflects how competition among major powers increasingly unfolds. Rarely does rivalry manifest as declared war. Instead, it plays out through incremental pressure applied across economic, informational, political, and technological domains.

Cyber capabilities are particularly well suited in this space. They allow nation-states to impose friction, degrade confidence, and shape behavior without crossing clear thresholds that would trigger conventional military escalation. Unlike kinetic force, cyber effects can be reversible, deniable, and calibrated over time.

From a technical perspective, this flexibility is not accidental. Modern cyber operations rely less on single exploits and more on persistent access, identity abuse, supply chain dependencies, and detailed mapping of complex systems. These attributes make cyber tools effective not just for disruption, but for long-term leverage.

For years, the United States invested heavily in advanced cyber capabilities while remaining cautious about integrating them openly into broader coercive strategies. This restraint, however, was not universally shared.

Lessons from the Russian model

For more than a decade, U.S. officials criticized Russia’s use of hybrid warfare, particularly its integration of cyber operations, economic pressure, information campaigns, and civilian infrastructure disruption. In Ukraine and elsewhere, civilian impact was not incidental but a key part of the strategy.

From a technical standpoint, Russia demonstrated that persistent interference against power grids, telecommunications networks, healthcare systems, election infrastructure, and government services could impose strategic costs without provoking decisive military retaliation. Even relatively limited actions, such as GPS jamming affecting civilian aviation in the Baltics and Eastern Europe, reinforced the same lesson: disruption does not need to be catastrophic to be effective.

These operations often relied on modest technical effects amplified through operational timing and uncertainty. Intermittent outages, degraded reliability, and ambiguous attribution created pressure on governments and populations without crossing clear red lines.

Regardless of how Moscow’s objectives are judged, the effectiveness of cyber and electronic interference as tools of statecraft did not go unnoticed. In recent years, other countries, particularly China and Iran, have steadily expanded these operations and capabilities.

How gray zone campaigns operate

From a cyber perspective, gray zone operations rarely resemble single attacks. They unfold as campaigns.

Access is often established years in advance through credential compromise, third-party vendors, or exposed management interfaces. Once inside, operators map dependencies, understand failover mechanisms, and identify points where limited disruption can produce outsized operational impact.

These effects, when applied, are typically restrained. Rather than causing prolonged blackouts or physical damage, campaigns may induce intermittent failures, data integrity concerns, or operational delays that erode confidence and consume resources. The goal is not destruction, but pressure: forcing leaders and operators to operate under uncertainty.

They are also designed to be reversible and deniable. The ability to stop, pause, or modulate disruption is as important as the ability to initiate it. This control allows cyber operations to be synchronized with diplomatic signals, economic sanctions, or other forms of statecraft.

Statecraft in an era of constant competition

The events in Venezuela underscore a broader reality: cyber-enabled pressure is now a standard component of how states pursue political outcomes. It shapes environments well before traditional markers of conflict appear.

The strategic question is no longer whether cyber-enabled economic interference will be used, but how seamlessly it is integrated with other tools. Sanctions, diplomacy, military posture, and cyber operations increasingly function as parts of a single continuum rather than separate domains.

This raises natural questions about where such pressure may be applied next. In the Western Hemisphere, U.S. attention has turned toward Cuba and Colombia. Beyond the region, Iran remains a focal point of coercive strategy, where cyber operations have already been used to strain industrial systems and public confidence without crossing into open conflict.

The point is not to predict specific operations, but to recognize that pressure via cyber operations has moved from the margins of policy into its core.

What this means going forward

For a global power, ignoring gray zone dynamics is increasingly unrealistic. However, embracing them does introduce new forms of risk. Cyber interference below the threshold of war offers flexibility and deniability, but it also creates ambiguity around control, proportionality, and long-term stability.

Escalation in this space rarely arrives as a single dramatic event. Instead, it accumulates through repeated disruptions that gradually blur the line between competition and conflict, often without clear signaling or agreed-upon thresholds.

Managing that risk requires more than technical capability. It demands disciplined judgment, an understanding of complex systems, and an appreciation for how seemingly modest cyber effects can cascade politically and economically.

The gray zone may be unavoidable, but how states operate within it will shape whether it becomes an effective tool of competition, or a source of sustained instability.

Aaron Estes, Vice President at Binary Defense, is a three-time Lockheed Martin Fellow with more than 25 years of experience in cybersecurity and software engineering.  Estes has spent much of his career advancing mission resilience and adaptive defense for the Department of Defense, intelligence community, and leading defense contractors.


Defense bill addresses secure phones, AI training, cyber troop mental health

8 December 2025 at 10:56

The Defense Department would be required to give senior leaders secure mobile phones, to provide personnel with cybersecurity training that includes a focus on artificial intelligence, and to give cyber troops access to mental health services under a compromise annual defense policy bill released over the weekend.

The deal between House and Senate negotiators on the fiscal 2026 National Defense Authorization Act (NDAA) is a massive piece of legislation that runs the gamut of the Pentagon, including a record-breaking $901 billion topline figure. It also has a grab bag of cybersecurity policy provisions. The House could take it up as soon as this week.

The legislation states that the secretary of defense “shall ensure” that wireless mobile phones the department provides to its senior leaders and others working on sensitive national security missions meet a list of cybersecurity requirements, such as data encryption. A Pentagon watchdog last week published long-awaited examinations of the Signalgate incident that enveloped Defense Secretary Pete Hegseth.

The bill directs the department to make sure that behavioral health specialists with proper security clearances are dispatched to United States Cyber Command and the Cyber Mission Force. It follows in the tradition of past provisions of defense policy bills to address the mental health needs of personnel there.

The department is told to revise mandatory training on cybersecurity for members of the Armed Forces and civilian employees “to include content related to the unique cybersecurity challenges posed by the use of artificial intelligence.”

There are plenty of other cybersecurity provisions contained in the bill.

It would set up barriers to splitting the leadership of Cyber Command and the National Security Agency by prohibiting any department funding from being used to “reduce or diminish the responsibilities, authorities or organizational oversight of the Commander of the United States Cyber Command.”

On behalf of defense contractors, the bill orders the department to “harmonize the cybersecurity requirements” across the department and reduce the number of cybersecurity requirements “that are unique to specific contracts.” That’s a focus of the forthcoming Trump administration cybersecurity strategy.

It also includes a statement of policy on the use of commercial spyware. It says that U.S. policy is to oppose the misuse of commercial spyware against groups like journalists and human rights activists, to coordinate with allies to prevent the export of commercial spyware to those who are likely to misuse it, to “establish robust guardrails,” and to work with the private sector to counter abuse.

Such statements of policy don’t carry legal force but give a sense of lawmaker consensus and intentions.


Top Senate Intel Dem warns of ‘catastrophic’ cyber consequences of Trump admin national security firings, politicization

20 November 2025 at 13:44

Politicization of intelligence in the Trump administration, as well as the “hollowing out” of government expertise, is leaving the United States dangerously vulnerable to cyberattacks and other threats, the top Democrat on the Senate Intelligence Committee said in a floor speech Thursday.

Mark Warner of Virginia chastised the president over what he called politically motivated personnel decisions that he said jeopardized national security, including layoffs of one-third of the workforce at the Cybersecurity and Infrastructure Security Agency, the firing of a top FBI cyber official and the vacant leadership at the National Security Agency and U.S. Cyber Command.

“One-third of CISA, the agency established for the absolutely explicit purpose of protecting our critical infrastructure — water, power, our elections — to prevent those entities from being attacked by cyber tools, a third of that agency, fired,” Warner said. 

The administration has eliminated election security workers at CISA, he noted — rolling back improvements innovated when Trump was first president.

“The irony is stark: despite persistent efforts by China, Russia, Iran and other adversaries, the 2020 presidential election was one of the most secure in history, thanks in large part to steps taken during the Trump administration’s first term to safeguard our critical infrastructure,” he said. “Yet now, much of that hard-won protection has been dismantled, leaving Americans more vulnerable than ever.”

Warner criticized the firing of Michael Nordwall, the former head of the FBI’s criminal cyber response branch that oversees the bureau’s fight against ransomware, online fraud and more.

He also criticized the firing of former NSA/Cyber Command boss Tim Haugh, and his deputy, Wendy Noble, “at the behest of the conspiracy theorist Laura Loomer.” Warner pointed out that those positions remain vacant, after the firings occurred in April. Many national security firings have come in retaliation for work under the prior administration to which Trump objected, or even because the fired personnel are friendly with administration critics, he said.

The cutbacks and firings are happening at a time when Trump administration national security leaders are warning about cyberattacks and malign foreign influence from China, Russia and Iran, in addition to non-cyber threats, Warner said.

“Firing agents who investigate terrorists, foreign spies, cyber hackers and child predators does not make America safer, especially when the president’s own intelligence officials warn, publicly and repeatedly, of the many threats facing our nation,” he said.

If the administration fails to keep classified information safe, if it fails to protect critical infrastructure, “We will bear the costs later,” Warner said. “A cost that could be catastrophic.”

A National Security Council spokesperson did not immediately respond to a request for comment. In the past, Trump administration officials have characterized firings and government layoffs as necessary for getting those agencies focused on their primary missions, and have rejected allegations of politicizing intelligence, saying it was the Biden administration that did so instead.


While White House demands deterrence, Trump shrugs

12 November 2025 at 14:46

The Trump administration’s top cyber officials have emphasized the urgent need to take aggressive action to deter increasingly brazen foreign cyberattacks. Trump himself, however, has repeatedly brushed aside the notion that foreign cyber activity is anything especially noteworthy.

When Trump’s team talks about foreign hacking, be it China’s alleged massive cyberespionage campaign against telecommunications companies or its efforts to take root in U.S. critical infrastructure, they insist the actions can’t be tolerated and must be deterred.

“We need to find some way to communicate that this is not acceptable,” Alexei Bulazel, senior director for cybersecurity at the National Security Council, said in May when asked about the groups thought to be behind those campaigns, Salt Typhoon and Volt Typhoon.

More recently, last month, National Cyber Director Sean Cairncross cast a wider net about foreign adversaries who want to “do us harm,” saying, “To date I don’t think the United States has done a tremendous job of sending the signal, in particular to China, that their behavior in this space is unacceptable.”

Trump, by contrast, has framed all that differently, to the point of dismissiveness.

Asked in June about Chinese hacking of U.S. telecoms, theft of intellectual property and more, Trump answered, “You don’t think we do that to them? We do. We do a lot of things. … That’s the way the world works. It’s a nasty world.”

Asked in August about whether he would discuss alleged Russian hacking of U.S. courts with Vladimir Putin, Trump replied, “I guess I could, are you surprised? … They hack in, that’s what they do. They’re good at it, we’re good at it, we’re actually better at it.”

The gulf between what Trump says about cyber compared to what his top deputies say provokes a variety of reactions from cyber experts and former officials. It sends mixed signals to adversaries, some say, while others say it might just reflect facts of life about today’s cyber environment or a president who doesn’t behave or think conventionally.

At the same time, Trump’s casual messaging about cyber may reflect a broader trend of nations increasingly treating cyber operations as a routine instrument of power.

A need for consistency?

A lack of consistency between the president and his personnel muddles a clear message to adversaries, and downplaying cyberattacks is unwise, said Christopher Painter, who served as the top State Department cyber official under President Obama.

“Either cyber and cyberattacks are a priority or they’re not, and it’s [a] problem if you communicate they’re not serious by saying, ‘Oh, we don’t care now,’” said Painter, now a nonresident senior adviser at the Center for Strategic and International Studies. Cyberattacks are serious, he said, and “We need to say it, and we need to be consistent about it, and we need to make sure we take it seriously. So I am concerned that it undermines the narrative that I think we need.”

Trump downplayed foreign cyber activity during his first term, too, both publicly and privately, in the latter case shunting away an adviser while the president tried to watch a golf tournament by saying “You and your cyber … are going to get me in a war — with all your cyber s—t.” According to Painter, Trump often links the issue to Russian interference in the 2016 presidential election, a subject he resents because he believes it undermines the legitimacy of his presidency.

But Painter also noted Trump wasn’t the first to downplay any kind of foreign cyber activity, with former Director of National Intelligence James Clapper remarking about the 2015 Office of Personnel Management hack, “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

Clapper also drew a line between the OPM breach, which he said was “passive intelligence collection activity,” and a full-fledged cyberattack. There is a long-running debate over whether cyberespionage constitutes a cyberattack.

Trump officials, too, have emphasized they’re more worried about the activity of Volt Typhoon, with its potential for disruption, than that of Salt Typhoon, which is more espionage-focused.

Some analysts acknowledge that Trump has a point when he dismisses cyberespionage as a fact of modern life rather than something that requires retaliation. “My own experience says that it’s extremely difficult, if not impossible, to deter espionage,” said Michael Daniel, who held the White House’s top cyber position under Obama and is now president of the Cyber Threat Alliance.

Any threat in an attempt to deter cyberespionage has to be credible to be effective, said Erica Lonergan, an assistant professor at Columbia University’s School of International and Public Affairs. And there are a few things working against the United States making credible threats.

“We do it, because we all do it, and everyone knows we do it,” she said. Next, the potential consequence has to be more harmful than the value of cyberespionage, which is extremely useful to have. “We’re not going to go to war over cyberespionage. No matter how many times a member of Congress calls it an act of war or not, we didn’t go to war over the spy balloon.”

Yet other analysts read Trump’s comments on foreign cyber activity differently. He might have an aggressive reaction to a more clearly damaging attack than the incidents he’s downplayed, said James Siebens, a fellow with Stimson Center’s Strategic Foresight Hub.

“If we were talking about a genuinely destructive cyberattack that cost people’s lives, I would imagine that there would be a fairly forceful response,” said Siebens, who recently co-authored a study on cyber deterrence. “My view is that President Trump was doing something that he often does, which is to state plainly things that make people uncomfortable, but are nonetheless observable and rooted in an important truth.”

Richard Harknett, director of the Center for Cyber Strategy and Policy at the University of Cincinnati, took Trump’s recent remarks as a comment more on the potency of U.S. capabilities compared to its adversaries.

“It wasn’t sort of a complacency, it was more confidence,” said Harknett, who served as the first scholar-in-residence at United States Cyber Command and National Security Agency beginning in 2016. Of course, he said, “The president tends to speak in confident terms regardless.”

Daniel said that some contradictions between Trump and his cyber team are to be expected. Different officials are bound to have differences of opinion, including in the Trump administration, which has hardly been a “paragon of consistency” in its messaging to the world, he said. Daniel added that deterrence is a challenge for every administration; throughout history, the United States has often threatened not to tolerate certain actions, but then failed to respond when those actions occurred.

Several experts said they were willing to give the administration time to iron out any potential contradictions. Harknett said it’s hard to read too much into public comments alone right now. More important, Harknett and others said, will be what the administration says in a forthcoming cyber strategy.

A global trend?

Trump is not the only world leader in recent months to speak about his nation’s cyber activity in a more casual manner. At the beginning of this month, Chinese President Xi Jinping and South Korean President Lee Jae Myung joked about the security of a cell phone gift that Xi gave his counterpart, which ended in Xi quipping, “You can check if there’s a backdoor.”

It was “weird for Xi, especially because the Chinese are loath to ever admit they do anything,” Painter said, even if he was joking.

The openness about cyber doesn’t end there, extending to a number of cases where nations that historically haven’t pointed the finger at other countries over alleged cyberattacks are more willing to do so by releasing technical analyses.

“We’re starting to see more non-Western countries, and notably China, making attributions back now,” said Allison Pytlak, director of the Cyber Program at the Stimson Center think tank and the co-author of the deterrence report with Siebens. Singapore recently made its first cyber attribution as well.

Trump officials have been touting offensive operations, which used to be a topic of very little public discussion. And other nations have been growing more open about cyber operations, from Japan’s recent active cyber defense legislation to Australia establishing its own Cyber Command last year.

“There is more openness about cyber in general, the strategic level, in terms of leaders being willing to talk about cyberespionage, cyber offense,” Lonergan said. “No one talked about cyber offense in the U.S. government for years.”

That openness could turn out to be a good thing, Pytlak said. It could “spark debate” in the public about the very nature of cyber, about the differences between the harm espionage causes and the kind of national security threat other kinds of activity poses.
