
Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities

23 April 2026 at 15:19

Campaigns employing commercial surveillance vendors tracked targets by exploiting mobile phone network vulnerabilities in what researchers said Thursday was the first-ever linking of “real-world attack traffic to mobile operator signalling infrastructure.”

The two unknown parties behind the campaigns mimicked the identities of mobile phone operators with customized surveillance tools, and manipulated signaling protocols and steered traffic through network pathways to hide, according to research from the University of Toronto’s Citizen Lab.

“Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate,” a report published Thursday reads.

“Despite repeated public reporting, this activity continues unabated and without consequence,” Gary Miller and Swantje Lange wrote for Citizen Lab. “The continued use of mobile networks, built on a close inter-operator trust model and relied upon by users worldwide, raises broader questions for national regulators, policymakers, and the telecom industry about accountability, oversight, and global security.”

The attackers relied on identifiers and infrastructure associated with operators around the world, including networks based in Cambodia, China, the self-governing island of Jersey, Israel, Italy, Lesotho, Liechtenstein, Morocco, Mozambique, Namibia, Poland, Rwanda, Sweden, Switzerland, Thailand, Uganda and the United Kingdom.

They shifted between SS7 and Diameter, the signalling protocols used by 2G/3G networks and by 4G and most current 5G deployments, respectively, according to the report. While Diameter was meant to be more secure than SS7, the Federal Communications Commission in 2024 opened a probe into the vulnerabilities of both protocols, and Sen. Ron Wyden, D-Ore., has asked for a Cybersecurity and Infrastructure Security Agency report about telecommunications vulnerabilities rooted in both.

But identifying the vendors used in the two surveillance campaigns, or who was behind them, was beyond the researchers’ reach.

“The reality is that there are a number of known surveillance vendors and bad actors in this space, but given the opaque nature of telecommunications signalling protocols, those vendors are able to operate without revealing exactly who they really are,” Ron Deibert, director of Citizen Lab, wrote in his newsletter. “Much of the malicious things they are doing blend into the otherwise voluminous flow of billions of normal messages and roaming signals. They are ‘ghost operators’ within the global telecom ecosystem.”

One of the operators mentioned in Citizen Lab’s report, Israel-based 019 Mobile, wrote back that it didn’t recognize the hostnames referenced in the report as 019 Mobile’s network nodes, and couldn’t attribute the signaling activity it represents to 019 Mobile-operated infrastructure.

Another operator, Sure, said it has taken preventative measures to defend against misuse.

“Sure acknowledges that digital services can be misused, which is why we take a number of steps to mitigate this risk,” CEO Alistair Beak said in a statement to CyberScoop. “Sure has implemented several protective measures to prevent the misuse of signalling services, including monitoring and blocking inappropriate signalling. Any evidence or valid complaint relating to the misuse of Sure’s network results in the service being immediately suspended and, where malicious or inappropriate activity is confirmed following investigation, permanently terminated.”

019 Mobile and a third operator, Tango Networks UK, didn’t respond to requests for comment from CyberScoop. The Citizen Lab report afforded some grace to the operators.

“It is important to note that the operator signalling addresses observed in the attacks do not necessarily imply direct operator involvement,” it states. “In some cases, access to the signalling ecosystem can be obtained through third-party providers, commercial leasing arrangements, or other intermediary services that allow actors to send messages using operator identifiers from legitimate networks.”
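The kind of plausibility checking a home operator can run against the behaviour described above, as an added example that is not the Citizen Lab authors' tooling or data: a small detector over constructed interconnect signalling records. It groups SS7 MAP operations and Diameter commands in the spirit of the GSMA FS.11 categories (exact membership is an assumption here), compares location queries against the network the HLR/HSS believes is serving the subscriber, applies a velocity check to registrations, and notes when an origin already flagged against an IMSI reappears on the other protocol, which is the SS7/Diameter shifting the report describes. Network identifiers, IMSIs, timestamps and the field names on the records are placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class SignallingRecord:
    ts: datetime
    protocol: str   # "ss7" or "diameter"
    operation: str  # MAP operation (SS7) or command name (Diameter)
    origin: str     # identifier of the sending network; assumed to be derived from the
                    # SCCP calling global title (SS7) or Origin-Realm/Origin-Host (Diameter)
    imsi: str       # targeted subscriber


HOME = "home-net"   # subscriber is registered at home, i.e. not roaming

# Simplified grouping in the spirit of GSMA FS.11 category filtering. Exact membership
# is an assumption for this example and differs between operators.
INTERNAL_ONLY = {("ss7", "anyTimeInterrogation"), ("ss7", "sendIMSI")}
LOCATION_QUERY = {
    ("ss7", "provideSubscriberInfo"),
    ("ss7", "sendRoutingInfoForSM"),
    ("diameter", "Send-Routing-Info-for-SM-Request"),
    ("diameter", "Insert-Subscriber-Data-Request"),
}
REGISTRATION = {("ss7", "updateLocation"), ("diameter", "Update-Location-Request")}


def analyse(records, serving, country_of, min_travel=timedelta(hours=2)):
    """Return a list of (record, reason) alerts.

    serving:    imsi -> network currently serving it according to the HLR/HSS
    country_of: network id -> country, used for the velocity check
    """
    serving = dict(serving)   # working copy, updated by accepted registrations
    last_reg = {}             # imsi -> (ts, network) of the last accepted registration
    flagged = {}              # (imsi, origin) -> protocols on which this origin was flagged
    alerts = []
    for r in sorted(records, key=lambda x: x.ts):
        key = (r.protocol, r.operation)
        reasons = []
        if key in INTERNAL_ONLY:
            reasons.append("internal-only operation received over the interconnect")
        if key in LOCATION_QUERY and r.origin != serving.get(r.imsi, HOME):
            reasons.append(f"location query from {r.origin} but subscriber is served by "
                           f"{serving.get(r.imsi, HOME)}")
        if key in REGISTRATION:
            prev = last_reg.get(r.imsi)
            if prev and country_of[prev[1]] != country_of[r.origin] and r.ts - prev[0] < min_travel:
                reasons.append(f"registration from {country_of[r.origin]} only {r.ts - prev[0]} "
                               f"after registration in {country_of[prev[1]]}")
            else:
                last_reg[r.imsi] = (r.ts, r.origin)
                serving[r.imsi] = r.origin
        # Enrichment only: an origin already flagged against this IMSI on one protocol
        # now appears on the other. Legitimate partners use both, so this is not an
        # alert on its own.
        prior = flagged.get((r.imsi, r.origin), set())
        if prior and r.protocol not in prior:
            reasons.append(f"{r.origin} switched from {'/'.join(sorted(prior))} to {r.protocol} "
                           "against the same IMSI")
        if reasons:
            flagged.setdefault((r.imsi, r.origin), set()).add(r.protocol)
            alerts.extend((r, why) for why in reasons)
    return alerts


T0 = datetime(2026, 1, 1, 12, 0)
# Constructed records; network ids and IMSIs are placeholders, not real operators.
SAMPLE_RECORDS = [
    SignallingRecord(T0, "ss7", "updateLocation", "net-x", "imsi-B"),
    SignallingRecord(T0 + timedelta(minutes=1), "ss7", "provideSubscriberInfo", "net-y", "imsi-A"),
    SignallingRecord(T0 + timedelta(minutes=5), "diameter", "Insert-Subscriber-Data-Request", "net-y", "imsi-A"),
    SignallingRecord(T0 + timedelta(minutes=10), "ss7", "sendRoutingInfoForSM", "net-x", "imsi-B"),
    SignallingRecord(T0 + timedelta(minutes=15), "ss7", "anyTimeInterrogation", "net-z", "imsi-B"),
    SignallingRecord(T0 + timedelta(minutes=20), "diameter", "Update-Location-Request", "net-z", "imsi-B"),
]
SAMPLE_SERVING = {"imsi-A": HOME, "imsi-B": "net-x"}
SAMPLE_COUNTRIES = {HOME: "home", "net-x": "X", "net-y": "Y", "net-z": "Z"}


def run_sample():
    return analyse(SAMPLE_RECORDS, SAMPLE_SERVING, SAMPLE_COUNTRIES)


if __name__ == "__main__":
    for rec, why in run_sample():
        print(f"{rec.ts:%H:%M} {rec.protocol:8} {rec.operation:32} {rec.origin:6} {rec.imsi}: {why}")
```

Because the report notes that operator identifiers can be obtained through leasing arrangements or intermediaries, none of the checks trusts the origin identifier on its own; each compares the message against subscriber state the home network already holds. The legitimate SRI-SM from the serving network in the sample produces nothing, while the probe against a home subscriber, the forbidden anyTimeInterrogation and the registration that would require travelling between countries in twenty minutes all do.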

Updated 4/24/26: to include quote from Alistair Beak.

The post Surveillance campaigns use commercial surveillance tools to exploit long-known telecom vulnerabilities appeared first on CyberScoop.

Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict

12 March 2026 at 17:10

A cyberattack that an Iranian hacking group said it carried out against medical device manufacturer Stryker might mark Tehran’s first significant cyber action since the start of the joint U.S.-Israel conflict with Iran.

But even that may have been a happy accident for Iranian hackers amid what has otherwise been a low buzz of activity during that timeframe, with the attackers striking paydirt by happenstance rather than by design.

Cybersecurity firms, threat intelligence trackers and critical infrastructure owners have been fighting to separate the noise about proclaimed attacks out of Iran, and the warnings and threats related to the conflict, from what is actually happening and poses any significant danger.

“Everybody is scrambling right now,” said Alex Orleans, a long-time Iran threat analyst and head of threat intelligence at Sublime Security. Others said the nascent nature of the conflict is making assessments difficult.

“What we see is quite difficult to quantify or characterize about whether there’s been an increase or decrease,” said Saher Naumaan, senior threat researcher at Proofpoint. “I think since we’re only a couple weeks into the conflict, and the regular cadence of Iranian actors isn’t very consistent, necessarily, we don’t have enough data points or enough time to really judge.”

Signs of activity

In the early days of the conflict, there were indications that physical attacks on Iran might have hampered Iranian retaliatory efforts or other cyber activity, as those who would carry out cyberattacks were probably “hiding in bunkers,” Orleans said, and as Iran suffered internet outages.

In recent days, however, the Stryker attack and other indicators suggest that Iranian cyber activity could be heating up.

“For several days following the outbreak of the conflict, there was a noted decrease in cyber threat activity emanating from Iran,” a group of industry information sharing and analysis centers warned Wednesday. “However, there are signs of life in Iranian offensive cyber operations.”

The Stryker attack stands out for both the size and location of the target, a Michigan-based medical device manufacturer with more than $25 billion in revenue in 2025.

But both Orleans and Sergey Shykevich, threat intelligence group manager at Check Point Research, said the attack has the hallmarks of an opportunistic one rather than a deliberate, focused one. The group claiming credit for the attack, Handala — a Ministry of Intelligence-linked outfit — is known more for seizing advantage of weaknesses they happen upon rather than doggedly pursuing particular targets.

Notably, Stryker is also the name of a class of armored vehicle used by U.S. forces. That military connection, even if confused with the medical device manufacturer, could possibly explain why the company was a target.

Still, “it was a much higher-profile attack than we expected from Handala,” Shykevich said. “Unfortunately, it’s possible to define it as a relatively big success for them.”

There have been reports of other cyber activity that might be connected to the conflict. Albania said the email system of its parliament had been targeted, with Iranian hackers taking credit. There was the targeting of cameras from Iran-linked infrastructure in countries that Iran then launched missiles into. Poland said it was looking into whether Iran was behind an attempted cyberattack on a nuclear research facility.

Some of the claims don’t match reality. “There are many hacktivist groups that are very active in Telegram, but actually they don’t have any significant successes,” Shykevich said.

There are other cyber-related developments in the conflict, too, like espionage, the proliferation of artificial intelligence-fueled misinformation and the possibility of Russia or China helping out in cyberspace on Iran’s behalf, even if some experts doubt the likelihood of the latter.

How effective any of it has been is still unclear. Stryker, for instance, said the attack mainly affected its internal networks, although there were signs it might be affecting communications at hospitals, too.

But the damage might be beside the point. Orleans said the attacks could be psychological in nature, aimed at producing fear abroad and affirming hackers’ standing with domestic leaders in Iran during the conflict.

Even low-level defacement or distributed denial-of-service attacks can play a role.

“Coming into work and finding an Iranian flag on your workstation would be a little bit disconcerting, because they’re letting you know that, ‘I can reach out and touch you,’” said Sarah Cleveland, senior director of federal strategy at ExtraHop and a former cyber officer in the U.S. Air Force.

Possible follow-up impacts

While primarily known as a medical supply company, Stryker has received sizable contracts with the military for hospital equipment and surgical supplies, for example. It is unclear whether the hackers intended to use Stryker’s military connection to exploit government systems.

The Pentagon has long warned of increased, complex cyberattacks against the defense industrial base, a vast network of companies, with disparate levels of cybersecurity, that the military relies on for everything from advanced weaponry to basic stretchers. The DIB is often seen by adversaries as a backdoor into military systems.

While he did not directly address the Stryker hack, the Army’s principal cyber adviser, Brandon Pugh, outlined some of the challenges to the DIB and the service’s part in trying to protect it during a webinar Thursday in response to a question on the topic.

He said adversaries “right or wrong” see companies “as an extension of the military” and that they believe an attack on private industry would have a secondary impact on the armed forces.

“Some are very large, sophisticated multinational companies,” he said, noting that security needs across the DIB aren’t universal. “Others are very small companies that are lucky to have a director of IT, let alone a sophisticated cyber team, and I think that’s where it’s really important to lean into.”

Pugh said that agencies across the federal government have been working with the DIB to boost its resilience to attacks, and that the Army’s cyber effort emphasizes entrenching cybersecurity from the beginning of the acquisition process.

“Cyber can’t be an afterthought — not saying it is,” Pugh added. “I’d say the Army does a great job here, but making sure it’s never forgotten and is always considered along that way.”

Matt Tait, the CEO and president of MANTECH, said in response to a question about the Stryker attack and DIB protections that defending against such incidents includes leveraging government agreements and access, such as with the NSA, and quickly sharing information following an attack.

“To me, it’s about real time information sharing,” he said. “You need real time information sharing when you’re getting attacked to be able to actually share that information with the rest of industry, as well as with government, because they can actually share that information across” federal cybersecurity entities.

“If you want to do mission focused technology work, this is the world you have to live in, and that you should be sharing this information on a real time basis,” he added. “24 hours later, 48 hours later, I call that ambulance chasing. That’s too far after the fact from a cyber perspective.”

The post Stryker attack highlights nebulous nature of Iranian cyber activity amid joint U.S.-Israel conflict appeared first on CyberScoop.

Global coalition dismantles Tycoon 2FA phishing kit

4 March 2026 at 17:32

Tycoon 2FA, a major phishing kit and platform that allowed low-skilled cybercriminals to bypass multifactor authentication and conduct large-scale adversary-in-the-middle attacks, was dismantled Wednesday by a global coalition of security companies and law enforcement agencies.
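Why a relaying kit of this kind defeats one-time-code MFA and why it does not defeat origin-bound WebAuthn, as an added simulation that is not Tycoon 2FA's code nor anything from Microsoft's filing. The service, the victim's browser, the authenticator and the relaying proxy are all modelled in one process; the origins login.example.com and login-example.net are placeholders, and an HMAC over the client data stands in for the authenticator's public-key signature, which is an assumption made to keep the example dependency-free.

```python
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://login.example.com"    # assumed legitimate service
PHISH_ORIGIN = "https://login-example.net"   # assumed attacker-controlled relay host


class RelyingParty:
    """Simulated real service accepting password+OTP or a WebAuthn-style assertion."""

    def __init__(self, authenticator_keys):
        # authenticator_keys stands in for the registered public keys: this simulation
        # uses a shared HMAC key instead of an ECDSA/EdDSA key pair (assumption).
        self.users = {
            "alice": {
                "password": "correct horse battery staple",
                "otp_seed": secrets.token_bytes(20),
                "authenticator_key": authenticator_keys["alice"],
            }
        }
        self.pending = {}     # user -> outstanding WebAuthn challenge
        self.sessions = set()

    def otp_for(self, user, counter):
        """Code the user's OTP app shows for this counter (HOTP-like, simplified)."""
        mac = hmac.new(self.users[user]["otp_seed"], counter.to_bytes(8, "big"), hashlib.sha1).digest()
        return f"{int.from_bytes(mac[-4:], 'big') % 1_000_000:06d}"

    def login_otp(self, user, password, otp, counter):
        u = self.users.get(user)
        if not u or password != u["password"] or otp != self.otp_for(user, counter):
            return None
        return self._issue_session()

    def begin_webauthn(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def finish_webauthn(self, user, client_data_json, signature):
        u = self.users.get(user)
        data = json.loads(client_data_json)
        if not u or data.get("type") != "webauthn.get":
            return None
        if data.get("challenge") != self.pending.pop(user, None):
            return None
        if data.get("origin") != REAL_ORIGIN:   # origin binding: the check a relay cannot satisfy
            return None
        expected = hmac.new(u["authenticator_key"], client_data_json.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        return self._issue_session()

    def _issue_session(self):
        cookie = secrets.token_hex(16)
        self.sessions.add(cookie)
        return cookie


def browser_webauthn_get(authenticator_keys, user, page_origin, challenge):
    """The victim's browser records the origin of the page that called
    navigator.credentials.get(); page script cannot change it. The authenticator
    then signs over that client data."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin})
    sig = hmac.new(authenticator_keys[user], client_data.encode(), hashlib.sha256).digest()
    return client_data, sig


class AitmProxy:
    """Relaying phishing site at PHISH_ORIGIN: forwards whatever the victim enters to the
    real service in real time and keeps the session cookie that comes back."""

    def __init__(self, rp):
        self.rp = rp
        self.stolen_cookies = []

    def phish_otp(self, user, password, otp, counter):
        cookie = self.rp.login_otp(user, password, otp, counter)   # the OTP is still valid when relayed
        if cookie:
            self.stolen_cookies.append(cookie)
        return cookie

    def phish_webauthn(self, user, authenticator_keys):
        challenge = self.rp.begin_webauthn(user)                    # real challenge, relayed to the victim
        client_data, sig = browser_webauthn_get(authenticator_keys, user, PHISH_ORIGIN, challenge)
        cookie = self.rp.finish_webauthn(user, client_data, sig)
        if cookie:
            self.stolen_cookies.append(cookie)
        return cookie


def demo():
    """Run both flows against the same account and report which one the proxy wins."""
    keys = {"alice": secrets.token_bytes(32)}   # constructed authenticator key (HMAC stand-in)
    rp = RelyingParty(keys)
    proxy = AitmProxy(rp)
    counter = 7
    otp_cookie = proxy.phish_otp("alice", "correct horse battery staple", rp.otp_for("alice", counter), counter)
    fido_cookie = proxy.phish_webauthn("alice", keys)
    # The same credential still works when the browser really is on REAL_ORIGIN.
    challenge = rp.begin_webauthn("alice")
    client_data, sig = browser_webauthn_get(keys, "alice", REAL_ORIGIN, challenge)
    legit_cookie = rp.finish_webauthn("alice", client_data, sig)
    return {
        "otp_session_stolen": otp_cookie is not None,
        "webauthn_session_stolen": fido_cookie is not None,
        "legitimate_webauthn_ok": legit_cookie is not None,
        "cookies_held_by_proxy": len(proxy.stolen_cookies),
    }


if __name__ == "__main__":
    print(demo())
```

The password and the six-digit code are forwarded while the code is still valid, so the real service issues a session to the proxy; nothing the user typed tells the service which site the user was looking at. In the WebAuthn flow the browser writes the phishing page's origin into the signed client data, the relying party rejects it, and the proxy ends up with no cookie. A real browser adds a second barrier the simulation omits: it refuses to use a credential whose registered rpId does not match the domain of the page, so the authenticator would not even produce the assertion.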

Microsoft, which led the effort alongside Europol and authorities from six countries and 11 security firms or organizations, said it seized 330 domains that powered Tycoon 2FA’s core infrastructure, including control panels and fraudulent login pages.

The platform, which emerged in August 2023, was responsible for tens of millions of phishing messages that reached more than 500,000 organizations globally each month, according to Microsoft Threat Intelligence. Thousands of cybercriminals used Tycoon 2FA to break into email and online services, including Microsoft 365, Outlook, SharePoint, OneDrive and Google services.

“By mid‑2025, Tycoon 2FA accounted for approximately 62% of all phishing attempts Microsoft blocked, including more than 30 million emails in a single month. That placed Tycoon 2FA among the largest phishing operations globally,” Steven Masada, assistant general counsel at Microsoft’s Digital Crimes Unit, said in a blog post about the takedown. 

“Despite extensive defenses, the service is linked to an estimated 96,000 distinct phishing victims worldwide since 2023, including more than 55,000 Microsoft customers,” Masada added. 

The phishing kit, which was developed and advertised by a group Microsoft tracks as Storm-1747, was sold to cybercriminals on Telegram and Signal for $350 a month. The platform provided core components for phishing on a single dashboard that allowed cybercriminals to configure, track and refine their campaigns.

The platform also provided cybercriminals with pre-built templates, attachment files for common phishing lures, domain and hosting configuration and redirect logic, Microsoft said. The monthly volume of phishing messages attributed to Tycoon 2FA peaked at more than 30 million messages in November 2025.

Organizations in education and health care were hit hardest by phishing attacks enabled by Tycoon 2FA. More than 100 members of Health-ISAC, a co-plaintiff in the court case filed in the U.S. District Court for the Southern District of New York, were successfully phished, Masada said. 

Two hospitals, six schools and three universities in New York confronted attempts or successful compromises via Tycoon 2FA, resulting in incidents that disrupted operations, diverted resources and delayed patient care, he added. 

Microsoft and Health-ISAC filed a civil complaint against alleged creator Saad Fridi and four unnamed associates, demanding a $10 million injunction, for developing, running and selling Tycoon 2FA. The court order allowed Microsoft to dismantle and take ownership of Tycoon 2FA’s technical infrastructure.

Authorities from Latvia, Lithuania, Portugal, Poland, Spain and the United Kingdom assisted with the operation alongside Cloudflare, Coinbase, Crowell & Moring, eSentire, Intel 471, Proofpoint, Resecurity, Shadowserver, SpyCloud and Trend Micro. 

Selena Larson, staff threat researcher at Proofpoint who provided a formal declaration in support of the court order, said Tycoon 2FA was responsible for the highest volume of adversary-in-the-middle phishing attacks observed by Proofpoint. 

“Tycoon was the biggest MFA phishing threat in our data, and we anticipate seeing a significant decrease after this operation,” she told CyberScoop.

“Many customers will find their hacking tool is no longer working, and even if Tycoon 2FA is able to create new domains and infrastructure, the brand will be significantly harmed, with customers either purchasing less effective phishing kits, or potentially rethinking their life choices and getting out of the game,” Larson added.

Tycoon 2FA’s easy-to-use and robust capabilities contributed to its popularity, researchers said. The platform’s codebase was updated regularly and operators generated a high volume of subdomains for brief periods before abandoning them and moving on to new domains.

Researchers said the rapid turnover and shifts to temporary infrastructure complicated efforts to detect and block new campaigns.

The Tycoon 2FA takedown follows a recent wave of cybercrime crackdowns, including actions against RaccoonO365 and the Lumma Stealer infostealer operation, which infected about 10 million systems.

The post Global coalition dismantles Tycoon 2FA phishing kit appeared first on CyberScoop.

Authorities from 14 countries shut down major cybercrime forum LeakBase

4 March 2026 at 13:02

Authorities from 14 countries shut down LeakBase, seized its domains and arrested multiple people allegedly involved in the cybercrime marketplace for stolen data and hacking tools, the Justice Department said Wednesday.

LeakBase had more than 142,000 members, ranking it among the world’s largest forums for cybercriminals. The site, which was available on the open web, contained a massive archive of hacked databases including hundreds of millions of account credentials, officials said. 

The stolen databases, which included data from U.S. corporations and individuals, were linked to many high-profile attacks, according to officials. Data seized by authorities revealed a trove of credit and debit card numbers, banking account and routing information, credentials for account takeovers, sensitive business records and personally identifiable information. 

“The FBI, Europol, and law enforcement agencies from around the world executed a takedown of LeakBase, one of the largest online cybercriminal platforms, seizing users’ accounts, posts, credit details, private messages and IP logs for evidentiary purposes,” Brett Leatherman, assistant director at the FBI’s cyber division, said in a statement. 

Law enforcement agencies involved in the globally coordinated takedown operation, which began Tuesday, executed search warrants, made arrests and interviewed people in the United States, Australia, Belgium, Poland, Portugal, Romania, Spain and the United Kingdom.

Officials did not immediately name any suspects, but said some of the activity occurred in San Diego and Provo, Utah. The FBI’s field offices in San Diego and Salt Lake City, the latter of which is investigating the case, participated in the operation domestically, as did the Provo Police Department.

“Hiding behind a screen does not shield cybercriminals from accountability,” Robert Bohls, special agent in charge at the FBI Salt Lake City field office, said in a statement.

Authorities identified multiple users who believed they were operating anonymously by seizing the forum’s database.

“This international operation demonstrates the strength of our global alliances and our shared commitment to disrupting platforms that facilitate the theft of data and the victimization of innocent people and organizations worldwide,” Bohls added. “Together, we will continue to identify, dismantle, and hold accountable those who seek to profit from cybercrime, no matter where they operate.”

Europol, which hosted the coordinated operation in The Hague, described LeakBase as a “central hub in the cybercrime ecosystem” that specialized in leaked databases and stealer logs. The English-language site, which had been active since 2021, contained more than 32,000 posts and more than 215,000 private messages. 

Authorities collectively engaged in around 100 enforcement actions globally and took measures against 37 of the platform’s most active users Tuesday, according to Europol.

The technical disruption phase got underway Wednesday, and the site now displays a seizure page. Officials from Canada, Germany, Greece, Kosovo, Malaysia and the Netherlands also supported the investigation.

“Together with our partners, we are sending a message that no criminal is truly anonymous online and removing an easy point of access to stolen information on American businesses and individuals,” Leatherman said. “The FBI will continue to defend the homeland by dismantling the key services that cybercriminals use to facilitate their attacks.”

The post Authorities from 14 countries shut down major cybercrime forum LeakBase appeared first on CyberScoop.

Polish authorities arrest alleged Phobos ransomware affiliate

17 February 2026 at 13:23

Polish officials arrested a 47-year-old man accused of participating in ransomware attacks as an affiliate for the Phobos ransomware group, the country’s Central Bureau for Combating Cybercrime said Tuesday.

Authorities did not name the man who was arrested during a raid on his apartment in the Małopolskie province, but said he faces up to five years in prison for his alleged crimes.

The arrest is the latest in a series of coordinated law enforcement actions targeting people involved with Phobos ransomware attacks, which were also carried out by the 8base ransomware group. Polish officials said they identified the suspect through the “Phobos Aetor” operation, a Europol-led effort involving agencies across Europe, Asia and North America that took place in February 2025.

Officials accused the 47-year-old man of possessing credentials, credit card numbers and IP addresses for servers that may have been used to conduct various attacks. He also had tools that could breach servers and used encrypted messaging platforms to communicate with others linked to Phobos, police said. 

During the raid, police said they seized a computer and multiple mobile phones that were used to commit cyberattacks. The unnamed suspect was charged with producing, obtaining and sharing computer programs used to illegally obtain information stored on IT systems.

Phobos ransomware had claimed more than 1,000 victims globally and received more than $16 million in extortion payments by February 2025, according to the Justice Department. Victims of Phobos ransomware attacks, which date back to at least November 2020, include hospitals, schools, non-profit organizations, and a company that contracted with the Defense Department, officials said.

Malicious activity linked to Phobos declined significantly after Russian national Evgenii Ptitsyn, the alleged developer and administrator of Phobos ransomware, was extradited from South Korea to the United States in November 2024.

Ptitsyn, also known as “derxan” and “zimmermanx,” was charged with multiple counts of cybercrime, including wire fraud, wire fraud conspiracy, conspiracy to commit computer fraud and abuse, extortion in relation to hacking and causing intentional damage to protected computers. 

Pretrial motions for his case are due this week in the U.S. District Court for the District of Maryland.

The post Polish authorities arrest alleged Phobos ransomware affiliate appeared first on CyberScoop.

After major Poland energy grid cyberattack, CISA issues warning to U.S. audience

10 February 2026 at 10:54

A recent attempt at a destructive cyberattack on Poland’s power grid has prompted the Cybersecurity and Infrastructure Security Agency to publish a warning for U.S. critical infrastructure owners and operators.

Tuesday’s alert follows a Jan. 30 report from Poland’s Computer Emergency Response Team that concluded the December attack overlapped significantly with infrastructure used by a Russian government-linked hacking group, and that it targeted 30 wind and photovoltaic farms, among other sites.

CISA said its warning was meant to “amplify” that Polish report. In particular, CISA said the attack highlighted the threats to operational technology and industrial control systems, most commonly used in the energy and manufacturing sectors.

And CISA’s alert continues a recent agency focus on securing edge devices like routers or firewalls, after a binding operational directive last week to federal agencies to strip unsupported products from their systems.

“The malicious cyber activity highlights the need for critical infrastructure entities with vulnerable edge devices to act now to strengthen their cybersecurity posture against cyber threat activities targeting OT and ICS,” the alert reads.

“A malicious cyber actor(s) gained initial access in this incident through vulnerable internet-facing edge devices, subsequently deploying wiper malware and causing damage to remote terminal units (RTUs),” it states. “The malicious cyber activity caused loss of view and control between facilities and distribution system operators, destroyed data on human machine interfaces (HMIs), and corrupted system firmware on OT devices. While the affected renewable energy systems continued production, the system operator could not control or monitor them by their intended design.”

CISA urged owners and operators to review the Polish report, as well as security guidance from other U.S. agencies.

The attack directed at Poland, which its CERT compared to “deliberate arson” and said had a “purely destructive objective” at a time when the nation was struggling with cold temperatures and snowstorms, has had ripples in other parts of the world, too. 

“Operators of UK critical national infrastructure (CNI) must not only take note but, as we have said before, act now,” Jonathon Ellison, director for national resilience at the United Kingdom’s National Cyber Security Centre, said in a LinkedIn post Monday.

Dragos, a cybersecurity firm that specializes in industrial control systems, said the attack represented a new frontier.

“This is the first major cyber attack targeting distributed energy resources (DERs), the smaller wind, solar, and CHP [combined heat and power] facilities being added to grids worldwide,” the company wrote in a report last month. “Unlike the centralized systems impacted in electric grid attacks in 2015 and 2016 in Ukraine, these distributed systems are more numerous, require extensive remote connectivity, and often receive less cybersecurity investment. This attack demonstrates they are now a valid target for sophisticated adversaries.”

Poland’s analysis concluded that the infrastructure used in the attack overlapped with that used by the group known alternately as Static Tundra, Berserk Bear, Ghost Blizzard and Dragonfly.

The post After major Poland energy grid cyberattack, CISA issues warning to U.S. audience appeared first on CyberScoop.
