
Iranian Hackers Strike California Water Utility as Cisco SD-WAN Zero-Day Exploited for Months; FCC Overhauls Emergency System Cybersecurity Rules

Executive Summary

This week's critical infrastructure landscape is dominated by four significant developments requiring immediate attention from security professionals and infrastructure operators:

  • Iranian Threat Actor Activity: The Iranian hacking group Handala successfully compromised California Water Service (Cal Water), exploiting user credentials. While Mandiant's investigation confirms no operational technology (OT) systems were breached, the incident underscores the persistent targeting of U.S. water infrastructure by nation-state actors amid heightened geopolitical tensions.
  • Cisco SD-WAN Zero-Day Exploitation: CVE-2026-20245, a high-severity vulnerability in Cisco Catalyst SD-WAN Manager, was exploited as a zero-day for at least two months before its June disclosure and patching. This marks the seventh Cisco SD-WAN vulnerability exploited in 2026, indicating sustained adversary interest in network infrastructure.
  • FCC Regulatory Action: The Federal Communications Commission passed sweeping new cybersecurity rules for national emergency alert systems and undersea cable infrastructure, representing a significant regulatory shift for communications sector operators.
  • CISA ICS Advisory Surge: Seven new Industrial Control System advisories were released on June 25, affecting products from Schneider Electric, Yokogawa, Delta Electronics, and others deployed across energy, manufacturing, and transportation sectors.

Water ISAC has issued a TLP:AMBER+STRICT situation report warning of potential Iranian retaliation following recent U.S. military strikes, elevating the threat posture for all critical infrastructure sectors.


Threat Landscape

Nation-State Threat Actor Activities

  • Iranian Handala Group Targets U.S. Water Sector: The Iranian hacktivist group Handala successfully breached Cal Water, one of California's largest water utilities. According to SecurityWeek reporting, Mandiant's forensic investigation confirmed that while user credentials were exploited, no OT systems controlling water treatment or distribution were compromised. This incident follows a pattern of Iranian targeting of U.S. water infrastructure and occurs amid a heightened threat environment. Water ISAC has updated its TLP:AMBER+STRICT situation report warning of potential Iranian retaliation following U.S. strikes on Iran.
  • Russian Use of Cellebrite for Surveillance: Citizen Lab research reveals Russian authorities continue using Cellebrite phone-cracking technology to surveil human rights activist Andrey Pivovarov, despite the company's cancellation of its Russian contract. This demonstrates the persistent availability of commercial surveillance tools to adversarial governments.
  • Chinese Government-Sponsored Insider Threats: Water ISAC released TLP:GREEN guidance on managing risks from Chinese government-sponsored insider threats, reflecting ongoing concerns about state-directed infiltration of critical infrastructure organizations.

Ransomware and Cybercriminal Developments

  • European Ransomware Surge: Black Kite research documents a 50%+ increase in ransomware attacks targeting European organizations over the past year, with supply chain attacks showing particular growth. Critical infrastructure operators with European operations or supply chain dependencies should assess exposure.
  • Bluekit Phishing-as-a-Service Evolution: The Bluekit phishing platform has added browser-in-the-middle (BitM) capabilities, with nearly 70 new hostnames identified in the past week. This technique enables real-time credential theft and session hijacking, bypassing many traditional phishing defenses.
  • SIM-Swapping Gang Arrests: Polish authorities arrested four members of an organized cybercrime group conducting SIM-swapping attacks through compromised telecommunications partners, resulting in millions in cryptocurrency theft.
  • Mistic Backdoor Campaign: A new stealthy backdoor named Mistic has been deployed in financially motivated attacks against insurance, education, IT, and professional services organizations, linked to the KongTuke threat cluster.

Emerging Attack Vectors

  • Lantronix Serial-to-IP Converter Exploitation: CVE-2025-67038, a vulnerability in Lantronix serial-to-IP converters disclosed in April as part of the BRIDGE:BREAK research project, is now being actively exploited in the wild. These devices are commonly deployed in OT environments to connect legacy serial equipment to IP networks.
  • Gaslight macOS Malware with AI Evasion: A new Rust-based macOS implant dubbed "Gaslight" embeds prompt injection payloads designed to confuse AI-assisted malware analysis tools, representing an emerging technique to evade automated security analysis.
  • Chrome Extension Supply Chain Risk: An ad blocker extension for YouTube with over 10 million installations was found to contain dormant script injection capabilities, highlighting ongoing supply chain risks in browser extensions.
  • Proxy Network Abuse: A Digital Citizens Alliance report indicates approximately 20 million U.S. IP connections are being used by proxy services, potentially without users' knowledge, enabling cybercriminals to mask malicious activity behind legitimate residential IP addresses.
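An inventory and exposure check for the Lantronix item above, written here as an added example (it is not the vendor's, CISA's, or the BRIDGE:BREAK project's code). It reads a constructed neighbour (ARP/DHCP) export, identifies converters by MAC OUI, and walks a constructed first-match firewall rule set to report which device-server ports an internet source can reach. The two OUIs are given from memory of the IEEE registry and must be verified against the live registry; the port list and rule format are assumptions for the example, not facts from the page or the advisory.

```python
"""Find Lantronix serial-to-IP converters in a neighbour table and flag internet exposure
(added example with constructed data)."""
from ipaddress import ip_address, ip_network

# Lantronix OUIs as recalled from the IEEE registry; confirm against the live registry
# before depending on them. Any MAC whose first three octets match is treated as Lantronix.
LANTRONIX_OUIS = {"00:20:4a", "00:80:a3"}

# Services these device servers commonly expose (serial tunnel, telnet setup, discovery).
# Assumed defaults for the example; check the port map for your firmware.
LANTRONIX_PORTS = {("tcp", 10001), ("tcp", 9999), ("udp", 30718)}

# Address space we consider internal; any other source is treated as the internet.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

# Constructed neighbour (ARP/DHCP) export: "ip mac" per line
NEIGHBOR_TABLE = """\
10.30.1.21 00:20:4a:9c:01:1f
10.30.1.22 00:80:a3:44:00:a9
10.30.1.50 3c:97:0e:12:34:56
192.0.2.77 00:20:4a:77:aa:bb
10.30.2.10 00:20:4A:00:00:01
"""

# Constructed inbound rules from the edge firewall, evaluated first match wins.
# dport None means any port; proto "any" means any protocol.
FIREWALL_RULES = [
    {"action": "allow", "proto": "tcp", "src": "0.0.0.0/0",      "dst": "10.30.1.22/32", "dport": 10001},
    {"action": "allow", "proto": "tcp", "src": "203.0.113.0/24", "dst": "10.30.1.0/24",  "dport": 22},
    {"action": "allow", "proto": "udp", "src": "0.0.0.0/0",      "dst": "10.30.0.0/16",  "dport": 30718},
    {"action": "deny",  "proto": "any", "src": "0.0.0.0/0",      "dst": "0.0.0.0/0",     "dport": None},
]


def parse_neighbors(text):
    """Return [(ip, mac)] with MACs normalised to lowercase."""
    return [(ip, mac.lower()) for ip, mac in (line.split() for line in text.splitlines())]


def is_lantronix(mac):
    return mac.lower()[:8] in LANTRONIX_OUIS


def find_lantronix(devices):
    return [ip for ip, mac in devices if is_lantronix(mac)]


def is_internet_source(src):
    """A source range counts as internet unless it sits entirely inside an internal range."""
    net = ip_network(src)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)


def internet_exposed_ports(ip, rules):
    """Return the Lantronix service ports on `ip` that the first matching rule allows from the internet."""
    addr = ip_address(ip)
    exposed = set()
    for proto, port in LANTRONIX_PORTS:
        for rule in rules:
            if rule["proto"] not in (proto, "any") or rule["dport"] not in (port, None):
                continue
            if addr not in ip_network(rule["dst"]):
                continue
            if rule["action"] == "allow" and is_internet_source(rule["src"]):
                exposed.add((proto, port))
            break  # first matching rule decides; a deny here shadows later allows
    return exposed


def assess(devices, rules):
    """Map each Lantronix device IP to its exposure findings (empty list = nothing found)."""
    report = {}
    for ip in find_lantronix(devices):
        issues = []
        if not any(ip_address(ip) in net for net in INTERNAL_NETS):
            issues.append("device address is outside internal ranges")
        issues += [f"{proto}/{port} reachable from internet"
                   for proto, port in sorted(internet_exposed_ports(ip, rules))]
        report[ip] = issues
    return report


if __name__ == "__main__":
    for ip, issues in assess(parse_neighbors(NEIGHBOR_TABLE), FIREWALL_RULES).items():
        print(ip, "OK" if not issues else "; ".join(issues))
```

The rule walk stops at the first match on purpose: a broad allow placed above a deny is what usually leaves a discovery or tunnel port open, and reading the rules in order is the only way to see that. An OUI match is a strong hint, not proof of model or firmware, so confirm each hit before patching or isolating.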

Sector-Specific Analysis

Water & Wastewater Systems

ELEVATED THREAT LEVEL

  • Cal Water Incident Analysis: The Handala cyberattack on California Water Service represents the most significant publicly disclosed attack on a major U.S. water utility in 2026. Key findings from the Mandiant investigation:
    • User credentials were successfully exploited
    • No evidence of OT system compromise
    • IT/OT segmentation appears to have prevented operational impact
    • Investigation ongoing with continued monitoring
  • Physical Security Incident: Water ISAC reported a major theft and vandalism incident at a water treatment plant resulting in temporary water service disruption, highlighting the continued importance of physical security measures.
  • Iranian Retaliation Warning: Water ISAC's updated TLP:AMBER+STRICT situation report warns of heightened potential for Iranian threat actor retaliation against U.S. water infrastructure following recent geopolitical developments. Utilities should review incident response plans and ensure 24/7 monitoring capabilities.
  • Funding Opportunity: FEMA announced $1.5 billion in funding to help critical infrastructure entities, including water utilities, prevent terrorism and enhance security posture.

Recommended Actions for Water Sector:

  • Review and validate IT/OT network segmentation
  • Audit user credentials and implement MFA where not already deployed
  • Verify incident response and communication plans
  • Engage with Water ISAC for sector-specific threat intelligence

Energy Sector

  • Schneider Electric PowerLogic P7 Advisory: CISA issued advisory ICSA-26-176-07 for vulnerabilities in Schneider Electric PowerLogic P7 power meters, widely deployed in energy sector facilities for power monitoring and management. Organizations should review the advisory and apply mitigations.
  • Yokogawa FAST/TOOLS and CI Server: ICSA-26-176-01 addresses vulnerabilities in Yokogawa's FAST/TOOLS SCADA system and CI Server, used extensively in oil & gas, chemical, and power generation facilities.
  • EV Charging Infrastructure: ICSA-26-176-02 covers vulnerabilities in EVoke Systems Charging Station Management System, relevant to utilities managing EV charging infrastructure.

Communications & Information Technology

  • FCC Emergency Systems Cybersecurity Rules: The FCC passed significant new cybersecurity requirements for national emergency alert systems and undersea cable providers. Key provisions include:
    • Overhaul of security requirements for Emergency Alert System (EAS) and Wireless Emergency Alerts (WEA)
    • Updated federal security review rules for undersea cable providers
    • Enhanced protections against system hijacking
    Communications sector operators should prepare for compliance requirements.
  • Cisco SD-WAN Zero-Day (CVE-2026-20245): Google's threat intelligence team confirmed this high-severity vulnerability was exploited for at least two months before disclosure. The flaw enables attackers to gain root access to affected Cisco Catalyst SD-WAN Manager systems. This is the seventh Cisco SD-WAN vulnerability exploited in 2026, indicating:
    • Sustained adversary interest in network infrastructure
    • Need for enhanced monitoring of SD-WAN environments
    • Importance of rapid patching for network management systems
  • Undersea Cable Security: The FCC's new rules reflect growing concerns about the security of undersea cable infrastructure, which carries over 95% of intercontinental data traffic.

Transportation Systems

  • Daktronics Controller Firmware: ICSA-26-176-04 addresses vulnerabilities in Daktronics controller firmware. Daktronics systems are widely deployed in transportation for digital signage, including highway message boards, airport displays, and transit information systems.
  • H.VIEW IP Camera Vulnerabilities: ICSA-26-176-05 covers security flaws in H.VIEW HV-500S6 IP cameras, commonly used in transportation facility surveillance.

Healthcare & Public Health

  • Healthcare Cyberattack Concerns: An Omega Systems report reveals 61% of healthcare organizations predict experiencing a "fatal" cyberattack within the next five years. This sobering assessment reflects:
    • Increasing sophistication of attacks targeting healthcare
    • Legacy system vulnerabilities
    • Resource constraints limiting security investments
    • Growing attack surface from connected medical devices
  • HIPAA Security Conference: HHS OCR and NIST ITL announced the "Safeguarding Health Information: Building Assurance through HIPAA Security 2026" conference scheduled for September 2, 2026, focusing on updated security requirements and best practices.

Financial Services

  • DraftKings Hack Sentencing: Nathan Austad, known as "Snoopy," was sentenced for his role in the 2022 DraftKings breach, where he sold access to compromised accounts through a criminal storefront. This concludes prosecution of all three defendants in the case.
  • Cryptocurrency Theft via SIM-Swapping: The Polish SIM-swapping gang arrests highlight continued targeting of cryptocurrency holdings through telecommunications compromise.

Sports & Entertainment Venues

  • Madison Square Garden Data Exposure: Hackers released New York Knicks and Madison Square Garden customer and corporate data. Organizations managing large venues should review data protection measures and incident response capabilities.

Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CVE/Advisory    | Product                         | Severity | Status             | Action Required
----------------|---------------------------------|----------|--------------------|---------------------------------------------------------
CVE-2026-20245  | Cisco Catalyst SD-WAN Manager   | High     | Actively exploited | Patch immediately; review logs for compromise indicators
CVE-2025-67038  | Lantronix serial-to-IP converters | High   | Actively exploited | Patch or isolate affected devices
ICSA-26-176-07  | Schneider Electric PowerLogic P7 | TBD     | Advisory released  | Review advisory; apply mitigations
ICSA-26-176-01  | Yokogawa FAST/TOOLS, CI Server  | TBD      | Advisory released  | Review advisory; apply mitigations
ICSA-26-176-06  | Delta Electronics DTM Soft      | TBD      | Advisory released  | Review advisory; apply mitigations

Notable Patches and Updates

  • Chrome 149 Security Update: Google released Chrome 149 addressing 18 severe vulnerabilities, more than half of which are use-after-free defects potentially enabling remote code execution. Enterprise administrators should prioritize deployment.
  • GitLab CE/EE Updates: GitLab patched 13 vulnerabilities including three high-severity defects enabling code execution and information disclosure. Organizations using GitLab for CI/CD pipelines should update promptly.
  • Curl 25-Year Vulnerability: The curl project patched a vulnerability that existed for 25 years, along with 17 other medium and low-severity issues. Given curl's ubiquitous deployment, organizations should inventory and update affected systems.

CISA ICS Advisories (June 25, 2026)

CISA released seven Industrial Control System advisories:

  1. ICSA-26-176-01: Yokogawa FAST/TOOLS and CI Server
  2. ICSA-26-176-02: EVoke Systems Charging Station Management System
  3. ICSA-26-176-03: Horner Automation Cscape
  4. ICSA-26-176-04: Daktronics Controller Firmware
  5. ICSA-26-176-05: H.VIEW HV-500S6 IP Camera
  6. ICSA-26-176-06: Delta Electronics DTM Soft
  7. ICSA-26-176-07: Schneider Electric PowerLogic P7

CISA Guidance

  • Zero Trust and SASE Implementation: CISA released new guidance helping federal agencies adopt Secure Access Service Edge (SASE) architectures to transition from legacy TIC 2.0 to zero trust security models. While targeted at federal agencies, this guidance provides valuable reference for all critical infrastructure organizations modernizing network security.

Recommended Defensive Measures

  • For Cisco SD-WAN Environments:
    • Apply CVE-2026-20245 patch immediately
    • Review authentication logs for anomalous root-level access going back at least two months before the June disclosure (the confirmed exploitation window), and further where log retention allows
    • Implement network segmentation to limit SD-WAN manager exposure
    • Enable enhanced logging and forward to SIEM
  • For OT Environments with Serial-to-IP Converters:
    • Inventory all Lantronix devices
    • Apply patches or implement compensating controls
    • Ensure devices are not directly internet-accessible
    • Monitor for anomalous traffic patterns
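The log-review step for SD-WAN Manager above, as an added example (not code from the page, from Cisco, or from Google's threat intelligence team): a Python hunt over constructed OpenSSH-style auth lines that flags every direct root login and lists the policies it breaks, such as a source outside an assumed management subnet, an off-hours or password-based root login, or a success that follows a burst of failures. The log layout, management subnet, business hours and the sample lines are all assumptions; Catalyst SD-WAN Manager's actual log format and export path are not given on this page, so adapt the regex to your own export.

```python
"""Hunt for anomalous root-level access in SSH auth logs (added example, constructed data)."""
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample lines in OpenSSH/syslog style. The SD-WAN Manager's real log
# layout is not given on this page; adapt LOGIN_RE to your own export.
SAMPLE_LOG = """\
2026-04-14T09:02:11Z sdwan-mgr sshd[1201]: Accepted publickey for netops from 10.20.0.15 port 50112 ssh2
2026-04-14T09:05:40Z sdwan-mgr sudo:   netops : TTY=pts/0 ; PWD=/home/netops ; USER=root ; COMMAND=/usr/bin/journalctl
2026-04-15T02:17:05Z sdwan-mgr sshd[2210]: Accepted password for root from 203.0.113.45 port 51122 ssh2
2026-04-15T02:18:30Z sdwan-mgr sshd[2210]: pam_unix(sshd:session): session opened for user root by (uid=0)
2026-04-16T14:11:52Z sdwan-mgr sshd[3305]: Failed password for root from 198.51.100.9 port 40001 ssh2
2026-04-16T14:11:55Z sdwan-mgr sshd[3305]: Failed password for root from 198.51.100.9 port 40002 ssh2
2026-04-16T14:12:01Z sdwan-mgr sshd[3305]: Accepted password for root from 198.51.100.9 port 40003 ssh2
2026-04-17T11:40:09Z sdwan-mgr sshd[4410]: Accepted publickey for root from 10.20.0.15 port 50200 ssh2
"""

# Assumed policy for this example: administrators connect only from the management
# subnet, during business hours, via a named account plus sudo; root never logs in directly.
MGMT_NETS = [ip_network("10.20.0.0/24")]
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 UTC
BRUTE_WINDOW_SECONDS = 60            # failures this close before a success look like guessing

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text):
    """Extract login attempts (accepted or failed) from syslog text; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def find_anomalies(events, mgmt_nets=MGMT_NETS, business_hours=BUSINESS_HOURS,
                   brute_window=BRUTE_WINDOW_SECONDS):
    """Return one finding per accepted root login, listing every policy it violates.

    Each finding is {"ts", "ip", "method", "reasons"}; more reasons means higher priority.
    """
    findings = []
    failures = {}  # source ip -> timestamps of failed attempts seen so far
    for ev in events:
        if ev["result"] == "Failed":
            failures.setdefault(ev["ip"], []).append(ev["ts"])
            continue
        if ev["user"] != "root":
            continue
        src = ip_address(ev["ip"])
        reasons = ["direct root login"]          # always worth a look after a root-access zero-day
        if not any(src in net for net in mgmt_nets):
            reasons.append("source outside management network")
        if ev["ts"].hour not in business_hours:
            reasons.append("outside business hours")
        if ev["method"] == "password":
            reasons.append("password auth for root")
        recent = [t for t in failures.get(ev["ip"], [])
                  if 0 <= (ev["ts"] - t).total_seconds() <= brute_window]
        if recent:
            reasons.append(f"success after {len(recent)} failures within {brute_window}s")
        findings.append({"ts": ev["ts"], "ip": ev["ip"], "method": ev["method"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in sorted(find_anomalies(parse_events(SAMPLE_LOG)), key=lambda f: -len(f["reasons"])):
        print(f"{f['ts']:%Y-%m-%d %H:%M}Z root via {f['method']} from {f['ip']}: {', '.join(f['reasons'])}")
```

This only sees interactive logins. The page says the flaw yields root on the manager; if that access arrives without an authentication event, an empty result clears nothing on its own, so pair the review with the vendor's published indicators and with file and process changes on the box.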

Resilience & Continuity Planning

Lessons Learned from Recent Incidents

  • Cal Water Incident - IT/OT Segmentation Value: The Handala attack on Cal Water demonstrates the critical importance of IT/OT network segmentation. Despite successful credential compromise, proper segmentation appears to have prevented operational impact. Key takeaways:
    • Network segmentation remains a fundamental control
    • Credential compromise in IT environments should trigger OT security reviews
    • Incident response plans should address scenarios where IT is compromised but OT integrity is uncertain
    • Third-party forensic support (Mandiant in this case) provides valuable independent validation
  • Cisco SD-WAN Zero-Day - Detection Gap Analysis: The two-month exploitation window before disclosure highlights the challenge of detecting sophisticated attacks against network infrastructure. Organizations should:
    • Implement behavioral monitoring for network management systems
    • Maintain threat hunting capabilities for high-value targets
    • Participate in threat intelligence sharing to reduce detection gaps

Supply Chain Security Developments

  • Browser Extension Supply Chain Risk: The discovery of dormant malicious capabilities in a Chrome extension with 10+ million users reinforces the need for:
    • Enterprise browser extension policies and allowlisting
    • Regular audits of approved extensions
    • User awareness training on extension risks
  • Telecommunications Partner Compromise: The Polish SIM-swapping arrests reveal attackers compromised telecommunications partners to conduct attacks, highlighting third-party risk in the communications supply chain.

Cross-Sector Dependencies

  • Communications-Water Nexus: The Cal Water incident and FCC emergency systems rules highlight the dependency of water sector operations on secure communications infrastructure for SCADA, telemetry, and emergency notifications.
  • Energy-Transportation Nexus: Vulnerabilities in EV charging management systems (ICSA-26-176-02) affect both energy distribution and transportation electrification initiatives.

Public-Private Coordination

  • Water ISAC Engagement: Water ISAC's rapid dissemination of threat intelligence regarding the Cal Water incident and Iranian threat warnings demonstrates the value of sector-specific ISACs. Non-member utilities should consider membership for access to TLP:AMBER and TLP:GREEN intelligence products.
  • FEMA Critical Infrastructure Funding: The $1.5 billion FEMA announcement for terrorism prevention and security enhancement represents a significant funding opportunity for critical infrastructure entities to improve resilience.

Regulatory & Policy Developments

Federal Regulatory Changes

  • FCC Emergency Systems and Undersea Cable Rules: The FCC's new cybersecurity rules represent significant regulatory expansion:
    • Emergency Alert Systems: Enhanced security requirements for EAS and WEA systems to prevent hijacking and ensure integrity of emergency communications
    • Undersea Cables: Updated federal security review requirements for undersea cable providers, reflecting concerns about foreign adversary access to critical communications infrastructure
    • Compliance Timeline: Operators should monitor FCC announcements for implementation deadlines and specific requirements
  • NIST IoT Security Guidance: NIST opened updated IoT security guidance for public review, establishing product cybersecurity requirements for IoT devices integrated into federal agency networks. While focused on federal procurement, this guidance will likely influence broader IoT security standards affecting critical infrastructure.
  • FedRAMP 20x and GRC Modernization: Analysis from CSO Online examines how FedRAMP 20x may address longstanding challenges in governance, risk, and compliance (GRC) processes, potentially streamlining security authorization for cloud services used by critical infrastructure.

Legal Developments

  • Election Security Executive Order Ruling: A federal court ruled provisions of a Trump administration election-focused executive order illegal, including those establishing federal voter lists and restricting mail ballots through USPS. This ruling may affect election infrastructure security planning and federal-state coordination.
  • AI Liability Precedent: A German court ruling declared Google liable for false information provided by its AI Overviews feature, establishing that AI-generated content constitutes the company's "own words." This precedent has implications for AI deployment in critical infrastructure decision support systems.

International Policy

  • Mexico National Cybersecurity Plan: Recorded Future analysis evaluates Mexico's 2025-2030 National Cybersecurity Plan, examining how the country addresses ransomware, organized crime, and AI-driven attacks. U.S. critical infrastructure operators with Mexican operations or supply chain connections should review for potential impacts.

Training & Resource Spotlight

New Tools and Frameworks

  • CISA SASE/Zero Trust Guidance: New CISA guidance provides a roadmap for transitioning from legacy Trusted Internet Connections (TIC) 2.0 architectures to zero trust using Secure Access Service Edge (SASE). Available through CISA's website, this resource is valuable for organizations modernizing network security.
  • Water ISAC Q1 Quarterly Incident Report: Water ISAC members can access the Q1 2026 quarterly incident report, providing sector-specific trend analysis and lessons learned.

Funding Opportunities

  • FEMA Critical Infrastructure Security Grants: $1.5 billion announced for terrorism prevention and security enhancement. Critical infrastructure entities should monitor FEMA announcements for application windows and eligibility requirements.

Research and Analysis

  • AI Security Analysis Evasion: The Gaslight malware's use of prompt injection to confuse AI analysis tools represents an emerging area requiring security tool vendor attention and analyst awareness.
  • Prompt Injection Research: New academic research explores how LLMs recognize and fall for prompt injection attacks based on text style patterns, providing insights for organizations deploying AI in security operations.
  • Network Detection and Response (NDR): Industry analysis from Richard Bejtlich makes the case for NDR capabilities in addressing fundamental incident investigation questions despite abundant telemetry.

Trust in AI Security Tools

  • Declining Confidence in Automated AI Scanning: A Cobalt study found trust in automated AI vulnerability scanning collapsed to 9%, a 20-percentage-point drop in organizations relying solely on AI automation for security testing. This reinforces the need for human oversight in security operations.

Looking Ahead: Upcoming Events

Conferences and Training

  • NCCoE Cybersecurity Connections Event: Mobile Driver's Licenses
    Date: July 21, 2026, 11:00 AM – 1:30 PM EDT
    Host: NIST National Cybersecurity Center of Excellence
    Focus: Accelerating adoption of mobile driver's licenses with cybersecurity considerations
    Details: NIST Website
  • 2026 Time and Frequency Seminar
    Date: July 21, 2026
    Host: NIST Time and Frequency Division
    Focus: Precision clocks, atomic frequency standards, synchronization technologies relevant to critical infrastructure timing systems
    Details: NIST Website
  • Safeguarding Health Information: HIPAA Security 2026
    Date: September 2, 2026
    Hosts: HHS Office for Civil Rights and NIST Information Technology Laboratory
    Focus: HIPAA security requirements and healthcare cybersecurity best practices
    Details: NIST Website
  • SecurityWeek ICS Cybersecurity Conference - 25th Anniversary Edition
    Date: October 6-8, 2026
    Location: W Nashville, Nashville, TN
    Focus: Industrial control system security for critical infrastructure
    Details: SecurityWeek

Threat Periods Requiring Heightened Awareness

  • Iranian Retaliation Window: Water ISAC's T

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.