
No Longer Invisible: When Cyber Attacks Go Physical

Critical infrastructure cyber attacks are increasing in the U.S. — and they’re changing in nature. Here are some examples and the top trends from the first half of 2026.

[Image: Power lines at night with lit-up wires. Credit: Adobe Stock/Chinart]

Back on May 11, 2026, Polish ABW (the country’s internal security agency) warned the world that cyber attacks were "shifting from espionage and data theft toward physical disruption of critical infrastructure." Here’s an excerpt from that article:

“Security researchers say the mechanics behind many of these attacks are often far less sophisticated than commonly imagined. Rather than relying on advanced malware or rare zero-day vulnerabilities, attackers frequently exploit poorly secured industrial systems exposed to the internet, including devices protected by default passwords or outdated configurations.

“Small utilities are proving especially vulnerable. Experts note that attackers often view smaller municipalities as attractive targets because they typically lack mature cybersecurity defenses while still offering symbolic and psychological impact if disrupted. In many cases, obscurity no longer acts as protection. Instead, it reduces the effort required to identify and compromise vulnerable systems.

“The growing role of artificial intelligence is adding another layer of concern for defenders. In November, Anthropic disclosed that Chinese state-sponsored operators had used AI extensively during a campaign targeting roughly 30 organizations worldwide, with AI reportedly handling between 80 and 90 percent of operational tasks during the intrusion lifecycle.

“Industrial cybersecurity firm Dragos revealed details of an attempted intrusion involving a municipal water utility serving the Monterrey metropolitan area. According to the company, a commercially available AI system was able to identify industrial control systems within the target network even without prior operational technology or industrial control systems expertise.”

ROUNDUP: CRITICAL INFRASTRUCTURE CYBER ATTACKS

The topic of cyber attacks against critical infrastructure has received renewed attention this past week with widely reported news about an "LA Metro cyberattack linked to Iranian state-sponsored hackers." Here’s more on that:

“The Los Angeles County Metropolitan Transportation Authority (LACMTA), widely known as LA Metro, discovered a breach in mid-March. The cybersecurity incident led to internal operational disruptions at LA Metro, but did not impact rail and bus services.

“LA Metro representatives said in early April that hundreds of servers had to be checked for signs of compromise before they could be brought back online.

“A few days later, the attack on LA Metro was claimed by Ababil of Minab, which purports to be a pro-Iran hacktivist group. The threat actor allegedly wiped hundreds of terabytes of data and exfiltrated more than 1TB worth of files.”

Also this week, a company called Gambit Security released a detailed report covering the cyber attack methods used, as well as describing similar attacks overseas and against the South Florida Regional Transportation Authority.

In addition, back on April 7, several U.S. agencies — including the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency and other agencies — warned Iranian-affiliated cyber actors were exploiting programmable logic controllers across U.S. critical infrastructure.

“The authoring agencies assess a group of Iranian-affiliated advanced persistent threat (APT) actors is conducting this activity to cause disruptive effects within the United States. The group has targeted devices spanning multiple U.S. critical infrastructure sectors, including Government Services and Facilities (to include local municipalities), Water and Wastewater Systems (WWS), and Energy Sectors. The authoring agencies previously reported on similar activity targeting PLCs by CyberAv3ngers (aka Shahid Kaveh Group)—a cyber threat actor affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) Cyber Electronic Command (CEC).”

Earlier this month, CNN reported that U.S. officials suspected that it was Iranian threat groups that breached automatic tank gauges at gas stations across the United States in operations that didn’t cause damage but raised many concerns nationwide.

Here are some more examples of escalating cyber attacks against critical infrastructure in the first half of 2026:

1. The Stryker Corporation Wiping Attack (March 2026)
  • Target Sector: Healthcare and Public Health/Medical Technology
  • The Incident: In March 2026, major medical technology giant Stryker was hit by a devastating, destructive cyber attack attributed to an Iran-aligned hacktivist group. Rather than a standard ransomware attack aimed at extorting money, this was a kinetic “wiper” attack. Employees watched as corporate systems and computers were wiped in real time, forcing entire offices to shut down operations and exposing the severe vulnerability of the healthcare supply chain to geopolitically motivated disruption.
2. The Continued “Salt Typhoon” Telecom Infiltration (Q1 2026)
  • Target Sector: Communications/Information Technology
  • The Incident: While initiated by China-aligned actors rather than Iran, FBI and CISA briefings in early 2026 confirmed that the massive “Salt Typhoon” campaign had successfully maintained deep, persistent access inside U.S. telecommunications carriers and government communications. Security audits through March and April 2026 revealed that these hackers had effectively mapped out critical digital routing infrastructure, allowing them access to congressional communications and federal contracting databases.
3. Edge-Device Exploitation via UAT-7290 (Early 2026)
  • Target Sector: Information Technology/Cross-Sector
  • The Incident: Running parallel to the spring geopolitical tensions, a state-sponsored threat group designated as UAT-7290 aggressively targeted U.S. and allied telecommunications providers. They specifically exploited unpatched vulnerabilities in edge network devices (like Internet-facing firewalls and routers) to establish permanent malware footholds, giving foreign adversaries the ability to intercept or shut down data flows at a moment's notice.
4. Automated AI-Driven Ransomware Campaigns (Q1/Q2 2026)
  • Target Sector: Government Facilities/Water/Energy
  • The Incident: Spring 2026 marked a terrifying paradigm shift in how infrastructure was targeted. Threat intelligence reports highlighted the emergence of tools like the “Tsundere Bot” and AI-driven automated scanning. Hostile groups began using AI to autonomously handle network reconnaissance, scan U.S. municipal utilities for vulnerabilities, and execute credential theft without human intervention, resulting in a 62 percent higher cyber attack frequency in the U.S. compared to the global average.
5. Brightspeed Ransomware Attack (Early 2026)
  • Target Sector: Communications Internet Infrastructure
  • The Incident: Brightspeed, a major U.S. broadband and telecommunications provider servicing millions of residential and business customers across multiple states, suffered a severe ransomware breach. The attack targeted internal infrastructure, disrupting back-end operations and highlighting how vulnerable the localized U.S. Internet grid is to supply-chain and service-provider extortion.

FINAL THOUGHTS

Also this past week, we received more chilling news from the U.K. spy chief. Her message is that "Time is running out for the West to confront threats from Russia and China":

“In a rare public speech, Anne Keast-Butler, the director of GCHQ — the U.K.’s intelligence, cyber and security agency — will say Britain is at a ‘moment of consequence,’ with the country facing increasingly brazen behavior from hostile nations.”

“‘The ground beneath our feet is shifting,’ as AI continues to develop swiftly, with new technologies creating a ‘narrowing window for the U.K. and allies to stay ahead.’”

These events taken in total mean that the new normal has shifted when it comes to cyber attacks against critical infrastructure sectors. State and local governments, utilities and others defending these key systems need to be prepared. And even though the Iran war may be winding down, the cyber attacks affecting key physical assets from global nation-states are just getting started.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.