
Unknown Host
From the CISO series, it's Cybersecurity Headlines.
Lauren Verno
These are the cybersecurity headlines for Tuesday, June 24, 2025. I'm Lauren Verno.

DHS warns of retaliatory Iranian cyber attacks. Iranian cyber threat actors are expected to ramp up operations against US targets following President Trump's recent airstrikes on three Iranian nuclear sites. Now the Department of Homeland Security issued a national advisory warning that state-sponsored hackers and pro-Iranian hacktivists are likely to escalate low-level cyber attacks, with the potential for more serious retaliation. Iranian-linked groups have already called for attacks in response to the conflict. The country's track record includes targeting critical infrastructure, political campaigns and even operational tech in the US, primarily by using malware.

Steel giant Nucor confirms breach. North America's largest steel producer, Nucor, confirmed a cyber attack that led to the data theft and the temporary shutdown of operations at several facilities. In an SEC filing, the company said limited data was exfiltrated, affected systems have been restored and there's no indication attackers still have access. While Nucor hasn't confirmed ransomware was involved, the incident does bear the hallmarks of a double extortion attack, though no group has claimed responsibility at this time.

Ransomware hits healthcare system again. McLaren Healthcare has confirmed a ransomware attack that compromised sensitive data for over 740,000 patients, marking the second major cyber incident to hit the Michigan hospital network in less than a year. The hackers had access to systems between July and August of 2024, stealing names, Social Security numbers, medical records and other personal information. Victims are now being notified and offered one year of free credit monitoring. While McLaren hasn't named the group behind the attack, a ransom note shared online points to the Inc. Ransomware gang.

Salt Typhoon hits Canadian telecom. A warning to Canadian telecom providers: the Chinese state-sponsored hacking group Salt Typhoon is actively targeting networks, with a confirmed breach in February of 2025 that exploited a critical Cisco flaw months after it was publicly disclosed. The Canadian Centre for Cyber Security and the FBI say the attackers use the vulnerability to steal network configurations and set up tunnels for data exfiltration, raising alarms about ongoing risk. Now, despite earlier warnings, some critical infrastructure remains unpatched, prompting renewed urgency as Salt Typhoon ramps up activity across telecom and other key sectors.

Thanks to today's episode sponsor, ThreatLocker. ThreatLocker is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit threatlocker.com/CISO. That's T-H-R-E-A-T-L-O-C-K-E-R.com/CISO.

Iran-linked attacks hit globally. Now, as tensions with Iran escalate, recent cyber attacks abroad serve as a stark reminder that Iranian-linked hackers are already actively targeting critical systems worldwide, one of the reasons why the DHS is warning of potential retaliation on US soil. For instance, in Albania, the group Homeland Justice, linked to Iran's Islamic Revolutionary Guard Corps, disrupted multiple public services in the capital by taking down the city's website, wiping servers and exfiltrating data. The group cited Albania's support of an exiled opposition group as motivation. Meanwhile, in Saudi Arabia, the pro-Iranian hacktivist group Cyber Fatah leaked thousands of personal records tied to the Saudi Games in 2024, exposing passport scans, medical certificates and bank details from athletes and officials. Now, security researchers say this is part of a broader information warfare campaign designed to advance Iran's anti-US, anti-Israel and anti-Saudi agenda.

Fake Zoom calls used to deploy malware. We are now learning that a scheme of fake Zoom calls to deploy malware is greater than first thought. Now, we first reported this story last week, where security researchers say North Korea's BlueNoroff hacking group is behind a new wave of social engineering attacks using fake Zoom calls to deploy malware and steal credentials. Now, multiple incidents have been reported, with victims, mostly in cryptocurrency and financial sectors, being tricked into running fake Zoom audio fix scripts or downloading malicious extensions after experiencing staged technical issues. The attackers use deepfakes, spoofed domains and Telegram to deliver the payloads, with infections resulting in data theft, keyloggers and persistent backdoors.

UK retailers lose millions. Cyber attacks targeting major UK retailers like Marks and Spencer and Co-op are estimated to cost up to 440 million euros. That's about 591 million US dollars. That's according to Britain's Cyber Monitoring Centre, or CMC. This marks the CMC's first real-world incident classification since launching earlier this year to define what qualifies as a systemic cyber event, a move designed to bring clarity for insurers and policymakers. The attacks were labeled a Category 2 event, with Marks and Spencer hit hardest financially and Co-op facing greater operational impact in rural communities.

Hey CISO Series listeners, if you're in the San Diego area, be sure to join us on Wednesday, June 25 at 6pm for the San Diego Cyber Group meetup. We'll be at Novo Brazil Brewing Mission Valley, with fun conversation about cyber, a few silly games and a guided discussion, plus free food and drink for the first 60 people. Head on over to the events page at cisoseries.com for more details.

And if you have some thoughts on the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We'd love to hear from you. I'm Lauren Verno reporting from the CISO Series.
Unknown Host
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.

Cyber Security Headlines - Episode Summary
Hosted by CISO Series | Release Date: June 24, 2025
Lauren Verno opens the episode by highlighting the Department of Homeland Security's (DHS) recent national advisory concerning potential Iranian cyber retaliation. In the wake of President Trump's airstrikes on three Iranian nuclear sites, the DHS anticipates an escalation in cyber activities from Iranian state-sponsored hackers and pro-Iranian hacktivists targeting U.S. infrastructure.
Lauren Verno (00:07): "Iranian cyber threat actors are expected to ramp up operations against US targets following President Trump's recent airstrikes on three Iranian nuclear sites."
The advisory underscores Iran's history of targeting critical infrastructure, political campaigns, and operational technologies within the U.S., primarily through malware-based attacks. Iranian-linked groups have already signaled their intent to retaliate, increasing concerns over national cybersecurity.
Next, Verno discusses the cyberattack on Nucor, North America's largest steel producer. The incident resulted in data theft and temporarily halted operations across several facilities.
Lauren Verno (02:15): "Nucor confirmed a cyber attack that led to the data theft and the temporary shutdown of operations at several facilities."
Despite restoring affected systems and observing no ongoing unauthorized access, the nature of the breach suggests a possible double extortion ransomware attack, although no group has claimed responsibility yet. The SEC filing revealed that only limited data was exfiltrated, alleviating some immediate concerns but leaving the door open for future threats.
The episode moves on to another significant cyber incident involving McLaren Healthcare. This Michigan-based hospital network suffered its second major ransomware attack within a year, compromising sensitive data of over 740,000 patients.
Lauren Verno (04:50): "McLaren Healthcare has confirmed a ransomware attack that compromised sensitive data for over 740,000 patients."
The breach exposed personal information including names, Social Security numbers, and medical records. McLaren has responded by notifying victims and offering a year of free credit monitoring. Early indicators suggest involvement of the Inc. Ransomware gang, based on the ransom note circulated online.
Verno brings attention to Salt Typhoon, a Chinese state-sponsored hacking group actively targeting Canadian telecom networks. A notable breach in February 2025 exploited a critical Cisco vulnerability, months after its public disclosure.
Lauren Verno (06:30): "Salt Typhoon is actively targeting networks with a confirmed breach in February of 2025 that exploited a critical Cisco flaw."
Despite prior warnings, some critical infrastructure remains unpatched, exacerbating the risk as Salt Typhoon intensifies its activities across telecom and other key sectors. The Canadian Centre for Cyber Security and the FBI have raised alarms about the ongoing threats posed by these persistent attackers.
Expanding on the earlier discussion about Iranian cyber threats, Verno details recent cyberattacks linked to Iran that have impacted global targets.
Lauren Verno (05:45): "Iran-linked attacks hit globally. Now, as tensions with Iran escalate, recent cyber attacks abroad serve as a stark reminder that Iranian-linked hackers are already actively targeting critical systems worldwide."
In Albania, the group Homeland Justice, associated with Iran's Islamic Revolutionary Guard Corps, disrupted public services by taking down the capital's website and exfiltrating data. Similarly, in Saudi Arabia, Cyber Fatah leaked thousands of personal records related to the 2024 Saudi Games, revealing sensitive information of athletes and officials. These actions are part of a broader information warfare campaign aimed at advancing Iran's anti-U.S., anti-Israel, and anti-Saudi agendas.
The podcast highlights a sophisticated social engineering tactic involving fake Zoom calls to deploy malware, attributed to North Korea's BlueNoroff hacking group.
Lauren Verno (07:20): "We are now learning that a scheme of fake Zoom calls to deploy malware is greater than first thought."
Victims, primarily in the cryptocurrency and financial sectors, are deceived into running fake Zoom audio fix scripts or downloading malicious extensions. Attackers employ deepfakes, spoofed domains, and Telegram to deliver malicious payloads, leading to data theft, keyloggers, and persistent backdoors within compromised systems.
The final major headline covers the substantial financial losses UK retailers have faced due to cyberattacks. Marks & Spencer and Co-op are among the hardest hit, with estimated damages totaling up to €440 million (approximately $591 million USD).
Lauren Verno (08:00): "Cyber attacks targeting major UK retailers like Marks and Spencer and Co-op are estimated to cost up to 440 million euros."
Britain's Cyber Monitoring Centre (CMC) implemented a new classification system for systemic cyber events, and these attacks were categorized as Category 2 incidents. Marks & Spencer experienced the most significant financial impact, while Co-op dealt with severe operational disruptions, particularly in rural areas. This classification aims to provide clarity for insurers and policymakers in addressing and mitigating such large-scale cyber threats.
In this episode of Cyber Security Headlines, Lauren Verno comprehensively covered the escalating cyber threats linked to geopolitical tensions, significant breaches in major industries, and innovative attack vectors like fake Zoom calls. The discussed incidents underscore the critical need for robust cybersecurity measures and proactive defense strategies to protect against increasingly sophisticated and state-sponsored cyber threats.
For those interested in more detailed stories and daily updates, visit CISOseries.com.
Note: All timestamps correspond to the moments when the respective topics were discussed in the podcast.