Stolen iPhones are locked tight, until scammers phish your Apple ID credentials

One of the reassuring things about owning an iPhone was knowing you could lock it if it got lost or stolen. Without your passcode, fingerprint or face to unlock it, it would be useless to anyone else.

Now, though, some phone thieves have found a workaround, not by breaking Apple’s security, but by tricking owners into giving them the keys.

The Swiss National Cyber Security Centre (NCSC) has issued a warning about phishing scams targeting iPhone owners who’ve lost their devices.

Phishing for Apple ID credentials

When you report an iPhone as lost in Apple’s Find My app, you can set a custom lock-screen message that appears on the missing device. Many people include an email address or phone number in that message so a helpful stranger can contact them if the phone turns up.

Unfortunately, that’s the very information scammers use to reach you. A thief (or anyone who now has the phone) can see that contact detail on the screen and send you a convincing message—usually by text, iMessage, or email—claiming to have found your device.

The scam messages often include details copied from the phone itself, such as its model and color, to make them sound authentic. They also include a link to a fake website that mimics the Find My service Apple operates to locate lost devices. The site asks for the victim’s Apple ID credentials.

If the victim takes the bait, the thief can use those credentials to gain full access to the phone. That enables them to wipe it, returning it to factory settings for resale.

Although the NCSC didn’t say so, an enterprising thief could get up to all kinds of other shenanigans. They might reset the user’s Apple ID to lock them out (even on a replacement device), access their photos (yes, including any risqué ones), read their emails and nose through their apps. In short, it would give them carte blanche over the victim’s digital life.

These attacks don’t have to happen immediately. The perpetrators might text months after the device has been lost, when victims might have moved on and lowered their guard.

The good news… and the bad

The warning is both good and bad news. It’s good news because it shows that criminals are apparently unable to bypass Apple’s Activation Lock protection through technical means. The Activation Lock, turned on when you activate Find My, registers a device ID on Apple’s activation servers. Even if the criminals reset your device, the activation lock will still be there. Only someone with the user’s Apple ID credentials can unlock it. It’s a version of something called Factory Reset Protection (FRP) that the US mandated under the US Smart Phone Theft Prevention Act of 2015. Android phones have similar lock functionality.

The warning is bad news because phone owners are human, and humans are often the easiest security system to defeat. Phishing schemes that target phone theft victims are big business. Back in 2017, security reporter Brian Krebs documented “phishing as a service” platforms that did it at scale, on a subscription basis. Vice found toolkits like ProKit for phishing to unlock phones on sale for around $75.

We’ve already written about how the phone theft industry operates. Police in the UK recently uncovered a network stealing up to 40,000 phones per year. Most were shipped overseas to countries including China, where they would be used as profitably as possible. Locked phones might be broken up for parts, but a phone restored to factory settings that can be activated from scratch is far more valuable.

What to do if your iPhone is stolen

Ignore any messages from “Apple” claiming your lost phone has been found. The NCSC says Apple will never text or email customers about a recovered device.

If you lose your phone, turn on Lost Mode right away in Find My to lock it and display your contact message. Use a different contact number or email (not the one linked to your Apple ID or main phone) so scammers can’t use that information to target you.

Protect your SIM, too: enable PIN protection immediately, and ask your carrier to block or replace the SIM if the phone has been stolen.

We can’t easily stop thieves stealing people’s phones, or control who sees our phones after they leave our hands. But a little forethought now can help you to stop criminals from accessing your digital life or selling your phone on in its current form if it does enter the underground supply chain.


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Fantasy Hub is spyware for rent—complete with fake app kits and support

Researchers at Zimperium identified Fantasy Hub, a new Android spyware developed and sold as a subscription on Russian-language cybercrime forums.

Malware-as-a-Service (MaaS) means cybercriminals rent out malware to other criminals, complete with the infrastructure necessary to harvest and abuse stolen information. Usually, it’s up to the buyer to spread the malware, but Fantasy Hub goes a step further—it comes with full documentation, video tutorials, and a subscription model that makes it easy for even inexperienced attackers to use. Its creators provide step-by-step guides to create fake Google Play pages that imitate apps like Telegram or online banking portals, complete with realistic reviews. It’s a Remote Access Trojan (RAT) that anyone can distribute.

Distribution relies heavily on social engineering and phishing. Attackers use Fantasy Hub’s templates and tools to set up convincing fake app pages, tricking users into downloading the malicious software. A “dropper” option even lets buyers upload any Android app APK and get back a modified version with Fantasy Hub added.

These counterfeit apps look legitimate, and often request only a single permission: SMS access. But that permission unlocks much more. The SMS handler role bundles several powerful permissions (contacts, camera, and file access) into a single authorization step, giving the app extensive control over the device’s messaging, contacts, and camera functions. Fantasy Hub is designed to bypass standard security checks and can remain concealed, making detection difficult for users.

What can it do?

Once installed, Fantasy Hub can steal SMS messages, call logs, contacts, photos, and videos. It can also intercept, reply to, and delete notifications. More dangerously, it can initiate live audio and video streams using the device’s camera and microphone without the user’s consent. It’s been found in imitation banking apps, displaying fake windows to harvest user credentials such as usernames, PINs, and passwords. As part of the handy pack provided by Fantasy Hub’s creators, attackers are given tools to tailor these phishing windows for almost any banking app they wish to target.

While individuals are at risk from this malware, the threat extends to organizations that use Bring Your Own Device (BYOD) policies or rely on mobile banking and work apps. A single infected phone could expose company data or communications.

How to stay protected

Fantasy Hub shows how easily cybercriminals can now buy and run complex spyware. But a few simple habits can help you stay safe:

  • Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
  • Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware as Android/Trojan.Spy.ACRF949851CC4.
  • Scrutinize permissions. Does it really need the permissions it’s requesting to do the job you want it to do? Especially if it asks for SMS or camera access.
  • Unsolicited communications. Stay wary of messages, emails, or links urging you to “update” or install outside the official app stores.
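The two points above about the SMS handler role bundling contacts, camera and file access into one authorization step, and the advice to scrutinize whether an app really needs the permissions it asks for, can be turned into a triage check over a decoded AndroidManifest.xml. The following Python is an added example, not code from Zimperium or from Malwarebytes: it reads a manifest (as produced by a decompiler such as apktool), lists the capability each risky permission unlocks, detects the SMS_DELIVER receiver that a default-SMS-handler app must declare, and compares the result against what the reviewer expects the app to need. The package names, labels and both manifests are constructed for the demonstration; the permission and action strings are the standard Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that give an app the kind of reach the article describes,
# grouped by the capability each one unlocks.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.SEND_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
}

# An app that wants to be the default SMS handler must declare a receiver for
# this broadcast. Its presence means the app will ask for the SMS role, which
# grants the bundled permissions in one step.
SMS_DELIVER_ACTION = "android.provider.Telephony.SMS_DELIVER"


def _android_attr(element, name):
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml, expected_capabilities=()):
    """Compare what a manifest requests against what the app's stated purpose needs.

    expected_capabilities lists the capabilities the reviewer accepts for this
    app (for a banking app, perhaps only "camera" for cheque deposit).
    """
    root = ET.fromstring(manifest_xml)
    requested = {_android_attr(e, "name") for e in root.iter("uses-permission")}
    capabilities = sorted({RISKY_PERMISSIONS[p] for p in requested if p in RISKY_PERMISSIONS})
    asks_sms_role = any(_android_attr(a, "name") == SMS_DELIVER_ACTION for a in root.iter("action"))
    unexpected = [c for c in capabilities if c not in expected_capabilities]
    if asks_sms_role and "sms" not in expected_capabilities:
        unexpected.insert(0, "default-sms-handler")
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "asks_sms_role": asks_sms_role,
        "unexpected": unexpected,
        "verdict": "reject" if unexpected else "ok",
    }


# Constructed manifest modelled on the article's description of a fake banking app:
# one SMS-role request that also pulls in contacts and camera access.
FAKE_BANK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Bank">
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_DELIVER"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed manifest for a document-scanner app that only needs the camera.
SCANNER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.scanner">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Scanner"/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (FAKE_BANK_MANIFEST, SCANNER_MANIFEST):
        print(triage_manifest(manifest, expected_capabilities=("camera",)))
```

The verdict is only as good as the expected-capabilities list the reviewer supplies: a genuine messaging app will legitimately ask for the SMS role, so the check is meant to be run with the app's advertised purpose in mind, which is exactly the question the "scrutinize permissions" advice asks you to put to yourself.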

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Watch out for Walmart gift card scams

You’ve probably seen it before—a bright, urgent message claiming you’ve qualified for a $750 or $1000 Walmart gift card. All you have to do is answer a few questions. It looks harmless enough. But once you click, you find yourself in a maze of surveys, redirects, and “partner offers”—without ever actually reaching the end and claiming your prize.

Walmart gift card scam

This so-called “survey” is part of a lead-generation and affiliate marketing scam, designed not to reward you but to harvest your data and push you through ad funnels that make money for others, at the cost of your privacy.

Congrats!

What’s really going on?

It’s a scam because these pages rarely deliver any real gift card. What they’re after is your personal data.

As you move through each step, you’re asked for details like your name, email, phone number, ZIP code and even your home address. In some cases, you’re prompted to share interests such as home repair, debt help, or insurance quotes—each answer helps categorize you for targeted marketing.

Questions that aim to capture your data

Even if the page itself doesn’t steal money, that information is still valuable. It can be used to target you with more ads and offers, add you to marketing lists, or personalize follow-up contact. In other words, completing the questionnaire hands over data that can be exploited for profit—even when no gift card ever appears.

Survey questions from an affiliate

In some cases, the funnel gets even more specific. For example, if the survey asks you about home projects and you say you’re planning to replace your windows, you might be redirected to what looks like a legitimate home improvement site—often just another form asking for the same details again. The whole thing is designed to keep you filling out more forms, giving up more of your data, to more websites and affiliates.

Questions from an affiliate to collect your data
The surveys try to keep you on the site.

These scams aren’t just annoying time-wasters. They are harvesting your data, eroding your privacy and exposing you to wider risks. Once your details are shared, they can travel far beyond that fake survey.

Your information may:

  • Be resold to advertisers and data brokers, who build detailed profiles about your habits, spending, and location.
  • Lead to a surge of spam calls, texts, and phishing emails tailored to your interests.
  • Feed more convincing scams down the line, since criminals can now personalize their lures using real information about you.
  • End up on unregulated marketing lists that circulate for years, keeping your data in play long after you’ve closed the page.

That’s the hidden cost of a “free” gift card: each click fuels a network that profits from your identity, not your participation.

Why do people fall for it?

The hook is simple—free money and easy participation. But this fake Walmart promotion taps into three powerful psychological triggers:

  1. The sense of luck: “You’ve been selected!” sounds personal and special.
  2. The promise of low effort: Answering a few questions feels harmless.
  3. The illusion of credibility: Walmart’s branding lends legitimacy.

It looks easy to claim a gift card.

These scams spread mainly through advertising and malvertising networks—pop-ups, spam emails, social media ads, or sketchy website banners that imitate real promotions.

You might spot them alongside news articles or as “sponsored links” that sound too good to be true. Some appear via push notifications or redirects, whisking you from a real website to a fake reward page in seconds.

The designs often use official logos, countdown timers, and congratulatory language to make them look like authentic brand campaigns—tricking people into lowering their guard.

It’s an easy mental shortcut: “If this was fake, it wouldn’t look so professional.” That’s what these scammers count on—the appearance of legitimacy mixed with urgency and reward.

How to protect yourself

These gift card offers aren’t just harmless internet fluff—they’re the front door to a sprawling network of data collection and affiliate profiteering. Each click, form, and redirect is designed to extract value from your attention and information, not to reward you.

Recognizing these scams early is the best defense. Here’s how to stay safe:

  1. Be suspicious of online surveys promising big rewards. Legitimate promotions from major retailers rarely require long questionnaires or partner offers.
  2. Never give personal information to unknown pages. If a site asks for your phone number or address for a “free prize,” it’s a red flag.
  3. Use browser protection tools. Extensions like Malwarebytes Browser Guard can block known scam domains and malvertising networks before they load.
  4. Check the URL carefully. Real Walmart promotions will always come from official domains (like walmart.com or survey.walmart.com), not random URLs with extra words or numbers.
  5. Stay alert and skeptical. Online quizzes and reward offers are a favorite bait for scammers. When in doubt, close the tab.
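Step 4 above, checking that a promotional link really sits under an official domain, is easy to get wrong by eye because scam hosts put the brand name where a quick glance expects it. The following Python is an added example, not Malwarebytes code: it parses the link, reads the actual host the browser would connect to, and rejects the common tricks (brand text before an @ sign, the brand as a leading label of some other domain, punycode labels, and digit-for-letter look-alikes such as wa1mart). The sample links are constructed; walmart.com and survey.walmart.com are the domains the article names.

```python
from urllib.parse import urlsplit

# Domains the article names as official; any subdomain (survey.walmart.com) counts.
OFFICIAL_DOMAINS = ("walmart.com",)

# Crude homoglyph folding for look-alike detection (wa1mart -> walmart, walm0rt -> walmort).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def classify_promo_url(url):
    """Return (is_official, reason) for a link that claims to be a Walmart promotion."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"
    if parts.username is not None:
        # https://walmart.com@evil.example/ puts the brand in the userinfo part;
        # the browser connects to whatever follows the @.
        return False, "brand text before @, real host is " + host
    if any(label.startswith("xn--") for label in host.split(".")):
        # Punycode labels can hide look-alike characters; treat as unofficial.
        return False, "internationalized host, check it by hand: " + host
    for domain in OFFICIAL_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return True, "host is under " + domain
    # The brand appears in the host (after homoglyph folding), but not as the registrable domain.
    folded = host.translate(HOMOGLYPHS)
    if any(domain.split(".")[0] in folded for domain in OFFICIAL_DOMAINS):
        return False, "look-alike host: " + host
    return False, "unrelated host: " + host


# Constructed sample links of the kind the article describes.
SAMPLE_LINKS = [
    "https://survey.walmart.com/claim",
    "https://walmart.com.free-750-giftcard.example/claim",
    "https://walmart.com@claim-reward.example/",
    "https://www.wa1mart.com/",
    "walmart-survey.example/prize",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", classify_promo_url(link))
```

The check deliberately stops at "is this host under the official domain"; it says nothing about whether a given page on that host is a real promotion, and the homoglyph table is a starting point rather than a complete list.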


A week in security (November 3 – November 9)

Last week on Malwarebytes Labs:

On the ThreatDown blog:

Stay safe!


Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Malwarebytes scores 100% in AV-Comparatives Stalkerware Test 2025

The AV-Comparatives Stalkerware Test 2025 delivers a sobering look at the evolving threat posed by stalkerware on mobile devices. Despite measures from both the tech industry and platform providers, stalkerware-type apps, which are apps that can be installed covertly to spy on a victim’s private life, remain a critical concern.

This comprehensive assessment, developed in collaboration with Electronic Frontier Foundation (EFF), evaluated 13 leading Android security solutions against 17 diverse stalkerware-type apps. Key findings show that stalkerware persists even as providers and coalitions crack down: it’s sideloaded from developer websites, designed to evade detection, and frequently stores sensitive victim data on insecure servers, often exposing it to wider risks like public data leaks.

For this test, each security app was assessed for its ability to clearly detect and report stalkerware, not just using generic labels, but with explicit warnings tailored to support possible victims.

AV-Comparatives is an independent organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises.

Of the 13 security products tested in September 2025, only a few stood out for detection accuracy, clarity, and responsible alerting, with Malwarebytes the only one to score a 100% detection rate.

From the report:

The results show clear differences in performance between mobile security products. Malwarebytes stood out by detecting all stalkerware testcases, achieving a 100% detection rate. 

It went on to say:

Bitdefender, ESET, Kaspersky, and McAfee followed closely with 94% each, showing consistently high effectiveness. Avast, Avira, and F-Secure also performed well, identifying 88% of the test set, while Norton and Sophos achieved moderate coverage, detecting around 82%. At the lower end, G Data (65%), Google (53%), and Trend Micro (59%) missed a substantial portion of the stalkerware.

Why it matters to Malwarebytes

As one of the founding members of the Coalition Against Stalkerware, Malwarebytes sees this result as much more than a technical win. For us, the mission goes beyond simply blocking malicious software. Stalkerware-type apps are often used by abusers to systematically invade privacy and exert control. Their impact is highly personal, making reliable detection and safe reporting imperative.

Our participation in the coalition reflects a commitment to industry best practices: preventing stalkerware-type apps from being quietly installed, giving users detailed and honest threat information, and ensuring that every detection alert is crafted with survivor safety in mind. Scoring 100% in this test validates years of advocacy and development focused on the real-world needs of victims and their supporters, which goes beyond focusing on theoretical malware samples.

Ultimately, consistent leadership in stalkerware detection means standing alongside partners and survivor organizations to raise public awareness, drive safer technology, and provide every user with a clear path to reclaim their privacy. For Malwarebytes, achieving a perfect score isn’t just a mark of product quality; it’s proof of our commitment to your privacy and security.



Fake CAPTCHA sites now have tutorial videos to help victims install malware

Early on in 2025, I described how criminals used fake CAPTCHA sites and a clipboard hijacker to provide instructions for website visitors that would effectively infect their own machines with an information stealer known as the Lumma Stealer.

ClickFix is the name researchers have since given to this type of campaign—one that uses the clipboard and fake CAPTCHA sites to trick users into running malicious commands themselves.

Later, we found that the cybercriminals behind it seemed to be running some A/B tests to figure out which infection method worked best: ClickFix, or the more traditional file download that disguises malware as a useful application.

The criminals probably decided to go with ClickFix, because they soon came up with a campaign that targeted Mac users to spread the infamous Atomic Stealer.

Now, as reported by researchers from Push Security, the attackers behind ClickFix have tried to make the campaign more “user-friendly.” The latest fake CAPTCHA pages include embedded video tutorials showing exactly how to run the malicious code.

instructions for Mac users
Image courtesy of Push Security

The site automatically detects the visitor’s operating system and provides matching instructions, copying the right code for that OS straight to the clipboard—making typos less likely and infection more certain.

A countdown timer adds urgency, pressuring users to complete the “challenge” within a minute. When people rush instead of thinking things through, social engineering wins.

Unsurprisingly, most of these pages spread through SEO-poisoned Google search results, although they also circulate via email, social media, and in-app ads too.
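The page features described above (a clipboard write triggered from a "verify you are human" page, OS detection to pick the right command, run-box or terminal instructions, and a countdown) are individually innocent but rarely occur together on a legitimate site, which makes them a usable heuristic for surfacing ClickFix-style pages for review. The following Python is an added example, not Push Security's or Malwarebytes' detection logic: it scores a page's HTML against those indicators and flags it when the weighted score crosses a threshold. Both HTML samples are constructed; the fake page copies only a harmless echo placeholder to the clipboard.

```python
import re

# Each indicator: (label, pattern, weight). Patterns are deliberately loose,
# meant to surface pages for a human to review rather than to convict them.
INDICATORS = [
    ("clipboard_write",
     re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I), 3),
    ("captcha_wording",
     re.compile(r"verify (that )?you(\s+are|'re) human|i'?m not a robot|captcha", re.I), 2),
    ("os_fingerprint",
     re.compile(r"navigator\.(userAgent|platform|userAgentData)", re.I), 1),
    ("run_instructions",
     re.compile(r"win(dows)?\s*(key)?\s*\+\s*r\b|run dialog|open (the )?terminal|(ctrl|cmd|⌘)\s*\+\s*v\b", re.I), 3),
    ("countdown",
     re.compile(r"setInterval\s*\(|seconds? (left|remaining)", re.I), 1),
]
REVIEW_THRESHOLD = 6


def score_page(html):
    """Return the matched indicators, their weighted score and a review flag."""
    hits = [label for label, pattern, _ in INDICATORS if pattern.search(html)]
    score = sum(weight for label, _, weight in INDICATORS if label in hits)
    return {"score": score, "hits": hits, "flag": score >= REVIEW_THRESHOLD}


# Constructed page modelled on the article's description: OS check, clipboard
# write, run-box instructions and a timer. The copied command is a placeholder.
FAKE_CAPTCHA_PAGE = """<html><body>
<h2>Verify you are human</h2>
<p>Complete the steps below. <span id="t">60</span> seconds left.</p>
<ol><li>Press Win + R</li><li>Press Ctrl + V</li><li>Press Enter</li></ol>
<button id="go">I'm not a robot</button>
<script>
// The page picks a string for the visitor's OS; here both are harmless placeholders.
var cmd = navigator.platform.indexOf("Mac") === 0 ? "echo MAC-PLACEHOLDER" : "echo WIN-PLACEHOLDER";
document.getElementById("go").onclick = function () { navigator.clipboard.writeText(cmd); };
setInterval(function () { var t = document.getElementById("t"); t.textContent = t.textContent - 1; }, 1000);
</script></body></html>"""

# Constructed benign page: a normal "copy link" button also writes to the clipboard.
BENIGN_COPY_LINK_PAGE = """<html><body>
<h1>Release notes</h1>
<button onclick="navigator.clipboard.writeText(location.href)">Copy link to this page</button>
</body></html>"""

if __name__ == "__main__":
    print(score_page(FAKE_CAPTCHA_PAGE))
    print(score_page(BENIGN_COPY_LINK_PAGE))
```

A single clipboard write scores well below the threshold, which is why the benign page is not flagged; it is the combination of a clipboard write with CAPTCHA wording and run-box instructions that pushes a page over. In practice this kind of scan runs on the page as delivered, so obfuscated scripts will need to be unpacked first.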

How to stay safe

With ClickFix running rampant—and it doesn’t look like it’s going away anytime soon—it’s important to be aware, careful, and protected.

  • Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
  • Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
  • Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
  • Secure your devices. Use an up-to-date real-time anti-malware solution with a web protection component.
  • Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Hackers commit highway robbery, stealing cargo and goods

There’s a modern-day train heist happening across America, and this time, some of the bandana-masked robbers are sitting behind screens.

According to new research, a group of cybercriminals has been attacking trucking, freight, and logistics companies for months, impersonating brands and even diverting real cargo shipments to unapproved locations so that the stolen goods can be sold or shipped elsewhere.

The impact, the researchers said, extends far beyond the logistics industry:

“Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics. The most targeted commodities are food and beverage products.”

Although the cyberattacks were mostly seen in North America, cargo theft is a problem across the world, impacting consumers and businesses that rely on the often-overlooked network of trucks, trains, ships, planes, and people.

In these attacks, cybercriminals compromise the accounts of carrier companies that transport goods from one location to the next. By posing as legitimate carriers, they can place real bids on shipments and then redirect them to unauthorized destinations, where they or their partners will receive and steal the cargo.

Researchers found that attackers take control of these accounts in at least one of three ways.

1. Fake load boards

Attackers may post a fake order on what’s called a “load board,” a digital marketplace that connects shippers with carriers so that cargo can be assigned and accepted. But when legitimate carriers inquire about the fake load board posting, the criminals reply with an email that includes a malicious link that, when clicked, installs Remote Monitoring and Management (RMM) software. (To make the scam more convincing, the cybercriminals also compromise a “broker” account so their load board posting looks legitimate.)

Despite the sneaky install method, RMM software itself is entirely legitimate. It’s used by IT support teams to remotely fix issues for employees. But that legitimacy makes RMM software perfect for any cybercriminal campaign because it may raise fewer red flags from older antivirus tools.

Once the attackers gain access to a carrier’s account, they can also deploy malware to steal account credentials, giving them greater access to a company’s network.

2. Compromised email accounts

A second observed attack method involved hijacking an active email address and then impersonating the owner when responding to emails about cargo orders and shipments. Here, too, cybercriminals inserted malicious links into emails that eventually install RMM tools.

3. Social engineering

Finally, researchers also observed the attackers sending direct phishing emails to carriers, using classic social engineering tricks—like sending a bogus bill to lure victims into clicking malicious links.

While many of the well-tested security best practices still apply—like not clicking on links inside emails—one of the strongest defenses is to use a security product that notifies users about RMM tools (also sometimes referred to as Remote Desktop Programs) installed on their device. RMM tools are legitimate, but because of their abuses in cybercriminal campaigns, it is important that every installation is verified and tracked.



Android malware steals your card details and PIN to make instant ATM withdrawals

The Polish Computer Emergency Response Team (CERT Polska) analyzed a new Android-based malware that uses NFC technology to perform unauthorized ATM cash withdrawals and drain victims’ bank accounts.

Researchers found that the malware, called NGate, lets attackers withdraw cash from ATMs (Automated Teller Machines, or cash machines) using banking data exfiltrated from victims’ phones—without ever physically stealing the cards.

NFC (Near Field Communication) is a wireless technology that allows devices such as smartphones, payment cards, and terminals to communicate when they’re very close together. So, instead of stealing your bank card, the attackers capture NFC activity on a mobile phone infected with the NGate malware and forward that transaction data to devices at ATMs. In NGate’s case the captured data is sent over the network to the attackers’ servers rather than being relayed purely by radio.

NFC comes in a few “flavors.” Some produce a static code—for example, the card that opens my apartment building door. That kind of signal can easily be copied to a device like my “Flipper Zero” so I can use that to open the door. But sophisticated contactless payment cards (like your Visa or Mastercard debit and credit cards) use dynamic codes. Each time you use NFC, your card’s chip generates a unique, one-time code (often called a cryptogram or token) that cannot be reused and is different every time.

So, that’s what makes the NGate malware more sophisticated. It doesn’t simply grab a signal from your card. The phone must be infected, and the victim must be tricked into performing a tap-to-pay or card-verification action and entering their PIN. When that happens, the app captures all the necessary NFC transaction data exchanged — not just the card number, but the fresh one-time codes and other details generated in that moment.

The malware then instantly sends all that NFC data, including the PIN, to the attacker’s device. Because the codes are freshly generated and valid only for a short time, the attacker uses them immediately to imitate your card at an ATM; the accomplice at the ATM presents the captured data using a card-emulating device such as a phone, smartwatch, or custom hardware.
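To make the difference between the static door-fob code and the dynamic payment cryptogram concrete, here is an added Python model; it is not code from CERT Polska or from the article. It has a fob that answers every reader with the same bytes, a simplified card that answers the reader's fresh random challenge with an HMAC over that challenge, and a reader that accepts only a response to the challenge it just issued. It then shows why a recording of a fob works against the door, why a recording of a card does not work at the ATM, and why the attacker instead needs a live connection to the victim's card at the moment of the withdrawal. The key, the test card number and the replay and relay devices are constructed; real EMV cryptograms also bind a transaction counter, amount and other data that this toy omits.

```python
import hashlib
import hmac
import os


class StaticTag:
    """Door-fob style tag: answers every reader with the same fixed bytes."""
    def __init__(self, uid):
        self.uid = uid

    def respond(self, challenge):
        return self.uid  # the challenge is ignored, so the answer never changes


class ContactlessCard:
    """Simplified payment card: cryptogram bound to the reader's fresh challenge."""
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key  # shared only with the issuer, never leaves the chip

    def respond(self, challenge):
        return hmac.new(self._key, challenge + self.pan, hashlib.sha256).digest()


class Replay:
    """Device that only holds a recording of one earlier exchange."""
    def __init__(self, recorded_response):
        self.recorded = recorded_response

    def respond(self, challenge):
        return self.recorded


class LiveRelay:
    """Device that forwards the reader's challenge to the real card in real time
    (in NGate's case, across the network via the infected phone)."""
    def __init__(self, remote_card):
        self.remote_card = remote_card

    def respond(self, challenge):
        return self.remote_card.respond(challenge)


class Reader:
    """Reader/issuer side: accepts only the expected answer to the challenge it issued."""
    def __init__(self, verifier):
        self._verifier = verifier  # callable(challenge) -> expected response

    def transaction(self, device):
        challenge = os.urandom(8)  # EMV calls this the unpredictable number
        response = device.respond(challenge)
        return hmac.compare_digest(response, self._verifier(challenge))


def demo():
    results = {}
    # Static fob: eavesdrop once, then replay; the door cannot tell a copy from the fob.
    fob = StaticTag(b"\x04\xa1\xb2\xc3")
    door = Reader(lambda challenge: fob.uid)
    results["static_clone_accepted"] = door.transaction(Replay(fob.respond(os.urandom(8))))

    # Dynamic card: the issuer recomputes the cryptogram for the challenge just issued.
    key = os.urandom(32)                                    # constructed card key
    card = ContactlessCard(b"4111111111111111", key)        # constructed test PAN
    atm = Reader(lambda challenge: hmac.new(key, challenge + card.pan, hashlib.sha256).digest())
    results["card_accepted"] = atm.transaction(card)
    # A cryptogram captured from an earlier tap answers the wrong challenge.
    results["card_replay_accepted"] = atm.transaction(Replay(card.respond(os.urandom(8))))
    # Only a live path to the card at withdrawal time produces a valid answer.
    results["live_relay_accepted"] = atm.transaction(LiveRelay(card))
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(name, accepted)
```

The last result is the whole point of the social engineering the article goes on to describe: because a recorded cryptogram is useless, the accomplice has to be standing at the ATM while the victim is tapping the card on the infected phone, which is why keeping the phone uninfected and refusing the "card verification" prompt breaks the scheme.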

But, as you can imagine, being ready at an ATM when the data comes in takes planning—and social engineering.

First, attackers need to plant the malware on the victim’s device. Typically, they send phishing emails or SMS messages to potential victims. These often claim there is a security or technical issue with their bank account, trying to induce worry or urgency. Sometimes, they follow up with a phone call, pretending to be from the bank. These messages or calls direct victims to download a fake “banking” app from a non-official source, such as a direct link instead of Google Play.

Once installed, the app asks for permissions and leads victims through fake “card verification” steps. The goal is to get victims to act quickly and trustingly—while an accomplice waits at an ATM to cash out.

How to stay safe

NGate only works if your phone is infected and you’re tricked into initiating a tap-to-pay action on the fake banking app and entering your PIN. So the best way to stay safe from this malware is to keep your phone protected and stay vigilant to social engineering:

  • Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
  • Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
  • Do not engage with unsolicited callers. If someone claims to be from your bank, tell them you’ll call them back at the number you have on file.
  • Ignore suspicious texts. Do not respond to or act upon unsolicited messages, no matter how harmless or urgent they seem.

Malwarebytes for Android detects these banking Trojans as Android/Trojan.Spy.NGate.C; Android/Trojan.Agent.SIB01022b454eH140; Android/Trojan.Agent.SIB01c84b1237H62; Android/Trojan.Spy.Generic.AUR9552b53bH2756 and Android/Trojan.Banker.AURf26adb59C19.



Take control of your privacy with updates on Malwarebytes for Windows

It’s getting harder to keep your Windows space truly yours, as Microsoft increasingly serves annoying ads and tracks your data across third-party apps.

Pushing back against your eroding privacy has been a scattered and sometimes complicated process… but we’re making it easier for you. With the latest version of Malwarebytes for Windows, we’ve introduced Privacy Controls—a simple screen that brings several privacy settings together in one place, so you can easily decide how Microsoft handles your data.

Privacy Controls

With four simple toggles, you can decide whether to:

  • Allow third-party apps to use your Advertising ID
  • Allow third-party content on your lock screen
  • Allow third-party content on your Start screen
  • Allow Microsoft to use Windows diagnostic data

You can also disable all privacy-impacting features at once.

There’s more good news for your privacy. Malwarebytes now also alerts you when “Remote Desktop Programs” are installed on your device.

Remote Desktop Programs are powerful, often legitimate tools used by IT teams and tech support to fix problems remotely—especially since remote work became common. But the remote access these programs provide is powerful, which makes them a target for cybercriminals. If a real tech support account is compromised, a hacker could use the remote desktop program to tamper with your devices or spy on sensitive information.

There’s also a type of scam—called a tech support scam—where criminals trick people into installing remote desktop programs so they can take control of the victim’s device, potentially stealing data or money down the line.  

By flagging these programs, Malwarebytes gives you more visibility into what’s on your computer, so you can stay in control of your privacy and security.



Cyberattacks on UK water systems reveal rising risks to critical infrastructure

Digital intruders have been targeting UK drinking water systems in what seems to be a growing risk.

Recorded Future News sent a request to the UK’s Drinking Water Inspectorate (DWI), the organization responsible for ensuring that drinking water is safe, for details on cyberattacks affecting the country’s water system. Using freedom of information laws, the site discovered five incidents that had taken place since January 1, 2024.

A steady stream of water attacks

These aren’t the first attacks on UK water systems. In August 2022, the Clop ransomware gang hit South Staffordshire Water, thinking that it was actually Thames Water. The attack focused on stealing customer data, meaning water supplies weren’t disrupted, although corporate systems were affected.

In late 2023, pro-Iranian hackers disrupted water supplies in County Mayo, Ireland. The intruders, known as the CyberAv3ngers group, caused outages across 160 homes for two days. The attack was politically motivated by the utility’s apparent use of an Israeli-made tool.

These are far from the only attacks on water systems around the world. In February last year, CISA warned that a Chinese state-sponsored group had spent nine months moving laterally through a US water facility.

In that incident, attackers gained access using an administrator’s login and spent months inside the infrastructure, nosing around databases and other assets. CISA linked the intrusion to Volt Typhoon—a group that also targeted telecommunications companies around the world. The attackers were described as “OT adjacent,” meaning they had reached administrative systems close enough to potentially impact the operational technology that controls water flow.

The attacks keep coming. Just last month, the Canadian Centre for Cybersecurity reported an attack on a municipal water facility. Hacktivists managed to alter water pressure, causing “degraded service” for the local community.

It’s always worrying when attackers target critical national infrastructure. When attackers hit Colonial Pipeline in 2021, they only compromised its administrative network (the part that handles paperwork). But the company was spooked enough that it shut down its fuel distribution systems too, as a protective measure, causing gasoline prices to spike across the US East Coast.

Many attacks on water systems might go unreported, depending on where they happen. The UK’s Network and Information Systems (NIS) regulations dictate that critical national infrastructure organizations should reveal cyber attacks to the public. However, that only applies if those attacks caused disruption.

That’s why the attacks uncovered by Recorded Future haven’t been made public until now. While worrying, they didn’t affect the UK’s water supply. A 2022 review of the NIS regulations criticized this limited disclosure, noting that attacks with the potential to disrupt services often went unreported.

Although the attacks reported to Recorded Future were voluntarily disclosed to the DWI by suppliers, upcoming legal changes could lower the bar for mandatory reporting. The UK’s proposed Cyber Security and Resilience Bill would expand disclosure requirements, increasing transparency about attacks that could affect the water supply. The Bill is expected to reach Parliament in 2025—though time is running short.

A resource under pressure

Water is under considerable threat already in the UK, with major droughts declared this year. The Met Office reports that this year’s February-to-April period was the driest since 1956, with rainfall at just half the long-term average. River flows have dropped sharply, soil moisture is down, and the National Drought Group has met to coordinate a national response.

Water companies already have plans to manage shortages, the UK government says. But as the cyberattacks mount, the question is: are their system defenses strong enough too?

