Iranian Hackers Target Thousands of US Industrial Controllers While Healthcare Breaches Get Personal
I’ve been following some concerning developments this week that highlight how our threat landscape continues to shift in unexpected ways. While we’re all familiar with the usual ransomware headlines, there are some specific incidents that deserve our attention – particularly around critical infrastructure targeting and the evolving nature of healthcare data breaches.
Nearly 4,000 Industrial Controllers in Iranian Crosshairs
The most alarming story comes from BleepingComputer’s report about Iranian-linked threat actors specifically targeting internet-exposed programmable logic controllers (PLCs) manufactured by Rockwell Automation. We’re talking about nearly 4,000 US industrial devices that are sitting ducks for cyberattacks.
What makes this particularly concerning isn’t just the scale – it’s the specificity. These aren’t opportunistic attacks against whatever happens to be exposed. Iranian actors are systematically mapping and targeting the exact industrial control systems that keep our critical infrastructure running. Rockwell Automation PLCs are everywhere: manufacturing plants, water treatment facilities, power generation sites.
The fact that these devices are internet-exposed in the first place tells us we still have fundamental security hygiene problems in our industrial sectors. I’ve seen too many organizations where operational technology (OT) teams and IT security teams operate in silos, leaving critical gaps in visibility and protection.
Healthcare Breaches Get Uncomfortably Personal
Speaking of gaps, the Hims telehealth breach reported by Dark Reading represents a new flavor of healthcare data exposure that should make us all uncomfortable. This isn’t your typical breach of names, addresses, and insurance information. We’re talking about deeply personal health data – who’s dealing with hair loss, weight issues, erectile dysfunction.
The headline puts it bluntly: “threat actors may know who’s bald, overweight, and impotent.” While that might sound almost comical, think about the implications. This type of highly personal medical information creates perfect conditions for targeted social engineering, blackmail, or identity theft schemes. It’s one thing to have your email address leaked; it’s entirely another to have your most private health concerns exposed.
For those of us working in healthcare security, this underscores why we need to think beyond traditional PHI protection models. Telehealth platforms are collecting incredibly sensitive data, often with less rigorous security controls than traditional healthcare providers.
Developers Under Fire with Supply Chain Tricks
The GlassWorm campaign evolution caught my attention because of how sophisticated the targeting has become. These attackers are using a Zig dropper hidden in what appears to be a legitimate WakaTime extension for developer IDEs. The fake extension is called “specstudio.code-wakatime-activity-tracker” and it’s designed to infect multiple development environments on the same machine.
This is supply chain compromise at a very granular level. Instead of going after major repositories or build systems, they’re targeting the individual tools developers use every day. If you’re managing developer workstations, this should be a wake-up call about extension and plugin management policies.
The choice of Zig as the dropper language is interesting too – it’s relatively new and might fly under the radar of traditional detection systems that are heavily tuned for more common languages and frameworks.
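As an added example (not code from this post or from the GlassWorm research), here is a small Python inventory check that walks the per-user extension folders of several VS Code-based editors on one machine and flags the extension ID named above, since the dropper is described as infecting multiple development environments. The editor directory locations are assumed typical Linux/macOS defaults, and the sample extension tree in `demo_scan` is constructed for illustration.

```python
# Flag a known-bad extension ID across VS Code-family editors installed for one user.
import json
import tempfile
from pathlib import Path

# Extension ID named in the GlassWorm report, keyed as "publisher.name" (lowercase).
BLOCKLIST = {"specstudio.code-wakatime-activity-tracker"}

# Assumed per-user extension roots for editors sharing the VS Code extension layout.
DEFAULT_ROOTS = [
    Path.home() / ".vscode" / "extensions",
    Path.home() / ".vscode-oss" / "extensions",   # VSCodium
    Path.home() / ".cursor" / "extensions",
]

def extension_id(ext_dir):
    """Return ('publisher.name', version) from an extension's package.json, or None if unreadable."""
    try:
        data = json.loads((Path(ext_dir) / "package.json").read_text(encoding="utf-8"))
        return f"{data['publisher']}.{data['name']}".lower(), str(data.get("version", "?"))
    except (OSError, ValueError, KeyError, TypeError, AttributeError):
        return None

def find_blocklisted(roots, blocklist=BLOCKLIST):
    """Walk every extension folder under each root; return (root, id, version) for blocklist hits."""
    hits = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue  # editor not installed for this user
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            parsed = extension_id(ext_dir)
            if parsed and parsed[0] in blocklist:
                hits.append((str(root), parsed[0], parsed[1]))
    return hits

def demo_scan():
    """Constructed sample: one benign and one blocklisted extension across two editor roots."""
    sample = {  # relative path under a temp dir -> (publisher, name, version); all constructed
        "vscode/extensions/wakatime.vscode-wakatime-24.0.0": ("WakaTime", "vscode-wakatime", "24.0.0"),
        "cursor/extensions/specstudio.code-wakatime-activity-tracker-1.0.0":
            ("specstudio", "code-wakatime-activity-tracker", "1.0.0"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (publisher, name, version) in sample.items():
            ext_dir = Path(tmp) / rel
            ext_dir.mkdir(parents=True)
            manifest = {"publisher": publisher, "name": name, "version": version}
            (ext_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        roots = [Path(tmp) / "vscode" / "extensions", Path(tmp) / "cursor" / "extensions"]
        return [(ext_id, version) for _root, ext_id, version in find_blocklisted(roots)]
```

On a real workstation, call `find_blocklisted(DEFAULT_ROOTS)` (adding any Windows or other fork paths you use); matching on the manifest's publisher and name rather than the folder name catches renamed directories.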
Multiple Fronts, Same Problems
Looking at this week’s other incidents mentioned in SecurityWeek’s roundup – the Stryker cyberattack, a new Windows zero-day, and Chinese supercomputer compromises – there’s a common thread. We’re seeing attackers get more precise about their targets while defenders struggle with basic visibility and control.
Whether it’s industrial control systems exposed to the internet, healthcare platforms with inadequate protection for sensitive data, or developers installing malicious extensions, the root issues often come back to asset visibility, access controls, and security awareness.
What This Means for Our Day-to-Day Work
These incidents reinforce some uncomfortable truths about where we stand. The Iranian targeting of industrial controllers shows that nation-state actors are moving beyond espionage and positioning for potential physical impact. The Hims breach demonstrates that our privacy assumptions about healthcare data need updating. The GlassWorm campaign evolution proves that supply chain attacks are getting more targeted and harder to detect.
For practical next steps, we need to prioritize asset discovery across both IT and OT environments, implement stronger controls around third-party integrations (especially in developer environments), and rethink our approach to protecting highly sensitive personal data in healthcare contexts.
The threat actors aren’t slowing down, and they’re definitely not getting less creative.