Unidentified hackers breached a Norwegian dam's control system in April, opening its valve for hours due to a weak password. Learn how simple vulnerabilities threaten critical infrastructure.

In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected.

According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second.

****Vulnerable Control Systems Highlighted****

The incident was discovered on April 7 by the dam’s owner, Breivika Eiendom. Norwegian authorities, including NSM (National Security Authority), NVE (Norwegian Water Resources and Energy Directorate), and Kripos (a special agency of the Norwegian Police Service), were alerted on April 10, and an investigation is now underway.

Officials suspect the breach occurred because the valve’s web-accessible control panel was protected by a weak password. Breivika technical manager Bjarte Steinhovden speculated this was the likely vulnerability. The initial point of entry allowed attackers to bypass authentication controls and gain direct access to the operational technology (OT) environment.

****Broader Threats to Essential Services****

This incident is not isolated as such intrusions into vital infrastructure have occurred in the past. For instance, Hackread.com reported in April 2023, that Israel faced a wave of cyberattacks, with authorities believing they were part of OpIsrael, a campaign by pro-Palestinian hackers.

Among the targets were Israel’s irrigation systems, which saw several water monitors malfunction. The targets included irrigation and wastewater treatment systems in areas like the Hula Valley, the Jordan Valley, and the Galil Sewage Corporation. These cases show how simple vulnerabilities, like easy-to-guess passwords, can be exploited by threat actors.

****Lessons for Critical Infrastructure Protection****

While this particular facility primarily serves a fish farm and is not connected to Norway’s power grid, the incident shows a critical security lesson for essential infrastructure worldwide. It demonstrates how easily basic security failures, especially weak credentials, can compromise vital systems.

It also highlights that remote access, proper authentication, and clear ownership of cyber-physical interfaces should be standard security practices. The fact that the attack persisted for four hours undetected also indicates the importance of sufficient monitoring for critical infrastructure like dams. Effective cybersecurity practices, including strong passwords and multi-factor authentication (requiring more than one way to prove identity), are crucial for protecting these essential services.

Norwegian Dam Valve Forced Open for Hours in Cyberattack

Grocery giant Ahold Delhaize USA faced a major data breach affecting over 2.2 million employees. Learn what sensitive info was stolen and the ransomware group behind the Nov 2024 attack.

A data breach at Ahold Delhaize USA Services, LLC, a company providing support to the major East Coast grocery retailer Ahold Delhaize USA, has affected more than 2.2 million (2,242,521) individuals (including over 95,000 Mainers).

The incident, which involved unauthorized access to internal US business systems, occurred between November 5th and 6th, 2024, leading to the theft of highly sensitive personal, financial, and health information primarily belonging to current and former employees.

Ahold Delhaize USA is a prominent name in the US grocery sector, operating popular brands such as Food Lion, Giant Food, The GIANT Company, Hannaford, and Stop & Shop. According to Ahold Delhaize USA’s official statement, the company is notifying those impacted and is providing two years of complimentary credit monitoring and identity protection services. A help desk has also been established to assist individuals with inquiries.

****Details of the Cyberattack****

Ahold Delhaize USA Services detected the cybersecurity issue on November 6, 2024, and swiftly launched an investigation with the help of leading external cybersecurity experts., also coordinated with US federal law enforcement.

The investigation revealed that an unauthorized third party had gained access to and obtained files from one of their internal US file repositories. While the company quickly took some systems offline to contain the issue, leading to temporary disruptions for online orders and pharmacy services, these systems were soon restored.

The stolen data varied from person to person but was extensive, as per the breach notification submitted to the Maine Attorney General. It included names, contact details, dates of birth, government-issued identification numbers like Social Security numbers, passport numbers, and driver’s license numbers. Financial account records, including bank account numbers, were also compromised.

Additionally, health information, specifically workers’ compensation details and medical records within employment histories, along with other employment-related data, were exposed.

“Our review of the impacted files is still ongoing. At this time, we believe that many associates who were working for Ahold Delhaize Group, Ahold Delhaize Europe & Indonesia (EBS), Albert Heijn, Etos, Gall & Gall and the Ahold Delhaize Coffee Company in the Netherlands and who were on the payroll in April 2021 may have been affected by this issue,” the company noted.

Ahold Delhaize confirms that it found “no indication that customer payment or pharmacy systems were compromised” and “no customer credit card numbers contained in the affected files,” suggesting the focus of the attack was on employee data.

****Ransomware Group Claims Responsibility****

In a development that surfaced on April 16, 2025, the INC ransomware group publicly claimed responsibility for breaching Ahold Delhaize on their dark data leak website and threatened to release it fully after providing samples.

INC Ransomware on its dark web leak blog (Image: Hackread.com)

This group, active since mid-2023, often uses tactics like phishing emails or exploit kit malware to gain access. They are known for avoiding attacks in Russia, possibly indicating a base there or in a neighbouring country.

Ahold Delhaize confirmed on April 17, 2025, that data had indeed been stolen and began reviewing the affected files to identify the personal information at risk. This complex investigation, which has taken seven months to identify affected US individuals and also uncovered some Dutch employment data from April 2021, highlights the intricate nature of responding to such cyber incidents.

“To date, this is one of the most significant data breaches following a ransomware attack, particularly within the food and beverage sector,” said Rebecca Moody, Head of Data Research at Comparitech. “In fact, since we began tracking ransomware attacks at the start of 2018, this attack on Ahold Delhaize is the largest within the food and beverage sector (based on records affected).”

“In most cases, attacks on this sector have focused on system encryption, as this is often where the most disruption is caused. For example, from 2018 to the present, the average number of records breached in a ransomware attack on a food and beverage company was 53,200,_“_ explained Rebecca.

_“_This highlights the severity of this breach as well as the new focus on data theft (as well as system encryption) for the majority of ransomware gangs. It is likely that we’ll see larger data breaches within the food and beverage industry going forward. We are also yet to see the extent of the breaches on the UK’s Marks & Spencer and Co-op attacks this year.”

Ahold Delhaize Confirms Data Breach of 2.2M amid INC Ransomware Claims

A list of topics we covered in the week of June 23 to June 29 of 2025

June 27, 2025 - An invitation to sign a DocuSign document went through mysterious ways and a way-too-easy Captcha to fingerprint the target.

June 26, 2025 - Cybercriminals are using jailbroken AI models to assist them in designing campaigns and improving their tactics.

June 26, 2025 - The Do Not Call Registry hardly works. The reason why is simple and frustrating—it was never meant to stop all unwanted calls.

June 25, 2025 - Facial recognition is quickly becoming commonplace. It is important to know where, when, and how you can opt out.

June 25, 2025 - Data brokers that have registered in one state are failing to register in other states. What could be behind this?

 A week in security (June 23 &#8211; June 29) 

In Akka through 2.10.6, akka-cluster-metrics uses Java serialization for cluster metrics.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-358m-fq53-hp87: akka-cluster-metrics uses Java serialization for cluster metrics

Deserialization of Untrusted Data vulnerability in Apache Seata (incubating).

This security vulnerability is the same as CVE-2024-47552, but the version range described in the CVE-2024-47552 definition is too narrow.
This issue affects Apache Seata (incubating): from 2.0.0 before 2.3.0.

Users are recommended to upgrade to version 2.3.0, which fixes the issue.

GHSA-m964-fjrh-xxq2: Apache Seata Vulnerable to Deserialization of Untrusted Data

A patient's death is confirmed linked to the June 2024 ransomware attack by the Qilin ransomware gang on Synnovis, crippling London's NHS. Learn about the disruptions and Impact.

A patient’s death has been officially connected to a cyber attack carried out by the **Qilin ransomware** group that crippled pathology services at several major NHS hospitals in London last year. The cyber attack on Synnovis, a key pathology provider, caused widespread disruption to vital diagnostic services, delaying critical blood test results and impacting patient care significantly.

King’s College Hospital NHS Foundation Trust **confirmed** that a patient unexpectedly died during the cyber-incident. A spokesperson for the trust revealed that a detailed review of the patient’s care found multiple contributing factors, including “a long wait for a blood test result due to the cyber attack impacting pathology services at the time.”

The findings of this safety investigation have been shared with the patient’s family. Synnovis CEO, Mark Dollar, expressed deep sadness, stating, “Our hearts go out to the family involved.”

****Widespread Chaos and Data Theft****

Hackread.com **reported on this incident** on June 4, 2024, highlighting the chaos across London’s healthcare system. The attack occurred on June 3, 2024, targeting Synnovis, which provides diagnostics, testing, and digital pathology in southeast London. This incident brought blood testing across multiple NHS trusts, including King’s College, Guy’s and St Thomas’, and Lewisham and Greenwich hospitals, along with GP practices, to a halt.

The disruption was extensive, affecting more than 10,000 outpatient appointments and leading to the postponement of 1,710 operations at King’s College and Guy’s and St Thomas’ NHS Foundation Trusts.

Additionally, as per Sky News, 1,100 cancer treatments were delayed. Healthcare providers faced challenges with blood transfusions and matching, forcing them to use universal O-type blood, which contributed to a national shortage of O-type supplies, as explained by NHS England.

Nearly 600 patient safety incidents were linked to the attack, with two cases classified as severe, indicating permanent damage or life-threatening delays, according to revised figures from 2025. Synnovis also reported having to discard 20,000 degraded blood samples from 13,500 patients due to the inability to test them.

The **Russian cybercriminal group Qilin** is believed to be responsible. The group also allegedly published almost 400GB of stolen sensitive data online, including patient names, dates of birth, NHS numbers, blood test descriptions, and financial arrangements between hospitals and Synnovis, on its darknet site and Telegram channel.

****A Precedent for Fatal Cyberattacks****

This tragic death draws parallels with a similar incident in Germany on September 18, 2020, **as reported** by Hackread.com. In that case, a ransomware attack on University Hospital Düsseldorf (UKD) caused IT systems to fail. An emergency patient needing urgent treatment had to be rerouted to another hospital 32 kilometers away, leading to her death.

Investigators later found the attackers had mistakenly targeted the university, not the hospital and provided a decryption key when informed of their error. The vulnerability exploited in that attack, **Citrix ADC CVE-2019-19781**, had a patch available a month prior, emphasizing the critical need for timely cybersecurity updates in healthcare as these tragic incidents highlight the severe human cost of cyberattacks on medical facilities.

Qilin Ransomware Attack on NHS Causes Patient Death in the UK

Plus: US feds charge alleged masterminds behind infamous forum, Scattered Spider targets airlines, and hackers open a valve at a Norwegian dam.

WIRED published a shocking investigation this week based on records, including audio recordings, of hundreds of emergency calls from United States Immigration and Customs Enforcement (ICE) detention centers. The calls—which include reports of incidents of staff sexual assaults, suicide attempts, and head injuries—indicate a system inundated by life-threatening incidents, delayed treatment, and overcrowding.

In a 6-3 decision on Friday, the US Supreme Court upheld a Texas porn ID law, finding that age verification for explicit sites is constitutional. In a dissent, Justice Elena Kagan warned that this determination ignores First Amendment precedent and will have privacy implications for adults.

Looking at the US bombing of Iranian nuclear sites last weekend, President Donald Trump posted initial announcements of the strikes on the social Network Truth Social, which then began suffering intermittent outages. And WIRED reported on assessments of the damage to the nuclear sites based on satellite photos taken before and after the bombing.

Meanwhile, Taiwan is scrambling to make its own unmanned aerial vehicles domestically as drones increasingly become a crucial weapon of war. The urgency comes as a potential conflict with China looms. And Telegram launched a purge of Chinese cryptocurrency markets last month, banning black markets that sold tens of billions of dollars in crypto-scam-related services. Now, though, the markets are rebranding and bouncing back with no further action from the communication platform.

But wait, there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Immigration and Customs Enforcement (ICE) is now using a mobile app called Mobile Fortify that allegedly allows agents to identify individuals by pointing a smartphone at their face or capturing contactless fingerprints, 404 Media reports. The app reportedly taps into government databases, including Customs and Border Protection’s Traveler Verification Service and a DHS biometric intelligence system, in an attempt to match facial images taken in the field against prior government-collected records. ICE says the tool is intended to help officers identify “unknown subjects,” but civil liberties advocates tell 404 Media that it may open the door to surveillance-driven profiling and wrongful arrests.

Nathan Freed Wessler of the ACLU told the site, “Face recognition technology is notoriously unreliable, frequently generating false matches and resulting in a number of known wrongful arrests across the country. Immigration agents relying on this technology to try to identify people on the street is a recipe for disaster. Congress has never authorized DHS to use face recognition technology in this way, and the agency should shut this dangerous experiment down."

**US Feds Charge Group of Alleged Hackers Behind a Notorious Cybercrime Forum**

Global law enforcement this week announced the bust of a group of alleged cybercriminal hackers accused of carrying out years of profit-focused data breaches and running a notorious cybercriminal forum and market known as Breachforums. French authorities arrested four members of the group who went by the names “ShinyHunters,” “Hollow,” “Noct,” and “Depressed,” though the police sources who shared the news with the French newspaper Le Parisien didn’t reveal the suspects’ real names. The US Justice Department, meanwhile, criminally charged Kai West, a young British man, with carrying out a broad, years-long hacking spree under the handle “Intelbroker” that inflicted $25 million total damage against victims before he was arrested in February. In addition to hacking and selling vast troves of stolen data, the group—or at least some subset of its members—appears to have served as administrators for Breachforums, a notorious sales forum for cybercriminal information and tools that was shut down in a law enforcement operation in 2023 but was later relaunched by its staff.

**Scattered Spider Hackers Shift Their Targeting to the Airline Industry**

The loose cybercriminal gang known as Scattered Spider has carried out data theft and ransomware incidents for years, most recently targeting the grocery industry, other retailers, and the insurance industry in the US and the UK. Now cybersecurity analysts at Mandiant and Palo Alto Networks say the group is turning their attention to the aviation and transportation sector. Specifically, hackers were behind a cybersecurity incident last week that took down some IT systems and the mobile app for Canadian airline WestJet, Axios reports. Now Hawaiian Airlines has said it’s experiencing a “cybersecurity incident” affecting its network, though it hasn’t yet revealed more details or any evidence that Scattered Spider is responsible. Cybersecurity firms tracking the group warn that other potential aviation and transportation industry targets should be on the lookout for the group, which often uses sophisticated social engineering to trick staff into letting them bypass multi-factor authentication and gain a foothold on target systems.

**Hackers Breach a Norwegian Dam to Open Valve**

Here’s a curiosity that we missed a couple weeks ago: A rare industrial control system hijacking incident in which an unknown hacker appears to have messed with the computer systems that control the Lake Risevatnet dam in southwest Norway, opening a valve to its maximum setting. The tampering, the motivation for which was far from clear, increased the dam’s water flow by nearly 500 liters a second, but didn’t come close to approaching a dangerous level. No one appears to have spotted the change for close to four hours. Officials told the Norwegian energy news outlet Energiteknikk, which broke the story, that a weak password on a web-accessible control panel allowed the unauthorized access.

ICE Rolls Facial Recognition Tools Out to Officers' Phones

The U.S. Federal Bureau of Investigation (FBI) has revealed that it has observed the notorious cybercrime group Scattered Spider broadening its targeting footprint to strike the airline sector.
To that end, the agency said it's actively working with aviation and industry partners to combat the activity and help victims.
"These actors rely on social engineering techniques, often impersonating

FBI Warns of Scattered Spider's Expanding Attacks on Airlines Using Social Engineering

Cybercriminals use malicious AI models to write malware and phishing scams Cisco Talos warns of rising threats from uncensored and custom AI tools.

New research from Cisco Talos reveals a rise in cybercriminals abusing Large Language Models (LLMs) to enhance their illicit activities. These powerful AI tools, known for generating text, solving problems, and writing code, are, reportedly, being manipulated to launch more sophisticated and widespread attacks.

For your information, LLMs are designed with built-in safety features, including alignment (training to minimize bias) and guardrails (real-time mechanisms to prevent harmful outputs). For instance, a legitimate LLM like ChatGPT would refuse to generate a phishing email. However, cybercriminals are actively seeking ways around these protections.

Talos’s investigation, shared with Hackread.com highlights three primary methods used by adversaries:

**Uncensored LLMs**: These models, lacking safety constraints, readily produce sensitive or harmful content. Examples include OnionGPT and WhiteRabbitNeo, which can generate offensive security tools or phishing emails. Frameworks like Ollama allow users to run uncensored models, such as Llama 2 Uncensored, on their own machines.

**Custom-Built Criminal LLMs**: Some enterprising cybercriminals are developing their own LLMs specifically designed for malicious purposes. Names like GhostGPT, WormGPT, DarkGPT, DarkestGPT, and FraudGPT are advertised on the dark web, boasting features like creating malware, phishing pages, and hacking tools.

**Jailbreaking Legitimate LLMs**: This involves tricking existing LLMs into ignoring their safety protocols through clever prompt injection techniques. Methods observed include using encoded language (like Base64), appending random text (adversarial suffixes), role-playing scenarios (e.g., DAN or Grandma jailbreak), and even exploiting the model’s self-awareness (meta prompting).

The dark web has become a marketplace for these malicious LLMs. FraudGPT, for example, advertised features ranging from writing malicious code and creating undetectable malware to finding vulnerable websites and generating phishing content.

However, the market isn’t without its risks for criminals themselves; Talos researchers found that the alleged developer of FraudGPT, CanadianKingpin12, was scamming potential buyers out of cryptocurrency by promising a non-existent product.

Image via Cisco Talos

Beyond direct illicit content generation, cybercriminals are leveraging LLMs for tasks similar to legitimate users, but with a malicious twist. In December 2024, Anthropic, developers of Claude LLM, noted programming, content creation, and research as top uses for their model. Similarly, criminal LLMs are used for:

*   Programming: Crafting ransomware, remote access Trojans, wipers, and code obfuscation.

*   Content Creation: Generating convincing phishing emails, landing pages, and configuration files.

*   Research: Verifying stolen credit card numbers, scanning for vulnerabilities, and even brainstorming new criminal schemes.

LLMs are also becoming targets themselves. Attackers are distributing backdoored models on platforms like Hugging Face, embedding malicious code that runs when downloaded. Furthermore, LLMs that use external data sources (Retrieval Augmented Generation or RAG) can be vulnerable to data poisoning, where attackers manipulate the data to influence the LLM’s responses.

Cisco Talos anticipates that as AI technology continues to advance, cybercriminals will increasingly adopt LLMs to streamline their operations, effectively acting as a “force multiplier” for existing attack methods rather than creating entirely new “cyber weapons.”

Malicious AI Models Are Behind a New Wave of Cybercrime, Cisco Talos

The threat actor behind the GIFTEDCROOK malware has made significant updates to turn the malicious program from a basic browser data stealer to a potent intelligence-gathering tool.
"Recent campaigns in June 2025 demonstrate GIFTEDCROOK's enhanced ability to exfiltrate a broad range of sensitive documents from the devices of targeted individuals, including potentially proprietary files and

Latest News