InfoSec Briefing - May 20, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Wednesday the 20th of May 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 3 articles to cover. All attribution is by the article authors. All article analysis is automated.

Iranian-linked hackers have breached automatic tank gauge systems at US gas stations across multiple states, according to CNN reporting. The attackers exploited internet-facing devices lacking password protection and manipulated fuel level displays, which could potentially mask gas leaks — though no physical damage has been reported. One for anyone responsible for critical infrastructure security, particularly in the oil and gas sector.

Poland's National CSIRT has issued a warning about active phishing campaigns targeting Signal messenger users in government and prominent public positions. Attackers are impersonating Signal technical support, claiming accounts have been blocked and sending malicious links for credential theft. The Polish government is recommending a shift to national secure communication platforms for official use — which tells you something about the scale of the targeting they're seeing.

SentinelOne have written up SHub Reaper, a macOS infostealer that spoofs Apple, Google, and Microsoft brands in a single attack chain. The malware uses typo-squatted domains and fake installers for legitimate applications like WeChat and Miro, then establishes persistence through fake Google Software Update paths. Worth flagging if you're managing macOS devices — this one's covering quite a bit of ground in terms of trusted brand impersonation.

That concludes today's briefing.

📰 Articles Covered

Exclusive: Hackers have breached tank readers at US gas stations; officials suspect Iran is responsible | CNN Politics - CNN

This report summarizes the recent cyber intrusions targeting fuel infrastructure in the United States.

### **What Happened**
US officials suspect that **Iranian-linked hackers** have successfully breached **automatic tank gauge (ATG)** systems at gas stations across multiple states 【1】. These systems are used to monitor fuel levels in storage tanks. The attackers exploited devices that were connected to the internet and lacked password protection, allowing them to manipulate the display readings of the tanks, though they did not alter the actual physical fuel levels 【1】.

### **Who Is Affected**
The campaign has impacted **gas station operators** in various US states who utilize internet-facing ATG systems 【1】. This incident serves as a broader warning to operators of **US critical infrastructure** who have struggled to secure their systems against known vulnerabilities 【1】.

### **Security Implications**
While there have been no reports of physical damage or harm, the breaches present significant safety risks:
- **Detection Failure:** By manipulating the data reported by ATGs, hackers could potentially mask a **gas leak**, preventing operators from identifying and addressing hazardous conditions 【1】.
- **Targeting Critical Infrastructure:** This activity aligns with a long-standing pattern of Iranian groups seeking "low-hanging fruit" within US computer systems that interact with oil, gas, and water sectors 【1】.

### **Technical Details**
- **Vulnerability:** The primary vector for these intrusions is the exposure of **ATG systems to the public internet** without basic security measures like password authentication 【1】.
- **Historical Context:** Security researchers have warned about the risks of internet-facing ATGs for over a decade. As early as 2015, security firms demonstrated that pro-Iran groups were actively scanning for and targeting these specific systems 【1】.
- **Intent:** Documents linked to the **Islamic Revolutionary Guard Corps** from 2021 identified ATGs as a specific target for disruptive cyberattacks, confirming that these systems are a deliberate focus for such actors 【1】.

### **What Defenders Should Know**
- **Remove Internet Exposure:** The most critical defense is to ensure that ATG systems and other industrial control devices are not directly accessible via the public internet 【1】.
- **Implement Authentication:** All critical infrastructure devices must be protected by strong, unique passwords to prevent unauthorized access 【1】.
- **Prioritize Hygiene:** Operators must move beyond federal exhortations and actively audit their networks to identify and secure legacy or "low-hanging" systems that remain exposed 【1】.
Rekomendacja Pełnomocnika Rządu ds. Cyberbezpieczeństwa dotycząca komunikatora Signal - Recommendation of the Government Plenipotentiary for Cybersecurity regarding the Signal messenger - Kancelaria Prezesa Rady Ministrów

The Polish Government Plenipotentiary for Cybersecurity has issued a formal recommendation regarding the use of the **Signal** messenger due to identified security risks posed by state-sponsored threat actors 【1】.

### What Happened
National CSIRT teams have identified active phishing campaigns targeting users of the Signal application 【1】. These campaigns are orchestrated by **Advanced Persistent Threat (APT)** groups linked to hostile foreign intelligence services, aiming to compromise user accounts and intercept sensitive communications 【1】【1】.

### Who Is Affected
The primary targets of these attacks are individuals holding **prominent public positions** and **employees of state institutions** 【1】.

### Security Implications
The successful compromise of these accounts poses a direct threat to national security and the confidentiality of sensitive information 【1】. By gaining control over a user's communication, attackers can monitor ongoing discussions and potentially exfiltrate classified or restricted data.

### Technical Details
The attackers employ **social engineering techniques** to deceive victims 【1】:
- **Impersonation:** The attackers pose as Signal technical support staff 【1】.
- **Phishing:** Victims receive messages claiming their account has been blocked, which includes malicious links designed to facilitate account takeover 【1】.

### What Defenders Should Know
To mitigate these risks, the Ministry of Digital Affairs recommends the following:
- **Adopt Secure Alternatives:** For official government communication, users are advised to transition to dedicated, secure national solutions:
- **mSzyfr:** A secure tool for encrypted official communication managed by NASK-PIB 【1】.
- **SKR-Z:** A system specifically designed for classified communication (up to the "Zastrzeżone" / "Restricted" level) 【1】.
- **Vigilance:** Users should exercise extreme caution regarding unsolicited messages, even those appearing to come from official support channels, and avoid clicking suspicious links 【1】.
- **Follow Guidelines:** Organizations should implement the specific security recommendations provided by the DKWOC (Department of Cybersecurity) to harden their communication environments 【1】.
SHub Reaper | macOS Stealer Spoofs Apple, Google, and Microsoft in a Single Attack Chain - SentinelOne

The **SHub Reaper** malware represents a sophisticated evolution of the SHub infostealer family, specifically targeting **macOS** users through a multi-stage attack chain that impersonates major technology brands 【1】.

### What Happened
Threat actors are utilizing a new variant of the SHub stealer, dubbed "**Reaper**," which employs a highly deceptive infection chain. The malware lures victims with fake installers for popular applications like **WeChat** and **Miro**, then shifts its disguise at every stage of the execution process to evade detection and build false trust 【1】.

### Who Is Affected
The primary targets are **macOS users**. The attack relies on social engineering and typo-squatting, making it a threat to any individual or organization that may inadvertently download software from unofficial or spoofed domains 【1】.

### Security Implications
The malware is designed to exfiltrate sensitive data, including documents, by leveraging an **AMOS-style (Atomic macOS Stealer) theft module** that supports chunked uploads 【1】. By masquerading as legitimate updates and services, the malware increases the likelihood of successful execution and persistence on compromised systems.

### Technical Details
The infection chain is notable for its use of multiple vendor identities:
- **Hosting:** The payload is hosted on **typo-squatted Microsoft domains** 【1】.
- **Execution:** The malware runs under the guise of a fake **Apple security update** 【1】.
- **Persistence:** It establishes persistence by creating files within a directory mimicking a **Google Software Update** path 【1】.

### What Defenders Should Know
Security teams should monitor for specific behavioral indicators associated with this threat:
- **Suspicious Scripting:** Watch for unexpected `AppleScript` or `osascript` activity, particularly following the execution of the `Script Editor` 【1】.
- **Network Anomalies:** Investigate suspicious outbound traffic that occurs immediately after script execution 【1】.
- **Persistence Mechanisms:** Monitor for the unauthorized creation of `LaunchAgents` or files located in directories associated with trusted vendors (e.g., Apple or Google) 【1】.