InfoSec Briefing - May 29, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Friday the 29th of May 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 3 articles to cover. All attribution is by the article authors. All article analysis is automated.

Following on from the Salt Typhoon coverage earlier this week, an analysis piece from open.substack.com examines the attribution challenges around the group. The campaign targeted at least nine U.S. telcos including AT&T and Verizon, breaching government-mandated wiretapping systems and accessing metadata for over a million users. Particularly notable is the compromise of the CALEA infrastructure itself — the very systems meant for lawful intercept were turned into espionage channels.

Segev-Magen Technologies document Iranian state cyber operations targeting Israeli industrial infrastructure during the ceasefire period that began in April 2026. The campaign's been hitting both operational technology and traditional IT environments at industrial sites, causing physical damage including failed refrigeration systems and spoiled goods at food production facilities. It's a good illustration of how cyber sabotage continues when kinetic operations pause.

And finally, the National Cyber Security Centre have published guidance on designing Zero Trust Network Access implementations. The core issue they're addressing is organisations deploying ZTNA tools but keeping the old network-based trust models underneath, which rather defeats the point. The guidance includes reference architectures for private applications and SaaS — one for infrastructure teams considering ZTNA deployments.

That concludes today's briefing.

📰 Articles Covered

Who is Salt Typhoon Really? Unraveling the Attribution Challenge - open.substack.com

Salt Typhoon is a sophisticated, China-linked advanced persistent threat (APT) group—believed to be operated by the Ministry of State Security (MSS)—responsible for one of the most significant cyber espionage campaigns targeting U.S. critical infrastructure 【4】【7】【6】.

### What Happened
Beginning in 2024, Salt Typhoon conducted a massive, long-term cyber espionage operation by infiltrating at least nine major U.S. telecommunications providers, including AT&T, Verizon, and T-Mobile 【1】. The attackers breached government-mandated wiretapping systems (CALEA), allowing them to access sensitive communication metadata and, in some instances, record phone calls of high-profile targets, including political campaign staffers 【1】.

### Who Is Affected
* **Telecommunications Providers:** At least nine major U.S. carriers were compromised 【1】.
* **Individuals:** Metadata from over a million users was accessed 【1】.
* **High-Profile Targets:** The campaign specifically targeted individuals of interest, including political campaign personnel 【1】.
* **Global Reach:** The group has infiltrated over 200 targets across more than 80 countries 【6】.

### Security Implications
The breach is considered one of the worst in U.S. history due to the compromise of critical infrastructure and the exploitation of systems designed for legal surveillance 【1】. It highlights a severe risk to national security, as the attackers gained the ability to monitor communications of U.S. citizens and officials, effectively turning domestic infrastructure against its users 【2】.

### Technical Details
* **Initial Access:** The group exploited technical vulnerabilities in cybersecurity products, such as firewalls, to gain initial entry into target networks 【2】.
* **Persistence:** Once inside, they utilized conventional tools to expand their reach, gather information, and deploy malware 【2】.
* **Network Manipulation:** The actors frequently modified routers to maintain long-term, persistent access to compromised networks 【3】.
* **Targeting Infrastructure:** A key technical achievement was the successful exploitation of CALEA (Communications Assistance for Law Enforcement Act) systems, which are intended for lawful interception but became a vector for espionage 【1】.

### What Defenders Should Know
* **Focus on Basic Hygiene:** Experts emphasize that many critical infrastructure operators lack fundamental cybersecurity practices that would make such attacks significantly more difficult and costly for adversaries 【5】.
* **Monitor Network Hardware:** Because the group modifies routers for persistence, defenders must prioritize the integrity of network hardware and firmware 【3】.
* **Assume Compromise:** Given the group's ability to stay hidden for extended periods, organizations should adopt a "zero trust" mindset, focusing on continuous monitoring and rapid detection of lateral movement within their networks 【2】.
The War Between Wars: How an IRGC Cyber Front Runs Destructive OT and IT Attacks Under Cover of a Ceasefire - Segev-Magen Technologies Ltd. and Segev-Magen Technologies Inc.

The article "The War Between Wars: How an IRGC Cyber Front Runs Destructive OT and IT Attacks Under Cover of a Ceasefire," published by Profero on May 24, 2026, details a persistent campaign of sabotage conducted by Iranian state-directed actors against Israeli industrial infrastructure 【1】.

### **What Happened**
Despite a ceasefire in the kinetic conflict between Israel and Iran that began in April 2026, Iranian-affiliated cyber actors have continued to operate in the "quiet stretches" of the conflict 【1】. These actors have executed a series of destructive operations targeting Israeli industry, specifically focusing on both Operational Technology (OT) and Information Technology (IT) environments 【2】.

### **Who Is Affected**
The primary targets identified in the report are Israeli industrial facilities, including food-production plants 【1】. The attacks have directly impacted physical operations, such as industrial refrigeration systems, leading to the spoilage of goods 【2】.

### **Security Implications**
The campaign highlights a critical strategic reality: a ceasefire on the battlefield does not equate to a ceasefire in cyberspace 【1】. These operations are "deniable by design" and "destructive by intent," allowing the actors to maintain pressure on adversaries while avoiding the threshold of full-scale kinetic war 【1】.

### **Technical Details**
* **Tactics:** The actors engage in pre-positioning and intelligence collection within target networks.
* **Destructive Actions:** The campaign involves disk-wiping activities on IT systems and the manipulation of OT devices, such as programmable logic controllers (PLCs) used in industrial refrigeration 【2】.
* **Tools:** The actors have been observed using various backdoors, including those associated with the "MuddyWater" group, to maintain persistence.

### **What Defenders Should Know**
* **Early Detection:** The report emphasizes that the first signs of these operations are often not traditional security alerts but rather physical anomalies on the plant floor (e.g., temperature changes in refrigeration) 【1】.
* **Proactive Hunting:** Defenders are advised to look for the actor before it reaches the plant floor by monitoring for suspicious lateral movement and unauthorized access to OT-related management interfaces 【2】.
* **Convergence:** There is a growing convergence between hacktivist personas and state-sponsored destructive capabilities, making it harder to attribute attacks and predict intent.
Designing secure access with ZTNA - National Cyber Security Centre (NCSC)

The NCSC guidance on designing secure Zero Trust Network Access (ZTNA) addresses the common issue where organizations adopt modern ZTNA tools but inadvertently maintain legacy "walled garden" security models 【1】.

### What Happened
While ZTNA is widely adopted to modernize application access, many implementations fail to achieve true zero trust because they continue to rely on outdated trust assumptions 【1】. The NCSC has released new guidance to help architects and security practitioners move beyond these legacy models and align their ZTNA architectures with fundamental zero trust principles 【1】.

### Who Is Affected
This guidance is primarily intended for:
* **Security architects** and **technical decision-makers** responsible for designing or evolving access architectures 【1】.
* Organizations currently using or planning to deploy ZTNA solutions that may be struggling with legacy network-based trust models 【1】.

### Security Implications
The core security risk identified is that many ZTNA deployments still treat **network location** as a primary signal of trust 【1】. By relying on broad, network-based access rather than granular, context-driven decisions, organizations leave themselves vulnerable to the same risks as traditional perimeter-based security, effectively undermining the benefits of a zero trust approach 【1】.

### Technical Details
The NCSC guidance provides a framework for network access within a broader zero trust architecture, covering:
* **Foundations:** The necessary organizational and technical prerequisites required before initiating a ZTNA deployment 【1】.
* **Design Requirements:** Essential criteria that ZTNA architectures must meet to ensure they are not just "new tools" on "old foundations" 【1】.
* **Reference Architecture:** A simplified model demonstrating how ZTNA should be implemented to access both private applications and Software as a Service (SaaS) platforms 【1】.

### What Defenders Should Know
Defenders should be aware that ZTNA failures are rarely due to missing technology features, but rather the persistence of legacy trust assumptions 【1】. Key takeaways for defenders include:
* **Avoid Anti-patterns:** The guidance explicitly highlights common design anti-patterns that can sabotage ZTNA efforts 【1】.
* **Shift from Network to Context:** Security decisions must move away from network location and toward granular, context-aware verification 【1】.
* **Prioritize Design over Tools:** Successful ZTNA is an architectural shift, not just a product deployment; the underlying design must be fundamentally re-evaluated to remove legacy trust dependencies 【1】.