Executive Summary
The week of April 24 – May 1, 2026 was defined by two major breach disclosures affecting critical infrastructure suppliers, a continued drumbeat of Iranian-affiliated PLC exploitation, and a concentrated batch of ABB product advisories from CISA.
On April 27, Itron — a supplier of internet-connected smart meters to over 110 million utility endpoints — confirmed that unauthorized actors accessed internal IT systems on April 13. The same day, Medtronic disclosed a breach first claimed by the ShinyHunters group on April 18, with approximately nine million records alleged stolen. Neither incident disrupted product operations or patient safety, but both underscore the supply-chain and corporate IT risk profile surrounding physical critical infrastructure operators.
CISA’s advisory output for the week was concentrated on April 28 and April 30. The April 28 release covered NSA GRASSMARLIN (ICSA-26-118-01), an end-of-life open-source OT network visualization tool with an XML parsing flaw (CVSS 5.5). April 30 brought six ABB advisories: three covering AWIN industrial gateway vulnerabilities with CVSS scores up to 8.3, one covering an authentication bypass in Ability OPTIMAX via Azure AD SSO, and two covering Symphony Plus Engineering and System 800xA/Symphony Plus IEC 61850 component vulnerabilities.
The CyberAv3ngers campaign documented in AA26-097A — active since at least March 2026 — remained the primary active threat, with NERC, WaterISAC, and energy sector ISACs sustaining elevated monitoring posture throughout the week. The underlying exploit, CVE-2021-22681 (CVSS 9.8), has no vendor patch available, making architectural isolation the only available control.
On April 30, INE published analysis confirming that OT ransomware downtime costs have reached a new elevated baseline, with manufacturing the most heavily targeted sector globally and 78% of OT ransomware incidents originating from initial IT footholds before lateral movement into operational environments.
This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.
Week of April 24 – May 1, 2026
Critical Alerts & Advisories
CISA April 28 Advisory: ICSA-26-118-01 (NSA GRASSMARLIN)
CISA published one advisory on April 28, 2026, covering a vulnerability in NSA GRASSMARLIN (ICSA-26-118-01). GRASSMARLIN is an open-source passive network mapping and visualization tool developed by the NSA for ICS and SCADA network discovery; the project reached end-of-life in 2017 and is no longer supported.
The disclosed vulnerability affects GRASSMARLIN v3.2.1. Crafted session data can trigger improper handling of XML input, exposing sensitive information through insufficient hardening of the XML parsing process. The assigned CVSS v3.1 base score is 5.5, with high confidentiality impact but no integrity or availability impact (Medium severity). Successful exploitation could allow an attacker to disclose sensitive information about the monitored network.
CISA’s decision to publish an advisory for an end-of-life tool reflects the reality that GRASSMARLIN remains deployed in some OT environments where it was installed during the 2015-2017 active development period. Organizations still running GRASSMARLIN should treat this advisory as a prompt to migrate to a supported passive discovery solution and remove the tool from production network monitoring positions. No vendor patch is available or expected.
CISA April 30 Advisories: ABB Products (ICSA-26-120 Series)
CISA released six ICS advisories on April 30, 2026, all covering ABB products across industrial control, power management, and building automation environments.
ICSA-26-120-05: ABB AWIN Gateways discloses three vulnerabilities in ABB AWIN GW100 rev.2 and GW120 firmware. These industrial gateways bridge legacy serial field devices to IP networks in energy and building automation environments.
CVE-2025-13777 and CVE-2025-13779 (CVSS 8.3) allow an unauthenticated attacker on an adjacent network to query the device and receive a response disclosing system configuration, including sensitive details such as credentials or network topology information. CVE-2025-13778 (CVSS 6.5) is a denial-of-service flaw allowing an unauthenticated adjacent-network attacker to remotely reboot the device. None of the three vulnerabilities is exploitable from the general internet — an attacker must be on an adjacent network segment — but in flat OT/IT network architectures this restriction provides limited protection. No known public exploitation has been reported.
ICSA-26-120-04: ABB Ability OPTIMAX discloses an authentication bypass vulnerability in OPTIMAX installations that use the Azure Active Directory Single Sign-On integration. Successful exploitation allows an attacker to bypass user authentication entirely on affected OPTIMAX instances. OPTIMAX is an energy optimization and monitoring platform deployed in industrial facilities to manage energy consumption. The SSO bypass class of vulnerability is particularly consequential in OT environments because energy management platforms frequently have read and write access to building and process control systems through integration layers. ABB has released a patch; installations using Azure AD SSO integration should prioritize remediation.
ICSA-26-120-06: ABB Ability Symphony Plus Engineering covers vulnerabilities inherited from PostgreSQL version 13.11 and earlier, which is bundled with the S+ Engineering software. The affected PostgreSQL versions carry known CVEs in the upstream database component. Symphony Plus Engineering is used for engineering, configuration, and maintenance of Symphony Plus distributed control systems in power generation and water treatment facilities. Customers should update to a version that bundles a remediated PostgreSQL release, as specified in ABB’s advisory.
ICSA-26-120-01: ABB System 800xA and Symphony Plus IEC 61850 was also published on April 30 and covers the IEC 61850 communication component used in power substation automation and protection relay integration. System 800xA is ABB’s flagship DCS platform, widely deployed in power generation, oil and gas, and chemical processing. IEC 61850 components handle protection relay communications in substations, making vulnerabilities in this stack directly relevant to grid reliability. Full CVE details were not yet aggregated by third-party sources at time of compilation; organizations running 800xA with IEC 61850 communication should consult the CISA advisory directly for patch guidance.
Critical Infrastructure Breach Disclosures
Itron: Smart Meter Supplier Confirms Internal Network Access
Itron, a major supplier of smart meter technology for electricity, gas, and water utilities — serving approximately 110 million metered endpoints globally — disclosed a cyberattack via a U.S. Securities and Exchange Commission filing on April 25, 2026. The company discovered the intrusion on April 13.
Unauthorized actors accessed some of Itron’s internal IT systems. Itron activated contingency plans and data backups, expelled the attackers, and confirmed it has observed no subsequent unauthorized activity in corporate systems. Operations have continued in all material respects, and no unauthorized access to customer data has been identified. Itron did not specify the attack type — ransomware deployment, exfiltration, or other — nor confirm whether the attackers made direct contact.
Itron stated that its insurance policy is expected to cover a significant portion of direct costs. The company’s smart meter systems manage the metering infrastructure underpinning utility billing, demand response, and load management for hundreds of utilities. While Itron confirmed no customer operational data was accessed, the incident illustrates the attractive target profile of companies that provide centralized management software across large distributed infrastructure deployments. A future intrusion that penetrated from corporate IT into metering platform infrastructure could potentially affect utility billing systems, outage detection, or advanced metering infrastructure command channels.
Medtronic: ShinyHunters Claims 9 Million Records Stolen
Medtronic, a global medical device manufacturer with a market capitalization of approximately $107 billion, disclosed a cybersecurity breach on April 24, 2026. The ShinyHunters data theft and extortion group had claimed responsibility on April 18 and alleged that approximately nine million records, including personally identifiable information and internal corporate data, were exfiltrated. ShinyHunters set a ransom payment deadline of April 21.
Medtronic confirmed that an unauthorized party accessed data in certain corporate IT systems and stated that the breach did not affect products, patient safety, customer connections, manufacturing and distribution operations, financial reporting systems, or the company’s ability to meet patient needs. Medtronic is continuing to investigate the scope and has not yet confirmed whether sensitive patient or employee information was included in the compromised data. Medtronic’s listing on ShinyHunters’ public leak site was no longer visible at time of compilation, suggesting possible ransom negotiations or payment.
The incident was covered alongside the Itron disclosure in reporting by The Register on April 27 under the framing of simultaneous critical infrastructure and medical technology company breaches. MITRE’s April 28 cybersecurity risk analysis, published the same week, warned that cloud-dependent medical devices could face patient care disruption if cloud infrastructure is attacked — a separate but contextually related concern given the Medtronic disclosure. ORDR’s 2026 Medical Device Breach Statistics report, released this week, noted that 24% of healthcare facilities have now experienced a cyberattack on a medical device, up from 22% in 2025, and that 80% of those attacked reported moderate or significant patient care impact.
Ongoing Campaigns
Iranian CyberAv3ngers PLC Campaign: Week Five of Elevated Posture
The joint advisory AA26-097A (FBI, CISA, NSA, EPA, DOE, U.S. Cyber Command) documenting Iranian-affiliated exploitation of internet-exposed Rockwell Automation PLCs continued to drive elevated monitoring and response activity in water, energy, and government facilities throughout the week.
The campaign, active since at least March 2026, targets internet-facing Rockwell/Allen-Bradley Logix controllers using CVE-2021-22681 — a critical authentication bypass in Studio 5000 Logix Designer with a CVSS score of 9.8. This flaw allows a non-Rockwell application to authenticate to Logix controllers by recovering a cryptographic key from the software. CyberAv3ngers uses Rockwell’s own engineering software to connect directly to exposed PLCs, exfiltrate and modify project files, and manipulate SCADA HMI displays to show falsified process readings while altered control logic executes undetected.
Documented impact includes operational disruption and financial loss across Government Services and Facilities, Water and Wastewater Systems, and Energy sector organizations. Censys data showing 5,219 globally exposed EtherNet/IP devices identifying as Rockwell/Allen-Bradley hardware — with 74.6% in the United States — continued to circulate as the baseline exposure figure. CVE-2021-22681 has no vendor patch; removal of PLCs from internet-routable network segments is the only effective control.
NERC’s Watch Operations team sustained an active member alert to Electricity ISAC members, and WaterISAC continued issuing daily bulletin digests amplifying the advisory throughout the week.
Automotive CPS Security
CarlinKit and 70mai Zero-Day Disclosures
VicOne researchers disclosed five zero-day vulnerabilities in two widely deployed automotive aftermarket peripherals this week: the CarlinKit CPC200-CCPA wireless CarPlay and Android Auto adapter, and the 70mai A510 smart dashcam. An estimated 85,000 of these devices, across both products combined, are currently internet-exposed.
The vulnerabilities allow attackers to bypass authentication, execute arbitrary code, and establish persistent control over the affected devices. Because both products are network-connected and integrated into vehicle infotainment and telematics ecosystems, a compromised device can serve as a persistent foothold for surveillance, data exfiltration, or — in vehicle architectures where the infotainment bus has connectivity to CAN bus segments — a potential lateral movement vector toward vehicle control systems. VicOne coordinated disclosure with the vendors; patch availability timelines were not confirmed at time of compilation.
The Automotive ISAC’s April 2026 community call, held this week, addressed what participants described as the AI awakening of automotive cybersecurity — the convergence of AI-assisted attack tooling with the growing software-defined vehicle fleet. The 2026 Upstream Global Automotive Cybersecurity Report, referenced during the call, noted that 61% of incidents in the current period carry potential impact on thousands to millions of mobility assets, and that ransom-related incidents account for 44% of all reported automotive cybersecurity incidents — double the share recorded in 2024.
Medical Device CPS Security
RunSafe 2026 Medical Device Cybersecurity Index
RunSafe Security released the 2026 Medical Device Cybersecurity Index on April 29, 2026, providing a comprehensive view of the threat landscape for connected medical devices. Key findings include that cyberattacks on medical devices are more frequent than in 2025, and that patient care impact when incidents occur has worsened. 56% of organizations have now rejected a medical device due to cybersecurity concerns, up from 46% in 2025.
57% of organizations deploy AI-enabled or AI-assisted medical devices, with 80% expressing at least moderate concern about the cybersecurity risks these devices introduce. The report coincided with MITRE’s April 28 analysis warning that cloud-dependent medical devices face a systemic failure mode: when cloud infrastructure is attacked or fails, devices may stop functioning or produce incorrect outputs, and a single cloud incident can simultaneously affect dozens or hundreds of healthcare facilities.
The FDA’s strengthened cybersecurity guidance — issued in March 2026 and requiring Security Risk Management Reports, SBOMs, and Coordinated Vulnerability Disclosure programs in premarket submissions — continued to reshape procurement and product development conversations throughout the week.
Energy & Power Grid
NERC Grid Monitoring and Iranian Threat Elevated Posture
NERC continued active monitoring of the grid in response to the Iranian-affiliated PLC threat, sustaining the member alert to Electricity ISAC participants issued the previous week. The advisory’s call to remove EtherNet/IP PLCs from internet-routable network segments applies directly to substations, natural gas compressor stations, and distributed energy resource sites where Rockwell/Allen-Bradley hardware is present.
A Security MEA industry analysis published April 29 confirmed that digitalization — the proliferation of renewable energy management platforms, smart grid endpoints, and cloud-connected SCADA interfaces — has materially expanded the energy sector’s attack surface. The article cited Kaspersky and VDC joint research showing that over half of energy organizations have already experienced cyber incidents exceeding one million dollars in direct cost.
The U.S. Department of Energy’s FY2027 budget request, publicized this week, framed cybersecurity as a core pillar of national energy security, allocating $160 million to the Office of Cybersecurity, Energy Security, and Emergency Response.
The ABB Ability OPTIMAX (ICSA-26-120-04) and System 800xA/IEC 61850 (ICSA-26-120-01) advisories released April 30 are directly relevant to energy sector OT environments: OPTIMAX manages energy consumption in industrial facilities, and System 800xA with IEC 61850 is the backbone of substation protection relay communication for many utilities.
Manufacturing & Industrial
Stryker: Handala April Claims and Ongoing Recovery
The Iran-linked Handala group claimed this week to have factory-reset over 200,000 Stryker corporate devices across 79 countries via the March 11, 2026 attack on Stryker’s Microsoft Intune mobile device management console. Stryker confirmed in April communications to customers that operations are fully restored, with no material impact expected on full-year 2026 guidance. The attack used no propagating malware — Handala weaponized Stryker’s own Intune infrastructure to issue remote wipe commands to enrolled devices, halting manufacturing and shipping for several days.
Stryker’s network segmentation successfully prevented the attack from reaching medical devices including the Mako robotic surgical system, Lifepak defibrillators, and Vocera communications platforms. The Stryker incident is being analyzed across the OT security community as a case study in how IT device management infrastructure — specifically MDM platforms — can serve as a force-multiplier attack vector that bypasses traditional endpoint security while achieving manufacturing disruption without ever touching OT protocol layers.
An INE report published April 30 confirmed that ransomware downtime costs in industrial environments have reached a new elevated baseline, with manufacturing the most heavily targeted sector globally. 78% of OT ransomware incidents originate in IT systems before lateral movement into OT, and per Resilience’s April 2026 report, manufacturing leads all sectors in global cyberattack targets with ransomware dominating direct losses.
The Siemens SINEC NMS authentication bypass (CVE-2026-24032, CVSS 8.8) and RUGGEDCOM CROSSBOW advisories from the previous week remained relevant throughout the current week as patching timelines stretched across the April 24-30 period for organizations on standard monthly maintenance cycles.
Water & Wastewater Sector
The CyberAv3ngers PLC campaign remained the primary water sector threat throughout the week, with the joint advisory AA26-097A continuing to drive incident response and network architecture reviews at water utilities nationwide. The EPA — a co-signatory of the advisory — continued outreach to state drinking water primacy agencies to amplify the call for PLC removal from internet-routable segments.
WaterISAC’s daily briefings throughout the week highlighted that the same Rockwell/Allen-Bradley hardware targeted by CyberAv3ngers is present at water treatment, distribution, and wastewater treatment facilities across the United States. The lack of a vendor patch for CVE-2021-22681 means that utilities cannot resolve this exposure through standard patch workflows and must instead implement architectural controls: removing PLCs from internet-routable network segments, deploying data diodes or unidirectional security gateways for external monitoring, and implementing continuous monitoring of EtherNet/IP traffic for anomalous engineering software connections.
Threat Intelligence Highlights
Palo Alto Networks Unit 42 published an updated Threat Brief on Escalating Cyber Risk Related to Iran on April 17, covering the broader Iranian threat actor ecosystem active in April 2026. The brief documented that CyberAv3ngers — also tracked as Shahid Kaveh Group, Storm-0784, and UNC5691 — is one of multiple groups operating under the Electronic Operations Room, a coordinating structure formed in late February 2026 that brings multiple Iranian state-aligned groups under a shared command framework. The Electronic Operations Room coordinates Handala (responsible for the Stryker MDM wipe and claims of attacks on manufacturing), CyberAv3ngers (PLC attacks on water, energy, and government infrastructure), and at least one additional group focused on enterprise IT intrusions.
Unit 42 assessed that Iranian-affiliated APT targeting campaigns against U.S. organizations have recently escalated, likely in response to ongoing hostilities between Iran and the United States and Israel. The multi-group coordination structure means that defenders should treat Handala-style IT disruption campaigns and CyberAv3ngers-style OT intrusion campaigns as potentially related operations rather than independent incidents.
The Viakoo Daily OT Security News briefing for April 30 summarized the week’s advisory activity and noted that April 2026 represents one of the highest-volume months for OT advisory releases in 2026, with the ABB batch, ongoing Iranian campaign activity, and the Itron and Medtronic corporate breach disclosures creating a dense set of concurrent defensive obligations for critical infrastructure security teams.
Defensive Recommendations
Organizations running ABB AWIN GW100 or GW120 gateways should apply the vendor-issued firmware update addressing CVE-2025-13777, CVE-2025-13778, and CVE-2025-13779. Until patching is complete, verify that gateway management interfaces are not reachable from untrusted network segments. The adjacent-network requirement for exploitation means that proper network segmentation — isolating the serial-device network segment from general office or IT traffic — is an effective interim control.
Organizations deploying ABB Ability OPTIMAX with Azure AD SSO should apply the ABB patch immediately. Energy management platforms with write access to building or process control systems are high-value targets; an authentication bypass at this layer can enable an attacker to manipulate load schedules, demand response signals, or connected building management systems.
ABB System 800xA operators using IEC 61850 communication components should review ICSA-26-120-01 and apply the recommended update. System 800xA is widely deployed in power generation and substation automation; IEC 61850 vulnerabilities in this context carry direct grid reliability implications.
Utility and infrastructure companies that use Itron metering platforms should verify whether the April 13 corporate IT breach resulted in any indicators of compromise in Itron’s customer-facing support or metering management platforms, even if Itron has stated no customer data was accessed. Security teams should review authentication logs for Itron’s managed services portals and confirm that supply chain trust relationships with Itron’s software delivery infrastructure remain intact.
Healthcare organizations and medical device manufacturers should treat the Medtronic ShinyHunters breach as a prompt to audit the segmentation between their own corporate IT and product networks. The Medtronic incident is notable for what did not happen — product operations and patient safety were unaffected — because Medtronic’s corporate IT and product/manufacturing infrastructure are sufficiently separated. Organizations that have not achieved this separation should prioritize it.
For the CyberAv3ngers PLC campaign, the fundamental mitigation remains unchanged: Rockwell/Allen-Bradley Logix PLCs must not be directly internet-reachable. Any EtherNet/IP device accessible from outside the plant network should be treated as potentially compromised. Organizations should review PLC project files for unauthorized modifications, cross-validate HMI displays against independent sensor readings, and implement continuous monitoring for anomalous engineering software connections (unexpected Studio 5000 sessions) on the OT network.
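One way to implement the last of those monitoring controls (also called for in the water sector section above), as an added illustration that is not part of the advisory or any vendor's tooling: a small Python scanner over constructed flow records that flags EtherNet/IP sessions to Logix controllers from internet-routable sources, or from plant hosts outside an assumed engineering-workstation allowlist. The subnets, host addresses and flow records are constructed sample data.

```python
"""Flag anomalous EtherNet/IP (CIP) sessions to Logix PLCs in flow records.

Added illustration for the AA26-097A mitigation; not CISA's, Rockwell's or
any vendor's code. Subnets, hosts and flows below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# EtherNet/IP explicit messaging (TCP 44818) and implicit I/O (UDP 2222).
ENIP_PORTS = {("tcp", 44818), ("udp", 2222)}

# Assumed site layout (constructed): the plant address space, the Logix
# controllers, and the only workstations sanctioned to run Studio 5000.
PLANT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]
PLC_HOSTS = {"10.10.20.11", "10.10.20.12"}
ENGINEERING_WORKSTATIONS = {"10.10.30.5"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    flow: Flow


def _in_plant(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PLANT_SUBNETS)


def classify(flow: Flow) -> Optional[Finding]:
    """Return a Finding for an EtherNet/IP flow to a PLC that breaks policy."""
    if (flow.proto, flow.dport) not in ENIP_PORTS or flow.dst not in PLC_HOSTS:
        return None  # not controller traffic, out of scope for this check
    if not _in_plant(flow.src):
        # The advisory's core concern: a controller reachable from an
        # internet-routable source. Treat that PLC as potentially compromised.
        return Finding("critical", "PLC reached from outside plant network", flow)
    # Controller-to-controller produced/consumed I/O is expected; engineering
    # workstations are expected. Anything else is an unexpected CIP session.
    if flow.src not in ENGINEERING_WORKSTATIONS and flow.src not in PLC_HOSTS:
        return Finding("high", "EtherNet/IP session from unapproved host", flow)
    return None


def scan(flows: Iterable[Flow]) -> List[Finding]:
    """Run classify() over a flow export and keep only the policy hits."""
    return [f for f in (classify(fl) for fl in flows) if f is not None]


# Constructed sample flow export.
SAMPLE_FLOWS = [
    Flow("10.10.30.5", "10.10.20.11", "tcp", 44818),     # sanctioned engineering session
    Flow("10.10.40.77", "10.10.20.11", "tcp", 44818),    # office host opening CIP to a PLC
    Flow("198.51.100.23", "10.10.20.12", "tcp", 44818),  # internet-routable source
    Flow("10.10.40.77", "10.10.20.11", "tcp", 443),      # not EtherNet/IP, ignored
    Flow("10.10.20.12", "10.10.20.11", "udp", 2222),     # PLC-to-PLC implicit I/O
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(f"[{finding.severity}] {finding.reason}: "
              f"{finding.flow.src} -> {finding.flow.dst}:{finding.flow.dport}")
```

In practice the allowlist would be fed from the asset inventory and the flows from a SPAN/TAP collector or firewall export; the critical finding is the one that should trigger the project-file review and HMI cross-validation described above.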
Organizations operating Microsoft Intune or other MDM platforms in manufacturing environments should review the Stryker incident as a case study in MDM as an attack vector. Administrative access to MDM consoles should require phishing-resistant multi-factor authentication, privileged access workstations, and just-in-time elevation. The ability to issue remote wipe commands to large device fleets should be gated behind an approval workflow with human review rather than being directly executable with a single compromised administrator credential.
Sources Referenced
Government Advisories & Alerts
- ICSA-26-118-01: NSA GRASSMARLIN (CISA)
- ICSA-26-120-01: ABB System 800xA, Symphony Plus IEC 61850 (CISA)
- ICSA-26-120-04: ABB Ability OPTIMAX (CISA)
- AA26-097A: Iranian-Affiliated Cyber Actors Exploit PLCs Across U.S. Critical Infrastructure (CISA)
- Iranian-Affiliated Cyber Actors Exploit PLCs – Joint Advisory PDF (IC3)
- (TLP:CLEAR) CISA ICS Advisories, Additional Alerts, Updates, and Bulletins – April 23, 2026 (WaterISAC)
Breach Disclosures
- Critical Infrastructure Giant Itron Says It Was Hacked (TechCrunch)
- Utility Giant Itron Confirms Cyberattack, Says Internal Systems Were Accessed (TechRadar)
- Major Critical Infrastructure Supplier Reports Cyberattack (Cybersecurity Dive)
- Medtronic Confirms Breach After Hackers Claim 9 Million Records Theft (BleepingComputer)
- Medtronic Says ShinyHunters Hackers Stole Around 9 Million Medical Records (TechRadar)
- Medical and Utility Tech Companies Admit Digital Break-ins (The Register)
- 29th April 2026 Cyber Update: Medtronic Breach Shows Why “No Operational Impact” Still Leaves Healthcare Exposed (Cyber News Centre)
CyberAv3ngers / Iranian PLC Campaign
- Iran-Linked Hackers Target Water, Energy in US, FBI and CISA Warn (Cybersecurity Dive)
- Iran-Linked Hackers Disrupt US Critical Infrastructure via PLC Attacks (SecurityWeek)
- Iranian Cyber Threats Escalate: New Campaigns Targeting Water, Energy, and Enterprise Infrastructure (Forsyte IT)
- Threat Brief: Escalation of Cyber Risk Related to Iran – Updated April 17 (Palo Alto Unit 42)
- NERC Is Actively Monitoring the Grid Following Iran-Linked Cyber Threat (Utility Dive)