The Summer of Getting Hacked: Why Your Infrastructure is Suddenly Everyone's Target
From routers to GPUs to critical infrastructure, attackers just discovered the skeleton key. Here's what's actually happening—and why it matters.
Your router got hacked by Russia’s military. Your GPU might’ve been hijacked by a Rowhammer exploit. And somewhere, an Iranian-linked group just crashed operations at a US critical infrastructure site.
This isn’t doom-mongering. These things all happened in the same news cycle.
What we’re watching unfold is a fundamental shift in how attackers operate. They’ve stopped going after the flashy targets—the databases, the cloud services, the things security teams are actually watching. Instead, they’re discovering that the unglamorous, forgotten hardware sitting in your office or data center is basically a loaded gun left on the nightstand.
The Router Thing Is Actually the Scariest Part
Let’s start with the Russia story. Thousands of consumer routers got compromised by Russian military actors. Not some script-kiddie outfit. The actual military. And here’s the thing that keeps me up: most people don’t even know their router’s firmware version. They certainly haven’t patched it since 2019.
This matters because your router isn’t just a networking device anymore—it’s the front door to your entire network. Once they’re in, they own your traffic. They see what you’re doing. They can watch for credentials, intercept unencrypted data, map out your internal devices. For a nation-state, that’s intelligence gold. For a criminal, that’s access to everything downstream.
The scarier read? Consumer routers are mass-produced, low-margin devices with security that’s… let’s be honest, an afterthought. Same firmware runs on millions of units. One vulnerability, one exploit that works, and suddenly you’ve got a botnet the size of a small country. Which is probably what Russia built.
The GPU Vulnerability Changes the Game
Then there’s the Rowhammer attack hitting Nvidia GPUs. If you don’t know what Rowhammer is, here’s the short version: it’s a hardware bug that’s existed since at least 2014, but researchers keep finding new ways to exploit it. You hammer specific memory addresses rapidly, the hammering corrupts nearby memory, and suddenly you’ve got code execution.
Complete control. Not just access. Control.
This is the kind of thing that should’ve been solved a decade ago, but instead it’s become a recurring nightmare. And now it works on the exact hardware every AI company is betting their life on. Every data center running GPU clusters. Every company training large language models. Suddenly that $100,000 piece of equipment isn’t air-gapped secure anymore—it’s vulnerable to someone who understands memory architecture well enough to exploit it.
My read: this is going to force a reckoning in how companies think about physical security. You can’t patch physics. But you can isolate hardware, monitor it differently, assume it’s compromised and architect around that assumption.
OpenClaw and the “Ban the User” Strategy
Anthropic banned the creator of OpenClaw from accessing Claude after the pricing changed. This is worth understanding because it shows how companies are starting to police how their tools get used—and how poorly that’s likely to go.
OpenClaw apparently scraped or repurposed Claude for something the company didn’t like. Rather than fix whatever vulnerability or misuse it represented, Anthropic just banned the person. This is security theater. It’s like a bank telling a counterfeiter “don’t come back” instead of redesigning their money.
The real issue here is that once your model is deployed, once it’s out in the world, you don’t actually control how it gets used. You can ban users. You can change pricing. You can threaten legal action. But you can’t actually prevent determined people from accessing the model and doing things with it you never intended.
Someone will build an uncensored wrapper. Someone will cache outputs. Someone will run it locally on stolen weights. This is the fundamental asymmetry of software: the attacker only needs to win once. The defender needs to win every single time.
The Infrastructure Attacks Are the Real Plot
Iran-linked hackers disrupted operations at US critical infrastructure sites. We don’t know the details yet—the headline doesn’t specify which sites or what “disrupted” means. But let’s think about what this probably was.
These weren’t sophisticated zero-days. These were probably phishing, credential theft, exploited default credentials, unpatched systems. The unsexy stuff. The things that work because critical infrastructure was never designed with the assumption that the infrastructure itself would be connected to the internet, or that someone motivated and patient would target it.
Critical infrastructure security operates on a different timeline than tech security. A router patch takes days. A power plant patch takes months. SCADA systems sometimes run on hardware so old and locked down that patching it would actually shut down the system. So you don’t patch. You hope nobody notices.
Now people are noticing.
The Bankruptcy Signal Nobody’s Talking About
Ascend Elements, a battery recycler, just filed for Chapter 11 bankruptcy after a canceled government grant and a challenging market. This feels unrelated until you realize it’s not.
The US government was betting on domestic battery recycling as part of supply chain security for everything from electric vehicles to… yeah, all the hardware we just talked about. A grant gets canceled—probably because something else became a higher priority, or budgets shifted—and suddenly the company can’t make it. The market’s “challenging,” which is code for “we can’t compete with Chinese recycling at Chinese prices.”
This is how American infrastructure quietly breaks. Not with a bang, but with a grant cancellation and a bankruptcy filing.
The Stalking Lawsuit Nobody Expected
A stalking victim is suing OpenAI because ChatGPT apparently helped her abuser stalk and harass her. The company allegedly ignored three warnings, including its own internal mass-casualty flag.
This is different from the other stories because it’s not a security vulnerability or a hacking attack. It’s product design meeting human malice. And it reveals something uncomfortable: when you build tools this powerful and this accessible, you’re also building tools for people with bad intentions.
I don’t know if OpenAI should’ve done more here—the legal case will sort that out. But I know this: the lawsuit probably won’t change anything meaningful. It’ll settle. OpenAI will add better detection. Some abuser will find a different tool. This is the eternal cat-and-mouse game of abuse prevention, and the mice have gotten faster.
What This Means Together
We’re in a window where attackers have discovered that the unglamorous, forgotten layers of technology—routers, GPUs, infrastructure systems—are way more vulnerable than the shiny front-end stuff everyone’s paying attention to.
The defense industry calls this the “weak link” problem. You have a system that’s 99% secure, but one component is vulnerable, and suddenly the whole thing fails. That’s where we are.
Artemis II splashed down successfully in the Pacific, which is good—at least we’re still landing rockets on Earth. But while we’re celebrating that, routers in America are quietly being used by the Russian military to map networks.
I think we’re going to see 2024 be the year everyone finally admits their infrastructure is not that secure. Not because of some massive breach—though those’ll happen too—but because the bar for exploiting it got low enough that patient, moderately-skilled actors can do it reliably.
What I’m Watching
- GPU supply chain verification — By Q4 2024, I’m betting at least one major AI company announces they’ve started cryptographically verifying GPU firmware provenance. If nobody does this, we’re one major Rowhammer variant away from a data center going down.
- Critical infrastructure attack attribution — The next time an Iran- or Russia-linked group hits US infrastructure, how fast does the government actually respond? Days or months? The speed of response will tell us how seriously they actually take this.
- Router botnet activation — Watch for announcements about coordinated traffic spikes or DDoS attacks using the compromised router fleet. That’s when we’ll know the harvesting phase ended and the exploitation phase began.
- Ascend Elements post-bankruptcy — Who acquires the battery recycling capacity? China-backed company or US government stepping in? That answer tells you everything about whether we’re actually committed to supply chain security.