critical infrastructure | Breaking Cybersecurity News | The Hacker News

Threat actors with ties to Iran successfully broke into the personal email account of Kash Patel, the director of the U.S. Federal Bureau of Investigation (FBI), and leaked a cache of photos and other documents to the internet. Handala Hack Team , which carried out the breach, said on its website that Patel "will now find his name among the list of successfully hacked victims." In a statement shared with Reuters, the FBI confirmed Patel's emails had been targeted, and noted necessary steps have been taken to "mitigate ​potential risks associated with this activity." The agency also said the published data was "historical in nature and involves no government information." The leak includes emails from ​2010 and 2019 allegedly sent by Patel. Handala Hack is assessed to be a pro-Iranian, pro-Palestinian hacktivist persona adopted by Iran's Ministry of Intelligence and Security ( MOIS ). It's tracked by the cybersecurity community under the m...

Rising geopolitical tensions are reflected (or in some cases preceded) by cyber operations, while technology itself has become politicized. Let’s admit it: we are in the middle of it.  Introduction: One tech power to rule them all is a thing of the past  The relative safety, peace and prosperity that much of the world has enjoyed since 1945 was not accidental. It emerged from the ashes of two world wars and the deliberate construction of a new global order. The United States of America set the terms of this new world. The long peace under Pax Americana provided a stable foundation, but that foundation is shifting. Europe’s deep strategic dependence on the U.S.’s technological and cybersecurity capabilities, from intelligence and infrastructure to frameworks and funding, is now being tested. Those tectonic geopolitical changes are undermining trust, threatening the state of safety, and compelling European organizations to rethink digital architectures and approaches at ever...

The U.S. Federal Communications Commission (FCC) said on Monday that it was banning the import of new, foreign-made consumer routers, citing "unacceptable" risks to cyber and national security. The action was designed to safeguard Americans and the underlying communications networks the country relies on, FCC Chairman Brendan Carr said in a post on X. The development means that new models of foreign-produced routers will no longer be eligible for marketing or sale in the U.S. The move comes in the wake of a national security determination provided by Executive Branch Agencies, Carr added. To that end, all consumer-grade routers manufactured in foreign countries have been added to the Covered List , unless they have been granted a Conditional Approval by the Department of War (DoW) or the Department of Homeland Security (DHS) after determining that they do not pose any risks. As of writing, the approved list only includes drone systems and software-defined radios (SDRs) ...

High-value organizations located in South, Southeast, and East Asia have been targeted by a Chinese threat actor as part of a years-long campaign. The activity, which has targeted aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications sectors, has been attributed by Palo Alto Networks Unit 42 to a previously undocumented threat activity group dubbed CL-UNK-1068 , where "CL" refers to "cluster" and "UNK" stands for unknown motivation. However, the security vendor has assessed with "moderate-to-high confidence" that the primary objective of the campaign is cyber espionage. "Our analysis reveals a multi-faceted tool set that includes custom malware, modified open-source utilities, and living-off-the-land binaries (LOLBINs)," security researcher Tom Fakterman said . "These provide a simple, effective way for the attackers to maintain a persistent presence within targeted environments....

New research from Broadcom's Symantec and Carbon Black Threat Hunter Team has discovered evidence of an Iranian hacking group embedding itself in several U.S. companies' networks, including banks, airports, non-profit, and the Israeli arm of a software company. The activity has been attributed to a state-sponsored hacking group called MuddyWater (aka Seedworm). It's affiliated with the Iranian Ministry of Intelligence and Security (MOIS). The campaign is assessed to have begun in early February, with recent activity detected following U.S. and Israeli military strikes on Iran . "The software company is a supplier to the defense and aerospace industries, among others, and has a presence in Israel, with the company's Israel operation seeming to be the target in this activity," the security vendor said in a report shared with The Hacker News. The attacks targeting the software company, as well as a U.S. bank and a Canadian non-profit, have been found to p...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Hikvision and Rockwell Automation products to its Known Exploited Vulnerabilities ( KEV ) catalog, citing evidence of active exploitation. The critical-severity vulnerabilities are listed below - CVE-2017-7921 (CVSS score: 9.8) - An improper authentication vulnerability affecting multiple Hikvision products that could allow a malicious user to escalate privileges on the system and gain access to sensitive information.  CVE-2021-22681 (CVSS score: 9.8) - An insufficiently protected credentials vulnerability affecting multiple Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers that could allow an unauthorized user with network access to the controller to bypass the verification mechanism and authenticate with it, as well as alter its configuration and/or application code. The addition of CVE-2017-7921 to the KEV catalog comes more...

Cybersecurity researchers have warned of a surge in retaliatory hacktivist activity following the U.S.-Israel coordinated military campaign against Iran , codenamed Epic Fury and Roaring Lion. "The hacktivist threat in the Middle East is highly lopsided, with two groups, Keymous+ and DieNet, driving nearly 70% of all attack activity between February 28 and March 2," Radware said in a Tuesday report. The first distributed denial-of-service (DDoS) attack was launched by Hider Nex (aka Tunisian Maskers Cyber Force) on February 28, 2026. According to details shared by Orange Cyberdefense, Hider Nex is a shadowy Tunisian hacktivist group that supports pro-Palestinian causes. It leverages a hack-and-leak strategy combining DDoS attacks with data breaches to leak sensitive data and advance its geopolitical agenda. The group emerged in mid-2025. In all, a total of 149 hacktivist DDoS claims were recorded targeting 110 distinct organizations across 16 countries. The attacks were...

The threat activity cluster known as SloppyLemming has been attributed to a fresh set of attacks targeting government entities and critical infrastructure operators in Pakistan and Bangladesh. The activity, per Arctic Wolf, took place between January 2025 and January 2026. It involves the use of two distinct attack chains to deliver malware families tracked as BurrowShell and a Rust-based keylogger.  "The use of the Rust programming language represents a notable evolution in SloppyLemming’s tooling, as prior reporting documented the actor using only traditional compiled languages and borrowed adversary simulation frameworks such as Cobalt Strike, Havoc, and the custom NekroWire RAT," the cybersecurity company said in a report shared with The Hacker News. SloppyLemming is the moniker assigned to a threat actor that's known to target government, law enforcement, energy, telecommunications, and technology entities in Pakistan, Sri Lanka, Bangladesh, and China since ...

A newly disclosed maximum-severity security flaw in Cisco Catalyst SD-WAN Controller (formerly vSmart) and Catalyst SD-WAN Manager (formerly vManage) has come under active exploitation in the wild as part of malicious activity that dates back to 2023. The vulnerability, tracked as CVE-2026-20127 (CVSS score: 10.0), allows an unauthenticated remote attacker to bypass authentication and obtain administrative privileges on an affected system by sending a crafted request. Successful exploitation of the flaw could allow the adversary to obtain elevated privileges and log in to the system as an internal, high-privileged, non-root user account. "This vulnerability exists because the peering authentication mechanism in an affected system is not working properly," Cisco said in an advisory, adding the threat actor could leverage the non-root user account to access NETCONF and manipulate network configuration for the SD-WAN fabric.  The shortcoming affects the following deploym...

Technologies are evolving fast, reshaping economies, governance, and daily life. Yet, as innovation accelerates, so do digital risks. Technological change is no longer abstract for such a country as Lithuania, as well. From e-signatures to digital health records, the country depends on secure systems.  Cybersecurity has become not only a technical challenge but a societal one – demanding the cooperation of scientists, business leaders, and policymakers. In Lithuania, this cooperation has taken a concrete form – the government-funded national initiative . Coordinated by the Innovation Agency Lithuania, the project aims to strengthen the country’s e-security and digital resilience.  Under this umbrella, universities and companies with long-standing expertise are working hand in hand to transform scientific knowledge into market-ready, high-value innovations. Several of these solutions are already being tested in real environments, for example, in public institutions and criti...

A previously undocumented threat actor has been attributed to attacks targeting Ukrainian organizations with malware known as CANFAIL . Google Threat Intelligence Group (GTIG) described the hacking group as possibly affiliated with Russian intelligence services. The threat actor is assessed to have targeted defense, military, government, and energy organizations within the Ukrainian regional and national governments. However, the group has also exhibited growing interest in aerospace organizations, manufacturing companies with military and drone ties, nuclear and chemical research organizations, and international organizations involved in conflict monitoring and humanitarian aid in Ukraine, GTIG added. "Despite being less sophisticated and resourced than other Russian threat groups, this actor recently began to overcome some technical limitations using LLMs [large language models]," GTIG said . "Through prompting, they conduct reconnaissance, create lures for soci...

Several state-sponsored actors, hacktivist entities, and criminal groups from China, Iran, North Korea, and Russia have trained their sights on the defense industrial base (DIB) sector, according to findings from Google Threat Intelligence Group (GTIG). The tech giant's threat intelligence division said the adversarial targeting of the sector is centered around four key themes: striking defense entities deploying technologies on the battlefield in the Russia-Ukraine War, directly approaching employees and exploitation of the hiring process by North Korean and Iranian actors, use of edge devices and appliances as initial access pathways for China-nexus groups, and supply chain risk stemming from the breach of the manufacturing sector. "Many of the chief state-sponsors of cyber espionage and hacktivist actors have shown an interest in autonomous vehicles and drones, as these platforms play an increasing role in modern warfare," GTIG said . "Further, the 'evasion...

The threat actor known as Bloody Wolf has been linked to a campaign targeting Uzbekistan and Russia to infect systems with a remote access trojan known as NetSupport RAT . Cybersecurity vendor Kaspersky is tracking the activity under the moniker Stan Ghouls . The threat actor is known to be active since at least 2023, orchestrating spear-phishing attacks against manufacturing, finance, and IT sectors in Russia, Kyrgyzstan, Kazakhstan, and Uzbekistan. The campaign is estimated to have claimed about 50 victims in Uzbekistan, with 10 devices in Russia also impacted. Other infections have been identified to a lesser degree in Kazakhstan, Turkey, Serbia, and Belarus. Infection attempts have also been recorded on devices within government organizations, logistics companies, medical facilities, and educational institutions. "Given Stan Ghouls' targeting of financial institutions, we believe their primary motive is financial gain," Kaspersky noted. "That said, their hea...

Germany's Federal Office for the Protection of the Constitution (aka Bundesamt für Verfassungsschutz or BfV) and Federal Office for Information Security (BSI) have issued a joint advisory warning of a malicious cyber campaign undertaken by a likely state-sponsored threat actor that involves carrying out phishing attacks over the Signal messaging app. "The focus is on high-ranking targets in politics, the military, and diplomacy, as well as investigative journalists in Germany and Europe," the agencies said . "Unauthorized access to messenger accounts not only allows access to confidential private communications but also potentially compromises entire networks." A noteworthy aspect of the campaign is that it does not involve the distribution of malware or the exploitation of any security vulnerability in the privacy-focused messaging platform. Rather, the end goal is to weaponize its legitimate features to obtain covert access to a victim's chats, along wi...

A previously undocumented cyber espionage group operating from Asia broke into the networks of at least 70 government and critical infrastructure organizations across 37 countries over the past year, according to new findings from Palo Alto Networks Unit 42. In addition, the hacking crew has been observed conducting active reconnaissance against government infrastructure associated with 155 countries between November and December 2025. Some of the entities that have been successfully compromised include five national-level law enforcement/border control entities, three ministries of finance and other government ministries, and departments that align with economic, trade, natural resources, and diplomatic functions. The activity is being tracked by the cybersecurity company under the moniker TGR-STA-1030 , where "TGR" stands for temporary threat group and "STA" refers to state-backed motivation. Evidence shows that the threat actor has been active since January ...

CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. The incident took place on December 29, 2025. The agency has attributed the attacks to a threat cluster dubbed Static Tundra , which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia's Federal Security Service's (FSB) Center 16 unit. It's worth noting that recent reports from ESET and Dragos attributed the activity with moderate confidence to a different Russian state-sponsored hacking group known as Sandworm. "All attacks had a purely destructive objective," CERT Polska said in a report published Friday. "Althoug...

A study by OMICRON has revealed widespread cybersecurity gaps in the operational technology (OT) networks of substations, power plants, and control centers worldwide. Drawing on data from more than 100 installations, the analysis highlights recurring technical, organizational, and functional issues that leave critical energy infrastructure vulnerable to cyber threats. The findings are based on several years of deploying OMICRON’s intrusion detection system (IDS) StationGuard in protection, automation, and control (PAC) systems. The technology, which monitors network traffic passively, has provided deep visibility into real-world OT environments. The results underscore the growing attack surface in energy systems and the challenges operators face in securing aging infrastructure and complex network architectures. Connection of an IDS in PAC systems (circles indicate mirror ports) StationGuard deployments, often carried out during security assessments, revealed vulnerabilities su...

The "coordinated" cyber attack targeting multiple sites across the Polish power grid has been attributed with medium confidence to a Russian state-sponsored hacking crew known as ELECTRUM . Operational technology (OT) cybersecurity company Dragos, in a new intelligence brief published Tuesday, described the late December 2025 activity as the first major cyber attack targeting distributed energy resources (DERs). "The attack affected communication and control systems at combined heat and power (CHP) facilities and systems managing the dispatch of renewable energy systems from wind and solar sites," Dragos said . "While the attack did not result in power outages, adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site." It's worth pointing out that ELECTRUM and KAMACITE share overlaps with a cluster referred to as Sandworm (aka APT44 and Seashell Blizzard). KA...

The Russian nation-state hacking group known as Sandworm has been attributed to what has been described as the "largest cyber attack" targeting Poland's power system in the last week of December 2025. The attack was unsuccessful, the country's energy minister, Milosz Motyka, said last week. "The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on the energy infrastructure in years," Motyka was quoted as saying. According to a new report by ESET, the attack was the work of Sandworm, which deployed a previously undocumented wiper malware codenamed DynoWiper (aka Win32/KillFiles.NMO). The links to Sandworm are based on overlaps with prior wiper activity associated with the adversary, particularly in the aftermath of Russia's military invasion of Ukraine in February 2022. The Slovakian cybersecurity company, which identified the use of the wiper as part of the attempted disruptive attack aimed at the...

A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity under the name UAT-8837 , assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region. The cybersecurity company noted that the threat actor is "primarily tasked with obtaining initial access to high-value organizations," based on the tactics, techniques, and procedures (TTPs) and post-compromise activity observed. "After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their v...