critical infrastructure | Breaking Cybersecurity News | The Hacker News

CERT Polska, the Polish computer emergency response team, revealed that coordinated cyber attacks targeted more than 30 wind and photovoltaic farms, a private company from the manufacturing sector, and a large combined heat and power plant (CHP) supplying heat to almost half a million customers in the country. The incident took place on December 29, 2025. The agency has attributed the attacks to a threat cluster dubbed Static Tundra , which is also tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Energetic Bear, Ghost Blizzard (formerly Bromine), and Havex. Static Tundra is assessed to be linked to Russia's Federal Security Service's (FSB) Center 16 unit. It's worth noting that recent reports from ESET and Dragos attributed the activity with moderate confidence to a different Russian state-sponsored hacking group known as Sandworm. "All attacks had a purely destructive objective," CERT Polska said in a report published Friday. "Althoug...

A study by OMICRON has revealed widespread cybersecurity gaps in the operational technology (OT) networks of substations, power plants, and control centers worldwide. Drawing on data from more than 100 installations, the analysis highlights recurring technical, organizational, and functional issues that leave critical energy infrastructure vulnerable to cyber threats. The findings are based on several years of deploying OMICRON's intrusion detection system (IDS) StationGuard in protection, automation, and control (PAC) systems. The technology, which monitors network traffic passively, has provided deep visibility into real-world OT environments. The results underscore the growing attack surface in energy systems and the challenges operators face in securing aging infrastructure and complex network architectures. Connection of an IDS in PAC systems (circles indicate mirror ports) StationGuard deployments, often carried out during security assessments, revealed vulnerabilities su...

The "coordinated" cyber attack targeting multiple sites across the Polish power grid has been attributed with medium confidence to a Russian state-sponsored hacking crew known as ELECTRUM . Operational technology (OT) cybersecurity company Dragos, in a new intelligence brief published Tuesday, described the late December 2025 activity as the first major cyber attack targeting distributed energy resources (DERs). "The attack affected communication and control systems at combined heat and power (CHP) facilities and systems managing the dispatch of renewable energy systems from wind and solar sites," Dragos said . "While the attack did not result in power outages, adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site." It's worth pointing out that ELECTRUM and KAMACITE share overlaps with a cluster referred to as Sandworm (aka APT44 and Seashell Blizzard). KA...

The Russian nation-state hacking group known as Sandworm has been attributed to what has been described as the "largest cyber attack" targeting Poland's power system in the last week of December 2025. The attack was unsuccessful, the country's energy minister, Milosz Motyka, said last week. "The command of the cyberspace forces has diagnosed in the last days of the year the strongest attack on the energy infrastructure in years," Motyka was quoted as saying. According to a new report by ESET, the attack was the work of Sandworm, which deployed a previously undocumented wiper malware codenamed DynoWiper (aka Win32/KillFiles.NMO). The links to Sandworm are based on overlaps with prior wiper activity associated with the adversary, particularly in the aftermath of Russia's military invasion of Ukraine in February 2022. The Slovakian cybersecurity company, which identified the use of the wiper as part of the attempted disruptive attack aimed at the...

A threat actor likely aligned with China has been observed targeting critical infrastructure sectors in North America since at least last year. Cisco Talos, which is tracking the activity under the name UAT-8837 , assessed it to be a China-nexus advanced persistent threat (APT) actor with medium confidence based on tactical overlaps with other campaigns mounted by threat actors from the region. The cybersecurity company noted that the threat actor is "primarily tasked with obtaining initial access to high-value organizations," based on the tactics, techniques, and procedures (TTPs) and post-compromise activity observed. "After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their v...

Amazon's threat intelligence team has disclosed details of a "years-long" Russian state-sponsored campaign that targeted Western critical infrastructure between 2021 and 2025. Targets of the campaign included energy sector organizations across Western nations, critical infrastructure providers in North America and Europe, and entities with cloud-hosted network infrastructure. The activity has been attributed with high confidence to Russia's Main Intelligence Directorate (GRU), citing infrastructure overlaps with APT44 , which is also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear. The activity is notable for using as initial access vectors misconfigured customer network edge devices with exposed management interfaces, as N-day and zero-day vulnerability exploitation activity declined over the time period – indicative of a shift in attacks aimed at critical infrastructure, the tech giant said. "This tactical adaptation enables the same o...

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization that allows an attacker to inject malicious logic that the server executes in a privileged context. It also affects other frameworks, including Next.js, Waku, Vite, React Router, and RedwoodSDK. "A single, specially crafted HTTP request is sufficient; there is no authentication requirement, user interaction, or elevated permissions involved," Cloudforce One, Cloudflare's threat intelligence team, said . "Once successful, the attacker can execute arbitrary, privileged JavaScript on the affected server." Since its public disclosure on December 3, 2025, the shortcoming...

Israeli entities spanning academia, engineering, local government, manufacturing, technology, transportation, and utilities sectors have emerged as the target of a new set of attacks undertaken by Iranian nation-state actors that have delivered a previously undocumented backdoor called MuddyViper. The activity has been attributed by ESET to a hacking group known as MuddyWater (aka Mango Sandstorm, Static Kitten, or TA450), a cluster assessed to be affiliated with Iran's Ministry of Intelligence and Security (MOIS). The attacks also singled out one technology company based in Egypt. The campaign took place between September 30, 2024, and March 18, 2025. The hacking group first came to light in November 2017, when Palo Alto Networks Unit 42 detailed targeted attacks against the Middle East between February and October of that year using a custom backdoor dubbed POWERSTATS. It's also known for its destructive attacks on Israeli organizations using a Thanos ransomware varian...

Threat actors with ties to Iran engaged in cyber warfare as part of efforts to facilitate and enhance physical, real-world attacks, a trend that Amazon has called cyber-enabled kinetic targeting. The development is a sign that the lines between state-sponsored cyber attacks and kinetic warfare are increasingly blurring, necessitating the need for a new category of warfare, the tech giant's threat intelligence team said in a report shared with The Hacker News. While traditional cybersecurity frameworks have treated digital and physical threats as separate domains, CJ Moses, CISO of Amazon Integrated Security, said these delineations are artificial and that nation-state threat actors are engaging in cyber reconnaissance activity to enable kinetic targeting. "These aren't just cyber attacks that happen to cause physical damage; they are coordinated campaigns where digital operations are specifically designed to support physical military objectives," Moses added. As an...

Cybersecurity researchers have disclosed two critical security flaws impacting Red Lion Sixne t remote terminal unit (RTU) products that, if successfully exploited, could result in code execution with the highest privileges. The shortcomings, tracked as CVE-2023-40151 and CVE-2023-42770 , are both rated 10.0 on the CVSS scoring system. "The vulnerabilities affect Red Lion SixTRAK and VersaTRAK RTUs, and allow an unauthenticated attacker to execute commands with root privileges," Claroty Team 82 researchers said in a report published Tuesday. Red Lion's Sixnet RTUs provide advanced automation, control, and data acquisition capabilities in industrial automation and control systems, primarily across energy, water, and wastewater treatment, transportation, utilities, and manufacturing sectors. These industrial devices are configured using a Windows utility called Sixnet IO Tool Kit, with a proprietary Sixnet "Universal" protocol used to interface and enable ...

Cyber threats are evolving faster than ever. Attackers now combine social engineering, AI-driven manipulation, and cloud exploitation to breach targets once considered secure. From communication platforms to connected devices, every system that enhances convenience also expands the attack surface. This edition of ThreatsDay Bulletin explores these converging risks and the safeguards that help preserve trust in an increasingly intelligent threat landscape. How Threat Actors Abuse Microsoft Teams Attackers Abuse Microsoft Teams for Extortion, Social Engineering, and Financial Theft Microsoft detailed the various ways threat actors can abuse its Teams chat software at various stages of the attack chain, even using it to support financial theft through extortion, social engineering, or technical means. " Octo Tempest has used communication apps, including Teams, to send taunting and threatening messages to organizations, defenders, and incident response teams as p...

Russian hackers' adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country's State Service for Special Communications and Information Protection (SSSCIP) said. "Hackers now employ it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated with AI – and attackers are certainly not going to stop there," the agency said in a report published Wednesday. SSSCIP said 3,018 cyber incidents were recorded during the time period, up from 2,575 in the second half of 2024 (H2 2024). Local authorities and military entities witnessed an increase in attacks compared to H2 2024, while those targeting government and energy sectors declined. One notable attack observed involved UAC-0219's use of malware called WRECKSTEEL in attacks aimed at state administration bodies and critical infrastructure facilities in the country...

Law enforcement authorities in the U.K. have arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city's public transportation agency. Thalha Jubair (aka EarthtoStar, Brad, Austin, and @autistic), 19, from East London and Owen Flowers, 18, from Walsall, West Midlands were arrested at their home addresses on Tuesday, the National Crime Agency (NCA) said. They are 19 and 18, respectively. It's worth noting that Flowers was initially arrested for his alleged involvement in the TfL attack in September 2024, but was subsequently released on bail. The agency said it found evidence of Flowers targeting U.S. healthcare companies, and that he has also been charged with conspiring with others to infiltrate and damage the networks of SSM Health Care Corporation and Sutter Health. Jubair has also been charged under the Regulation of Investigatory Powers...

U.S. Senator Ron Wyden has called on the Federal Trade Commission (FTC) to probe Microsoft and hold it responsible for what he called "gross cybersecurity negligence" that enabled ransomware attacks on U.S. critical infrastructure, including against healthcare networks. "Without timely action, Microsoft's culture of negligent cybersecurity, combined with its de facto monopolization of the enterprise operating system market, poses a serious national security threat and makes additional hacks inevitable," Wyden wrote in a four-page letter to FTC Chairman Andrew Ferguson, likening Redmond to an "arsonist selling firefighting services to their victims." The development comes after Wyden's office obtained new information from healthcare system Ascension, which suffered a crippling ransomware attack last year, resulting in the theft of personal and medical information associated with nearly 5.6 million individuals . The ransomware attack, which al...

A Russian state-sponsored cyber espionage group known as Static Tundra has been observed actively exploiting a seven-year-old security flaw in Cisco IOS and Cisco IOS XE software as a means to establish persistent access to target networks. Cisco Talos, which disclosed details of the activity, said the attacks single out organizations in telecommunications, higher education and manufacturing sectors across North America, Asia, Africa and Europe. Prospective victims are chosen based on their "strategic interest" to Russia, it added, with recent efforts directed against Ukraine and its allies following the onset of the Russo-Ukrainian war in 2022. The vulnerability in question is CVE-2018-0171 (CVSS score: 9.8), a critical flaw in the Smart Install feature of Cisco IOS Software and Cisco IOS XE software that could allow an unauthenticated, remote attacker to trigger a denial-of-service (DoS) condition or execute arbitrary code. It's worth noting that the security ...

A new exploit combining two critical, now-patched security flaws in SAP NetWeaver has emerged in the wild, putting organizations at risk of system compromise and data theft. The exploit in question chains together CVE-2025-31324 and CVE-2025-42999 to bypass authentication and achieve remote code execution, SAP security company Onapsis said . CVE-2025-31324 (CVSS score: 10.0) - Missing Authorization check in SAP NetWeaver's Visual Composer development server CVE-2025-42999 (CVSS score: 9.1) - Insecure Deserialization in SAP NetWeaver's Visual Composer development server The vulnerabilities were addressed by SAP back in April and May 2025, but not before they were abused by threat actors as zero-days since at least March. Multiple ransomware and data extortion groups, including Qilin, BianLian, and RansomExx, have been observed weaponizing the flaws , not to mention several China-nexus espionage crews who have also put them to use in attacks targeting critical infra...

The Dutch National Cyber Security Centre (NCSC-NL) has warned of cyber attacks exploiting a recently disclosed critical security flaw impacting Citrix NetScaler ADC products to breach organizations in the country. The NCSC-NL said it discovered the exploitation of CVE-2025-6543 targeting several critical organizations within the Netherlands, and that investigations are ongoing to determine the extent of the impact. CVE-2025-6543 (CVSS score: 9.2) is a critical security vulnerability in NetScaler ADC that results in unintended control flow and denial-of-service (DoS) when the devices are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR AAA virtual server. The vulnerability was first disclosed in late June 2025, with patches released in the following versions - NetScaler ADC and NetScaler Gateway 14.1 prior to 14.1-47.46 NetScaler ADC and NetScaler Gateway 13.1 prior to 13.1-59.19 NetScaler ADC 13.1-FIPS and NDcPP prior to 13.1-37.236-FIPS and NDcPP ...

Cybersecurity researchers have discovered a fresh set of security issues in the Terrestrial Trunked Radio (TETRA) communications protocol, including in its proprietary end-to-end encryption (E2EE) mechanism that exposes the system to replay and brute-force attacks, and even decrypt encrypted traffic. Details of the vulnerabilities – dubbed 2TETRA:2BURST – were presented at the Black Hat USA security conference last week by Midnight Blue researchers Carlo Meijer, Wouter Bokslag, and Jos Wetzels. TETRA is a European mobile radio standard that's widely used by law enforcement, military, transportation, utilities, and critical infrastructure operators. It was developed by the European Telecommunications Standards Institute (ETSI). It encompasses four encryption algorithms: TEA1, TEA2, TEA3, and TEA4. The disclosure comes a little over two years after the Netherlands-based cybersecurity company discovered a set of security vulnerabilities in TETRA standard called TETRA:BURST, c...

Malicious actors have been observed exploiting a now-patched critical security flaw impacting Erlang/Open Telecom Platform (OTP) SSH as early as beginning of May 2025, with about 70% of detections originating from firewalls protecting operational technology (OT) networks. The vulnerability in question is CVE-2025-32433 (CVSS score: 10.0), a missing authentication issue that could be abused by an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code. It was patched in April 2025 with versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20. Then in June 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. "At the heart of Erlang/OTP's secure communication capabilities lies its native SSH implementation — responsible for encrypted connections, file transfers and most importantly, command execution," Palo Alto Networks U...