Russian APT28 Targets Energy Research as CISA Orders Emergency Gogs Patching; BreachForums Database Exposes 324,000 Hackers

Executive Summary

This week's intelligence highlights significant developments across the critical infrastructure threat landscape, with nation-state actors intensifying operations against energy and defense sectors while supply chain vulnerabilities continue to pose systemic risks.

  • Nation-State Activity: Russia's APT28 (Fancy Bear) has been observed targeting energy research institutions and defense collaboration entities through sophisticated credential harvesting campaigns impersonating Microsoft OWA, Google, and Sophos VPN portals. Separately, Iran-linked MuddyWater APT has deployed a new Rust-based implant in ongoing campaigns.
  • Active Exploitation: CISA has added a high-severity Gogs vulnerability to its Known Exploited Vulnerabilities (KEV) catalog following confirmed zero-day exploitation, ordering federal agencies to patch immediately. Nearly 60,000 n8n workflow automation instances remain vulnerable to a maximum-severity flaw dubbed "Ni8mare."
  • Supply Chain Threats: A supply chain attack targeting the n8n automation platform has been discovered, with eight malicious npm packages designed to steal OAuth tokens from developers.
  • Threat Actor Exposure: The notorious BreachForums hacking site suffered a significant data breach, exposing approximately 324,000 criminal users—potentially providing law enforcement with valuable intelligence on cybercriminal networks.
  • Sector Impacts: The University of Hawaii Cancer Center disclosed a ransomware attack compromising patient data dating back to the 1990s. Spanish energy giant Endesa confirmed a data breach affecting customer information. A Dutch hacker received a seven-year sentence for breaching Rotterdam and Antwerp port systems.
  • Strategic Outlook: The World Economic Forum's Global Cybersecurity Outlook 2026 reveals cyber fraud has overtaken ransomware as the top concern for CEOs, while ransomware remains the primary concern for CISOs—highlighting a perception gap between business leadership and security professionals.

Threat Landscape

Nation-State Threat Actor Activities

Russia - APT28 (Fancy Bear/Forest Blizzard)

Russian military intelligence-linked APT28 has been observed conducting targeted credential harvesting campaigns against energy research institutions and defense collaboration entities. The group is impersonating legitimate webmail and VPN services including:

  • Microsoft Outlook Web Access (OWA)
  • Google authentication portals
  • Sophos VPN login pages

This campaign aligns with Russia's strategic interest in Western energy infrastructure and defense technology sharing arrangements. Organizations in the energy research and defense sectors should implement additional authentication controls and user awareness training regarding credential harvesting attempts.

Source: SecurityWeek - Russia's APT28 Targeting Energy Research, Defense Collaboration Entities

Iran - MuddyWater APT

Iran-linked MuddyWater (also known as MERCURY, Static Kitten) has deployed a new Rust-based implant in its latest campaign. The shift to Rust programming language represents an evolution in the group's tooling, potentially aimed at evading detection and complicating reverse engineering efforts. MuddyWater has historically targeted telecommunications, government, and energy sectors across the Middle East and beyond.

Source: CSO Online - Iran-linked MuddyWater APT deploys Rust-based implant

North Korea - QR Code Exploitation

Security leaders are responding to recent warnings regarding North Korean threat actors exploiting QR codes as an attack vector. This technique leverages the inherent trust users place in QR codes and the difficulty of inspecting destination URLs before scanning. Critical infrastructure operators should review policies regarding QR code usage in operational environments.

Source: Security Magazine - Security Leaders Discuss FBI Warning: North Korea Exploiting QR Codes

Ransomware and Cybercriminal Developments

BreachForums Database Exposure

In a significant development for threat intelligence, the notorious BreachForums hacking marketplace has suffered what researchers are calling a "doomsday" leak, exposing approximately 324,000 criminal user accounts. This database exposure may provide law enforcement and security researchers with valuable intelligence on cybercriminal networks, including potential identification of threat actors targeting critical infrastructure.

Source: CSO Online - Notorious BreachForums hacking site hit by 'doomsday' leak

Illicit Cryptocurrency Activity

TRM Labs reports that illegal cryptocurrency flows reached a record $158 billion in 2025, representing a significant increase in the financial infrastructure supporting cybercriminal operations. This growth in illicit crypto activity directly enables ransomware operations, fraud schemes, and other attacks targeting critical infrastructure.

Source: Infosecurity Magazine - Illicit Crypto Activity Hits Record $158bn in 2025

Pig Butchering-as-a-Service (PBaaS)

Researchers have uncovered service providers fueling industrial-scale "pig butchering" fraud operations. These providers supply criminal networks with tools and infrastructure to conduct romance and investment scams at scale. The professionalization of these fraud operations represents an evolution in the cybercriminal ecosystem.

Source: The Hacker News - Researchers Uncover Service Providers Fueling Industrial-Scale Pig Butchering Fraud

Black Axe Disruption

Spanish police have disrupted the Black Axe criminal organization, arresting alleged leaders across four cities. The organization specialized in business email compromise (BEC) scams, generating billions of dollars annually through numerous small-scale operations. This enforcement action may temporarily disrupt BEC campaigns targeting organizations globally.

Source: CyberScoop - Spanish police disrupt Black Axe, arrest alleged leaders

Emerging Attack Vectors

LLM API Targeting

Threat intelligence firms warn that attackers are actively hunting for misconfigured proxy servers to gain unauthorized access to APIs for various Large Language Models (LLMs). This "prompt poaching" activity could enable threat actors to leverage AI capabilities for malicious purposes without attribution or cost.

Source: SecurityWeek - LLMs in Attacker Crosshairs

Browser-in-Browser (BitB) Attacks

Credential theft campaigns using the browser-in-the-browser technique have increased significantly over the past six months, primarily targeting Facebook account credentials. This technique creates convincing fake browser windows within legitimate pages, making phishing attempts more difficult to detect.

Source: Bleeping Computer - Facebook login thieves now using browser-in-browser trick

GoBruteforcer Botnet

A new wave of GoBruteforcer attacks is targeting databases of cryptocurrency and blockchain projects, exploiting weak credentials to co-opt systems into a botnet capable of brute-forcing passwords for services including FTP. While primarily targeting crypto projects, the techniques employed could be adapted against critical infrastructure systems with weak authentication.

Source: The Hacker News - GoBruteforcer Botnet Targets Crypto Project Databases

Sector-Specific Analysis

Energy Sector

APT28 Targeting Energy Research

The energy sector faces elevated threat levels from Russian state-sponsored actors. APT28's targeting of energy research institutions suggests interest in intellectual property related to energy technologies, grid modernization efforts, and potentially operational technology research. Organizations should:

  • Implement phishing-resistant multi-factor authentication
  • Monitor for credential harvesting attempts impersonating common enterprise services
  • Review access controls for research data and collaboration platforms
  • Brief personnel on current social engineering tactics

Spanish Energy Provider Breach

Endesa, one of Spain's largest energy providers, along with its Energía XXI operator, is notifying customers of a data breach. Hackers accessed company systems and obtained contract-related information including personal details. This incident underscores the ongoing targeting of energy sector customer data and the importance of protecting billing and customer management systems.

Source: Bleeping Computer - Spanish energy giant Endesa discloses data breach

U.S. Gray Zone Cyber Operations

Analysis suggests the United States may be adopting "gray zone" cyber tactics, with rumored disruptions tied to Venezuela's oil sector. These operations represent sustained economic pressure through cyber means rather than one-off attacks, potentially signaling an evolution in how cyber capabilities are employed against adversary critical infrastructure.

Source: CyberScoop - Is the US adopting the gray zone cyber playbook?

Transportation Systems

Port Security - Dutch Hacker Sentenced

The Amsterdam Court of Appeal sentenced a 44-year-old Dutch national to seven years in prison for computer hacking and attempted extortion related to breaches of the Rotterdam and Antwerp port systems. This case highlights the ongoing threat to maritime critical infrastructure and the potential for criminal actors to target port operations for financial gain. The significant sentence may serve as a deterrent for future attacks on transportation infrastructure.

Source: Bleeping Computer - Hacker gets seven years for breaching Rotterdam and Antwerp ports

Leadership Change - Seattle-Tacoma International Airport

Wendy Reiter has been named the new Managing Director of Seattle-Tacoma International Airport. Security professionals should note leadership transitions at major transportation hubs as they may signal shifts in security priorities or approaches.

Source: Homeland Security Today - Wendy Reiter Named as New Seattle-Tacoma International Airport Managing Director

Healthcare & Public Health

University of Hawaii Cancer Center Ransomware Attack

The University of Hawaii has disclosed that a ransomware gang breached its Cancer Center in August 2025, stealing data of study participants. The compromised information includes documents dating back to the 1990s containing Social Security numbers. Key concerns include:

  • University officials have refused to disclose which cancer research project was affected
  • The amount paid to hackers to regain file access has not been disclosed
  • Affected individuals were not immediately notified of the breach
  • Legacy data from decades-old research projects may contain sensitive PII with limited protective controls

Healthcare organizations should review data retention policies and ensure legacy research data receives appropriate security controls.

Source: Bleeping Computer - University of Hawaii Cancer Center hit by ransomware attack

AI in Healthcare - Claude Platform

Anthropic has launched Claude AI for healthcare with HIPAA-ready Enterprise tools, allowing healthcare providers, payers, and consumers to use the platform for medical purposes with secure health record access. While this represents advancement in healthcare AI capabilities, organizations should carefully evaluate AI tools accessing protected health information and ensure appropriate safeguards are in place.

Source: The Hacker News - Anthropic Launches Claude AI for Healthcare

Communications & Information Technology

n8n Supply Chain Attack

A significant supply chain attack has been discovered targeting the n8n workflow automation platform. Eight malicious packages uploaded to the npm registry masqueraded as legitimate n8n integrations to steal OAuth tokens from developers. Organizations using n8n should:

  • Audit installed community nodes and integrations
  • Review OAuth token usage and revoke suspicious authorizations
  • Implement package verification procedures before installation

Source: The Hacker News - n8n Supply Chain Attack Abuses Community Nodes

Ni8mare Vulnerability

Nearly 60,000 n8n instances exposed online remain unpatched against a maximum-severity vulnerability dubbed "Ni8mare." Organizations using n8n for workflow automation should prioritize patching and consider network segmentation to limit exposure.

Source: Bleeping Computer - Max severity Ni8mare flaw impacts nearly 60,000 n8n instances

Instagram Password Reset Vulnerability

Instagram has fixed a password reset vulnerability that allowed third parties to send password reset emails to users, potentially enabling account takeover attempts. While primarily a consumer platform, many organizations use Instagram for official communications, making account security relevant to operational integrity.

Source: SecurityWeek - Instagram Fixes Password Reset Vulnerability

Telegram Proxy Link Privacy Issue

A vulnerability in how Telegram handles proxy links can expose users' real IP addresses with a single click. Telegram has acknowledged the issue and plans to add warnings. Organizations using Telegram for communications should brief users on this risk.

Source: Bleeping Computer - Hidden Telegram proxy links can reveal your IP address

Financial Services

Cyber Fraud Surpasses Ransomware as CEO Concern

The World Economic Forum's Global Cybersecurity Outlook 2026 reveals a significant shift in executive risk perception. Cyber fraud—including phishing, invoice scams, and other cyber-enabled fraud—has overtaken ransomware as the top cybersecurity concern for CEOs. However, ransomware remains the primary concern for CISOs. This perception gap between business leadership and security professionals may impact resource allocation and security priorities.

Key findings:

  • Phishing and fraud attacks are at "record highs"
  • The threat is described as "pervasive" across sectors
  • Business email compromise continues to generate significant losses

Source: SecurityWeek - Cyber Fraud Overtakes Ransomware as Top CEO Concern: WEF

Target Source Code Theft Claims

Hackers claim to be selling internal source code belonging to Target Corporation, publishing what appears to be a sample of stolen code repositories. Target's development server has been taken offline. While unconfirmed, this incident highlights risks to retail sector intellectual property and the potential for supply chain implications.

Source: Bleeping Computer - Target's dev server offline after hackers claim to steal source code

Government Facilities

Terrorist Watchlist Guidance

The Government Accountability Office (GAO) has recommended that the FBI improve guidance for state and local use of the terrorist watchlist. This finding has implications for information sharing between federal and local law enforcement protecting critical infrastructure.

Source: Homeland Security Today - GAO: FBI Should Improve Guidance for State and Local Use of Terrorist Watchlist

Counterterrorism Operations

Operation Hawkeye Strike has targeted multiple ISIS positions in Syria, demonstrating continued counterterrorism operations in the region. Additionally, Hezbollah has released an AI-generated video depicting the White House in flames, representing continued use of AI for propaganda purposes by designated terrorist organizations.

Source: Homeland Security Today - Operation Hawkeye Strike

Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CISA KEV Addition: Gogs RCE Vulnerability

CISA has added a high-severity Gogs vulnerability to its Known Exploited Vulnerabilities (KEV) catalog following confirmed zero-day exploitation. Federal agencies have been ordered to patch immediately. Gogs is a self-hosted Git service used by development teams across multiple sectors.

  • Impact: Remote code execution
  • Exploitation Status: Active exploitation confirmed
  • Action Required: Immediate patching; federal agencies must comply with CISA directive

Source: The Hacker News - CISA Warns of Active Exploitation of Gogs Vulnerability

n8n "Ni8mare" Vulnerability (Maximum Severity)

A maximum-severity vulnerability affects the n8n workflow automation platform, with nearly 60,000 instances exposed online remaining unpatched.

  • Impact: Maximum severity (specific details in vendor advisory)
  • Exposure: ~60,000 internet-facing instances
  • Action Required: Immediate patching; network segmentation for exposed instances

Source: Bleeping Computer - Max severity Ni8mare flaw

CISA Advisories and Emergency Directives

Emergency Directive Closures

CISA has retired ten Emergency Directives issued between 2019 and 2024, marking a new approach to managing federal cyber-risk. This administrative action closes directives where the immediate threat has been addressed or superseded by other guidance. Organizations should review their compliance status with current active directives.

Source: Infosecurity Magazine - CISA Closes Ten Emergency Directives

Weekly Vulnerability Summary

US-CERT has published the Vulnerability Summary for the Week of January 5, 2026, cataloging high, medium, and low severity vulnerabilities. Critical infrastructure operators should review this summary for vulnerabilities affecting their technology stack.

Source: US-CERT - Vulnerability Summary for the Week of January 5, 2026

Recommended Defensive Measures

For APT28 Credential Harvesting Campaigns:

  • Implement phishing-resistant MFA (FIDO2/WebAuthn)
  • Deploy email security solutions capable of detecting impersonation attempts
  • Monitor for anomalous authentication attempts to webmail and VPN services
  • Conduct targeted user awareness training on current TTPs
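The monitoring item above is easiest to operationalise as a check over outbound proxy logs: destinations that carry a webmail or VPN brand on an untrusted domain, that use punycode labels, or that are near-miss spellings of a trusted portal are the lure hostnames a credential-harvesting campaign of this kind depends on. The script below is an added example written for this briefing, not code from the briefing, SecurityWeek or any vendor; the log format, the allowlists, the brand-token list and every hostname in the sample log are constructed for illustration.

```python
"""Flag proxy-log destinations that impersonate webmail or VPN portals.

Added example for this briefing; it is not code from the briefing or any
vendor. The log format, the allowlists and the sample hostnames are all
constructed for illustration.
"""
import difflib
import re
from urllib.parse import urlsplit

# Portals the organisation legitimately uses (constructed allowlist).
LEGIT_HOSTS = {
    "outlook.office365.com",
    "mail.example.com",
    "accounts.google.com",
    "vpn.example.com",
}
# Registrable domains whose subdomains are trusted (constructed).
TRUSTED_DOMAINS = {"example.com", "office365.com", "microsoft.com",
                   "google.com", "sophos.com"}
# Brand tokens that lures tend to embed in untrusted hostnames.
BRAND_TOKENS = ("owa", "outlook", "office365", "google", "sophos", "vpn")

# Constructed proxy log: one line per outbound request.
SAMPLE_LOG = """\
2026-01-12T09:14:02Z user=alice dst=https://outlook.office365.com/owa/ method=GET
2026-01-12T09:15:40Z user=alice dst=https://owa-example-com.web-login.net/login method=POST
2026-01-12T09:17:11Z user=bob dst=https://vpn.example.com/remote/login method=GET
2026-01-12T09:18:05Z user=bob dst=https://sophos-vpn-portal.com/remote/login method=POST
2026-01-12T09:20:33Z user=carol dst=https://accounts.gooogle.com/signin method=POST
2026-01-12T09:21:09Z user=dave dst=https://xn--sphos-5ra.com/portal method=GET
2026-01-12T09:22:50Z user=dave dst=https://mail.example.com/owa/ method=GET
"""

LINE_RE = re.compile(r"user=(?P<user>\S+)\s+dst=(?P<dst>\S+)")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); enough for the constructed data."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Return a reason string if the host looks like an impersonation, else None."""
    host = host.lower()
    if host in LEGIT_HOSTS:
        return None
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode label (possible homoglyph domain)"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return None  # legitimate subdomain of a trusted domain
    for token in BRAND_TOKENS:
        if token in host:
            return f"brand token '{token}' on untrusted domain {domain}"
    # Near-miss spellings of a trusted portal (e.g. an extra letter).
    best = max(sorted(LEGIT_HOSTS),
               key=lambda legit: difflib.SequenceMatcher(None, host, legit).ratio())
    if difflib.SequenceMatcher(None, host, best).ratio() >= 0.9:
        return f"lookalike of {best}"
    return None


def audit_log(log_text):
    """Return (user, host, reason) for every suspicious destination."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host = urlsplit(m.group("dst")).hostname
        if not host:
            continue
        reason = classify_host(host)
        if reason:
            hits.append((m.group("user"), host, reason))
    return hits


if __name__ == "__main__":
    for user, host, reason in audit_log(SAMPLE_LOG):
        print(f"{user:6} {host:35} {reason}")
```

Run against the constructed log it flags four of the seven requests (the web-login.net lure, the sophos-branded untrusted domain, the misspelled Google host and the punycode domain) and leaves the allowlisted portals alone. The brand-token rule is deliberately noisy: a partner's legitimate `vpn.` host will trip it until it is added to `TRUSTED_DOMAINS`, which is the review loop a SOC would run these hits through.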

For Supply Chain Attacks:

  • Implement software composition analysis (SCA) tools
  • Verify package integrity before installation
  • Monitor for unauthorized OAuth token usage
  • Review and audit third-party integrations regularly

Vibe Coding Security Governance

Palo Alto Networks' Unit 42 has published a new security governance framework for "vibe coding" tools (AI-assisted development). Organizations adopting AI coding assistants should implement recommended security controls to prevent introduction of vulnerabilities.

Source: Infosecurity Magazine - Palo Alto Networks Introduces New Vibe Coding Security Governance Framework

Resilience & Continuity Planning

Lessons Learned

Port Infrastructure Attacks

The seven-year sentence for the Dutch hacker who breached Rotterdam and Antwerp ports provides several lessons:

  • Maritime infrastructure remains an attractive target for both criminal and nation-state actors
  • Port systems may have interconnections that enable lateral movement between facilities
  • Law enforcement cooperation across jurisdictions can result in significant penalties
  • Extortion attempts against critical infrastructure are being prosecuted aggressively

Healthcare Data Retention Risks

The University of Hawaii Cancer Center breach highlights risks associated with legacy research data:

  • Historical data from decades-old projects may contain sensitive PII
  • Data retention policies should balance research needs with security risks
  • Legacy systems and data stores require ongoing security assessment
  • Incident response plans should address notification requirements for historical data

Supply Chain Security

npm Ecosystem Risks

The n8n supply chain attack demonstrates ongoing risks in software package ecosystems:

  • Community-contributed packages may be weaponized
  • OAuth tokens represent high-value targets for supply chain attacks
  • Automation platforms with broad integrations present expanded attack surfaces

Recommended Supply Chain Controls:

  • Implement package signing verification
  • Use private package registries with curated dependencies
  • Monitor for typosquatting and impersonation packages
  • Conduct regular audits of installed dependencies
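The two supply-chain checklists in this briefing (the "For Supply Chain Attacks" measures and the "Recommended Supply Chain Controls" above) share three mechanical checks: every pinned dependency carries a strong integrity hash, every tarball resolves from an approved registry, and no installed name is an unreviewed near-match of a curated package. The script below is an added example written for this briefing, not code from the briefing, from n8n or from npm; it reads the npm lockfileVersion 3 layout, and the lockfile, the curated allowlist, the package names and the hash values in it are all constructed placeholders.

```python
"""Audit an npm lockfile for supply-chain red flags before installing.

Added example for this briefing; it is not code from the briefing, from
n8n or from npm. The lockfile, the curated package list and the package
names are constructed for illustration; hashes are placeholders.
"""
import difflib
import json
from urllib.parse import urlsplit

# Packages that have been reviewed and approved for the project (constructed).
APPROVED = {"lodash", "n8n-nodes-base", "n8n-nodes-example-crm"}
# Registries the lockfile may resolve packages from.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}
# How similar an unapproved name must be to an approved one to count as a lookalike.
LOOKALIKE_RATIO = 0.9

# Constructed lockfile (npm lockfileVersion 3 layout). Hashes are placeholders.
SAMPLE_LOCKFILE = """\
{
  "name": "workflow-project",
  "lockfileVersion": 3,
  "packages": {
    "": { "name": "workflow-project" },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
      "integrity": "sha512-PLACEHOLDERHASH"
    },
    "node_modules/n8n-nodes-example-crm": {
      "version": "1.2.0",
      "resolved": "https://registry.npmjs.org/n8n-nodes-example-crm/-/n8n-nodes-example-crm-1.2.0.tgz",
      "integrity": "sha512-PLACEHOLDERHASH"
    },
    "node_modules/n8n-nodes-exampel-crm": {
      "version": "1.2.1",
      "resolved": "https://registry.npmjs.org/n8n-nodes-exampel-crm/-/n8n-nodes-exampel-crm-1.2.1.tgz",
      "integrity": "sha512-PLACEHOLDERHASH"
    },
    "node_modules/n8n-nodes-oauth-helper": {
      "version": "0.0.3",
      "resolved": "https://cdn.example-mirror.net/n8n-nodes-oauth-helper-0.0.3.tgz",
      "integrity": "sha1-PLACEHOLDERHASH"
    }
  }
}
"""


def package_name(path):
    """'node_modules/@scope/pkg' or a nested node_modules path -> package name."""
    return path.rsplit("node_modules/", 1)[-1]


def check_package(name, meta):
    """Return the list of findings for one lockfile entry (empty = clean)."""
    findings = []
    # 1. The lock must pin a strong subresource-integrity hash.
    if not meta.get("integrity", "").startswith("sha512-"):
        findings.append("missing or weak integrity hash")
    # 2. The tarball must come from an approved registry, not an arbitrary host.
    host = urlsplit(meta.get("resolved", "")).hostname or "none"
    if host not in ALLOWED_REGISTRY_HOSTS:
        findings.append(f"resolved from unapproved host '{host}'")
    # 3. Only curated packages may be installed ...
    if name not in APPROVED:
        findings.append("not in curated allowlist")
        # 4. ... and an unapproved name that nearly matches an approved one
        #    is the classic typosquat / impersonation pattern.
        for approved in sorted(APPROVED):
            if difflib.SequenceMatcher(None, name, approved).ratio() >= LOOKALIKE_RATIO:
                findings.append(f"looks like approved package '{approved}'")
                break
    return findings


def audit_lockfile(lock_text):
    """Map each flagged package name to its findings."""
    lock = json.loads(lock_text)
    report = {}
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = package_name(path)
        findings = check_package(name, meta)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_lockfile(SAMPLE_LOCKFILE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

On the constructed lockfile the two approved packages pass, `n8n-nodes-exampel-crm` is reported as an unapproved lookalike of the curated CRM node, and `n8n-nodes-oauth-helper` collects three findings at once (weak hash, unapproved mirror host, not curated). Wiring a check like this into CI before `npm ci` runs turns the "verify integrity" and "audit dependencies" items into a gate rather than a periodic chore.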

Cross-Sector Dependencies

AI Integration Risks

Multiple developments this week highlight growing AI integration across sectors:

  • Anthropic's Claude healthcare integration introduces AI into sensitive medical data handling
  • Apple's Siri integration with Google Gemini expands AI dependencies in consumer technology
  • LLM API targeting by threat actors could enable AI-powered attacks

Organizations should assess AI dependencies and implement appropriate security controls as these technologies become embedded in critical operations.

Salesforce Security Tool

Mandiant has released AuraInspector, a tool for auditing Salesforce Aura applications for data exposure. Organizations using Salesforce should consider incorporating this tool into security assessments.

Source: Mandiant Blog - AuraInspector: Auditing Salesforce Aura for Data Exposure

Regulatory & Policy Developments

Federal Developments

CISA Emergency Directive Management

CISA's closure of ten Emergency Directives from 2019-2024 signals a maturing approach to federal cybersecurity governance. Organizations should:

  • Review compliance status with remaining active directives
  • Update security documentation to reflect closed directives
  • Maintain implemented controls even after directive closure

FBI Leadership Change

Christopher Raia has been named FBI Co-Deputy Director. Leadership transitions may influence priorities for cyber investigations and critical infrastructure protection initiatives.

Source: Homeland Security Today - Christopher Raia Named FBI Co-Deputy Director

International Developments

EU Google-Wiz Acquisition Review

The European Union has set a February deadline for its verdict on Google's $32 billion acquisition of cloud security firm Wiz. The deal has already received U.S. government approval. This acquisition could significantly impact the cloud security market and available tools for critical infrastructure protection.

Source: SecurityWeek - EU Sets February Deadline for Verdict on Google's $32B Wiz Acquisition

UK Ofcom Investigation of X

British regulator Ofcom has opened an investigation into X (formerly Twitter) regarding the platform's role in facilitating nonconsensual deepfake pornography. This investigation may have implications for content moderation requirements affecting communications platforms.

Source: CyberScoop - British regulator Ofcom opens investigation into X

California Data Broker Enforcement

The California Privacy Protection Agency (CPPA) is cracking down on data brokers trading personal data without authorization. This enforcement action may impact data availability for both legitimate and malicious purposes.

Source: Infosecurity Magazine - California Shuts Down Health Data Resales By Unregistered Brokers

Standards Development

NIST Secure Hardware Standards

NIST's SUSHI (Secure Hardware) initiative is advancing next-generation secure hardware standards to enhance hardware security for national defense and emerging technologies. This initiative addresses semiconductor security amid global supply chain concerns.

Source: NIST - SUSHI@NIST: Rolling Next-Generation Secure Hardware into Standards

Training & Resource Spotlight

Security Industry Resources

CISO Priorities for 2026

CSO Online has published analysis of the top 10 cybersecurity priorities for CISOs in 2026, providing strategic guidance for security leaders across sectors. Key themes include AI security, supply chain resilience, and evolving regulatory compliance.

Source: CSO Online - CISOs' top 10 cybersecurity priorities for 2026

AI-Enabled Security Vendor Assessment

CSO Online has published a CISO-informed ranking of the top 10 vendors for AI-enabled security solutions, providing guidance for organizations evaluating AI security tools.

Source: CSO Online - Top 10 vendors for AI-enable

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.