Russian Sandworm Strikes Polish Power Grid as Microsoft Issues Emergency Office Zero-Day Patch
Executive Summary
This week's intelligence cycle reveals significant threats across multiple critical infrastructure sectors, with nation-state actors and cybercriminals demonstrating increasingly sophisticated capabilities. The following developments require immediate attention from infrastructure owners and operators:
- Energy Sector Attack: Russia's Sandworm APT group has been attributed to a destructive wiper attack against Poland's power grid, the group's first confirmed destructive attack on a NATO member's energy infrastructure and its most serious grid attack since the 2015-2016 Ukrainian grid attacks. This represents a significant escalation in nation-state targeting of European critical infrastructure.
- Active Zero-Day Exploitation: Microsoft released emergency out-of-band patches for CVE-2026-21509, a high-severity Office zero-day vulnerability actively exploited in targeted attacks. Organizations should prioritize immediate patching across all Microsoft Office deployments.
- Physical Access Control Vulnerabilities: Over 20 vulnerabilities discovered in Dormakaba access control systems could allow attackers to unlock doors at major European facilities, highlighting the convergence of cyber and physical security risks.
- Supply Chain Compromise: A supply chain breach in eScan antivirus software is distributing signed malware through legitimate update channels, demonstrating continued adversary focus on trusted software distribution mechanisms.
- Policy Shift: OMB has rescinded the Biden-era secure software attestation memo, making the common attestation form voluntary for federal contractors—a development that may impact software security requirements across government supply chains.
Threat Landscape
Nation-State Threat Actor Activities
Russian Federation - Sandworm (GRU Unit 74455): Polish authorities and cybersecurity researchers have attributed a destructive cyberattack on Poland's electricity grid to Russia's Sandworm APT group. The attack deployed data-wiping malware against operational technology systems; the full operational impact remains under investigation. This is a significant escalation: Sandworm's first confirmed destructive attack against a NATO member's energy infrastructure, and its most serious grid attack since the landmark attacks on Ukraine's power grid in 2015-2016.
Analysis: The timing coincides with heightened geopolitical tensions and suggests Russia may be testing NATO's collective defense posture in cyberspace. Energy sector operators across NATO countries should elevate their defensive posture and review incident response procedures.
Source: SecurityWeek, CSO Online
North Korea - Konni Group: The Konni threat actor has been observed deploying AI-generated PowerShell malware targeting blockchain developers and engineering teams. This represents a notable evolution in the group's tradecraft, leveraging artificial intelligence tools to generate malicious code that may evade traditional signature-based detection.
Source: The Hacker News
Ransomware and Cybercriminal Developments
World Leaks Ransomware Group: The group has claimed responsibility for a significant data breach at Nike, posting what they allege is 1.4TB of stolen data. Nike is reportedly investigating the claims. This incident underscores the continued threat ransomware groups pose to major enterprises.
Source: Infosecurity Magazine
ShinyHunters Campaign: A coordinated campaign attributed to ShinyHunters has targeted multiple organizations including Crunchbase, SoundCloud, and Betterment. The group is using vishing (voice phishing) calls during which operators stand up look-alike login sites in real time, so that whatever the victim types or approves is relayed to the real service. Real-time phishing of this kind defeats OTP- and push-based multi-factor authentication; phishing-resistant MFA (FIDO2/WebAuthn) is not relayed the same way, because the credential is bound to the legitimate site's origin.
Source: CyberScoop, SecurityWeek
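The relying-party side of that distinction, as an added illustration (not code from any of the cited reports): the checks a WebAuthn verifier performs on an assertion before it even looks at the signature. A proxy that serves the login page from its own domain cannot produce a clientDataJSON whose origin is the real site (the browser fills that field in), and the authenticator itself refuses to sign for a mismatched RP ID, so the assertion never arrives in the first place; the RP-side check is defense in depth. The RP ID, allowed origin, challenge and assertion bytes below are constructed. Signature verification with the stored credential public key is the final step and is left out because it needs a crypto library.

```python
"""Relying-party checks on a WebAuthn assertion that a real-time phishing
proxy cannot satisfy: ceremony type, challenge, origin, rpIdHash, and the
user-presence flag. Signature verification (over authenticatorData plus
SHA-256(clientDataJSON) with the stored credential public key) is the
final step and needs a crypto library, so it is not shown here."""
import base64
import hashlib
import json
import secrets


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def check_assertion(client_data_json: bytes, authenticator_data: bytes,
                    expected_challenge: bytes, rp_id: str,
                    allowed_origins: set[str]) -> tuple[bool, str]:
    """Return (accepted, reason). Every check must pass before the signature
    is even worth verifying."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge is what the RP issued for this login; it is single-use.
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")),
                                  expected_challenge):
        return False, "challenge mismatch"
    # The browser writes the real page origin here; a proxy at
    # login-example.com cannot make it say login.example.com.
    if cd.get("origin") not in allowed_origins:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:  # UP (user present) flag
        return False, "user presence not asserted"
    return True, "ok"


# --- Constructed sample (not captured traffic) ---------------------------
RP_ID = "example.com"                       # assumption: the site's RP ID
ALLOWED = {"https://login.example.com"}     # assumption: legitimate origin
CHALLENGE = bytes.fromhex("a1b2c3d4e5f60718293a4b5c6d7e8f90")


def make_client_data(origin: str, challenge: bytes = CHALLENGE) -> bytes:
    """Build the clientDataJSON a browser would produce at `origin`."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


# authenticatorData = rpIdHash (32) + flags (1, UP set) + signCount (4)
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (7).to_bytes(4, "big")

LEGIT = make_client_data("https://login.example.com")
PHISHED = make_client_data("https://login-example.com")  # the proxy's own origin

if __name__ == "__main__":
    print(check_assertion(LEGIT, AUTH_DATA, CHALLENGE, RP_ID, ALLOWED))
    print(check_assertion(PHISHED, AUTH_DATA, CHALLENGE, RP_ID, ALLOWED))
```

The order of the checks matters less than their completeness: an RP that verifies the signature but skips the origin and rpIdHash comparison has reintroduced exactly the relay problem that WebAuthn was designed to close.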
Stanley Malware-as-a-Service: A new MaaS toolkit called "Stanley" has emerged on cybercrime forums, priced at $2,000 to $6,000. The service promises to help threat actors create malicious Chrome extensions that pass Google's review process and are published to the Chrome Web Store, significantly lowering the barrier for browser-based attacks.
Source: SecurityWeek, Bleeping Computer
Emerging Attack Vectors
AI-Powered Attack Evolution: Multiple reports this week highlight the increasing use of artificial intelligence by threat actors. Beyond the Konni group's AI-generated malware, researchers have identified malicious VS Code extensions masquerading as AI coding assistants that have accumulated over 1.5 million installations while stealing developer source code. Additionally, malicious ChatGPT browser extensions are intercepting authenticated session tokens to hijack user accounts.
Source: The Hacker News, CyberScoop
ClickFix Attack Evolution: A new campaign combines the ClickFix social engineering technique with fake CAPTCHA prompts and signed Microsoft Application Virtualization (App-V) scripts to deliver the Amatera infostealer. The use of legitimately signed Microsoft components helps the malware evade security controls.
Source: Bleeping Computer
Sector-Specific Analysis
Energy Sector
CRITICAL - Polish Grid Attack: The Sandworm attack on Poland's power grid represents the most significant cyber incident affecting European energy infrastructure this year. While operational details remain limited, the deployment of wiper malware indicates destructive intent rather than espionage. Energy sector operators should:
- Review and validate network segmentation between IT and OT environments
- Ensure offline backups of critical operational configurations
- Verify incident response procedures and communication channels
- Monitor for indicators of compromise associated with Sandworm TTPs
Severe Weather Considerations: With nearly 200 million Americans under cold weather alerts following a major winter storm that has claimed at least 30 lives, energy infrastructure faces increased stress. Security leaders should be aware that malicious cyber actors may attempt to exploit weather-related crises when attention and resources are diverted to emergency response.
Source: Security Magazine, Homeland Security Today
Water & Wastewater Systems
No sector-specific incidents were reported this cycle. However, water utilities should note the broader threat environment, particularly the Sandworm activity against European infrastructure and the VMware vCenter vulnerability (see Vulnerability & Mitigation Updates), which may affect virtualized SCADA environments.
Communications & Information Technology
Cloudflare BGP Route Leak: A misconfiguration caused a 25-minute Border Gateway Protocol (BGP) route leak affecting IPv6 traffic, resulting in measurable congestion, packet loss, and approximately 12 Gbps of disrupted traffic. While not malicious, the incident highlights the fragility of internet routing and the potential impact of both accidental and intentional BGP manipulation.
Source: Bleeping Computer
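As an added example (not from the incident reports above), the origin check a network operator runs on received routes: RFC 6811 Route Origin Validation against published ROAs. The ROAs and announcements below are constructed from documentation prefixes and private ASNs.

```python
"""Route Origin Validation (RFC 6811) against a small constructed ROA set,
the check an operator runs to catch announcements with the wrong origin."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # e.g. "2001:db8::/32"
    max_length: int  # longest prefix the ASN may originate under this ROA
    asn: int         # 0 means "no AS may originate this prefix" (RFC 7607)


def _covers(roa: ROA, net) -> bool:
    roa_net = ipaddress.ip_network(roa.prefix)
    return roa_net.version == net.version and net.subnet_of(roa_net)


def validate(prefix: str, origin_asn: int, roas) -> str:
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin ASN)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if _covers(r, net)]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def summarize(announcements, roas) -> dict:
    """Tally ROV states for (prefix, origin ASN, AS path) tuples and list
    the invalid ones for follow-up."""
    counts = {"valid": 0, "invalid": 0, "not-found": 0}
    invalid = []
    for prefix, origin, as_path in announcements:
        state = validate(prefix, origin, roas)
        counts[state] += 1
        if state == "invalid":
            invalid.append((prefix, origin, as_path))
    return {"counts": counts, "invalid": invalid}


# --- Constructed sample (documentation prefixes, private ASNs) ------------
ROAS = [
    ROA("2001:db8::/32", 48, 64496),
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 24, 0),      # AS0: nothing may originate this
]
ANNOUNCEMENTS = [
    ("2001:db8:1::/48", 64496, [64500, 64496]),   # within maxLength, right AS
    ("2001:db8:1::/64", 64496, [64500, 64496]),   # too specific: invalid
    ("2001:db8::/32",   64497, [64500, 64497]),   # wrong origin: invalid
    ("203.0.113.0/24",  64496, [64500, 64496]),   # no ROA: not-found
    ("198.51.100.0/24", 64496, [64500, 64496]),   # AS0 ROA: invalid
]

if __name__ == "__main__":
    result = summarize(ANNOUNCEMENTS, ROAS)
    print(result["counts"])
    for row in result["invalid"]:
        print("INVALID", row)
```

ROV rejects announcements with the wrong origin AS or an over-specific prefix, which covers hijacks and many accidental leaks of more-specifics. A leak that re-announces a prefix with its legitimate origin, as happens when a transit session is misconfigured, passes ROV; catching that needs path-based controls (peer-lock filters, ASPA) and external monitoring of what the rest of the internet sees for your prefixes.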
Telnet Exposure: Shadowserver is tracking nearly 800,000 IP addresses with exposed Telnet services amid ongoing attacks exploiting a critical authentication bypass vulnerability in the GNU InetUtils telnetd. Organizations should audit their networks for legacy protocol exposure; a patch level cannot be read off a banner, so anything found listening on TCP/23 should be disabled unless there is a documented reason to keep it.
Source: Bleeping Computer
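An added example for that audit (not code from Shadowserver or the cited articles): most Telnet daemons open the session with IAC option negotiation before printing any prompt, so a listener on TCP/23 can be confirmed as Telnet from its first bytes rather than by port number alone. The greeting below is constructed; probe() does the network side for an internal sweep.

```python
"""Spot Telnet listeners by decoding the IAC option negotiation a telnetd
sends on connect; probe() is the network side for an internal sweep."""
import socket

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
VERB = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}
# Common option codes (RFC 855 family); anything else is reported by number.
OPTIONS = {0: "BINARY", 1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE",
           31: "NAWS", 37: "AUTHENTICATION", 39: "NEW-ENVIRON"}


def parse_negotiation(data: bytes) -> list[tuple[str, str]]:
    """Return the (verb, option) pairs found in IAC sequences, in order."""
    out, i = [], 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            i += 1
            continue
        cmd = data[i + 1]
        if cmd in VERB and i + 2 < len(data):
            out.append((VERB[cmd], OPTIONS.get(data[i + 2], str(data[i + 2]))))
            i += 3
        elif cmd == SB:                          # skip subnegotiation to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                    # IAC IAC (escaped 0xFF) or bare command
            i += 2
    return out


def classify(banner: bytes) -> str:
    """'telnet' if options were negotiated, 'banner-only' for a bare login
    prompt (still Telnet, but a minimal daemon), else 'unknown'."""
    if parse_negotiation(banner):
        return "telnet"
    low = banner.lower()
    if b"login:" in low or b"password:" in low:
        return "banner-only"
    return "unknown"


def probe(host: str, port: int = 23, timeout: float = 3.0) -> bytes:
    """Read the service's opening bytes; b'' on refusal or timeout.
    Network side: not exercised by the constructed sample below."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(512)
    except OSError:
        return b""


# Constructed sample of a typical telnetd greeting: DO TERMINAL-TYPE,
# WILL ECHO, WILL SUPPRESS-GO-AHEAD, then a login prompt.
SAMPLE_TELNET = b"\xff\xfd\x18\xff\xfb\x01\xff\xfb\x03\r\nrouter login: "
SAMPLE_SSH = b"SSH-2.0-OpenSSH_9.6\r\n"   # constructed: what a non-Telnet service looks like

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:   # e.g. python telnet_audit.py 10.0.0.1 10.0.0.2
        print(host, classify(probe(host)))
```

Run it over the address ranges you own, from inside the network and from outside; the two lists rarely match, and the outside one is what Shadowserver and attackers see.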
TikTok Resolution: TikTok has finalized a deal to create a new American entity, avoiding a potential ban in the United States. This development has implications for communications infrastructure policy and foreign ownership of technology platforms.
Source: SecurityWeek
Transportation Systems
No sector-specific incidents were reported this cycle. Transportation operators should maintain awareness of the broader threat environment and ensure systems are patched against the actively exploited vulnerabilities detailed in this briefing.
Healthcare & Public Health
Blackmoon Malware Campaign: While primarily targeting Indian users through tax-themed phishing, the Blackmoon malware campaign demonstrates continued threat actor interest in multi-stage backdoor deployments. Healthcare organizations should ensure email security controls are configured to detect similar phishing techniques.
Source: The Hacker News
Financial Services
Coupang Class Action: Law firm Hagens Berman is leading a class action lawsuit against e-commerce company Coupang over security failures related to a June 2025 data breach. This case may establish precedents for corporate liability following security incidents.
Source: Infosecurity Magazine
BitLocker Key Disclosure: Reports indicate Microsoft has provided BitLocker encryption keys to law enforcement, raising concerns about enterprise data control and the security of cloud-backed encryption key storage. Organizations with strict data sovereignty requirements should evaluate their encryption key management practices.
Source: CSO Online
Commercial Facilities
Physical Access Control Vulnerabilities: Researchers discovered and reported over 20 vulnerabilities in Dormakaba physical access control systems that could allow attackers to remotely unlock doors at major European facilities. Patches have been released. Organizations using Dormakaba systems should verify they are running updated firmware and review physical access logs for anomalies.
Source: SecurityWeek
Vulnerability & Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| CVE | Product | Severity | Status | Action |
|---|---|---|---|---|
| CVE-2026-21509 | Microsoft Office | High | Actively exploited | Patch immediately (out-of-band update) |
| CVE-2024-XXXXX | VMware vCenter Server | Critical | Actively exploited (CISA KEV) | Patch immediately |
| Multiple | Dormakaba access control systems | High | Patched | Update firmware |
| CVE-XXXX-XXXXX | GNU InetUtils telnetd | Critical | Actively exploited | Disable Telnet; patch if it must remain |
Microsoft Office Zero-Day (CVE-2026-21509)
Impact: Security feature bypass enabling code execution in targeted attacks
Affected Products: Microsoft Office suite
Mitigation: Apply out-of-band security update immediately. This is Microsoft's second emergency patch release this week.
Source: SecurityWeek, Bleeping Computer, The Hacker News
VMware vCenter Server RCE
Impact: Remote code execution via crafted network packets
Status: CISA has added this 2024 vulnerability to the Known Exploited Vulnerabilities catalog after confirming active exploitation
Mitigation: Federal agencies have three weeks to patch per CISA directive. All organizations should prioritize patching virtualization infrastructure.
Source: Bleeping Computer, SecurityWeek
Supply Chain Vulnerabilities
eScan Antivirus: A supply chain compromise in eScan antivirus software is distributing multi-stage malware through legitimate, signed updates. Organizations using eScan should verify the integrity of recent updates and scan for indicators of compromise.
Source: Infosecurity Magazine
NPM/Yarn Package Managers: Researchers have identified weaknesses in the defense mechanisms NPM introduced after the "Shai-Hulud" supply-chain attacks. Threat actors can bypass these protections via Git dependencies. Development teams should audit dependency sources and implement additional supply chain security controls.
Source: Bleeping Computer, CSO Online
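As an added example (not from the research cited above), a quick audit of the dependency sources a project actually pulls: git-style specifiers in package.json, and lockfile entries resolved from anywhere other than a trusted registry or lacking an integrity hash. The trusted-registry list, the specifier pattern and both sample files are assumptions constructed for the example; the pattern is a heuristic, not npm's full specifier parser.

```python
"""Audit package.json specifiers and a v2/v3 package-lock.json for
dependencies that are fetched from Git (or any non-registry URL) and so
never pass through registry-side checks."""
import json
import re

# Assumption: the public registry is the only trusted source; add private
# registry URLs here.
TRUSTED_REGISTRIES = ("https://registry.npmjs.org/",)

# Specifier shapes npm treats as Git sources: explicit git URLs, hosted
# shortcuts, and the bare "owner/repo" GitHub shorthand. Heuristic only.
GIT_SPEC = re.compile(
    r"^(git\+[a-z]+://|git://|github:|gitlab:|bitbucket:|gist:|[\w.-]+/[\w.-]+(#.*)?$)",
    re.IGNORECASE,
)

DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def audit_manifest(pkg: dict) -> list[dict]:
    """Flag git-style specifiers in package.json."""
    findings = []
    for field in DEP_FIELDS:
        for name, spec in pkg.get(field, {}).items():
            if GIT_SPEC.match(spec):
                findings.append({"package": name, "field": field,
                                 "reason": "git specifier", "spec": spec})
    return findings


def audit_lockfile(lock: dict, trusted=TRUSTED_REGISTRIES) -> list[dict]:
    """Flag lockfile entries not resolved from a trusted registry or lacking
    an integrity hash. Works on the `packages` map of lockfile v2/v3."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "" or meta.get("link") or meta.get("inBundle"):
            continue  # root project, workspace symlink, bundled dependency
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        resolved = meta.get("resolved", "")
        if resolved.startswith(("git+", "git://")):
            reason = "git dependency"
        elif resolved and not resolved.startswith(trusted):
            reason = "non-registry source"
        elif not meta.get("integrity"):
            reason = "no integrity hash"
        else:
            continue
        findings.append({"package": name, "version": meta.get("version"),
                         "reason": reason, "resolved": resolved})
    return findings


def load_and_audit(pkg_path="package.json", lock_path="package-lock.json"):
    """Run both audits over files on disk (paths are the npm defaults)."""
    with open(pkg_path) as f, open(lock_path) as g:
        return audit_manifest(json.load(f)), audit_lockfile(json.load(g))


# --- Constructed sample (not a real project) -----------------------------
SAMPLE_PKG = {"name": "demo-app", "dependencies": {
    "tiny-util": "^1.3.0",
    "fast-utils": "github:example-org/fast-utils",
    "other-lib": "example-org/other-lib#v2",
}}
SAMPLE_LOCK = {"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "dependencies": SAMPLE_PKG["dependencies"]},
    "node_modules/tiny-util": {
        "version": "1.3.0",
        "resolved": "https://registry.npmjs.org/tiny-util/-/tiny-util-1.3.0.tgz",
        "integrity": "sha512-CONSTRUCTED"},
    "node_modules/fast-utils": {
        "version": "1.0.0",
        "resolved": "git+ssh://git@github.com/example-org/fast-utils.git#0123456789abcdef0123456789abcdef01234567"},
    "node_modules/vendored-lib": {
        "version": "2.0.0",
        "resolved": "https://cdn.example.com/vendored-lib-2.0.0.tgz",
        "integrity": "sha512-CONSTRUCTED"},
}}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_PKG) + audit_lockfile(SAMPLE_LOCK):
        print(finding)
```

The lockfile audit is the one to gate CI on: the manifest pattern misses plain tarball URLs, but every install path ends up in the lockfile's resolved field, and a registry URL plus an integrity hash is the minimum a reviewer should expect for each entry. Pin Git dependencies to a full commit hash if they cannot be removed, and treat an unpinned branch reference as equivalent to running unreviewed code.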
CISA Advisories
CISA has published its weekly vulnerability summary covering the week of January 19, 2026, cataloging high, medium, and low severity vulnerabilities. Security teams should review for any products in their environment.
Source: US-CERT
Resilience & Continuity Planning
Lessons from Recent Incidents
Polish Grid Attack Implications: The Sandworm attack on Poland's power grid reinforces several resilience principles:
- Offline backups: wipers destroy whatever they can reach, including network-attached backups; offline or immutable copies of critical data and of OT configurations (PLC logic, HMI projects, engineering workstation images), with restores tested, remain the most reliable recovery path
- OT/IT segmentation: enforced segmentation, with only audited conduits between IT and operational technology, limits lateral movement from a compromised corporate network into control systems
- Cross-border coordination: European energy operators should ensure communication channels with neighboring grid operators and national CERTs are tested and functional
Supply Chain Security Developments
This week's supply chain compromises (eScan antivirus, malicious VS Code extensions, NPM bypass techniques) highlight the need for:
- Software bill of materials (SBOM) implementation to track software components
- Verification of software signatures and update integrity
- Network monitoring for unexpected outbound connections from development tools
- Regular audits of browser extensions and IDE plugins across the organization
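As an added example serving the extension-audit point above and the Stanley, VS Code and ChatGPT extension items in the Threat Landscape (not code from any cited source), a triage score for browser-extension manifests based on the capabilities they request. The weights, the assumption that manifests are collected from a Chromium profile's Extensions directory, and the two sample manifests are all constructed for the example.

```python
"""Score browser-extension manifests by requested capability, the triage a
fleet audit would run over every extension found in user profiles."""
import json
import pathlib

# Weights are a judgment call for triage, not an official scale.
RISKY = {"debugger": 5, "nativeMessaging": 5, "proxy": 4, "webRequest": 4,
         "webRequestBlocking": 4, "cookies": 4, "scripting": 3, "history": 3,
         "clipboardRead": 3, "management": 3, "declarativeNetRequest": 3,
         "tabs": 2, "downloads": 2}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess(manifest: dict) -> dict:
    """Return a triage record: risky permissions, host reach, and a score."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    if manifest.get("manifest_version", 2) < 3:      # MV2 mixes hosts into permissions
        hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):   # content scripts reach pages too
        hosts |= set(cs.get("matches", []))
    risky = sorted(p for p in perms if p in RISKY)
    broad = bool(hosts & BROAD_HOSTS)
    score = sum(RISKY[p] for p in risky) + (4 if broad else 0)
    if broad and {"cookies", "webRequest", "scripting"} & perms:
        score += 3   # can read or rewrite traffic for every site
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "risky_permissions": risky, "broad_hosts": broad,
            "hosts": sorted(hosts), "score": score}


def audit_tree(root) -> list[dict]:
    """Assess every manifest.json under `root` (assumption: a Chrome/Chromium
    profile's Extensions directory or a collected copy), worst first."""
    results = []
    for m in pathlib.Path(root).rglob("manifest.json"):
        try:
            results.append(assess(json.loads(m.read_text(encoding="utf-8"))))
        except (ValueError, OSError):
            continue
    return sorted(results, key=lambda r: r["score"], reverse=True)


# --- Constructed sample manifests (not real extensions) ------------------
SUSPICIOUS = {"manifest_version": 3, "name": "AI Code Helper", "version": "1.2.0",
              "permissions": ["cookies", "webRequest", "storage", "tabs"],
              "host_permissions": ["<all_urls>"]}
BENIGN = {"manifest_version": 3, "name": "Word Counter", "version": "0.3.1",
          "permissions": ["storage", "activeTab"]}

if __name__ == "__main__":
    for r in sorted((assess(SUSPICIOUS), assess(BENIGN)), key=lambda r: -r["score"]):
        print(r["score"], r["name"], r["risky_permissions"], r["hosts"])
```

A high score is a prompt for review, not proof of malice; legitimate ad blockers and password managers score highly too. The useful signal is an extension whose stated purpose does not need the reach it asks for, which is exactly the profile of the "AI assistant" extensions and session-token stealers reported this week, and the same reasoning applies to IDE plugins once their manifests are collected.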
Severe Weather Response
With the ongoing winter storm affecting much of the United States, organizations should:
- Activate business continuity plans for facilities in affected regions
- Ensure remote access capabilities are secure and functional
- Maintain heightened security awareness as threat actors may exploit crisis conditions
- Verify backup power systems and fuel supplies for critical facilities
Regulatory & Policy Developments
Federal Policy Changes
OMB Secure Software Memo Rescinded: The Office of Management and Budget has rescinded the Biden-era secure software attestation memo, making the common attestation form voluntary for federal contractors. Critics have characterized this as the "first major policy step back" on cybersecurity under the current administration. Organizations that had been preparing for mandatory attestation requirements should monitor for updated guidance.
Analysis: While the immediate compliance burden is reduced, organizations selling to the federal government should consider maintaining secure development practices as future administrations may reinstate similar requirements. Additionally, many agencies may continue to require attestations through contract-specific provisions.
Source: CyberScoop
Post-Quantum Cryptography Guidance
CISA PQC Product Categories: CISA has released an initial list of post-quantum cryptography (PQC) capable hardware and software product categories to guide organizations in their transition planning. However, security experts caution that most products and backend internet protocols have yet to be updated to support PQC algorithms.
Recommendation: Organizations should begin inventorying cryptographic dependencies and developing migration roadmaps, while recognizing that full PQC transition will be a multi-year effort.
Source: CyberScoop, Infosecurity Magazine
International Developments
Ireland Digital Surveillance Powers: The Irish government is proposing legislation to expand police capabilities to intercept digital communications. This development may have implications for technology companies operating in Ireland and data privacy frameworks.
Source: Schneier on Security
Pall Mall Process: Industry, government, and nonprofit stakeholders met over the weekend to discuss voluntary rules for commercial hacking tools as part of the Pall Mall Process. Discussions revealed the complexity of regulating offensive security tools while preserving legitimate security research.
Source: CyberScoop
EU Regulatory Action
The European Commission has launched an investigation into X (formerly Twitter) regarding the deployment of its Grok AI tool, specifically examining whether the company properly assessed risks before enabling the generation of sexually explicit images. This action signals continued EU focus on AI governance and platform accountability.
Source: Bleeping Computer
Training & Resource Spotlight
New Frameworks and Guidance
NIST SUSHI Initiative: NIST has announced the "SUSHI@NIST" initiative, focused on rolling out next-generation secure hardware standards. The program aims to strengthen hardware security for national defense and emerging technologies amid geopolitical uncertainty and semiconductor supply chain concerns.
Source: NIST
Zero-Trust Data Governance: Industry analysts predict AI-driven data proliferation will accelerate zero-trust data governance adoption in 2026. Organizations should evaluate their data classification and access control frameworks.
Source: CSO Online
Threat Hunting Resources
SecurityWeek's "Cyber Insights 2026" series includes analysis of how threat hunting differs from reactive security and how the discipline will evolve with automation and AI. This resource provides valuable context for organizations building or maturing threat hunting capabilities.
Source: SecurityWeek
Executive Protection Guidance
Security Magazine has published guidance on safeguarding executives through proactive planning and online presence management, outlining a three-step approach: assess, design, and deliver. This resource is relevant given the increasing targeting of executives in social engineering campaigns.
Source: Security Magazine
Industry Investment
Cloud-native application protection platform (CNAPP) vendor Upwind has raised $250 million at a $1.5 billion valuation, indicating continued investor confidence in cloud security solutions. The company plans to expand its runtime-first cloud security offering across data, AI, and code protection.
Source: SecurityWeek
Looking Ahead: Upcoming Events & Considerations
Threat Periods Requiring Heightened Awareness
- Winter Storm Recovery (Ongoing): As critical infrastructure operators respond to severe weather impacts, maintain heightened security awareness for opportunistic attacks
- VMware Patching Deadline: Federal agencies have approximately three weeks to patch the actively exploited vCenter vulnerability per CISA directive
- Tax Season Preparation: The Blackmoon campaign targeting Indian users with tax-themed phishing may presage similar campaigns targeting other jurisdictions as tax seasons approach
Anticipated Developments
- Polish Grid Attack Attribution: Additional technical details and indicators of compromise from the Sandworm attack on Poland's power grid are expected as investigation continues
- PQC Implementation Guidance: Following CISA's product category list, additional implementation guidance for post-quantum cryptography migration is anticipated
- Secure Software Policy: Monitor for agency-specific responses to the OMB memo rescission and potential contract-level attestation requirements
Seasonal Considerations
- Cold Weather Infrastructure Stress: Energy and water infrastructure face increased demand and potential equipment failures during extreme cold
- Remote Work Security: Weather-related office closures may increase remote access usage; ensure VPN and remote access security controls are robust
Security Conference Calendar
Organizations should monitor announcements for upcoming security conferences and training opportunities in Q1 2026. Major events typically release detailed agendas 4-6 weeks in advance.
This intelligence briefing is compiled from open-source reporting and is intended to support critical infrastructure protection efforts. Recipients are encouraged to share relevant information with sector partners through appropriate channels. For questions or to report incidents, contact CISA at 1-888-282-0870 or report@cisa.gov.
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.