Russian Sandworm Attack Bricks ICS Devices Across Polish Power Grid; Ivanti Zero-Days Under Active Exploitation

Executive Summary

This week's intelligence cycle is dominated by a significant Russia-linked cyberattack against Polish critical infrastructure and multiple actively exploited zero-day vulnerabilities requiring immediate attention from infrastructure operators.

  • PRIORITY ALERT - Energy Sector Attack: Russian threat actor Sandworm (also tracked as Electrum) conducted a destructive cyberattack against Poland's power grid, bricking industrial control system (ICS) devices at 30 sites. This represents a significant escalation in nation-state targeting of European energy infrastructure and demonstrates continued Russian willingness to conduct destructive operations against NATO allies.
  • CRITICAL VULNERABILITIES: Ivanti has released emergency patches for two zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Endpoint Manager Mobile (EPMM) that are under active exploitation. Organizations using Ivanti EPMM should prioritize immediate patching. Additionally, SolarWinds has patched four critical vulnerabilities in Web Help Desk that could allow unauthenticated remote code execution.
  • Threat Actor Evolution: CrowdStrike reports that the North Korean Lazarus Group has split into three distinct operational units, each focused on espionage and cryptocurrency theft. This organizational restructuring may indicate increased operational tempo and specialization.
  • AI Infrastructure Abuse: Multiple reports highlight the growing exploitation of AI infrastructure, including 175,000 publicly exposed Ollama AI servers and a large-scale "LLMjacking" operation monetizing hijacked large language models. Critical infrastructure organizations deploying AI capabilities should audit their exposure.
  • Regulatory Development: The U.S. government is pushing to establish global AI cybersecurity standards, with implications for critical infrastructure operators integrating AI into operational environments.

Threat Landscape

Nation-State Threat Actor Activities

Russia - Sandworm/Electrum (PRIORITY): The Russian military intelligence (GRU) affiliated threat group Sandworm conducted a destructive cyberattack against Poland's power grid infrastructure. The attack targeted communication and control systems at 30 sites, resulting in bricked ICS devices. This operation demonstrates:

  • Continued Russian targeting of NATO member critical infrastructure
  • Capability and willingness to conduct destructive (not just disruptive) operations
  • Focus on energy sector as a strategic target
  • Potential for similar attacks against other European and North American energy infrastructure

Source: SecurityWeek

China - UAT-8837: WaterISAC has issued a TLP:GREEN advisory regarding China-nexus APT group UAT-8837 targeting critical infrastructure in North America. Details are restricted to WaterISAC members, but this represents continued Chinese interest in U.S. critical infrastructure reconnaissance and potential pre-positioning.

Source: WaterISAC

North Korea - Lazarus Group Reorganization: CrowdStrike analysis reveals the Lazarus Group has split into three distinct operational units sharing common lineage. Each unit maintains focus on espionage and cryptocurrency theft operations. This reorganization may indicate:

  • Increased operational specialization and efficiency
  • Potential for more sophisticated, targeted campaigns
  • Continued prioritization of financial theft to fund regime activities

Source: CyberScoop

China - Trade Secret Theft: A former Google engineer has been convicted in the U.S. for stealing over 2,000 AI trade secrets intended for a China-based startup. This case underscores the persistent insider threat from nation-state recruitment of personnel with access to sensitive technology.

Source: The Hacker News

Ransomware and Cybercriminal Developments

RAMP Forum Takedown: The FBI has successfully taken down the RAMP ransomware forum, a significant dark web marketplace for ransomware operators. The forum administrator confirmed the takedown and stated they have "no plans to rebuild." This represents a meaningful disruption to ransomware-as-a-service ecosystems.

Source: Infosecurity Magazine

Ransomware Trends: Despite the reduction in active extortion groups, ransomware victim numbers rose in Q4 2025, with data leaks increasing 50% according to ReliaQuest researchers. This suggests remaining groups are becoming more efficient and prolific.

Source: Infosecurity Magazine

ShinyHunters Vishing Campaign: The ShinyHunters threat group has ramped up a new voice phishing (vishing) campaign with hundreds of targets in the crosshairs. Organizations should alert employees to the increased risk of sophisticated phone-based social engineering.

Source: CSO Online

Initial Access Broker Evolution: Threat actor TA584, a prolific initial access broker, has been observed using the Tsundere Bot alongside XWorm RAT to gain network access that could lead to ransomware attacks. This represents evolving tooling among access brokers.

Source: Bleeping Computer

Emerging Attack Vectors

AI Infrastructure Exploitation: Multiple concerning developments in AI infrastructure abuse:

  • Exposed Ollama Servers: SentinelOne and Censys identified 175,000 publicly accessible Ollama AI servers across 130 countries, creating an "unmanaged, publicly accessible layer" of AI infrastructure vulnerable to abuse.
  • Operation Bizarre Bazaar: An LLMjacking operation is targeting exposed LLMs and Model Context Protocol (MCP) servers at scale for commercial monetization.
  • Hugging Face Abuse: Threat actors are using the Hugging Face platform to distribute thousands of Android malware variants targeting financial and payment services.

Sources: The Hacker News, SecurityWeek, Bleeping Computer

Record-Breaking DDoS: The Aisuru/Kimwolf botnet launched a record-setting DDoS attack in December 2025, peaking at 31.4 Tbps and 200 million requests per second. Critical infrastructure operators should review DDoS mitigation capabilities.

Source: Bleeping Computer

Domain Registration Vulnerabilities: A senior Secret Service official has highlighted the internet domain registration system as a "staggering" cybersecurity weakness that malicious actors can exploit but is often overlooked by defenders.

Source: CyberScoop

Sector-Specific Analysis

Energy Sector

CRITICAL - Polish Power Grid Attack: The Sandworm attack on Poland's power grid represents the most significant energy sector cyber incident this week. Key details:

  • 30 sites affected with communication and control systems targeted
  • ICS devices were bricked (rendered permanently inoperable)
  • Attack attributed to Russian GRU-affiliated Sandworm/Electrum group
  • Demonstrates capability for destructive attacks against Western energy infrastructure

Recommended Actions for Energy Sector:

  • Review and enhance network segmentation between IT and OT environments
  • Audit remote access capabilities to ICS/SCADA systems
  • Ensure backup communication systems are available and tested
  • Verify ICS device firmware integrity and maintain offline backups
  • Increase monitoring for Sandworm TTPs in network traffic

Source: SecurityWeek

OT Cybersecurity Gaps Study: A comprehensive study by OMICRON examining over 100 energy systems has revealed widespread cybersecurity gaps in OT networks of substations, power plants, and control centers worldwide. Energy sector operators should review the findings for applicability to their environments.

Source: The Hacker News

Water & Wastewater Systems

China-Nexus Targeting: WaterISAC has issued an advisory regarding APT group UAT-8837 targeting North American critical infrastructure, including water sector assets. Water utilities should review the TLP:GREEN advisory through WaterISAC membership channels.

Cross-Sector Impact - Substation Vandalism: WaterISAC reports an incident where vandalism at an electric substation led to an oil leak and subsequent "Do Not Consume" water advisory. This highlights the interconnected nature of critical infrastructure and potential for cascading impacts from physical security incidents.

Winter Storm Impacts: A massive winter storm has caused power outages and hazardous conditions affecting water utility operations. Utilities should review cold weather preparedness and backup power capabilities.

EPA Threat Briefing: The EPA is hosting its annual Water Sector Threat Briefing next month. Water sector stakeholders should plan to participate for updated threat intelligence.

Source: WaterISAC

Communications & Information Technology

IPIDEA Proxy Network Disruption: Google Threat Intelligence Group, in coordination with industry partners, has disrupted IPIDEA, described as one of the world's largest residential proxy networks. The network enrolled devices through SDKs for mobile and desktop applications and was frequently abused by threat actors for malicious activities.

Sources: SecurityWeek, Bleeping Computer

Microsoft Teams Security Enhancement: Microsoft plans to introduce a call reporting feature in Teams by mid-March 2026, allowing users to flag suspicious or unwanted calls as potential scams or phishing attempts. This will enhance organizational ability to identify and respond to voice-based social engineering.

Source: Bleeping Computer

Windows 11 Boot Issues: Microsoft has linked recent Windows 11 boot failures following January 2026 updates to previously failed December 2025 security update installations. IT administrators should verify update status on affected systems.

Source: Bleeping Computer

Transportation Systems

Enhanced Passenger Processing: CBP and Philadelphia International Airport have launched enhanced passenger processing for U.S. travelers returning from overseas, potentially impacting airport operations and security procedures.

Source: Homeland Security Today

Healthcare & Public Health

No sector-specific incidents reported this cycle. However, healthcare organizations should note the Ivanti EPMM vulnerabilities, as mobile device management platforms are widely used in healthcare environments for managing clinical devices.

Financial Services

Match Group Data Breach: Match Group, owner of Tinder, Match.com, Meetic, OkCupid, and Hinge, confirmed a cybersecurity incident compromising user data across multiple platforms. While Match Group is not a financial services company, this breach may expose data that could be used for identity theft and financial fraud.

Source: Bleeping Computer

Marquis Software Ransomware Impact: Marquis Software Solutions, a Texas-based financial services provider, has attributed a ransomware attack that impacted dozens of U.S. banks and credit unions in August 2025 to a SonicWall cloud backup compromise. Financial institutions should review third-party vendor security, particularly backup service providers.

Source: Bleeping Computer

Android Financial Malware: Thousands of Android malware variants targeting financial and payment services are being distributed through the Hugging Face platform. Financial institutions should alert customers and review mobile banking security controls.

Source: Bleeping Computer

Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

Product                   | CVE(s)                        | Severity | Status                        | Action Required
--------------------------|-------------------------------|----------|-------------------------------|--------------------------
Ivanti EPMM               | CVE-2026-1281, CVE-2026-1340  | Critical | Actively Exploited (Zero-Day) | Patch Immediately
SolarWinds Web Help Desk  | Multiple (4 CVEs)             | Critical | Patch Available               | Patch Immediately
SmarterMail               | CVE-2026-XXXX (CVSS 9.3)      | Critical | Patch Available               | Patch Within 24-48 Hours
n8n Automation Platform   | Two RCE flaws                 | High     | Patch Available               | Patch Within 72 Hours

Ivanti EPMM Zero-Days (PRIORITY)

Ivanti has released emergency patches for two critical vulnerabilities in Endpoint Manager Mobile (EPMM) that are under active zero-day exploitation:

  • CVE-2026-1281 and CVE-2026-1340: Allow unauthenticated attackers to execute arbitrary code remotely
  • One vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog
  • Organizations using Ivanti EPMM should treat this as an emergency patching priority

Mitigation: Apply Ivanti security updates immediately. If patching is not immediately possible, consider isolating EPMM systems from internet access until patches can be applied.

Sources: SecurityWeek, The Hacker News, Bleeping Computer

SolarWinds Web Help Desk

SolarWinds has patched four critical vulnerabilities in Web Help Desk that could allow:

  • Unauthenticated remote code execution
  • Authentication bypass

Given SolarWinds' history as a target for sophisticated threat actors, organizations should prioritize these patches.

Sources: SecurityWeek, The Hacker News, CSO Online

SmarterMail RCE

SmarterTools has addressed a critical unauthenticated RCE vulnerability (CVSS 9.3) in SmarterMail email software. Organizations using SmarterMail should apply updates promptly.

Source: The Hacker News

n8n Automation Platform

Critical RCE vulnerabilities in the n8n automation platform could allow host-level compromise through weaknesses in the AST sanitization logic of the sandbox mechanism. Organizations using n8n for workflow automation should patch immediately.

Sources: SecurityWeek, CSO Online

CISA Guidance

Insider Threat Guidance: CISA has published new guidance targeting insider threat risks, including an infographic offering strategies to manage these risks. Organizations should review and incorporate this guidance into their security programs.

Source: Infosecurity Magazine

FBI Operation Winter SHIELD

The FBI has issued a call to action for organizations to improve cybersecurity, outlining ten specific actions to defend networks against cybercriminal and nation-state threats. Organizations should review these recommendations for applicability.

Source: Infosecurity Magazine

Resilience & Continuity Planning

Lessons Learned

Polish Power Grid Attack Implications: The Sandworm attack on Poland's power grid offers several lessons for critical infrastructure operators:

  • Destructive Capability: Nation-state actors are willing and able to permanently damage ICS equipment, not just disrupt operations
  • Scale of Targeting: 30 sites were affected simultaneously, indicating coordinated, well-resourced operations
  • Communication Systems as Targets: Communication and control systems were specifically targeted, highlighting the need for resilient backup communications
  • Geographic Expansion: While Ukraine has been the primary target, this attack demonstrates willingness to target NATO allies

Third-Party Vendor Risk: The Marquis Software ransomware incident, attributed to a SonicWall cloud backup compromise, underscores the importance of:

  • Rigorous vendor security assessments
  • Understanding the security posture of backup and recovery service providers
  • Maintaining offline or air-gapped backup copies for critical data

Crisis Communication

Security Magazine highlights that trust is lost in minutes during a crisis, and clear, human communication is the only way to recover it. Organizations should review and test crisis communication plans, ensuring:

  • Pre-drafted communication templates for various incident types
  • Clear chains of communication authority
  • Stakeholder notification procedures
  • Media response protocols

Source: Security Magazine

Cross-Sector Dependencies

This week's reporting highlights several cross-sector dependencies:

  • Energy → Water: Electric substation vandalism leading to water contamination advisory
  • Weather → Multiple Sectors: Winter storm impacts on power and water utilities
  • IT Services → Financial: Backup service provider compromise affecting banks and credit unions

Incident Response Guidance

WaterISAC has published guidance on "What to Do When Your Organization Has Been Compromised by a Cyber Attack." While targeted at water utilities, the guidance is applicable across sectors.

Source: WaterISAC

Regulatory & Policy Developments

U.S. AI Cybersecurity Standards Initiative

The Trump administration is pushing to establish U.S. views on AI cybersecurity standards globally and envisions AI playing a role in protecting federal government networks. Critical infrastructure operators should monitor these developments for potential compliance implications.

Source: CyberScoop

NIST AI Guidance

NIST has released new AI guidance that pushes cybersecurity boundaries. Organizations deploying AI in critical infrastructure environments should review this guidance for applicability to their implementations.

Source: CSO Online

EU Vulnerability Database

The EU's answer to the CVE system aims to solve dependency issues but introduces potential fragmentation risks. Organizations operating in both U.S. and EU jurisdictions should prepare for potential dual vulnerability tracking requirements.

Source: CSO Online

GDPR Enforcement

France Travail Fine: The French data protection authority (CNIL) has fined the national employment agency €5 million for GDPR violations related to a 2024 data breach. This enforcement action demonstrates continued regulatory focus on data protection compliance.

Sources: Bleeping Computer, Infosecurity Magazine

Rising GDPR Violations: Reports indicate GDPR violation reports have risen sharply, suggesting increased regulatory scrutiny and enforcement activity.

Source: CSO Online

Data Breach Trends

The Identity Theft Resource Center (ITRC) reports that U.S. data breaches increased 5% annually to reach a record total in 2025, though individual victim numbers declined. This suggests fewer but larger breaches affecting more records per incident.

Source: Infosecurity Magazine

Training & Resource Spotlight

Workforce Development

Cybersecurity Profession Growth: Cybersecurity is now the fifth fastest-growing occupation in the UK, with the number of cybersecurity professionals surging 194% in four years. This trend likely mirrors growth in other developed nations and indicates improving workforce availability.

Source: Infosecurity Magazine

Human Risk Management

CSO Online examines human risk management as a solution to the security awareness training paradox. CISOs should consider evolving beyond traditional awareness training to more comprehensive human risk management programs.

Source: CSO Online

Shadow AI Risk

Research indicates roughly half of employees are using unsanctioned AI tools, with enterprise leaders being major culprits. Organizations should:

  • Develop clear AI acceptable use policies
  • Provide sanctioned AI tools that meet employee needs
  • Monitor for unauthorized AI tool usage
  • Train employees on AI security risks

Source: CSO Online

Physical Security Resources

WaterISAC has published a physical security fact sheet on "Keys & Locks" as part of ongoing security and resilience updates. Physical security remains a critical component of infrastructure protection.

Source: WaterISAC

Industry Partnerships

PwC-Google Cloud Partnership: PwC and Google Cloud have announced a $400 million deal to scale AI-powered defense capabilities. This follows a recent multibillion-dollar AI and cloud security deal between Palo Alto Networks and Google Cloud, indicating significant industry investment in AI-enhanced security.

Source: SecurityWeek

Conference Guide

CSO Online has published an updated guide to top security conferences for 2026. Security professionals should review for professional development and networking opportunities.

Source: CSO Online

Looking Ahead: Upcoming Events

February 2026

EPA Annual Water Sector Threat Briefing

  • Date: February

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.