State-Sponsored 'Shadow Campaigns' Hit 155 Countries as CISA Orders Removal of Unsupported Edge Devices; BridgePay Ransomware Disrupts Payment Systems
Critical Infrastructure Intelligence Briefing
Reporting Period: January 31 – February 7, 2026
Published: Saturday, February 7, 2026
1. Executive Summary
This week's intelligence landscape is dominated by three significant developments requiring immediate attention from critical infrastructure stakeholders:
- Global Espionage Campaign: A newly identified state-aligned threat group (TGR-STA-1030/UNC6619) has conducted the "Shadow Campaigns" operation targeting government infrastructure across 155 countries, representing one of the most extensive espionage operations observed in recent years.
- CISA Emergency Action on Edge Devices: CISA has issued orders requiring Federal Civilian Executive Branch agencies to remove unsupported edge network devices, following confirmed exploitation by state-sponsored actors. Private sector organizations should treat this as an urgent call to audit their own edge device inventories.
- Financial Sector Disruption: BridgePay, a major U.S. payment gateway provider, confirmed a ransomware attack causing widespread service outages affecting multiple downstream financial services—a reminder of cascading risks in interconnected payment ecosystems.
- China-Nexus Router Compromise Framework: Security researchers have disclosed DKnife, a sophisticated adversary-in-the-middle framework operated by China-linked actors since 2019, targeting routers for traffic hijacking and malware delivery.
- Targeted Messaging App Attacks: German intelligence agencies warn of state-sponsored phishing campaigns targeting politicians, military personnel, and journalists via Signal, indicating elevated risk for high-value individuals across sectors.
2. Threat Landscape
Nation-State Threat Actor Activities
Shadow Campaigns – Global Government Targeting (TGR-STA-1030/UNC6619)
- A state-aligned cyberespionage group has been attributed to a massive operation targeting government infrastructure in 155 countries.
- The campaign's scale suggests significant resources and sophisticated operational security.
- Critical infrastructure operators with government contracts or connections should review network telemetry for indicators of compromise.
- Source: Bleeping Computer
China-Linked DKnife Framework
- Researchers have exposed DKnife, an adversary-in-the-middle (AitM) framework operated by China-nexus threat actors since at least 2019.
- The toolkit specifically targets routers and edge devices to hijack traffic, conduct surveillance, and deliver malware.
- Notably, the framework has also been observed targeting China-based routers and users, suggesting it serves both domestic surveillance and international espionage purposes.
- Sources: The Hacker News, Bleeping Computer, Infosecurity Magazine
Signal Phishing Targeting High-Value Individuals
- Germany's BfV and BSI have issued a joint advisory warning of state-sponsored phishing attacks via Signal targeting politicians, military personnel, and journalists.
- The campaign exploits trust in encrypted messaging platforms to compromise high-value targets.
- Critical infrastructure executives and security personnel using Signal should implement additional verification protocols for unexpected messages.
- Sources: The Hacker News, Bleeping Computer
Ransomware and Cybercriminal Developments
BridgePay Ransomware Attack
- BridgePay, a major U.S. payment gateway and solutions provider, confirmed ransomware as the cause of ongoing service outages.
- The incident began Friday and continues to affect multiple services, with downstream impacts on merchants and financial institutions.
- This attack underscores the systemic risk posed by ransomware targeting financial infrastructure chokepoints.
- Source: Bleeping Computer
SmarterMail RCE Exploited in Ransomware Attacks
- CISA has warned that CVE-2026-24423, an unauthenticated remote code execution vulnerability in SmarterMail, is being actively exploited in ransomware campaigns.
- Organizations using SmarterMail should prioritize immediate patching or mitigation.
- Source: Bleeping Computer
Emerging Attack Vectors
PDF-Based Attack Techniques ("Pretend Disk Format")
- New research highlights evolving PDF-based attack techniques that evade traditional security controls.
- Organizations should review PDF handling policies and ensure endpoint protection includes updated PDF analysis capabilities.
- Source: CSO Online
Browser-Native Attacks Evading Traditional Security
- Analysis indicates that many modern attacks occur entirely within browsers, leaving minimal evidence for EDR, email security, and SASE solutions.
- Security teams should evaluate browser-specific visibility and control solutions.
- Source: Bleeping Computer
3. Sector-Specific Analysis
Energy Sector
- Edge Device Risk: CISA's directive on unsupported edge devices has direct implications for energy sector SCADA and remote monitoring systems. Many operational technology environments rely on edge devices with extended lifecycles that may no longer receive security updates.
- Recommended Action: Energy sector operators should conduct immediate inventories of edge devices, particularly those at remote substations, pipeline monitoring stations, and generation facilities.
Water & Wastewater Systems
- Router Compromise Risk: The DKnife framework's focus on router-level compromise poses elevated risk for water utilities, which often rely on commodity networking equipment for remote site connectivity.
- Recommended Action: Water utilities should verify router firmware versions, implement network segmentation, and monitor for anomalous traffic patterns indicative of AitM activity.
Communications & Information Technology
- n8n Automation Platform Vulnerabilities: Six additional vulnerabilities have been discovered in the n8n automation platform, which is increasingly used for workflow automation in IT environments.
- Substack Data Breach: The newsletter platform confirmed a data breach compromising "limited user data." Organizations using Substack for communications should assess exposure and notify affected personnel.
- Sources: CSO Online, Infosecurity Magazine
Transportation Systems
- Edge Device Exposure: Transportation systems—particularly aviation, rail, and maritime—rely heavily on edge computing for real-time operations. The CISA directive and DKnife disclosures highlight the need for comprehensive edge device security reviews.
- Super Bowl Security Considerations: With major sporting events approaching, transportation security around venues requires heightened awareness. Human trafficking concerns are elevated during major events.
- Source: Homeland Security Today
Healthcare & Public Health
- Email Security Concerns: The SmarterMail vulnerability being exploited in ransomware attacks is particularly relevant for healthcare organizations, which remain primary ransomware targets.
- Recommended Action: Healthcare IT teams should verify email infrastructure is not running vulnerable SmarterMail versions and ensure backup and recovery procedures are tested.
Financial Services
- BridgePay Incident Impact: The ransomware attack on BridgePay demonstrates cascading risk in payment processing infrastructure. Financial institutions should:
  - Verify alternative payment processing arrangements
  - Monitor for downstream fraud attempts exploiting the disruption
  - Review third-party payment processor resilience requirements
- Source: Bleeping Computer
Government Facilities
- Shadow Campaigns Targeting: The TGR-STA-1030/UNC6619 operation specifically targeted government infrastructure across 155 countries. U.S. government facilities and contractors should implement enhanced monitoring and review recent network activity for indicators of compromise.
- DHS Privacy Audit: DHS has initiated a privacy probe focusing on biometric tracking by ICE and OBIM, with potential expansion to other DHS components. This may affect biometric security systems at government facilities.
- Source: CyberScoop
4. Vulnerability & Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| CVE/Vulnerability | Affected Product | Severity | Status |
|---|---|---|---|
| CVE-2026-24423 | SmarterMail | Critical (RCE) | Active exploitation in ransomware attacks |
| Multiple (6 CVEs) | n8n Automation Platform | High | Newly disclosed |
| Various | Unsupported Edge Devices | Critical | CISA directive issued |
CISA Advisories and Directives
Edge Device Lifecycle Management Directive
- CISA has ordered FCEB agencies to strengthen asset lifecycle management for edge network devices and remove unsupported devices from federal networks.
- While binding only on federal agencies, CISA strongly urges private sector organizations to follow the same guidance.
- Key requirements include:
  - Comprehensive inventory of all edge devices
  - Identification of devices no longer receiving security updates
  - Removal or isolation of unsupported devices
  - Implementation of compensating controls where immediate removal is not feasible
- Sources: SecurityWeek, The Hacker News
Recommended Defensive Measures
For Edge Device Security:
- Conduct immediate inventory of all edge devices including routers, firewalls, VPN concentrators, and IoT gateways
- Verify vendor support status and patch levels for all identified devices
- Implement network segmentation to isolate edge devices from critical systems
- Deploy monitoring for anomalous traffic patterns indicative of AitM attacks
- Establish replacement timelines for end-of-life equipment
For Messaging Security (Signal Phishing):
- Brief high-value personnel on targeted phishing via encrypted messaging apps
- Implement out-of-band verification for unexpected requests via messaging platforms
- Review Signal security settings including linked devices and safety numbers
AI-Assisted Vulnerability Discovery
- Anthropic's Claude AI has reportedly identified 500 high-severity software vulnerabilities, demonstrating the increasing role of AI in both offensive and defensive security research.
- Security teams should anticipate accelerated vulnerability disclosure cycles as AI-assisted discovery becomes more prevalent.
- Source: CSO Online
5. Resilience & Continuity Planning
Lessons from the BridgePay Incident
The BridgePay ransomware attack offers several lessons for critical infrastructure resilience:
- Third-Party Dependency Mapping: Organizations should maintain current maps of critical third-party dependencies, particularly for payment processing and financial services.
- Alternative Processing Arrangements: Financial institutions should verify that backup payment processing arrangements are documented, tested, and can be activated rapidly.
- Communication Protocols: Establish clear communication channels with third-party providers for incident notification and status updates.
Supply Chain Security Considerations
Edge Device Supply Chain:
- The DKnife framework's targeting of Chinese-manufactured routers highlights supply chain security concerns for networking equipment.
- Organizations should review procurement policies for edge devices and consider geographic diversity in vendor selection.
- Implement firmware verification procedures for newly deployed network equipment.
Cross-Sector Dependencies
This week's developments highlight several critical cross-sector dependencies:
- Financial → All Sectors: Payment processing disruptions affect all sectors relying on electronic payments for operations, procurement, and payroll.
- Communications → All Sectors: Router-level compromise (DKnife) can affect any sector relying on network connectivity for operations.
- IT → Government: The Shadow Campaigns operation demonstrates how IT infrastructure compromise enables broader government targeting.
Building Security Culture
Security Magazine published guidance on building strong security cultures, emphasizing:
- Leadership commitment and visible security prioritization
- Regular training and awareness programs
- Clear reporting channels for security concerns
- Recognition programs for security-conscious behavior
- Integration of security into business processes
Source: Security Magazine
6. Regulatory & Policy Developments
Federal Guidelines and Regulatory Changes
CISA Edge Device Directive
- The directive requiring FCEB agencies to remove unsupported edge devices establishes a federal baseline that may influence future regulatory requirements for critical infrastructure sectors.
- Sector-specific regulators may adopt similar requirements for regulated entities.
DHS Biometric Privacy Probe
- DHS auditors have initiated a privacy investigation into biometric tracking practices by ICE and OBIM.
- The probe may expand to other DHS components and could result in policy changes affecting biometric security systems.
- Organizations using DHS biometric data or systems should monitor for guidance changes.
- Source: CyberScoop
International Developments
EU TikTok Fine for Addictive Design
- The European Commission announced TikTok faces fines over "addictive design" features including infinite scroll, autoplay, and personalized recommendations.
- This action signals increased regulatory scrutiny of platform design choices and may influence future regulations affecting technology used in critical infrastructure environments.
- Source: Bleeping Computer
German Intelligence Advisory
- The joint BfV/BSI advisory on Signal phishing represents coordinated government-industry threat communication that could serve as a model for similar U.S. advisories.
Counterterrorism Developments
- DOJ Benghazi Charges: DOJ has charged a third suspect in the 2012 Benghazi attack with multiple murder and terrorism counts, demonstrating continued pursuit of terrorism cases.
- UK Terrorism Guilty Plea: A UK teenager has pleaded guilty to terrorism offenses, highlighting ongoing domestic terrorism concerns.
- Source: Homeland Security Today
7. Training & Resource Spotlight
Upcoming Training Opportunities
NIST Cybersecurity for IoT Workshop: Future Directions
- Date: March 31, 2026
- Focus: Emerging and future trends for IoT technologies and their implications for IoT cybersecurity
- Relevance: As IoT becomes more sophisticated, automated, and ubiquitous, understanding security implications is critical for infrastructure operators
- Source: NIST
Tools and Frameworks
AI-Assisted Security Analysis
- The disclosure that Claude AI identified 500 high-severity vulnerabilities highlights the potential for AI tools in security operations.
- Security teams should evaluate AI-assisted tools for vulnerability management, threat detection, and security analysis.
- Consider both benefits and risks of AI integration into security workflows.
Best Practices Highlight
Edge Device Lifecycle Management
Based on this week's CISA directive and threat disclosures, organizations should implement:
- Asset Discovery: Deploy automated discovery tools to identify all edge devices
- Lifecycle Tracking: Maintain records of vendor support dates for all network equipment
- Replacement Planning: Budget for regular equipment refresh cycles (typically 5-7 years)
- Compensating Controls: Document and implement controls for devices that cannot be immediately replaced
- Monitoring: Implement enhanced monitoring for edge device traffic and behavior
8. Looking Ahead: Upcoming Events
Security Conferences and Events
NIST Cybersecurity for IoT Workshop
- Date: March 31, 2026
- Topic: Future directions for IoT cybersecurity
- Relevance: Critical for infrastructure operators deploying IoT sensors and monitoring systems
Heightened Awareness Periods
Super Bowl LX (February 8-9, 2026)
- Major sporting events historically correlate with increased cyber and physical security threats
- Human trafficking awareness is elevated during major events
- Transportation and communications infrastructure supporting the event require enhanced monitoring
- Financial services should monitor for fraud attempts exploiting event-related activity
Anticipated Developments
- BridgePay Recovery: Monitor for service restoration updates and post-incident analysis
- Shadow Campaigns IOCs: Expect additional threat intelligence releases as researchers analyze the 155-country espionage operation
- CISA Edge Device Guidance: Anticipate supplementary guidance for private sector implementation of edge device security measures
- DKnife Detection Signatures: Security vendors likely to release detection capabilities for the newly disclosed framework
Seasonal Considerations
- Tax Season: Approaching tax filing deadlines historically correlate with increased phishing and fraud attempts targeting financial information
- Winter Weather: Continued winter weather events may stress energy and transportation infrastructure, requiring resilience planning
This intelligence briefing is compiled from open-source reporting and is intended to support critical infrastructure protection efforts. Recipients are encouraged to share relevant information with appropriate stakeholders and report suspicious activity to relevant authorities.
Report Prepared: Saturday, February 7, 2026
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.