Chinese Hackers Exploit Dell Zero-Day for 18 Months; Three New ICS Threat Groups Emerge as Ransomware Hits Industrial Operations

Critical Infrastructure Intelligence Briefing

Report Date: Wednesday, February 18, 2026

Reporting Period: February 11-18, 2026


1. Executive Summary

This week's intelligence reveals significant escalation in threats to critical infrastructure, with Chinese state-sponsored actors exploiting a Dell zero-day vulnerability undetected for 18 months, and industrial cybersecurity firm Dragos identifying three new threat groups targeting ICS/OT environments. Key developments include:

  • Nation-State Activity: Google researchers disclosed that Chinese threat group UNC6201 has been exploiting a Dell RecoverPoint for Virtual Machines zero-day since mid-2024, deploying advanced "Grimbolt" malware—an evolution of the Brickstorm backdoor. This represents a significant intelligence failure in detection capabilities.
  • ICS/OT Threat Expansion: Dragos's 9th Annual Year in Review report identifies three new threat groups that began targeting industrial control systems in 2025, with ransomware attacks causing increased operational disruption across industrial environments.
  • Identity-Based Attacks Surge: Palo Alto Networks' Unit 42 reports that nearly two-thirds of breaches now originate from identity abuse, highlighting critical gaps in access controls across integrated enterprise systems.
  • Ransomware Enforcement: Polish authorities arrested a 47-year-old suspect linked to the Phobos ransomware operation, seizing devices containing stolen credentials and credit card data.
  • Regulatory Development: CISA is actively seeking industry input on the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), presenting an important opportunity for infrastructure operators to shape reporting requirements.
  • AI Security Concerns: Multiple reports highlight emerging risks from AI systems, including research showing AI assistants can be weaponized as command-and-control proxies and internal AI copilots creating accidental data exposure pathways.

2. Threat Landscape

Nation-State Threat Actor Activities

Chinese APT Exploits Dell Zero-Day (UNC6201)

Google Mandiant researchers have disclosed that suspected Chinese state-backed threat group UNC6201 has been exploiting a critical zero-day vulnerability in Dell RecoverPoint for Virtual Machines since mid-2024—approximately 18 months before detection. Key findings include:

  • Malware Evolution: Attackers have transitioned from the Brickstorm backdoor to a more advanced variant called "Grimbolt," indicating continued investment in capability development
  • Target Profile: Virtual machine recovery infrastructure represents high-value targets for data exfiltration and potential disruption of disaster recovery capabilities
  • Detection Gap: The extended dwell time highlights significant challenges in identifying sophisticated supply chain and infrastructure-level compromises

Source: CyberScoop, Bleeping Computer, Mandiant

New ICS/OT Threat Groups Identified

Dragos's annual OT/ICS Cybersecurity Report reveals three new threat groups began targeting industrial control systems in 2025. While specific group designations were not detailed in available reporting, this expansion indicates growing adversary interest in operational technology environments across critical infrastructure sectors.

Source: SecurityWeek

Ransomware and Cybercriminal Developments

Phobos Ransomware Affiliate Arrested

Polish authorities arrested a 47-year-old man suspected of involvement with the Phobos ransomware operation. Law enforcement seized computers and mobile devices containing:

  • Stolen credentials
  • Credit card numbers
  • Server access information
  • Evidence of cybercrime tool production and distribution

The suspect faces up to five years' imprisonment for producing, obtaining, and sharing computer programs used in cyberattacks.

Source: CyberScoop, SecurityWeek

Industrial Ransomware Surge

Dragos reports a significant rise in ransomware attacks specifically targeting industrial operations, with attacks increasingly causing operational disruption rather than just data theft. This trend represents elevated risk for manufacturing, energy, and utilities sectors.

Source: Infosecurity Magazine

Emerging Attack Vectors

AI Systems as Attack Infrastructure

Researchers have demonstrated that AI assistants supporting web browsing or URL fetching can be weaponized as stealthy command-and-control (C2) relays. Microsoft Copilot and xAI's Grok were specifically identified as vulnerable to this abuse technique.

Source: The Hacker News

"Vibe Extortion" Using AI

Unit 42 researchers observed low-skilled threat actors using large language models to script professional extortion campaigns, complete with deadlines and psychological pressure tactics. This democratization of attack capabilities lowers the barrier for less sophisticated criminals.

Source: Infosecurity Magazine

API Threats Amplified by AI

New research indicates attackers are increasingly abusing APIs at machine speed, with AI-driven systems widening exposure and amplifying impact. Organizations should review API security controls and monitoring capabilities.

Source: SecurityWeek

Mobile and Firmware Threats

Keenadu Android Backdoor

Kaspersky researchers discovered a sophisticated Android malware called "Keenadu" embedded in device firmware from multiple brands. The backdoor:

  • Is delivered through signed OTA updates, bypassing typical security controls
  • Can compromise all installed applications
  • Enables silent data harvesting and remote device control
  • Has been found in both firmware and Google Play applications

Source: The Hacker News, Bleeping Computer

ZeroDayRAT Spyware

A new commercial spyware toolkit dubbed "ZeroDayRAT" is targeting both Android and iOS devices. The toolkit's commercial availability suggests potential use by both criminal actors and surveillance operations.

Source: CSO Online


3. Sector-Specific Analysis

Energy Sector

Threat Level: ELEVATED

The energy sector faces heightened risk from multiple threat vectors this week:

  • ICS Vulnerabilities: CISA issued advisories for GE Vernova Enervista UR Setup and Siemens Simcenter products commonly deployed in energy sector environments
  • Industrial Targeting: Dragos's identification of three new ICS-focused threat groups, combined with rising ransomware targeting industrial operations, indicates sustained adversary interest in energy infrastructure
  • Supply Chain Risk: The Dell RecoverPoint zero-day exploitation demonstrates how virtualization and backup infrastructure can serve as attack vectors into operational environments

Recommended Actions:

  • Review CISA ICS advisories for GE Vernova and Siemens products
  • Assess backup and recovery infrastructure for potential compromise indicators
  • Enhance monitoring of IT/OT boundary points

Water & Wastewater Systems

Threat Level: MODERATE

Water utilities should note the broader ICS/OT threat landscape developments:

  • The emergence of new threat groups targeting industrial systems applies across sectors
  • Identity-based attack trends (two-thirds of breaches) highlight the importance of access control in SCADA and control system environments
  • Smaller utilities with limited security resources remain particularly vulnerable to ransomware campaigns

Recommended Actions:

  • Review and strengthen identity and access management for control systems
  • Ensure offline backup capabilities for critical operational data
  • Consider participation in CISA's CIRCIA input process to shape sector-appropriate reporting requirements

Communications & Information Technology

Threat Level: ELEVATED

Chrome Zero-Day Under Active Exploitation

Google has confirmed an exploit is available for a new Chrome zero-day vulnerability. Organizations should prioritize browser updates across enterprise environments.

Source: CSO Online

VSCode Extension Vulnerabilities

High to critical severity vulnerabilities affecting popular Visual Studio Code extensions—collectively downloaded over 128 million times—could be exploited to steal local files and credentials. Development environments represent an often-overlooked attack surface.

Source: Bleeping Computer

Microsoft Teams Outage

Microsoft is addressing an ongoing outage affecting Teams users in the United States and Europe, causing delays and access issues. While not security-related, this highlights dependency risks on cloud collaboration platforms.

Source: Bleeping Computer

Password Manager Vulnerabilities

ETH Zurich researchers tested Bitwarden, LastPass, Dashlane, and 1Password, finding vulnerabilities that could enable vault compromise under malicious server conditions. Organizations relying on enterprise password managers should review vendor security advisories.

Source: SecurityWeek

Transportation Systems

Threat Level: MODERATE

Eurail Data Breach

Hackers are offering to sell millions of Eurail user records. Eurail has confirmed the stolen data is for sale but is still determining the scope of impact. While this incident affects European rail, it highlights data protection challenges across transportation sector customer systems.

Source: SecurityWeek

Recommended Actions:

  • Review customer data protection controls and breach notification procedures
  • Assess third-party data sharing arrangements
  • Monitor for credential stuffing attempts using potentially compromised data

Healthcare & Public Health

Threat Level: ELEVATED

2025 Healthcare Breach Analysis

Security Magazine published analysis of the top 20 healthcare data breaches from 2025, providing valuable lessons for the sector. Healthcare organizations should review these incidents for applicable defensive insights.

Source: Security Magazine

AI Copilot Data Exposure Risk

Internal AI assistants are creating a new class of data exposure risk, particularly concerning for healthcare organizations handling protected health information. Organizations deploying AI copilots should assess data access controls and potential for inadvertent disclosure.

Source: Security Magazine

Financial Services

Threat Level: MODERATE

Financial services organizations should note:

  • Identity Attack Trends: The Unit 42 finding that two-thirds of breaches start with identity abuse is particularly relevant for financial institutions
  • API Security: AI-amplified API attacks pose significant risk to financial services APIs
  • Infostealer Activity: The SmartLoader campaign distributing StealC infostealer through trojanized MCP servers represents ongoing credential theft risk

Source: The Hacker News


4. Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

Product                      Severity       Status                               Action Required
Dell RecoverPoint for VMs    Critical       Zero-day under active exploitation   Apply patches immediately; hunt for IOCs
Google Chrome                High           Exploit available                    Update to latest version
VSCode Extensions (multiple) High-Critical  Vulnerabilities disclosed            Review and update extensions

CISA ICS Advisories (Published February 17, 2026)

CISA released four ICS advisories this week:

  • ICSA-26-048-04: Honeywell CCTV Products - Successful exploitation could allow unauthorized access to surveillance systems
  • ICSA-26-048-03: GE Vernova Enervista UR Setup - Multiple vulnerabilities affecting protective relay configuration software
  • ICSA-26-048-02: Delta Electronics ASDA-Soft - Vulnerabilities in servo drive software
  • ICSA-26-048-01: Siemens Simcenter Femap and Nastran - Engineering simulation software vulnerabilities

Recommended Action: Review full advisories and assess applicability to your environment. Prioritize patching for internet-facing or critical systems.

Recommended Defensive Measures

For Dell RecoverPoint Zero-Day:

  • Apply vendor patches as soon as available
  • Review logs for indicators of compromise dating back to mid-2024
  • Segment backup infrastructure from production networks
  • Monitor for Grimbolt/Brickstorm malware indicators

For Identity-Based Attack Prevention:

  • Implement phishing-resistant MFA across all critical systems
  • Review and minimize standing privileges
  • Deploy identity threat detection capabilities
  • Audit service account usage and permissions
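The two list items about standing privileges and service account auditing are the ones most easily turned into a repeatable check. The script below is an added example written for this briefing, not code from Unit 42 or any vendor; it runs over a small constructed identity export (the field names, the role names and the "phishing-resistant" method labels are assumptions chosen for illustration) and flags exactly the conditions the list describes: privileged roles with no expiry (standing privilege), users without phishing-resistant MFA, service accounts that have gone unused, and service accounts that hold privileged roles at all.

```python
"""Audit a constructed identity export for standing privilege, weak MFA and
service-account hygiene. Added example; the export format is an assumption,
not a real IdP or cloud provider schema."""
from datetime import datetime, timedelta, timezone

# Constructed sample export (not real accounts). "role_expires" of None means
# the role assignment is permanent, i.e. a standing privilege.
ACCOUNTS = [
    {"name": "alice", "type": "user", "roles": ["admin"], "role_expires": None,
     "mfa": "fido2", "last_used": "2026-02-17T09:00:00Z"},
    {"name": "bob", "type": "user", "roles": ["reader"], "role_expires": None,
     "mfa": "sms", "last_used": "2026-02-16T12:00:00Z"},
    {"name": "carol", "type": "user", "roles": ["admin"],
     "role_expires": "2026-02-20T00:00:00Z",   # time-bound elevation, acceptable
     "mfa": "fido2", "last_used": "2026-02-18T08:00:00Z"},
    {"name": "svc-backup", "type": "service", "roles": ["admin"], "role_expires": None,
     "mfa": None, "last_used": "2025-06-01T00:00:00Z"},
    {"name": "svc-etl", "type": "service", "roles": ["reader"], "role_expires": None,
     "mfa": None, "last_used": "2026-02-17T03:00:00Z"},
]

# Assumed labels: which MFA methods count as phishing-resistant and which roles
# count as privileged. Adjust to the real environment's naming.
PHISHING_RESISTANT_MFA = {"fido2", "passkey", "smartcard"}
PRIVILEGED_ROLES = {"admin"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def audit(accounts, now, stale_days=90):
    """Return a list of findings; each finding is {"account", "issue", "detail"}."""
    findings = []
    for acct in accounts:
        privileged = PRIVILEGED_ROLES & set(acct["roles"])

        # Standing privilege: a privileged role with no expiry on the assignment.
        if privileged and acct["role_expires"] is None:
            findings.append({"account": acct["name"], "issue": "standing-privilege",
                             "detail": f"permanent roles: {sorted(privileged)}"})

        # Human accounts should use phishing-resistant MFA on critical systems.
        if acct["type"] == "user" and acct["mfa"] not in PHISHING_RESISTANT_MFA:
            findings.append({"account": acct["name"], "issue": "weak-mfa",
                             "detail": f"mfa method: {acct['mfa']}"})

        if acct["type"] == "service":
            # Unused service accounts are standing credentials nobody is watching.
            idle = now - parse_ts(acct["last_used"])
            if idle > timedelta(days=stale_days):
                findings.append({"account": acct["name"], "issue": "stale-service-account",
                                 "detail": f"idle for {idle.days} days"})
            # Service accounts with admin roles are a common lateral-movement foothold.
            if privileged:
                findings.append({"account": acct["name"], "issue": "privileged-service-account",
                                 "detail": f"roles: {sorted(privileged)}"})
    return findings


# Fixed "now" so the example is reproducible offline (constructed, matches the briefing week).
NOW = parse_ts("2026-02-18T12:00:00Z")


def run_audit():
    """Run the audit over the constructed export with the fixed reference time."""
    return audit(ACCOUNTS, NOW)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f['account']:<12} {f['issue']:<28} {f['detail']}")
```

Running it lists five findings: alice and svc-backup for standing privilege, bob for SMS-based MFA, and svc-backup twice more for being both idle since mid-2025 and privileged. carol is not flagged because her admin role is time-bound and she uses FIDO2, which is the pattern the "minimize standing privileges" item is asking for. In a real environment the constructed export would be replaced by the IdP's or cloud provider's own account listing, and the thresholds and role names tuned accordingly.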

For AI/Copilot Security:

  • Inventory AI assistants deployed across the organization
  • Review data access permissions for AI systems
  • Implement data loss prevention controls for AI interactions
  • Establish acceptable use policies for AI tools

Software Security Improvements

Notepad++ Update Security Enhancement: Notepad++ has implemented a "double-lock" mechanism for its update process following a recent supply chain compromise. This represents a positive example of vendors responding to security incidents with architectural improvements.

Source: Bleeping Computer


5. Resilience & Continuity Planning

Lessons from Recent Incidents

Dell Zero-Day: Detection Gap Analysis

The 18-month exploitation window for the Dell RecoverPoint vulnerability highlights critical lessons:

  • Backup Infrastructure as Target: Disaster recovery systems are high-value targets that may receive less security scrutiny than production systems
  • Extended Dwell Time: Sophisticated actors can maintain persistent access for extended periods without detection
  • Vendor Trust: Signed updates and legitimate vendor infrastructure can be weaponized

Recommended Actions:

  • Include backup and recovery infrastructure in threat hunting programs
  • Implement behavioral monitoring for backup systems
  • Maintain offline backup copies that cannot be compromised through network access

Basic Security Failures Enable Attacks

Palo Alto Networks analysis finds that cyber attacks continue to be enabled by basic security failings. Organizations should ensure foundational controls are in place before investing in advanced capabilities.

Source: CSO Online

Supply Chain Security

Strategic Supply Chain Considerations

NIST has highlighted that recent disruptions—from pandemics to infrastructure failures to changing trade policies—have exposed critical vulnerabilities in U.S. supply chains. Organizations should:

  • Map critical dependencies across technology and operational supply chains
  • Identify single points of failure
  • Develop alternative sourcing strategies for critical components
  • Participate in sector-specific supply chain security initiatives

Cross-Sector Dependencies

This week's intelligence highlights several cross-sector dependency risks:

  • Virtualization Infrastructure: The Dell zero-day affects organizations across all sectors using VMware environments with RecoverPoint
  • Cloud Collaboration: Microsoft Teams outage demonstrates dependency on cloud services for business continuity
  • Identity Systems: Identity-based attacks can cascade across integrated systems and sectors

Living Risk Registers

Former CIO Ann Dunkin emphasizes that "living risk registers" are key to real cyber resilience. Organizations should maintain dynamic risk documentation that evolves with the threat landscape rather than static annual assessments.

Source: Homeland Security Today


6. Regulatory & Policy Developments

CISA CIRCIA Industry Input Request

Action Opportunity: CISA is actively seeking industry input on the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This represents a significant opportunity for critical infrastructure owners and operators to shape incident reporting requirements.

Key Considerations:

  • Reporting timelines and thresholds
  • Definition of covered incidents
  • Information sharing protections
  • Sector-specific considerations

Recommended Action: Organizations should review CISA's request and submit comments through official channels. Coordinate with sector ISACs and trade associations for collective input.

Source: Homeland Security Today

CISA 2025 Year in Review

CISA has released its 2025 Year in Review, providing insights into agency priorities, accomplishments, and future direction. Critical infrastructure stakeholders should review this document to understand CISA's evolving role and available resources.

Source: Homeland Security Today

International Developments

Spain VPN Blocking Order

A Spanish court has ordered NordVPN and ProtonVPN to block 16 websites facilitating piracy of football matches. While focused on copyright enforcement, this precedent has implications for VPN providers and internet freedom considerations.

Source: Bleeping Computer

Ireland X/Grok Investigation

Ireland's Data Protection Commission has opened a formal investigation into X (formerly Twitter) over the use of the Grok AI tool to generate content, including concerns about sexual imagery generation. This investigation may have broader implications for AI governance.

Source: Bleeping Computer

Surveillance Technology Concerns

Citizen Lab has linked Cellebrite phone-cracking technology to the hacking of a Kenyan presidential candidate's phone following his arrest. This research highlights ongoing concerns about surveillance technology use and potential for abuse.

Source: CyberScoop


7. Training & Resource Spotlight

Industry Investment

VulnCheck Series B Funding

Vulnerability intelligence firm VulnCheck has raised $25 million in Series B funding led by Sorenson Capital, bringing total investment to $45 million. This investment signals continued market demand for vulnerability intelligence capabilities.

Source: SecurityWeek

Palo Alto Networks Acquires Koi

Palo Alto Networks has acquired Koi to improve visibility into AI-driven activity on workplace devices. This acquisition reflects growing enterprise focus on AI agent security.

Source: CyberScoop

Platform Security Updates

Android 17 Beta Security Features

Android 17 Beta introduces a secure-by-default architecture with enhanced privacy and security controls. Organizations managing mobile device fleets should evaluate these improvements for future deployment planning.

Source: Infosecurity Magazine

iOS 26.4 Security Enhancements

Apple's iOS 26.4 developer beta adds:

  • End-to-end encryption for RCS messaging
  • Enhanced Memory Integrity Enforcement

These improvements will enhance security for enterprise iOS deployments when generally available.

Source: Infosecurity Magazine, The Hacker News

Research and Analysis Resources

  • Dragos 9th Annual OT/ICS Cybersecurity Report: Comprehensive analysis of industrial cybersecurity threats and trends
  • Unit 42 Incident Response Report: Analysis of breach patterns and identity-based attack trends
  • ETH Zurich Password Manager Research: Security analysis of major password management solutions

CISO Resources

Multiple reports this week address CISO challenges:

  • Re-envisioning Enterprise Risk: CSO Online analysis of how stretched security leaders can restructure risk management approaches
  • Agentic AI Challenges: Analysis of why autonomous AI systems present new security management challenges

Source: CSO Online


8. Looking Ahead: Upcoming Events

Upcoming Workshops and Conferences

NIST Cybersecurity for IoT Workshop: Future Directions

Date: March 31, 2026

Focus: Emerging and future trends for IoT technologies and their implications for IoT cybersecurity. As IoT becomes more sophisticated, automated, and ubiquitous, this workshop will address evolving security requirements.

Relevance: Critical for organizations deploying IoT in operational technology environments

Source: NIST

NIST Building the Strategic Supply Chain Network

Date: March 9, 2026

Focus: Addressing critical vulnerabilities in U.S. supply chains exposed by recent disruptions including pandemics, infrastructure failures, and changing trade policies

Relevance: Essential for supply chain security planning across critical infrastructure sectors

Source: NIST

Threat Periods Requiring Heightened Awareness

  • Ongoing: Chinese APT activity exploiting Dell infrastructure—organizations should conduct threat hunting for historical compromise
  • Ongoing: Industrial ransomware campaigns targeting operational technology environments
  • Ongoing: Identity-based attacks across enterprise environments

Anticipated Regulatory Milestones

  • CIRCIA Rulemaking: Monitor CISA announcements for comment period deadlines and draft rule publication
  • AI Governance: Watch for developments from Ireland DPC investigation into AI-generated content

Seasonal Considerations

  • Tax Season (U.S.): Heightened phishing and social engineering activity

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.