Russian FortiBleed Campaign Harvests 110 Million Credentials; CISA Issues Seven ICS Advisories Amid Energy Sector Breach

Executive Summary

This week's intelligence highlights significant threats to critical infrastructure across multiple sectors, with a Russian initial access broker's massive credential harvesting operation and a confirmed breach at a Canadian electricity provider demanding immediate attention from infrastructure operators.

  • Major Credential Harvesting Operation: A Russian-speaking initial access broker has been identified behind the "FortiBleed" campaign, which has captured over 110 million credentials from more than 430,000 FortiGate firewalls since February 2026. This operation poses significant risk to critical infrastructure organizations relying on Fortinet products for perimeter security.
  • Energy Sector Breach: Canadian electricity provider London Hydro disclosed a data breach affecting customer personal information, including names, addresses, email addresses, phone numbers, and account information. This incident underscores ongoing targeting of energy sector utilities.
  • CISA ICS Advisory Surge: CISA released seven Industrial Control System advisories on June 23, 2026, affecting Siemens, ABB, Hubbell Aclara, and B&R products widely deployed across energy, water, and manufacturing sectors.
  • Healthcare Data Breach: Healthtech firm Xolis confirmed a phishing-enabled breach impacting 1.4 million individuals, highlighting persistent threats to the healthcare sector's data security posture.
  • Post-Quantum Cryptography Mandate: President Trump signed an executive order establishing 2030 deadlines for federal agencies to migrate high-value assets to post-quantum cryptography, signaling accelerated timelines for critical infrastructure operators to begin their own transitions.
  • AI Security Developments: Multiple significant AI-related security developments emerged, including Dragos unveiling AI capabilities for OT security, OpenAI expanding its Daybreak defensive initiative, and Anthropic's AI model reportedly finding vulnerabilities in classified government systems.

Threat Landscape

Nation-State Threat Actor Activities

  • Russian Initial Access Broker - FortiBleed Campaign: Security researchers have attributed a large-scale credential harvesting operation to a financially motivated Russian-speaking initial access broker. The campaign, dubbed "FortiBleed," has targeted over 430,000 FortiGate firewalls using a custom sniffer tool, capturing more than 110 million credentials since at least February 2026. Initial access brokers typically sell harvested credentials to ransomware operators and other threat actors, making this a precursor indicator for potential follow-on attacks against critical infrastructure organizations. (SecurityWeek, The Hacker News)
  • Five Eyes AI Threat Warning: The Five Eyes Alliance (US, UK, Canada, Australia, New Zealand) issued a rare joint call to action urging organizations to fundamentally change their cyber risk strategies to address emerging AI-enabled threats. The advisory emphasizes that frontier AI capabilities are being weaponized faster than defensive measures can adapt, requiring proactive risk management approaches. (CSO Online)

Ransomware and Cybercriminal Developments

  • Scattered Spider Convictions: Two members of the "Scattered Spider" cybercrime group pleaded guilty in UK courts to charges stemming from the August 2024 cyberattack on Transport for London (TfL). The attack significantly disrupted public transportation systems and exposed customer data. These convictions represent continued law enforcement success against this prolific threat group known for targeting critical infrastructure and high-profile organizations. (KrebsOnSecurity, Bleeping Computer)
  • Tata Electronics Cyberattack: Tata Electronics confirmed a cyberattack impacting portions of its IT infrastructure, with threat actors beginning to leak stolen data. As a major electronics manufacturer and supplier, this incident has potential supply chain implications for multiple sectors. (Bleeping Computer)
  • Cybercrime Marketplace Takedown: The Department of Justice seized infrastructure used by cyber scam operations and criminal marketplaces, while Treasury took action against Cambodian company Huione Group and affiliates. Separately, Algerian national Abdellah Belmili was extradited to the US for allegedly operating the Market0Day and Spoxy cybercrime marketplaces, facing up to 30 years in prison. (CyberScoop, SecurityWeek)

Emerging Attack Vectors

  • macOS ClickFix Campaign: A new macOS attack campaign uses Terminal commands to silently download, mount, and launch info-stealing malware from malicious disk image (DMG) files. This technique bypasses traditional security controls and represents an evolution in macOS-targeted attacks. (Bleeping Computer)
  • WhatsApp VBScript Campaign: Threat actors are using WhatsApp direct messages to distribute malicious Visual Basic Script files that install legitimate Remote Monitoring and Management (RMM) tools for unauthorized access. This social engineering approach exploits trusted communication channels. (The Hacker News)
  • Fake AI Agent Skills: Security firm AIR demonstrated that a fake AI agent skill passed security scans on a popular skill marketplace and reportedly reached approximately 26,000 agents, including corporate accounts. This highlights emerging risks in the AI agent ecosystem. (The Hacker News)
  • GTA 6 Pre-Order Scams: Cybercriminals have launched fake GTA 6 pre-order websites offering early access in exchange for cryptocurrency payments. While not directly targeting critical infrastructure, these campaigns demonstrate threat actor agility in exploiting high-profile events. (Infosecurity Magazine)

Supply Chain Threats

  • LastPass Klue Supply Chain Attack: LastPass confirmed that hackers accessed customer data from its Salesforce environment after stealing OAuth tokens in the Klue supply chain attack earlier this month. This incident demonstrates the cascading risks of third-party compromises. (Bleeping Computer)
  • Malicious npm Packages: Researchers discovered malicious npm packages posing as PostCSS tools designed to deliver a Windows-based remote access trojan (RAT). The packages impersonate legitimate postcss-selector-parser functionality, targeting software development pipelines. (The Hacker News, Infosecurity Magazine)

Sector-Specific Analysis

Energy Sector

  • London Hydro Data Breach: Canadian electricity provider London Hydro disclosed a data breach in which hackers stole customer personal information including names, addresses, email addresses, phone numbers, and account information. While the full scope of the breach remains under investigation, this incident highlights the ongoing targeting of utility customer data and the potential for follow-on social engineering attacks against affected customers. (SecurityWeek)
  • Siemens SIPROTEC 5 Vulnerability: CISA issued an advisory for Siemens SIPROTEC 5 devices using the DIGSI5 protocol, warning of arbitrary code execution vulnerabilities. SIPROTEC 5 devices are widely deployed for protection, automation, and control in electrical substations and power generation facilities. Organizations should review the advisory and implement recommended mitigations. (CISA ICS Advisory)
  • Hubbell Aclara Metrum Vulnerability: CISA released an advisory for vulnerabilities in Hubbell Aclara Metrum Cellular Web Interface, used in smart grid and advanced metering infrastructure (AMI) deployments. Successful exploitation could allow unauthorized access to metering systems. (CISA ICS Advisory)

Water & Wastewater Systems

  • WaterISAC Quarterly Incident Summary: WaterISAC released its quarterly water sector incident summary covering January through March 2026. The executive summary is available at TLP:CLEAR, with detailed analysis available to members at TLP:AMBER. Water sector organizations are encouraged to review the summary for trends and lessons learned applicable to their operations. (WaterISAC)
  • ABB Freelance Security Lock Vulnerability: CISA issued an advisory for ABB Freelance Security Lock systems used in process automation, including water treatment facilities. Successful exploitation could allow unauthorized access to control systems. Water utilities using ABB Freelance systems should review the advisory immediately. (CISA ICS Advisory)

Communications & Information Technology

  • Cisco Unified CM Exploitation: A high-severity server-side request forgery (SSRF) vulnerability (CVE-2026-20230) in Cisco Unified Communications Manager Server is now being actively exploited in attacks. Organizations using Cisco UCM should prioritize patching immediately. (Bleeping Computer)
  • Samsung KNOX Vulnerability: An eight-year-old high-severity use-after-free vulnerability in Samsung's KNOX security framework has been disclosed, affecting Android-powered Galaxy devices from the S9 through S25 series. This vulnerability exposed millions of devices to potential kernel attacks. (SecurityWeek)
  • Dify AI Platform Vulnerabilities: Data exposure flaws in the Dify AI platform, used by approximately 1 million applications, could allow attackers to read private chats, preview other tenants' documents, and reach internal APIs. Organizations using Dify should assess their exposure and implement available mitigations. (SecurityWeek)
  • GitHub Actions Security Update: GitHub has updated "actions/checkout" to block common "pwn request" attack patterns that exploit risky use of the "pull_request_target" workflow trigger. This update strengthens software supply chain security for organizations using GitHub Actions. (The Hacker News, CSO Online)

Transportation Systems

  • Scattered Spider TfL Convictions: The guilty pleas from two Scattered Spider members for the 2024 Transport for London attack provide important lessons for transportation sector security. The attack demonstrated how social engineering and credential theft can cascade into significant operational disruptions for mass transit systems. Transportation authorities should review their identity and access management controls in light of this case. (KrebsOnSecurity)
  • FIFA World Cup 2026 Fraud Warning: Recorded Future has identified a purchase scam tactic that hijacks organic search through compromised websites, with infrastructure built to scale into 2026 FIFA World Cup fraud. Transportation and hospitality sectors should prepare for increased fraud attempts as the tournament approaches. (Recorded Future)

Healthcare & Public Health

  • Xolis Data Breach: Healthcare technology company Xolis confirmed that a phishing attack gave attackers access to its network, compromising sensitive data belonging to nearly 1.4 million individuals. This incident highlights the continued effectiveness of phishing as an initial access vector against healthcare organizations and their technology partners. (Bleeping Computer)
  • HIPAA Security 2026 Conference: HHS Office for Civil Rights and NIST are hosting "Safeguarding Health Information: Building Assurance through HIPAA Security 2026" on September 2, 2026. Healthcare organizations should consider attendance for regulatory compliance updates. (NIST)

Financial Services

  • Cybercrime Marketplace Disruption: DOJ and Treasury actions against Huione Group and the extradition of alleged marketplace operators represent positive developments for financial sector security. These marketplaces facilitated the sale of stolen financial credentials and phishing kits targeting major American banks. (CyberScoop)

Manufacturing & Industrial

  • Siemens Product Advisories: CISA released multiple advisories affecting Siemens industrial products:
    • SINEC INS: Vulnerabilities in versions before V1.0 SP2 Update 6 (CISA Advisory)
    • WinCC Certificate Manager: Insufficient certificate validation vulnerabilities (CISA Advisory)
    • Products using OpenSSL: Stack-based buffer overflow vulnerabilities (CISA Advisory)
  • B&R Products Linux Kernel Vulnerabilities: CISA issued an advisory regarding the impact of Linux kernel vulnerabilities on B&R automation products. Organizations using B&R systems should review the advisory for affected products and available mitigations. (CISA ICS Advisory)
  • Dragos EmberAI for OT Security: Dragos unveiled EmberAI, an artificial intelligence capability built on the company's extensive operational technology cybersecurity dataset. This tool is designed to help OT security teams more effectively detect and respond to threats in industrial environments. (SecurityWeek)

Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

Product/Vendor        Vulnerability                     Severity  Status              Action Required
Cisco Unified CM      CVE-2026-20230 (SSRF)             High      Actively Exploited  Patch immediately
FortiGate Firewalls   FortiBleed credential harvesting  Critical  Active Campaign     Review logs, rotate credentials
Siemens SIPROTEC 5    Arbitrary code execution          High      Advisory Released   Apply mitigations per CISA advisory
FFmpeg libavcodec     PixelSmash RCE                    High      Disclosed           Update FFmpeg installations
Microsoft SharePoint  Multiple vulnerabilities          High      Actively Exploited  Patch unpatched servers

Notable Patches and Updates

  • FFmpeg PixelSmash Vulnerability: A critical flaw in FFmpeg's libavcodec library allows remote code execution through crafted media files. This affects video players, media servers, and NAS appliances using FFmpeg. Organizations should update FFmpeg installations across their infrastructure. (SecurityWeek, CSO Online)
  • Windows 11 KB5095093: Microsoft released a preview cumulative update for Windows 11 24H2 and 25H2 that fixes numerous bugs and introduces new features including Point-in-Time restore capability. (Bleeping Computer)
  • Unpatched SharePoint Exploitation: Microsoft found that unpatched SharePoint servers opened the door to multiple attackers, emphasizing the importance of timely patching for enterprise collaboration platforms. (CSO Online)

CISA ICS Advisories (June 23, 2026)

CISA released seven Industrial Control System advisories affecting products deployed across critical infrastructure sectors:

  1. Siemens WinCC Certificate Manager - ICSA-26-174-01 (Advisory)
  2. Siemens SIPROTEC 5 Using DIGSI5 Protocol - ICSA-26-174-02 (Advisory)
  3. Siemens Products using OpenSSL - ICSA-26-174-03 (Advisory)
  4. Siemens SINEC INS - ICSA-26-174-04 (Advisory)
  5. ABB Freelance Security Lock - ICSA-26-174-05 (Advisory)
  6. B&R Products (Linux Kernel vulnerabilities) - ICSA-26-174-06 (Advisory)
  7. Hubbell Aclara Metrum Cellular Web Interface - ICSA-26-174-07 (Advisory)

Recommended Defensive Measures

  • FortiBleed Response: Organizations using FortiGate firewalls should:
    • Review authentication logs for suspicious activity since February 2026
    • Rotate all credentials that may have traversed FortiGate devices
    • Ensure firmware is updated to latest versions
    • Implement network segmentation to limit credential exposure
    • Enable multi-factor authentication where possible
  • AI-Assisted Vulnerability Management: OpenAI has expanded its Daybreak initiative with GPT-5.5-Cyber, designed to help defenders identify and patch security flaws. Organizations may consider evaluating AI-assisted tools for vulnerability prioritization and remediation. (SecurityWeek, Infosecurity Magazine)
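One way to carry out the log-review and credential-rotation steps in the FortiBleed response list above, as an added example that is not from the briefing or from Fortinet: the script parses FortiGate-style key="value" login events (the sample lines are constructed for this example; the field names and the trusted management range are assumptions), flags successful logins from outside the trusted range on or after February 2026 plus failed-login bursts, and lists the accounts to rotate first.

```python
"""Triage FortiGate-style admin login events for a FortiBleed-type review.

Added example, not from the briefing or from Fortinet. FortiGate event logs
use key="value" pairs; the field names below (date, time, action, status,
user, srcip) are commonly seen in FortiGate system event logs, but the
sample lines are constructed, not captured from a real device.
"""
import re
from collections import Counter
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample of login events (not real telemetry).
SAMPLE_LOG = """\
date=2026-01-20 time=08:01:02 type="event" subtype="system" action="login" status="success" user="admin" srcip=10.0.5.20 method="https"
date=2026-02-03 time=02:14:51 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.45 method="https"
date=2026-02-03 time=02:14:55 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.45 method="https"
date=2026-02-03 time=02:14:58 type="event" subtype="system" action="login" status="failed" user="admin" srcip=203.0.113.45 method="https"
date=2026-02-03 time=02:15:09 type="event" subtype="system" action="login" status="success" user="admin" srcip=203.0.113.45 method="https"
date=2026-02-10 time=09:30:00 type="event" subtype="system" action="login" status="success" user="netops" srcip=10.0.5.21 method="ssh"
date=2026-03-01 time=23:59:10 type="event" subtype="system" action="login" status="success" user="netops" srcip=198.51.100.7 method="https"
"""

# Assumption: management logins are only expected from this internal range.
TRUSTED_MGMT_NETS = [ip_network("10.0.5.0/24")]
REVIEW_START = date(2026, 2, 1)   # campaign active since at least Feb 2026
FAILED_BURST_THRESHOLD = 3        # failed attempts per (user, srcip)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_trusted(ip):
    return any(ip_address(ip) in net for net in TRUSTED_MGMT_NETS)


def triage(log_text, review_start=REVIEW_START):
    """Return untrusted successful logins, failure bursts and accounts to rotate."""
    untrusted_success = []   # (date, user, srcip)
    failures = Counter()     # (user, srcip) -> failed attempts
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "login" or date.fromisoformat(ev["date"]) < review_start:
            continue  # not a login, or before the review window
        key = (ev["user"], ev["srcip"])
        if ev["status"] == "failed":
            failures[key] += 1
        elif ev["status"] == "success" and not is_trusted(ev["srcip"]):
            untrusted_success.append((ev["date"], ev["user"], ev["srcip"]))
    bursts = {k: n for k, n in failures.items() if n >= FAILED_BURST_THRESHOLD}
    # Any account that logged in successfully from an untrusted source is
    # treated as exposed and goes to the front of the rotation queue.
    rotate = sorted({user for _, user, _ in untrusted_success})
    return {"untrusted_success": untrusted_success, "bursts": bursts, "rotate": rotate}


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On real exports, point `triage` at the device's event log text and widen `TRUSTED_MGMT_NETS` to the organisation's actual management ranges; the January entry in the sample is deliberately outside the review window and is ignored.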

Resilience & Continuity Planning

Lessons Learned from Recent Incidents

  • Transport for London Attack: The Scattered Spider convictions provide an opportunity to review lessons from the TfL incident:
    • Social engineering remains highly effective against even security-aware organizations
    • Credential theft can enable significant operational disruption
    • Incident response plans should account for public-facing service disruptions
    • Law enforcement coordination can lead to successful prosecutions
  • Supply Chain Attack Cascades: The LastPass/Klue incident demonstrates how supply chain compromises can cascade through multiple organizations. Critical infrastructure operators should:
    • Inventory third-party integrations and OAuth connections
    • Implement monitoring for anomalous third-party access patterns
    • Develop playbooks for responding to supplier compromises

Cross-Sector Dependencies

  • Energy-Water Nexus: This week's advisories affecting both energy sector (SIPROTEC 5, Hubbell Aclara) and water sector (ABB Freelance) products highlight shared vulnerabilities across these interdependent sectors. Organizations should coordinate patching efforts and share threat intelligence through sector ISACs.
  • IT-OT Convergence Risks: Multiple advisories this week affect products that bridge IT and OT environments. Organizations should ensure their IT security teams and OT operators are coordinating on vulnerability management and incident response.

Security Professional Wellness

  • Burnout Management: Security Magazine published guidance on managing security professional burnout, emphasizing the need to treat it as an operational priority rather than an afterthought. Given the sustained threat tempo facing critical infrastructure, organizations should ensure adequate staffing and support for security teams. (Security Magazine)

Regulatory & Policy Developments

Federal Guidelines and Regulatory Changes

  • Post-Quantum Cryptography Executive Order: President Trump signed an executive order on June 22, 2026, establishing hard deadlines for federal agencies to migrate high-value assets and high-impact systems to post-quantum cryptography by 2030, with full transition required by 2031. Key provisions include:
    • Inventory of cryptographic assets required within 180 days
    • Prioritization framework for migration based on data sensitivity
    • Coordination requirements with critical infrastructure partners
    • Broader federal quantum initiative launched alongside the order

    Implications for Critical Infrastructure: While the mandate applies to federal agencies, critical infrastructure operators should begin their own post-quantum planning, particularly those handling sensitive government data or operating under federal contracts. (The Hacker News, CSO Online, Infosecurity Magazine)

International Developments

  • Five Eyes AI Threat Guidance: The Five Eyes Alliance's joint advisory on AI threats represents a significant international policy coordination effort. The guidance calls for organizations to fundamentally reassess their cyber risk strategies in light of AI-enabled threats, suggesting potential future regulatory alignment across allied nations. (CSO Online)

Privacy and Data Protection

  • Meta Employee Monitoring Pause: Meta has paused its employee monitoring program after data protection failures were identified. While not directly a critical infrastructure issue, this development may signal increased regulatory scrutiny of workplace monitoring practices that could affect infrastructure operators. (CSO Online)

Training & Resource Spotlight

New Tools and Capabilities

  • Dragos EmberAI: Dragos has released EmberAI, an artificial intelligence capability specifically designed for operational technology security. Built on Dragos' extensive OT cybersecurity dataset, this tool may help infrastructure operators improve threat detection and response in industrial environments. (SecurityWeek)
  • OpenAI Daybreak Expansion: OpenAI's expanded Daybreak initiative, including the full release of GPT-5.5-Cyber to trusted defenders, provides new AI-assisted capabilities for vulnerability identification and patching. Security teams may evaluate these tools for integration into their vulnerability management programs. (The Hacker News)
  • Picus Security Exploit Validation: Picus Security has published guidance on validating exploitability of newly disclosed vulnerabilities before public exploits are available, helping security teams prioritize patching efforts. (Bleeping Computer)

AI Security Developments

  • Anthropic Mythos Model Capabilities: A government official disclosed that Anthropic's Mythos model found vulnerabilities in classified US government systems, with some discovered within hours. However, the official clarified that finding vulnerabilities does not equate to exploiting them within that timeframe. This development highlights both the potential and limitations of AI in security research. (SecurityWeek)
  • Anthropic Fable 5

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.