Russia Blamed for Destructive Attacks on Danish Water Infrastructure; WatchGuard Firewall Zero-Day Actively Exploited
Critical Infrastructure Intelligence Briefing
Report Date: Saturday, December 20, 2025
Reporting Period: December 13-20, 2025
1. Executive Summary
This week's intelligence highlights significant nation-state activity targeting critical infrastructure, with Denmark formally attributing destructive cyberattacks against water utilities and election systems to Russia. Concurrently, multiple actively exploited vulnerabilities in network security appliances demand immediate attention from infrastructure operators.
Key Developments:
- Nation-State Threats: Danish intelligence has formally blamed Russia for destructive cyberattacks on water utility infrastructure and election-related systems, characterizing these as part of Moscow's "hybrid war" against Western nations. Separately, Chinese APT "LongNosedGoblin" continues targeting Asian government networks using Group Policy for malware deployment.
- Critical Vulnerabilities Under Active Exploitation: WatchGuard disclosed CVE-2025-14733 (CVSS 9.3), a critical firewall vulnerability being actively exploited in the wild. Over 25,000 Fortinet devices with FortiCloud SSO remain exposed to ongoing authentication bypass attacks.
- Emerging Attack Vectors: A new UEFI vulnerability affecting motherboards from ASRock, ASUS, GIGABYTE, and MSI enables pre-boot DMA attacks, potentially compromising systems before security controls initialize. Russian-linked actors are leveraging Microsoft 365 OAuth device code phishing for account takeovers.
- Law Enforcement Actions: Significant arrests this week include the Nigerian developer behind the RaccoonO365 phishing platform, a Ukrainian national pleading guilty to Nefilim ransomware attacks, and two former incident responders admitting to conducting ransomware attacks while employed at cybersecurity firms.
- Policy Developments: Army Lt. Gen. Joshua Rudd has been nominated to lead both NSA and U.S. Cyber Command. The Coast Guard established a new Maritime Nuclear Policy Division, signaling increased focus on nuclear security in maritime environments.
2. Threat Landscape
Nation-State Threat Actor Activities
Russia
- Danish Infrastructure Attacks: Denmark's intelligence service (PET) has formally attributed destructive cyberattacks against Danish critical infrastructure to Russia. The attacks targeted water utility systems and election-related infrastructure ahead of Danish elections. Officials characterized these operations as part of Russia's broader "hybrid war" against Western nations, designed to create instability and undermine public confidence in essential services. Source: SecurityWeek
- Microsoft 365 Device Code Phishing: A suspected Russia-aligned threat group is conducting sophisticated phishing campaigns exploiting Microsoft 365's device code authentication workflow. This technique bypasses traditional phishing defenses by leveraging legitimate OAuth mechanisms for account takeover operations. Source: The Hacker News
- Deepfake Impersonation Campaign: The FBI issued an updated advisory on an "ongoing" deepfake impersonation campaign targeting U.S. government officials that dates back to 2023. The advisory includes new details on specific tactics and talking points used by impersonators. Source: CyberScoop
China
- LongNosedGoblin APT: A Chinese APT group dubbed "LongNosedGoblin" has been observed targeting Asian government networks using Group Policy Objects (GPO) to deploy cyberespionage tools. This technique enables persistent, stealthy access across governmental network environments. Source: SecurityWeek
- AI-Enabled Hacking Concerns: Policymakers continue grappling with the implications of Chinese AI-enabled hacking capabilities. While some officials assert the era of AI-powered attacks has arrived, security experts note current tools still have significant limitations. Source: CyberScoop
- Power Grid Threat Assessment: Reports this week highlighted ongoing concerns about Chinese threat activity targeting the U.S. power grid, though specific new incidents were not disclosed. Source: SecurityWeek
Iran
- Prince of Persia APT Returns: The Iranian APT group known as "Prince of Persia" has resurfaced with new malware variants and updated command-and-control infrastructure. Security researchers are tracking the group's evolved capabilities and potential targeting of Western interests. Source: CSO Online
Ransomware and Cybercriminal Developments
- Nefilim Ransomware Guilty Plea: A 35-year-old Ukrainian national pleaded guilty to conducting Nefilim ransomware attacks. The individual faces up to 10 years in prison. Authorities announced an $11 million reward for information on an alleged co-conspirator who remains at large. Source: CyberScoop
- Insider Threat - Former Incident Responders: In a significant insider threat case, Ryan Goldberg and Kevin Martin—both former employees at cybersecurity companies—pleaded guilty to conducting ransomware attacks against five companies in 2023 while working as incident responders. This case highlights the critical importance of insider threat programs and personnel vetting. Source: CyberScoop
- E-Note Crypto Exchange Shutdown: U.S. authorities shut down the E-Note cryptocurrency exchange and charged its Russian administrator. The exchange allegedly laundered money for ransomware groups and other transnational cybercriminal organizations. Source: SecurityWeek
- RaccoonO365 Developer Arrested: Nigerian authorities arrested three individuals linked to the RaccoonO365 phishing-as-a-service platform, which targeted Microsoft 365 accounts at major corporations. Source: The Hacker News
Botnet Activity
- Kimwolf Android Botnet: The "Kimwolf" Android botnet, linked to the Aisuru IoT botnet, has compromised approximately 1.8 million devices. The botnet has launched over 1.7 billion DDoS attack commands, representing a significant threat to internet-connected infrastructure. Source: SecurityWeek
Emerging Attack Vectors
- OAuth Device Code Phishing: Multiple threat actors are exploiting Microsoft 365's OAuth device code authorization mechanism in phishing campaigns. This technique is particularly effective because it leverages legitimate authentication workflows. Source: Bleeping Computer
- VPN Credential Attacks: Attackers are logging in to Cisco and Palo Alto VPN systems with credentials they already hold, suggesting credential theft or brute-force campaigns targeting enterprise remote access infrastructure. Source: CSO Online
- Cracked Software Distribution: Cybercriminals are using cracked software distribution sites and YouTube videos to spread CountLoader and GachiLoader malware variants. Source: The Hacker News
3. Sector-Specific Analysis
Water & Wastewater Systems
Threat Level: ELEVATED
The water sector faces heightened threat activity following Denmark's attribution of destructive cyberattacks on water utility infrastructure to Russian state actors. This represents a significant escalation in nation-state targeting of water systems.
Key Concerns:
- Russian actors demonstrated willingness to conduct destructive (not just disruptive) attacks against water infrastructure
- Attacks appear coordinated with broader hybrid warfare objectives
- U.S. water utilities should assume similar targeting is possible
Recommended Actions:
- Review and validate network segmentation between IT and OT environments
- Ensure remote access mechanisms are properly secured and monitored
- Verify backup and recovery capabilities for critical control systems
- Engage with WaterISAC for sector-specific threat intelligence
Energy Sector
Threat Level: ELEVATED
Reports this week highlighted ongoing concerns about Chinese threat activity targeting the U.S. power grid. While specific new incidents were not publicly disclosed, the persistent nature of this threat warrants continued vigilance.
Key Developments:
- Continued nation-state interest in power grid reconnaissance and potential pre-positioning
- UEFI vulnerabilities affecting industrial motherboards could impact energy sector control systems
- VPN and firewall vulnerabilities create potential entry points for adversaries
Recommended Actions:
- Prioritize patching of WatchGuard and Fortinet devices in energy environments
- Assess UEFI firmware versions on critical systems
- Review supply chain security for hardware components
Communications & Information Technology
Threat Level: HIGH
Multiple critical vulnerabilities in network security appliances are under active exploitation, creating significant risk for organizations relying on these devices for perimeter security.
Critical Issues:
- WatchGuard CVE-2025-14733: Critical RCE vulnerability (CVSS 9.3) actively exploited
- Fortinet Authentication Bypass: Over 25,000 devices with FortiCloud SSO exposed
- Microsoft 365 OAuth Attacks: Device code phishing bypassing traditional controls
- React2Shell: Described as a "Log4j moment" for front-end development
Recommended Actions:
- Immediately patch WatchGuard Firebox devices
- Audit Fortinet device exposure and apply authentication bypass mitigations
- Implement conditional access policies to limit OAuth device code authentication
- Review front-end development frameworks for React2Shell exposure
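One way to act on the device code concern above (the OAuth Device Code Phishing entry under Emerging Attack Vectors and the recommendation to limit device code authentication with conditional access), as an added example that is not from the briefing, Microsoft, or any vendor: a Python triage that isolates Entra ID sign-ins made through the device code flow and ranks them against each user's usual locations. Field names follow the Microsoft Graph signIn resource (`userPrincipalName`, `authenticationProtocol` with the value `deviceCode`, `ipAddress`, `appDisplayName`); the flattened `country` and `status` keys stand in for `location.countryOrRegion` and `status.errorCode`, and every record below is constructed sample data.

```python
"""Triage Microsoft Entra ID sign-ins that used the OAuth device code flow.

Added example (not from the briefing or Microsoft). Field names follow the
Microsoft Graph signIn resource; "country" and "status" are flattened forms of
location.countryOrRegion and status.errorCode (0 = success). All records are
constructed sample data, not real users or addresses.
"""
from collections import defaultdict

# Constructed sample sign-in records.
SAMPLE_SIGNINS = [
    # Ordinary interactive sign-ins that establish each user's usual locations.
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.10", "country": "DK", "status": 0,
     "appDisplayName": "Microsoft Teams"},
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "none",
     "ipAddress": "203.0.113.11", "country": "DK", "status": 0,
     "appDisplayName": "Office 365 SharePoint Online"},
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "none",
     "ipAddress": "198.51.100.7", "country": "DK", "status": 0,
     "appDisplayName": "Microsoft Teams"},
    # Legitimate device-code use: an admin tool, from the user's usual address.
    {"userPrincipalName": "bob@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "country": "DK", "status": 0,
     "appDisplayName": "Microsoft Azure CLI"},
    # Successful device-code sign-in from a country never seen for this user:
    # the pattern left behind when a victim enters a code the attacker requested.
    {"userPrincipalName": "alice@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.200", "country": "BR", "status": 0,
     "appDisplayName": "Microsoft Office"},
    # Failed device-code attempt for a user with no baseline in the window.
    {"userPrincipalName": "carol@example.org", "authenticationProtocol": "deviceCode",
     "ipAddress": "192.0.2.201", "country": "NL", "status": 50126,
     "appDisplayName": "Microsoft Office"},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "info": 3}


def build_baseline(signins):
    """Per-user countries and IPs seen in successful non-device-code sign-ins.

    Device-code sign-ins are excluded so a phished session cannot launder its
    own source address into the baseline it is later compared against.
    """
    countries, ips = defaultdict(set), defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode" and s["status"] == 0:
            countries[s["userPrincipalName"]].add(s["country"])
            ips[s["userPrincipalName"]].add(s["ipAddress"])
    return countries, ips


def classify(reasons, succeeded):
    """A successful device-code sign-in from a location the user has never
    used is the high-priority case; failed attempts are recorded but not paged."""
    if not succeeded:
        return "info"
    if "new_country" in reasons or "no_baseline" in reasons:
        return "high"
    if "new_ip" in reasons:
        return "medium"
    return "low"


def score_device_code_signins(signins):
    """Return every device-code sign-in as a finding, most urgent first."""
    countries, ips = build_baseline(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        user = s["userPrincipalName"]
        succeeded = s["status"] == 0
        reasons = ["device_code_flow"]
        if not succeeded:
            reasons.append("failed_attempt")
        if not countries[user]:
            reasons.append("no_baseline")
        elif s["country"] not in countries[user]:
            reasons.append("new_country")
        if s["ipAddress"] not in ips[user]:
            reasons.append("new_ip")
        findings.append({
            "userPrincipalName": user,
            "ipAddress": s["ipAddress"],
            "country": s["country"],
            "appDisplayName": s["appDisplayName"],
            "reasons": reasons,
            "severity": classify(reasons, succeeded),
        })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


def users_to_review(findings):
    """Accounts whose sessions should be revoked and re-verified first."""
    return sorted({f["userPrincipalName"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    for f in score_device_code_signins(SAMPLE_SIGNINS):
        print(f["severity"].upper(), f["userPrincipalName"], f["country"],
              f["ipAddress"], f["appDisplayName"], ",".join(f["reasons"]))
```

Run it over a sign-in export covering the review window; the baseline is only as good as that window, so a user whose legitimate travel is not in it will surface as `new_country` and needs a manual look rather than an automatic block. Once a conditional access policy blocks the device code flow, these sign-ins stop appearing as successes and the triage shrinks to the `info` bucket.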
Healthcare & Public Health
Threat Level: MODERATE
While no major healthcare-specific incidents were reported this week, the sector remains a high-value target for ransomware operators. The holiday period traditionally sees increased attack activity.
Key Considerations:
- Former incident responders' guilty pleas highlight insider threat risks in security operations
- Microsoft 365 phishing campaigns could target healthcare administrative systems
- Holiday staffing reductions may delay incident detection and response
Financial Services
Threat Level: MODERATE
Key Developments:
- ATM Jackpotting Conspiracy: U.S. authorities charged 54 individuals in a massive ATM jackpotting conspiracy linked to Venezuelan crime syndicate Tren de Aragua. The group is accused of stealing millions through coordinated attacks on ATM infrastructure. Source: Infosecurity Magazine
- Crypto Exchange Enforcement: The E-Note cryptocurrency exchange shutdown demonstrates continued law enforcement focus on disrupting financial infrastructure supporting cybercrime
Transportation Systems
Threat Level: BASELINE
Maritime Security Updates:
- The U.S. Coast Guard established a new Maritime Nuclear Policy Division, signaling increased focus on nuclear security in maritime environments
- USCGC Active offloaded $203 million in cocaine seized during Operation Pacific Viper
- U.S. Navy took delivery of new fleet oiler USNS Lucy Stone
Government Facilities
Threat Level: ELEVATED
Key Concerns:
- Chinese APT LongNosedGoblin targeting government networks in Asia using GPO-based malware deployment
- FBI warning on ongoing deepfake impersonation of U.S. government officials
- University of Sydney data breach affected 27,000 individuals including staff and affiliates
4. Vulnerability & Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| CVE/Vulnerability | Affected Product | CVSS | Status | Action Required |
|---|---|---|---|---|
| CVE-2025-14733 | WatchGuard Fireware OS | 9.3 | ACTIVELY EXPLOITED | Patch immediately |
| Fortinet Auth Bypass | FortiCloud SSO | High | ACTIVELY EXPLOITED | Apply mitigations; 25K+ devices exposed |
| UEFI DMA Flaw | ASRock, ASUS, GIGABYTE, MSI motherboards | High | Disclosed | Assess exposure; await vendor patches |
| HPE OneView RCE | HPE OneView | Critical | Patch Available | Apply updates |
| React2Shell | React-based applications | High | Disclosed | Review front-end frameworks |
Detailed Vulnerability Analysis
WatchGuard Fireware OS (CVE-2025-14733)
Severity: Critical (CVSS 9.3)
Status: Actively Exploited
Impact: Remote code execution allowing complete firewall takeover
WatchGuard has released emergency patches for this critical VPN vulnerability. Organizations using WatchGuard Firebox devices should treat this as an emergency patching priority. The vulnerability enables unauthenticated remote attackers to execute arbitrary code on affected devices.
Mitigation:
- Apply WatchGuard security updates immediately
- If patching is not immediately possible, consider temporarily disabling VPN functionality
- Monitor for indicators of compromise
- Review logs for suspicious authentication attempts
Source: CSO Online | Source: Bleeping Computer
UEFI Early-Boot DMA Vulnerability
Severity: High
Affected Vendors: ASRock, ASUSTeK, GIGABYTE, MSI
Impact: Pre-boot direct memory access attacks bypassing security controls
This vulnerability affects UEFI firmware implementations and enables attackers with physical access or certain remote capabilities to conduct DMA attacks before operating system security controls initialize. This is particularly concerning for high-security environments and systems handling sensitive data.
Mitigation:
- Inventory affected motherboard models in critical systems
- Enable IOMMU/VT-d protections where available
- Monitor vendor advisories for firmware updates
- Consider physical security controls for high-value systems
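The first two mitigation items above (inventory affected boards, confirm IOMMU protection) can be scripted on Linux hosts. The following is an added example, not from the briefing or any motherboard vendor: it reads the kernel's DMI and IOMMU sysfs interfaces (`/sys/class/dmi/id/*` and `/sys/kernel/iommu_groups`, both real paths) and assigns a patch priority. The vendor keyword list is constructed from the vendors the briefing names and may need extending for OEM-rebranded boards. One caveat the code states as well: an active OS IOMMU limits DMA only once the kernel is running; it does not close the pre-boot window this vulnerability concerns, so an affected board needs the firmware update whatever the IOMMU result.

```python
"""Inventory board vendor/firmware and check for an active OS IOMMU.

Added example (not from the briefing or any vendor). Uses the Linux sysfs DMI
and IOMMU interfaces. An active IOMMU protects memory after the kernel has
configured it; the pre-boot DMA window is closed only by a firmware update.
"""
from pathlib import Path
import tempfile

# Substrings matched case-insensitively against the DMI board vendor string.
# Constructed from the vendors named in the briefing; MSI boards report
# themselves as "Micro-Star International" in DMI.
AFFECTED_VENDOR_KEYWORDS = ("asrock", "asustek", "gigabyte", "micro-star", "msi")

DMI_FIELDS = ("board_vendor", "board_name", "bios_vendor", "bios_version", "bios_date")


def read_dmi_field(field, sysfs_root="/sys"):
    """Read one DMI attribute; virtual machines may lack some of them."""
    path = Path(sysfs_root) / "class" / "dmi" / "id" / field
    try:
        return path.read_text(encoding="utf-8", errors="replace").strip()
    except OSError:
        return "unknown"


def iommu_group_count(sysfs_root="/sys"):
    """Number of IOMMU groups; zero means the kernel has no IOMMU active."""
    groups = Path(sysfs_root) / "kernel" / "iommu_groups"
    if not groups.is_dir():
        return 0
    return sum(1 for child in groups.iterdir() if child.is_dir())


def is_affected_vendor(board_vendor):
    vendor = board_vendor.lower()
    return any(keyword in vendor for keyword in AFFECTED_VENDOR_KEYWORDS)


def assess_host(sysfs_root="/sys"):
    """Return the inventory record for one host plus a patch priority."""
    record = {field: read_dmi_field(field, sysfs_root) for field in DMI_FIELDS}
    record["affected_vendor"] = is_affected_vendor(record["board_vendor"])
    record["iommu_groups"] = iommu_group_count(sysfs_root)
    if not record["affected_vendor"]:
        record["priority"] = "low"
    elif record["iommu_groups"] == 0:
        record["priority"] = "high"    # affected board and no DMA protection even after boot
    else:
        record["priority"] = "medium"  # affected board; firmware update still required
    return record


def make_sample_sysfs(board_vendor, iommu_groups):
    """Build a constructed sysfs tree so the assessment can be exercised offline."""
    root = tempfile.mkdtemp(prefix="sysfs-sample-")
    dmi = Path(root) / "class" / "dmi" / "id"
    dmi.mkdir(parents=True)
    sample = {"board_vendor": board_vendor, "board_name": "SAMPLE-BOARD",
              "bios_vendor": "SampleBIOS", "bios_version": "1.00",
              "bios_date": "01/01/2025"}
    for field, value in sample.items():
        (dmi / field).write_text(value + "\n")
    for i in range(iommu_groups):
        (Path(root) / "kernel" / "iommu_groups" / str(i)).mkdir(parents=True)
    return root


if __name__ == "__main__":
    # Assess the real host this script runs on.
    print(assess_host())
```

Collect the printed record from each host into the hardware inventory the Supply Chain Security section below asks for; the `bios_version` and `bios_date` fields are what to compare against the vendor advisory once a fixed firmware is published.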
Source: The Hacker News | Source: Bleeping Computer
Fortinet FortiCloud SSO Exposure
Status: Over 25,000 devices exposed
Impact: Authentication bypass enabling unauthorized access
Shadowserver has identified more than 25,000 Fortinet devices with FortiCloud SSO enabled that are exposed to ongoing authentication bypass attacks. Organizations should immediately audit their Fortinet deployments.
Mitigation:
- Audit all Fortinet devices for FortiCloud SSO configuration
- Apply available patches and mitigations
- Consider disabling FortiCloud SSO if not required
- Implement network segmentation to limit exposure
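The first audit item above can be applied to saved configuration exports rather than by logging into each unit. The following is an added example, not from the briefing or Fortinet: it assumes the FortiCloud admin SSO login is exposed in the FortiOS CLI as `set admin-forticloud-sso-login {enable|disable}` under `config system global`, which is my recollection of the setting name and should be confirmed against Fortinet's advisory before the results are relied on. The configuration snippets are constructed samples, not real device exports.

```python
"""Audit FortiGate configuration exports for the FortiCloud SSO admin login.

Added example (not from the briefing or Fortinet). Assumes the CLI setting
name `admin-forticloud-sso-login` under `config system global`; verify it
against the vendor advisory. The exports below are constructed samples.
"""
import re

SETTING = "admin-forticloud-sso-login"
SETTING_RE = re.compile(r"^\s*set\s+" + re.escape(SETTING) + r"\s+(\S+)", re.MULTILINE)
HOSTNAME_RE = re.compile(r'^\s*set\s+hostname\s+"?([^"\s]+)"?', re.MULTILINE)

# Constructed sample exports keyed by the label under which they were saved.
SAMPLE_EXPORTS = {
    "fw-branch-1": """config system global
    set hostname "fw-branch-1"
    set admin-forticloud-sso-login enable
end
""",
    "fw-dc-core": """config system global
    set hostname "fw-dc-core"
    set admin-forticloud-sso-login disable
    set timezone 26
end
""",
    # `show` omits settings at their default, so this export says nothing
    # about the SSO login; only `show full-configuration` would.
    "fw-lab": """config system global
    set hostname "fw-lab"
end
""",
}


def audit_export(text, label="unknown"):
    """Classify one export as sso-enabled, sso-disabled, or not-set."""
    host_match = HOSTNAME_RE.search(text)
    hostname = host_match.group(1) if host_match else label
    match = SETTING_RE.search(text)
    value = match.group(1).lower() if match else None
    if value == "enable":
        state = "sso-enabled"
    elif value == "disable":
        state = "sso-disabled"
    else:
        # Absent in a plain `show` export: re-collect with
        # `show full-configuration system global` before concluding anything.
        state = "not-set"
    return {"hostname": hostname, "setting": value, "state": state}


def summarize(exports):
    """Group hostnames by SSO state across a fleet of exports."""
    summary = {"sso-enabled": [], "sso-disabled": [], "not-set": []}
    for label, text in exports.items():
        result = audit_export(text, label)
        summary[result["state"]].append(result["hostname"])
    return summary


if __name__ == "__main__":
    for state, hosts in summarize(SAMPLE_EXPORTS).items():
        print(f"{state:13s} {', '.join(hosts) or '-'}")
```

Devices in the `sso-enabled` list are the ones to patch or reconfigure first; devices in `not-set` need a full-configuration export before they can be placed in either bucket, since a plain `show` hides default values.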
Additional Security Updates
- Windows 10 OOB Update: Microsoft released an out-of-band update to fix Message Queuing (MSMQ) issues caused by this month's extended security update. Enterprise environments using MSMQ should apply this fix. Source: Bleeping Computer
- Docker Hardened Images: Docker has made 1,000 hardened, production-ready container images free and open source, providing developers with secure baseline images. Source: SecurityWeek
5. Resilience & Continuity Planning
Lessons Learned: Insider Threat Case Study
The guilty pleas of two former cybersecurity incident responders who conducted ransomware attacks while employed at security firms provide critical lessons for insider threat programs:
Key Takeaways:
- Privileged Access Risk: Security personnel often have elevated access that could be abused for malicious purposes
- Continuous Monitoring: Background checks at hiring are insufficient; ongoing behavioral monitoring is essential
- Separation of Duties: Ensure no single individual has unchecked access to critical systems
- Audit Logging: Maintain comprehensive logs of security team activities
- Vendor Vetting: Extend insider threat considerations to third-party security providers
Holiday Period Security Considerations
With the holiday season approaching, organizations should prepare for increased threat activity during periods of reduced staffing:
Recommended Actions:
- Ensure 24/7 security monitoring coverage through the holiday period
- Pre-position incident response resources and establish clear escalation procedures
- Verify backup integrity and test restoration procedures
- Communicate emergency contact information to all stakeholders
- Consider implementing additional access controls during reduced staffing periods
- Brief staff on holiday-themed phishing and social engineering tactics
Supply Chain Security
Hardware Security Concerns:
The UEFI vulnerability affecting multiple motherboard manufacturers highlights supply chain security challenges:
- Maintain hardware inventories including motherboard models and firmware versions
- Establish relationships with vendors for security update notifications
- Consider hardware security requirements in procurement processes
- Implement firmware integrity monitoring where possible
Cross-Sector Dependencies
The Danish water utility attacks demonstrate the interconnected nature of critical infrastructure threats:
- Water systems often depend on the energy sector for power
- Communications infrastructure supports SCADA/ICS operations across sectors
- Attacks on one sector may be coordinated with broader campaigns
- Information sharing between sectors is essential for early warning
6. Regulatory & Policy Developments
Leadership Changes
NSA/Cyber Command Nomination
Army Lt. Gen. Joshua Rudd has been nominated to lead both the National Security Agency (NSA) and U.S. Cyber Command. This dual-hat leadership position is critical for coordinating national cybersecurity and signals intelligence operations. Source: Homeland Security Today
Maritime Security Policy
Coast Guard Maritime Nuclear Policy Division
The U.S. Coast Guard has established a new Maritime Nuclear Policy Division, signaling increased focus on nuclear security in maritime environments. This development is relevant for:
- Port facilities handling nuclear materials
- Nuclear-powered vessel operations
- Maritime transportation of radioactive materials
- Port security planning and exercises
Source: Homeland Security Today
Grant and Funding Developments
DHS/FEMA DEI Grant Conditions
Federal courts continue to block DHS and FEMA DEI grant conditions, creating uncertainty for grant recipients. Organizations should monitor developments and consult legal counsel regarding compliance requirements. Source: Homeland Security Today
International Developments
International Anti-Scam Initiative
Thailand hosted a conference launching an international initiative to combat online scams. ASEAN members have made similar pledges in recent months, indicating growing international cooperation on cybercrime. Source: SecurityWeek
Cybersecurity Policy Analysis
A comprehensive review of Trump administration cybersecurity policy developments was published this week, analyzing policy changes that may affect critical infrastructure protection. Key areas of concern include:
- Potential use of private firms for cyber offensive operations
- Changes to federal cybersecurity workforce and capabilities
- Shifts in public-private partnership approaches
7. Training & Resource Spotlight
New Tools and Resources
Docker Hardened Images
Docker has released 1,000 hardened, production-ready container images as free and open source resources. These images provide:
- Secure baseline configurations
- Reduced attack surface
- Regular security updates
- Production-ready deployments
Organizations using containerized applications should evaluate these images for their environments. Source: SecurityWeek
Criminal IP and Cortex XSOAR Integration
Criminal IP's AI-powered threat intelligence platform is now integrated with Palo Alto Networks' Cortex XSOAR, enabling automated incident response with exposure intelligence. Source: Bleeping Computer
AI Security Developments
NIST Center for AI Standards and Innovation (CAISI)
NIST's CAISI is seeking AI experts to help develop AI standards and is hiring an AI Research Scientist. Organizations interested in contributing to AI security standards development can express interest through NIST. Source: NIST
Palo Alto Networks and Google Cloud Partnership
Palo Alto Networks and Google Cloud announced a multibillion-dollar AI and cloud security partnership. Palo Alto will migrate workloads and adopt Google's Vertex AI and Gemini models, potentially influencing enterprise security tool capabilities. Source: SecurityWeek
AI Security Startup Funding
AI security firm Ciphero emerged from stealth with $2.5 million in funding. The startup's solution captures, verifies, and governs AI interactions within enterprise environments. Source: SecurityWeek
Emergency Response Technology
DHS S&T Unmanned Ground Vehicle Evaluation
DHS Science and Technology Directorate is evaluating unmanned ground vehicles (UGVs) for emergency response applications. This technology assessment may lead to new capabilities for first responders and critical infrastructure protection. Source: Homeland Security Today
Best Practices: Managing Agentic AI Risk
CSO Online published guidance on managing agentic AI risk based on lessons from the OWASP Top 10. Key considerations include:
- Understanding autonomous AI decision-making risks
- Implementing appropriate guardrails and oversight
- Monitoring AI system behaviors for anomalies
- Establishing clear accountability for AI actions
Physical Security Insights
University Attack Prevention Case Study
Security Magazine published analysis of a prevented university attack, offering lessons for campus security professionals:
- Importance of threat assessment programs
- Value of community reporting mechanisms
- Coordination between campus police and external agencies
8. Looking Ahead: Upcoming Events
Anticipated Developments
Holiday Period Threat Considerations (December 20, 2025 - January 5, 2026)
- Increased Ransomware Risk: Historically, threat actors target organizations during holiday periods when staffing is reduced
- Phishing Campaigns: Holiday-themed phishing and social engineering attacks typically increase
- Reduced Response Capacity: Organizations should pre-position incident response resources
NIST SUSHI@NIST Event (January 28, 2026)
NIST will host "SUSHI@NIST: Rolling Next-Generation Secure Hardware into Standards," focusing on enhancing hardware security for national defense and emerging technologies. Topics include:
- Semiconductor security in geopolitical context
- Digital sovereignty considerations
- Hardware security standards development
Regulatory Milestones
- Monitor for NSA/Cyber Command leadership confirmation proceedings
- Watch for updates on DHS/FEMA grant condition litigation
- Track Coast Guard Maritime Nuclear Policy Division guidance releases
Threat Periods Requiring Heightened Awareness
- Year
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.