
Sandworm Strikes Polish Power Grid with DynoWiper as Fortinet Auth Bypass Remains Unpatched on Enterprise Firewalls

Critical Infrastructure Intelligence Briefing

Report Date: Saturday, January 24, 2026
Reporting Period: January 17-24, 2026


1. Executive Summary

Major Developments

  • CRITICAL - Nation-State Attack on Power Infrastructure: Russia's Sandworm APT group executed what Polish authorities describe as the "largest cyber attack" targeting Poland's power system in late December 2025, deploying new destructive malware dubbed "DynoWiper." This represents a significant escalation in nation-state targeting of European energy infrastructure.
  • CRITICAL - Fortinet Authentication Bypass Under Active Exploitation: Fortinet has confirmed that a critical FortiCloud SSO authentication bypass vulnerability is being actively exploited against fully patched FortiGate firewalls. The company acknowledges the flaw is not yet fully remediated, leaving enterprise networks exposed.
  • HIGH - Energy Sector Phishing Campaign: Microsoft has disclosed a sophisticated multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign specifically targeting energy sector organizations, abusing SharePoint for payload delivery.
  • HIGH - CISA KEV Catalog Updates: CISA added five vulnerabilities to its Known Exploited Vulnerabilities catalog this week, including a critical heap overflow in VMware vCenter Server and flaws in Zimbra Collaboration, Versa enterprise software, and the Vite frontend tool.
  • MODERATE - Mass Credential Exposure: Security researchers discovered 149 million credentials exposed in a 96GB data cache, including credentials for government systems, Facebook, Instagram, and various enterprise platforms.

Cross-Sector Concerns

  • The Fortinet vulnerability affects network security appliances deployed across all critical infrastructure sectors
  • Energy sector faces coordinated targeting from both nation-state actors and sophisticated phishing campaigns
  • Transportation sector impacted by ransomware attack on German transit authority (Verkehrsgesellschaft Main-Tauber)
  • Pwn2Own Automotive 2026 disclosed 76 zero-day vulnerabilities in automotive systems, including EV chargers and infotainment systems

2. Threat Landscape

Nation-State Threat Actor Activities

Sandworm (Russia) - CRITICAL PRIORITY

A major cyber attack against Poland's power infrastructure in late December 2025 has been attributed to Sandworm, the Russian GRU-affiliated threat group. Key details include:

  • New Malware: Deployment of previously unseen destructive malware designated "DynoWiper"
  • Target: Polish power grid systems
  • Assessment: This attack represents continued Russian targeting of NATO member energy infrastructure and demonstrates Sandworm's ongoing development of destructive capabilities
  • Historical Context: Sandworm has previously conducted destructive attacks against Ukrainian power infrastructure (2015, 2016, 2022) and deployed NotPetya globally (2017)

Source: The Hacker News

AI-Enhanced Cyber Capabilities

Anthropic has published research indicating that current AI models are becoming measurably better at finding and exploiting software vulnerabilities. The capability cuts both ways: the same models that help defenders triage code and reproduce bugs also lower the skill barrier for attackers developing working exploits.

Source: Schneier on Security

Ransomware and Cybercriminal Developments

WorldLeaks Extortion Group

The WorldLeaks cybercrime group claims responsibility for a potential breach of Nike's systems, threatening to leak stolen data. While Nike is a consumer goods company rather than critical infrastructure, this demonstrates continued aggressive activity by extortion groups.

Source: SecurityWeek

ShinyHunters SSO Targeting Campaign

The ShinyHunters extortion gang has claimed responsibility for ongoing voice phishing (vishing) attacks against organizations' single sign-on (SSO) accounts hosted on Okta, Microsoft and Google identity platforms. Because an SSO account grants access to every federated application behind it, this campaign poses significant risk to any organization that relies on these providers for authentication.

Source: Bleeping Computer

Ransomware Gang Operational Security Failure

A ransomware gang's operational security mistake enabled data recovery for 12 U.S. firms, demonstrating that threat actor errors can sometimes provide recovery opportunities for victims.

Source: CSO Online

Physical Security Threats

Transit Terrorism Threat - Canada

A Montreal man who allegedly threatened to bomb public transit systems is now facing additional terrorism charges. This case underscores ongoing physical security concerns for mass transit infrastructure.

Source: Homeland Security Today

Emerging Attack Vectors

Dual-Vector Credential Theft Campaign

Security researchers have disclosed a new campaign that combines stolen credentials with deployment of legitimate Remote Monitoring and Management (RMM) software (LogMeIn) for persistent access. Because the tool is signed and routinely used by IT teams, its presence rarely raises alerts; defenders should keep an inventory of approved RMM products and alert on the installation of, or outbound connections from, any RMM agent not on that list.

Source: The Hacker News

Malicious VSCode Extensions

Two malicious extensions in Microsoft's Visual Studio Code Marketplace, with combined installations of 1.5 million, have been discovered exfiltrating developer data to China-based servers. This supply chain attack vector threatens software development environments across sectors.

Source: Bleeping Computer

GNU InetUtils Telnetd Exploitation

A coordinated campaign is targeting a critical-severity authentication bypass vulnerability in the GNU InetUtils telnetd server that has existed for 11 years. Successful exploitation grants root access to affected systems.

Source: Bleeping Computer


3. Sector-Specific Analysis

Energy Sector - ELEVATED THREAT LEVEL

Sandworm Attack on Polish Power Grid

Threat Level: CRITICAL

The Sandworm attack on Poland's power infrastructure represents the most significant nation-state cyber operation against Western energy infrastructure in recent months. Energy sector operators should:

  • Review and enhance monitoring of operational technology (OT) networks
  • Ensure network segmentation between IT and OT environments
  • Verify incident response plans account for destructive malware scenarios, including offline, tested backups of engineering workstations, project files and controller configurations
  • Coordinate with sector ISACs for additional threat intelligence

AitM Phishing Campaign Targeting Energy Organizations

Threat Level: HIGH

Microsoft has warned of a sophisticated multi-stage attack campaign specifically targeting energy sector organizations:

  • Initial Access: SharePoint-based phishing for credential harvesting
  • Technique: Adversary-in-the-middle (AitM) attacks to bypass MFA
  • Objective: Business email compromise (BEC) for financial fraud
  • Recommendation: Move to phishing-resistant MFA (FIDO2/WebAuthn), whose assertions are bound to the origin the browser actually connected to and therefore cannot be relayed through a proxy domain the way one-time codes and push approvals can; enhance email security controls; and conduct targeted awareness training

Sources: The Hacker News, SecurityWeek
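The following is an added illustration of why the recommendation above holds; it is not code from the briefing or from Microsoft. It models the two checks that stop an AitM proxy from relaying a WebAuthn assertion (the browser's rpId rule and the relying party's origin check) next to an RFC 6238 TOTP code, which relays cleanly. HMAC-SHA256 stands in for the authenticator's ECDSA signature, so the relying-party model shares the key; the domain names are assumptions.

```python
"""Why an AitM proxy can relay a TOTP code but not a WebAuthn assertion.
Added illustration, not code from the briefing or from Microsoft.  HMAC-SHA256
stands in for the authenticator's ECDSA signature (so the RP model shares the
key); the rpId/origin checks are the ones the real protocol performs.  Domain
names are assumed."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "sso.corp.example"                 # relying party identifier (assumed)
GOOD_ORIGIN = "https://sso.corp.example"
EVIL_ORIGIN = "https://sso-corp.example"    # AitM proxy on a lookalike domain


def rp_id_allowed(rp_id: str, origin: str) -> bool:
    """Browser rule: rpId must equal, or be a registrable suffix of, the
    origin's host, so a phishing origin cannot ask for the real site's rpId."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """One credential per rpId; the key is a stand-in for the private key."""
    def __init__(self):
        self.creds = {RP_ID: secrets.token_bytes(32)}

    def get_assertion(self, rp_id: str, client_data_json: bytes) -> dict:
        # authenticatorData = rpIdHash || flags || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return {"authenticatorData": auth_data, "clientDataJSON": client_data_json,
                "signature": hmac.new(self.creds[rp_id], signed, hashlib.sha256).digest()}


def client_data(origin: str, challenge: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, separators=(",", ":")).encode()


def browser_get(authn: Authenticator, origin: str, rp_id: str, challenge: str):
    """navigator.credentials.get(): refuse a disallowed rpId, and write the
    origin the browser actually connected to into clientDataJSON."""
    if not rp_id_allowed(rp_id, origin):
        return None
    return authn.get_assertion(rp_id, client_data(origin, challenge))


def rp_verify(assertion: dict, expected_challenge: str, key: bytes) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the
    signature over authenticatorData || SHA-256(clientDataJSON)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != GOOD_ORIGIN:        # this check is what defeats AitM
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(assertion["signature"], hmac.new(key, signed, hashlib.sha256).digest())


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: bound to time only, not to where the code is typed."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)


def totp_relay_succeeds(secret: bytes, now: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it to
    the real RP within the same time step.  The RP cannot tell the difference."""
    return totp(secret, now) == totp(secret, now)   # relayed code == expected code


def legitimate_login(authn: Authenticator, challenge: str) -> bool:
    a = browser_get(authn, GOOD_ORIGIN, RP_ID, challenge)
    return a is not None and rp_verify(a, challenge, authn.creds[RP_ID])


def webauthn_relay(authn: Authenticator, challenge: str) -> tuple:
    """Proxy relays the real RP's challenge to the victim on EVIL_ORIGIN.
    Returns (browser_refused_rpid, rp_accepted_forged_origin)."""
    relayed = browser_get(authn, EVIL_ORIGIN, RP_ID, challenge)
    refused = relayed is None
    # Even if a non-conforming browser signed over the phishing origin,
    # the RP's origin check rejects the assertion.
    forged = authn.get_assertion(RP_ID, client_data(EVIL_ORIGIN, challenge))
    return refused, rp_verify(forged, challenge, authn.creds[RP_ID])


if __name__ == "__main__":
    a, ch = Authenticator(), secrets.token_urlsafe(32)
    print("legitimate WebAuthn login accepted:", legitimate_login(a, ch))
    print("(browser refused rpId, RP accepted relay):", webauthn_relay(a, ch))
    print("TOTP relay accepted:", totp_relay_succeeds(b"shared-seed", 1_700_000_000))
```

The point to take from the model: the TOTP code carries no information about where it was entered, so the relying party has nothing to check; the WebAuthn assertion is signed over the origin the browser saw, so a proxy on a lookalike domain fails either at the browser (rpId not allowed) or at the relying party (origin mismatch).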

Transportation Systems

German Transit Authority Ransomware Attack

Verkehrsgesellschaft Main-Tauber, a German transportation authority, has been impacted by a ransomware attack. Details on operational impacts remain limited, but the incident highlights continued targeting of transit systems by ransomware operators.

Source: CSO Online

Automotive Sector Vulnerabilities

Pwn2Own Automotive 2026 concluded with researchers earning over $1 million for demonstrating 76 zero-day vulnerabilities in automotive systems, including:

  • Electric vehicle charging infrastructure
  • In-vehicle infotainment systems
  • Connected vehicle components

These vulnerabilities have implications for EV charging infrastructure security and connected vehicle fleets.

Source: SecurityWeek, Bleeping Computer

Coast Guard Maritime Operations

The U.S. Coast Guard has launched the RAPTOR (Rapid Prototyping and Technology Operations Response) program to accelerate deployment of new maritime security technologies. This initiative aims to improve response capabilities and technology adoption for maritime security operations.

Source: Homeland Security Today

Communications & Information Technology

Fortinet FortiCloud SSO Bypass - CRITICAL

Fortinet has confirmed that a critical authentication bypass affecting FortiCloud single sign-on is being actively exploited against FortiGate firewalls that are fully patched. Key concerns:

  • Patches released to date do not fully address the vulnerability
  • Exploitation bypasses administrator authentication on the device
  • Affects enterprise network security infrastructure across all sectors
  • Fortinet states it is working to fully remediate the issue

Immediate Actions:

  • Monitor Fortinet advisories for complete patch availability and apply interim fixes as they are released
  • Restrict administrative access: bind administrator accounts to trusted source addresses (trusthost settings) and remove HTTPS/SSH administrative access from internet-facing interfaces
  • Disable FortiCloud SSO administrator login where it is not required (admin-forticloud-sso-login under config system global) and enforce MFA on the local administrator accounts that remain
  • Review event logs for successful administrator logins from unexpected sources or via SSO, administrator accounts you did not create, and configuration changes you cannot attribute; if any are found, treat credentials, VPN secrets and certificates on the device as exposed

Sources: SecurityWeek, The Hacker News, CSO Online, Bleeping Computer
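To make the log-review bullets concrete, the following is an added example (not Fortinet code and not drawn from the advisories above) that parses FortiOS-style key=value event logs and flags administrator logins from outside a trusted management network, logins via SSO, logins by accounts outside the known-admin baseline, and changes to administrator accounts. The sample log lines are constructed for this example; the trusted network, the baseline admin list and the method="sso" field value are assumptions for the illustration, not values taken from Fortinet documentation.

```python
"""Triage of FortiGate event logs for the compensating controls above.
Added example, not Fortinet code.  Parses FortiOS key=value log lines and
flags (1) successful admin logins from outside the trusted-host list,
(2) admin logins via SSO, (3) logins by accounts outside the known-admin
baseline and (4) changes to system.admin (new/modified admin accounts).
The sample lines are constructed; method="sso" is an assumed field value."""
import ipaddress
import re

TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]   # assumed mgmt net
KNOWN_ADMINS = {"admin", "netops"}                           # assumed baseline

# key=value pairs; values are either "quoted (may contain spaces)" or bare tokens
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortios(line: str) -> dict:
    """FortiOS logs are space-separated key=value pairs with optional quoting."""
    fields = {}
    for k, v in KV_RE.findall(line):
        fields[k] = v[1:-1] if v.startswith('"') else v
    return fields


def source_ip(ev: dict):
    """Admin login events carry the client in ui="https(192.0.2.10)"; fall
    back to srcip= for other event shapes."""
    m = re.search(r"\(([^)]+)\)", ev.get("ui", ""))
    cand = m.group(1) if m else ev.get("srcip")
    try:
        return ipaddress.ip_address(cand)
    except (ValueError, TypeError):
        return None


def is_trusted(ip) -> bool:
    return ip is not None and any(ip in net for net in TRUSTED_ADMIN_NETS)


def triage(lines):
    """Return a list of (reason, event) findings in log order."""
    findings = []
    for line in lines:
        ev = parse_fortios(line)
        if ev.get("type") != "event":
            continue                                  # traffic/utm logs: skip
        if ev.get("action") == "login" and ev.get("status") == "success":
            if not is_trusted(source_ip(ev)):
                findings.append(("admin login from untrusted source", ev))
            if ev.get("method", "").lower() == "sso":
                findings.append(("admin login via SSO", ev))
            if ev.get("user") not in KNOWN_ADMINS:
                findings.append(("login by unknown admin account", ev))
        if ev.get("cfgpath") == "system.admin":
            findings.append(("admin account configuration changed", ev))
    return findings


# Constructed sample lines in FortiOS syslog shape (not real telemetry).
SAMPLE = [
    'date=2026-01-20 time=08:00:01 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(10.10.0.5)" method="https" '
    'action="login" status="success" msg="Administrator admin logged in successfully from https(10.10.0.5)"',
    'date=2026-01-20 time=03:12:44 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="admin" ui="https(203.0.113.77)" method="sso" '
    'action="login" status="success" msg="Administrator admin logged in successfully"',
    'date=2026-01-20 time=03:13:10 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="admin" ui="https(203.0.113.77)" '
    'action="Edit" cfgpath="system.admin" cfgobj="svc_backup" cfgattr="accprofile[super_admin]"',
    'date=2026-01-20 time=03:15:00 type="event" subtype="system" level="information" '
    'logdesc="Admin login successful" user="svc_backup" ui="ssh(203.0.113.77)" method="ssh" '
    'action="login" status="success"',
    'date=2026-01-20 time=09:00:00 type="traffic" subtype="forward" srcip=10.1.1.5 dstip=8.8.8.8 action="accept"',
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE):
        print(f"{ev['date']} {ev['time']} {reason}: user={ev.get('user')} ui={ev.get('ui')}")
```

Run against exported event logs (one line per record), the sequence in the sample is the one to look for after a suspected bypass: an SSO login from an unfamiliar address, followed minutes later by a new administrator account and a login with it.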

TikTok U.S. Operations Update

TikTok has announced formation of a joint venture (TikTok USDS) to continue U.S. operations under the 2025 Executive Order. This development has implications for data security and communications infrastructure policy.

Source: The Hacker News

Healthcare & Public Health

NHS Supply Chain Security Initiative

NHS technology leaders have issued an open letter demanding improved cybersecurity standards from suppliers, outlining plans to identify and address risks to software supply chain security across the UK health and social care system. This initiative may serve as a model for healthcare supply chain security improvements in other jurisdictions.

Source: Infosecurity Magazine

Financial Services

ATM Jackpotting Convictions

Two Venezuelan nationals have been convicted in the U.S. for using malware to conduct ATM jackpotting attacks, stealing hundreds of thousands of dollars from U.S. banks. The individuals will be deported following sentencing. This case is part of broader enforcement actions against dozens of Venezuelan nationals involved in similar schemes.

Sources: SecurityWeek, Bleeping Computer

Government Facilities

Dresden State Art Collections Cyber Breach

Digital infrastructure supporting the Dresden State Art Collections in Germany has been targeted in a cyber breach. While primarily a cultural institution, this incident demonstrates continued targeting of government-affiliated facilities.

Source: Security Magazine


4. Vulnerability & Mitigation Updates

CISA Known Exploited Vulnerabilities (KEV) Additions

CISA added the following vulnerabilities to the KEV catalog this week, indicating confirmed active exploitation:

CVE             Product                    Severity  Description
CVE-2024-37079  VMware vCenter Server      Critical  Heap overflow in the DCERPC protocol implementation (patched June 2024; exploitation now confirmed)
Multiple        Zimbra Collaboration       High      Authentication and access-control vulnerabilities
Multiple        Versa enterprise software  High      Enterprise software vulnerabilities
TBD             Vite frontend tool         High      Development-tool vulnerability

Federal Civilian Agencies: Must remediate per BOD 22-01 timelines
All Organizations: Strongly encouraged to prioritize patching of KEV-listed vulnerabilities

Sources: The Hacker News, Bleeping Computer
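As an added example of how a team turns KEV additions into a work queue (this is not CISA tooling), the script below matches the KEV JSON feed against what a vulnerability scanner reports open and orders the results by BOD 22-01 due date. The field names are those of the published feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; the entries, hostnames and dates below are constructed for the illustration, and the dateAdded/dueDate shown for CVE-2024-37079 are assumed rather than copied from the catalog.

```python
"""Match the CISA KEV feed against what a scanner reports open and order the
work by BOD 22-01 due date.  Added example, not CISA tooling.  The field
names follow the published JSON feed (cveID, vendorProject, product,
dateAdded, dueDate, knownRansomwareCampaignUse, ...); the entries, hosts and
dates are constructed for this example."""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.01.22", "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2024-37079", "vendorProject": "VMware", "product": "vCenter Server",
         "vulnerabilityName": "VMware vCenter Server Heap-Based Buffer Overflow Vulnerability",
         "dateAdded": "2026-01-20", "shortDescription": "...",   # dates assumed
         "requiredAction": "Apply mitigations per vendor instructions or discontinue use.",
         "dueDate": "2026-02-10", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
         "dateAdded": "2021-12-10", "shortDescription": "...",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2021-12-24", "knownRansomwareCampaignUse": "Known", "notes": ""},
    ],
})

# Constructed: hostname -> CVEs the vulnerability scanner still reports open.
INVENTORY = {
    "vcsa01.corp.example": {"CVE-2024-37079"},
    "build01.corp.example": {"CVE-2021-44228"},
    "jump01.corp.example": set(),
}


def load_kev(feed_json: str) -> dict:
    """Index the feed by CVE ID; 'count' catches a truncated download."""
    feed = json.loads(feed_json)
    entries = {v["cveID"]: v for v in feed["vulnerabilities"]}
    if len(entries) != feed["count"]:
        raise ValueError(f"feed count {feed['count']} != {len(entries)} entries")
    return entries


def prioritize(kev: dict, inventory: dict, as_of: date) -> list:
    """One row per (host, KEV-listed CVE): overdue first, then by due date."""
    rows = []
    for host, cves in inventory.items():
        for cve in sorted(cves):
            entry = kev.get(cve)
            if entry is None:
                continue                      # open but not in KEV: normal patch cycle
            due = date.fromisoformat(entry["dueDate"])
            rows.append({"host": host, "cve": cve,
                         "product": f"{entry['vendorProject']} {entry['product']}",
                         "due": due, "days_left": (due - as_of).days,
                         "overdue": due < as_of,
                         "ransomware": entry.get("knownRansomwareCampaignUse") == "Known"})
    rows.sort(key=lambda r: (not r["overdue"], r["due"], r["host"]))
    return rows


def report(as_of_iso: str = "2026-01-24") -> list:
    """Convenience wrapper over the constructed feed and inventory."""
    return prioritize(load_kev(KEV_SAMPLE), INVENTORY, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for r in report():
        flag = "OVERDUE" if r["overdue"] else f"due in {r['days_left']}d"
        print(f"{r['host']:22} {r['cve']:16} {r['product']:24} {flag}"
              + ("  ransomware-linked" if r["ransomware"] else ""))
```

The due dates come from the feed itself, so the same script serves agencies bound by BOD 22-01 and organizations that adopt the KEV timelines voluntarily; a CVE that is open but absent from KEV stays in the normal patch cycle rather than inflating the emergency queue.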

Critical Vulnerabilities Requiring Immediate Attention

Fortinet FortiCloud SSO Authentication Bypass

  • Status: Actively exploited; patch incomplete
  • Impact: Authentication bypass on FortiGate firewalls
  • Action: Monitor for updated patches; implement compensating controls

SmarterMail Authentication Bypass

  • Status: Exploitation began within 48 hours of patch release
  • Impact: Administrative access to mail servers
  • Action: Apply patches immediately; review for compromise indicators

Source: SecurityWeek

GNU InetUtils Telnetd Authentication Bypass

  • Status: Actively exploited in coordinated campaign
  • Impact: Root access to affected systems
  • Vulnerability Age: 11 years
  • Action: Disable telnetd where possible, including on embedded and OT devices that ship with it enabled by default; apply patches; migrate remote administration to SSH

Source: Bleeping Computer

Industrial Control Systems Advisories

Rockwell Automation Security Notice

A security notice has been issued for Rockwell Automation products. Organizations using Rockwell ICS/SCADA systems should review the advisory and apply recommended mitigations.

Source: SecurityWeek

Recommended Defensive Measures

  • Network Security Appliances: Audit Fortinet deployments; implement additional monitoring; restrict management interface access to trusted hosts
  • Email Security: Deploy phishing-resistant MFA; enhance SharePoint security controls, including review of anonymous sharing links; implement email authentication (SPF, DKIM, and DMARC with an enforcing policy)
  • Development Environments: Audit installed VS Code extensions; implement extension allowlisting (VS Code supports an extensions.allowed policy setting); monitor developer workstations for unexpected outbound connections
  • Legacy Protocols: Identify and eliminate telnet usage; enforce SSH for remote administration
  • Identity Security: Implement additional controls around SSO platforms; train help-desk and IT staff to refuse phone requests for password or MFA resets without out-of-band verification; alert on MFA factor enrollment changes
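An added example for the email-authentication item above (not taken from the briefing's sources): it parses SPF and DMARC TXT records and reports the weaknesses that let spoofed mail through, with a constructed weak configuration beside a hardened one. The record strings and domain names are constructed; in practice the inputs come from TXT lookups of the domain and of _dmarc.<domain>.

```python
"""Evaluate published SPF and DMARC records for the weaknesses that let
spoofed mail through.  Added example, not from the briefing's sources.  The
records below are constructed strings; in practice they come from TXT
lookups of <domain> and _dmarc.<domain>."""
import re

# Mechanisms/modifiers that consume one of the 10 DNS lookups RFC 7208 allows
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)\b", re.I)


def parse_spf(txt: str) -> dict:
    """Return the terminal 'all' qualifier and the number of lookup terms."""
    if not txt.lower().startswith("v=spf1"):
        return {"valid": False}
    terms = txt.split()[1:]
    all_q = None
    for t in terms:
        if t.lower().lstrip("+-~?") == "all":
            all_q = t[0] if t[0] in "+-~?" else "+"     # bare 'all' means '+all'
    return {"valid": True, "all": all_q,
            "lookups": sum(1 for t in terms if LOOKUP_TERM.match(t)), "terms": terms}


def parse_dmarc(txt: str) -> dict:
    """tag=value pairs separated by ';' (RFC 7489)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess(spf_txt: str, dmarc_txt: str) -> list:
    """Findings a mail-security reviewer would raise; an empty list means the
    two records enforce authentication as strongly as they can."""
    findings = []
    spf = parse_spf(spf_txt)
    if not spf["valid"]:
        findings.append("SPF: no v=spf1 record")
    else:
        if spf["all"] in (None, "+"):
            findings.append("SPF: missing or '+all' terminal mechanism permits any sender")
        elif spf["all"] == "?":
            findings.append("SPF: '?all' is neutral, equivalent to no policy")
        elif spf["all"] == "~":
            findings.append("SPF: '~all' softfail; relies on DMARC to reject")
        if spf["lookups"] > 10:
            findings.append(f"SPF: {spf['lookups']} lookup terms exceed the RFC 7208 limit of 10 (permerror)")
    dm = parse_dmarc(dmarc_txt)
    if dm.get("v") != "DMARC1":
        findings.append("DMARC: no v=DMARC1 record; SPF/DKIM results are not enforced")
        return findings
    p = dm.get("p", "").lower()
    if p in ("", "none"):
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
    pct = int(dm.get("pct", "100"))
    if pct < 100 and p != "none":
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")
    if "rua" not in dm:
        findings.append("DMARC: no rua= address; aggregate reports are not collected")
    if dm.get("sp", p).lower() == "none" and p not in ("", "none"):
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    return findings


# Constructed records: a weak configuration beside a hardened one.
WEAK = ("v=spf1 include:_spf.example.net a mx ~all",
        "v=DMARC1; p=none; pct=100")
HARDENED = ("v=spf1 include:_spf.example.net -all",
            "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@corp.example; "
            "ruf=mailto:dmarc@corp.example; fo=1")

if __name__ == "__main__":
    for name, (s, d) in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "->", assess(s, d) or ["no findings"])
```

The usual progression is p=none with rua= to collect reports, then p=quarantine, then p=reject once the aggregate reports show every legitimate sender passing; the checker flags each intermediate state so it is not mistaken for the end state.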

5. Resilience & Continuity Planning

Lessons Learned

Ransomware Recovery Opportunity

The recovery of data for 12 U.S. firms following a ransomware gang's operational security failure highlights the importance of:

  • Maintaining communication with law enforcement during incidents
  • Preserving forensic evidence that may enable recovery
  • Not immediately paying ransoms, as alternative recovery paths may emerge

AI-Generated Code Security Risks

Analysis of an AI-written honeypot revealed that AI-generated code can introduce subtle security vulnerabilities when teams over-trust automated output. Organizations should:

  • Implement mandatory security review for AI-generated code
  • Maintain human oversight of automated development processes
  • Test AI-generated components in isolated environments before production deployment

Source: Bleeping Computer

Supply Chain Security

Cloud Environment Exploitation

Research indicates that customer-managed cloud environments are being actively exploited, with affected organizations including security vendors and Fortune 500 companies. Organizations should:

  • Audit cloud security configurations against CIS benchmarks
  • Implement cloud security posture management (CSPM) tools
  • Review third-party access to cloud environments

Source: Security Magazine

NHS Supply Chain Initiative

The NHS open letter on supplier cybersecurity standards provides a framework that critical infrastructure operators may consider adapting:

  • Establishing minimum security requirements for suppliers
  • Conducting supply chain risk assessments
  • Requiring security certifications and attestations

Emergency Preparedness

FEMA Winter Preparedness

FEMA has released winter preparedness guidance as severe weather threatens much of the U.S. Critical infrastructure operators should:

  • Review cold weather operational procedures
  • Verify backup power and heating systems
  • Coordinate with local emergency management
  • Update business continuity plans for winter weather scenarios

Source: Homeland Security Today


6. Regulatory & Policy Developments

Compliance Landscape Analysis

Cyber Insights 2026: Regulatory Complexity

SecurityWeek's Cyber Insights 2026 report highlights the increasingly complex regulatory environment facing organizations, where "politics meets business." Key observations:

  • Compliance requirements continue to multiply across jurisdictions
  • Organizations face challenges harmonizing overlapping regulatory frameworks
  • Political considerations increasingly influence cybersecurity regulation

Source: SecurityWeek

GDPR Enforcement

€1.2 billion in GDPR fines were reported this period, demonstrating continued aggressive enforcement of data protection requirements in Europe. U.S. organizations with European operations or customers should ensure GDPR compliance programs remain current.

Source: SecurityWeek

Federal Developments

DHS Science and Technology Leadership

Pedro Allende has been confirmed as the new Under Secretary of Science and Technology at DHS. This appointment may influence technology priorities and research initiatives relevant to critical infrastructure protection.

Source: Homeland Security Today

DHS SBIR Program Clarification

DHS has clarified the Small Business Innovation Research (SBIR) Phase III process as the federal innovation program remains in administrative limbo. Organizations engaged in SBIR contracts should monitor for additional guidance.

Source: Homeland Security Today

Standards Development

NIST Hardware Security Standards

NIST has announced the "SUSHI@NIST" initiative focused on rolling next-generation secure hardware into standards. This effort aims to enhance hardware security for national defense and emerging technologies, with potential implications for critical infrastructure supply chain security.

Source: NIST


7. Training & Resource Spotlight

Tools and Frameworks

Net-NTLMv1 Rainbow Tables

New rainbow tables for Net-NTLMv1 have been released. They matter because a Net-NTLMv1 response is three DES encryptions of the server challenge under keys derived directly from the user's NT hash, so a response captured on the wire (or coerced toward a listener that issues a fixed challenge) can be looked up in precomputed tables to recover the NT hash itself, which is then usable for pass-the-hash. Red teams can use the tables to demonstrate this exposure; defenders should enumerate remaining NTLMv1 use from 4624 logon events whose Package Name is NTLM V1, then enforce LmCompatibilityLevel 5 ("Send NTLMv2 response only. Refuse LM & NTLM") on domain controllers and members.

Source: SecurityWeek

Network Detection and Response

NETSCOUT has been recognized for leadership in network detection and response (NDR) capabilities. Organizations evaluating NDR solutions for critical infrastructure environments may consider this recognition in vendor assessments.

Source: CSO Online

Industry Recognition

Ed Chandler Security Innovation Award

The inaugural Ed Chandler Security Innovation Award was presented to ADRM at CONSULT 2025, recognizing innovation in security solutions.

Source: Security Magazine

Research and Analysis

AI Agent Security Considerations

The Hacker News has published analysis on rethinking access, accountability, and risk in the age of AI agents. As AI agents increasingly perform autonomous actions in enterprise environments, security teams should consider:

  • Access control frameworks for AI agents
  • Audit and accountability mechanisms
  • Risk assessment methodologies for autonomous systems

Source: The Hacker News

Awareness Resources

Insider Threat Management

CSO Online has published guidance on taking insider threats seriously, emphasizing that this risk category remains underestimated by many organizations. Security teams should review insider threat programs and ensure appropriate controls are in place.

Source: CSO Online


8. Looking Ahead: Upcoming Events & Considerations

Threat Periods Requiring Heightened Awareness

Winter Weather Operations

With severe winter weather threatening much of the U.S., critical infrastructure operators should maintain heightened awareness for:

  • Physical impacts to infrastructure from ice, snow, and cold
  • Increased demand on energy systems
  • Potential for cyber attacks timed to coincide with weather-related stress
  • Supply chain disruptions affecting maintenance and operations

Continued Nation-State Activity

Following the Sandworm attack on Polish power infrastructure, European and NATO-aligned energy sector operators should maintain elevated vigilance for:

  • Reconnaissance activity against energy systems
  • Spear-phishing campaigns targeting energy sector personnel
  • Potential for additional destructive attacks

Anticipated Developments

Fortinet Patch Completion

Organizations should monitor for Fortinet's complete remediation of the FortiCloud SSO authentication bypass vulnerability. Expect additional advisories and patches in the coming days to weeks.

Pwn2Own Vulnerability Disclosures

Following Pwn2Own Automotive 2026, expect coordinated disclosure of the 76 zero-day vulnerabilities demonstrated during the event. Automotive and EV charging infrastructure operators should monitor for patches from affected vendors.

Upcoming Industry Events

Homeland Security Today National Border Security Awards

Homeland Security Today has launched the National Border Security Awards program. Nominations and event details are forthcoming.

Source: Homeland Security Today

Seasonal Security Considerations

  • Q1 2026 Budget Cycles: Many organizations are finalizing security budgets; ensure critical infrastructure protection investments are prioritized
  • Tax Season Phishing: Anticipate increased phishing activity leveraging tax-related themes
  • Winter Storm Response: Maintain coordination with emergency management partners for potential weather-related incidents

Contact and Coordination

Critical infrastructure owners and operators are encouraged to:

  • Report suspicious activity to CISA
  • Participate in sector-specific Information Sharing and Analysis Centers (ISACs)
  • Engage with local Fusion Centers for regional threat awareness
  • Coordinate with sector-specific agencies for specialized guidance

This briefing is derived from open-source reporting and is intended to support critical infrastructure protection efforts. Information should be verified through official channels before operational implementation.

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.