Sandworm Deploys New DynoWiper in Major Attack on Polish Power Grid; CISA Adds Critical VMware Flaw to KEV Catalog
Critical Infrastructure Intelligence Briefing
Reporting Period: January 18–25, 2026
Date of Publication: Sunday, January 25, 2026
1. Executive Summary
This week's threat landscape is dominated by a significant nation-state attack on European energy infrastructure and continued exploitation of enterprise virtualization platforms. Critical infrastructure operators should prioritize the following developments:
- Russian APT Activity Against Energy Sector: The Sandworm threat group (attributed to Russian military intelligence) conducted what Polish authorities describe as the "largest cyber attack" targeting Poland's power system in late December 2025. The attack employed a previously undocumented destructive malware dubbed "DynoWiper." While the attack was ultimately unsuccessful, it represents a significant escalation in offensive cyber operations against NATO-allied critical infrastructure.
- Critical VMware Vulnerability Under Active Exploitation: CISA added CVE-2024-37079, a critical vulnerability in VMware vCenter Server, to its Known Exploited Vulnerabilities (KEV) catalog on Friday. Despite being patched in June 2024, active exploitation in the wild necessitates immediate remediation for organizations that have not yet applied updates.
- Supply Chain and SSO Targeting: The ShinyHunters extortion group is conducting sophisticated voice phishing (vishing) campaigns targeting single sign-on (SSO) accounts at major identity providers including Okta, Microsoft, and Google—posing significant risk to organizations relying on federated authentication.
- AI-Enhanced Threat Development: North Korean threat actors (Konni/Opal Sleet) are now leveraging artificial intelligence to generate malware, specifically targeting blockchain engineers with AI-crafted PowerShell payloads—demonstrating the accelerating integration of AI tools into adversary tradecraft.
Recommended Immediate Actions:
- Verify VMware vCenter Server patching status for CVE-2024-37079
- Review and strengthen SSO account security controls and vishing awareness
- Review OT network segmentation and incident response procedures (energy sector operators)
- Implement enhanced monitoring for wiper malware indicators
2. Threat Landscape
Nation-State Threat Actor Activities
Sandworm (Russia – GRU Unit 74455)
Target: Polish Power Grid
Timeframe: Late December 2025 (disclosed this week)
Assessment: HIGH CONCERN
The Russian state-sponsored group Sandworm has been definitively attributed to a major cyber attack against Poland's power infrastructure. Key details include:
- New Capability: The attack introduced "DynoWiper," a previously undocumented destructive malware designed to render systems inoperable by wiping critical data and system files
- Attack Outcome: The attack was detected and contained before achieving its destructive objectives, though the attempt itself represents significant escalation
- Strategic Context: Poland's role as a key NATO logistics hub and its proximity to the ongoing conflict in Ukraine make it a high-priority target for Russian cyber operations
- Historical Pattern: This attack is consistent with Sandworm's documented history of targeting energy infrastructure, including the 2015 and 2016 Ukraine power grid attacks and the 2022 Industroyer2 deployment
Sources: Bleeping Computer, The Hacker News
Konni / Opal Sleet (North Korea)
Target: Blockchain Engineers and Developers
Assessment: MODERATE CONCERN
North Korean threat actors are demonstrating tactical evolution through the integration of AI tools into their malware development pipeline:
- AI-Generated Malware: The group is using artificial intelligence to create PowerShell-based malware, potentially accelerating development cycles and evading signature-based detection
- Target Selection: Focus on blockchain sector personnel aligns with North Korea's documented interest in cryptocurrency theft to fund state programs
- Implications: This represents an early but significant indicator of how AI tools may lower barriers to sophisticated malware development
Source: Bleeping Computer
Ransomware and Cybercriminal Developments
ShinyHunters SSO Targeting Campaign
Assessment: HIGH CONCERN for Enterprise Security
The ShinyHunters extortion group has claimed responsibility for an ongoing wave of voice phishing attacks targeting enterprise SSO infrastructure:
- Targets: Okta, Microsoft, and Google SSO accounts
- Methodology: Social engineering via voice calls (vishing) to bypass MFA and gain access to federated authentication systems
- Impact Potential: Successful compromise of SSO accounts can provide broad access across multiple connected applications and services
- Recommended Mitigations:
  - Implement phishing-resistant MFA (FIDO2/WebAuthn)
  - Establish out-of-band verification procedures for sensitive account changes
  - Conduct targeted security awareness training on vishing tactics
Source: Bleeping Computer
WorldLeaks Extortion Group
Target: Nike, Inc.
Assessment: MONITORING
The WorldLeaks cybercrime group claims to have exfiltrated data from Nike's systems and is threatening public disclosure. While Nike is not classified as critical infrastructure, this incident is noteworthy for:
- Potential supply chain implications for manufacturing and logistics sectors
- Demonstration of continued extortion group activity targeting major enterprises
- Nike's confirmation that it is investigating the claimed incident
Source: SecurityWeek
Amnesia RAT and Ransomware Campaign
Target: Russian Users
Assessment: LOW CONCERN for Western Infrastructure
A multi-stage phishing campaign targeting users in Russia has been observed deploying the Amnesia RAT and ransomware payloads. While this campaign is geographically focused on Russia, the tactics, techniques, and procedures (TTPs) may be adapted for broader targeting.
Source: The Hacker News
3. Sector-Specific Analysis
Energy Sector
Threat Level: ELEVATED
The attempted Sandworm attack on Poland's power grid represents the most significant energy sector development this reporting period. Key considerations for U.S. energy operators:
- Wiper Malware Threat: DynoWiper joins a growing family of destructive malware targeting energy infrastructure (Industroyer, Industroyer2, CaddyWiper, etc.)
- OT/IT Convergence Risk: Modern grid operations increasingly rely on IT systems that may serve as initial access vectors for OT-targeted attacks
- Geopolitical Spillover: While this attack targeted Poland, U.S. energy infrastructure remains a high-priority target for Russian cyber operations, particularly given ongoing geopolitical tensions
Recommended Actions:
- Review and test OT network segmentation controls
- Ensure offline backups of critical control system configurations
- Validate incident response procedures for destructive malware scenarios
- Participate in sector-specific information sharing (E-ISAC)
Communications & Information Technology
Threat Level: ELEVATED
VMware vCenter Server Vulnerability (CVE-2024-37079)
CISA's addition of this vulnerability to the KEV catalog indicates confirmed exploitation in the wild. VMware vCenter Server is widely deployed across critical infrastructure sectors for virtualization management.
- Severity: Critical (heap-overflow vulnerability enabling remote code execution)
- Patch Availability: Available since June 2024
- Federal Deadline: FCEB agencies must remediate per BOD 22-01 timelines
- Private Sector Guidance: Immediate patching recommended; if patching is not immediately possible, implement network segmentation to limit vCenter exposure
Microsoft Outlook Stability Issues
Microsoft released emergency out-of-band updates on Saturday (January 25) to address Outlook freezing issues affecting Windows 10, Windows 11, and Windows Server environments using PST files. While not a security vulnerability, operational disruptions to email systems can impact incident response and business continuity.
Sources: CISA, Bleeping Computer
Financial Services
Threat Level: MODERATE
The ShinyHunters SSO targeting campaign poses particular risk to financial services organizations that rely heavily on federated authentication:
- Financial institutions should review identity provider security configurations
- Consider implementing additional verification steps for high-privilege account changes
- Monitor for unusual authentication patterns that may indicate account compromise
Additionally, the Konni group's targeting of blockchain engineers may indicate continued North Korean interest in cryptocurrency-adjacent targets, including exchanges and DeFi platforms.
Healthcare & Public Health
Threat Level: BASELINE
No sector-specific incidents were reported this period. However, healthcare organizations should note:
- VMware vCenter vulnerabilities affect healthcare IT infrastructure
- SSO compromise risks are elevated given healthcare's reliance on federated identity systems
- Continued vigilance against ransomware targeting is warranted
Transportation Systems
Threat Level: BASELINE
No direct transportation sector incidents were reported this period. Transportation operators should maintain awareness of:
- Potential spillover effects from energy sector targeting
- Supply chain implications from enterprise breaches (e.g., Nike logistics operations)
Water & Wastewater Systems
Threat Level: BASELINE
No sector-specific incidents were reported this period. Water utilities should continue implementing recommendations from recent CISA advisories on securing internet-exposed OT systems.
4. Vulnerability & Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| CVE | Product | Severity | Status | Action Required |
|---|---|---|---|---|
| CVE-2024-37079 | VMware vCenter Server | Critical | Added to KEV (Active Exploitation) | Patch immediately; isolate if patching delayed |
CISA Advisories and Actions
- KEV Catalog Update (January 24, 2026): CVE-2024-37079 added due to confirmed active exploitation
- Binding Operational Directive 22-01: Federal agencies must remediate KEV vulnerabilities within specified timelines
Recommended Defensive Measures
For VMware vCenter Environments:
- Apply vendor patches immediately
- Restrict network access to vCenter management interfaces
- Monitor for indicators of compromise associated with exploitation
- Review vCenter audit logs for suspicious administrative activity
For SSO/Identity Infrastructure:
- Implement phishing-resistant MFA (FIDO2, hardware tokens)
- Enable conditional access policies based on device compliance and location
- Establish callback verification procedures for sensitive account changes
- Monitor for anomalous authentication patterns
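As an added illustration of the "anomalous authentication patterns" item above (not part of the original briefing), the following Python flags the sequence a vishing-driven SSO takeover typically produces: an MFA factor reset followed within an hour by a sign-in from an address the user has never used. The event schema, field names, sample events and the 30-day IP baseline are constructed assumptions, not any identity provider's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events loosely modelled on an identity-provider system log.
# Field names are an assumption for this example, not a vendor schema.
EVENTS = [
    {"ts": "2026-01-21T09:02:10Z", "user": "a.nowak", "action": "mfa.factor.reset",  "ip": "203.0.113.7"},
    {"ts": "2026-01-21T09:06:41Z", "user": "a.nowak", "action": "mfa.factor.enroll", "ip": "203.0.113.7"},
    {"ts": "2026-01-21T09:07:05Z", "user": "a.nowak", "action": "session.start",     "ip": "203.0.113.7"},
    {"ts": "2026-01-21T09:30:00Z", "user": "b.kowal", "action": "mfa.factor.reset",  "ip": "198.51.100.4"},
    {"ts": "2026-01-22T11:15:00Z", "user": "b.kowal", "action": "session.start",     "ip": "198.51.100.4"},
]
# Constructed baseline: addresses each user signed in from over the prior 30 days.
KNOWN_IPS = {"a.nowak": {"198.51.100.20"}, "b.kowal": {"198.51.100.4"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_reset_then_new_login(events, known_ips, window=timedelta(minutes=60)):
    """Return (user, reset_ts, login_ts, ip) for every MFA factor reset that is
    followed within `window` by a successful sign-in from an address absent from
    the user's baseline. A reset alone, or a later login from a known address,
    is not reported, which keeps routine help-desk work out of the alert queue."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    hits = []
    for user, evs in by_user.items():
        baseline = known_ips.get(user, set())
        for i, e in enumerate(evs):
            if e["action"] != "mfa.factor.reset":
                continue
            t0 = parse_ts(e["ts"])
            for later in evs[i + 1:]:
                if parse_ts(later["ts"]) - t0 > window:
                    break  # events are time-ordered; nothing further can match
                if later["action"] == "session.start" and later["ip"] not in baseline:
                    hits.append((user, e["ts"], later["ts"], later["ip"]))
    return hits


if __name__ == "__main__":
    for hit in find_reset_then_new_login(EVENTS, KNOWN_IPS):
        print("review:", hit)
```

In production the baseline would come from the provider's sign-in history and the reset event would carry the help-desk actor, which is the natural place to attach the callback-verification record.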
For Energy Sector OT Environments:
- Validate network segmentation between IT and OT systems
- Ensure offline backups of critical control system configurations
- Review and test incident response procedures for destructive malware
- Implement application whitelisting on critical systems where feasible
5. Resilience & Continuity Planning
Lessons Learned: Poland Power Grid Attack
The successful detection and containment of the Sandworm attack on Poland's power infrastructure offers valuable lessons:
- Detection Capabilities Matter: Early detection prevented the DynoWiper malware from achieving its destructive objectives
- Preparation Pays Off: Poland's heightened security posture, likely informed by regional threat awareness, contributed to successful defense
- Information Sharing: Rapid attribution and public disclosure enable other potential targets to implement defensive measures
Wiper Malware Preparedness
Organizations should review their preparedness for destructive malware scenarios:
- Backup Integrity: Ensure backups are isolated from production networks and regularly tested for restoration
- Recovery Procedures: Document and practice system recovery procedures, including from bare-metal scenarios
- Detection Capabilities: Implement behavioral detection for file system manipulation patterns associated with wiper malware
- Segmentation: Limit lateral movement potential through network segmentation and least-privilege access controls
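As an added illustration of the "behavioral detection" item above, not taken from the briefing or from any published DynoWiper analysis (the briefing carries no indicators), the following Python scans a constructed file-system audit stream for a single process that overwrites and deletes files across several directories within seconds, the pattern wiper malware produces regardless of its signature. The event tuples, thresholds, paths and the `upd.exe` process name are constructed assumptions.

```python
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta

DESTRUCTIVE = {"write", "delete", "rename"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def make_events():
    """Constructed audit events: (timestamp, pid, image, operation, path)."""
    # Benign: a document editor saving the same file repeatedly.
    ev = [(f"2026-01-20T03:14:{i:02d}Z", 4120, "winword.exe", "write",
           r"C:\Users\op\Documents\report.docx") for i in range(8)]
    # Suspicious: one process rewriting then deleting files across many directories.
    dirs = [r"C:\Users\op\Documents", r"C:\Users\op\Desktop", r"C:\ProgramData\Scada\cfg", r"D:\backups"]
    for i in range(8):
        d = dirs[i % len(dirs)]
        ev.append((f"2026-01-20T03:20:{i:02d}Z", 7788, "upd.exe", "write", f"{d}\\file{i}.dat"))
        ev.append((f"2026-01-20T03:20:{i:02d}Z", 7788, "upd.exe", "delete", f"{d}\\file{i}.dat"))
    return ev


def detect_mass_destruction(events, window=timedelta(seconds=10), min_ops=6, min_dirs=3):
    """Flag any process whose destructive operations inside a sliding `window`
    reach `min_ops` and touch at least `min_dirs` distinct directories.
    Returns {pid: (image, ops_in_window, dirs_in_window)} for the first trip."""
    recent = defaultdict(deque)  # pid -> deque of (timestamp, directory)
    alerts = {}
    for ts_s, pid, image, op, path in sorted(events, key=lambda e: e[0]):
        if op not in DESTRUCTIVE or pid in alerts:
            continue
        ts = parse_ts(ts_s)
        q = recent[pid]
        q.append((ts, ntpath.dirname(path)))  # ntpath splits Windows paths on any host OS
        while q and ts - q[0][0] > window:
            q.popleft()
        dirs = {d for _, d in q}
        if len(q) >= min_ops and len(dirs) >= min_dirs:
            alerts[pid] = (image, len(q), len(dirs))
    return alerts


if __name__ == "__main__":
    for pid, (image, ops, ndirs) in detect_mass_destruction(make_events()).items():
        print(f"ALERT pid={pid} image={image} ops={ops} dirs={ndirs} in 10s")
```

The directory-spread requirement is what separates a wiper from a busy but legitimate application; tune `min_ops` and `min_dirs` against a week of baseline telemetry before alerting on it.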
Supply Chain Security Considerations
The Nike breach claim and SSO targeting campaign highlight supply chain and third-party risks:
- Review identity provider security configurations and incident response procedures
- Assess vendor access to critical systems and data
- Ensure contractual requirements for security incident notification
6. Regulatory & Policy Developments
NIST Hardware Security Standards Initiative
NIST has announced the "SUSHI@NIST" initiative focused on rolling next-generation secure hardware into standards. While the full details are scheduled for release on January 28, 2026, the initiative addresses:
- Hardware security for national defense applications
- Emerging technology security requirements
- Semiconductor supply chain resilience
- Digital sovereignty considerations
Implications: Critical infrastructure operators should monitor this initiative for potential future compliance requirements and procurement guidance.
Source: NIST
AI Governance and Security
The emergence of AI-generated malware (as seen in the Konni campaign) and the broader proliferation of AI agents in enterprise environments raise important policy considerations:
- Organizations should develop governance frameworks for AI agent access and accountability
- Security teams should assess risks associated with AI tools that can access data, trigger workflows, and take autonomous actions
- Regulatory guidance on AI security in critical infrastructure contexts is anticipated
Source: The Hacker News
7. Training & Resource Spotlight
Recommended Resources
CISA Resources:
- Known Exploited Vulnerabilities Catalog – Monitor for additions requiring immediate action
- Shields Up – Guidance for heightened threat environments
- Cross-Sector Cybersecurity Performance Goals – Baseline security measures for critical infrastructure
Sector-Specific ISACs:
- E-ISAC – Electricity sector threat intelligence and coordination
- FS-ISAC – Financial services threat intelligence
- H-ISAC – Healthcare sector threat intelligence
- WaterISAC – Water sector threat intelligence
Best Practices Highlight: Vishing Defense
Given the ShinyHunters SSO targeting campaign, organizations should implement:
- Callback Verification: Establish procedures requiring verification through known-good contact methods before processing sensitive requests
- Code Words: Consider implementing verification code words for high-sensitivity operations
- Training: Conduct targeted awareness training on voice-based social engineering tactics
- Technical Controls: Implement phishing-resistant MFA that cannot be bypassed through social engineering
8. Looking Ahead: Upcoming Events
Anticipated Developments
- January 28, 2026: NIST SUSHI@NIST secure hardware standards initiative publication expected
- Ongoing: Monitor for additional details on DynoWiper malware indicators of compromise as analysis continues
- Ongoing: ShinyHunters SSO campaign expected to continue; organizations should maintain heightened vigilance
Threat Periods Requiring Heightened Awareness
- Geopolitical Tensions: Continued Russian cyber operations against NATO-allied infrastructure should be anticipated
- Financial Reporting Season: Q4 2025 earnings season may drive increased targeting of financial services and publicly traded companies
Recommended Monitoring
- CISA KEV Catalog for additional vulnerability additions
- Sector-specific ISAC alerts for emerging threats
- Vendor security advisories for critical infrastructure systems
This briefing is derived from open-source intelligence and is intended to support critical infrastructure protection efforts. Recipients are encouraged to share relevant information with appropriate stakeholders and report suspicious activity to CISA (report@cisa.gov) or sector-specific ISACs.
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.