Russian Hackers Brick Polish Power Grid Systems as Ivanti Zero-Days Exploited; White House Revokes Software Security Rules

1. Executive Summary

This week's intelligence cycle reveals significant escalation in nation-state targeting of critical infrastructure, major policy shifts affecting federal cybersecurity requirements, and continued exploitation of enterprise software vulnerabilities.

Major Developments

  • Energy Sector Attack: Russia-linked threat actor Sandworm/Electrum conducted coordinated cyber attacks against Polish energy infrastructure, targeting over 30 wind and solar farms and bricking industrial control system (ICS) devices at multiple sites. This represents a significant escalation in destructive attacks against European energy infrastructure.
  • Active Zero-Day Exploitation: Ivanti has released emergency patches for two critical zero-day vulnerabilities (CVSS 9.3+) in Endpoint Manager Mobile (EPMM) that are under active exploitation. One vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog.
  • Policy Reversal: The White House has revoked two Biden-era memorandums establishing software security requirements for federal contractors, characterizing them as "burdensome." This shift may impact software supply chain security standards across government systems.
  • Expanding Threat Campaigns: Mandiant reports significant expansion of ShinyHunters-style vishing attacks targeting SaaS platforms, with threat actors stealing MFA credentials to breach enterprise environments. Separately, North Korean threat groups have evolved, with Labyrinth Chollima splitting into three distinct operational units.
  • Insider Threat Advisory: CISA has issued guidance urging critical infrastructure organizations to take immediate action against insider threats, highlighting growing concerns about internal security risks.

2. Threat Landscape

Nation-State Threat Actor Activities

Russia - Sandworm/Electrum (Energy Sector)

CERT Polska has disclosed coordinated cyber attacks attributed to Russia-linked Sandworm (also tracked as Electrum) targeting Polish critical infrastructure. The campaign affected:

  • More than 30 wind and photovoltaic (solar) farms
  • Communication and control systems at 30 separate sites
  • At least one private manufacturing company

The attacks resulted in ICS devices being "bricked" (rendered permanently inoperable), representing a shift from intelligence collection to destructive operations. This activity aligns with Russia's documented interest in degrading NATO-allied energy infrastructure.

Source: SecurityWeek, The Hacker News

China - UAT-8099 (IT Infrastructure)

Cisco Talos researchers have identified a new campaign by China-linked threat actor UAT-8099 targeting IIS servers across Asia. The campaign, active from late 2025 through early 2026, deploys BadIIS malware for SEO manipulation and potential further compromise. Organizations running Internet Information Services should review server configurations and monitor for indicators of compromise.

Source: The Hacker News

North Korea - Labyrinth Chollima Evolution

CrowdStrike assesses that North Korean threat group Labyrinth Chollima has evolved into three distinct hacking groups, indicating increased operational capacity and specialization. This fragmentation suggests expanded targeting capabilities and potentially more sophisticated tradecraft across different operational objectives.

Source: Infosecurity Magazine

Iran-Targeting Campaign (RedKitten)

A new AI-developed malware campaign dubbed "RedKitten" has been identified targeting individuals seeking information about missing persons or political dissidents in Iran. While not directly targeting U.S. critical infrastructure, this campaign demonstrates the increasing use of AI in malware development and social engineering lure creation.

Source: Infosecurity Magazine

Ransomware and Cybercriminal Developments

ShinyHunters Vishing Campaign Expansion

Mandiant has identified a "significant expansion in threat activity" using tradecraft consistent with the ShinyHunters extortion group. Key characteristics include:

  • Voice phishing (vishing) attacks targeting enterprise employees
  • MFA credential theft to bypass security controls
  • Focus on SaaS platform access for data exfiltration
  • Hundreds of organizations currently in the crosshairs

The campaign represents an evolution in social engineering tactics, with threat actors calling employees directly to obtain authentication credentials rather than relying solely on email-based phishing.

Source: Mandiant Blog, CSO Online

Cryptocurrency Illicit Flows

Illegal cryptocurrency flows reached a record $158 billion in 2025, reversing a three-year declining trend (from $86B in 2021 to $64B in 2024). This surge indicates increased profitability of cybercriminal operations and highlights the continued challenge of disrupting ransomware payment ecosystems.

Source: Bleeping Computer

Emerging Attack Vectors

AI Platform Abuse

Threat actors are increasingly abusing legitimate AI infrastructure for malicious purposes:

  • Hugging Face: Android remote access trojans (RATs) are being distributed via malicious payloads hosted in Hugging Face repositories, exploiting the platform's trusted reputation.
  • Ollama Exposure: Researchers identified 175,000 exposed Ollama hosts that could enable LLM abuse, with 23,000 hosts persistently responsible for the majority of observed activity over 293 days.
  • Chrome Extensions: Malicious browser extensions discovered stealing OpenAI ChatGPT authentication tokens and hijacking affiliate links.

Source: SecurityWeek, CSO Online

Invoice Fraud Warning

The UK National Crime Agency and NatWest have issued a joint warning about cyber fraudsters targeting corporate finance departments through invoice fraud schemes, costing businesses millions annually. Critical infrastructure organizations should review accounts payable procedures and implement verification protocols for payment changes.

Source: Infosecurity Magazine

3. Sector-Specific Analysis

Energy Sector

CRITICAL: Polish Renewable Energy Infrastructure Attack

The coordinated Sandworm/Electrum attack on Polish energy infrastructure represents the most significant publicly disclosed destructive cyber operation against European energy systems in recent months.

Attack Characteristics:

  • Targeted renewable energy generation (wind and solar farms)
  • Compromised communication and control systems
  • Resulted in permanent damage to ICS devices (bricking)
  • Affected 30+ separate sites simultaneously

Implications for U.S. Energy Sector:

  • Renewable energy facilities may face increased targeting as adversaries seek to disrupt energy transition efforts
  • Distributed generation assets (wind/solar farms) present expanded attack surface compared to centralized generation
  • Communication systems connecting remote generation sites to control centers represent high-value targets
  • ICS device destruction indicates willingness to cause lasting physical damage rather than temporary disruption

Recommended Actions:

  • Review network segmentation between IT and OT environments at renewable generation facilities
  • Audit remote access mechanisms for distributed energy resources
  • Ensure ICS device firmware is current and backup configurations are maintained offline
  • Coordinate with sector ISACs for additional threat intelligence

Source: SecurityWeek, The Hacker News

Water & Wastewater Systems

No sector-specific incidents reported this period. However, water utilities should note:

  • The Polish energy attack demonstrates Sandworm's continued focus on critical infrastructure supporting essential services
  • CISA's insider threat guidance applies to water sector organizations
  • Ivanti EPMM vulnerabilities may affect mobile device management in water utility environments

Communications & Information Technology

IIS Server Targeting

The UAT-8099 campaign targeting IIS servers across Asia with BadIIS malware highlights ongoing risks to web infrastructure. Organizations should:

  • Audit IIS server configurations and patch levels
  • Monitor for SEO manipulation indicators
  • Review web server logs for suspicious activity patterns

Mobile Device Management Vulnerabilities

Active exploitation of Ivanti EPMM zero-days poses significant risk to organizations relying on mobile device management for workforce security. Communications sector organizations with mobile workforces should prioritize patching.

NTLM Deprecation

Microsoft announced plans to disable NTLM authentication by default in future Windows releases due to security vulnerabilities. Organizations should begin planning migration to modern authentication protocols.

Source: Bleeping Computer

Transportation Systems

Maritime Sector Updates

  • ASAP Portal Launch: The U.S. Coast Guard has debuted a new portal to streamline mariner credentialing processes, potentially improving workforce availability for maritime operations.
  • No direct cyber threats to transportation systems reported this period, though sector organizations should monitor for potential spillover from energy sector targeting.

Source: Homeland Security Today

Healthcare & Public Health

No sector-specific incidents reported this period. Healthcare organizations should note:

  • ShinyHunters vishing campaigns may target healthcare SaaS platforms containing protected health information
  • Ivanti EPMM vulnerabilities affect mobile device management commonly used in healthcare settings
  • CISA insider threat guidance is particularly relevant given healthcare workforce access to sensitive data

Financial Services

Invoice Fraud Alert

The joint NCA/NatWest warning highlights sophisticated invoice fraud targeting corporate finance departments. Financial services organizations should:

  • Implement multi-channel verification for payment changes
  • Train accounts payable staff on social engineering tactics
  • Review vendor management and payment authorization procedures

Cryptocurrency Enforcement

Record illicit cryptocurrency flows ($158B in 2025) underscore continued challenges in disrupting cybercriminal financial infrastructure. Financial institutions should maintain robust cryptocurrency transaction monitoring.

Government Facilities

Software Security Policy Changes

The White House revocation of Biden-era software security memorandums may affect federal contractor requirements and government system security standards. Government facility operators should monitor for updated guidance on software supply chain security expectations.

Intellectual Property Theft

A former Google engineer was convicted for stealing AI-related trade secrets intended for a China-based startup, highlighting ongoing insider threat risks in technology-adjacent government and contractor environments.

Source: The Hacker News

4. Vulnerability & Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

🔴 CRITICAL: Ivanti Endpoint Manager Mobile (EPMM) Zero-Days

  Attribute         Details
  ----------------  -----------------------------------------------------------------------
  Severity          Critical (CVSS 9.3+)
  Status            Actively Exploited in the Wild
  Impact            Unauthenticated Remote Code Execution
  CISA KEV          Added to Known Exploited Vulnerabilities catalog
  Action Required   Apply patches immediately; review MDM logs for compromise indicators

Analysis: These vulnerabilities allow unauthenticated attackers to execute arbitrary code remotely on affected systems. Given EPMM's role in managing mobile devices across enterprise environments, successful exploitation could provide attackers with access to managed device configurations, credentials, and potentially pivot points into broader network infrastructure.

Affected Organizations: Any organization using Ivanti EPMM for mobile device management, particularly those in critical infrastructure sectors with mobile workforces.

Mitigation Steps:

  1. Apply Ivanti security updates immediately
  2. Review EPMM access logs for suspicious authentication attempts
  3. Audit managed device inventory for unauthorized changes
  4. Consider temporary network isolation of EPMM servers if patching is delayed

Source: SecurityWeek, The Hacker News, CSO Online

🟠 HIGH: SmarterMail Remote Code Execution

  Attribute         Details
  ----------------  -----------------------------------------------------------------------
  Severity          Critical (CVSS 9.3)
  Status            Patched; No known exploitation
  Impact            Unauthenticated Arbitrary Code Execution
  Action Required   Update SmarterMail installations; review email server security

Analysis: SmarterTools has addressed two security flaws in SmarterMail, including one critical vulnerability enabling arbitrary code execution. Organizations using SmarterMail for email services should prioritize updates.

Source: The Hacker News

Notable Patches and Updates

Microsoft Updates

  • Windows 11 KB5074105: Preview cumulative update includes 32 changes, fixing boot, sign-in, and activation issues. Organizations experiencing boot failures after January 2026 updates should review Microsoft's guidance linking issues to failed December 2025 update attempts.
  • Outlook Fix: Microsoft resolved a bug preventing access to encrypted emails in classic Outlook following recent updates.
  • NTLM Deprecation Notice: Future Windows releases will disable NTLM authentication by default. Begin planning migration to modern authentication protocols.

Source: Bleeping Computer

Defensive Recommendations

Vishing Defense (ShinyHunters Campaign)

Based on Mandiant's guidance for defending against the expanding ShinyHunters vishing campaign:

  • Implement strict verification procedures for any phone-based requests for credentials or MFA codes
  • Train employees to recognize voice phishing tactics and establish callback verification procedures
  • Deploy phishing-resistant MFA (FIDO2/WebAuthn) where possible
  • Monitor SaaS platform access logs for anomalous authentication patterns
  • Establish clear escalation procedures for suspicious contact attempts

Source: Mandiant Blog

ICS/OT Security (Energy Sector)

In response to the Polish energy infrastructure attacks:

  • Audit network segmentation between corporate IT and operational technology environments
  • Review and restrict remote access to ICS/SCADA systems
  • Maintain offline backups of ICS device configurations
  • Implement monitoring for anomalous commands to industrial control systems
  • Coordinate with E-ISAC for sector-specific threat intelligence

AI Platform Security

Given abuse of Hugging Face and Ollama platforms:

  • Implement application allowlisting to prevent unauthorized AI tool installation
  • Monitor for connections to AI model hosting platforms from production environments
  • Review browser extension policies and audit installed extensions
  • Establish governance policies for AI tool usage in enterprise environments

5. Resilience & Continuity Planning

Lessons from Recent Incidents

Polish Energy Attack Implications

The Sandworm attack on Polish renewable energy infrastructure offers several lessons for resilience planning:

Key Observations:

  • Distributed Assets Increase Attack Surface: Renewable energy facilities often involve numerous geographically dispersed assets connected via communication networks, creating multiple potential entry points.
  • Destructive Intent: The bricking of ICS devices indicates adversary willingness to cause permanent damage rather than temporary disruption, requiring robust backup and recovery capabilities.
  • Coordinated Targeting: Simultaneous attacks on 30+ sites suggest sophisticated operational planning and the need for coordinated sector-wide defense.

Resilience Recommendations:

  • Maintain offline spare ICS components for critical systems
  • Develop manual operation procedures for essential functions
  • Establish communication protocols that don't depend on potentially compromised systems
  • Conduct tabletop exercises simulating coordinated attacks on distributed assets

Crisis Communication Best Practices

Security Magazine highlights that trust is lost in minutes during a crisis, emphasizing the importance of clear, human communication. Critical infrastructure organizations should:

  • Pre-position crisis communication templates and spokesperson training
  • Establish stakeholder notification procedures before incidents occur
  • Practice crisis communication as part of incident response exercises
  • Maintain relationships with sector regulators and information sharing partners

Source: Security Magazine

Supply Chain Security Developments

Software Security Policy Changes

The White House revocation of Biden-era software security memorandums creates uncertainty around federal software supply chain requirements. Organizations should:

  • Continue implementing software bill of materials (SBOM) capabilities regardless of regulatory requirements
  • Maintain vendor security assessment programs
  • Monitor for updated federal guidance on software security expectations
  • Consider industry frameworks (NIST SSDF, SLSA) as baseline standards

Shadow AI Risks

Research indicates roughly half of employees are using unsanctioned AI tools, with enterprise leaders among the major culprits. This creates supply chain and data security risks that organizations should address through:

  • Clear AI acceptable use policies
  • Approved AI tool catalogs with security vetting
  • Technical controls to detect unauthorized AI platform usage
  • Training on data handling risks associated with AI tools

Source: CSO Online

Cross-Sector Dependencies

This week's developments highlight several cross-sector dependencies:

  • Energy → All Sectors: Attacks on energy generation affect all sectors dependent on reliable power
  • IT → All Sectors: Ivanti EPMM vulnerabilities affect mobile device management across all sectors
  • Communications → Energy: Polish attacks targeted communication systems connecting distributed energy assets
  • Financial → All Sectors: Cryptocurrency flows enabling ransomware affect all sectors

Emergency Response Coordination

FEMA has deployed debris teams to Mississippi and Tennessee following recent severe weather, demonstrating ongoing federal support for infrastructure restoration. Critical infrastructure organizations should maintain current emergency contact information and coordination procedures with relevant federal, state, and local emergency management agencies.

Source: Homeland Security Today

6. Regulatory & Policy Developments

Federal Policy Changes

Software Security Memorandums Revoked

The White House has revoked two Biden-era memorandums establishing software security requirements for federal contractors, characterizing them as "burdensome." Key implications:

What Changed:

  • Memorandums requiring software security attestations from federal contractors have been rescinded
  • Some resources provided by the memorandums may still be available for voluntary use
  • Regulatory uncertainty for organizations that had begun compliance efforts

Recommended Approach:

  • Continue software security best practices regardless of regulatory requirements
  • Maintain SBOM capabilities as industry standard practice
  • Monitor for replacement guidance or alternative requirements
  • Document security practices for potential future compliance needs

Source: SecurityWeek

CISA Developments

  • Insider Threat Guidance: CISA has issued guidance urging critical infrastructure organizations to take action against insider threats, emphasizing the need for comprehensive insider threat programs.
  • RSA Conference Withdrawal: Reports indicate CISA has withdrawn from the RSA Conference, though implications for public-private engagement remain unclear.
  • CISA Authorization Concerns: Security Magazine analysis suggests stop-and-go authorizations undermine real-time threat sharing, raising questions about confidence for cyber threat reporters.

Source: Homeland Security Today, Security Magazine

Law Enforcement Actions

Piracy Infrastructure Takedowns

  • DOJ Domain Seizures: The Department of Justice seized three U.S.-registered domains distributing copyrighted content that received tens of millions of visits annually.
  • Operation Switch Off: International law enforcement dismantled major pirate TV streaming services, seizing three industrial-scale illegal IPTV operations.

While not directly related to critical infrastructure, these actions demonstrate continued law enforcement focus on disrupting criminal infrastructure.

Source: CyberScoop, Bleeping Computer

Malicious Network Disruption

Google has taken action to disrupt IPIDEA proxy infrastructure, removing millions of devices from a malicious network. While the effort impaired some infrastructure, not all was affected, underscoring the ongoing challenge of dismantling cybercriminal operations.

Source: CyberScoop

International Developments

NIS2 Supply Chain Considerations

European NIS2 directive implementation continues to emphasize supply chain as a risk factor. U.S. organizations with European operations or customers should monitor NIS2 compliance requirements and their potential impact on transatlantic business relationships.

Source: CSO Online

Intellectual Property Protection

The conviction of a former Google engineer for stealing AI trade secrets for a China-based startup reinforces the importance of insider threat programs and intellectual property protection measures, particularly for organizations involved in AI development or critical technology sectors.

Source: The Hacker News

7. Training & Resource Spotlight

New Tools and Frameworks

Vulnerability Management Innovation

Aisy Platform Launch: Aisy has emerged from stealth with $2.3 million in seed funding for an AI-assisted vulnerability management platform. Organizations struggling with vulnerability prioritization may benefit from evaluating emerging AI-powered solutions.

Source: SecurityWeek

Linux Security Development

Amutable: Startup Amutable is developing Linux security enhancements to counter hacking threats. Organizations with significant Linux infrastructure should monitor developments in this space.

Source: CSO Online

Human Risk Management

CSO Online highlights the evolution from traditional security awareness training to comprehensive human risk management approaches. Key considerations:

  • Move beyond compliance-focused training to behavior-change programs
  • Implement continuous assessment rather than annual training cycles
  • Tailor training to role-specific risks and threat scenarios
  • Measure security behavior changes rather than training completion rates

Source: CSO Online

Threat Intelligence Resources

Mandiant ShinyHunters Guidance

Mandiant has published detailed guidance for proactive defense against ShinyHunters-branded data theft targeting SaaS platforms. Security teams should review this resource for:

  • Indicators of compromise
  • Detection strategies
  • Defensive recommendations
  • Incident response considerations

Source: Mandiant Blog

Law Enforcement Insights

The Hacker News has published analysis on law enforcement approaches to cybercriminals, examining what brings threat actors to justice and their roles in the criminal ecosystem. This resource may be valuable for understanding adversary motivations and vulnerabilities.

Source: The Hacker News

Security Conference Guide

CSO Online has published an updated guide to top security conferences for 2026. Security professionals should review upcoming opportunities for training, networking, and threat intelligence sharing.

Source: CSO Online

Platform Security Guidance

Apple has updated its platform security guide, providing comprehensive documentation on security features across Apple devices. Organizations with Apple device deployments should review updated guidance for security configuration recommendations.

Source: SecurityWeek

8. Looking Ahead: Upcoming Events

Conferences and Training

DRONERESPONDERS National Public Safety UAS Conference

  • Dates: March 10-11, 2026
  • Focus: Public safety unmanned aerial systems operations and policy
  • Relevance: Critical infrastructure organizations using or considering UAS

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.