CISA Flags OT Risks After Polish Grid Hack

Cybercrime, Fraud Management & Cybercrime

Also: Spanish Hacker Granted Russian Asylum, Microsoft Patches Zero-Days


Every week, ISMG rounds up cybersecurity incidents and breaches around the world. This week, CISA warned energy operators after a cyberattack struck Poland’s power sector. Google recovered deleted Nest footage for police investigating the kidnapping of Nancy Guthrie. Germany flagged Signal phishing. Russia granted asylum to a Spanish hacker. Spain took Ministry of Science services offline. Researchers detailed Reynolds ransomware’s BYOVD evasion. The Conduent breach snagged Volvo Group North America. Microsoft patched six actively exploited zero-days. ZeroDayRAT targeted Android and iOS devices. SmarterTools owned up to a breach through its SmarterMail software. Fortinet fixed a critical SQL injection bug.


CISA Flags OT Security Gaps After Poland Grid Cyberattack

A stymied December 2025 cyberattack against the Polish electrical grid is a reminder for critical infrastructure operators to ensure network edge devices are secure, said the U.S. Cybersecurity and Infrastructure Security Agency in a Tuesday alert.

Russian intelligence agency hackers gained initial access “through vulnerable internet-facing edge devices,” the agency noted. Hackers subsequently deployed wiper malware and caused damage to remote terminal units (see: Russia Hacked the Polish Electricity Grid. Now What?).

Hackers targeted 30 wind and solar installations, a combined heat and power plant and a manufacturing facility, Poland’s Computer Emergency Response Team said in January, also publishing a technical breakdown of the attack.

CISA directed federal agencies to remove network appliances running past their vendor support cutoff date under a directive published Feb. 5 (see: CISA Directs Federal Agencies to Update Edge Devices).

The agency also warned that hackers used default credentials during the attack; leaving manufacturer-set credentials in place after device set-up is a common but risky cybersecurity failure. It also advised operators to deploy integrity verification tools to detect changes to firmware.

Google Recovers ‘Deleted’ Nest Data in Guthrie Kidnapping Case

Another reminder that deleted data rarely disappears from systems immediately – it’s often still there, just waiting to be overwritten by new data. That appears to be the case with images transmitted by the Google Nest outdoor security camera owned by Nancy Guthrie, the kidnapped mother of television host Savannah Guthrie. The FBI Tuesday published images of an armed individual appearing to tamper with the camera at Guthrie’s front door the morning of her Feb. 1 disappearance.

“The video was recovered from residual data located in backend systems,” said FBI Director Kash Patel. Local authorities initially said the camera couldn’t supply images because Guthrie didn’t pay Google a subscription for storing video. But, even without a subscription, the Nest camera uploads a limited amount of data to the cloud, keeping video clips from the latest models for up to six hours, reported The Verge.

Engineers at Google were able to comb through cloud servers and recover transmitted data after several days, reported CNN. Google’s cloud likely processed video from the camera many times over as it passed through different systems for compressing data or rendering it into a certain format – each layer offering the potential for recovering unsaved data, a former FBI agent told the network.

Sophisticated Signal Phishing Targets High-Profile Users

German authorities warned that likely state-sponsored hackers are phishing “high-ranking targets in politics, the military and diplomacy, as well as investigative journalists in Germany and Europe” through the Signal messaging app.

A joint Friday alert from Germany’s Federal Office for the Protection of the Constitution and the Federal Office for Information Security says the campaign does not rely on software vulnerabilities or malware, but on social engineering and misuse of legitimate app features.

According to authorities, attackers pose as official support channels. Two primary methods have been observed. In one, attackers impersonate “Signal support” and prompt victims with fake security warnings, cajoling them into disclosing Signal PINs or SMS verification codes. With these credentials, adversaries can re-register the account on devices under their control, gaining access to ongoing conversations and contacts.

A second variant abuses the app’s device-linking function. Under a plausible pretext, victims are persuaded to scan a QR code, thereby adding an attacker-controlled device to their Signal account. This method allows continuous access to recent messages and contact data without triggering obvious system alerts.

Signal’s widespread adoption by individuals whose communications can be sensitive is a spur for hackers to find ways to breach its security. Russian intelligence hackers have used these social engineering attacks in the past to target Signal users in Ukraine (see: Ukrainian Signal Users Fall to Russian Social Engineering).

Russia Grants Asylum to Spanish Professor Wanted for Pro-Moscow Cyber Activities

Russia granted political asylum to a Spanish IT specialist and former professor wanted in Spain on accusations of cyberattacks and espionage in favor of Moscow, El Mundo reported.

Spanish national Enrique Arias Gil, 37, told Russian state news agency Tass that he applied for asylum in February 2025 and now holds political refugee status while pursuing Russian citizenship.

Spanish authorities have accused him of conducting cyberattacks “on behalf of Russia” and maintaining ties to NoName057(16) – a pro-Russian hacktivist group that emerged in March 2022 and specializes in DDoS attacks against NATO, EU and Ukrainian targets (see: Breach Roundup: UK NCSC Issues Hacktivist Warning).

One tell that Arias Gil’s sympathies might lie more with the Kremlin than Madrid: he selected “Desinformador Ruso,” which translates to “Russian disinformation agent,” as his online handle. Arias Gil arrived in Russia in August 2024 on a scholarship from a Russian cultural foundation. The Spanish National Court has issued an international arrest warrant, and Europol lists him among its most wanted.

Prosecutors also allege he threatened journalists and business leaders who supported Ukraine. Charges include computer damage for terrorist purposes, membership in a criminal organization and glorifying terrorism.

Spain’s Ministry of Science Takes Online Services Offline After Cyber Incident

Spain’s Ministry of Science, Innovation and Universities partially shut down electronic services after a technical incident, suspending online administrative procedures while the issue is assessed, the ministry said.

A threat actor using the handle “GordonFreeman” claimed responsibility, posting samples of purported data. The threat actor asserts the data includes identification documents, academic credentials, enrollment files and financial information.

The disruption affected administrative platforms used by students, universities and research institutions. The ministry said deadlines tied to ongoing procedures would be extended while systems remain offline. It has not disclosed technical specifics or confirmed whether data was accessed.

Ransomware With BYOVD Built in Raises Alarms for Defenders

A ransomware strain initially linked to Black Basta has been identified as a separate and emerging family known as Reynolds, incorporating defense-evasion capabilities directly into its payload.

The malware uses the bring-your-own-vulnerable-driver technique within its binary, analysis by Security.com found. In typical BYOVD attacks, adversaries drop a digitally signed vulnerable driver to escalate privileges and terminate antivirus or endpoint detection processes before launching encryption. In this case, attackers use an NSecSoft NSecKrnl Windows kernel driver with a known vulnerability tracked as CVE-2025-68947.

By eliminating the need to drop a separate tool, the malware reduces opportunities for detection because no standalone staging artifact appears on the network.

The findings align with earlier open-source reporting from threat tracker Hackmanac, which in November 2025 flagged a ransomware group using the Reynolds name. Hackmanac observed the use of the .locked extension and a ransom note titled “RestoreYourFiles.txt.”

Volvo Notifies 17,000 in Conduent Breach

Semi-truck and construction earth-mover manufacturer Volvo Group North America is notifying approximately 17,000 employees and affiliated individuals that their personal data was exposed due to a prolonged breach at third-party service provider Conduent Business Services. The notification letters, distributed on behalf of Volvo by Conduent, follow discovery of unauthorized access to Conduent’s network that persisted from Oct. 21, 2024, through Jan. 13, 2025 (see: Conduent Hack Victim Count Soars by at Least 50%).

The breach affected files tied to current or former health-plan administration, with compromised data including names and other personal information contained in those records. Volvo told regulators it learned of its workforce’s exposure in late January 2026, more than a year after Conduent first detected the incident.

6 Zero-Days Fixed in Microsoft’s February Patch Tuesday

Microsoft’s latest monthly dump of patches fixed roughly 60 vulnerabilities, including six zero-day flaws under active exploitation. The U.S. Cybersecurity and Infrastructure Security Agency added the six flaws to its Known Exploited Vulnerabilities Catalog.

The exploited vulnerabilities include CVE-2026-21510, a Windows Shell security feature bypass that can suppress SmartScreen and other warning prompts, and CVE-2026-21513, a similar bypass flaw in the MSHTML framework. CVE-2026-21514 affects Microsoft Word and enables attackers to evade built-in protections through crafted documents. All three vulnerabilities were publicly disclosed before patches were issued, increasing exposure risk.

Two elevation-of-privilege bugs – CVE-2026-21519 in Desktop Window Manager and CVE-2026-21533 in Windows Remote Desktop Services – allow attackers with local access to escalate privileges to system level. Security researchers said exploitation of CVE-2026-21533 involves modifying service configuration settings to create an administrator-level account. Microsoft also addressed CVE-2026-21525, a denial-of-service vulnerability in the Windows Remote Access Connection Manager.

Beyond the zero-days, the release includes fixes for elevation-of-privilege, remote code execution, spoofing and information disclosure flaws across Windows components.

New Cross-Platform Spyware Surfaces on Telegram

Security researchers identified a new spyware platform, ZeroDayRAT, that targets Android and iOS devices. Threat research company iVerify first observed the tool being sold on Telegram on Feb. 2 and reported that sellers impose no clear access restrictions.

ZeroDayRAT provides operators with persistent access to infected devices through a web control panel. The interface aggregates device details, including operating system version, carrier information and recent activity, allowing operators to monitor compromised devices remotely.

Attackers must persuade targets to install a malicious application. Researchers say distribution likely relies on social engineering techniques such as smishing, malicious links and third-party app stores. The spyware does not exploit a zero-click vulnerability; it requires user interaction.

Once installed, the malware collects device data, captures user inputs and retrieves messages and location information. It can also access device sensors and enumerate accounts registered on the device. Researchers report that the framework includes modules designed to interact with financial applications and cryptocurrency wallets.

Researchers describe ZeroDayRAT as part of a growing market for commercially available mobile surveillance tools that lower the technical barrier for deployment.

Warlock Gang Exploits SmarterMail Flaw to Breach SmarterTools

Software company SmarterTools confirmed a network breach that occurred on Jan. 29, after attackers exploited unpatched vulnerabilities in its SmarterMail email server software. The incident was traced to a forgotten virtual machine running SmarterMail that had not received recent security updates.

SmarterTools said hackers compromised a SmarterMail instance, leading to lateral movement. Due to network segmentation, core customer-facing services such as the SmarterTools website, shopping cart, account portal and business applications were not affected, and no account data was compromised.

The breach exploited critical authentication bypass and remote code execution flaws in SmarterMail, tracked as CVE-2026-23760 and CVE-2026-24423.

Researchers linked active exploitation of CVE-2026-23760 to the Warlock ransomware-as-a-service group, which emerged in mid-2025. Also tracked as Storm-2603, the group has been scanning for exposed, unpatched SmarterMail servers, using authentication bypass to gain initial access and then deploying legitimate remote management tools to establish persistence and move laterally before staging ransomware.

Fortinet Patches Critical SQLi Flaw in FortiClient EMS

Fortinet published patches for a critical SQL injection vulnerability in its FortiClient Endpoint Management Server. The flaw carries a CVSS score of 9.1 out of 10.

Tracked as CVE-2026-21643, the vulnerability affects the EMS administrative interface and allows an unauthenticated remote attacker to send crafted HTTP requests that inject malicious SQL. Successful exploitation could lead to unauthorized code execution on the underlying system.


With reporting from Information Security Media Group’s Poulami Kundu in Bengaluru and David Perera in Northern Virginia.