Showing posts with label Critical Infrastructure Security.

Sandworm-Associated DynoWiper Malware Targets Polish Power Infrastructure


A cyber intrusion targeting Poland's energy infrastructure in late 2025 has been described by security experts as one of the largest cyberattacks the country has faced in many years. It underscores the growing exposure of critical national systems amid rising geopolitical tensions.

ESET, a cybersecurity company, has uncovered new data indicating that the operation was carried out by Sandworm, an advanced persistent threat group closely aligned with Russia that has been associated with disrupting energy and industrial networks for decades.

ESET researchers found that a deeper analysis of the malware used in the incident revealed operational patterns and code similarities consistent with Sandworm's past campaigns, indicating that the attack follows the group's established playbook for destructive cyber activity.

According to the researchers, the attackers attempted to deploy a malware strain named DynoWiper, designed to irreversibly destroy files and cripple affected systems, a strategy that could have caused widespread disruption across Poland's electricity industry had it succeeded.

At the time of publication, the Russian Embassy in Washington had not responded to requests for comment. According to cyber experts, Sandworm, also tracked as UAC-0113, APT44, or Seashell Blizzard in the cybersecurity community, has been active for more than a decade and is widely regarded as a state-sponsored hacking group, most likely attached to Russian military intelligence.

Security researchers have tied the group to Unit 74455 of Russia's Main Intelligence Directorate (GRU), and it has repeatedly been accused of high-impact cyber operations intended to disrupt and degrade critical infrastructure systems.

Throughout its history, Sandworm has been credited with some of the most significant cyber incidents against energy networks, most notably a devastating attack on Ukraine's power grid nearly a decade ago, which used data-wiping malware and left around 230,000 people without power for a period of nearly 10 days.

That episode remains a prototypical example of the group's capabilities and intentions, and it continues to shape assessments of the group's role in more recent attempts to undermine energy systems beyond Ukraine's borders.

In a recent report, ESET assessed that the operation bore the hallmarks of Sandworm, a threat actor widely linked to Russia's military and intelligence apparatus.

Investigators identified a previously undocumented data-wiping malware, dubbed DynoWiper and detected as Win32/KillFiles.NMO, and attributed it to the group. The campaign resembled earlier Sandworm wiper campaigns in both technical and operational respects, especially those observed after Russia's invasion of Ukraine in February 2022.

In a statement published on December 29, 2025, ESET said the malware had been detected during an attempt to disrupt Poland's energy sector, but that there were no indications the attackers had succeeded in causing outages or permanently damaging the energy sector.

In an email sent on December 29, the Polish authorities confirmed that activity had been observed at two combined heat and power plants and in a system used to manage the generation of electricity from renewable sources such as wind and solar power.

In a public statement, Prime Minister Donald Tusk said the attacks were directed by groups "directly linked to Russian services," and pointed to the government's plans to strengthen national defenses through additional safeguards and cybersecurity legislation that will impose more stringent requirements on risk management, information technology and operational technology security, and incident preparedness. Tusk said this legislation is expected to be implemented very soon.

The timing of the incident also drew analysts' attention, as it coincided with the tenth anniversary of Sandworm's historic attack on Ukraine's power grid in 2015. That attack, which deployed the BlackEnergy and KillDisk malware, caused hours-long blackouts for thousands of people and is cited as part of a years-long pattern of disruption campaigns against critical infrastructure.

ESET noted that the attempted intrusion coincided with the tenth anniversary of Sandworm's devastating 2015 attack on Ukraine's power grid, though it provided only limited technical information beyond identifying the malware involved.

Researchers note that the use of a custom-built wiper fits a broader pattern in Russian cyber operations, in which data-destroying malware has served as a strategic tool. The use of wipers in attacks linked to Moscow has increased significantly since 2022.

Examples include the AcidRain wiper, used to disable roughly 270,000 satellite modems in Ukraine in an effort to disrupt the country's communications, and a number of campaigns against universities, critical infrastructure, and similar targets attributed to Sandworm. The same applies to the NotPetya outbreak of 2017, a destructive worm initially aimed at Ukrainian targets that quickly spread worldwide, caused an estimated $10 billion in damage, and secured its place as one of the highest-profile case studies in the history of cybercrime.

It is not yet clear why DynoWiper failed to trigger power outages in Poland; investigators have left open the possibility that the operation was deliberately calibrated to avoid escalation, or that strong defenses within the country's energy grid stopped it.

In the aftermath of the incident, governments and critical infrastructure operators across Europe have been reminded once again that energy systems remain an attractive target for state-sanctioned cyber operations, even when those attacks do not result in immediate disruption.

Security analysts note that the attempt to deploy DynoWiper reflects a continued reliance on destructive malware as a strategic tool, and they stress the importance of investing in cyber resilience, real-time monitoring, and coordinated incident response across both information technology and operational technology.

Although Polish officials are using the episode as a springboard to strengthen their defenses, experts point out that similar threats are unlikely to respect borders, since geopolitical tensions show no sign of easing.

While the failure of the attack may offer some reassurance for now, it also underlines a larger reality: adversaries continue to probe energy networks for weaknesses, and preparedness and cooperation will be crucial to avoiding future disruptions and to detecting and neutralizing malware before it becomes a major problem.

Hypervisor Ransomware Attacks Surge as Threat Actors Shift Focus to Virtual Infrastructure


Hypervisors have emerged as a critically important, yet poorly secured, component of modern infrastructure, and attackers have recognized this and are using it to expand the reach of their ransomware attacks. The security community has observed a shift in attack patterns: rather than fighting through heavily fortified endpoints, attackers go after the hypervisor, the layer from which hundreds of machines can be controlled at once. In other words, a compromised hypervisor acts as a force multiplier in a ransomware attack.

Threat-hunting data from Huntress shows how quickly this trend is gaining pace. In early 2025, hypervisors were involved in only a few percent of ransomware attacks; by late in the year that share had risen substantially, with hypervisor-level encryption now accounting for roughly a quarter of such attacks. This is largely because the Akira ransomware group is specifically exploiting vulnerabilities in virtualized infrastructure.

Hypervisors give attackers an opening because they typically sit outside the view of traditional security software. Bare-metal hypervisors are of particular interest because endpoint security agents cannot be installed on them. Once attackers gain root access, they can encrypt the virtual machines' disk files, and they can use the platform's built-in functions to carry out the encryption without necessarily deploying a ransomware binary at all.

Security software is then unable to detect the attack. These intrusions often begin with weaknesses in credentials and network segmentation: when hypervisor management interfaces are reachable from the wider internal network, attackers who gain a foothold can move laterally and take control of the virtualization layer. Huntress has also observed native management tools being misused to adjust virtual machine settings, degrade defenses, and prepare the environment for a mass ransomware deployment.

The growing interest in hypervisors underlines that this layer must receive the same security attention as servers and endpoints. That means tightened access controls and proper segmentation of management networks, along with current, well-maintained patching of this infrastructure, since known vulnerabilities have repeatedly been exploited to gain full administrative control and rapidly encrypt virtualized environments. Alongside comprehensive prevention, recovery planning is essential.
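A defender-side check for the pattern just described, added here as an illustration rather than Huntress' code or any vendor's tooling: it flags a hypervisor management session that comes from outside an assumed management subnet, disables host protections, and powers off many VMs in a short window. The log format, the subnet and every entry are constructed for the example.

```python
"""Flag hypervisor-ransomware staging in management audit logs.

Added illustration only; not Huntress' code and not tied to any
particular hypervisor product.  The log format below is constructed for
this example: '<ISO time> <user> <source IP> <action> <target>'.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MGMT_NET = ip_network("10.10.0.0/24")  # assumed management subnet
WINDOW = timedelta(minutes=10)         # burst window for power-offs
POWEROFF_THRESHOLD = 5                 # VMs powered off within WINDOW

# Constructed sample: a normal admin session, then a root session from a
# user subnet that disables host protections and powers off VMs in bulk.
SAMPLE_LOG = """\
2025-11-02T01:12:03 root 10.10.0.5 login host-a
2025-11-02T01:13:10 root 10.10.0.5 vm.poweroff db01
2025-11-02T02:40:01 root 192.168.50.23 login host-a
2025-11-02T02:40:20 root 192.168.50.23 host.lockdown.disable host-a
2025-11-02T02:40:35 root 192.168.50.23 host.ssh.enable host-a
2025-11-02T02:41:00 root 192.168.50.23 vm.poweroff fs01
2025-11-02T02:41:02 root 192.168.50.23 vm.poweroff fs02
2025-11-02T02:41:04 root 192.168.50.23 vm.poweroff ad01
2025-11-02T02:41:06 root 192.168.50.23 vm.poweroff erp01
2025-11-02T02:41:08 root 192.168.50.23 vm.poweroff mail01
2025-11-02T02:41:30 root 192.168.50.23 vm.reconfigure fs01
"""

def parse_line(line):
    ts, user, src, action, target = line.split()
    return datetime.fromisoformat(ts), user, ip_address(src), action, target

def detect(log_text):
    """Return [(user, source_ip, [reasons])] for suspicious admin sessions."""
    sessions = defaultdict(list)  # (user, src) -> [(ts, action, target)]
    for line in log_text.splitlines():
        if line.strip():
            ts, user, src, action, target = parse_line(line)
            sessions[(user, src)].append((ts, action, target))

    alerts = []
    for (user, src), events in sessions.items():
        reasons = []
        if src not in MGMT_NET:
            reasons.append(f"admin access from outside management network ({src})")
        # Bulk power-off inside WINDOW is the usual prelude to host-level encryption
        offs = sorted(t for t, a, _ in events if a == "vm.poweroff")
        for i, start in enumerate(offs):
            if sum(1 for t in offs[i:] if t - start <= WINDOW) >= POWEROFF_THRESHOLD:
                reasons.append(f"{POWEROFF_THRESHOLD}+ VMs powered off within {WINDOW}")
                break
        weakened = sorted({a for _, a, _ in events if a.startswith("host.")})
        if weakened:
            reasons.append("host protections changed: " + ", ".join(weakened))
        if reasons:
            alerts.append((user, str(src), reasons))
    return alerts

if __name__ == "__main__":
    for user, src, reasons in detect(SAMPLE_LOG):
        print(f"ALERT {user}@{src}: " + "; ".join(reasons))
```

In a real deployment the same three signals would be raised from the hypervisor's own audit log or its syslog forwarder; the thresholds here are placeholders to tune per environment.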

Hypervisor-based ransomware is aimed at environments that could well be taken down entirely, hence the need for reliable backups, ideally immutable ones. This is especially true for organizations that have no recovery plan in place. As ransomware threats evolve and become more sophisticated, the hypervisor has become a focal point on the battlefield of business security.

Leaving the hypervisor layer unprotected hands attackers exactly what they have always wanted: control of an organization's entire operation with a single click.

Collins Aerospace Deals with Mounting Aftermath of Hack


One of the most disruptive cyber incidents to have hit Europe's aviation sector in recent years was a crippling ransomware attack that occurred on September 19, 2025, causing widespread chaos throughout the continent's airports.  

The disruption was not caused by adverse weather, labour unrest or mechanical failure but by a digital breakdown at the heart of the industry's technological core. The Collins Aerospace MUSE platform, which is used for passenger check-ins and baggage operations at major airport hubs including Heathrow, Brussels, Berlin, and Dublin, unexpectedly went down, leading airports to revert to paper-based, manual procedures. 

There was confusion in the terminals as gate agents resorted to handwritten manifests and improvised coordination to handle the surge, while thousands of passengers stranded in transit faced flight cancellations and delays. Flight safety systems remained unaffected, and a suspect (a British national) was apprehended within a few days of the attack, but the incident exposed an increasingly alarming vulnerability in aviation's growing reliance on interconnected digital infrastructure.

The ripple effect showed how a single breach can send shockwaves far beyond aviation, through the entire ecosystem of insurers, logistics companies, and national transport networks intertwined with the digital backbone of air travel.

In the aftermath of the Collins Aerospace cyberattack, the crisis deepened on Sunday when a group linked to Russian intelligence and known as the Everest Group claimed to hold sensitive passenger information allegedly stolen from Dublin Airport. The group, which operates on the dark web, announced that it had acquired 1.5 million passenger records and threatened to release the data unless a ransom was paid by Saturday evening.

Everest, which claimed credit on October 17 for breaching systems connected to Collins Aerospace's MUSE software, reportedly says the intrusion took place between September 10 and 11, using credentials obtained from an insecure FTP server to infiltrate the company's infrastructure.

On September 19, Collins Aerospace shut down the affected servers, which, by the criminals' own account, cut off their access. The shutdown coincided with widespread operational outages at major European airports including Heathrow, Berlin Brandenburg, Brussels, and Dublin.

A spokesperson for the Dublin Airport Authority (DAA) confirmed that a probe has been opened in response to mounting concerns about the incident, in coordination with regulators and affected airlines. So far no evidence has been found of a direct attack on DAA's internal systems; the exposed dataset appears to consist primarily of boarding details for flights departing Dublin Airport in August.

Meanwhile, ENISA, the European Union Agency for Cybersecurity, categorised the Collins Aerospace hack as a ransomware attack, underlining the escalating sophistication and reach of cybercriminals targeting critical aviation infrastructure around the world.

Although challenges persisted in the days after the cyberattack, signs of gradual recovery did emerge. While flight schedules at London's Heathrow airport and Berlin Brandenburg airport had begun to stabilize on Sunday, Brussels Airport continued to experience significant disruption. In a statement issued on Monday, Brussels Airport said it had asked airlines to cancel about half of the 276 departures scheduled for that day because Collins Aerospace's new, secured check-in software was still not available, as it had not been for the previous few days.

With manual check-in procedures still in place, the airport warned that cancellations and delays were likely to continue until full digital functionality had been restored. Despite the disruption, the airport reported that roughly 85% of weekend flights operated, helped by additional staff from airline partners and by the online check-in and self-service baggage systems remaining operational.

The airport's spokesperson Ihsane Chioua Lekhli explained that the cyberattack affected only the computer systems used at staffed counters, and that backup processes and even laptops were used as workarounds to minimize inconvenience to passengers.

RTX Corporation, the parent company of Collins Aerospace, declined to comment further beyond a statement issued on Saturday in which it acknowledged the disruption and said it was working to restore its services fully as soon as possible. According to the company, the impact is limited to electronic check-in and baggage drop and can be mitigated through manual operations.

Over the weekend, Heathrow and Brandenburg airports both encouraged passengers to check their flight status before travelling to the airport and to use online or self-service options to reduce queues. In its latest communication, Heathrow Airport said it was working with airlines "to recover from Friday's outage," stressing that despite the delays, a majority of scheduled flights operated throughout the weekend.

The Collins Aerospace incident has prompted a broader discussion about the fragility of digital supply chains and the growing risk that comes with vendor dependency. Ransomware and data extortion groups are increasingly exploiting third-party vulnerabilities, so that what might once have been an isolated cyber event becomes a systemic outage.

Industry analysts say the true differentiator in such crises is preparedness, visibility, and speed of response, together with the ability to anticipate problems before they arise. According to Resilience's cybersecurity portfolio data, only 42% of ransomware attacks in 2025 resulted in incurred claims, a significant decrease from 60% in 2024.

According to experts, this improvement is largely due to the adoption of robust backup protocols, periodic testing, and well-defined business continuity frameworks. Broader industry figures, however, paint a more worrying picture. Approximately 46% of organizations affected by ransomware opted to pay to retrieve their data, according to Sophos' State of Ransomware report, whereas in the Resilience dataset the share of affected organizations that paid ransoms fell from 22% in 2024 to just 14% in 2025.

This contrast shows that companies with tested recovery capabilities are less likely to give in to extortion demands because they have viable options for recovering their data. A new approach to cybersecurity has emerged, one based on early detection, real-time threat intelligence, and preemptive mitigation. When Eye Security uncovered a critical vulnerability in Microsoft SharePoint in July 2025, it issued targeted alerts in response; this proactive approach enabled it to scan its client ecosystem, warn its clients, and contain active exploitation attempts before significant damage could occur.

According to experts, the Collins Aerospace breach is a lesson in what happens when a critical vendor fails in an interconnected network. The outage that crippled airports across Europe was more than an aviation crisis; it was an alarming reminder of the concentration risk that cloud-based and shared operating technologies carry across industries.

Organizations increasingly rely on specialized vendors to run essential systems, so the question is not whether a major outage will happen again, but whether businesses have the resilience infrastructure to stay operational when it does. The Collins Aerospace incident makes clear that cybersecurity is no longer a separate IT concern but a core component of operational continuity.

The incident stands as a defining moment in the evolving story of digital resilience. In an era when a single vendor outage can disrupt global infrastructure, the emphasis must shift to building layered defense ecosystems that combine predictive intelligence, rigorous vendor vetting, and a real-time crisis response framework.

In the end, the lesson is clear: resilience is not built when disruption happens but in anticipation of it, ensuring that when the next digital storm hits, we are prepared, not panicked.