When Nation-States and Cybercriminals Hit Critical Infrastructure: This Week's Wake-Up Calls

I’ve been tracking several concerning developments this week that really highlight how our threat environment keeps evolving. From insider threats at tech giants to sophisticated vishing campaigns and critical infrastructure attacks, there’s a lot to unpack here.

The Google AI Theft Case: When Insiders Go Rogue

The conviction of Linwei Ding, the former Google engineer who stole trade secrets covering Google’s AI supercomputing infrastructure while secretly working with China-based tech firms, is a stark reminder that some of our most damaging threats come from within. (Source: U.S. convicts ex-Google engineer for sending AI tech data to China)

What makes this case particularly troubling isn’t just the theft itself but its strategic nature. AI supercomputer technology is the kind of intellectual property that confers national competitive advantage, which is exactly what makes a trusted engineer with legitimate access so valuable to a foreign collector. This conviction should serve as a wake-up call for organizations handling sensitive technology: your data loss prevention controls and insider threat program need to be as mature as your external defenses, and they need to cover the channels an insider actually uses, such as copying to personal cloud accounts or exporting through approved tooling.

I’ve seen too many companies focus heavily on keeping attackers out while giving trusted employees broad access to crown jewel data. The reality is that motivated insiders with legitimate access can be incredibly difficult to detect and stop.

ShinyHunters Evolves: When Social Engineering Meets Technical Sophistication

Speaking of evolving threats, Mandiant’s latest research on ShinyHunters-style attacks shows how these financially motivated groups keep raising their game. (Source: Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms)

The combination of voice phishing (vishing) with credential harvesting sites built to mimic a specific target company is particularly effective. These aren’t spray-and-pray phishing campaigns. The attackers do their homework, stand up convincing replicas of the company’s SaaS login pages, and then call the employee, posing as IT, to walk them through “verifying” their account. The victim types their password and one-time code into the fake page, and the attacker uses them against the real SaaS platform before the code expires. The MFA isn’t broken; it is simply relayed.

This is exactly why we need to move beyond telling users “don’t click suspicious links.” When attackers build company-specific phishing sites and add a live phone call for legitimacy, awareness training alone falls short. Two controls actually break this attack. First, phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys: the credential is bound to the legitimate site’s origin, so a look-alike domain cannot obtain an assertion the real service will accept, and there is no one-time code for the victim to read out. Second, out-of-band verification for any request involving credentials, MFA resets or sensitive access: hang up and call back on a number from the directory, never the one the caller gives you.
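To make the origin-binding point concrete, here is an added example (my code, not Mandiant’s research and not from the original post) implementing the relying-party-side checks from the WebAuthn authentication ceremony that tie a login to the site the browser was actually on: the `origin` the browser records in clientDataJSON and the `rpIdHash` the authenticator writes into authenticatorData. It omits the signature verification over authenticatorData || SHA-256(clientDataJSON), which needs a crypto library and is what stops an attacker from rewriting these fields; the point shown is that the values an adversary-in-the-middle can obtain are rejected even before that step. The hostnames and challenges are constructed.

```python
"""Relying-party checks that make FIDO2/WebAuthn resistant to a relayed login.

Added example, not code from the original post or from Mandiant. Signature
verification is intentionally omitted (see the lead-in); all hostnames and
challenge bytes below are constructed for illustration.
"""
import base64
import hashlib
import json

RP_ID = "example.com"                       # constructed relying-party ID
RP_ORIGIN = "https://login.example.com"     # constructed legitimate origin
PHISH_ORIGIN = "https://login-example.com"  # constructed look-alike domain


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def client_data_json(challenge: str, origin: str) -> bytes:
    """What the victim's browser writes into clientDataJSON. The browser, not the
    web page, fills in `origin`, so a proxying phishing site cannot claim the real one."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin, "crossOrigin": False}
    ).encode("utf-8")


def authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Minimal authenticatorData: rpIdHash (32 bytes) || flags (1) || signCount (4).
    Flags 0x05 = user present + user verified."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([0x05]) + sign_count.to_bytes(4, "big")


def verify_assertion(cdj: bytes, auth_data: bytes, expected_challenge: str,
                     expected_origin: str, rp_id: str) -> tuple[bool, str]:
    """Type, challenge, origin, rpIdHash and user-presence checks from the WebAuthn
    authentication ceremony. Returns (accepted, reason)."""
    cd = json.loads(cdj)
    if cd.get("type") != "webauthn.get":
        return False, "type mismatch"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: browser reported {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode("utf-8")).digest():
        return False, "rpIdHash mismatch: credential not scoped to this RP"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Three logins against the same RP: genuine, relayed via the look-alike, replayed."""
    challenge = b64url(bytes(range(32)))  # constructed; a real RP uses os.urandom(32)

    genuine = verify_assertion(
        client_data_json(challenge, RP_ORIGIN), authenticator_data(RP_ID),
        challenge, RP_ORIGIN, RP_ID)

    # Victim is on the phishing page. The browser records the origin it is really on
    # and only lets a page request credentials scoped to its own domain, so anything
    # the attacker relays carries the wrong origin and the wrong rpIdHash.
    proxied = verify_assertion(
        client_data_json(challenge, PHISH_ORIGIN), authenticator_data("login-example.com"),
        challenge, RP_ORIGIN, RP_ID)

    # A captured assertion replayed later: right origin, but the RP issued a new challenge.
    new_challenge = b64url(bytes(range(32, 64)))
    replayed = verify_assertion(
        client_data_json(challenge, RP_ORIGIN), authenticator_data(RP_ID),
        new_challenge, RP_ORIGIN, RP_ID)

    return {"genuine": genuine, "proxied": proxied, "replayed": replayed}


if __name__ == "__main__":
    for name, (accepted, reason) in run_scenarios().items():
        print(f"{name:8s} -> {'ACCEPT' if accepted else 'REJECT'}: {reason}")
```

Contrast this with a TOTP code: nothing in a six-digit code says which site it was typed into, so the relay in the Mandiant report works. Here the relayed assertion fails on the origin before the server even reaches the signature check.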

Critical Infrastructure Under Fire: The Poland Power Grid Attack

The Russia-linked attack on Poland’s power grid represents a significant escalation in critical infrastructure targeting. (Source: ICS Devices Bricked Following Russia-Linked Intrusion Into Polish Power Grid)

What’s particularly concerning here is that the Sandworm/Electrum operators didn’t just gain access; they bricked industrial control system devices across roughly 30 sites. That is not reconnaissance or pre-positioning, and it isn’t the kind of disruption you recover from by restarting a process. When an attacker is willing and able to render the hardware itself inoperable, we’re looking at a new level of aggression.

For those of us working with or around industrial systems, this attack underscores the importance of network segmentation between IT and OT, tightly controlled remote access into the control network, and recovery procedures written for destroyed equipment rather than just corrupted data: spare devices on hand, verified firmware and configuration backups stored offline, and a tested procedure for reloading them. The fact that devices were permanently damaged means that even perfect detection and response would not have prevented significant operational impact once the attacker reached the devices.

The Patch Management Reality Check

The critical vulnerabilities disclosed in SmarterMail and Ivanti EPMM this week remind us why patch management remains one of our most important, and most challenging, responsibilities. (Source: SmarterMail Fixes Critical Unauthenticated RCE Flaw with CVSS 9.3 Score)

The SmarterMail vulnerability (CVE-2026-24423), rated CVSS 9.3, allows unauthenticated remote code execution. For a mail server that is by design reachable from the internet, that is about as bad as it gets from an attacker’s perspective and as urgent as it gets from ours.

Even more concerning are the two Ivanti EPMM zero-day RCE flaws that were actively exploited before patches became available. (Source: Two Ivanti EPMM Zero-Day RCE Flaws Actively Exploited, Security Updates Released) The fact that one of them (CVE-2026-1281) made it onto CISA’s Known Exploited Vulnerabilities catalog confirms that attackers are already using it in the wild. That changes the job: because exploitation predates the fix, applying the update is necessary but not sufficient. Any exposed EPMM instance should be treated as potentially compromised and reviewed for signs of intrusion, using the indicators the vendor and CISA publish, before it is declared clean.
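Getting a KEV listing to change priorities in practice means wiring the catalog into triage rather than reading about it in the news. The added example below is my code, not something from the original post, CISA or either vendor: it joins a constructed asset inventory against an excerpt shaped like CISA’s published KEV JSON feed (the real feed is at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and orders the work by KEV status, known ransomware use and due date. Only the fields the script reads are included, the dateAdded and dueDate values are placeholders rather than the catalog’s real entries, and the hostnames are constructed.

```python
"""Triage an asset inventory against a CISA KEV-shaped feed.

Added example, not code from the original post, CISA or the vendors named in it.
The feed excerpt and inventory are constructed; dates are placeholders.
"""
import json
from datetime import date, datetime

# Constructed excerpt in the shape of the real KEV JSON feed (fields trimmed to what
# is read below). CVE-2026-1281 is named in the post as KEV-listed; dates are placeholders.
KEV_FEED_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-1281",
            "vendorProject": "Ivanti",
            "product": "Endpoint Manager Mobile (EPMM)",
            "dateAdded": "2026-01-29",
            "dueDate": "2026-01-30",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory: (hostname, CVE the host is still unpatched for).
INVENTORY = [
    ("mdm-01.corp.example", "CVE-2026-1281"),
    ("mdm-02.corp.example", "CVE-2026-1281"),
    ("mail-01.corp.example", "CVE-2026-24423"),  # SmarterMail; not in the sample feed
]


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the feed's vulnerabilities array by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(inventory: list[tuple[str, str]], kev: dict[str, dict], today: date) -> list[dict]:
    """One row per CVE with its affected hosts, most urgent first: KEV-listed before
    unlisted, ransomware-linked before not, then soonest (or most overdue) due date."""
    rows: dict[str, dict] = {}
    for host, cve in inventory:
        row = rows.setdefault(cve, {"cve": cve, "hosts": [], "in_kev": False,
                                    "ransomware": False, "due": None, "days_left": None})
        row["hosts"].append(host)
    for cve, row in rows.items():
        entry = kev.get(cve)
        if entry is None:
            continue  # not in KEV: still a critical CVSS, just not confirmed exploited
        row["in_kev"] = True
        row["ransomware"] = entry.get("knownRansomwareCampaignUse") == "Known"
        row["product"] = f'{entry["vendorProject"]} {entry["product"]}'
        row["due"] = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
        row["days_left"] = (row["due"] - today).days  # negative means overdue

    def urgency(r: dict) -> tuple:
        return (not r["in_kev"], not r["ransomware"],
                r["days_left"] if r["days_left"] is not None else 10**6)

    return sorted(rows.values(), key=urgency)


def report(rows: list[dict]) -> list[str]:
    """Human-readable lines; KEV rows also say whether the due date has passed."""
    lines = []
    for r in rows:
        tag = "KEV" if r["in_kev"] else "   "
        due = "" if r["due"] is None else (
            f" due {r['due']} ({'OVERDUE by ' + str(-r['days_left']) if r['days_left'] < 0 else str(r['days_left'])} days)")
        lines.append(f"{tag} {r['cve']}{due}: {', '.join(r['hosts'])}")
    return lines


if __name__ == "__main__":
    for line in report(triage(INVENTORY, load_kev(KEV_FEED_SAMPLE), date(2026, 2, 2))):
        print(line)
```

The point of the ordering is that KEV status outranks CVSS: a 9.3 that nobody has been seen exploiting can wait behind a lower-scored bug that is already being used against you, and a past-due KEV entry on an internet-facing host is also a signal to start hunting, not just patching.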

What This Means for Our Day-to-Day Work

Looking at these incidents together, a few patterns emerge that should influence how we approach security:

First, insider threat programs need to be more than monitoring for suspicious behavior. We need to know which data actually matters most and make access to it conditional: least privilege by default, time-limited access granted on request rather than standing entitlements, and logging of bulk reads and exports from those systems so that unusual volume stands out.

Second, our security awareness programs need to evolve beyond basic phishing training. When attackers are using sophisticated vishing techniques and creating company-specific credential harvesting sites, we need to prepare our users for more targeted and convincing attacks.

Third, critical infrastructure protection requires a fundamentally different approach. The Poland attack shows that nation-state actors are willing to destroy equipment, not just steal data or cause temporary disruption, so recovery planning has to assume hardware replacement, not only data restoration.

Finally, the continued stream of critical vulnerabilities in widely-used software reinforces that patch management isn’t just about keeping systems updated – it’s about having processes that can respond quickly when actively exploited zero-days are discovered.

The threat environment we’re operating in today requires us to think beyond traditional perimeter defense. Whether it’s nation-state actors targeting critical infrastructure or financially motivated groups using sophisticated social engineering, we need defense strategies that assume both external attackers and malicious insiders will eventually succeed in their initial compromise attempts.
