Persistent Pro-Russian Hacktivist DDoS Campaigns Target UK Public and Critical Services
The UK government, through its National Cyber Security Centre (NCSC), has issued a warning regarding sustained cyber activity carried out by Russian-aligned hacktivist groups that continue to target UK organisations. This activity is primarily focused on public sector bodies, including local authorities, as well as organisations operating critical national infrastructure. The attacks observed are predominantly Distributed Denial-of-Service (DDoS) attacks, aimed at disrupting the availability of public-facing services, rather than gaining unauthorised access, stealing data, or deploying ransomware. While these attacks are technically simple in nature, the NCSC highlights that their impact should not be underestimated as they can significantly affect service delivery, operational continuity, and public confidence.


One of the main groups highlighted in the advisory is NoName057(16), a pro-Russian hacktivist collective that has been active since 2022 and is closely associated with the DDoSia platform. This platform allows sympathisers and volunteers to participate in coordinated DDoS campaigns by contributing computing resources, effectively crowdsourcing attack capacity. The group’s motivations are largely ideological and politically driven, with targets often selected based on their perceived alignment with governments or organisations that support Ukraine or oppose Russian geopolitical interests. This distinguishes their activity from financially motivated cybercrime groups and places it firmly within the broader context of cyber-enabled influence and disruption operations.
The NCSC notes that although DDoS attacks don’t typically result in data loss or permanent system compromise, they can still impose considerable costs on targeted organisations. These include the diversion of technical resources, the need to engage external mitigation services, and the disruption of essential services relied upon by citizens and businesses. For public sector organisations in particular, even short-lived outages can have a disproportionate impact due to the critical nature of the services they provide and the limited tolerance for downtime.
Recent international law-enforcement efforts have sought to disrupt the operations of NoName057(16) and related infrastructure, including the takedown of servers and the arrest of individuals linked to the group. While these actions temporarily reduced the group’s activity, the NCSC assesses that they did not eliminate the core leadership or operational capability of the group. Key operators are believed to remain outside the reach of UK and allied law-enforcement agencies, enabling the group to rapidly reconstitute its infrastructure and resume attacks. As a result, the threat is assessed to be ongoing and persistent.
In response to this activity, the NCSC urges organisations to focus on improving resilience rather than solely relying on detection or prevention. Recommended measures include working closely with internet service providers and content delivery networks to implement effective DDoS mitigation, understanding which services are most exposed and critical, and ensuring that systems are designed to degrade gracefully under attack. The NCSC also emphasises the importance of having well-rehearsed incident response and business continuity plans that account for prolonged or repeated service disruption.
Overall, the warning reflects a broader trend in which hacktivist activity, often aligned with state interests, is being used as a low-cost, high-visibility method of exerting pressure and causing disruption during periods of geopolitical tension. While the technical sophistication of these attacks may be limited, their strategic impact, persistence, and ability to strain organisational resources mean they should be treated as a serious and ongoing risk by UK organisations, particularly those operating public-facing or critical services.
Cyberattack on Poland’s Energy Grid Nearly Causes Nationwide Blackout Amid Russian Sabotage Allegations
In late December 2025, Poland experienced a severe cyberattack targeting its energy infrastructure. Senior officials described it as among the most significant in recent memory and one that very nearly triggered a nationwide blackout. The attack unfolded during harsh winter weather, compounding the risk to the country’s energy systems, and was directed at communication links between renewable power installations, including wind and solar farms, and grid control operators.
Polish authorities characterised the incident not as a random intrusion but as deliberate sabotage intended to destabilise national power delivery. Deputy Prime Minister and Digital Affairs Minister Krzysztof Gawkowski equated cyber weapons to “digital tanks” and asserted that “everything suggests that we are dealing with Russian sabotage”, reflecting Warsaw’s assessment of the geopolitical threat context. Despite the severity and coordination of the assault, Polish cyber defences and grid operators were able to stabilise the system before any widespread outages occurred, averting the worst-case outcome of a large-scale blackout and maintaining continuity of electricity supply throughout the attack.
Technical analysis of the incident indicates that the attackers deployed sophisticated destructive malware as part of the campaign, and cybersecurity firms such as ESET have subsequently linked the activity to the Russian state-affiliated threat group Sandworm, known for past disruptive operations against critical infrastructure. The malware, termed DynoWiper, was analysed by researchers and identified as a previously unseen wiper strain, although it did not achieve its destructive aims before being neutralised. ESET’s attribution to Sandworm comes with medium confidence, based on overlaps with historical tactics, techniques, and procedures employed by the group in attacks on Ukrainian energy systems and other critical targets. Polish authorities also publicly attributed the offensive to Russian actors, underscoring the growing use of cyber operations in geopolitical competition and the ongoing need to harden energy sector defences amid persistent hybrid threats.
https://thecyberexpress.com/poland-cyberattack-energy-grid-blackout/
Canadian Investment Regulator Confirms Major Data Breach Affecting 750,000 Investors
In early 2026, the Canadian Investment Regulatory Organization (CIRO) confirmed that a significant cybersecurity incident discovered in August 2025 resulted in the personal and financial information of approximately 750,000 Canadian investors being exposed. CIRO, the national self-regulatory body that oversees investment dealers, mutual fund dealers, and trading activity across Canada’s debt and equity markets, initially identified the intrusion on 11 August 2025 and promptly shut down portions of its systems to contain the threat. A comprehensive forensic investigation, involving more than 9,000 hours of analysis by external cybersecurity experts, was completed before the organisation publicly confirmed the full scale of the breach in January 2026. CIRO characterised the attack as the result of a sophisticated phishing campaign, emphasising that critical market surveillance and trading systems were unaffected and that there is currently no evidence the compromised data has been misused or exposed on the dark web.
According to CIRO’s disclosures, the types of personal information potentially accessed included dates of birth, phone numbers, annual income figures, social insurance numbers, government-issued ID numbers, investment account numbers, and account statements, all collected as part of the organisation’s regulatory, compliance assessment, and market surveillance activities. Login credentials, such as passwords, security questions, and PINs, were not compromised because they are not stored by CIRO.
Individuals identified as affected began receiving notification letters in mid-January 2026, with CIRO offering two years of free credit monitoring and identity theft protection services through major credit agencies to help mitigate potential risks. The regulator also expressed deep regret for the incident, reaffirmed its commitment to investor privacy and cybersecurity, and stated that it is actively monitoring systems for further malicious activity while working to strengthen its security defences and support broader industry efforts.
https://therecord.media/canada-ciro-investing-regulator-confirms-data-breach
FBI Warns of North Korean APT “Quishing” Campaign Leveraging Malicious QR Codes in Targeted Spear-Phishing
In early January 2026, the US Federal Bureau of Investigation (FBI) issued a high-priority cybersecurity warning about an ongoing spear-phishing campaign conducted by the North Korean state-sponsored threat group Kimsuky (also tracked as APT43). According to the FBI alert, the group has evolved its tactics to embed malicious QR codes in carefully crafted phishing emails, a technique now commonly referred to as “quishing.”
Instead of relying on conventional clickable URLs that might be caught by email filters or endpoint security tools, these malicious QR codes require the victim to scan them with a mobile device, allowing the attackers to bypass traditional email and web security protections. Once scanned, victims are redirected through attacker-controlled redirectors that collect device and identity information and often lead to fake login pages designed to steal credentials for cloud services, VPNs, identity providers (such as Microsoft 365 or Okta), or other sensitive systems.
The campaign appears highly targeted and strategic, focusing on organisations and individuals with ties to government policy, research, academia, and non-governmental organisations. Malicious QR codes have been embedded as images or attachments in spear-phishing emails that impersonate trusted contacts or legitimate institutional correspondence, increasing the likelihood that recipients will scan the code. Because QR codes themselves are visually neutral and lack obvious indicators of malicious intent, attackers can exploit user trust and mobile device scanning behaviour to evade traditional safeguards.
Victims who scan the malicious codes may have their credentials harvested, session tokens stolen (potentially enabling MFA bypass), or devices profiled and fingerprinted for further exploitation. The FBI’s advisory emphasises the growing use of this QR code-based phishing vector and urges organisations to educate staff on the risks of scanning unsolicited QR codes, verify sources before interaction, enforce multi-factor authentication, and apply mobile device management policies to mitigate the threat.
https://thehackernews.com/2026/01/fbi-warns-north-korean-hackers-using.html