Diverging attributions on the energy attack in Poland, new cybercrime offensives in Italy, multiple vulnerabilities exploited ITW

Weekly Threats by Telsy

Poland: latest updates on the late-December attack on the power system

On December 29, 2025, a coordinated cyberattack hit numerous Polish power system sites connected to distributed generation, in particular cogeneration plants and dispatching systems for wind and solar. Although it did not cause power outages, the operation allowed the attackers to gain access to operational technology (OT) systems critical to grid operations and to irreversibly disable some field equipment, demonstrating offensive capabilities with potential physical impact. On January 13, 2026, Polish Energy Minister Milosz Motyka reported that, although the offensive was unsuccessful and did not disrupt the electricity supply, the Polish cyber forces command classified it as the strongest attack on energy infrastructure in recent years. On January 23, security researchers attributed responsibility with medium confidence to the Russian state-sponsored group Sandworm. In the same context, they reported the use of a previously unknown wiper, dubbed DynoWiper, observed during the incident, which coincided with the tenth anniversary of the 2015 attack on the Ukrainian power grid based on the BlackEnergy malware, also attributed to Sandworm. A few days later, on January 28, other researchers attributed the offensive with moderate confidence to another Russian state-sponsored group known as ELECTRUM. The latter is often considered to overlap with Sandworm, but analysts explicitly clarified that the two entities do not perfectly coincide and that not all Sandworm activity is necessarily attributable to ELECTRUM, and vice versa. From a capabilities standpoint, ELECTRUM demonstrates deep knowledge of electrical architectures, network operational flows, and the industrial protocols used in control systems. In 2016 it developed and deployed purpose-built OT malware such as CRASHOVERRIDE, capable of interacting directly with ICS protocols such as IEC-104, IEC-101, IEC-61850, and OPC DA, and also including destructive modules to hinder the restoration of SCADA systems. ELECTRUM has also been linked to the destructive operation against Viasat’s KA-SAT satellite network in February 2022, in the context of Russia’s invasion of Ukraine.


Italy: new ransomware claims and phishing operations

On the ransomware front, TA505 claimed on its leak site the compromise of Restart S.r.l., an SME based in Genoa active in the ICT sector, while SAFEPAY targeted LC Publishing Group S.p.A., a leading publishing group in Italy, Switzerland, the Iberian Peninsula, Latin America, and M.E.N.A., in the fully digital information sector related to legal, tax, financial, and food domains. As for phishing operations detected in Italy, the following are reported: a campaign themed on Intesa Sanpaolo, aimed at acquiring credentials for access to banking services and payment card data of potential victims; emails requesting verification of the SPID profile by directing the recipient to a malicious page that replicates the graphics of the official Public Digital Identity System (SPID) portal and displays the logos of AgID and the Department for Digital Transformation to exfiltrate personal information; an activity that exploits compromised email accounts belonging to Public Administration (PA) entities to steal Microsoft 365 credentials via Figma; and a campaign widely distributed via WhatsApp that abuses previously compromised accounts to induce the potential victim to carry out a banking transaction. Added to these is a phishing operation themed on Deutsche Bank, which distributes an Android trojan nicknamed NFCShare, designed to steal payment card data via NFC technology. Although the specific targeting is unclear, the attack begins with a counterfeit website that imitates the Deutsche Bank Italy portal, where the victim is invited to enter their phone number and, subsequently, to download an alleged update of the banking app in the form of an APK file named deutsche.apk.


Vulnerabilities: exploitation reported of flaws affecting Broadcom, Microsoft, SmarterTools, GNU, Fortinet, and Ivanti products

CISA added Broadcom VMware vCenter Server CVE-2024-37079 to its KEV catalog. Fixed in June 2024, the flaw is an Out-of-bounds Write in the DCERPC protocol implementation, which could allow an adversary with network access to vCenter Server to send specially crafted network packets, with the risk of remote code execution. A new vulnerability in SmarterTools’ SmarterMail email software was subject to ITW exploitation activity two days after the release of a patch on January 15, 2026, following responsible disclosure on January 8. Identified as CVE-2026-23760 (CVSS 9.3), it is an Authentication Bypass Using an Alternate Path or Channel that resides in the password reset API and, if exploited, would allow a remote attacker to bypass authentication mechanisms, gain administrator access, and subsequently execute arbitrary commands on the operating system. Microsoft released emergency security updates to fix a 0-day exploited in ITW attacks impacting Office. Tracked as CVE-2026-21509 (CVSS 7.8), the flaw is a Reliance on Untrusted Inputs in a Security Decision that allows an unauthorized malicious user to bypass a local security feature. Security researchers tracked nearly 800,000 IP addresses with a Telnet fingerprint, in the context of ongoing offensives exploiting CVE-2026-24061 (CVSS 9.8), a critical vulnerability in the GNU InetUtils telnetd server. Specifically, it is an Argument Injection that allows bypassing remote authentication via the “-f root” value of the USER environment variable. Both CVE-2026-21509 and CVE-2026-24061 have also been added to CISA’s KEV catalog. Fortinet began releasing security updates to address CVE-2026-24858 (CVSS 9.4), which affected FortiOS and was subject to ITW exploitation activity via two malicious FortiCloud accounts, which were disabled on January 22, 2026. Specifically, it is an Authentication Bypass Using an Alternate Path or Channel in FortiOS, FortiManager, and FortiAnalyzer that could allow an adversary with a FortiCloud account and a registered device to access devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices. Finally, Ivanti fixed two critical 0-days in Endpoint Manager Mobile (EPMM) – CVE-2026-1281 and CVE-2026-1340 – both with CVSS scores of 9.8 and of the Code Injection type, which allow unauthenticated remote code execution.
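The telnetd argument-injection pattern described above is something a network sensor can look for on the wire. The Python below is an added example written for this bulletin, not Telsy's own tooling: it decodes telnet NEW-ENVIRON subnegotiations (option and type codes as defined in RFC 1572) and flags any USER value that begins with "-". The function names and the two sample captures are constructed for illustration.

```python
from __future__ import annotations

IAC, SB, SE, NEW_ENVIRON = 255, 250, 240, 39   # telnet command bytes; option 39 = NEW-ENVIRON
IS, INFO = 0, 2                                 # client -> server subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3           # RFC 1572 type codes

def parse_env_body(body: bytes) -> dict[str, str]:
    """Decode RFC 1572 VAR/USERVAR name, VALUE value pairs, honouring ESC."""
    pairs, cur, idx, j = [], [bytearray(), bytearray()], 0, 0  # initial cur is a discarded dummy
    while j < len(body):
        b = body[j]
        if b == ESC and j + 1 < len(body):      # escaped control byte is literal data
            j += 1
            cur[idx].append(body[j])
        elif b in (VAR, USERVAR):               # start of a new variable name
            cur, idx = [bytearray(), bytearray()], 0
            pairs.append(cur)
        elif b == VALUE:                        # switch from name to value
            idx = 1
        else:
            cur[idx].append(b)
        j += 1
    return {n.decode("latin-1"): v.decode("latin-1") for n, v in pairs}

def extract_new_environ(stream: bytes) -> list[dict[str, str]]:
    """Return the variables carried by every NEW-ENVIRON IS/INFO subnegotiation in a stream."""
    envs, prefix = [], bytes([IAC, SB, NEW_ENVIRON])
    i = stream.find(prefix)
    while i >= 0:
        j = i + len(prefix)
        if j < len(stream) and stream[j] in (IS, INFO):   # server SEND blocks carry no values
            j, body = j + 1, bytearray()                   # IAC IAC is an escaped 0xFF; a lone IAC ends the block
            while j < len(stream) and not (stream[j] == IAC and stream[j + 1:j + 2] != b"\xff"):
                body.append(stream[j])
                j += 2 if stream[j] == IAC else 1
            envs.append(parse_env_body(bytes(body)))
        i = stream.find(prefix, j)
    return envs

def suspicious_user_values(stream: bytes) -> list[str]:
    """USER values starting with '-' read as options to a login helper, not as a user name."""
    return [e["USER"] for e in extract_new_environ(stream)
            if e.get("USER", "").lstrip().startswith("-")]

def new_environ_is(*pairs: tuple[bytes, bytes]) -> bytes:   # builds a client IS block for the samples
    body = b"".join(bytes([VAR]) + n + bytes([VALUE]) + v for n, v in pairs)
    return bytes([IAC, SB, NEW_ENVIRON, IS]) + body + bytes([IAC, SE])

BENIGN_CAPTURE = new_environ_is((b"USER", b"alice"), (b"DISPLAY", b"host:0"))  # constructed sample
SUSPECT_CAPTURE = new_environ_is((b"USER", b"-f root"))                          # constructed sample
```

Feeding reassembled TCP payloads of inbound port 23 sessions to suspicious_user_values gives a cheap, protocol-aware indicator to alert on while patching.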



Weekly Threats is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.

Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.

Discover more about our Cyber Threat Intelligence solution.