
Cyber Attack News – Risk Roundup – Top Stories for December 2025

December 17, 2025

December closed out the year with a clear signal: cyber risk is accelerating across technology, governance, and geopolitics, with attackers exploiting speed, scale, and complexity faster than many organizations can respond. This month saw active exploitation of critical vulnerabilities, continued state-sponsored campaigns, and mounting evidence that AI is already lowering the barrier to entry for sophisticated cybercrime.

At the same time, governments and standards bodies moved to address these risks through new OT-focused guidance and governance frameworks, highlighting the growing convergence of cybersecurity, operational resilience, and executive accountability. From critical infrastructure targeted by hacktivists to warnings from AI developers themselves, December’s events underscore that cyber threats are no longer confined to isolated systems—they are increasingly systemic, automated, and operational in impact.

Below are the most important cyberattack and cyber-risk developments from December, with a focus on OT, critical infrastructure, ransomware, supply-chain compromise, AI misuse, and governance.

OT Governance and Guidance: AI, Cloud, and Regulatory Convergence

December brought a wave of governance and standards activity aimed squarely at operational technology.

A coalition of U.S. national security organizations published Principles for the Secure Integration of Artificial Intelligence in Operational Technology, outlining expectations for introducing AI into industrial environments. The guidance emphasizes secure-by-design deployment, asset visibility, least privilege, human oversight, and fail-safe operation—reflecting concern that poorly governed AI could introduce new failure modes into safety-critical systems.

CISA also released Cybersecurity Performance Goals (CPG) 2.0 for Critical Infrastructure, an updated set of outcome-driven, voluntary baseline practices for both IT and OT environments. Notably, CPG 2.0 introduces a new governance-focused component, aligning with NIST Cybersecurity Framework 2.0 and emphasizing accountability, risk management, and the integration of cybersecurity into day-to-day operations. Rather than prescribing controls, the goals are designed to help operators benchmark maturity, guide investment, and reduce risk in measurable ways.

The International Society of Automation (ISA) updated guidance on cloud computing in OT environments, addressing areas where cloud computing can be leveraged to advance OT operations, as well as the risks associated with it. 

AI Actively Enables Cybercrime at Scale

This month OpenAI warned that its upcoming, more capable AI models could significantly increase cybersecurity risk if misused, including by enabling more effective vulnerability discovery, exploit development, and social engineering at scale. The company said it is preparing additional safeguards, internal risk reviews, and external engagement with governments to manage these risks, acknowledging that future models may meaningfully lower the barrier for sophisticated cyber operations. The disclosure reflects growing concern—even among AI developers themselves—that advances in model capability could accelerate both defensive and offensive cyber activity if governance and controls lag behind.

Those concerns are already being borne out in real-world activity. Researchers reported that the Brazilian Water Saci cybercrime group is using large language models (LLMs) to automate phishing campaigns, translate and adapt malware scripts, and improve payload reliability. Attackers were also observed leveraging AI-generated phishing content to distribute advanced banking trojans, producing highly convincing lures while reducing the skill and effort traditionally required to execute such campaigns. 

AI capabilities are already lowering the barrier to entry for cybercrime, reinforcing concerns that offensive use may outpace governance and controls. As AI becomes stronger, it will be critical for organizations to strengthen their preventative controls to harden their environments against an increased speed and volume of attacks. 

Hacktivists Continue Targeting Critical Infrastructure

A multinational advisory warned this month that hacktivist groups are actively targeting critical infrastructure, including water utilities, energy providers, and food and agriculture systems.

Although these groups often lack sophisticated tooling, they exploit exposed remote access services, particularly VNC, and weak segmentation. In multiple cases, attackers caused real operational disruption, underscoring how even low-skill actors can generate high-impact outcomes in poorly secured OT environments. 

The advisory underscores the real-world risk that insecure remote access solutions introduce into critical environments with little effort on the attacker's part. Critical infrastructure providers should shift away from these legacy remote access systems and adopt more secure, Zero Trust solutions that prevent credential abuse and lateral movement.
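One way a defender can check for the two weaknesses the advisory points at (VNC reachable from outside, and VNC crossing from IT into the OT segment), as an added example that is not from the advisory or this post; it assumes constructed firewall accept-log lines in a simple text format and an assumed OT segment of 192.168.10.0/24:

```python
import ipaddress
import re

# Constructed sample firewall accept-log lines (not real telemetry).
SAMPLE_LOG = """\
2025-12-05T10:02:11Z ACCEPT 203.0.113.7:51234 -> 192.168.10.25:5900
2025-12-05T10:02:19Z ACCEPT 198.51.100.4:40111 -> 192.168.10.25:5901
2025-12-05T10:05:02Z ACCEPT 10.20.0.15:60001 -> 192.168.10.30:5900
2025-12-05T10:05:40Z ACCEPT 192.168.10.40:50500 -> 192.168.10.25:5900
2025-12-05T10:06:03Z ACCEPT 10.20.0.15:60002 -> 10.20.0.99:443
"""

LINE_RE = re.compile(r"^(\S+) ACCEPT (\S+):(\d+) -> (\S+):(\d+)$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_NET = ipaddress.ip_network("192.168.10.0/24")  # assumed OT segment
VNC_PORTS = range(5900, 5911)  # RFC 6143 default ports: 5900 + display number

def is_internal(ip):
    """True if the address falls in an RFC 1918 private range."""
    return any(ip in net for net in RFC1918)

def parse(log_text):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for each well-formed accept line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, _sport, dst, dport = m.groups()
            yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)

def audit_vnc(log_text, ot_net=OT_NET):
    """Flag VNC sessions from non-private sources and VNC crossing into the OT segment."""
    findings = []
    for ts, src, dst, dport in parse(log_text):
        if dport not in VNC_PORTS:
            continue
        if not is_internal(src):
            findings.append(("exposed_vnc", ts, str(src), str(dst), dport))
        elif dst in ot_net and src not in ot_net:
            findings.append(("cross_segment_vnc", ts, str(src), str(dst), dport))
    return findings

if __name__ == "__main__":
    for finding in audit_vnc(SAMPLE_LOG):
        print(*finding)
```

The OT-to-OT VNC session and the HTTPS flow produce no findings; only the two Internet-sourced sessions and the IT-to-OT session are reported.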

State-Sponsored Malware Targets Virtualized Infrastructure

Meanwhile, CISA and the NSA have warned of a more sophisticated operation in which state-backed threat actors are using the BRICKSTORM backdoor to compromise VMware and Windows systems. The malware enables long-term, stealthy persistence, credential theft, lateral movement, and data exfiltration, and has been observed targeting public sector and critical infrastructure organizations. The campaign highlights continued state-sponsored efforts to maintain covert access to enterprise environments for espionage and potential future operations.