
Cyber Attack News – Risk Roundup – Top Stories for January 2026

January 27, 2026

Nation-State Cyber Operations Move from Covert to Overt

US Cyber Operations Used in Maduro Capture

Reporting revealed that U.S. authorities used offensive cyber operations to disrupt power and radar systems in Caracas during a January operation aimed at capturing Venezuela’s president. Officials emphasized that the cyber effects were tightly scoped and reversible, with power restored quickly and minimal civilian impact reported. The disclosure represents one of the clearest public acknowledgments in recent years of cyber operations being used to directly enable kinetic or law enforcement objectives. It signals a broader normalization of cyber capabilities as a tactical state tool, particularly against infrastructure that lacks sophisticated defensive capacity.

As critical infrastructure is increasingly used as a lever in modern warfare, operators must reduce exposure to nation-state cyber activity by enforcing Zero Trust access at the device and workload level, limiting attackers’ ability to move laterally or manipulate control systems even after initial access.

APT28 and Mustang Panda Target Energy, Government, and Policy Organizations

Russia-linked APT28 conducted campaigns targeting global energy and nuclear research organizations, while China-linked Mustang Panda used spearphishing lures referencing U.S. policy toward Venezuela to target U.S. government entities. Both campaigns focused on credential harvesting and long-term access rather than immediate disruption. Energy research institutions, policy bodies, and telecom organizations remain high-value intelligence targets, offering insights into infrastructure vulnerabilities, regulatory planning, and crisis response strategies. Such activity often precedes broader geopolitical pressure, making it an important indicator of strategic intent rather than isolated espionage. 

Xage helps mitigate long-dwell espionage campaigns by continuously validating identity and access requests, reducing the value of stolen credentials and making persistent, covert access significantly harder to maintain.

Poland Thwarts Cyberattack on Distributed Energy Resources

Poland disclosed that it stopped a suspected Russian cyberattack targeting communications associated with multiple smaller power generation sources rather than a single centralized facility. Officials described the activity as an attempt to interfere with energy operations by exploiting the growing complexity of distributed power generation. As national grids decentralize and integrate renewable sources, the attack surface expands to include thousands of smaller assets that are often less visible and less consistently protected. This incident illustrates how distributed energy resources (DERs) are becoming attractive targets for disruption precisely because of their scale and interconnectedness.

In the United States, the most recent revisions to the North American Electric Reliability Corporation’s Critical Infrastructure Protection (NERC CIP) standards are catching up with this shift, with updates in 2025 aimed at extending cybersecurity requirements beyond traditional bulk generation and transmission assets to include more distributed and previously low-impact systems that could nevertheless affect grid reliability. Under these updates, NERC CIP standards such as CIP-003-9 and CIP-005-7 are expanding expectations for secure remote and third-party access and raising security baselines, while evolving criteria around asset categorization are bringing more DERs and associated communications systems under compliance scrutiny. These developments reflect a broader effort to align regulatory protections with the risks posed by DER proliferation and interconnected grid assets that were previously outside CIP enforcement.

Xage enables consistent identity-based security across distributed energy assets, helping operators enforce uniform access policies and strong authentication for DERs and control communications while aligning with emerging NERC CIP expectations for asset identification, access control, and monitoring to support grid reliability.

Critical Infrastructure and OT Face Sustained Pressure

Energy Sector Ransomware and Disruption

Romanian energy producer CET Oltenia suffered a ransomware attack, Chilean energy firm Copec confirmed a ransomware incident affecting internal systems, and Taiwan reported a tenfold increase in cyberattacks against its energy sector, with attackers exploiting software update windows. While the operational impact varied across incidents, each reflected a broader pattern of sustained pressure on energy operators from both criminal and state-aligned actors. Ransomware continues to intersect with geopolitical risk, particularly when attacks target organizations that support national energy stability and economic continuity.

Xage reduces ransomware impact by enforcing least-privilege access and isolating OT systems from compromised IT identities, helping prevent ransomware from propagating into operational environments.

AI and Supply-Chain Risk via Developer Infrastructure

Recent disclosures highlighted two related threats targeting developer infrastructure that sits at the heart of modern software supply chains. GitLab patched a high-severity vulnerability that allowed attackers with partial credential knowledge to bypass two-factor authentication, exposing both enterprise and community environments to account takeover risk. Separately, researchers observed a rise in domain resurrection attacks, in which threat actors register expired domains tied to abandoned developer email addresses, then use control of those domains to reset credentials, hijack accounts, and distribute malicious code through trusted package repositories.

Together, these incidents illustrate how attackers are increasingly exploiting identity weaknesses and overlooked lifecycle gaps in developer tooling rather than attempting direct code compromise. As software supply chains become more automated and interconnected, identity control and access governance within developer environments are emerging as some of the most critical and least mature security control points.

AI Abuse, Identity Attacks, and Emerging Threat Models

AI-Generated Malware Reaches New Level of Maturity

Security researchers reported that a newly discovered Linux malware dubbed VoidLink was likely written almost entirely by AI, using a structured “spec-driven development” approach in which an AI model generated not only the code but also development plans, specifications, and iterative testing workflows. Unlike earlier examples of AI-assisted malware, VoidLink showed a level of architectural coherence and operational sophistication typically associated with experienced human developers, suggesting that AI is now being used to accelerate the full malware lifecycle rather than simply assist with individual coding tasks. This development signals a shift in how quickly capable malware can be produced, lowering the cost and time required to create high-quality threats and increasing the likelihood of rapid iteration and customization by attackers.

Voice Cloning Defenses Easily Bypassed

Researchers demonstrated that AI-based voice cloning defenses can be bypassed, allowing attackers to convincingly replicate voices even when countermeasures are in place. These techniques undermine voice biometric systems used by banks, telecom providers, and customer service operations. As voice cloning becomes more accessible and more accurate, voice authentication is rapidly losing its reliability as a trust signal. Organizations that rely on voice-based identity verification face increased exposure to fraud and social engineering unless additional controls are layered in. It is critical to decouple trust from single-factor identity signals and to enforce cryptographically verifiable identities for users, devices, and workloads.

LLM Infrastructure Actively Scanned by Threat Actors

Security researchers observed large-scale scanning activity targeting exposed and misconfigured large language model (LLM) servers. Attackers appear to be probing for unsecured APIs, weak authentication, and configuration flaws that could enable data theft, model manipulation, or downstream system compromise. As AI platforms transition from experimental deployments to operational infrastructure, they are increasingly treated by adversaries as high-value enterprise assets. Many organizations deploying AI systems are still developing governance and security practices, creating opportunities for early exploitation.

Xage helps secure AI infrastructure by applying Zero Trust principles to model access and service interactions, ensuring that only verified identities and authorized workloads can interact with sensitive AI systems.
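The scanning pattern described above leaves a recognizable trace in access logs: one source walking a list of model-serving endpoints, and, more importantly, endpoints that answer successfully to requests carrying no credential. The following added example (not code from the Xage post or from any product it mentions) shows a defender's first pass over such logs. It assumes a reverse proxy writing JSON lines with the fields ts, src, method, path, status and auth (whether a credential was presented), which is an assumption about the environment, not something the post describes; the sample log lines are constructed. The endpoint list combines paths served by OpenAI-compatible servers (/v1/models, /v1/chat/completions) and by Ollama (/api/tags, /api/generate) with generic ones, and should be adjusted to the stack actually deployed.

```python
"""Added example: flag discovery scans and unauthenticated exposure of LLM
API endpoints in reverse-proxy access logs.

Assumptions (not from the post): logs are JSON lines with the fields
ts, src, method, path, status and auth. The endpoint list mixes paths
used by OpenAI-compatible servers and Ollama with generic ones; adjust
it for your own deployment.
"""
import json
from collections import defaultdict

# Paths that, when enumerated by one source, suggest LLM-server discovery.
LLM_API_PATHS = {
    "/v1/models",
    "/v1/chat/completions",
    "/v1/completions",
    "/api/tags",
    "/api/generate",
    "/api/chat",
    "/docs",  # auto-generated API docs are often left exposed
}

# Constructed sample log: one source walking the endpoint list, one
# credentialed client, one endpoint answering 200 with no credential.
SAMPLE_LOG = """\
{"ts":"2026-01-20T03:14:01Z","src":"203.0.113.7","method":"GET","path":"/v1/models","status":401,"auth":false}
{"ts":"2026-01-20T03:14:01Z","src":"203.0.113.7","method":"GET","path":"/api/tags","status":404,"auth":false}
{"ts":"2026-01-20T03:14:02Z","src":"203.0.113.7","method":"POST","path":"/v1/chat/completions","status":401,"auth":false}
{"ts":"2026-01-20T03:14:02Z","src":"203.0.113.7","method":"GET","path":"/docs","status":200,"auth":false}
{"ts":"2026-01-20T03:15:10Z","src":"198.51.100.22","method":"POST","path":"/v1/chat/completions","status":200,"auth":true}
{"ts":"2026-01-20T03:15:11Z","src":"198.51.100.22","method":"POST","path":"/v1/chat/completions","status":200,"auth":true}
{"ts":"2026-01-20T03:16:40Z","src":"192.0.2.99","method":"GET","path":"/api/tags","status":200,"auth":false}
{"ts":"2026-01-20T03:17:00Z","src":"198.51.100.22","method":"GET","path":"/healthz","status":200,"auth":false}
"""


def parse_log(text):
    """Parse JSON lines; skip malformed or incomplete records instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if {"src", "path", "status", "auth"} <= ev.keys():
            events.append(ev)
    return events


def find_enumerators(events, min_distinct=3):
    """Sources that touched at least min_distinct different LLM API paths.

    Returns {src: sorted list of LLM paths probed}. A legitimate client
    normally uses one or two endpoints; walking many is discovery behaviour.
    """
    probed = defaultdict(set)
    for ev in events:
        if ev["path"] in LLM_API_PATHS:
            probed[ev["src"]].add(ev["path"])
    return {src: sorted(paths) for src, paths in probed.items()
            if len(paths) >= min_distinct}


def find_unauthenticated_success(events):
    """LLM endpoints that returned 2xx to a request with no credential.

    This is evidence about the server's exposure, independent of who asked,
    so it is the higher-priority finding for remediation.
    """
    hits = []
    for ev in events:
        if (ev["path"] in LLM_API_PATHS and not ev["auth"]
                and 200 <= ev["status"] < 300):
            hits.append((ev["src"], ev["path"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, paths in find_enumerators(evs).items():
        print(f"enumeration from {src}: {', '.join(paths)}")
    for src, path in find_unauthenticated_success(evs):
        print(f"unauthenticated success on {path} from {src}")
```

On the constructed sample, 203.0.113.7 is reported for walking four endpoints, and two findings of the second kind appear: the exposed API docs and the Ollama tag listing answering without a credential. The second function is the one to wire into alerting first, since it identifies servers that need authentication in front of them regardless of whether a scan has happened yet.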

Economic Pressure Turns Cyber Risk into Systemic Risk

Jaguar Land Rover Cyberattack Slows UK Economy

Jaguar Land Rover disclosed that a September cyberattack led to a 43 percent drop in wholesale volumes, with production disruptions lasting several weeks. The Bank of England later cited the incident as a factor contributing to slower UK economic growth. The case demonstrates how cyber incidents in manufacturing can propagate far beyond the affected organization, impacting suppliers, logistics networks, and labor markets. In highly integrated industrial supply chains, cyber risk increasingly translates into macroeconomic risk.

What Executives Say: Cyber Risk Now Tops the Enterprise Risk Agenda

A recent survey of more than 1,500 board members and C-suite executives in Protiviti’s “Executive Perspectives on Top Risks” report shows that cybersecurity has emerged as the foremost near-term risk and a leading strategic investment priority, with 43 percent of global leaders ranking it at the top of their risk register and as a key focus area for resource allocation. In addition to cyber threats, respondents highlighted third-party and supply chain risks, the challenges of integrating AI with existing technology and workforce processes, and performance gaps in legacy IT infrastructure as among the most pressing concerns shaping their organizations’ risk landscapes. The survey also found that nearly seven in ten executives see significant opportunities for revenue growth over the next two to three years, indicating that risk management and growth strategies are increasingly intertwined, with resilience and innovation both seen as drivers of competitive advantage.