Google: state-backed actors are using Gemini across the full attack lifecycle
What happened: Google’s Threat Intelligence Group (GTIG) and related coverage describe multiple state-backed clusters leveraging Gemini for end-to-end campaign support: target research, translating and tailoring phishing content, drafting pretexts, troubleshooting scripts, and iterating on payload components when something breaks in the field. GTIG also notes interest in “agentic” workflows, prompts that try to turn the model into a repeatable operator (e.g., pseudo-auditors, “expert pentester” personas) rather than a one-off helper.
Why it matters: The biggest shift isn’t magically novel exploits; it’s throughput. When recon, lure quality, and tooling iteration get cheaper, defenders see more tailored attempts against cleared staff, vendors, and frontline operational roles.
What to do next:
- Tighten identity and inbox controls where “good-enough lures at scale” hurt most: MFA enforcement, conditional access, and high-signal detections for impersonation and unusual login paths.
- Run short, frequent simulations focused on recruiter/vendor themes and “attachment-less” social engineering.
Poland’s wind/solar incident: destructive intent, OT impact, and the edge-device reality
What happened: Poland’s CERT describes coordinated destructive attacks on Dec. 29, 2025 that hit at least 30 wind and solar farms, plus other targets (including a combined heat-and-power plant and a manufacturing firm). The report frames the activity as cyber sabotage, comparing it to deliberate arson, and notes the attacks affected both IT and OT, which is still relatively rare in publicly reported incidents. Operationally, the renewables impact centered on loss of communications/visibility between facilities and distribution operators; generation continued, but CERT stresses the access level created risk of disruption at affected sites.
CISA later highlighted the same event as a warning signal for OT/ICS programs: insecure edge exposure and weak remote access hygiene remain the consistent “front door” for these outcomes.
Why it matters: DER (distributed energy resources) expands the target surface: many small sites, many vendors, and uneven hardening. It remains a national resilience concern because loss of view/control is often the step before physical effect.
What to do next:
- Make “no default creds, no shared creds” a commissioning gate (and enforce it contractually with integrators).
- Segment OT/DER management paths like critical sites, not “remote closets.”
- Establish passive asset discovery + anomaly visibility in OT networks. Where that maturity isn’t in-house, teams often start with pragmatic steps: inventory, remote access controls, and monitoring that doesn’t require deploying fragile endpoint agents into OT.
Dell RecoverPoint zero-day (CVE-2026-22769): exploited since mid-2024 with stealthy backdoors
What happened: Reporting and primary research describe active exploitation of a critical Dell RecoverPoint for Virtual Machines flaw (CVE-2026-22769), assessed at CVSS 10.0 and rooted in a hardcoded credential risk. Activity was observed since at least mid-2024 and tied to a China-nexus cluster tracked as UNC6201.
Post-compromise, investigators describe deployment of webshell/backdoor tooling and techniques aimed at staying quiet inside virtual infrastructure, precisely the kind of environment where one control-plane foothold can amplify access across many systems.
Why it matters: Backup/replication and virtualization-adjacent platforms sit in the blast radius of everything. When adversaries get persistence there, the problem is not one server; it’s credential access, snapshot abuse, and lateral movement at scale.
What to do next:
- Treat “virtualization and backup control planes” as Tier-0: fastest patch SLAs, strict admin access, and dedicated monitoring.
- Hunt for unusual admin actions, unexpected network interfaces/routes, and suspicious outbound patterns from management systems.
- If patch + verification capacity is thin, pair vulnerability management with targeted hunting.
Salt Typhoon: FBI says the telecom espionage threat is still ongoing
What happened: U.S. officials continue signaling that Salt Typhoon activity remains live. Reporting from CyberScoop quotes an FBI cyber leader describing the threat as “still very much ongoing,” reinforcing that the telecom compromise problem is not a closed 2024 chapter but an enduring exposure with long-tail risk to public and private sectors.
Why it matters: Telecom-layer access can enable surveillance, metadata exploitation, and downstream targeting: classic national security stakes with broad second-order effects.
What to do next:
- Reduce “quiet persistence” with continuous validation: harden and monitor edge infrastructure, enforce least privilege, and aggressively baseline what “normal” management traffic looks like.
- Make sure DDoS, outages, or “routine” service events don’t become cover for stealthier intrusion steps; tie network events into incident response workflows.
- Many organizations benefit from an IR retainer or on-call escalation path here; it’s less about buying tools and more about being able to prove eradication when adversaries optimize for staying power.
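The RecoverPoint hunt (unexpected interfaces/routes and outbound patterns from management systems) and the Salt Typhoon advice to baseline “normal” management traffic share one mechanic: compare a commissioning-time baseline against a fresh snapshot and flag anything new. The script below is an added illustration, not tooling from Google, CERT Polska, Dell, or the FBI; the host name, interface names, routes, and peers are constructed sample data, and the weighting is an assumption you would tune locally.

```python
"""Baseline-diff hunt for management-plane hosts (added illustration).
Compares a stored baseline of interfaces, routes, and outbound peers per
host against a fresh snapshot and returns scored findings per host."""

# Constructed sample baseline, as captured at commissioning of a management host.
BASELINE = {
    "rp-mgmt-01": {
        "interfaces": {"eth0", "lo"},
        "routes": {"0.0.0.0/0 via 10.10.0.1", "10.10.0.0/24 dev eth0"},
        "outbound_peers": {"10.10.0.5:443", "10.10.0.9:514"},
    },
}

# Constructed current snapshot: in practice, normalise the output of
# `ip -j addr`, `ip route`, and `ss -tn` into this same shape.
SNAPSHOT = {
    "rp-mgmt-01": {
        "interfaces": {"eth0", "lo", "tun7"},
        "routes": {"0.0.0.0/0 via 10.10.0.1", "10.10.0.0/24 dev eth0",
                   "172.16.40.0/24 dev tun7"},
        "outbound_peers": {"10.10.0.5:443", "10.10.0.9:514",
                           "203.0.113.77:8443"},
    },
}

def diff_host(baseline, current):
    """Return {category: sorted new items} for anything absent from the baseline."""
    findings = {}
    for key in ("interfaces", "routes", "outbound_peers"):
        added = current.get(key, set()) - baseline.get(key, set())
        if added:
            findings[key] = sorted(added)
    return findings

def hunt(baseline_all, snapshot_all):
    """Score each host; a new interface or route weighs more than one new peer
    (weights are an assumption for triage ordering, not a published scale)."""
    weights = {"interfaces": 3, "routes": 2, "outbound_peers": 1}
    results = {}
    for host, current in snapshot_all.items():
        findings = diff_host(baseline_all.get(host, {}), current)
        if host not in baseline_all:          # host never baselined: always review
            findings["unbaselined_host"] = [host]
        if findings:
            score = sum(weights.get(k, 3) * len(v) for k, v in findings.items())
            results[host] = {"score": score, "findings": findings}
    return results

if __name__ == "__main__":
    for host, result in sorted(hunt(BASELINE, SNAPSHOT).items()):
        print(host, result["score"], result["findings"])
```

Run it on a nightly snapshot and review hosts in descending score order; the baseline should be re-signed only through the same change process that governs Tier-0 administration.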
