REPORT ON THE CYBER ATTACK AGAINST THE POLAND ELECTRICITY GRID
This attack, already documented in this Newsletter, occurred at the very end of 2025, good timing for attackers. Reports on it have been provided in particular by the Polish CERT and the French ANSSI. What stands out: a combination of several simultaneous attacks; the use of poorly protected devices as entry points into the wider IT system; and an attempt to trigger the massive destruction of data, with the objective of long-lasting disruption. It is obvious that such attacks, in which Russian services are suspected, will be repeated. For such key infrastructures, security measures should be executed quickly: isolation of the different parts of the IT system so that an infection cannot spread, inventory and removal of weak points, and enforcement of strong access credentials.
MORE ON THE ATTACK AGAINST STRYKER
This Newsletter recently described the attack that targeted a major supplier of connected health equipment. It now appears that the attackers succeeded in compromising an administrator's access to Microsoft Intune, the platform used to manage all the equipment, and wiped out the data. Once again, an attack on a single weak point can trigger a major disaster.
McKINSEY GEN AI SYSTEM FOUND VULNERABLE
Lilli, the generative AI platform designed and used by the McKinsey group, was compromised rather easily by an AI agent during a vulnerability test. It seems that the agent then accessed millions of internal data items and messages. McKinsey says that, following this test, the vulnerabilities were quickly fixed.
AIKIDO EXPOSES NEW EVASIVE INFILTRATION TECHNIQUES
GlassWorm is another hacking campaign with a particular feature: the attackers insert "invisible" code instructions into legitimate software, with the aim of opening backdoors that are later used to infiltrate an IT system. While the technique itself is not brand new, the new campaign seems to be driven by automation relying on heavy use of LLM capabilities. Aikido, a Belgian code-verification vendor also well known to the ECA, says: "The malicious injections in 151 distinct repositories are accompanied by changes in coverage that are stylistically consistent with each targeted project: version increments, minor fixes, documentation tweaks that mimic the contribution style specific to each codebase. Customization at this scale exceeds what a human operator could manually produce. Aikido Security concludes that LLMs were likely used to generate these coverage commits."
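A defender's first line against "invisible" code instructions is to refuse them at review time. The scanner below is an added example, not Aikido's tooling or anything from the GlassWorm reports; it assumes that "invisible" means non-printing Unicode characters (zero-width characters, bidirectional controls, tag characters, variation selectors) that most editors render as nothing, and it flags every such character with its line, column and Unicode name. The sample source text is constructed for the example. A byte-order mark as the very first character of a file is treated as legitimate, since many tools emit one.

```python
"""Flag invisible / format Unicode characters in source text.

Added example (assumption: hidden code is carried by non-printing Unicode
characters). Meant to run in CI or as a pre-commit hook over changed files.
"""
import unicodedata
from pathlib import Path

# General category "Cf" (format) covers zero-width space/joiners, bidi
# controls such as U+202E, the byte-order mark and the U+E0000 tag block.
_FORMAT_CATEGORIES = {"Cf"}

# Characters outside "Cf" that still render as nothing or as a blank.
_EXTRA_RANGES = [
    (0xFE00, 0xFE0F),     # variation selectors (category Mn)
    (0xE0100, 0xE01EF),   # variation selectors supplement (category Mn)
    (0x2800, 0x2800),     # braille pattern blank, looks like a space
]

_ALLOWED = {"\t", "\n", "\r"}   # ordinary whitespace is fine


def is_invisible(ch):
    """True if the character would be invisible to a human reviewer."""
    if ch in _ALLOWED:
        return False
    if unicodedata.category(ch) in _FORMAT_CATEGORIES:
        return True
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in _EXTRA_RANGES)


def find_invisible(text):
    """Return [(line, column, 'U+XXXX', unicode_name), ...] for the text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            # A BOM at the very start of the file is common and harmless.
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            if is_invisible(ch):
                findings.append(
                    (lineno, col, f"U+{ord(ch):04X}",
                     unicodedata.name(ch, "<unnamed>"))
                )
    return findings


def scan_files(paths):
    """Scan each path; returns {path: findings} for files with hits only."""
    results = {}
    for p in paths:
        text = Path(p).read_text(encoding="utf-8", errors="replace")
        hits = find_invisible(text)
        if hits:
            results[str(p)] = hits
    return results


# Constructed sample: a plausible-looking JavaScript module with a zero-width
# space, two tag characters and a variation selector hidden inside it.
SAMPLE_SOURCE = (
    "export function greet(name) {\n"
    '  return "hello " + name;\u200b\n'
    "}\n"
    'const tag = "\U000E0041\U000E0042";\n'
    'const s = "a\ufe0f";\n'
)

if __name__ == "__main__":
    for lineno, col, cp, name in find_invisible(SAMPLE_SOURCE):
        print(f"line {lineno} col {col}: {cp} {name}")
```

Running the module on the sample prints four hits. In CI, a non-empty result from `scan_files` on the files touched by a pull request is a reasonable reason to block the merge until a human has looked at the characters in question; the check is cheap and catches the hidden text regardless of which language the repository uses.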
HACKERS EXPOSED
The EU Council has decided to ban three aggressive cyber actors: two Chinese, Integrity Technology Group and Anxun Information Technology (alias i-Soon), and one Iranian, Emennet Pasargad. i-Soon has also been taken down in the USA, where 12 affiliates are being prosecuted. The Chinese companies are indicted for compromising endpoints and stealing data on behalf of the Chinese services. The Iranian one stole data and infiltrated the media to spread false information.
AND OTHERS TOPPLED
Heard of AISURU, KIMWOLF, JACKSID, MOSSAD (not the Israeli service!)? These are the names of the controllers of worldwide malicious botnets used to launch DDoS campaigns. The four have been dismantled by an internationally coordinated police operation, with the USA (Alaska), Germany and Canada leading.
CONSOLIDATION
MEMORY, a French vendor of identity and access management delivered in SaaS mode, will take over the IS ZYGON, a specialist in detecting unmanaged applications in use and in identity usage analysis. The objective is to make better use of AI in identity governance and access control.
NIS2 PREPARATION
Though the EU NIS2 directive has still not been transposed into French law, ANSSI has published a report on how to implement the rules. Gérôme Billois, the well-known head of cybersecurity at Wavestone, took part in drafting the report; he comments (credit: his post on LinkedIn):
What does it contain? 20 security objectives, and a clear distinction of requirements between important entities (IE) and essential entities (EE). It’s the basis given the differences in sensitivity. The first 15 objectives apply to everyone, the last 5 (risk-based approach, audit, hardening, dedicated administration, supervision) are reserved for EEs.
What I particularly like about the approach is the fact that there is a ‘security objective’ to explain what we want to do and ‘acceptable means of compliance’, in short a guide on what needs to be done, precise but not mandatory in order not to fall into mindless compliance.
Note that there are still "ambitious" measures such as third-party management (ecosystem mapping, contractual requirements, periodic verification…), mandatory inventories and full patch application, IT system segmentation, continuity mechanisms, or dedicated administration platforms. Especially since the scope of NIS2 is the entire IT system (well, almost, there is an exclusion mechanism for systems that present no risk in availability, confidentiality, and integrity… you'll have to look for them and the justification must be substantiated).