This week’s cybersecurity and dark web news stories discuss the UK government investigating a cyberattack, Russian threat actors observed targeting critical infrastructure, and the ransomware attack on Romanian Waters.
UK Government Investigating Hack
Cybersecurity officials are currently investigating a confirmed hack of UK government systems, following an attack in October. Trade Minister Sir Chris Bryant stated that investigations are “ongoing,” with suspicions pointing towards a Chinese-affiliated group.
The incident saw Home Office systems, operated by the Foreign Office, accessed, prompting the National Cyber Security Centre (NCSC) to work with government partners to fully understand the impact. The incident, which may have targeted information including visa details, has been referred to the Information Commissioner’s Office. Sir Chris Bryant downplayed the risk, suggesting the security gap was “closed pretty quickly” and that the risk of individual compromise is “fairly low.”
While a Chinese-affiliated group is suspected, the UK government has not officially named the responsible party, and Sir Chris noted he was “not able to say whether it is directly related to Chinese operatives, or indeed the Chinese state.”
For its part, China has consistently denied backing cyber-attacks against the UK, labeling such accusations as “malicious slander.” The hack adds complexity to the UK’s relationship with China, especially ahead of a planned visit to Beijing by Sir Keir Starmer next year. Sir Keir recently advocated for a more consistent relationship, arguing that a failure to engage with China on issues like trade and technology would be a “dereliction of duty,” while still recognizing the national security threats posed by the nation.
Amazon Uncovers Russian Cyber-Campaign Targeting Western Critical Infrastructure
Amazon’s threat intelligence team has revealed details of a “years-long” Russian state-sponsored cyber-campaign that targeted Western critical infrastructure between 2021 and 2025.
The campaign, attributed with high confidence to Russia’s Main Intelligence Directorate (GRU) and linked to the group APT44 (also known as Sandworm), focused primarily on energy sector organizations and critical infrastructure providers across North America and Europe, as well as entities with cloud-hosted network infrastructure.
The attackers notably shifted their initial access strategy, favoring misconfigured customer network edge devices with exposed management interfaces over traditional N-day and zero-day vulnerability exploitation.
This tactical shift was designed to facilitate large-scale credential harvesting and lateral movement into victim organizations. The intrusion activities specifically targeted devices like enterprise routers, VPN concentrators, network management appliances, and cloud-based platforms.
The campaign’s method involves compromising a network edge device hosted on AWS, using the device’s native packet capture capability to harvest credentials from the traffic passing through it, and then replaying those credentials against the victims’ online services.
This credential replay activity has focused on energy, technology/cloud, and telecom providers. Furthermore, the intrusion set shares infrastructure overlaps with another cluster called “Curly COMrades,” suggesting that the two may represent specialized, complementary operations within a broader GRU objective. Amazon confirmed it identified and notified affected customers and disrupted active threat actor operations.
Organizations are urged to audit network edge devices for unexpected packet capture utilities, implement strong authentication, and monitor for suspicious authentication and credential replay attempts.
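As an added illustration of the monitoring recommendation above (this is example code, not from Amazon’s report or any vendor tool), the following Python detector reads constructed authentication log lines and flags a successful login from a source address the account has never used before, arriving shortly after a success from a known source. That is the pattern a credential harvested on an edge device and replayed from attacker infrastructure tends to leave behind. The log format, field names and addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not real data).
# alice's 08:09 login comes from an address never seen for her, only
# minutes after a success from her usual address: a replay candidate.
SAMPLE_LOG = """\
2025-03-01T08:00:12Z user=alice src=198.51.100.7 result=success service=vpn
2025-03-01T08:05:40Z user=alice src=198.51.100.7 result=success service=webmail
2025-03-01T08:09:03Z user=alice src=203.0.113.44 result=success service=webmail
2025-03-01T09:30:00Z user=bob src=198.51.100.9 result=failure service=vpn
2025-03-01T09:30:05Z user=bob src=198.51.100.9 result=success service=vpn
2025-03-02T11:00:00Z user=bob src=192.0.2.200 result=success service=vpn
"""

# Assumed key=value log format; adapt the pattern to the real source.
LINE_RE = re.compile(r"(\S+) user=(\S+) src=(\S+) result=(\S+) service=(\S+)")


def parse(log_text):
    """Turn log lines into event dicts with a parsed UTC timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts, user, src, result, service = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "src": src,
                       "result": result, "service": service})
    return events


def find_replay_candidates(events, window=timedelta(minutes=30)):
    """Return (user, known_src, new_src, service, ts) for each success from
    a never-before-seen source within `window` of the user's last success
    from a different source. Failures are ignored; only successes count."""
    known = defaultdict(set)  # user -> source addresses seen so far
    last_success = {}         # user -> (timestamp, src) of latest success
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        user, src, ts = e["user"], e["src"], e["ts"]
        prev = last_success.get(user)
        if prev and src not in known[user] and ts - prev[0] <= window:
            alerts.append((user, prev[1], src, e["service"], ts))
        known[user].add(src)
        last_success[user] = (ts, src)
    return alerts
```

In production the "known source" set should be seeded from weeks of history rather than built from the same log window, otherwise every user's first login of the day looks new.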
Ransomware Attack Strikes Romanian Water Management, Compromising 1,000 Systems
Romania’s water management administration, Administrația Națională Apele Române (Romanian Waters), has confirmed a major ransomware attack that compromised approximately 1,000 systems, with remediation work ongoing. The affected systems include geographical information system servers, database servers, Windows workstations and servers, as well as email, web, and domain name servers, leaving the organization’s website offline. Romanian Waters, which oversees the country’s water infrastructure, including dams and drinking water supplies, reports that its operational capabilities remain unaffected, with hydrotechnical operations continuing as normal, managed locally by on-site staff. The attack, which began on December 20, also spread to ten of the country’s 11 river basin management organizations.
The Romanian National Cyber Security Directorate (DNSC) confirmed that files were encrypted and ransom notes were left, demanding negotiations within seven days. However, the DNSC strongly advises against contacting or negotiating with the attackers. Notably, the DNSC stated that the attackers abused Windows’ built-in BitLocker to encrypt files, suggesting the incident may not be the work of a known ransomware group’s payload. The DNSC also stated that Romanian Waters’ network was not protected by Romania’s critical national infrastructure safeguarding system, but steps are now underway to integrate it into that system for enhanced cyber protection. This attack is the latest in a series of similar incidents affecting water administrations in Western countries, highlighting the growing concern over cyber threats to critical national infrastructure.