Intelligence agencies warn of Russian hacktivists targeting critical infrastructure.

Summary

By the CyberWire staff

Intelligence agencies warn of Russian hacktivists targeting critical infrastructure.

The US intelligence community and its international partners from thirteen countries have issued an advisory warning of pro-Russian hacktivist groups targeting critical infrastructure. The threat actors, including the Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16, are "capitalizing on the widespread prevalence of accessible VNC devices to execute attacks against critical infrastructure entities, resulting in varying degrees of impact, including physical damage." The hackers are targeting water and wastewater systems, food and agriculture entities, and the energy sector.

The advisory notes, "These groups have limited capabilities, frequently misunderstanding the processes they aim to disrupt. Their apparent low level of technical knowledge results in haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact. Despite these limitations, the authoring organizations have observed these groups willfully cause actual harm to vulnerable critical infrastructure."

Control what runs in your environment. Reduce your attack surface.

ThreatLocker helps organizations reduce risk by allowing trusted applications to run while limiting their access to only the resources they need. It’s a straightforward, default deny approach that gives you more control and visibility—without slowing down operations. Explore how ThreatLocker can help simplify your security strategy.

North Korean threat actors target React2Shell.

Sysdig warns that North Korean threat actors are using new malware in attacks targeting the recently disclosed React2Shell vulnerability (CVE-2025-55182) affecting React Server Components, SC Media reports. The malware, dubbed "EtherRAT," uses "Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and downloads its own Node.js runtime from nodejs.org."

The researchers explain, "EtherRAT represents a significant evolution in React2Shell exploitation, moving beyond opportunistic cryptomining and credential theft toward persistent, stealthy access designed for long-term operations. The combination of blockchain-based C2, aggressive multi-vector persistence, and a payload update mechanism demonstrates a level of sophistication not previously observed in React2Shell payloads."

Humans Are Not the Weakest Link. Guess who FAIls?

Humans have been labeled the weakest link for ages. But this year showed how easily both humans and AI can be manipulated. In this session, Cato CTRL experts reveal real attacks from the wild where adversaries steered people and AI systems into harmful actions using simple prompts and inputs. The session reframes how you should think about AI risk and what to do when machines start making the mistakes, so register to join us.

IBM fixes over a hundred vulnerabilities.

IBM has issued fixes for more than 100 vulnerabilities across its products, most of which affected third-party dependencies, SecurityWeek reports. The company patched six critical flaws in Storage Defender, one critical vulnerability in IBM Guardium Data Protection's implementation of the Apache Tomcat server, and another critical bug in the form-data library used in Maximo Application Suite.

Other less-severe flaws were fixed in Content Collector, DataPower Operations Dashboard, License Metric Tool, Planning Analytics, Watsonx Subscription, InfoSphere Information Server, StreamSets, and Db2 for Linux, UNIX, and Windows.

Notes.

Today's issue includes events affecting the Democratic People's Republic of Korea, Russia, and the United States.

Attacks, Threats, and Vulnerabilities

Thousands of Exposed Secrets Found on Docker Hub, Putting Organizations at Risk (Flare) More than 10,000 Docker Hub images contained leaked secrets (including live credentials to production systems) found in just one month of scanning

Trends

DryRun Security Finds Over 80% of Large Language Model Application Risks Go Undetected by Traditional Code Scanners (GlobeNewswire News Room) DryRun Security's analysis of the OWASP Top 10 App Risks finds that over 80% of LLM app risks go undetected by traditional code scanners. ...

Litigation, Investigation, and Law Enforcement

US charges former Accenture employee with misleading feds on cloud platform’s security (Nextgov.com) Danielle Hillmer, most recently employed with SentinelOne, allegedly concealed a cloud product’s noncompliance with federal security regulations.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Newly Noted Events

Wild West Hackin’ Fest @ Mile High 2026 (Denver, Colorado, USA, Feb 11 - 13, 2026) More than just a conference, Wild West Hackin’ Fest (WWHF) is committed to offering high quality information security education to beginners and seasoned professionals alike. With reasonably priced training, conferences, hands-on labs, and workshops, WWHF lowers the barrier to entry for those seeking to enter into the world of information security. WWHF also offers a venue for those already established in the industry to share ideas, give back, and continue learning.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 12.11.25

Top stories.

Intelligence agencies warn of Russian hacktivists targeting critical infrastructure.

North Korean threat actors target React2Shell.

IBM fixes over a hundred vulnerabilities.

Notes.

Attacks, Threats, and Vulnerabilities

Trends

Litigation, Investigation, and Law Enforcement

Newly Noted Events