Top stories.
- CISA cracks down on end-of-support edge devices.
- Poland's energy infrastructure lacked basic security measures, CERT Polska says.
- Romania’s oil pipeline operator discloses cyberattack.
- Suspected Chinese hackers hijacked Notepad++ update traffic.
- French police raid X's Paris offices.
CISA cracks down on aging edge devices.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a Binding Operational Directive (BOD 26-02) ordering Federal Civilian Executive Branch (FCEB) agencies to replace end-of-support (EOS) edge devices that no longer receive vendor patches. Agencies must produce an inventory of EOS devices within three months, and replace them within a year. CISA stated, "The imminent threat of exploitation to agency information systems running EOS edge devices is substantial and constant, resulting in a significant threat to federal property. CISA is aware of widespread exploitation campaigns by advanced threat actors targeting EOS edge devices. Recent public reports of campaigns targeting certain vendors highlight actors' attempts to use these devices as a means to pivot into FCEB information system networks."
Separately, CISA warned this week that a critical vulnerability in SolarWinds Web Help Desk is being actively exploited in attacks. The agency ordered FCEB entities to patch the flaw by yesterday, February 6th. The SolarWinds vulnerability (CVE-2025-40551) was disclosed last week and given a CVSS score of 9.8. The flaw is an untrusted data deserialization vulnerability that can lead to unauthenticated remote code execution.
While both directives apply to Federal agencies, other public- and private-sector organizations should follow similar best practices regarding unsupported products and unpatched vulnerabilities.
Poland's energy infrastructure lacked basic security measures, CERT Polska says.
Poland’s Computer Emergency Response Team (CERT Polska) has published a report on a Russian cyberattack that targeted the country's energy infrastructure in December, noting that the compromised systems had extremely poor security measures. The attack compromised wind and solar farms and a heat-and-power plant, though the incident did not result in power disruptions. CERT Polska says the compromised entities demonstrated various security failings, including the use of default usernames and passwords, unpatched perimeter devices, and a lack of multifactor authentication.
TechCrunch notes that researchers at ESET and Dragos have attributed the attack to the Russian GRU threat actor Sandworm, but CERT Polska ties the activity to a separate Russian group tracked as "Berserk Bear" or "Dragonfly." CERT Polska notes, "Public reports of this actor’s activities indicate significant interest in the energy sector and the ability to attack industrial devices, which aligns with the actions observed during the incident. However, this is the first publicly described destructive activity attributed to this cluster."
Romania’s oil pipeline operator discloses cyberattack.
Romania’s national oil pipeline operator, Conpet, has disclosed that a cyberattack disrupted its IT systems earlier this week, The Record reports. The company said the attack did not affect its operational technology (OT) or SCADA systems. Conpet said in a statement on Facebook, "The incident does not affect the operational activity, the stability of the company, or the ability of the entity to fulfill its contractual obligations."
The Record notes that the Qilin ransomware group listed Conpet on its leak site this week, claiming to have stolen a terabyte of data. Conpet's website is still down as of today.
Suspected Chinese hackers hijacked Notepad++ update traffic.
Text and source code editor Notepad++ has disclosed that a suspected Chinese state-sponsored threat actor hijacked the service's update mechanism after compromising its shared hosting provider. The attack "involved infrastructure-level compromise that allowed malicious actors to intercept and redirect update traffic destined for notepad-plus-plus.org." The compromise lasted from June to December 2025. Notepad++ has since moved to a new hosting provider.
Security researcher Kevin Beaumont published a blog post on the activity in December, noting that "highly targeted" attacks compromised "telcos and financial services with interests aligned to China." Beaumont praised Notepad++'s developer for taking the issue seriously.
French police raid X's Paris offices.
French prosecutors raided X's offices in Paris as part of a criminal inquiry into the platform's Grok AI tool, BleepingComputer reports. The investigation was opened in January 2025 over allegations of interference with automated data systems and fraudulent data extraction, then expanded to include Grok's generation of sexually explicit underage deepfakes and Holocaust-denial content. French authorities have also summoned Elon Musk and former CEO Linda Yaccarino for voluntary interviews in April 2026. X has criticized the probe as a politically motivated attack on free speech.
Separately, the UK's Information Commissioner’s Office (ICO) announced this week that it has opened a formal investigation into X and xAI, "covering their processing of personal data in relation to the Grok artificial intelligence system and its potential to produce harmful sexualised image and video content."