Network devices in at least one Norwegian organization
February 5, 2026
•[ state-sponsored espionage, network device compromise, telecom ]
The Record reported that Norway’s Police Security Service (PST) disclosed that the Chinese state-sponsored espionage campaign tracked as Salt Typhoon compromised network devices in Norwegian organizations. PST made the disclosure in its 2026 annual threat assessment and said the actor exploited vulnerable network devices, consistent with a broader telecom/critical infrastructure espionage focus described by allied authorities. The article does not identify specific victim organizations or provide incident-level dates/effects for one named target, so it is best treated as campaign-level reporting rather than a single victim event record.
Conpet
February 4, 2026
•[ cyberattack, ransomware, data breach ]
Romania’s national oil pipeline operator Conpet said a cyberattack disrupted parts of its technology infrastructure and knocked its website offline earlier in the week, while operational technology systems (including SCADA and telecoms) remained functional and oil transport operations were not affected. Conpet did not confirm a data breach or name the attacker, but the Qilin ransomware group listed Conpet on its leak site and claimed to have stolen nearly one terabyte of data, publishing images of alleged internal documents, financial records, and passport scans. Conpet said it took immediate mitigation steps, worked with national cybersecurity authorities, and filed a criminal complaint.
Venezuelan Power Grid
January 3, 2026
•[ cyber-physical disruption, critical infrastructure, state-led operation ]
Reporting described a U.S. cyber operation on January 3, 2026 that allegedly plunged parts of Venezuela’s capital into darkness by disrupting electric power systems and also interfered with military air-defense radar as part of a broader U.S. raid/capture operation. Sources cited in public reporting characterized it as a high-visibility use of offensive cyber capabilities designed to create a temporary but precise disruption window, including the ability to restore systems afterward. The incident is best coded as a state-led cyber-physical disruption targeting critical infrastructure and defense-related systems in support of an operational objective; public reporting did not provide victim counts, exact affected assets, or detailed dwell time.
Undisclosed Poland distributed energy facilities
December 29, 2025
•[ cyberattack, OT security, critical infrastructure ]
Coordinated cyberattack targeted distributed energy sites in Poland, compromising OT control and communications systems at roughly 30 facilities and damaging some equipment beyond repair, but failing to disrupt electricity supply.
Romanian Waters (Administrația Națională Apele Române)
December 20, 2025
•[ ransomware, IT disruption, critical infrastructure ]
Romania’s national water authority, Romanian Waters, suffered a ransomware incident that began on December 20, 2025 and disrupted IT services across the organization. Romania’s National Cyber Security Directorate (DNSC) reported the event affected approximately 1,000 computer systems, including workstations, email services, and web servers, and spread from the main office to 10 of 11 regional river management branches. The disruption took down key digital tools such as domain services and GIS mapping, and the agency’s public website remained offline while updates were shared through other channels. Authorities stated that operational technology supporting dams and flood defenses remained safe and that field staff continued critical functions manually.
Meat processing facility in Los Angeles
December 12, 2025
•[ spearphishing, vulnerability exploitation, critical infrastructure ]
This article reports on a DOJ/CISA warning and related indictments about Russia-linked cyber actors targeting U.S. critical infrastructure, including techniques like spearphishing and exploiting known vulnerabilities.
At least one drinking water supplier in Britain
November 3, 2025
•[ cyberattack, critical infrastructure, ransomware ]
A Recorded Future News investigation based on freedom-of-information disclosures from the UK Drinking Water Inspectorate found that five cyberattacks have been reported against Britain’s drinking water suppliers since the start of 2024, a record number over two years. The incidents, which affected out-of-NIS-scope IT systems rather than the operational technology delivering safe water, were shared with the regulator as resilience risks even though they did not trigger mandatory reporting thresholds. The findings highlight growing concern in British intelligence circles about ransomware and other attacks on critical infrastructure and are feeding into a planned Cyber Security and Resilience Bill to strengthen reporting and defences across essential services.
Australian Treasury Department
November 1, 2025
•[ cyber espionage, phishing, Shadow Campaigns ]
BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during Nov-Dec 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard)
An undisclosed critical infrastructure company in Zambia
November 1, 2025
•[ espionage, phishing, vulnerability exploitation ]
BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during Nov-Dec 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard), but it does not provide a single discrete victim organization record with a specific primary effect suitable for one CED event entry.
Svenska Kraftnät
October 25, 2025
•[ ransomware, data breach, critical infrastructure ]
Sweden’s national power grid operator Svenska Kraftnät experienced a data breach on October 25, 2025, when ransomware group Everest accessed an external file-transfer system and claimed to have stolen roughly 280 GB of data. Electricity transmission operations were not affected.
Canadian water facility
October 1, 2025
•[ hacktivism, critical infrastructure, industrial control system ]
Hacktivists tampered with water-pressure valves at a Canadian water facility, degrading water service to the local community; actions intended to draw attention to activist causes.
Undisclosed Canadian electric utility
July 29, 2025
•[ cyberattack, service disruption, critical infrastructure ]
Canadian utility reported a cyberattack that disrupted smart/power meters and required onsite remediation to restore accurate billing and service.
POST Luxembourg (national telecommunications infrastructure)
July 23, 2025
•[ cyberattack, outage, critical infrastructure ]
Cyberattack targeting Huawei telecommunications equipment caused a nationwide outage of 4G and 5G mobile networks in Luxembourg, disrupting emergency services, internet access, and electronic transactions for several hours.
Undisclosed Ukrainian Energy Organization
June 6, 2025
•[ malware, apt, data destruction ]
PathWiper malware associated with a pro-Russian APT destroyed data at an undisclosed Ukrainian energy organization on June 6, 2025; Cisco Talos and CERT-UA confirmed data destruction; no data theft reported.
At least one government agency or state-owned enterprise in Southeast Asia
April 10, 2025
•[ data leak, espionage, government ]
The Record, citing Symantec’s Threat Hunter Team, reported that the China-linked APT group Billbug (also known as Thrip and Lotus Blossom) compromised multiple government and critical infrastructure organizations in a Southeast Asian country in April 2025. The campaign involved exploitation of legitimate digital certificates and living-off-the-land tools to exfiltrate sensitive documents from government and military networks. No encryption or disruption was reported, and the activity is assessed as political espionage conducted under China’s Ministry of State Security.
Undisclosed Ukrainian critical infrastructure organization
April 1, 2025
•[ malware, data exfiltration, wiper ]
The FSB’s 18th Center for Information Security (Gamaredon) deployed PathWiper malware against an undisclosed Ukrainian critical-infrastructure operator in early April 2025, exfiltrating large volumes of operational data before executing a destructive wiper that caused temporary service degradation.
Refinadora Costarricense de Petróleo
November 27, 2024
•[ ransomware, energy, critical infrastructure ]
Refinadora Costarricense de Petróleo (RECOPE), the state-owned energy provider for Costa Rica, is hit with a ransomware attack, requiring the company to shift to manual operations and call in help from abroad.
Cyprus’ critical infrastructure and government websites
October 18, 2024
•[ cyberattacks, pro-Palestine hacker groups, critical infrastructure ]
Cyprus’ critical infrastructure and government websites are targeted in a series of coordinated cyberattacks claimed by several pro-Palestine hacker groups.
Danish Water Utility
January 6, 2024
•[ cyberattack, state-sponsored, critical infrastructure ]
Danish authorities stated that Russia carried out a destructive and disruptive cyberattack against a Danish water utility in 2024. Reporting cited by Danish media said the incident involved manipulation of pump pressure, which caused pipes to burst and left some homes temporarily without water. The public reporting did not name the utility or provide precise dates beyond year-level timing.