Port of Vigo
March 24, 2026
•[ ransomware, critical infrastructure, logistics ]
A ransomware attack disrupted digital systems at Spain's Port of Vigo, affecting servers used for cargo traffic and other services, locking some equipment, and forcing parts of the port's logistics coordination to shift to manual procedures.
Neukölln district heating plant
March 20, 2026
•[ ransomware, internal IT systems, accounting ]
Berlin police confirmed a ransomware attack against the Neukölln district heating plant that had been known since March 20, 2026; reporting said internal IT systems including accounting and internal communications were affected, while technical systems and heat supply remained unaffected.
Iranian energy and aviation infrastructure
March 2, 2026
•[ DDoS, wipers, intrusions ]
This SecurityWeek link is an overview/analysis of cyber activity during escalating US-Israel-Iran conflict, describing multiple incidents (e.g., DDoS, wipers, claims of intrusions) by different actors across different targets. It does not describe one discrete cyberattack against a single clearly identified victim with a bounded timeline and measurable primary effects suitable for a single incident record.
Network devices in at least one Norwegian organization
February 5, 2026
•[ state-sponsored espionage, network device compromise, telecom ]
The Record reported that Norway's Police Security Service (PST) disclosed that the Chinese state-sponsored espionage campaign tracked as Salt Typhoon compromised network devices in Norwegian organizations. PST made the disclosure in its 2026 annual threat assessment and said the actor exploited vulnerable network devices, consistent with a broader telecom/critical infrastructure espionage focus described by allied authorities. The article does not identify specific victim organizations or provide incident-level dates/effects for one named target, so it is best treated as campaign-level reporting rather than a single victim event record.
Conpet
February 4, 2026
•[ cyberattack, ransomware, data breach ]
Romania's national oil pipeline operator Conpet said a cyberattack disrupted parts of its technology infrastructure and knocked its website offline earlier in the week, while operational technology systems (including SCADA and telecoms) remained functional and oil transport operations were not affected. Conpet did not confirm a data breach or name the attacker, but the Qilin ransomware group listed Conpet on its leak site and claimed to have stolen nearly one terabyte of data, publishing images of alleged internal documents, financial records, and passport scans. Conpet said it took immediate mitigation steps, worked with national cybersecurity authorities, and filed a criminal complaint.
Venezuelan Power Grid
January 3, 2026
•[ cyber-physical disruption, critical infrastructure, state-led operation ]
Reporting described a U.S. cyber operation on January 3, 2026 that allegedly plunged parts of Venezuela's capital into darkness by disrupting electric power systems and also interfered with military air-defense radar as part of a broader U.S. raid/capture operation. Sources cited in public reporting characterized it as a high-visibility use of offensive cyber capabilities designed to create a temporary but precise disruption window, including the ability to restore systems afterward. The incident is best coded as a state-led cyber-physical disruption targeting critical infrastructure and defense-related systems in support of an operational objective; public reporting did not provide victim counts, exact affected assets, or detailed dwell time.
Undisclosed Poland distributed energy facilities
December 29, 2025
•[ cyberattack, OT security, critical infrastructure ]
A coordinated cyberattack targeted distributed energy sites in Poland, compromising OT control and communications systems at roughly 30 facilities and damaging some equipment beyond repair, but failing to disrupt electricity supply.
Romanian Waters (Administrația Națională Apele Române)
December 20, 2025
•[ ransomware, IT disruption, critical infrastructure ]
Romania's national water authority, Romanian Waters, suffered a ransomware incident that began on December 20, 2025 and disrupted IT services across the organization. Romania's National Cyber Security Directorate (DNSC) reported the event affected approximately 1,000 computer systems, including workstations, email services, and web servers, and spread from the main office to 10 of 11 regional river management branches. The disruption took down key digital tools such as domain services and GIS mapping, and the agency's public website remained offline while updates were shared through other channels. Authorities stated that operational technology supporting dams and flood defenses remained safe and that field staff continued critical functions manually.
Meat processing facility in Los Angeles
December 12, 2025
•[ spearphishing, vulnerability exploitation, critical infrastructure ]
This article reports on a DOJ/CISA warning and related indictments about Russia-linked cyber actors targeting U.S. critical infrastructure, including techniques like spearphishing and exploiting known vulnerabilities.
At least one drinking water supplier in Britain
November 3, 2025
•[ cyberattack, critical infrastructure, ransomware ]
A Recorded Future News investigation based on freedom-of-information disclosures from the UK Drinking Water Inspectorate found that five cyberattacks have been reported against Britain's drinking water suppliers since the start of 2024, a record number over two years. The incidents, which affected out-of-NIS-scope IT systems rather than the operational technology delivering safe water, were shared with the regulator as resilience risks even though they did not trigger mandatory reporting thresholds. The findings highlight growing concern in British intelligence circles about ransomware and other attacks on critical infrastructure and are feeding into a planned Cyber Security and Resilience Bill to strengthen reporting and defences across essential services.
Australian Treasury Department
November 1, 2025
•[ cyber espionage, phishing, Shadow Campaigns ]
BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during Nov-Dec 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard)
An undisclosed critical infrastructure company in Zambia
November 1, 2025
•[ espionage, phishing, vulnerability exploitation ]
BleepingComputer summarized Unit 42 research on a state-aligned espionage group tracked as TGR-STA-1030/UNC6619 conducting global operations dubbed Shadow Campaigns. The report said the actor compromised at least 70 government and critical infrastructure organizations across 37 countries and conducted reconnaissance activity targeting government entities connected to 155 countries during Nov-Dec 2025. The article describes initial access via tailored phishing (Mega-hosted archives) and exploitation of multiple known vulnerabilities, use of webshells and tunneling tools, and a custom Linux eBPF rootkit (ShadowGuard), but it does not provide a single discrete victim organization record with a specific primary effect suitable for one CED event entry.
Svenska Kraftnät
October 25, 2025
•[ ransomware, data breach, critical infrastructure ]
Sweden's national power grid operator Svenska Kraftnät experienced a data breach on October 25, 2025, when ransomware group Everest accessed an external file-transfer system and claimed to have stolen roughly 280 GB of data. Electricity transmission operations were not affected.
Canadian water facility
October 1, 2025
•[ hacktivism, critical infrastructure, industrial control system ]
Hacktivists tampered with water-pressure valves at a Canadian water facility, degrading water service to the local community; actions intended to draw attention to activist causes.
Sewage treatment plant in Witków
August 19, 2025
•[ industrial control systems, hacktivism, operational disruption ]
Russian hacktivists allegedly manipulated industrial control systems at the sewage treatment plant in Witków, with video evidence and analyst review indicating operational disruption to plant processes.
Sewage treatment plant in Kunica
August 19, 2025
•[ industrial control systems, hacktivism, operational disruption ]
Russian hacktivists allegedly interfered with industrial control systems at the sewage treatment plant in Kunica, and publicly released video that Polish analysts assessed as showing real operational disruption.
Polish hydropower plant in Tczew in May 2025
August 19, 2025
•[ hacktivism, critical infrastructure, operational disruption ]
Russian hacktivists allegedly targeted a hydropower plant in Tczew in May 2025, but reporting suggests the facility may have been offline at the time, limiting evidence of meaningful operational disruption.
Polish hydropower plant in Tczew in August 2025
August 19, 2025
•[ hacktivism, industrial control systems, critical infrastructure ]
Russian hacktivists allegedly targeted a hydropower plant in Tczew in August 2025, releasing video evidence that Polish analysts said showed disruption to control systems and turbine operations.
Szczytno water treatment plant
August 12, 2025
•[ hacktivism, industrial control systems, critical infrastructure ]
CyberDefence24 reported pro-Russian hacktivists published another recording on Aug. 12, 2025 from the same Polish hydroelectric plant previously referenced in early July 2025 reporting. The outlet said the new video suggested the attackers accessed the control panel while the plant was operating (generator/rotor turning and current visible) and that this represented a more serious incident than the earlier case where the plant appeared off. The report stated attackers did not appear to have full control of the infrastructure, but the incident indicates unauthorized access to industrial control interfaces and potential cyber-physical risk.