Emerging Threats and Vulnerabilities in Government and Critical Infrastructure Systems
Introduction
Today’s cybersecurity news highlights evolving tactics in state-sponsored cyber espionage and ongoing risks in industrial control systems. From sophisticated implants targeting government networks to actively exploited vulnerabilities in critical infrastructure software, security teams and business leaders must remain vigilant against these diverse threats.
State-Sponsored Cyber Espionage: Tomiris Group’s New Tactics
Shift to Public-Service Implants
The threat actor known as Tomiris has recently been linked to attacks on foreign ministries, intergovernmental organisations, and government entities within Russia. The group is increasingly using implants that abuse public communication services such as Telegram and Discord as transport, establishing command-and-control (C2) channels that are harder to distinguish from legitimate use of those platforms.
This shift is significant because leveraging popular public platforms allows attackers to blend malicious traffic with legitimate communications, making detection and attribution much more challenging. Government agencies and cybersecurity teams need to account for these covert methods when monitoring network traffic and designing detection strategies.
The primary risk lies in the ability of Tomiris to maintain persistent remote access and deploy additional tools without raising immediate suspicion, potentially leading to prolonged espionage campaigns and data exfiltration.
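One way a detection team can act on this is to look for hosts that poll bot or webhook API endpoints on these platforms at a fixed period, which is how an implant behaves and how a human chat client does not. The Python below is an added example, not code from the article or from any Tomiris analysis; the proxy log lines are constructed, and the hostnames and endpoint paths used as indicators are assumptions rather than reported indicators.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Constructed proxy log lines (not from any real incident): time, source host, method, URL.
SAMPLE_LOG = """\
2024-05-01T09:00:02 fileserver-01 POST https://api.telegram.org/botPLACEHOLDER/getUpdates
2024-05-01T09:01:02 fileserver-01 POST https://api.telegram.org/botPLACEHOLDER/getUpdates
2024-05-01T09:02:01 fileserver-01 POST https://api.telegram.org/botPLACEHOLDER/getUpdates
2024-05-01T09:03:03 fileserver-01 POST https://api.telegram.org/botPLACEHOLDER/getUpdates
2024-05-01T09:04:02 fileserver-01 POST https://api.telegram.org/botPLACEHOLDER/getUpdates
2024-05-01T09:05:40 ws-hr-07 GET https://discord.com/api/v9/users/@me
2024-05-01T10:02:11 build-03 POST https://discord.com/api/webhooks/123/abc
2024-05-01T10:32:11 build-03 POST https://discord.com/api/webhooks/123/abc
2024-05-01T11:02:12 build-03 POST https://discord.com/api/webhooks/123/abc
2024-05-01T11:32:11 build-03 POST https://discord.com/api/webhooks/123/abc
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) https?://([^/\s]+)(/\S*)?$")

def is_bot_api(host, path):
    """Programmatic bot/webhook endpoints a human chat client does not normally hit (assumed indicators)."""
    return (host == "api.telegram.org" and path.startswith("/bot")) or \
           (host == "discord.com" and path.startswith("/api/webhooks/"))

def bot_api_events(log_text):
    """Group bot-API request times by (source host, destination host)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, _method, host, path = m.groups()
            if is_bot_api(host, path or "/"):
                events[(src, host)].append(datetime.fromisoformat(ts))
    return events

def interval_cv(times, min_requests=4):
    """Coefficient of variation of the gaps between requests; near 0 means a fixed-period beacon."""
    if len(times) < min_requests:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None

def find_suspected_c2(log_text, max_cv=0.2):
    """Flag (src, dst) pairs that poll a bot/webhook API on a regular schedule."""
    findings = []
    for (src, host), times in bot_api_events(log_text).items():
        cv = interval_cv(sorted(times))
        if cv is not None and cv <= max_cv:
            findings.append({"src": src, "dst": host, "requests": len(times), "interval_cv": round(cv, 3)})
    return findings
```

The workstation using the normal Discord client is not flagged, but build-03 is, even though a CI notification webhook behaves exactly the same way; known integrations therefore need an allow-list before a rule like this goes into production.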
Vulnerabilities in Critical Infrastructure Software: CISA Updates KEV Catalog
Actively Exploited XSS Vulnerability in OpenPLC ScadaBR
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-26829, a cross-site scripting (XSS) vulnerability, to its Known Exploited Vulnerabilities (KEV) catalog. This flaw affects both Windows and Linux versions of OpenPLC ScadaBR, an open-source industrial control system (ICS) platform.
Despite being discovered some time ago, recent evidence shows active exploitation attempts targeting this vulnerability. The CVSS score of 5.4 indicates a moderate level of severity, but within the context of ICS environments, even such vulnerabilities can have outsized consequences, potentially disrupting critical infrastructure operations.
Security teams managing ICS environments should prioritise patching and mitigating this vulnerability promptly. This incident underscores the persistent risk posed by known vulnerabilities in operational technology (OT) systems and the importance of integrating vulnerability intelligence into ICS security programmes.
Connecting the Dots: Stealth and Persistence Across Threat Landscapes
Both stories emphasise a common theme: attackers are evolving their techniques to maintain stealth and persistence. Tomiris’s use of public-service implants mirrors a broader trend where threat actors exploit widely trusted platforms to evade detection, while the exploitation of known vulnerabilities in critical infrastructure highlights ongoing challenges in patch management and vulnerability prioritisation.
For organisations, these developments reinforce the need for a layered defence approach combining network monitoring, threat intelligence, timely patching, and awareness of emerging attacker methodologies.
Key Takeaways
- The Tomiris threat actor now uses public communication platforms like Telegram and Discord to conduct stealthy command-and-control operations against government targets.
- Leveraging popular public services for implants complicates detection and necessitates enhanced network traffic analysis.
- CISA’s addition of CVE-2021-26829 to the KEV catalog signals active exploitation of a moderate severity XSS flaw in OpenPLC ScadaBR, critical for industrial control system security.
- Known vulnerabilities in operational technology systems remain a significant risk that requires prompt patching and ongoing vigilance.
- Both stories highlight the evolving tactics of attackers to maintain persistence and evade traditional security controls.
- Organisations should adopt comprehensive security strategies that include monitoring, threat intelligence, and proactive vulnerability management to defend against these threats.