Nation-State Wiper Malware and SSO Vishing Attacks: Two Threats Demanding Immediate Action in 2026

Within 48 hours, the tech news cycle delivered a stark reminder that cybersecurity threats are evolving on two fronts simultaneously: nation-state actors targeting critical infrastructure and financially motivated groups exploiting identity systems with unprecedented sophistication. Recognizing these recent threats highlights the vital role security leaders play in safeguarding assets and should prompt proactive measures.

The Week That Was: Two Major Campaigns Expose Critical Gaps

DynoWiper: Sandworm Returns to Target NATO Ally Infrastructure

On January 25, 2026, ESET researchers publicly attributed a late-December cyberattack on Poland's power grid to Sandworm, the Russian GRU-affiliated threat group responsible for the first-ever malware-caused blackout in Ukraine a decade ago. The attack deployed a new destructive wiper malware dubbed DynoWiper against multiple Polish energy entities, including heat-and-power plants and renewable energy management systems.

Polish authorities have stated that, if successful, the attack could have cut power to 500,000 people in Poland. While the attack was ultimately thwarted, the operation is described as "unprecedented" in Poland, as past cyberattacks targeting the country were neither disruptive in nature nor intended to be.

The timing was deliberate. The coordinated attack occurred on the 10th anniversary of the Sandworm-orchestrated attack against the Ukrainian power grid, which resulted in the first-ever malware-facilitated blackout.

ShinyHunters: Voice Phishing at Enterprise Scale

Simultaneously, the ShinyHunters extortion gang has confirmed responsibility for an ongoing campaign targeting single sign-on credentials across approximately 100 organizations. In these attacks, threat actors impersonate IT support and call employees, tricking them into entering their credentials and multi-factor authentication codes on phishing sites that impersonate company login portals.

The group has successfully breached multiple high-profile targets, including market intelligence firm Crunchbase and financial advisory firm Betterment. Investigators link the attack to a broader ShinyHunters campaign focused on voice phishing targeting Okta single sign-on credentials.

What makes this campaign particularly dangerous is the sophistication of the phishing infrastructure. Threat actors who specialize in vishing have started using phishing kits that can intercept targets' login credentials and allow attackers to control the authentication flow in a targeted user's browser in real time.

Why These Threats Converge on Identity

Despite targeting different objectives—destructive impact versus data theft—both campaigns share a common thread: they exploit gaps in authentication and access controls.

The OT/IT Convergence Problem

Modern industrial control systems increasingly rely on networked authentication and cloud-connected management interfaces. Energy operators managing renewable assets through centralized platforms face the same identity security challenges as enterprise IT environments, with far greater consequences in the event of failure.

SSO: The Keys to the Kingdom

SSO services from Okta, Microsoft Entra, and Google enable companies to link third-party applications into a single authentication flow, giving employees access to cloud services, internal tools, and business platforms with a single login.

This convenience creates a single point of failure. Compromising a single SSO-enabled Okta account bypasses authentication controls and grants access to multiple business-critical systems, including Slack, CI/CD pipelines, HR management tools, cloud data stores, and other enterprise applications.

Actionable Defense Strategies

For Critical Infrastructure Operators

1. Implement Network Segmentation with Verified Monitoring. Before deploying advanced controls, ensure your organization has a secure network architecture baseline, including properly configured firewalls and data diodes where appropriate. Monitor all traffic crossing these boundaries for anomalous behavior patterns to detect early signs of compromise.

2. Deploy Wiper-Resistant Backup Architectures. Wiper malware specifically targets backup systems and recovery mechanisms. Implement air-gapped backup solutions with verified restoration procedures. Test recovery capabilities at a minimum of quarterly.

3. Adopt Threat Intelligence Specific to ICS/SCADA. Subscribe to sector-specific threat intelligence feeds from organizations like ICS-CERT and relevant ISACs. Sandworm's tactics, techniques, and procedures are well documented; ensure your detection signatures are up to date.

4. Establish Communication Redundancy. The Poland attack specifically targeted communication between renewable hardware and distribution operators. Maintain out-of-band communication channels that don't depend on your primary network infrastructure.

For Enterprise Identity Security

1. Implement Phishing-Resistant MFA. Deploy FIDO2 security keys and passkeys, which eliminate the credential harvesting vector that ShinyHunters exploits. Be aware that deploying hardware-based solutions may face logistical or user adoption challenges; plan accordingly to ensure smooth integration and user compliance.

2. Establish Help Desk Verification Protocols. Train employees to verify IT support calls through established out-of-band channels before taking any authentication actions. Create a published verification procedure that legitimate support staff will follow.

3. Deploy Session Monitoring and Anomaly Detection. Monitor for unusual SSO session patterns: new device enrollments, geographic impossibilities, mass application access following authentication, and bulk data exports from connected applications.

4. Audit Connected Application Permissions: Review all applications integrated with your SSO platform. Remove unnecessary connections and implement least-privilege access for remaining integrations. Pay particular attention to data export capabilities.

5. Implement Just-In-Time Access: Replace standing privileged access with time-limited, approval-based access grants. This limits the blast radius when credentials are compromised.
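The session patterns listed under item 3 can be turned into concrete detection rules. The following Python is an added example, not code from the original article or from any SSO vendor: it runs four detections (new device, impossible travel, mass application access after authentication, bulk export) over a handful of constructed events in an Okta-System-Log-like shape. The field names, event type strings, thresholds and the "known device" baseline are all assumptions; adapt them to your provider's actual schema and to your own baseline.

```python
"""SSO session anomaly detection over constructed sample events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Thresholds are illustrative assumptions; tune them to your environment.
MAX_SPEED_KMH = 900               # faster than an airliner => impossible travel
MASS_ACCESS_APPS = 5              # distinct apps reached inside the window
MASS_ACCESS_WINDOW = timedelta(minutes=15)
BULK_EXPORT_RECORDS = 10_000

# Assumed device baseline: devices each user has previously enrolled.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"}}

# Constructed sample events (not real log data). Event type names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2026-01-25T09:00:00Z", "user": "alice", "type": "user.session.start",
     "lat": 52.23, "lon": 21.01, "device_id": "dev-a1"},
    {"ts": "2026-01-25T09:02:00Z", "user": "alice", "type": "user.authentication.sso",
     "app": "slack", "device_id": "dev-a1"},
    {"ts": "2026-01-25T09:05:00Z", "user": "bob", "type": "user.session.start",
     "lat": 40.71, "lon": -74.01, "device_id": "dev-b1"},          # New York
    {"ts": "2026-01-25T09:20:00Z", "user": "bob", "type": "user.session.start",
     "lat": 35.68, "lon": 139.69, "device_id": "dev-new"},         # Tokyo, 15 min later
    {"ts": "2026-01-25T09:21:00Z", "user": "bob", "type": "user.authentication.sso",
     "app": "slack", "device_id": "dev-new"},
    {"ts": "2026-01-25T09:22:00Z", "user": "bob", "type": "user.authentication.sso",
     "app": "github", "device_id": "dev-new"},
    {"ts": "2026-01-25T09:23:00Z", "user": "bob", "type": "user.authentication.sso",
     "app": "workday", "device_id": "dev-new"},
    {"ts": "2026-01-25T09:24:00Z", "user": "bob", "type": "user.authentication.sso",
     "app": "salesforce", "device_id": "dev-new"},
    {"ts": "2026-01-25T09:25:00Z", "user": "bob", "type": "user.authentication.sso",
     "app": "snowflake", "device_id": "dev-new"},
    {"ts": "2026-01-25T09:30:00Z", "user": "bob", "type": "app.data.export",
     "app": "salesforce", "records": 250_000, "device_id": "dev-new"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def detect(events, known_devices):
    """Return a list of (user, rule, detail) alerts for the four patterns."""
    alerts = []
    seen_devices = {u: set(d) for u, d in known_devices.items()}
    last_login = {}                      # user -> (ts, lat, lon)
    recent_apps = defaultdict(list)      # user -> [(ts, app)] inside the window

    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, user, dev = parse_ts(e["ts"]), e["user"], e.get("device_id")

        # 1. New device enrollment: a device id never seen for this user.
        if dev and dev not in seen_devices.setdefault(user, set()):
            alerts.append((user, "new_device", dev))
            seen_devices[user].add(dev)

        if e["type"] == "user.session.start":
            # 2. Impossible travel: speed between consecutive logins.
            if user in last_login:
                pts, plat, plon = last_login[user]
                hours = (ts - pts).total_seconds() / 3600
                km = haversine_km(plat, plon, e["lat"], e["lon"])
                if hours > 0 and km / hours > MAX_SPEED_KMH:
                    alerts.append((user, "impossible_travel", f"{km:.0f} km in {hours:.2f} h"))
            last_login[user] = (ts, e["lat"], e["lon"])

        elif e["type"] == "user.authentication.sso":
            # 3. Mass application access: many distinct apps shortly after login.
            window = [(t, a) for t, a in recent_apps[user] if ts - t <= MASS_ACCESS_WINDOW]
            window.append((ts, e["app"]))
            distinct = {a for _, a in window}
            if len(distinct) >= MASS_ACCESS_APPS:
                alerts.append((user, "mass_app_access", sorted(distinct)))
                window = []              # reset so one burst yields one alert
            recent_apps[user] = window

        elif e["type"] == "app.data.export":
            # 4. Bulk export from a connected application.
            if e.get("records", 0) >= BULK_EXPORT_RECORDS:
                alerts.append((user, "bulk_export", f"{e['app']}: {e['records']} records"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, KNOWN_DEVICES):
        print(alert)
```

On the constructed data, alice produces no alerts while bob trips all four rules in sequence. In production the device baseline and last-login state would come from a store that survives between log batches, and the thresholds should be set from observed normal behaviour rather than the illustrative values above.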

Common Mistakes to Avoid

Over-reliance on MFA without considering the attack vector. Push notification fatigue attacks and real-time phishing proxy kits bypass traditional MFA. The solution isn't more factors—it's phishing-resistant factors.
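Why a FIDO2/WebAuthn factor resists the real-time proxy kits described above comes down to checks the relying party performs on every assertion: the browser writes the page origin into clientDataJSON, the authenticator signs that data together with a hash of the RP ID, and the server rejects anything whose origin or RP ID does not match. The Python below is an added illustration, not code from the original article or from any WebAuthn library; the RP ID, allowed origin and the sample assertions are constructed, and the final ECDSA signature check (done by your WebAuthn library over the bytes `signed_payload` returns) is deliberately outside this block.

```python
"""Relying-party origin and RP ID binding checks for a WebAuthn assertion (added example)."""
import base64
import hashlib
import json

RP_ID = "example.com"                              # assumed relying party id
ALLOWED_ORIGINS = {"https://login.example.com"}    # assumed legitimate origin

FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_assertion(origin: str, challenge: bytes, rp_id: str = RP_ID,
                   flags: int = FLAG_UP | FLAG_UV) -> dict:
    """Constructed authenticator output, as a browser at `origin` would produce.

    authenticatorData = SHA-256(rpId) || flags || signCount (4 bytes, big endian).
    """
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,                           # set by the browser, not by the page
    }).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}


def verify_assertion_binding(assertion: dict, expected_challenge: bytes):
    """Return (ok, reason) for the checks that give phishing resistance."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url_encode(expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        # A proxy kit on a lookalike domain ends up here: the browser recorded its origin.
        return False, f"origin not allowed: {cd.get('origin')}"
    ad = assertion["authenticatorData"]
    if len(ad) < 37:
        return False, "authenticatorData too short"
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    flags = ad[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if not flags & FLAG_UV:
        return False, "user verification not asserted"
    return True, "origin and RP ID bound; proceed to signature verification"


def signed_payload(assertion: dict) -> bytes:
    """Bytes the authenticator signed: authenticatorData || SHA-256(clientDataJSON).

    The origin lives inside clientDataJSON, so an attacker relaying the assertion
    cannot rewrite the origin without invalidating the signature.
    """
    return assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()


if __name__ == "__main__":
    challenge = bytes(range(32))                    # constructed server challenge
    for origin in ("https://login.example.com", "https://login.example-com.net"):
        print(origin, verify_assertion_binding(make_assertion(origin, challenge), challenge))
```

Compare this with a TOTP or push code: nothing in those factors names the site the user is looking at, which is exactly the gap a proxy kit exploits.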

Assuming signature-based detection will catch new threats. The signature-based defenses that Congress questioned in 2012 are still protecting critical systems in 2025, while adversaries have leapfrogged ahead with automation, AI, and constantly shifting tactics designed to evade detection.

Treating voice phishing as a user awareness problem alone. While training matters, technical controls must assume some users will be deceived. Build detection and response capabilities that don't depend on perfect human judgment.

Neglecting third-party identity provider risk. Your security posture is only as strong as your SSO provider's. Understand their incident response capabilities, review their security certifications, and monitor their security advisories.

The Regulatory Landscape Adds Urgency

The SEC's 2026 examination priorities have elevated cybersecurity and AI governance concerns above cryptocurrency risks for the first time. AI is shifting from being considered by the SEC as an emerging fintech area just two years ago to a clear operational risk area, linked to cybersecurity, disclosures, and internal use for critical functions in 2026.

For critical infrastructure operators, CISA's delayed incident reporting rule is expected to be finalized by May 2026. Organizations should prepare reporting procedures now rather than scrambling at implementation.

Looking Forward: Building Adaptive Defenses

Both Sandworm and ShinyHunters demonstrate that threat actors are not static. They time operations to create psychological impact, adapt tooling to evade detection, and exploit gaps between security domains. Emphasizing ongoing adaptation encourages security professionals to stay engaged and resilient.

Professionals are becoming increasingly aware that the future of cybersecurity will be built on trust, intelligent automation, and heightened public scrutiny around data privacy.

The organizations that will fare best in 2026 and beyond are those building adaptive security architectures—ones that don't just respond to yesterday's attacks but anticipate tomorrow's through continuous validation, threat intelligence integration, and cross-functional collaboration between IT security, OT security, and identity management teams.

Next Steps for Your Organization

The convergence of nation-state and criminal threats targeting both operational technology and identity systems demands a unified security strategy. If your organization operates critical infrastructure, manages sensitive data through SSO-connected applications, or both, now is the time to assess your exposure.

Consider the following questions:

  • When did you last test your wiper malware recovery procedures?
  • Are your MFA methods phishing-resistant or merely phishing-deterrent?
  • Do you have visibility into bulk data exports from SSO-connected applications?
  • Can your help desk verify its own identity to users?
