News Summary week 02, 2026

Week 02 highlights include CISA advisories for weather monitoring systems, critical Bluetooth vulnerability in WHILL wheelchairs (CVSS 9.8), and pro-Russia hacktivists targeting OT infrastructure.
Tags: threat-intelligence, ICS, CPS, automotive, medical-devices

Published: January 13, 2026

Executive Summary

Week 02 of 2026 saw continued threats to industrial control systems with CISA issuing advisories for Columbia Weather Systems MicroServer and a critical CVSS 9.8 vulnerability in WHILL electric wheelchairs allowing unauthorized Bluetooth control. Pro-Russia hacktivist groups including Cyber Army of Russia Reborn continue targeting critical infrastructure, prompting joint government advisories. The automotive sector prepares for Pwn2Own Automotive 2026 in Tokyo, while JLR continues recovery from their September 2025 ransomware attack.

This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.


Week of January 5-11, 2026

Critical Alerts & Advisories

CISA ICS Advisory: Columbia Weather Systems MicroServer

January 6, 2026 - CISA released ICS Advisory ICSA-26-006-01 for Columbia Weather Systems MicroServer affecting weather monitoring infrastructure:

| CVE | Vulnerability | CVSS | Impact |
| --- | --- | --- | --- |
| CVE-2025-61939 | Reverse SSH without mutual authentication | Medium | Unauthorized access |
| CVE-2025-64305 | Admin web portal vulnerability | Medium | Credential theft |
| CVE-2025-66620 | Shell access vulnerability | Medium | Limited command execution |

Attack Vector: An unused function in the MicroServer can initiate a reverse SSH connection to a vendor-registered domain without mutual authentication. An attacker on the local network with admin access and DNS manipulation capability can redirect the SSH connection to an attacker-controlled device.

Sectors Affected: Information Technology, deployed in the United States.

Status: No known public exploitation reported to CISA at this time.


Pro-Russia Hacktivist Threat Advisory Update

Following the December 2025 joint advisory (AA25-343A) from CISA, FBI, NSA, and international partners, pro-Russia hacktivist groups continue targeting critical infrastructure:

Active Threat Groups:

  • Cyber Army of Russia Reborn (CARR)
  • Z-Pentest
  • NoName057(16)
  • Sector16

Law Enforcement Action: The Justice Department announced indictments against Ukrainian national Victoria Eduardovna Dubranova for her role in critical infrastructure attacks. She was arrested, extradited to the U.S., and will face trial in early 2026.

Key Mitigations:

  1. Reduce exposure of OT devices to the public-facing internet
  2. Disable or secure internet-facing VNC connections
  3. Implement network segmentation
  4. Monitor for simultaneous DDoS and SCADA intrusion attempts

Automotive CPS Security

Pwn2Own Automotive 2026 Imminent

Pwn2Own Automotive 2026 takes place January 21-23, 2026 in Tokyo, Japan:

  • Prize Pool: Over $1 million in cash and prizes
  • Sponsors: Alpitronic joins Tesla as title sponsor
  • Registration Deadline: January 15, 2026
  • Focus: Connected car vulnerabilities, software-defined vehicles (SDVs)

Building on Pwn2Own Automotive 2025 which uncovered 49 zero-day vulnerabilities, this event remains the premier venue for automotive security research.

Connected Car Security Market Growth

The connected car security market is projected to grow from $3.37 billion (2025) to $6.99 billion by 2032 (11% CAGR), driven by:

  • Software-defined vehicles (SDVs)
  • OTA update capabilities
  • V2X communication expansion
  • Escalating threats to vehicle ECUs, telematics units, and cloud platforms

Jaguar Land Rover Recovery Continues

JLR continues recovery operations following the September 2025 ransomware attack that halted production for nearly six weeks. More than 5,000 businesses across JLR’s global supply chain were affected, with full recovery not expected until January 2026.


Medical Device CPS Security

CISA Medical Advisory: WHILL Electric Wheelchair Vulnerability

CVE-2025-14346 | CVSS 9.8 (Critical)

CISA issued ICS Medical Advisory ICSMA-25-364-01 for WHILL Model C2 and Model F power wheelchairs:

Vulnerability Details: Missing Authentication for Critical Function (CWE-306)

  • Wheelchairs do not enforce authentication for Bluetooth connections
  • Attacker within Bluetooth range (~30 feet) can pair without credentials
  • Attack capabilities: Issue movement commands, override speed restrictions, manipulate configuration profiles

Discovery: Identified by QED Secure Solutions during their annual hackathon. Researcher Billy Rios and team disclosed the vulnerability to CISA.

Impact: Direct physical harm risk to wheelchair users in healthcare settings and public environments.

Vendor Response: WHILL deployed firmware fixes on December 29, 2025:

  • Safeguard prevents unauthorized modification of speed profiles
  • Blocks unlock commands while wheelchair is in motion

CISA Recommendation: Users should contact WHILL for security updates and consider limiting Bluetooth connectivity when not using companion apps. Healthcare facilities should assess deployments and implement physical security measures.


FDA Regulatory Developments

The FDA’s final Quality System Regulation amendment (21 CFR Part 820) takes effect February 2, 2026. Key implications:

  • FDA expected to shift focus from pre-market paperwork to active operational execution
  • Auditing of real-world effectiveness of post-market security processes
  • Section 524B requirements: Security controls built into design, vulnerability management, software bill of materials (SBOM)

HHS OCR January 2026 Newsletter: The January 2026 OCR Cybersecurity Newsletter emphasizes medical device labeling for security information and ongoing security posture maintenance.


Water & Wastewater Sector

Romanian Water Authority Attack

On December 20, 2025, attackers targeted Administrația Națională ‘Apele Române’ (Romanian Waters), the national authority responsible for managing Romania’s water resources.

Combined with the Oltenia Energy attack (see below), this suggests a deliberate, coordinated campaign against Romanian critical infrastructure during holiday periods of reduced operational readiness.

Ongoing Threat Landscape

Per the December 2025 CISA advisory:

  • Pro-Russia hacktivist groups continue targeting Water and Wastewater Systems
  • Attack methods: Internet-exposed VNC connections, default credentials, SCADA manipulation
  • Groups have successfully caused physical damage including pipe bursts and tank overflows

Key Vulnerability: Water utilities using centralized SCADA systems create single points of failure. Internet-exposed PLCs with default passwords remain “exceedingly trivial to discover.”


Energy & Power Grid

Oltenia Energy Complex Ransomware Attack (Romania)

December 26, 2025 - Gentlemen ransomware struck Romania’s largest coal-based energy producer:

Target: Complexul Energetic Oltenia

  • 40-year-old Romanian energy provider
  • 19,000+ employees
  • 4 power plants with 3,900 MWh installed capacity
  • Provides ~30% of Romania’s electricity

Impact:

  • Files encrypted
  • ERP systems, document management, email, and website disrupted
  • Operations partially affected
  • Power supply and National Energy System remained stable

Response:

  • Systems isolated and restored from backups on new infrastructure
  • Reported to National Cyber Security Directorate, Ministry of Energy, and DIICOT
  • Criminal complaint filed

About Gentlemen Ransomware:

  • Emerged August 2025
  • Nearly 50 organizations attacked since emergence
  • Known for exploiting internet-exposed services and compromised credentials
  • Multi-stage reconnaissance targeting ERP systems
  • Waited for holiday period to activate ransomware

Venezuela Grid Disruption During U.S. Military Operation

January 3, 2026 - A power outage in Caracas coincided with Operation Absolute Resolve, raising questions about potential cyber involvement:

Context: U.S. military operation resulting in capture of Venezuelan President Nicolás Maduro.

Official Statements: President Trump stated the lights in Caracas were “turned off due to a certain expertise that we have.” Gen. Dan Caine confirmed Cyber Command and Space Command supported the operation.

Expert Analysis:

  • Robert Lee (Dragos CEO): Cyberattack “completely reasonable to assess” and may have been “more Ukraine 2015 style (abuse of native functionality)”
  • Jacquelyn Schneider (Stanford): Cyber may have been “ideal tool” for covert, tightly scoped, reversible effects
  • NetBlocks: Telemetry doesn’t indicate specific cyber capability; timing matched kinetic operations

CPS Security Implications: Whether cyber or kinetic, the incident demonstrates power grid targeting as a military/intelligence objective and the potential for time-bounded, geographically limited grid disruption.


Enerparc AG Data Breach

German renewable energy company Enerparc AG experienced a data breach exposing technical infrastructure data:

  • Company: 4,500+ MW solar capacity connected to grid
  • Compromised: ~8.6 GB of data from Spanish solar projects (Mallorca, Alicante regions)
  • Exposed Materials: Station requirement tables, tenders, technical proposals, FAT protocols, transformer station documentation

Risk: Technical specifications for transformer stations and switchgear systems could enable future targeting of solar infrastructure.


Manufacturing & Industrial

Manufacturing Ransomware Surge Continues

Manufacturing accounted for 72% of Q3 ransomware cases in industrial sectors:

  • 61% increase in ransomware attacks on manufacturing YoY
  • 87% increase in ransomware attacks against industrial organizations overall
  • Critical manufacturing received 46% of all CISA ICS security advisories

Top Threat Groups Targeting Manufacturing:

| Group | Alternative Name | Activity |
| --- | --- | --- |
| GOLD SAHARA | Akira | High activity |
| GOLD FEATHER | Qilin | High activity |
| GOLD ENCORE | PLAY | High activity |
| SafePay | - | Emerging |
| Clop | - | Persistent |

Recovery Statistics:

  • Average recovery cost: $1.3 million (24% decline YoY)
  • 58% of manufacturers fully recover within one week (up from 44%)
  • Estimated $17 billion in downtime costs since 2018

Threat Intelligence Highlights

APT Activity Targeting ICS/OT

CVE-2025-0282 (Ivanti Connect Secure): Reportedly exploited by UNC5221, a suspected China-nexus espionage actor, allowing lateral movement into networks and potential ICS impact.

Kimwolf Android Botnet: Compromised millions of low-cost Android-based TV and streaming devices through residential proxy networks and unauthenticated ADB services. Capable of DDoS operations with potential for CPS targeting.

Key Vulnerabilities This Week

| CVE | Product | CVSS | Impact |
| --- | --- | --- | --- |
| CVE-2025-14346 | WHILL Wheelchairs | 9.8 | Bluetooth hijacking, physical harm |
| CVE-2025-54322 | Xspeeder SXZOS | 10.0 | Remote code execution (root), ~70K devices |
| CVE-2025-13915 | IBM API Connect | 9.8 | Authentication bypass |

CYFIRMA Weekly Intelligence Report Highlights

The January 9, 2026 CYFIRMA report notes:

  • Infrastructure data breaches exposing technical specifications (Enerparc, Pickett USA)
  • Qilin ransomware primarily targeting Manufacturing, Professional Services, Healthcare, and Construction
  • Increasing convergence of IT/OT attacks in industrial environments

Defensive Recommendations

Immediate Actions

For ICS/OT Operators:

  1. Apply CISA advisory mitigations for Columbia Weather Systems MicroServer
  2. Audit VNC connections - disable or secure all internet-exposed VNC
  3. Review and change default credentials on all PLCs and SCADA systems
  4. Implement network segmentation between IT and OT

For Healthcare Organizations:

  1. Inventory WHILL wheelchair deployments and apply firmware updates
  2. Implement physical security measures to prevent unauthorized Bluetooth access
  3. Prepare for FDA cybersecurity regulation enforcement (February 2, 2026)

For Automotive Sector:

  1. Monitor Pwn2Own Automotive 2026 findings (January 21-23)
  2. Review connected vehicle telematics security
  3. Assess EV charging infrastructure security

Medium-Term Actions

  1. Develop systematic legacy/EOL device replacement plans
  2. Implement behavioral analytics for CPS environments
  3. Establish ICS-specific incident response procedures
  4. Conduct vendor security assessments before procurement
  5. Map data flows and access points for all OT assets

Strategic Priorities

  1. Reduce Internet Exposure: Single most important action per CISA
  2. Prepare for Regulatory Changes: FDA cybersecurity enforcement intensifying
  3. Holiday Period Readiness: Attackers increasingly timing operations for reduced staffing periods
  4. Supply Chain Security: Monitor vendor data breaches for technical specification exposure


Note: This week featured significant developments including a critical medical device vulnerability (WHILL wheelchairs), continued pro-Russia hacktivist threats to critical infrastructure, major ransomware activity against energy producers, and notable cyber-kinetic operations during the Venezuela military operation. The convergence of cyber capabilities with physical infrastructure targeting continues to accelerate into 2026.