The point: Russia-aligned APTs conduct first-known attacks on NATO energy infrastructure using wiper malware, while AI-enabled malware and North Korea cooperation establish new threat vectors.
Trend Micro’s report “Nation-Aligned APTs in 2025” documents an escalation of cyberattacks by Russia-aligned groups systematically targeting energy facilities in NATO member states for the first time. The attacks increasingly employ wiper malware and artificial intelligence and are closely intertwined with military operations.
In December 2024, Russia-aligned actors conducted coordinated cyberattacks on Polish energy infrastructure, targeting multiple wind and solar parks as well as a combined heat and power plant. The attackers deployed wiper malware designed for data destruction and IT system disruption. Although the attacks were contained in time and power supply was not interrupted, this marks the first known attack on energy facilities of a NATO member state by such actors.
For CISOs in critical infrastructure, this incident represents a qualitatively new threat landscape: Ukraine’s IT environment serves as a testing ground for attack patterns subsequently transferred to Western targets. The hacker group Sandworm has deliberately targeted railway companies, energy suppliers, and grain facility manufacturers in Ukraine. In parallel, APT28 (Pawn Storm) operates against Western technology and logistics companies supporting Ukraine. Public attribution by US and French authorities underscores diplomatic escalation.
New technical vectors significantly worsen the situation. For the first time, malware samples have been observed that leverage large language models (LLMs) to dynamically generate commands and flexibly circumvent defensive measures. This lets attackers adapt to defense mechanisms in real time and overcome security solutions more rapidly.
International collaboration between attackers is also deepening. A 2025 defense agreement between Russia and North Korea allegedly granted the latter access to powerful computing resources being abused for AI-driven cybercrime, cryptocurrency theft, and social engineering attacks. Notably, the North Korean group KONNI simultaneously conducts espionage against Russian government entities.
Central to security planning: cyber operations are no longer supplementary but an integral part of modern warfare. Attacks on energy, transportation, and communications networks occur in parallel with military offensives and political negotiations. This requires organizations to adapt their incident response and threat intelligence processes to anticipate such coordinated scenarios.
Source: www.it-daily.net · Published June 20, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.