Contents

01. News Bites
  • NCSC warns CNI operators to act now on severe cyber threats

  • Germany moves towards legalising offensive cyber operations

  • Microsoft Patch Tuesday fixes six exploited zero-days

  • Ransomware group abuses employee monitoring tools

  • State-backed hackers weaponise AI across cyber attacks

02. Conclusion

Quick News Bites

NCSC warns CNI operators to act now on severe cyber threats

The National Cyber Security Centre has issued a stark warning to UK critical national infrastructure operators, urging immediate action to defend against what it describes as “severe” cyber threats. The alert follows coordinated cyber-attacks in December that targeted Poland’s energy infrastructure using malware, underscoring the real-world risk to essential services.

Jonathan Ellison, the NCSC’s director for national resilience, stressed that disruption to everyday services is not a remote possibility but an active and growing threat. He called on operators across energy, water, transport, health and telecommunications to strengthen their cyber defences and resilience without delay.

Severe threats are defined as deliberate, highly disruptive or destructive attacks designed to shut down operations, damage industrial control systems or erase data to prevent recovery. In response, the NCSC is advising organisations to improve threat monitoring, increase situational awareness and harden networks through best practices such as patching, access controls and multi-factor authentication.

Ellison also highlighted the Cyber Security and Resilience Bill as a key step in strengthening the UK’s collective defence against modern cyber threats.

Germany moves towards legalising offensive cyber operations

Germany is reportedly preparing new legislation that would formally authorise its intelligence agencies to carry out offensive cyber operations against hostile actors. If passed, the move would bring Berlin more closely in line with the UK and the United States, both of which already operate under clearer legal frameworks for cyber countermeasures.

The proposed measures would allow German agencies to deploy advanced, AI-driven cyber capabilities to respond to attacks and deter adversaries in an increasingly complex threat landscape. Germany’s military would also gain expanded authority to respond to “hybrid threats”, where cyber operations, disinformation and digital disruption are combined with conventional military activity.

Officials argue that modern conflict is no longer limited to physical battlefields and that national defence strategies must evolve accordingly. A zero-tolerance stance is expected for cyberattacks against critical infrastructure, including energy, transport and aviation systems.

The issue is likely to feature prominently at the upcoming Munich Security Conference, as European leaders continue to balance cyber deterrence with concerns around escalation and responsible state behaviour in cyberspace.

Microsoft Patch Tuesday fixes six exploited zero-days

Microsoft’s February 2026 Patch Tuesday delivers security updates for 58 vulnerabilities, including six actively exploited zero-days and three that were publicly disclosed before fixes were available. Five of the flaws are rated “Critical”, spanning elevation of privilege and information disclosure risks, with elevation of privilege issues making up the largest overall category this month.

Of particular concern are multiple security feature bypass vulnerabilities affecting Windows Shell, MSHTML and Microsoft Word, alongside exploited flaws in Desktop Window Manager and Remote Desktop Services that could allow attackers to gain SYSTEM-level access. Microsoft has provided limited technical detail, but several of the issues have been linked to real-world exploitation by professional threat actors.

Alongside vulnerability fixes, Microsoft has begun a phased rollout of new Secure Boot certificates, replacing certificates from 2011 that expire in June 2026. The update relies on device health signals to reduce deployment risk.

Organisations are strongly advised to prioritise patching, review privileged access controls and monitor for signs of exploitation, particularly across Windows endpoints and remote access services.

Ransomware group abuses employee monitoring tools

Researchers have uncovered a ransomware intrusion where a member of the Crazy ransomware gang abused legitimate employee monitoring and remote support software to maintain access inside corporate networks. The attackers deployed Net Monitor for Employees Professional alongside the SimpleHelp remote support tool, allowing them to blend into normal administrative activity while quietly preparing for ransomware deployment.

In the incidents analysed, the threat actor installed the monitoring software directly from the vendor’s site using standard Windows utilities, gaining the ability to view desktops, transfer files and execute commands remotely. For added persistence, SimpleHelp was installed using PowerShell and disguised with filenames resembling trusted applications, including OneDrive components. This ensured continued access even if one tool was removed.

The researchers also observed attempts to disable Windows Defender and configure alerts for cryptocurrency wallet activity, signalling preparation for both ransomware and theft. The activity highlights a growing trend in ransomware operations that abuse legitimate tools, reinforcing the need to monitor remote access software and enforce MFA on all VPN services.
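The tool-abuse pattern described above lends itself to a simple process-creation check. The following is an added example, not code from the researchers or from Integrity360: it runs a few detection rules over constructed log lines, and the log format, installer filename and legitimate OneDrive install locations are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not real telemetry), one per line:
# timestamp|host|user|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2026-02-10T09:14:02Z|ws-042|corp\j.doe|explorer.exe|C:\Windows\System32\msiexec.exe|msiexec /i "C:\Users\j.doe\Downloads\Net Monitor for Employees Pro.msi" /qn
2026-02-10T09:20:41Z|ws-042|corp\j.doe|powershell.exe|C:\ProgramData\OneDrive\OneDriveUpdater.exe|"C:\ProgramData\OneDrive\OneDriveUpdater.exe" -service
2026-02-10T09:22:10Z|ws-042|corp\j.doe|cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell -c "Set-MpPreference -DisableRealtimeMonitoring $true"
2026-02-10T10:01:55Z|ws-007|corp\a.smith|explorer.exe|C:\Program Files\Microsoft OneDrive\OneDrive.exe|"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
"""

# Tool names from the write-up, matched case-insensitively in image path and command line.
REMOTE_TOOL_RE = re.compile(r"simplehelp|net ?monitor for employees", re.I)
# Assumed legitimate OneDrive install locations (machine-wide and per-user).
ONEDRIVE_DIRS = (r"c:\program files\microsoft onedrive",
                 r"\appdata\local\microsoft\onedrive")
# Defender tampering through Set-MpPreference -Disable... switches.
DEFENDER_TAMPER_RE = re.compile(r"set-mppreference\b.*-disable\w+", re.I)

def parse_event(line):
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user,
            "parent": parent.lower(), "image": image, "cmdline": cmdline}

def classify(ev):
    """Return the names of the rules an event trips (empty list if benign)."""
    hits = []
    if REMOTE_TOOL_RE.search(ev["image"] + " " + ev["cmdline"]):
        hits.append("remote_tool_install")
    path = PureWindowsPath(ev["image"])
    name, parent_dir = path.name.lower(), str(path.parent).lower()
    if name.startswith("onedrive") and not any(d in parent_dir for d in ONEDRIVE_DIRS):
        hits.append("onedrive_lookalike")        # OneDrive-named binary outside its usual homes
    if name.startswith("onedrive") and ev["parent"] in ("powershell.exe", "pwsh.exe"):
        hits.append("scripted_onedrive_launch")  # PowerShell spawning a OneDrive-named binary
    if DEFENDER_TAMPER_RE.search(ev["cmdline"]):
        hits.append("defender_tamper")
    return hits

def analyse(log_text):
    """Return (rule, host, image_name) triples for every event that trips a rule."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        for rule in classify(ev):
            findings.append((rule, ev["host"], PureWindowsPath(ev["image"]).name))
    return findings
```

Running `analyse(SAMPLE_EVENTS)` flags the installer, the OneDrive look-alike launched from PowerShell and the Defender change on ws-042, while the genuine OneDrive process on ws-007 is left alone.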

State-backed hackers weaponise AI across cyber attacks

State-sponsored threat actors are increasingly using generative AI to support cyber operations from start to finish, according to new findings from Google’s Threat Intelligence Group. Groups linked to China, Iran, North Korea and Russia were observed using Google’s Gemini model for reconnaissance, target profiling, phishing lure creation, malware development and post-compromise activity.

Researchers found that some actors used AI to analyse vulnerabilities, test exploits, translate content and troubleshoot malicious code, while others leveraged it to accelerate social engineering campaigns. In several cases, AI-assisted tooling was tied to phishing kits and malware frameworks designed to steal credentials, deploy second-stage payloads and evade detection.

Google also warned of attempts to extract and replicate AI models at scale through automated prompting and knowledge distillation, describing this as a growing intellectual property and security risk. While no dramatic technical leaps were identified, Google expects AI to become increasingly embedded in attacker workflows, reinforcing the need for stronger detection, identity security and user awareness as AI-driven threats mature.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.