January 2026 Cyber Environment Update

Alan Grant | SOC Analyst | 2 February 2026

Welcome to Fortian’s January 2026 cyber environment update!

January 2026 highlighted how closely cyber activity continues to track broader political, economic and social pressures. State-linked cyber operations tied to conflict in Europe and domestic unrest in Iran remained prominent, while long-running espionage activity against government and telecommunications environments continued to surface. At the same time, cybercriminal groups continued to demonstrate how effective social engineering and identity abuse have become, enabling large-scale data theft without the need for sophisticated technical exploits.

International Developments

Rising European geopolitical tensions and cyber risk. The broader geopolitical landscape in Europe, particularly in the context of Russia’s ongoing war in Ukraine and an intensification of hybrid threat activity, continues to elevate cyber-related risks across the region. State-aligned hacking groups and their proxies are operating in an environment where offensive cyber activity is being used to exert pressure without crossing conventional military thresholds, driving heightened defensive postures among EU and NATO members and prompting renewed strategic focus on active cyber defence and deterrence.

  • Polish officials have publicly attributed a series of destructive cyberattacks on 29 December 2025 to the Russian domestic spy agency, saying the incidents targeted about 30 renewable energy facilities, a manufacturing firm, and a plant that supplies heat to nearly 500,000 customers. According to a report by Poland’s national computer emergency response team, the attacks were “purely destructive in nature,” likened to arson, and aimed to irreversibly destroy data on industrial systems, although defensive software prevented the most damaging effects. (Reuters)
  • Against this backdrop, Germany has announced a shift in its cyber security posture, with the interior minister stating that the country will be prepared to “strike back” against foreign cyber-attacks, particularly those attributed to Russian state-linked actors. This marks a departure from Germany’s traditionally cautious approach to offensive cyber operations, reflecting growing concern over a surge in cyber assaults, sabotage efforts, disinformation and covert activity linked to Russia. A key motivator for the change in stance was a Russian-attributed cyber-attack on the Munich Security Conference in 2025, which helped catalyse support for the more assertive policy direction. (FT)

Iranian Cyber Activity Intensifies Amid Domestic Unrest. In January 2026, researchers reported a suspected Iran-linked cyber espionage campaign, dubbed RedKitten, targeting human rights organisations and individuals documenting protest activity and alleged abuses inside Iran. The campaign emerged against a backdrop of sustained domestic unrest, heavy security crackdowns, and renewed restrictions on internet and communications access, as authorities sought to control information flows and suppress dissent. Rather than focusing on financial gain, the activity appears aimed at surveillance, intimidation and intelligence collection, consistent with Iran’s historical use of cyber operations to monitor activists and diaspora groups during periods of internal instability. (The Hacker News)

Salt Typhoon and the UK. Reporting in late January suggests that suspected China-linked actors associated with the “Salt Typhoon” campaign conducted a long-running espionage operation that extended beyond US telecommunications providers and into the UK government, with phones used by Downing Street staff allegedly compromised over several years. The campaign reportedly provided access to messages and metadata and, more alarmingly, the ability to intercept and record phone calls on demand, a level of access that would enable real-time intelligence collection against senior political decision-makers. UK authorities have been notably circumspect in their public commentary, neither fully confirming nor detailing the scope of the compromise, while Chinese officials have categorically denied involvement. (Telegraph)

EU Moves to Phase Out “High-Risk” Technology Suppliers. The European Commission has proposed revisions to the EU Cybersecurity Act that would enable the phased removal of “high-risk” technology suppliers from critical infrastructure across 18 sectors. Although no companies were explicitly named, the proposal is widely understood to target Chinese vendors. Under the plan, mobile operators would have up to 36 months to remove affected components after a high-risk supplier list is finalised, with similar timelines expected for fixed and satellite networks. If adopted, the changes are likely to further accelerate global technology decoupling and raise compliance and assurance expectations for organisations operating in or supplying into Europe.

Huawei and China’s foreign ministry have strongly criticised the proposal, describing it as protectionist and legally questionable under World Trade Organisation principles. Industry groups have warned that compliance could cost billions of euros. The proposal still requires negotiation with EU member states and the European Parliament before becoming law. (Reuters)

ShinyHunters expands attack campaigns. In January 2026, the ShinyHunters cybercrime group significantly escalated its extortion-led data theft campaigns, leaning heavily on social engineering and identity-layer compromise rather than software exploits.

  • Match Group. ShinyHunters claimed to have obtained “over 10 million” lines of dating-app usage data linked to Hinge, Match.com and OkCupid, plus internal documents, with reporting suggesting the exposure may have originated in a third-party marketing analytics environment. Match Group said it was investigating and stated there was no evidence that passwords/logins, financial data, or private chats were accessed, while acknowledging that some user data may have been affected and that notification processes were underway. (Upguard)
  • Okta. ShinyHunters claims that it has compromised multiple organisations by abusing Okta-based single sign-on environments, using social engineering rather than technical exploitation of Okta’s core platform. According to the group and subsequent independent analysis, attackers targeted employees through voice phishing and related pretexting techniques to obtain one-time passcodes or session access, allowing them to authenticate legitimately via SSO and pivot into downstream SaaS platforms. This activity reportedly affected a broad cross-section of Okta customers and aligns with a wider campaign in which identity providers, rather than individual applications, have become the primary choke point for compromise. Targeted organisations reportedly include Atlassian, Canva, Epic Games and others. (The Register)
  • Panera. The group also claimed a major haul of about 14 million Panera Bread customer records via Microsoft Entra SSO compromise, with stolen contact information including names, addresses and phone numbers reportedly being published on its leak site. (Malwarebytes)

These developments reinforce a broader shift toward high-impact social engineering and identity abuse, where compromising the enterprise identity plane provides scalable access to SaaS ecosystems and large, monetisable data sets.

Cyber Disruptions and Law Enforcement Wins.

IPIDEA disruption. Google’s Threat Intelligence Group has disrupted a major residential proxy network known as IPIDEA, which routed internet traffic through large numbers of consumer devices to help cybercriminals and other actors hide the origin of malicious activity.

  • The operation involved legal takedowns of command-and-control and marketing domains, sharing intelligence with industry and law enforcement, and enforcing protections across the Android ecosystem so that apps containing IPIDEA software are blocked or removed. Google estimates these actions have significantly degraded the network and reduced the pool of available proxy devices by millions.
  • While the operation significantly reduced IPIDEA’s scale, security researchers note that parts of the network remain active, highlighting the ongoing challenge posed by large residential proxy ecosystems. (Google)

Russian Anonymous Marketplace (RAMP) disruption. Federal law enforcement, including the FBI and Department of Justice, seized both clearnet and dark-web domains of the Russian Anonymous Marketplace (RAMP), a major cybercrime forum used by ransomware affiliates, malware developers and initial access brokers. The domains now redirect to official seizure notices, disrupting an important underground marketplace, though historical patterns suggest that new forums will quickly emerge to replace it. (BleepingComputer)

Australian Policy and Government Updates

ASIC Key Issues Outlook.  In its Key Issues Outlook 2026 published on 27 January, the Australian Securities and Investments Commission (ASIC) outlined some of the major shifts shaping Australia’s financial system and highlighted that, amongst other issues, cyber-attacks, data breaches, and weaknesses in operational resilience and crisis management now pose material risks to market confidence and consumer protection. (ASIC)

  • ASIC pointed to rising cyber incident reports and increased engagement with the Australian Cyber Security Hotline, driven by ongoing digitisation, legacy technology constraints, growing reliance on third parties, and increasingly capable threat actors.
  • At the same time, rapid advances in AI are transforming financial services, while also fuelling a surge in AI-enabled cybercrime that is testing organisational resilience and undermining public trust in AI-driven decisions.
  • This reinforces ASIC’s focus on improved governance, operational resilience, and management of third-party cyber risk.

Notable Australian Incidents

Victorian Department of Education.  All Victorian government schools and their students have been impacted by a breach of a Department of Education student database accessed via a compromised school network. Exposed data is understood to include student names, school-issued email addresses, encrypted passwords, school names, and year levels. The Department has initiated mass password resets, notified schools, temporarily disabled affected systems, and engaged cyber experts and government agencies. Authorities state there is no evidence the data has been publicly released. (ITNews)

Prosura.  Prosura, an Australian rental-car excess insurer, confirmed attackers breached its internal systems, exfiltrated customer data, and are now selling records linked to approximately 300,000 individuals. Exposed information reportedly includes personal details, policy data, and identity documents, creating elevated risk of identity theft, phishing, and fraud. Customer portals were taken offline, and regulators were notified. (Cyber News Centre)

Regis Resources. Regis Resources confirmed a cyber intrusion after a subsidiary appeared on the Lynx ransomware group’s leak site. A forensic investigation reportedly found no evidence of data exfiltration, no ransom demand, and no operational or commercial impact. Authorities have been notified. (Cyber Daily)

ACSC and CISA Critical Advisories

n8n Workflow Automation Platform RCE

  • Australia’s ACSC has issued a critical alert for an unauthenticated remote code execution vulnerability (CVE-2026-21858) affecting n8n workflow automation platform versions 1.65.0 and earlier. The flaw allows attackers to exploit vulnerable form-based workflows to read arbitrary files and escalate privileges, potentially leading to full system compromise.
  • Organisations should upgrade to n8n version 1.121.0 or later, avoid exposing n8n instances to the internet unless necessary, and enforce authentication on all forms. (Cyber.gov.au)(GitHub)

VMware vCenter Server Heap Overflow

  • VMware vCenter Server contains a heap-overflow vulnerability in its DCERPC protocol implementation. A malicious actor with network access to vCenter Server could trigger the flaw using specially crafted packets, potentially leading to remote code execution. Organisations should apply vendor patches as a priority. (CVE)(CISA)

Fortinet FortiCloud SSO Authentication Bypass Added to KEV

  • CISA has added CVE-2026-24858 (CVSS 9.4) to the Known Exploited Vulnerabilities catalogue. The flaw affects FortiOS, FortiManager, and FortiAnalyzer and allows attackers with a FortiCloud account and registered device to gain unauthorised access to other customers’ devices when FortiCloud SSO is enabled.
  • Fortinet has blocked vulnerable versions from using SSO and released patches. CISA has ordered US federal agencies to remediate by January 30, 2026. Immediate patching or disabling FortiCloud SSO is strongly recommended. (CISA)(CVE)

Key Takeaways

The ShinyHunters activity seen in January reinforces that many high-impact breaches now stem from social engineering and identity abuse rather than technical vulnerabilities. By tricking staff into approving or handing over SSO access, attackers can gain legitimate entry that bypasses traditional security controls.

For Australian organisations, this highlights the growing concentration of risk in identity platforms and SaaS ecosystems. A single compromised account can provide broad access across cloud services, customer data and internal systems, turning what appears to be a low-level incident into a material breach, particularly where staff are not well prepared to recognise social engineering.

The campaign also demonstrates the limits of MFA when vishing and helpdesk manipulation are in play.

Australian organisations should combine strong identity monitoring with targeted training and awareness for high-risk roles, verified escalation pathways for unusual access and MFA-reset requests, and regular testing of access and support workflows against realistic social engineering scenarios.
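The identity-plane compromise described in the ShinyHunters section above (helpdesk or vishing-driven MFA takeover followed by a pivot into downstream SaaS) and the identity monitoring recommended here can be turned into a concrete detection. The following is an added example written for this update, not code from Fortian, Okta or any vendor. It correlates a small set of constructed, simplified Okta-style System Log events: the event type names (user.mfa.factor.reset_all, user.mfa.factor.activate, user.session.start, user.authentication.sso) are real Okta event types, but the flattened field layout, the users, IPs and app names are invented for illustration, and the assumption that a helpdesk factor reset appears as a reset_all by an admin actor is a simplification.

```python
"""Correlate simplified Okta-style System Log events to flag a helpdesk/vishing
MFA takeover and the SaaS pivot that typically follows it.

Event records are a constructed, flattened approximation of Okta System Log
entries (eventType, actor, ip, published); they are not real log data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (RFC 5737 documentation IPs, invented users and apps).
# 192.0.2.77 plays the attacker who had jdoe's factors reset via the helpdesk.
SAMPLE_EVENTS = [
    {"published": "2026-01-14T09:02:11Z", "eventType": "user.session.start",
     "outcome": "SUCCESS", "actor": "jdoe@example.com", "ip": "203.0.113.10"},
    {"published": "2026-01-14T13:40:05Z", "eventType": "user.mfa.factor.reset_all",
     "outcome": "SUCCESS", "actor": "helpdesk@example.com", "target": "jdoe@example.com",
     "ip": "198.51.100.5"},
    {"published": "2026-01-14T13:44:30Z", "eventType": "user.mfa.factor.activate",
     "outcome": "SUCCESS", "actor": "jdoe@example.com", "ip": "192.0.2.77"},
    {"published": "2026-01-14T13:46:02Z", "eventType": "user.session.start",
     "outcome": "SUCCESS", "actor": "jdoe@example.com", "ip": "192.0.2.77"},
    {"published": "2026-01-14T13:47:15Z", "eventType": "user.authentication.sso",
     "outcome": "SUCCESS", "actor": "jdoe@example.com", "ip": "192.0.2.77", "app": "Salesforce"},
    {"published": "2026-01-14T13:48:40Z", "eventType": "user.authentication.sso",
     "outcome": "SUCCESS", "actor": "jdoe@example.com", "ip": "192.0.2.77", "app": "Google Workspace"},
    {"published": "2026-01-14T13:49:01Z", "eventType": "user.authentication.sso",
     "outcome": "SUCCESS", "actor": "jdoe@example.com", "ip": "192.0.2.77", "app": "Atlassian"},
    # Benign control: asmith also has a reset and re-enrols, but from a known IP.
    {"published": "2026-01-14T15:00:00Z", "eventType": "user.session.start",
     "outcome": "SUCCESS", "actor": "asmith@example.com", "ip": "203.0.113.20"},
    {"published": "2026-01-14T15:10:00Z", "eventType": "user.mfa.factor.reset_all",
     "outcome": "SUCCESS", "actor": "helpdesk@example.com", "target": "asmith@example.com",
     "ip": "198.51.100.5"},
    {"published": "2026-01-14T15:12:00Z", "eventType": "user.mfa.factor.activate",
     "outcome": "SUCCESS", "actor": "asmith@example.com", "ip": "203.0.113.20"},
    {"published": "2026-01-14T15:13:00Z", "eventType": "user.session.start",
     "outcome": "SUCCESS", "actor": "asmith@example.com", "ip": "203.0.113.20"},
]


def parse_ts(s: str) -> datetime:
    """Parse the UTC 'published' timestamp used in the sample events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, reset_window=timedelta(minutes=60),
           pivot_apps=3, pivot_window=timedelta(minutes=10)):
    """Return a list of alerts for two chained patterns:

    1. mfa_reenrol_new_ip: a helpdesk factor reset, then a new factor activated,
       then a session from an IP never seen on that user's earlier sessions,
       all within reset_window.
    2. rapid_sso_pivot: after such a session, SSO into at least pivot_apps
       distinct applications within pivot_window.
    """
    events = sorted(events, key=lambda e: parse_ts(e["published"]))
    known_ips = defaultdict(set)   # user -> IPs seen on prior successful sessions
    reset_at = {}                  # user -> time of last helpdesk factor reset
    reenrolled = {}                # user -> time of factor activation after that reset
    flagged_session = {}           # user -> time of the session that fired rule 1
    sso_apps = defaultdict(set)    # user -> apps reached after the flagged session
    alerts = []

    for e in events:
        if e.get("outcome") != "SUCCESS":
            continue
        ts, et = parse_ts(e["published"]), e["eventType"]

        if et == "user.mfa.factor.reset_all":
            reset_at[e["target"]] = ts
            reenrolled.pop(e["target"], None)
        elif et == "user.mfa.factor.activate":
            user = e["actor"]
            if user in reset_at and ts - reset_at[user] <= reset_window:
                reenrolled[user] = ts
        elif et == "user.session.start":
            user, ip = e["actor"], e["ip"]
            if (user in reenrolled and ts - reset_at[user] <= reset_window
                    and ip not in known_ips[user]):
                alerts.append({"rule": "mfa_reenrol_new_ip", "user": user,
                               "ip": ip, "at": e["published"]})
                flagged_session[user] = ts
                sso_apps[user] = set()
            known_ips[user].add(ip)   # baseline is built only from real sessions
        elif et == "user.authentication.sso":
            user = e["actor"]
            if user in flagged_session and ts - flagged_session[user] <= pivot_window:
                sso_apps[user].add(e["app"])
                if len(sso_apps[user]) == pivot_apps:   # fire once, at the threshold
                    alerts.append({"rule": "rapid_sso_pivot", "user": user,
                                   "apps": sorted(sso_apps[user]), "at": e["published"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only jdoe is flagged (first for the re-enrolment-then-new-IP chain, then for reaching three SaaS apps within minutes); asmith, whose re-enrolment comes from a known IP, is not. Two caveats matter in production: the IP baseline alone is weak against actors routing through residential proxy networks such as the IPIDEA infrastructure discussed above, so pair it with ASN, device-fingerprint or managed-device signals; and the helpdesk reset should be matched against the ticketing record, since an unticketed reset_all is itself worth an alert.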
