Locked Shields has grown significantly over the past 16 years, with only four nations participating in the first edition.

The post Locked Shields 2026: 41 Nations Strengthen Cyber Resilience in World’s Biggest Exercise appeared first on SecurityWeek.

A Chinese cyberespionage group has shifted its gaze back to Europe after years of focusing on other parts of the world, Proofpoint research published Wednesday found.

The surge began in mid-2025, with a bevy of issues bubbling up between China and Europe, the company said. Proofpoint labels the government-linked group TA416, but other companies track it as Twill Typhoon, Mustang Panda or other names.

“This renewed focus most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU,” Proofpoint’s Mark Kelly and Georgi Mladenov wrote. “TA416’s return to European government targeting occurred during heightened EU–China tensions over trade, the Russia–Ukraine war, and rare earths exports, and commenced immediately following the 25th EU–China summit.”

Separately, the same group took up targeting the Middle East in March after the start of the conflict in Iran, something it had never been spotted doing before, Proofpoint found.

“This aligns with a trend observed by Proofpoint of some state-aligned threat actors shifting targeting toward Middle Eastern government and diplomatic entities in the aftermath of the war,” the firm said. “This likely reflects an effort to gather regional intelligence on the status, trajectory, and broader geopolitical implications of the conflict.”

TA416 was active in Europe in 2022 and 2023, coinciding with the onset of the Ukraine-Russia war, but stepped away from the continent afterward, according to the researchers. Its focus turned to Southeast Asia, Taiwan and Mongolia for a couple years.

The group’s focus on Europe through early 2026 used a variety of web bug and malware delivery methods, including setting up reconnaissance by dangling lures about Europe sending troops to Greenland. It also included phishing emails about humanitarian concerns, interview requests and collaboration proposals, Proofpoint said.

“During this period, TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group’s customized PlugX backdoor via DLL sideloading triads,” the researchers wrote.

Proofpoint’s is not the only report of late about Chinese cyberespionage groups targeting Europe, with another focused on LinkedIn solicitations to NATO and European institutions.

The post European-Chinese geopolitical issues drive renewed cyberespionage campaign appeared first on CyberScoop.

The Justice Department has charged a Ukrainian national with conducting cyberattacks on critical infrastructure worldwide as part of two Russian state-sponsored hacking operations that targeted water systems, food processing facilities and government networks across the United States and allied nations.

Victoria Eduardovna Dubranova, 33, was arraigned on a second indictment Tuesday after being extradited to the U.S. earlier this year. She faces charges related to her alleged work with CyberArmyofRussia_Reborn, known as CARR, and NoName057(16), two groups federal prosecutors say received backing from Moscow to advance Russian geopolitical interests. 

Dubranova pleaded not guilty in both cases.

The indictments describe operations that evolved from distributed denial of service attacks to more destructive intrusions into industrial control systems. CARR, according to prosecutors, was founded and funded by Russia’s Main Directorate of the General Staff of the Armed Forces, known as the GRU. NoName057(16) emerged from the Center for the Study and Network Monitoring of the Youth Environment, an information technology organization established by presidential order in Russia in October 2018.

Brett Leatherman, the FBI’s assistant director in its cyber division, said the charges against Dubranova are the first time the U.S. has charged someone under the law designed to protect water systems.

“Let me emphasize, the FBI doesn’t just track cyber adversaries. We call them out and bring them to justice,” Leatherman said on a press call Wednesday. “That’s what today demonstrates.”

Both groups claimed credit for hundreds of attacks beginning in 2022, following the escalation of the Russia-Ukraine conflict. CARR maintained a Telegram channel with more than 75,000 followers and at times had over 100 members, including juveniles, according to the indictment. The group received financial support from a figure using the moniker “Cyber_1ce_Killer,” which federal authorities associate with at least one GRU officer.

The attacks attributed to CARR resulted in tangible damage to U.S. infrastructure. Public drinking water systems in several states experienced damage to control systems that caused hundreds of thousands of gallons of water to spill. In November 2024, an attack on a meat processing facility in Los Angeles spoiled thousands of pounds of meat and triggered an ammonia leak that forced an evacuation. The group also targeted U.S. election infrastructure and websites for nuclear regulatory entities.

NoName057(16) operated differently, developing proprietary software called DDoSia that recruited volunteers worldwide to participate in attacks. The group published daily leaderboards on Telegram ranking participants and paid top volunteers in cryptocurrency. Between March 2022 and June 2025, the group conducted more than 1,500 attacks on government agencies, financial institutions, railways and ports in Ukraine and NATO countries including Estonia, Finland, Lithuania, Norway, Poland and Sweden.

The group targeted Dutch infrastructure during the June 2025 NATO Summit in The Hague. Volunteers who downloaded DDoSia were required to read a manifesto describing pro-Russian geopolitical motivations before participating in attacks on targets selected by administrators.

Federal investigators from multiple agencies, including the FBI, CISA, NSA, Department of Energy and EPA, issued a joint advisory warning that pro-Russia hacktivist groups target minimally secured internet-facing connections to infiltrate operational technology control devices. The EPA emphasized the threat to public water systems, noting the defendant’s actions put communities and drinking water resources at risk.

Chris Butera, CISA’s acting deputy executive assistant director for cybersecurity, said Wednesday that organizations responsible for operating critical infrastructure should understand these groups are “actively engaging in opportunistic, low sophistication, malicious cyber activity across multiple sectors to gain notoriety and create mayhem.”

“The single most important thing people can do to protect themselves is to reduce the number of operational technology devices exposed to the public-facing internet,” Butera said. 

Dubranova faces one count of conspiracy to damage protected computers in the NoName case, carrying a maximum five-year sentence. The CARR indictment charges her with conspiracy to damage protected computers and tamper with public water systems, damaging protected computers, access device fraud and aggravated identity theft. If convicted on all CARR charges, she faces up to 27 years in federal prison.

The State Department announced rewards of up to $2 million for information on individuals associated with CARR and up to $10 million for information related to NoName057(16). Two CARR members, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, were previously sanctioned by the Treasury Department in July 2024. Pankratova allegedly served as administrator of CARR, while Degtyarenko is described as a primary hacker who accessed a U.S. energy company’s supervisory control and data acquisition system.

The investigations are part of Operation Red Circus, an FBI initiative to disrupt Russian state-sponsored cyber threats to U.S. critical infrastructure. By late 2024, prosecutors say CARR administrators grew dissatisfied with GRU support and created a new group called Z-Pentest that employs similar tactics.

Trials are scheduled for Feb. 3, 2026, in the NoName matter and April 7, 2026, in the CARR case.

The post US charges hacker tied to Russian groups that targeted water systems and meat plants appeared first on CyberScoop.