By the CyberWire staff
Top stories.
- Sandworm blamed for cyberattack against Poland's energy grid.
- Google disrupts major residential proxy network.
- Microsoft provided the FBI with BitLocker encryption keys after receiving a warrant.
- Popular AI app exposes millions of users' chat messages.
- Threat actors continue to exploit months-old WinRAR flaw.
- SoundCloud breach affected nearly 30 million accounts.
Sandworm blamed for cyberattack against Poland's energy grid.
ESET has attributed a December 2025 attempted cyberattack on Poland's energy infrastructure to the Russian threat actor Sandworm. Poland's energy minister said earlier this month that the incident was "the strongest attack on the energy infrastructure in years," though the attack was largely thwarted. ESET said the attackers used a newly observed strain of wiper malware tracked as "DynoWiper." According to Reuters, the country's energy minister said the "failed attack aimed to disrupt the communication between renewable installations and the power distribution operators."
Researchers at Dragos say the incident breached around thirty sites connected to distributed energy generation, noting that this is "the first major cyber attack targeting distributed energy resources (DERs), the smaller wind, solar, and [combined heat and power] facilities being added to grids worldwide." Dragos adds, "While the attack did not result in power outages, adversaries gained access to operational technology systems critical to grid operations and disabled key equipment beyond repair at the site. Due to the lack of electric outages, asset operators and the broader community may be mistaken to think this is not overly concerning. However, what was demonstrated, especially for other countries who currently or will depend more on DERs, should be very alarming."
Sandworm, a threat actor associated with the GRU's unit 74455, is believed to be responsible for previous attacks targeting Ukraine's power grid in 2015 and 2016. ESET notes that the attempted attack in Poland occurred days after the tenth anniversary of the 2015 incident, which cut power to hundreds of thousands of people across Ukraine for several hours. The attempted attack against Poland's grid, as well as the two prior attacks against Ukraine, targeted civilian power supplies during the dead of winter.
Google disrupts major residential proxy network.
Google and its industry partners have disrupted a major residential proxy network that was used by a wide range of criminal and nation-state threat actors. The network, called "IPIDEA," let threat actors route malicious traffic through IP addresses assigned by legitimate ISPs to residential and small-business customers, so that the activity appeared to originate from ordinary home and office connections.
Google took legal action to seize domains used by the network, and has shared intelligence on IPIDEA software development kits with platform providers, law enforcement, and researchers. The company stated, "We believe our actions have caused significant degradation of IPIDEA’s proxy network and business operations, reducing the available pool of devices for the proxy operators by millions. Because proxy operators share pools of devices using reseller agreements, we believe these actions may have downstream impact across affiliated entities."
Microsoft provided the FBI with BitLocker encryption keys after receiving a warrant.
Forbes reports that Microsoft provided the FBI with BitLocker recovery keys to unlock the laptops of Windows users accused of fraud in Guam. Investigators were looking into fraudulent use of funds from the island's Covid unemployment assistance program, and served Microsoft with a warrant last year requesting keys for three computers encrypted with BitLocker. Forbes notes that this is the first known instance in which Microsoft has handed customers' encryption keys to law enforcement.
Microsoft spokesperson Charles Chamberlayne told Forbes that "the company receives around 20 requests for BitLocker keys per year and in many cases, the user has not stored their key in the cloud, making it impossible for Microsoft to assist." However, Chamberlayne said the company "does provide BitLocker recovery keys if it receives a valid legal order."
Chamberlayne added, "[C]ustomers can choose to store their encryption keys locally, in a location inaccessible to Microsoft, or in Microsoft’s cloud. We recognize that some customers prefer Microsoft’s cloud storage, so we can help recover their encryption key if needed. While key recovery offers convenience, it also carries a risk of unwanted access."
Popular AI app exposes millions of users' chat messages.
Chat & Ask AI, one of the top AI apps in the Google Play and Apple App stores, exposed hundreds of millions of private messages that users had exchanged with its chatbot, 404 Media reports. An independent researcher found "a misconfiguration in the app's usage of the mobile app development platform Google Firebase, which by default makes it easy for anyone to make themselves an 'authenticated' user who can access the app's backend storage where in many instances user data is stored." The researcher was able to access 300 million messages from more than 25 million users, including highly sensitive matters users had raised with the chatbot.
Codeway, the Turkish developer of Chat & Ask AI, fixed the issue within hours after the researcher disclosed the flaw. The company hasn't responded to 404 Media's request for a comment.
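The mechanism 404 Media describes is a well-known Firebase Security Rules anti-pattern: an `allow` statement gated only on `request.auth != null`. If Anonymous or Email/Password sign-in is enabled for the project (each is a toggle in the Firebase console), anyone can create an account and satisfy that check, so the rule grants the entire user base access rather than the owner of the data. The following is an added example, not Codeway's configuration or any code from 404 Media's report: a heuristic Python lint that flags `allow` statements gated on nothing, on `true`, or merely on "some user is signed in", run over two constructed rule sets, one with the weak check and one that binds access to the document owner via `request.auth.uid == userId`. The collection path and variable names are assumptions for illustration.

```python
"""Heuristic lint for Firebase Security Rules (Firestore and Cloud Storage
share this syntax).  Flags 'allow' statements whose gate is nothing, 'true',
or merely 'request.auth != null' (any signed-in account, including
self-registered or anonymous ones) without tying the request to a specific
uid or token claim.  Regex-based: it does not parse the rules language and
will not understand gates expressed through get()/exists() lookups."""
import re

# allow <ops>[: if <condition>];   (the condition may span several lines)
_ALLOW = re.compile(r"\ballow\s+([\w,\s]+?)\s*(?::\s*if\s+(.*?))?\s*;", re.S)

# A condition "binds identity" when it compares the caller's uid or a token
# claim to something: uid == userId, uid in resource.data.members,
# resource.data.owner == request.auth.uid, token.admin == true.
_BINDS_IDENTITY = re.compile(
    r"request\.auth\.(?:uid|token\.\w+)\s*(?:==|in\b)"
    r"|==\s*request\.auth\.(?:uid|token\.\w+)"
)


def weak_allows(rules_text: str) -> list[tuple[str, str]]:
    """Return (operations, condition) for every over-permissive allow statement."""
    findings = []
    for m in _ALLOW.finditer(rules_text):
        ops = " ".join(m.group(1).split())
        cond = " ".join((m.group(2) or "").split())
        if cond in ("", "true"):
            # World-readable or world-writable, no sign-in needed at all.
            findings.append((ops, cond or "<unconditional>"))
        elif "request.auth" in cond and not _BINDS_IDENTITY.search(cond):
            # Signed-in is checked, but *which* account is never checked.
            findings.append((ops, cond))
    return findings


# Constructed sample: the weak pattern described in the story.  Any account
# the project lets people create can read and write every user's chats.
WEAK_RULES = """
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId}/chats/{chatId} {
      allow read, write: if request.auth != null;
    }
  }
}
"""

# Constructed sample: same path, but the caller must own the document.
FIXED_RULES = """
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId}/chats/{chatId} {
      allow read, write: if request.auth != null
                          && request.auth.uid == userId;
    }
  }
}
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_RULES), ("fixed", FIXED_RULES)):
        print(label, weak_allows(text))
```

Treat a hit as a prompt to review, not a verdict: rules that delegate the ownership check to a `get()` on another document will be reported as weak by this lint, and the authoritative test is the Firebase Emulator Suite's rules unit tests with one signed-in account trying to read another account's documents.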
Threat actors continue to exploit months-old WinRAR flaw.
Google's Threat Intelligence Group (GTIG) warns of "widespread, active exploitation" of a WinRAR flaw (CVE-2025-8088) that was patched in July 2025. GTIG says "government-backed threat actors linked to Russia and China, as well as financially motivated threat actors, continue to exploit this n-day across disparate operations," an n-day being a flaw for which a fix is already available but not yet applied. Attackers are exploiting the path traversal flaw to write files into the Windows Startup folder, whose contents Windows launches at the next user logon, giving them persistence on the machine.
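The defensive counterpart to an archive path traversal is to inspect entry names before anything is written to disk: a name containing `..` components, an absolute path, or NTFS alternate-data-stream syntax (`file.txt:stream`) has no business in a document archive, and one that resolves into a Startup folder (per-user `%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup` or all-users `%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp`) is the persistence pattern GTIG describes. The following is an added example, not code from GTIG, WinRAR, or any exploit: a generic Python classifier over archive entry names, exercised on a constructed in-memory zip because the standard library can build one offline. It does not parse the RAR format and does not model the specific WinRAR bug; the same classifier can be fed the name list from any archive library.

```python
"""Flag archive entry names that would escape the extraction directory or
land in a Windows Startup folder.  Operates on entry names only, from any
archive library; it is not a RAR parser and models no specific extractor
bug.  The zip sample below is constructed for this example."""
import io
import re
import zipfile

# Trailing components shared by the per-user Startup folder
# (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and the
# all-users one (%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp).
_STARTUP_TAIL = ("start menu", "programs", "startup")


def _components(name: str) -> list[str]:
    """Split on either separator; drop empty and '.' components."""
    return [c for c in re.split(r"[\\/]+", name) if c not in ("", ".")]


def classify_entry(name: str) -> list[str]:
    """Return the reasons an archive entry name is unsafe (empty list = fine)."""
    reasons = []
    if re.match(r"^[A-Za-z]:", name) or name.startswith(("\\", "/")):
        reasons.append("absolute path")
    parts = _components(name)
    if ".." in parts:
        reasons.append("parent-directory traversal")
    # A colon anywhere after an optional drive letter is NTFS alternate-data-
    # stream syntax ('file.txt:stream'); it has no legitimate place here.
    if ":" in re.sub(r"^[A-Za-z]:", "", name):
        reasons.append("NTFS alternate data stream")
    lowered = [p.lower() for p in parts]
    n = len(_STARTUP_TAIL)
    if any(tuple(lowered[i:i + n]) == _STARTUP_TAIL
           for i in range(len(lowered) - n + 1)):
        reasons.append("names a Startup folder")
    return reasons


def scan_entry_names(names) -> dict[str, list[str]]:
    """Map each unsafe entry name to its reasons; safe names are omitted."""
    findings = {}
    for name in names:
        reasons = classify_entry(name)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed in-memory zip: one benign entry and three hostile names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/report.pdf", b"%PDF-1.4 benign")
        zf.writestr("../../AppData/Roaming/Microsoft/Windows/Start Menu/"
                    "Programs/Startup/update.lnk", b"lnk")
        zf.writestr("C:/Windows/Temp/helper.exe", b"MZ")
        zf.writestr("readme.txt:payload.exe", b"MZ")
    return buf.getvalue()


def scan_zip_bytes(data: bytes) -> dict[str, list[str]]:
    """Classify the entry names of a zip held in memory without extracting it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_entry_names(zf.namelist())


if __name__ == "__main__":
    for name, reasons in scan_zip_bytes(build_sample_archive()).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

Run it and only the three hostile names are reported; `docs/report.pdf` passes. On a Windows estate the complementary check is the one the attackers' objective points at: enumerate the two Startup folders for recently created `.lnk`, `.exe`, and script files and compare them against a known baseline.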
SoundCloud breach affected nearly 30 million accounts.
Have I Been Pwned says a data breach disclosed by SoundCloud in December affected 29.8 million user accounts, representing approximately 20% of the music streaming platform's user base. The data included email addresses, names, usernames, avatars, follower and following counts, and, in some cases, users' countries.
BleepingComputer reports that the ShinyHunters criminal gang was behind the breach. The group tried to extort SoundCloud before publishing the stolen data online.