剣 KENSAI
← All posts · security

Hacker legati all'Iran attaccano il centro di ricerca nucleare polacco, FBI indaga su giochi Steam con malware, Google paga 17 mln $ in bug bounty, 80 mln $ per la sicurezza degli agenti IA

← Torna al Blog

🔬 Poland Nuclear Research Centre Targeted by Iran-Linked Hackers - NIS2 Critical Infrastructure Under Fire

⚠️ CRITICAL INFRASTRUCTURE - NUCLEAR SECTOR

Poland's National Centre for Nuclear Research (NCBJ), which operates the country's only nuclear reactor (MARIA), detected and blocked a cyberattack on its IT infrastructure. Polish authorities found indicators pointing to Iran, though investigators caution these could be false flags. The MARIA reactor continues operating safely.

Regulation Impact: NIS2 - CER Directive - Nuclear Safety - EU Cyber Diplomacy

Poland's National Centre for Nuclear Research (NCBJ) this week confirmed that hackers targeted its IT infrastructure in what appears to be a state-sponsored attack. The institute's security systems detected the intrusion early, and internal teams blocked the attack before any systems were compromised. The MARIA reactor - Poland's only nuclear reactor, used for scientific research and medical isotope production - continued operating at full power throughout.

Reuters reported that Polish investigators found indicators suggesting Iran may be behind the attack, though officials are cautious about attribution given the possibility of false flags. The timing is notable: Poland's Defense Minister recently stated that Poland is not participating in the current Middle East conflict, yet the country's critical infrastructure has become a target.

This is not Poland's first infrastructure attack. In January, Russian threat group APT44 (Sandworm) attacked Poland's power grid, hitting around 30 distributed energy resource sites. An ICCT report in February placed Poland among the top targets of Russian cyber-actors, with 31 confirmed incidents between mid-2025 and early 2026.

NIS2 and Critical Infrastructure Implications

  • Nuclear sector is NIS2 essential entity. Under NIS2 Annex I, energy - including nuclear - is classified as a sector of high criticality. NCBJ's successful defense demonstrates exactly the kind of incident detection and response capabilities NIS2 mandates.
  • CER Directive physical-digital convergence. The EU's Critical Entities Resilience (CER) Directive requires critical entities to assess risks from man-made threats including cyber-attacks. A nuclear research facility attack exemplifies why the EU created dual cyber+physical resilience requirements.
  • 24-hour early warning obligation triggered. Even though NCBJ blocked the attack, NIS2 requires notification of significant incidents including near-misses that could have had a significant impact. A state-sponsored attack on nuclear infrastructure clearly meets this threshold.
  • Attribution complexity challenges response. The Iran indicators with possible false flags highlight a growing challenge: NIS2 requires proportionate response, but when attribution is uncertain, determining the appropriate response level becomes significantly more difficult.

⚡ DACH Takeaway

Germany's BSI has classified nuclear facilities under KRITIS since its inception, and NIS2 expands this to research institutions with nuclear materials. Switzerland's NCSC and Austria's national CERT should issue advisories to nuclear research facilities. The Poland attack pattern - targeting research institutes rather than power plants - suggests threat actors are probing softer targets in the nuclear sector. DACH nuclear research facilities should verify their incident detection capabilities against state-sponsored threat models.


🎮 FBI Opens Investigation into Steam Games Distributing Malware - Platform Accountability in Focus

Regulation Impact: EU Digital Services Act - Consumer Protection - Platform Accountability

The FBI's Seattle Division has formally asked gamers to come forward if they installed any of eight malicious Steam games that contained malware between May 2024 and January 2026. The affected titles - BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova - were used to steal cryptocurrency and hijack user accounts.

The investigation was sparked in part by a high-profile case: during a charity livestream, video game streamer Raivo Plavnieks lost over $32,000 in cryptocurrency after downloading BlockBlasters, a verified Steam game that initially appeared clean before malware was added post-upload.

The FBI's questionnaire focuses specifically on cryptocurrency theft, compromised accounts, and stolen funds, and asks for screenshots of communications with game promoters - indicating investigators are building cases against the distribution network.

Regulatory Implications for Digital Platforms

  • EU Digital Services Act platform obligations. Under the DSA, which applies to Steam as a very large online platform, Valve has obligations to assess and mitigate systemic risks including the dissemination of illegal content. Malware distribution through verified games represents a clear failure of content moderation.
  • Post-upload modification is the attack vector. The BlockBlasters case reveals a critical gap: games passed initial verification, then had malware added in updates. An 18-month window challenges claims of expeditious action.
  • Consumer protection across jurisdictions. The FBI investigation will likely surface victims across multiple countries. EU consumer protection laws could force Valve to disclose the full scope of affected users.
  • Supply chain security for digital distribution. Just as the EU Cyber Resilience Act addresses software supply chain security, the Steam malware case highlights that game distribution platforms are themselves software supply chains.

⚡ DACH Takeaway

Steam has massive user bases in Germany, Austria, and Switzerland. German consumer protection agencies (Verbraucherzentralen) should be monitoring this investigation for affected DACH users. The BNetzA, as Germany's DSA enforcement authority, may need to assess whether Valve's content moderation meets DSA standards.


💰 Google Pays $17 Million in Bug Bounties in 2025 - EU Cyber Resilience Act Reshapes Vulnerability Disclosure

Regulation Impact: EU Cyber Resilience Act - Coordinated Vulnerability Disclosure - NIS2

Google has revealed that it paid out over $17 million in bug bounty rewards in 2025, with more than $3.7 million going to Chrome vulnerability researchers and over $3.5 million for cloud security defects. The figures underscore the scale of the vulnerability ecosystem - and come as the EU's Cyber Resilience Act (CRA) is set to fundamentally change how organizations handle vulnerability disclosure.

The CRA, which entered into force in late 2024 with requirements phasing in through 2027, mandates that manufacturers of products with digital elements must establish coordinated vulnerability disclosure policies, report actively exploited vulnerabilities to ENISA within 24 hours, and provide security updates for the expected product lifetime.

Google's bug bounty figures are significant context: they demonstrate that a mature vulnerability disclosure program at a single company generates thousands of valid reports annually. The CRA will require similar programs from every software maker selling in the EU, including small and medium-sized enterprises.

Vulnerability Disclosure Meets Regulation

  • CRA vulnerability reporting is mandatory. Unlike current bug bounty programs, which are voluntary, the CRA makes vulnerability handling a legal requirement. Manufacturers must report actively exploited vulnerabilities to ENISA within 24 hours.
  • ENISA becomes the central node. The CRA positions ENISA as the EU's vulnerability coordination hub - a role that will require significant capacity building.
  • NIS2 amplifies the requirement. NIS2 Article 12 requires member states to establish coordinated vulnerability disclosure policies. Combined with the CRA, this creates a dual obligation.
  • Bug bounty economics will shift. As the CRA creates legal pressure to find and fix vulnerabilities, organizations without bounties may find vulnerabilities reported through regulatory channels instead.

⚡ DACH Takeaway

Germany's BSI is actively preparing CRA implementation guidance. Swiss-based software companies selling into the EU market will need to comply despite Switzerland not being an EU member. Austrian and German startups should begin establishing vulnerability disclosure policies now, before the CRA's full requirements take effect in 2027.


🚀 $80M Floods AI Agent Security in One Week - Bold Security and Onyx Security Launch from Stealth

Regulation Impact: EU AI Act - NIS2 AI Systems - DORA Operational Resilience

Two AI security startups emerged from stealth this week with $40 million each, bringing $80 million in combined funding into the nascent AI agent security market. Bold Security uses AI to turn devices into active protection agents that understand user behavior, while Onyx Security is building a control plane to help organizations oversee and govern autonomous AI agents.

The timing is not coincidental. The EU AI Act's requirements for high-risk AI systems are driving urgent demand for tools that can monitor, control, and audit AI agents in enterprise environments.

Onyx Security's focus on a control plane for autonomous AI agents directly addresses a gap the EU AI Act identified: organizations deploying high-risk AI systems must maintain human oversight capabilities and implement risk management systems.

AI Agent Governance Becomes a Market

  • EU AI Act creates the demand signal. Article 14 of the AI Act requires human oversight for high-risk AI systems. Organizations deploying AI agents that interact with critical business systems need tools to maintain that oversight.
  • NIS2 extends to AI systems in scope. When AI agents are deployed within essential or important entities, they become part of the NIS2 security perimeter.
  • DORA demands AI operational resilience. Financial institutions deploying AI agents must ensure these agents meet DORA's operational resilience requirements.
  • The $80M signal matters. Combined with OpenAI's Promptfoo acquisition earlier this week, over $100M has flowed into AI security in a single week. This is the market pricing in the regulatory certainty that the EU AI Act provides.

⚡ DACH Takeaway

The DACH region's strong financial sector (Swiss banks, German insurance, Austrian fintech) will be among the first to face combined AI Act + DORA requirements for AI agent governance. KENSAI's AI-powered security scanning already demonstrates the kind of autonomous AI agent oversight that regulators are demanding.


Is Your AI Infrastructure Regulation-Ready?

From NIS2 critical infrastructure requirements to EU AI Act agent governance, the regulatory landscape is tightening. KENSAI helps you identify vulnerabilities before regulators do.

Request a Scan →

The KENSAI Intelligence Desk publishes daily regulation roundups covering NIS2, DORA, GDPR, EU AI Act, and CRA developments. Compliance is not optional - it is infrastructure.

🛡️ Il tuo sito è sicuro?

Scopri le vulnerabilità prima degli attaccanti.

Scansiona il tuo sito gratis →

All posts · Permalink