剣 KENSAI
← All posts · security · 2026-03-14 · 8 min

Poland Nuclear Research Centre Targeted by Iran-Linked Hackers, FBI Investigates Steam Malware Games, Google Pays $17M in Bug Bounties, $80M Pours into AI Agent Security

Iran-linked hackers target Poland’s nuclear research centre in an attack intercepted before impact — a direct test of NIS2 critical infrastructure defenses. The FBI opens a formal investigation into malware-laden Steam games that stole cryptocurrency. Google reveals $17M in 2025 bug bounty payouts as the EU Cyber Resilience Act reshapes vulnerability disclosure. And $80M flows into two AI agent security startups in a single week.


🔬 Poland Nuclear Research Centre Targeted by Iran-Linked Hackers - NIS2 Critical Infrastructure Under Fire

⚠️ CRITICAL INFRASTRUCTURE - NUCLEAR SECTOR

Poland's National Centre for Nuclear Research (NCBJ), which operates the country's only nuclear reactor (MARIA), detected and blocked a cyberattack on its IT infrastructure. Polish authorities found indicators pointing to Iran, though investigators caution these could be false flags. The MARIA reactor continues operating safely.

Regulation Impact: NIS2 - CER Directive - Nuclear Safety - EU Cyber Diplomacy

Poland's National Centre for Nuclear Research (NCBJ) this week confirmed that hackers targeted its IT infrastructure in what appears to be a state-sponsored attack. The institute's security systems detected the intrusion early, and internal teams blocked the attack before any systems were compromised. The MARIA reactor - Poland's only nuclear reactor, used for scientific research and medical isotope production - continued operating at full power throughout.

Reuters reported that Polish investigators found indicators suggesting Iran may be behind the attack, though officials are cautious about attribution given the possibility of false flags. The timing is notable: Poland's Defense Minister recently stated that Poland is not participating in the current Middle East conflict, yet the country's critical infrastructure has become a target.

This is not Poland's first infrastructure attack. In January, Russian threat group APT44 (Sandworm) attacked Poland's power grid, hitting around 30 distributed energy resource sites. An ICCT report in February placed Poland among the top targets of Russian cyber-actors, with 31 confirmed incidents between mid-2025 and early 2026.

NIS2 and Critical Infrastructure Implications

⚡ DACH Takeaway

Germany's BSI has classified nuclear facilities under KRITIS since its inception, and NIS2 expands this to research institutions with nuclear materials. Switzerland's NCSC and Austria's national CERT should issue advisories to nuclear research facilities. The Poland attack pattern - targeting research institutes rather than power plants - suggests threat actors are probing softer targets in the nuclear sector. DACH nuclear research facilities should verify their incident detection capabilities against state-sponsored threat models.


🎮 FBI Opens Investigation into Steam Games Distributing Malware - Platform Accountability in Focus

Regulation Impact: EU Digital Services Act - Consumer Protection - Platform Accountability

The FBI's Seattle Division has formally asked gamers to come forward if they installed any of eight malicious Steam games that contained malware between May 2024 and January 2026. The affected titles - BlockBlasters, Chemia, Dashverse/DashFPS, Lampy, Lunara, PirateFi, and Tokenova - were used to steal cryptocurrency and hijack user accounts.

The investigation was sparked in part by a high-profile case: during a charity livestream, video game streamer Raivo Plavnieks lost over $32,000 in cryptocurrency after downloading BlockBlasters, a verified Steam game that initially appeared clean before malware was added post-upload.

The FBI's questionnaire focuses specifically on cryptocurrency theft, compromised accounts, and stolen funds, and asks for screenshots of communications with game promoters - indicating investigators are building cases against the distribution network.

Regulatory Implications for Digital Platforms

⚡ DACH Takeaway

Steam has massive user bases in Germany, Austria, and Switzerland. German consumer protection agencies (Verbraucherzentralen) should be monitoring this investigation for affected DACH users. The BNetzA, as Germany's DSA enforcement authority, may need to assess whether Valve's content moderation meets DSA standards.


💰 Google Pays $17 Million in Bug Bounties in 2025 - EU Cyber Resilience Act Reshapes Vulnerability Disclosure

Regulation Impact: EU Cyber Resilience Act - Coordinated Vulnerability Disclosure - NIS2

Google has revealed that it paid out over $17 million in bug bounty rewards in 2025, with more than $3.7 million going to Chrome vulnerability researchers and over $3.5 million for cloud security defects. The figures underscore the scale of the vulnerability ecosystem - and come as the EU's Cyber Resilience Act (CRA) is set to fundamentally change how organizations handle vulnerability disclosure.

The CRA, which entered into force in late 2024 with requirements phasing in through 2027, mandates that manufacturers of products with digital elements must establish coordinated vulnerability disclosure policies, report actively exploited vulnerabilities to ENISA within 24 hours, and provide security updates for the expected product lifetime.

Google's bug bounty figures are significant context: they demonstrate that a mature vulnerability disclosure program at a single company generates thousands of valid reports annually. The CRA will require similar programs from every software maker selling in the EU, including small and medium-sized enterprises.

Vulnerability Disclosure Meets Regulation

⚡ DACH Takeaway

Germany's BSI is actively preparing CRA implementation guidance. Swiss-based software companies selling into the EU market will need to comply despite Switzerland not being an EU member. Austrian and German startups should begin establishing vulnerability disclosure policies now, before the CRA's full requirements take effect in 2027.


🚀 $80M Floods AI Agent Security in One Week - Bold Security and Onyx Security Launch from Stealth

Regulation Impact: EU AI Act - NIS2 AI Systems - DORA Operational Resilience

Two AI security startups emerged from stealth this week with $40 million each, bringing $80 million in combined funding into the nascent AI agent security market. Bold Security uses AI to turn devices into active protection agents that understand user behavior, while Onyx Security is building a control plane to help organizations oversee and govern autonomous AI agents.

The timing is not coincidental. The EU AI Act's requirements for high-risk AI systems are driving urgent demand for tools that can monitor, control, and audit AI agents in enterprise environments.

Onyx Security's focus on a control plane for autonomous AI agents directly addresses a gap the EU AI Act identified: organizations deploying high-risk AI systems must maintain human oversight capabilities and implement risk management systems.

AI Agent Governance Becomes a Market

⚡ DACH Takeaway

The DACH region's strong financial sector (Swiss banks, German insurance, Austrian fintech) will be among the first to face combined AI Act + DORA requirements for AI agent governance. KENSAI's AI-powered security scanning already demonstrates the kind of autonomous AI agent oversight that regulators are demanding.