DigiCert’s Open-Source Intelligence (OSINT) Report – January 9 – January 15, 2026


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Verizon Blames Nationwide Outage On a “Software Issue”

(TLP: CLEAR) On January 14, Verizon experienced a large-scale nationwide wireless service outage that disrupted voice, SMS, and mobile data connectivity for customers across multiple U.S. regions. According to recent reporting, the outage primarily affected Verizon’s core mobile network, causing devices to lose network registration and display “SOS only” indicators, preventing normal cellular and data communication. Reports of service degradation rapidly spread across social media and outage-tracking platforms, indicating broad geographic impact rather than a localized failure. Verizon later confirmed that the disruption was caused by an internal software issue within its network infrastructure and explicitly stated that there was no evidence of a cyberattack or malicious intrusion. The incident persisted for several hours before Verizon engineers restored service, after which the company announced it would provide account credits to impacted subscribers. While Verizon did not publicly disclose granular technical details, industry reporting suggests the root cause of the outage may have involved a failed or improperly deployed software update affecting network control or signaling functions. The outage highlights the growing complexity of modern telecommunications infrastructure, particularly as major carriers transition toward cloud-native, virtualized, and software-defined networking architectures that rely heavily on centralized orchestration and automation.

(TLP: CLEAR) Comments: The Verizon outage underscores how operational failures in highly automated telecommunications environments can have impacts comparable to a deliberate denial-of-service (DoS) attack. As carriers adopt increasingly software-driven architectures, exposure grows in two directions: the attack surface available to adversaries, and the scope for self-inflicted outages caused by configuration errors, regression bugs, or insufficient rollback safeguards. The event reinforces the need for rigorous change-management controls, staged rollouts, and real-time monitoring capable of detecting cascading failures before they propagate nationwide.

(TLP: CLEAR) Recommended best practices/regulations: IETF Best Current Practice / Request for Comments 2182, “Selection and Operation of Secondary DNS Servers”: “A major reason for having multiple servers for each zone is to allow information from the zone to be available widely and reliably to clients throughout the Internet, that is, throughout the world, even when one server is unavailable or unreachable. “Multiple servers also spread the name resolution load and improve the overall efficiency of the system by placing servers nearer to the resolvers. Those purposes are not treated further here. “With multiple servers, usually one server will be the primary server, and others will be secondary servers. Note that while some unusual configurations use multiple primary servers, that can result in data inconsistencies and is not advisable.”

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), protects mission-critical web-based operations, and UltraDNS SiteBacker, a cost-effective monitoring and failover solution that can be deployed quickly with minimal effort, helps avoid business disruptions when a monitored endpoint becomes unavailable.

Source: https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.html

Researchers Null-Route Over 550 Kimwolf and Aisuru Botnet Command Servers

(TLP: CLEAR) Security teams from Lumen Technologies’ Black Lotus Labs have null-routed traffic to more than 550 command-and-control (C2) servers that were actively managing the AISURU and Kimwolf botnets, significantly disrupting their capacity to coordinate infected devices. According to the researchers, these botnets are among the largest observed; Kimwolf alone is estimated to have infected over 2 million Android-based devices, particularly Android media players and TV boxes with exposed ADB services. The malware turns these compromised endpoints into residential proxy nodes used for high-volume distributed denial-of-service (DDoS) attacks, proxy resale services, and anonymized traffic layers for other criminal operations. Investigators also observed the operators offering proxy bandwidth in exchange for upfront payment, signaling the commercialization of botnet resources. Null-routing the C2 nodes severs the botnet’s ability to receive operational commands, issue attack targets, or update payloads. However, many compromised devices remain infected and dormant, so the botnet could rebound rapidly if the operators rebuild control channels or pivot to alternate communication methods. The disruption effort spans several months of tracking and network coordination, indicating a sustained campaign rather than a one-off takedown.
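Because the Kimwolf infections described above spread through Android devices whose ADB service is reachable over the network, the first question for a defender is whether any device on their own network answers an ADB handshake. The following is an added example, not code from the original report or from Black Lotus Labs: it builds the CNXN message an adb client opens with, parses the 24-byte ADB header of the reply, and distinguishes an adbd that demands RSA key authentication (AUTH) from one that accepts unauthenticated connections and returns its identity banner (CNXN). The sample replies, the device properties in them, and the `probe()` helper's host and port are constructed for illustration; the treatment of a zero checksum field as "checksum skipped" is an assumption about newer protocol versions.

```python
"""Recognise an exposed Android Debug Bridge daemon (adbd) from its handshake.

Added example (not from the report). adbd listens on TCP 5555 when network
debugging is enabled. Every ADB message starts with a 24-byte header of six
little-endian uint32 fields: command, arg0, arg1, data_length, data_check,
magic, where magic == command ^ 0xFFFFFFFF and data_check is the byte-sum of
the payload. A client opens with CNXN; adbd answers AUTH if it requires a key,
or CNXN carrying its identity banner if it accepts the connection as-is.
"""
import socket
import struct

ADB_HEADER = struct.Struct("<6I")
A_CNXN = 0x4E584E43          # b"CNXN" read as a little-endian uint32
A_AUTH = 0x48545541          # b"AUTH"
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096


def checksum(data: bytes) -> int:
    return sum(data) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, data: bytes = b"") -> bytes:
    header = ADB_HEADER.pack(command, arg0, arg1, len(data),
                             checksum(data), command ^ 0xFFFFFFFF)
    return header + data


def build_cnxn_probe(identity: bytes = b"host::scanner\x00") -> bytes:
    """The opening message an adb client sends: CNXN, protocol version, max payload, identity."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, identity)


def parse_message(buf: bytes):
    """Validate magic, length and checksum; return (command, arg0, arg1, payload)."""
    if len(buf) < ADB_HEADER.size:
        raise ValueError("too short for an ADB header")
    command, arg0, arg1, length, check, magic = ADB_HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("magic mismatch: not an ADB message")
    data = buf[ADB_HEADER.size:ADB_HEADER.size + length]
    if len(data) != length:
        raise ValueError("payload truncated")
    if check and check != checksum(data):   # assumption: 0 means the peer skips checksums
        raise ValueError("payload checksum mismatch")
    return command, arg0, arg1, data


def parse_identity(banner: bytes) -> dict:
    """'device::ro.product.name=X;ro.product.model=Y;...' -> dict of properties."""
    text = banner.rstrip(b"\x00").decode("utf-8", "replace")
    state, _, props = text.partition("::")
    identity = {"state": state}
    for item in filter(None, props.split(";")):
        key, _, value = item.partition("=")
        identity[key] = value
    return identity


def classify_reply(buf: bytes) -> dict:
    """Turn the first message adbd sends back into a finding."""
    command, _arg0, _arg1, data = parse_message(buf)
    if command == A_CNXN:   # no AUTH round: anyone on the network gets a shell
        return {"adb": True, "unauthenticated": True, "identity": parse_identity(data)}
    return {"adb": True, "unauthenticated": False, "identity": {}}


def probe(host: str, port: int = 5555, timeout: float = 3.0) -> dict:
    """Send the CNXN probe to a host you are authorised to test and classify the reply.
    One recv suffices for the 24-byte header plus a short banner."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_cnxn_probe())
        reply = sock.recv(ADB_HEADER.size + MAX_PAYLOAD)
    return classify_reply(reply)


# Constructed sample replies (no real device involved).
SAMPLE_BANNER = (b"device::ro.product.name=example_tv;ro.product.model=ExampleBox;"
                 b"ro.product.device=exbox;features=shell_v2,cmd\x00")
OPEN_ADBD_REPLY = build_message(A_CNXN, A_VERSION, 0x00100000, SAMPLE_BANNER)
LOCKED_ADBD_REPLY = build_message(A_AUTH, 1, 0, b"\x00" * 20)   # AUTH TOKEN with a 20-byte nonce
```

A device that answers with CNXN rather than AUTH is the condition the report describes: any host that can reach port 5555 can push and run code on it. Null-routing C2 removes the operator, not this exposure, so the inventory this produces is what remediation should work from.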

(TLP: CLEAR) Comments: The AISURU/Kimwolf ecosystem illustrates the continued industrialization of botnet operations, where infected devices are no longer used solely for single-purpose DDoS attacks but are monetized through proxy resale and modular criminal services. Null-routing campaigns represent an effective short-term containment strategy, but they do not address the systemic root cause: widespread deployment of insecure, unmanaged IoT devices with minimal patching or oversight. From an intelligence standpoint, analysts should expect rapid infrastructure migration and potential decentralization following this disruption. Continued telemetry monitoring, sinkholing, and ISP cooperation will be critical to sustaining pressure on these operators and preventing botnet recovery at scale.

(TLP: CLEAR) Recommended best practices/regulations: NIST Special Publication 800-189: “Distributed denial-of-service (DDoS) is a form of attack where the attack traffic is generated from many distributed sources to achieve a high-volume attack and directed towards an intended victim (i.e., system or server). To conduct a direct DDoS attack, the attacker typically makes use of a few powerful computers or a vast number of unsuspecting, compromised third-party devices (e.g., laptops, tablets, cell phones, Internet of Things (IoT) devices, etc.). The latter scenario is often implemented through botnets. In many DDoS attacks, the IP source addresses in the attack messages are “spoofed” to avoid traceability.”

(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.

Source: https://thehackernews.com/2026/01/kimwolf-botnet-infected-over-2-million.html

Suspected Russian DDoS Attack Disrupts ICE Agent Data Leak Site

(TLP: CLEAR) The website known as ICE List, a controversial online platform intended to publish alleged personal data on U.S. Immigration and Customs Enforcement (ICE) agents, Border Patrol agents, and supporting Department of Homeland Security (DHS) staff, was rendered inaccessible by a coordinated distributed denial-of-service (DDoS) attack; the site’s operators attributed the attack traffic to Russian IP addresses and proxies. According to reporting, the data the site intended to publish included first and last names, phone numbers, email addresses, job titles, and résumé-style biographical information on roughly 4,500 federal personnel, reportedly sourced from a DHS whistleblower who disapproved of recent law enforcement activity. Reporting indicates the operators had planned to publish the full set of records when the attack escalated, overwhelming the hosting infrastructure and knocking the site offline before widespread distribution. The attack was described as sustained and high-volume, directed at the site’s servers through proxy-masked traffic that made direct attribution difficult. ICE List’s founder stated that most attack sources appeared to be routed through proxy networks that obscured the true origin, but that a substantial share of the proxy endpoints traced back to Russian infrastructure. Supporters of the site claim the attack prevented the release of data they consider politically significant, while critics emphasize the ethical and legal consequences of doxxing federal agents.

(TLP: CLEAR) Comments: This event demonstrates how DDoS attacks are increasingly employed as tools of digital interference rather than purely financial or criminal instruments. Whether conducted by state-aligned actors or ideologically motivated hacktivists, denial-of-service activity can shape the information environment by selectively silencing platforms during critical disclosure windows. Analysts should treat such disruptions as potential indicators of geopolitical interest or influence operations, even when technical sophistication remains relatively low. Monitoring attack telemetry, amplification methods, and infrastructure reuse may provide valuable attribution signals and early warning for similar interference campaigns targeting activist, journalistic, or whistleblower platforms.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA) publication “Additional DDoS Guidance for Federal Agencies”: “Many ISPs have DDoS protections, but a dedicated DDoS protection service would likely provide more robust protections against larger or more advanced DDoS attacks. Agencies should evaluate current defenses against DDoS, verify DDoS protections are in place, and consider implementing more robust protections if the agency determines its current protections may be lacking.”

(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect is a purpose-built DDoS mitigation solution that offers comprehensive protection through on-premises hardware, cloud-based DDoS mitigation, or hybrid approaches. Tailored to meet any organizational need, Digicert’s array of DDoS Protection services include blocking DDoS attacks, redirecting DDoS attacks, and cloud DDoS prevention, ensuring the broadest and most adaptable DDoS defense services available.

Source: https://www.scworld.com/brief/suspected-russian-ddos-attack-disrupts-ice-agent-data-leak-site

Cisco Routers Knocked Out Due to CDN DNS Change

(TLP: CLEAR) In early January 2026, a minor change to the sequencing of DNS responses from Cloudflare’s 1[.]1[.]1[.]1 public resolver unexpectedly caused operational failures in a range of Cisco routers and small business switches. When Cloudflare adjusted the ordering and inclusion of DNS records for optimization purposes, downstream Cisco devices, particularly Small Business and IOS XE-based systems, entered reboot loops, logged fatal DNS client errors, and in some cases remained offline. Network administrators reported that affected routers and switches repeatedly failed to resolve DNS, triggering critical internal faults that took dependent networks completely offline. According to reporting, Cloudflare responded by rolling back the update and restoring the previous record sequencing, which temporarily resolved the widespread disruptions. The event was neither a security breach nor a coordinated attack, but it showed how even standards-compliant DNS changes can expose latent flaws in the DNS client stacks of major vendors. The incident drew parallels to past Cloudflare outages and configuration mishaps that propagated beyond their immediate environment, illustrating the systemic fragility that arises when global infrastructure providers make changes without sufficient backward-compatibility testing.

(TLP: CLEAR) Comments: Although DNS is a foundational protocol, variations in client implementation and error handling can result in significant network outages when globally used services such as content delivery networks (CDNs) and public resolvers modify their behavior. This incident underscores the importance of thorough regression testing, not only at the provider level but also among major network equipment vendors whose code may not handle edge-case DNS response formats. Intelligence and monitoring tooling should incorporate behavioral validation for critical protocols such as DNS, BGP, and HTTP, as assumptions about resilience can be misleading. For OSINT reporting, this event highlights that not all service disruptions are security incidents, but differentiating between operational fragility and malicious exploitation remains a key analytical task.
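The failure mode behind this story is a DNS client that assumes a fixed layout of the answer section. Below is an added example, not from the report or from Cisco or Cloudflare, of a response parser that follows a CNAME chain whatever order the resolver returns the records in, handles RFC 1035 name compression, and fails closed with an error rather than crashing on a malformed message. The responses it parses are constructed inline; the names and the 203.0.113.0/24 addresses are documentation examples, not real infrastructure. The source does not describe the exact change Cloudflare made, so the record-ordering difference shown here illustrates the class of change, not the specific one.

```python
"""Order-tolerant DNS answer parsing (added example, not from the report).
Collect every answer RR first, then walk the CNAME chain; malformed input
raises ValueError instead of reading past the end of the buffer."""
import struct
from typing import Dict, List, Optional, Tuple

TYPE_A, TYPE_CNAME = 1, 5

def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name, following RFC 1035 compression pointers; return
    (name, offset just past the name as it appears at `offset`)."""
    labels, end, jumped = [], offset, False
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if pointer >= offset:                        # must point backwards: no loops
                raise ValueError("forward compression pointer")
            if not jumped:
                end, jumped = offset + 2, True
            offset = pointer
            continue
        if length > 63 or offset + 1 + length > len(msg):
            raise ValueError("bad label length")
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else offset + 1)
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def parse_answers(msg: bytes) -> List[Tuple[str, int, bytes, int]]:
    """Return (owner, type, rdata, rdata_offset) for each answer-section RR."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000 or flags & 0xF:
        raise ValueError(f"not a successful response (flags=0x{flags:04x})")
    off = 12
    for _ in range(qdcount):
        _, off = read_name(msg, off)
        off += 4                                         # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated RR header")
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("truncated RDATA")
        answers.append((owner.lower(), rtype, msg[off:off + rdlen], off))
        off += rdlen
    return answers

def resolve_a(msg: bytes, qname: str) -> List[str]:
    """IPv4 addresses for qname, following CNAMEs in whatever order they arrived."""
    cnames: Dict[str, str] = {}
    addrs: Dict[str, List[str]] = {}
    for owner, rtype, rdata, rdoff in parse_answers(msg):
        if rtype == TYPE_CNAME:
            cnames[owner] = read_name(msg, rdoff)[0].lower()
        elif rtype == TYPE_A and len(rdata) == 4:
            addrs.setdefault(owner, []).append(".".join(map(str, rdata)))
    target, seen = qname.lower().rstrip(".") + ".", set()
    while target in cnames and target not in seen:       # bounded: tolerates CNAME loops
        seen.add(target)
        target = cnames[target]
    return addrs.get(target, [])

def lookup(msg: bytes, qname: str) -> Tuple[List[str], Optional[str]]:
    try:                                                 # a robust client reports, never crashes
        return resolve_a(msg, qname), None
    except ValueError as exc:
        return [], str(exc)

# Constructed responses to "www.example.com A" (documentation names, RFC 5737 addresses).
def rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 300) -> bytes:
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def response(qname: str, answers: List[bytes], ancount: Optional[int] = None) -> bytes:
    count = len(answers) if ancount is None else ancount
    header = struct.pack("!6H", 0x1234, 0x8180, 1, count, 0, 0)  # QR=1 RD=1 RA=1 NOERROR
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, 1) + b"".join(answers)

Q = b"\xc0\x0c"                                          # pointer to the question name (offset 12)
EDGE = encode_name("edge.example.net")
DIRECT = response("www.example.com", [rr(Q, TYPE_A, bytes([203, 0, 113, 10]))])
CNAME_FIRST = response("www.example.com", [rr(Q, TYPE_CNAME, EDGE),
    rr(b"\xc0\x2d", TYPE_A, bytes([203, 0, 113, 20]))])  # owner pointer into the CNAME RDATA
A_FIRST = response("www.example.com", [rr(EDGE, TYPE_A, bytes([203, 0, 113, 20])),
    rr(Q, TYPE_CNAME, EDGE)])                            # A arrives before the CNAME leading to it
BAD_COUNT = response("www.example.com", [rr(Q, TYPE_A, bytes([203, 0, 113, 10]))], ancount=2)
```

`CNAME_FIRST` and `A_FIRST` carry the same records in opposite order and resolve identically; `BAD_COUNT` claims two answers but carries one, and `lookup()` returns an error string for it where a client that trusted ANCOUNT would read past the buffer. Regression tests for an embedded DNS client should include exactly these variants.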

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev. 5, SC-22, “Architecture and Provisioning for Name/Address Resolution Service”:

  • Control: “Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.”
  • Discussion: “Systems that provide name and address resolution services include domain name system (DNS) servers. To eliminate single points of failure in systems and enhance redundancy, organizations employ at least two authoritative domain name system servers—one configured as the primary server and the other configured as the secondary server. Additionally, organizations typically deploy the servers in two geographically separated network subnetworks (i.e., not located in the same physical facility). For role separation, DNS servers with internal roles only process name and address resolution requests from within organizations (i.e., from internal clients). DNS servers with external roles only process name and address resolution information requests from clients external to organizations (i.e., on external networks, including the Internet). Organizations specify clients that can access authoritative DNS servers in certain roles (e.g., by address ranges and explicit lists).”
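Both of the recommendations cited in this report for DNS resilience, RFC 2182 above under the Verizon item and SC-22 here, reduce to checks an operator can run on a zone's NS set. The following is an added example, not from the report or the cited documents: given the zone's NS names and the addresses they resolve to (collected beforehand, for instance with `dig`), it flags too few servers, servers without address records, all servers sitting in one IPv4 /24 or IPv6 /48, and, when origin AS numbers are supplied, all servers announced from a single AS. The NS sets and AS numbers are constructed; treating one /24 or /48 as "the same subnetwork" is an assumption, and the minimum of two servers follows the SC-22 discussion.

```python
"""Audit a zone's authoritative NS set for redundancy (added example, not from
the report or the cited documents). Inputs are gathered out of band, e.g.
`dig +short NS example.com` and then `dig +short A/AAAA <nsname>`, so the
check itself runs offline."""
import ipaddress
from typing import Dict, List, Optional

# Assumption: addresses in one IPv4 /24 or IPv6 /48 count as "the same subnetwork".
SUBNET_PREFIX = {4: 24, 6: 48}

def audit_ns_set(servers: Dict[str, List[str]],
                 asns: Optional[Dict[str, int]] = None,
                 min_servers: int = 2) -> List[str]:
    """Return findings; an empty list means the NS set passed every check.
    servers: NS name -> list of A/AAAA addresses. asns: NS name -> origin AS (optional)."""
    findings: List[str] = []
    if len(servers) < min_servers:                      # SC-22: no single point of failure
        findings.append(f"only {len(servers)} authoritative server(s); at least {min_servers} expected")
    for ns, addrs in servers.items():
        if not addrs:                                   # an NS with no address is unreachable
            findings.append(f"{ns} has no A/AAAA record, so resolvers cannot reach it")
    by_family: Dict[int, list] = {4: [], 6: []}
    for addr in (a for addrs in servers.values() for a in addrs):
        ip = ipaddress.ip_address(addr)
        by_family[ip.version].append(ip)
    for family, ips in by_family.items():               # RFC 2182: servers on different networks
        if len(ips) < 2:
            continue
        nets = {ipaddress.ip_network(f"{ip}/{SUBNET_PREFIX[family]}", strict=False) for ip in ips}
        if len(nets) == 1:
            findings.append(f"all IPv{family} addresses fall in {nets.pop()}: one subnetwork, one failure domain")
    if asns:                                            # topological diversity, when AS data is available
        distinct = {asns[ns] for ns in servers if ns in asns}
        if len(distinct) == 1:
            findings.append(f"every server is announced from AS{distinct.pop()}: no topological diversity")
    return findings

# Constructed NS sets using documentation ranges (RFC 5737 IPv4, RFC 3849 IPv6, RFC 5398 ASN).
DIVERSE = {"ns1.example.net.": ["203.0.113.53", "2001:db8:1::53"],
           "ns2.example.org.": ["198.51.100.53", "2001:db8:2::53"]}
ONE_SUBNET = {"ns1.example.com.": ["203.0.113.10"],
              "ns2.example.com.": ["203.0.113.11"]}
SINGLE = {"ns1.example.com.": ["203.0.113.10"]}
ONE_AS = {ns: 64500 for ns in DIVERSE}
```

`ONE_SUBNET` is the configuration the quoted text warns against: two servers on paper, one failure domain in practice. The subnet heuristic is deliberately coarse; where route or AS data is available, pass it in through `asns` so the check reflects topology rather than address arithmetic.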

(TLP: CLEAR) DigiCert: Digicert’s authoritative DNS solution, UltraDNS, ensures that your website and other online assets are always available with our 100% uptime guarantee and industry-leading SLAs. UltraDNS offers a global platform that is highly redundant with up to 47 nodes across 6 continents.

Source: https://www.networkworld.com/article/4115128/cisco-routers-knocked-out-due-to-cloudflare-dns-change.html

UK Government Warns About Ongoing Russian Hacktivist Group Attacks

(TLP: CLEAR) The United Kingdom’s National Cyber Security Centre (NCSC) has issued an alert concerning continued malicious activity by Russian-aligned hacktivist groups, most prominently NoName057(16), which have been conducting frequent distributed denial-of-service (DDoS) attacks against UK and allied organizations. These groups, active since at least March 2022, have sustained a campaign of disruptive activity against government, local authority, and private sector online services. Their operations primarily rely on volumetric DDoS tactics designed to degrade availability, undermine public confidence in digital service delivery, and impose operational and reputational costs on targeted organizations, rather than to achieve persistent network compromise. Their tools, including the DDoSia project, rely on volunteer participation and publicly accessible attack infrastructure, allowing them to scale simple DDoS vectors without bespoke malware. The NCSC’s advisory emphasizes that although these actors lack the sophistication of state-level cyber espionage groups, they pose a persistent threat to service availability, particularly for local government and public infrastructure. Analysts note that the tactics focus on traffic volume saturation, amplification techniques, and coordinated endpoint participation, creating significant operational and mitigation burdens for defenders. The advisory also points to the financial and reputational costs of remediation and incident response, even when attacks are technically unsophisticated.

(TLP: CLEAR) Comments: Persistent hacktivist activity aligned with Russian geopolitical narratives illustrates the evolving threat landscape in which non-state actors support broader informational and influence campaigns through low-cost denial-of-service operations. Tools like DDoSia and community-driven attack frameworks lower the barrier for participation, making volumetric disruption a viable tactic even without advanced exploitation capabilities. Investigating and tracking shifts in target patterns, seasonal intensification observed around political events, and public claims of responsibility can provide valuable context for defensive prioritization. Analysts should also consider the psychological and resource impacts of repetitive disruptive activity on targeted organizations, as repeated DDoS incidents can erode confidence in digital service reliability and divert defensive resources from other priorities.

(TLP: CLEAR) Recommended best practices/regulations: UK National Cyber Security Centre “Denial of Service (DoS) Guidance”: “We recommend that you: 

  • Understand the denial-of-service mitigations that your ISP has in place on your account. If additional mitigations are available, decide whether you want them enabled on your account, or the circumstances under which you could deploy them if an attack was threatened. Examine the service’s SLA for details of any mitigation. 
  • Look into third party DDOS mitigation services that can be used to protect against network traffic-based attacks. 
  • Consider deploying a Content Delivery Network, for web-based services 
  • Understand when and how your service provider might limit your network access in order to protect their other customers. 
  • Consider using multiple service providers for some functionality” 

(TLP: CLEAR) DigiCert: Digicert UltraDDoS Protect provides proven and consistent DDoS protection for any of your assets, whether they reside in the cloud, multi-cloud, a data center, or a hybrid environment. With always-on DDoS protection, you can stop a DDoS attack instantly, and more complex DDoS attacks can be mitigated within seconds.

Source: https://www.bleepingcomputer.com/news/security/uk-govt-warns-about-ongoing-russian-hacktivist-group-attacks/


About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its Global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
