Threat Analysis: Russian State Actors, ShareFile Emergency Shutdown, and DocuSign RMM Abuse, What UK SMBs Need to Know

Threats & Attacks

Threat Analysis: Russian State Actors, ShareFile Emergency Shutdown, and DocuSign RMM Abuse, What UK SMBs Need to Know

Hello, Mauven here.

This is your Daily Threat Analysis for 13th July 2026.

Three stories today. They look like separate incidents. They are not. They share a single theme: attackers are not breaking through reinforced doors. They are walking through the ones nobody thought to lock.


Story One: The NCSC Advisory That Is Not Just About Critical Infrastructure

This morning the NCSC, alongside cybersecurity agencies from the United States, Canada, Australia, New Zealand, Germany, France, the Netherlands, and Estonia, published a joint advisory warning that Russian state-aligned threat actors are actively exploiting poorly configured and vulnerable routers to gain persistent footholds in critical infrastructure networks.

The advisory names FSB-linked actors, referred to in some sources as Static Tundra and Berserk Bear, tracking names that have appeared in reporting on Russian state cyber operations for the better part of a decade. The EU and UK have now also issued joint sanctions against GRU-linked individuals and entities as part of what is being described as the first joint cyber sanctions package between the two.

Here is what the advisory says: these actors are targeting routers at the network perimeter to establish persistent access, conduct reconnaissance, and position themselves for further operations.

Here is what the advisory does not say loudly enough: the technique works on any router. Not just the ones sitting in front of power stations and water treatment facilities. The same poorly configured Cisco or Juniper box that a managed service provider deployed for a regional law firm or an accountancy practice three years ago and has not reviewed since is, from a technical standpoint, an equally valid target. The actor’s objectives may differ. The entry point does not.

The advisory attributes this activity to Russian state actors. What that attribution does not capture is the longer history here. NCSC has been publishing guidance on router hardening and network device security for years. The Cyclops Blink advisory in 2022 covered state-sponsored compromise of network devices. The VPNFilter advisory goes back to 2018. The fact that a Nine-Eyes joint advisory is still necessary in July 2026 tells you something about how seriously organisations have taken previous guidance.

What to do if you are an SMB:

  • If your router or firewall was configured by an IT provider and you have not reviewed it since, that review is now overdue. Ask for confirmation that default credentials have been changed, unnecessary remote management interfaces are disabled, and firmware is current.
  • If you use a managed service provider, ask them directly: are our network edge devices on a patching and configuration review schedule? Get the answer in writing.
  • Disable remote management interfaces that are not actively required. If you do not know whether they are enabled, assume they are.

Story Two: Progress ShareFile, Emergency Shutdown, Unknown Threat

Progress Software, the company whose MOVEit product became a byword for supply chain compromise in 2023, has ordered an emergency shutdown of ShareFile on-premises storage zone servers.

The vendor’s stated position is that there is no evidence of unauthorised access. The vendor’s action is to shut down servers as one of the most drastic precautions available, in their own words.

Those two statements deserve to sit next to each other for a moment.

Progress has not disclosed the nature of the threat. As of publication, no CVE has been assigned and no technical details have been released. What is known is that the shutdown applies to on-premises deployments, organisations hosting their own ShareFile storage zones rather than using the cloud-managed service.

This matters for UK SMBs for two reasons. First, ShareFile has significant adoption in UK professional services, accountancy, legal, and financial advisory firms in particular use it for client document exchange. If you or your clients use ShareFile for anything sensitive, you need to know whether your deployment is affected right now, not when Progress issues a full advisory.

Second, Progress’s history is relevant context. MOVEit was being actively exploited before the vulnerability was publicly disclosed. The Cl0p ransomware group hit over 1,000 organisations before the patch cycle even began. I am not asserting that history is repeating itself here, the facts do not support that claim yet. I am noting that Progress has form for situations where the gap between “no evidence of unauthorised access” and “significant breach” proved to be shorter than the vendor initially indicated.

What to do:

  • If you run ShareFile on-premises storage zones, follow Progress’s emergency guidance immediately. Do not wait for clarification on the nature of the threat.
  • If you use ShareFile via a managed provider or the cloud service, confirm with your provider whether you are affected.
  • Review what data transits through ShareFile in your environment. If a breach is later confirmed, you want to know what your exposure is before the question is asked by clients or regulators.

Story Three: DocuSign Impersonation, RMM Tools, and the Attack That Needs No Malware

Stormshield’s threat intelligence team has documented a phishing campaign that should concern anyone who sends or receives documents for electronic signature, which, at this point, is most businesses.

The mechanics are straightforward. Victims receive a convincing DocuSign-branded phishing email or land on a fraudulent webpage. They are prompted to download what appears to be a DocuSign update or document. The payload is an MSI installer that deploys a legitimate Remote Monitoring and Management tool, specifically Atera, in the analysed cases, onto the victim’s machine.

There is no exotic malware here. No zero-day. The RMM tool is legitimate software that many managed service providers use for routine support. That is precisely the problem.

Once an RMM agent is installed and beaconing to an attacker-controlled console, the attacker has persistent remote access to the machine. They can exfiltrate data, deploy further tooling, move laterally across the network, or simply sit quietly and observe. Endpoint detection tools frequently do not flag legitimate RMM software as malicious. Firewall logs show outbound connections to software vendor infrastructure, which looks normal. The Stormshield analysis also notes the use of Telegram for tracking victim interactions, with 577 indicators identified across the campaign.

This is part of a broader trend. The NCSC published guidance on the abuse of legitimate RMM tools in 2023. The US CISA issued a joint advisory on the same topic. The fact that campaigns of this type are still running at scale in mid-2026, still catching victims, tells you everything about how seriously organisations have taken that guidance.

The DocuSign impersonation is particularly effective in professional services contexts, solicitors, accountants, consultants, where receiving a DocuSign notification is a routine daily event. The cognitive load required to scrutinise each one is high. Attackers know this.

What to do:

  • Train anyone who handles document signing workflows to verify DocuSign notifications through the DocuSign portal directly, not by clicking email links.
  • Review what RMM tools are authorised in your environment. If you do not have a definitive list, that is your starting point.
  • Check endpoint detection configuration: if your AV or EDR solution has exceptions for RMM software, review whether those exceptions are still appropriate and whether the software in question is legitimately deployed.
  • If you receive an unexpected DocuSign prompt asking you to download software or an update, treat it as malicious until proven otherwise. DocuSign does not push software updates through document signing notifications.

The Pattern Behind the Three Stories

Today’s three stories are not coincidental. Russian state actors exploiting neglected routers, a vendor ordering emergency shutdown of an on-premises file transfer product, and attackers using legitimate software to avoid detection, all three rely on the same underlying condition: organisations that have not looked closely at their own infrastructure in some time.

The NCSC advisory is aimed at critical infrastructure operators. The ShareFile shutdown affects specific on-premises deployments. The DocuSign campaign is targeting individuals in document-heavy workflows. But in each case, the question for a UK SMB is the same: when did someone last actually look at this?

If the answer is “I am not sure,” that is your action item for this week.


Before the next story: if Threat Analysis is useful to you, follow the show wherever you listen so tomorrow’s briefing lands automatically, and pass it to someone in your network who needs the heads-up. The people who most need this information are often the ones least likely to go looking for it.


Sources

SourceTitleURL
NCSCUK and Allies urge critical sectors to improve defences against Russian intelligence targetinghttps://www.ncsc.gov.uk/news/uk-and-allies-urge-critical-sectors-to-improve-defences-against-russian-intelligence-targeting
BleepingComputerUS and allies warn of Russian critical infrastructure attackshttps://www.bleepingcomputer.com/news/security/us-and-allies-share-defense-tips-against-russian-hackers-targeting-critical-infrastructure/
The RegisterProgress orders emergency ShareFile server shutdown over mystery security threathttps://www.theregister.com/security/2026/07/13/progress-orders-emergency-sharefile-server-shutdown-over-mystery-security-threat/5270281
Stormshield CTISign here… and install an unwanted RMMhttps://www.stormshield.com/news/cti-phishing-campaign-rmm-installation/
BleepingComputerEU sanctions Russian GRU military hackers over cyberattackshttps://www.bleepingcomputer.com/news/security/eu-and-uk-hit-russia-with-first-joint-cyber-sanctions-package/
BleepingComputerUK charges suspects linked to Russian Coms call spoofing platformhttps://www.bleepingcomputer.com/news/security/uk-charges-suspects-linked-to-russian-coms-call-spoofing-platform/

Filed under

  • nation-state-attacks
  • uk-business
  • smb-security
  • remote-access
  • supply-chain-risk
  • social-engineering
  • incident-response