Brandsit

Tag: Cyberattacks

  • Why are AI agents becoming the target of cyber attacks? Trend overview 2026

    Why are AI agents becoming the target of cyber attacks? Trend overview 2026

    Over the past eighteen months, the enterprise sector has moved from a fascination with generative artificial intelligence to a phase of actively implementing it into operational processes. A key trend in this evolution is the shift from passive language models (LLMs) to AI agents – autonomous systems capable not only of generating text but also of performing tasks: writing code, managing email communications, calling APIs or authorising financial transactions. With this agility, however, comes a critical new category of threats: Indirect Prompt Injection (IPI). Recent data from reports by Google and Forcepoint shed new light on the scale and sophistication of these attacks, suggesting that agent systems security will become one of the biggest challenges for chief information security officers (CISOs) in the coming years.

    IPI mechanism: Data as instructions

    Traditional prompt injection attacks relied on direct manipulation of the model by the user (e.g. attempting to ‘jailbreak’ a bot by giving it the command to ignore security). Indirect Prompt Injection is a much more insidious phenomenon. It involves inserting malicious instructions into content that the AI agent processes as input – this could be web pages, PDF documents, emails or code repositories.

    The problem lies in the very architecture of current LLM models, which cannot absolutely separate system instructions (issued by the tool developer) from external data. When an AI agent analyses a web page in search of information, it may come across hidden text, which the model will interpret as a new overarching command. As a result, the attacker takes control of the agent’s logic, instructing it to, for example, send sensitive data to an external server or perform a destructive operation on the user’s file system.

    Analysis of market trends

    Google Security Research researchers, analysing CommonCrawl resources, point to an alarming trend. Between November 2025 and February 2026, there was a 32 per cent increase in the number of detected malicious injection attempts in publicly accessible web resources. This relatively short time frame demonstrates the dynamism with which the criminal community is adapting to new technologies.

    From a market perspective, Google’s observation on cost-benefit calculus is key. Until recently, IPI attacks were considered the realm of academic research – they were difficult to implement and often failed due to the instability of the results generated by AI. Now, with the increased reliability and agility of agents, these attacks are becoming ‘viable’. AI’s ability to autonomously call external tools (tool calling) means that a successful injection of instructions has an immediate and measurable financial or operational impact.

    The Google study allowed the current IPI trials to be categorised into five groups:

    1. Harmless jokes: Attempts to change the tone of an agent’s response.
    2. Helpful tips: Suggesting preferential answers to the model (often on the edge of ethics).
    3. Optimisation for AI (AI-SEO):Hidden phrases to position products in assistants’ responses.
    4. Deterring agents: Instructions prohibiting AI from indexing or summarising a particular page.
    5. Malicious attacks: Data exfiltration and sabotage (deletion of files, destruction of backups).

    Although the latter are often at an experimental stage at present, their increasing complexity suggests that it is only a matter of time before they enter the phase of mass attacks.

    From coding assistants to financial transactions

    The Forcepoint report provides concrete evidence of how IPI manifests itself in professional software and financial tools. Experts have identified ten verified indicators of attacks targeting popular tools such as GitHub Copilot, Cursor and Claude Code.

    The attack scenario is mundane: a programmer uses an AI agent to analyse a library or documentation on an external site. This site contains a hidden AI instruction. When the agent ‘reads’ the site, it is instructed to execute a command in the terminal that destroys local backups. Since the agent has permission to operate on the file system (which is essential in a programmer’s job), the command can be executed without additional verification.

    Even more dangerous are attempts at financial fraud. Forcepoint points to cases where complete transaction instructions are sewn into web content, e.g. PayPal.me links with a predefined amount along with step-by-step instructions on how the agent is to finalise the payment. In systems where AI has access to digital wallets or corporate payment systems, the risk of capital loss becomes immediate.

    The paradox of detection and the challenges for business

    One of the most worrying findings from the Forcepoint report is the so-called detection paradox. The phrases and keywords used by attackers to inject hints are identical to the terminology the cyber security community uses to describe and analyse these threats. This renders simple filters based on word blacklists ineffective – either blocking legitimate expert communications or letting intelligently worded attacks through.

  • 14,000 cyber attacks in three months: Why is the 1970s protocol still a big risk for the industry?

    14,000 cyber attacks in three months: Why is the 1970s protocol still a big risk for the industry?

    The security of modern factories and power plants still relies on technology from almost half a century ago, which is becoming a growing concern for global business. The latest report from experts at Cato Networks warns of a wave of cyber attacks targeting industrial controllers (PLCs). Hackers are taking advantage of the fact that the widely used Modbus protocol was developed in the 1970s and has no security features – for someone who knows how to use it, taking control of a networked machine is worryingly easy today.

    Modbus, a communication protocol developed in 1979, is in the spotlight. At the time of its creation, no one assumed that industrial controllers (PLCs) would ever be connected to the public Internet. Modbus was designed with trusted, isolated internal networks in mind. As a result, it was completely devoid of the mechanisms we recognise as elementary today: encryption and authentication. This openness, once an advantage to facilitate system integration, has become an invitation to hackers.

    The scale of the problem is illustrated by data collected by a team led by Dr Guy Waizel and Jacob Osmani. Over just three months in autumn 2025, they identified coordinated activity targeting PLCs, involving more than 14,000 attacked IP addresses in 70 countries. These are not isolated incidents, but a systematic mapping of global industry vulnerabilities.

    The attackers’ strategy is multi-layered and precise. Most of the identified interactions – more than 235,000 requests – involved so-called data extraction. The hackers do not immediately try to destroy machines; instead, they quietly read the contents of registers, learning about process parameters and device configuration. The next step is to ‘fingerprint’ the hardware. By knowing the manufacturer and software version, criminals can match specific security vulnerabilities to a particular machine.

    What starts as innocent information gathering can quickly turn into a catastrophic scenario. To understand the real risks, Cato Networks experts ran a simulation on the Wildcat-Dam project. They demonstrated that, with just a laptop and access to the unsecured Modbus protocol, they were able to take control of the digital logic of the firewall. By manipulating register values, the researchers caused an artificial flood, overriding security limits and remotely opening the dam’s gates.

    The geography of the attacks coincides with the map of global industrial powers. The United States, France and Japan have been the main targets, together accounting for 61 per cent of incidents. It is also worrying that attackers are not confined to one industry. Although the manufacturing sector is the most common victim, traces of intrusion have been found in healthcare facilities, construction and even urban infrastructure management systems. What emerges is a picture of opportunistic hacking: attackers are looking for any available controller that has been recklessly exposed to the public network.

    Technical analysis suggests that some of this activity is coming from infrastructure located in China, although the identity of the actors remains hidden behind intermediary server systems. For business decision-makers, however, the key conclusion is not to identify a specific culprit, but to realise a structural flaw in their own systems.

  • Iran war hits financial sector. 245% increase in cyber attacks in Akamai report

    Iran war hits financial sector. 245% increase in cyber attacks in Akamai report

    In classical military doctrine, a kinetic strike is preceded by a phase of prolonged and painstaking reconnaissance. Drones appear over enemy territory and electronic intelligence maps the location of key communication nodes. In digital reality, this process is accelerated and almost completely automated, blurring the lines between peacetime and hybrid warfare states. The latest data provided by Akamai, showing an unprecedented 245 per cent increase in malicious internet traffic linked to tensions over Iran, demonstrates that the European and global business sector has become an active, though often unwitting, training ground for big politics.

    This phenomenon should not be interpreted merely in terms of incidental hacking attacks. The scale and nature of the recorded activity suggest an intelligence operation on a massive scale. Instead of spectacular but short-lived acts of sabotage, what is being observed is a systematic ‘tug on the handles’ of digital infrastructure. Botnets based on advanced algorithms are constantly scanning ports, searching for open services and cataloguing security vulnerabilities. This phenomenon can be described as digital asset mapping. For operators, this means that every publicly accessible element of their IT architecture has most likely already been included in the databases of geopolitically inspired actors. The aim is not immediate destruction, but to create a precise map of targets to be used when political tensions reach a critical point.

    The logistics of these activities provide a picture of the extremely complex nature of contemporary threats. Although the political vector points to Tehran, the digital footprints lead to infrastructure located in Russia and China. More than a third of malicious traffic operates via Russian proxy servers, creating a kind of infrastructure of impunity. The use of systems located in countries that rarely co-operate with Western cybercrime law enforcement agencies allows attackers to almost completely obliterate attribution trails. In this context, the origin of the IP address ceases to be a reliable indicator of the location of the aggressor, becoming merely an element in a complex game of appearances. The conclusion for business decision-makers is that traditional traffic filtering methods based solely on geographical blacklists are becoming an inadequate tool against an adversary with such a deep logistical base.

    Of particular concern is the fact that the financial sector and the thriving fintech industry have become the main targets. Four out of ten recorded attacks targeted banking institutions. This choice is no accident. The financial system is the lifeblood of the modern economy, and customer confidence in the stability of their funds is the foundation of social order. The paralysis of a transaction system or the massive leakage of access data generates consequences far more severe and long-term than the destruction of physical infrastructure. The case of the US financial institution, which had to fend off 13 million packets of data coming from the Iranian direction in a short period of time, shows that we are dealing with attempts to create a digital shock that has a direct impact on the operational stability of entire countries.

    The concept of digital isolationism, or geofencing, is gaining ground as a pragmatic risk management strategy. The suggestion by experts to completely prevent access to key services from regions in which an organisation has no real business appears to be a rational response to the asymmetry of modern conflicts. There may be resistance to this approach, but from a capital security and data protection perspective, minimising points of contact with potentially hostile environments is a purely economic decision. Keeping infrastructure fully accessible to regions that generate only harmful traffic is a cost that becomes difficult to justify to shareholders and regulators in the current geopolitical situation.

    The role of boards of directors and chief operating officers in this process is evolving. Cyber security has become an integral part of political and strategic risk analysis. The realisation that the 245% increase in botnet activity is not information hype, but a precise preparatory exercise, is changing the way infrastructure protection investments are viewed. They are no longer just a fail-safe policy, but an essential part of defending against the effects of global political reshuffling.

    To summarise the scale of the challenges facing modern business, it is important to acknowledge that in the digital space, the first shot in the conflict with Iran has long since been fired. It was every automated port scan, every password collected and every data packet blocked as part of the shockwave that has been recorded in recent months. The adversary is not waiting for an official declaration of war; he is already there, patiently mapping resources and looking for the weakest link. For the organisation, the key question becomes how much of an unreadable and difficult-to-fix picture of their own structure they will present to those who are secretly watching their every digital move. In this game of survival, the advantage will be gained by those who are able to turn cold statistical data into a far-sighted strategy for protecting their own digital sovereignty.

  • Cyber attack on Poland’s only nuclear reactor Maria

    Cyber attack on Poland’s only nuclear reactor Maria

    The Polish National Centre for Nuclear Research has reported the successful thwarting of a targeted cyber attack on its IT infrastructure. Early detection systems and internal security procedures allowed IT staff to quickly isolate the threat before the integrity of key operating systems was compromised.

    The Institute plays a strategic role in Poland’s nuclear power programme, providing technical and scientific support to national infrastructure projects. NCBJ Director Professor Jakub Kupecki confirmed that the incident had no impact on the operation of Poland’s only research nuclear reactor MARIA. The unit, used for scientific purposes and medical isotope production, continues to operate at full power in safe operational mode.

    Although no official attribution of the attack has been made by the NCBJ authorities, there are reports in the public space of a possible Iranian trail. Investigators, however, are far from cautious, pointing to the high probability of a ‘false flag’ operation aimed at disinformation and misidentification of the perpetrators. The situation is part of a wider trend of increased cyber activity targeting Poland, as evidenced by data on last year’s attacks by the Russian group APT44 (Sandworm) on distributed and renewable energy systems.

    According to the latest analytical reports, Poland has become one of the main targets for state cyber actors in the region, recording more than 30 major incidents in the past few months. In response to the recent incident in Świerk, the country’s cyber security services have been placed on high alert. NCBJ continues to work closely with law enforcement agencies to fully explain the mechanism of the attack and strengthen the resilience of critical research assets.

  • Operation BRICKSTORM: When code becomes the target of a cyber attack and trust becomes the most expensive currency

    Operation BRICKSTORM: When code becomes the target of a cyber attack and trust becomes the most expensive currency

    In the classic iconography of cybercrime, the image of the attacker has evolved from the masked amateur hacker to organised crime groups paralysing hospitals for ransom. But the latest data flowing from the Google Threat Intelligence Group’ s 2025 report points to the birth of a new, much more sophisticated era. It is a time when the traditional ‘bank robbery’ – understood as the theft of personal data or outright theft of funds – is giving way to deeply strategic operations. In this new threat landscape, Operation BRICKSTORM is becoming a symbol of change. The attackers are no longer interested only in the contents of the vault; their targets have become the structural plans of the building itself, the schematics of the alarm systems and the fingerprints of the guards.

    Infrastructure as a soft underbelly

    For years, the cyber security narrative has centred around human error. Phishing and social engineering were cited as the main infection vectors, shifting the burden of responsibility to employee training and end-user vigilance. However, 2025 brings a brutal verification of these assumptions. Of the documented ninety zero-day vulnerabilities exploited in the past year, almost half – a record 48 per cent – targeted corporate technologies directly.

    A particular battleground has become edge devices and network products, which are often a kind of ‘no-man’s land’ in modern IT architecture. These devices, although crucial to business continuity, are rarely equipped with advanced detection and response mechanisms such as EDR systems. For espionage groups, especially those linked to state decision-making centres, they have become an ideal entry point. Exploiting a security vulnerability has now become the most common path of first penetration, overtaking even stolen credentials or social engineering attacks in the statistics.

    Strategic Theft: The Anatomy of a BRICKSTORM Operation

    Among the many incidents recorded in the autumn of 2025, Operation BRICKSTORM stands out as heralding a new trend in industrial espionage. Attributed to Chinese state actors, the activities were not limited to the routine collection of customer data. Their targeting vector was intellectual property in its purest form: source code and proprietary software documentation.

    From a business perspective, such a shift in priorities in attackers is a wake-up call of the highest order. After all, stealing source code is not a one-off loss; it is a process that allows attackers to carry out extremely precise reverse engineering. With an insight into the software architecture, groups such as UNC3886 can identify further vulnerabilities, not yet known to anyone, for future operations. This is a mechanism for building a long-term advantage, in which the victim not only loses their unique know-how, but becomes an unwitting testing ground for the next generation of exploits.

    Cascading risks and erosion of market confidence

    Source Kd is the foundation of market valuation and a guarantor of customer confidence. BRICKSTORM incidents carry a cascading risk that extends far beyond the walls of the attacked organisation. Once a technology provider loses control of its blueprints, the threat spills over to the entire ecosystem of its customers. The attacked company becomes, in this set-up, ‘patient zero’ in an epidemic of supply chain attacks.

    It is worth noting that knowledge of upcoming updates, planned functionalities or specific encryption methods contained in the software documentation allows competitors – or hostile state actors – to completely neutralise a brand’s innovative advantage. Product security thus ceases to be a mere technical issue and becomes an integral part of a market survival strategy. The loss of Intellectual Property is often irreversible, and its effects may only manifest themselves in the financial sheets after several years, when competitors manage to implement solutions based on stolen knowledge.

    Commercial zero-day market

    An extremely significant element of the landscape described by Google is the change in the authorship structure of attacks. For the first time in the history of observation, more zero-day vulnerabilities were attributed to commercial surveillance software providers than to classic state-sponsored groups. This phenomenon can be called the democratisation of advanced cyber defence. These entities are selling their services to both governments and private customers, drastically lowering the barrier to entry into the world of the most sophisticated hacking operations.

    From the point of view of the business decision-maker, this means that the profile of the potential adversary has blurred. The threat no longer flows only from the direction of the big powers, but can be funded by any market player who decides to purchase a ready-made ‘surveillance package’. The increase in financially motivated attacks, including those leading to the use of ransomware, confirms that zero-day vulnerabilities have become a common commodity and their exploitation a standard tool in the arsenal of modern economic crime.

    Beyond the limits of the fort

    Since the statistics clearly show the ineffectiveness of the traditional perimeter protection approach, a redefinition of security strategy becomes necessary. Focusing on building ever-higher walls around an organisation makes no sense when almost half of all attacks hit the very foundations of these walls – that is, the network infrastructure and VPN devices.

    The defence strategy should be based on deep value segmentation. Key resources, such as source code repositories, require isolation beyond standard procedures. It becomes necessary to implement a paradigm of limited trust (Zero Trust) not only at the user level, but above all at the level of machine-to-machine communication processes. Monitoring for anomalies inside the network must become a priority, because it is there, in the silence of edge devices, that attackers such as those in BRICKSTORM operations build their long-term presence.

    Arbitrator in the arms race

    In the report described, artificial intelligence is emerging as an accelerator of activity on both sides of the barricade. Attackers are using AI to automate the process of finding vulnerabilities and scaling attacks, reducing the time between the publication of a new technology and its first exploitation to almost zero. In this context, traditional vulnerability management, based on cyclical audits, is becoming an anachronism.

    The only real answer seems to be the use of AI agent-based systems that proactively and autonomously scour their own infrastructure and source code for bugs before they are spotted by an adversary. The race for security in 2026 therefore becomes largely a technological race to see who can integrate intelligent automation into their processes faster and more efficiently. The human role in this set-up is evolving from that of a security operator to a strategist who sets priorities for autonomous defence systems.

  • Cyber attack on hospital in Szczecin, Poland: IT systems paralysed

    Cyber attack on hospital in Szczecin, Poland: IT systems paralysed

    During the night between Saturday and Sunday, hackers infected the IT infrastructure of the Independent Public Regional Hospital in Szczecin, encrypting key data resources. The facility’s response was immediate, but the transition of all wards to the traditional way of keeping medical records drastically increased service times. While the administration assures patients’ lives and health remain safe, the call to other facilities in the region is a clear admission that the operational efficiency of the institution has been severely compromised.

    From a crisis management perspective, the incident sheds light on critical systems architecture, where ‘failure mode’ becomes the only safety net in the face of digital paralysis. For business and technology leaders, the situation in Szczecin is a case study in how resilience is not just about having backups, but the ability to keep processes running smoothly in the face of a complete network cut-off. The cost of such a backward transformation is enormous – from logistical chaos to the risk of loss of continuity of care.

    Management’s current priority remains the recovery of blocked resources, which in the reality of encryption attacks is an arduous process and requires close cooperation with the services. This event emphatically demonstrates that in the mission-critical services sector, cyber security has ceased to be the domain of technical departments alone, becoming fundamental to business continuity. Without investment in advanced network segmentation and rapid response mechanisms, any organisation runs the risk that one weekend incident will set its working standards back by decades.

  • New threat hierarchy: Cyber attacks dominate the G7 countries

    New threat hierarchy: Cyber attacks dominate the G7 countries

    This year’s Munich Security Report 2026 paints a picture of a world in which the traditional sense of stability is giving way to a new triad of threats: cyber attacks, financial instability and precision disinformation. The Munich Security Index data leaves no illusions – for G7 economic leaders, it is not climate change but digital security that has become an existential priority.

    As recently as 2022, cyber attacks ranked seventh in the list of concerns. Today, for the second year in a row, they dominate the top of the list. The trend is particularly pronounced in Germany, the UK and Japan, where more than 70% of respondents cite digital impacts as a key state risk. For the business sector, this sends a clear message: cyber security is no longer the domain of IT departments and has become the cornerstone of business continuity management strategies.

    An interesting divergence is being drawn between the rich West and the BICS group (Brazil, India, China, South Africa). While the G7 focuses on critical infrastructure and monetary stability, the BICS countries invariably see climate change as the biggest threat, pushing cyber issues to the background. This divergence of priorities may hinder the development of global standards for data protection and regulation of artificial intelligence in the coming years.

    Speaking of AI, it is worth noting the surge in concerns about autonomous robots and algorithms. In just five years, this area of risk has risen twelve places in the overall ranking. This is a reflection of concern about the pace of deployment of a technology that, while promising to increase efficiency, is also becoming a tool in the hands of ‘hostile actors’ for disinformation campaigns.

    The report also points to growing geopolitical tensions. While Russia remains the main focal point in the external threat category, there is growing scepticism about the role of the US, which is particularly evident within the US itself. Respondents there, along with India and the UK, are the only ones who believe that the overall level of risk has increased compared to last year, indicating a growing polarisation and erosion of democratic processes.

  • Russian military intelligence was behind December’s cyber attack on Poland’s critical infrastructure

    Russian military intelligence was behind December’s cyber attack on Poland’s critical infrastructure

    The December attempt to paralyse the Polish electricity system, attributed by ESET analysts to the Russian group Sandworm, is a critical point of reference for utility leaders in Central Europe. Although Prime Minister Donald Tusk and the Ministry of Climate and Environment confirmed that the integrity of the grid was preserved, the operation exposes a new risk dynamic in the region.

    According to the findings of experts from Slovakia-based ESET, the attackers used a tool called DynoWiper. This is wiper software whose sole purpose is to irretrievably destroy data on infected workstations, rendering control systems useless in practice. The technical coincidence of the code with previous operations of Sandworm – a unit directly linked to the Russian military intelligence service GRU – leaves no illusions about the intentions: the aim was not to steal data, but to cause a physical blackout.

    For executives, the temporal context is crucial. The attack came exactly on the tenth anniversary of the same group’s strike on Ukraine’s power grid, which went down in history as the first case of digital blackout. The fact that Poland – a key logistics hub for Ukraine – became the target of such an aggressive operation suggests that the critical infrastructure of NATO countries is no longer a ‘no-go zone’ for destructive cyber activities.

    From a business perspective, the incident is forcing a revision of the resilience strategy. The successful defence of the Polish system, described by Minister Milosz Motyka as the most serious test in years, proves that investments in network segmentation and advanced traffic analytics are yielding a real return. However, the emergence of DynoWiper signals that traditional backup systems may be insufficient if recovery processes are not fully isolated from the core operational infrastructure.

  • Logitech confirms attack. Customer and employee data at risk after Oracle vulnerability

    Logitech confirms attack. Customer and employee data at risk after Oracle vulnerability

    Logitech, one of the leading manufacturers of peripherals, has joined the growing list of victims of cybercrime group Clop. The company has confirmed that it was the victim of a hack enabled by a zero-day vulnerability in software provided by an external company. The incident is part of a wider campaign of supply chain attacks targeting users of the popular business suite.

    The source of the problem turned out to be a critical vulnerability in the Oracle E-Business Suite (EBS) software used by Logitech. Hackers from the Clop group identified and exploited the bug before Oracle had time to patch it. Although Logitech implemented the required patch as soon as it was made available, it turned out that it was too late to respond – the attackers had managed to infiltrate the systems and exfiltrate the data.

    The company acknowledges that information has been stolen, but seeks to tone down concerns. According to the official position, the leak is likely to relate to “limited information” about employees, customers and suppliers. Logitech stresses that at this stage of the investigation, there is no evidence that sensitive data such as ID numbers or credit card details have fallen into the hands of criminals. However, it is unclear exactly what data set was compromised; similar cases often involve email addresses and phone numbers.

    The Clop group, known for its high-profile attacks (including on MOVEit software), has publicly admitted to the hack and claims to be in possession of as much as 1.8TB of manufacturer data.

    Despite the seriousness of the incident, Logitech does not expect the intrusion to have a material negative impact on its financial results. The company’s management has advised that the costs associated with the response to the incident and its aftermath should be fully covered by its cyber insurance.

  • EY’s 4TB backup leak. What this incident teaches

    EY’s 4TB backup leak. What this incident teaches

    Some 4TB of EY’s database backup was publicly available online. For now, there is no confirmation of exactly what data was in the collection, but the scale of the disclosed volume is enough to set off another wave of discussion in the industry about what is usually neglected: the security of backups.

    For years, the cybersec market has focused on attacks and infiltrations of production systems. Meanwhile, backups are often full, 1:1 representations of running instances: not just tables, but also code, access tokens, API keys and configurations. The EY case demonstrates the mechanics of many high-profile incidents in recent months – no need for zero-day vulnerabilities, no need for advanced APT groups. All you need is a misaligned permission in a bucket or a snapshot with default permissions.

    Industry reports confirm the scale of the problem. Wiz Security calculated that in AWS alone, the number of misconfigured S3 resources grew at a double-digit rate quarter-on-quarter in 2024. Gartner predicts that by 2027, as many as 60 per cent of cloud incidents will be due to configuration errors rather than security breaches. For corporate security departments, this means one thing: the battle is no longer over the next EDR layer, but over control of the entire XaaS configuration.

    This is not a sensitive topic only for hyperscalers. There is no shortage of organisations that maintain backups based on a hybrid of simple NAS storage, public cloud and repositories inherited from previous generations of systems. Any such component is a potential back door if it is not subject to the same standards as the production environment: encryption, zero trust access, identity control, near real-time alerting.

    Interestingly, it is no longer about the backup itself. New XDR and posture management tools are starting to treat backup as a normal, active part of the attack surface. They are monitoring the configuration of Microsoft 365 services, analysing key exposure, scanning tokens in snapshots, looking for redundant role permissions and accounts that could serve as a pivot.

    The biggest lesson from the EY incident is paradoxically minimal: backup is not a neutral entity. It is a full-fledged asset, often more important than production, because it contains the completeness of data and the complete history of processes. A single mistake in backup exposure can undo years of investment in security and re-align the accents in the strategies of CISOs across the market, including in Poland. Proactive configuration audits and control automation are as critical a part of cyber hygiene today as the defence tools themselves.

    Update:

    In response to the above publication, we have received an official comment from EY, the content of which we publish below in its entirety:
    “Several months ago, EY became aware of a possible data breach and immediately implemented appropriate procedures. No customer information, personal data, or confidential company data was compromised. The situation did not involve EY Poland. It was related to an entity acquired by EY in Italy, which was not connected to EY’s global cloud or systems.”

  • F5 hacking attack. The giant admits: Breach will hurt demand.

    F5 hacking attack. The giant admits: Breach will hurt demand.

    F5 is facing serious consequences from its own security incident. On Monday, the company warned investors that a recent, deep breach of its systems would hurt demand and provided annual revenue forecasts below Wall Street expectations. The market reacted immediately, with the company’s shares down 5.8 per cent in after-hours trading.

    At the heart of the problem is an incident disclosed earlier this month in which hackers gained ‘long-term, persistent access’ to F5’s systems. Most worryingly, this access included source code for one of the company’s key security services. As Reuters reported, citing sources close to the investigation, Chinese-backed hackers may be behind the attack.

    The scale of the breach has caused alarm at the highest levels. Officials in the US and UK warned that federal networks were among the targets of attackers in the wake of the hack, calling for immediate action.

    Now F5 admits that this image crisis will translate into finances. The company officially anticipates “short-term disruptions to sales cycles” as its customers – mainly users of the BIG-IP platform – put their purchasing decisions on hold, focusing on risk assessment and urgent upgrades.

    The numbers don’t lie. F5 forecast full-year revenue growth in the range of just 0% to 4%, while analysts (according to LSEG) were expecting growth of 4.8%. Similarly, the forecast for the first quarter (USD 730-780 million) was below the market consensus (USD 791 million).

    Interestingly, during a conference call with investors, F5’s management stated that it has yet to see a real impact on demand. However, cautious financial projections suggest that the company expects the shockwave to come in the first half of the year. For a cyber security provider whose reputation is a key currency, regaining customer trust after its own stumble will now be its biggest challenge.

  • Cyber attacks accelerate: criminals steal data in as little as half an hour

    Cyber attacks accelerate: criminals steal data in as little as half an hour

    The cyber threat landscape has changed dramatically over the past three years – and the source of further alarm is data from Unit 42, the threat analysis unit at Palo Alto Networks. Their research shows that the median time from compromise to data theft has dropped from nine days in 2021 to just two days in 2023.

    It is worth highlighting the unit’s expert forecast that, by the end of 2025, some incidents could be completed in less than 30 minutes – representing a 100-fold increase in attack speed compared to three years ago.

    In parallel, the tactics of attackers are changing. Today, up to 86 per cent of ransomware incidents end in significant business disruption – the target of the attack is no longer just data encryption, but a hit to reputation, customer relationships and business continuity.

    A surprising, though confirmed by Unit 42, trend is also for encryption to be overlooked in around 10 per cent of cases – smash and grab attacks rely solely on the theft or deletion of data, based on the effectiveness of the threat of disclosure or permanent loss.

    Behind the acceleration and escalation of attacks is, among other things, the growing use of artificial intelligence technology in phishing campaigns. By 2024, according to experts, as many as 83% of phishing messages will have used AI to some degree, and around 78% of recipients of such messages will have opened them – creating huge room for manoeuvre for attackers.

    Additionally, a so-called ‘access-broker’ market is developing, where cybercriminals treat network entry as a commodity and the ‘ransomware-as-a-service’ model lowers the barrier to entry for new actors.

    The economics of attacks have also been transformed: the median ransom demanded in 2024 reached ~US$1.25m – representing 2% of the victim’s estimated annual revenue. While negotiations typically result in reduced payments of up to ~US$267,500, the total cost of an incident – according to Unit 42 – reaches an average of US$4.91 million, especially when attackers gain access to supply chain partners and multiply the number of victims.

    What does this mean from an IT organisation’s perspective? First and foremost: the traditional security approach, based on manual detection and response, no longer makes sense. Since attackers can compromise a system in an hour (or less), human-based defences without the support of automation and analytics can no longer keep up.

    Automation, AI-based solutions and close human-machine collaboration are becoming a prerequisite for defence.

    In practice, this means overhauling the security architecture: reducing the attack surface by rapidly deploying patches and reducing remote access (in 2023, exploitation of online vulnerabilities was the most common initial access vector – in ~38.6 per cent of cases), monitoring and analysing identity behaviour, network segmentation (‘least-privilege’), and implementing UEBA/ITDR tools to catch anomalous activity in real time.

    The threat environment is shrinking in terms of response time – and the pressure on business is increasing. No longer are only the largest corporations at risk: the healthcare sector, energy, government departments or smaller companies with valuable data are attractive targets. For technology organisations, this means acting today – because tomorrow may be too late.

  • F5 hacked: Risks to global networks and IT infrastructure

    F5 hacked: Risks to global networks and IT infrastructure

    There is an ironclad rule in the cyber security industry: even gatekeepers can become targets. The latest incident at US-based F5, a manufacturer of network and application security solutions, shows just how valid this rule is. According to reports from Bloomberg, hackers – possibly linked to China – were said to have been on F5’s network for up to a year, gaining access to files including pieces of source code and documentation on security vulnerabilities.

    F5 confirmed ‘unauthorised access’ to parts of its systems, while assuring that the company’s operations had not been disrupted. However, this is only part of the picture. The US Cyber Security and Infrastructure Agency (CISA) has assessed the risk as a direct threat to federal government networks, as knowledge stolen from F5 could become a map for large-scale intrusions – no longer just in the US, but across all organisations using their devices.

    The situation has a geopolitical dimension. Although CISA has not named the perpetrators, Bloomberg’s sources speak directly of a sophisticated group linked to China. This is part of a wider trend: the growing number of cyber espionage operations targeting critical infrastructure providers. Similar incidents have previously occurred at SolarWinds and Microsoft Exchange, among others.

    Significantly, F5 chose to involve several third-party companies – CrowdStrike, Mandiant, NCC Group – suggesting a high level of complexity in the attack. According to disclosures to the SEC, the US Department of Justice allowed F5 to delay public disclosure of the incident until 12 September, citing national security.

    For F5’s customers – from the financial sector to government to telecommunications – this incident is a wake-up call. It is not only about the need for immediate updates. If attackers have gained knowledge of yet unidentified vulnerabilities, the consequences can be stretched over time. The UK NCSC has already appealed for F5 systems to be updated, warning of potential secondary attacks.

    This story demonstrates a key change in attack vectors: instead of individual organisations, technology providers who, through their products, are the ‘gateway’ to thousands of networks are becoming the target. The ‘zero trust’ narrative is no longer a marketing buzzword – it is becoming a necessity when dealing with any supplier, even those in the cyber security industry.

  • Arrests after cyber attack on Kido nurseries. Hackers stole data of 8,000 children

    Arrests after cyber attack on Kido nurseries. Hackers stole data of 8,000 children

    British police have arrested two men, aged 17 and 22, in connection with a cyberattack on London-based nursery chain Kido International. The charges relate to computer misuse and blackmail. This is another in a series of ransomware incidents recently affecting key services in the UK, this time hitting an extremely sensitive target – the data of young children.

    The case is being investigated by the London Metropolitan Police’s Cyber Crime Unit. The arrests were made in the town of Bishop’s Stortford. The attack, which was claimed by a group identifying itself as Radiant, resulted in the theft of the data of more than 8,000 children attending 18 Kido institutions in London. The hackers did not disclose the amount of the ransom demanded.

    In order to prove their claims, cyber criminals published highly sensitive information on ten children on the darknet – including their names, photos, home addresses and family contact details. The incident has raised serious concerns about data protection and the safety of the youngest children.

    The attack on Kido is part of a growing trend of hitting so-called ‘soft targets’, i.e. organisations with sensitive data, but often with insufficient security. For IT companies, it is another sign that securing critical infrastructure, including educational and medical facilities, is becoming an absolute priority. UK law enforcement agencies, responding to a series of attacks this year, have stepped up action against ransomware groups, demonstrating that cybercrime is becoming one of the key challenges to national security.

  • Anatomy of a zero-day attack: How hackers exploit unknown vulnerabilities and how to defend against it?

    Anatomy of a zero-day attack: How hackers exploit unknown vulnerabilities and how to defend against it?

    In the digital arms race, there is a moment of absolute advantage for the attacker – the moment when a previously unknown vulnerability in software is used for the first time to launch an attack. This is ‘zero-day’.

    For security teams, this is the worst possible scenario: they are faced with a threat they did not know existed, against which they have no ready defence, and the software vendor has not yet had time to prepare a ‘vaccine’ in the form of a security patch. During this critical window of time, which can last for days, weeks or even months, attackers operate with impunity, with an open path to the most valuable company assets.

    Zero-day attacks are not theoretical musings, but a brutal reality. Incidents such as the crippling attack on MOVEit Transfer software have shown that a single, unknown vulnerability can have a knock-on effect, leading to the theft of tens of millions of people’s data and exposing thousands of companies to financial and reputational damage . This proves that the stakes in this race against time are extremely high, and understanding the anatomy of this threat is crucial for every IT department today.

    Vulnerability lifecycle: from a bug in the code to a global incident

    To effectively defend against zero-day attacks, it is essential to understand their lifecycle. Although these terms are often used interchangeably, each describes a different stage on the path from a bug in the code to a viable incident.

    • Zero-Day Vulnerability (Zero-Day Vulnerability): This is a flaw in software code, operating system or device that is unknown to the manufacturer or, if known, has not yet been patched. The name zero-day refers to the developer’s perspective – it is the day they find out about a problem without having a solution ready.
    • Zero-Day Exploit (Zero-Day Exploit): This is a specific tool – a piece of code or technique – created to actively exploit a vulnerability. An exploit is a ‘key’ that allows a ‘lock’ to be opened in the form of a vulnerability.
    • Zero-Day Attack (Zero-Day Attack): This is the actual use of an exploit against a target. The name emphasises the perspective of the victim, who has exactly ‘zero days’ to prepare for defence.

    The process from gap creation to gap patching can be divided into several key phases:

    1. Emergence and release: Software containing a hidden flaw is made available to users. The vulnerability exists but remains undiscovered.
    2. Discovery: The existence of a vulnerability is identified. The discoverer may be an ethical researcher, the manufacturer itself or – the worst-case scenario – a cybercriminal.
    3. Creating an Exploit: A theoretical vulnerability is transformed into a ready-to-use attack tool.
    4. Disclosure: Information about the vulnerability becomes known. In a responsible model, it goes to the manufacturer; in a malicious scenario, it goes to the black market or is exploited in secret.
    5. Issue of a fix: the manufacturer publishes an update that eliminates the flaw.
    6. Patch installation: The vulnerability lifecycle ends when users install the patch, closing the exploitation window.

    A critical factor is the time gap between the discovery of a vulnerability by a malicious actor and the widespread installation of a patch. The entire strategy of zero-day attacks focuses on maximising this window.

    Threat landscape 2023-2024: changing objectives and tactics

    Analysis of recent years’ data, in particular from Google Threat Analysis Group (TAG) and Mandiant reports, reveals a fundamental transformation in attackers’ strategy. After a record-breaking year in 2021 (106 exploits), there were 97 exploits in 2023 and 75 exploits in 2024. However, these figures hide a more important trend: a strategic shift in objectives.

    We have seen a dramatic decrease in the number of exploits targeting traditional targets such as web browsers and mobile operating systems . This is the result of years of investment in security by the technology giants, which have significantly increased the cost of creating effective exploits.

    This shift has forced attackers to shift their focus to the heart of the corporate infrastructure. The percentage of zero-day attacks targeting enterprise technology has increased from 37% in 2023 to as high as 44% in 2024.

    The targets were primarily edge devices and security software: firewalls, VPN gateways and load balancing systems . The compromise of one such device gives attackers a strategic entry point into the entire corporate network. This evolution is driven by simple economic logic – the ‘return on investment of an exploit’ is incomparably higher for an attack on a central piece of infrastructure than on a single user.

    Case study: global crisis MOVEit transfer (CVE-2023-34362)

    Nothing illustrates the new era of threats better than the global MOVEit Transfer software incident. It was a model example of a strategic hit to a key part of the digital supply chain.

    MOVEit Transfer is a popular solution for the secure transfer of sensitive files, used by thousands of companies, government agencies and hospitals . Its central role has made it an extremely valuable target. The attackers, identified as the ransomware group Clop (FIN11), exploited a critical SQL Injection vulnerability that allowed remote command execution.

    The operation was fast and automated. At the end of May 2023, the Clop group started a massive scan of the internet for MOVEit servers, automatically exploiting a vulnerability to gain access . They then installed a custom web shell (LEMURLOOT) as a backdoor and conducted automated data theft for several days . By the time the manufacturer released a patch on 31 May, it was too late for thousands of companies.

    The impact was devastating. More than 2,700 organisations were affected by the attack, and personal data belonging to some 93 million people was stolen . The incident exposed a fundamental truth: the security of an organisation is inextricably linked to the security of its key software providers.

    Zero-day economics: black market versus bug bounty

    Behind every attack is a complex economic ecosystem. On the black market, knowledge of vulnerabilities is a valuable commodity. Prices for high-quality exploits are astronomical – a full chain of zero-click exploits for the iPhone can cost between $5 million and $7 million. Buyers are mainly government agencies, commercial spyware vendors (CSVs) and elite cybercrime groups.

    An ethical alternative is bug bounty programmes, where organisations offer financial rewards to ethical hackers for responsibly reporting vulnerabilities. Platforms such as HackerOne and Bugcrowd coordinate this process, creating a legitimate market for the skills of security researchers . While rewards are important, many hackers are motivated by a desire to learn and build a reputation.

    These programmes effectively limit the supply of less critical vulnerabilities on the black market. However, for the most powerful exploits, which are worth millions of dollars, bug bounties are economically uncompetitive. This reinforces the need to build defence strategies based on the ‘assume breach’ model (the assumption that an intrusion will occur).

    Defence strategies for IT departments

    In the face of zero-day threats that evade traditional defences, IT departments must adopt a multi-layered strategy based on prevention and effective detection and response.

    Pillar 1: Prevention and strengthening of immunity

    The aim is to make the IT environment as difficult to penetrate as possible.

    • Update Management: Traditional monthly update cycles are outdated. The average time from vulnerability disclosure to exploitation has shrunk to just five days in 2024. It is essential to implement automated patch management systems and prioritise vulnerabilities from the CISA Known Exploited Vulnerabilities (KEV) catalogue.
    • Zero Trust Architecture: The ‘never trust, always verify’ philosophy rejects the outdated ‘castle and moat’ model. Key elements are network microsegmentation, which limits attacker lateral movement, and the principle of least privilege, whereby each user and system has only the necessary privileges .
    • Virtual Patching: This is a key tactic during the period when there is not yet an official patch. It involves implementing rules on Web Application Firewall (WAF) or Intrusion Prevention System (IPS) devices that block network-level attempts to exploit a known attack technique, allowing valuable time for the patch to be deployed.

    Pillar 2: Detection and response to incidents

    As 100 per cent prevention is not possible, having the ability to detect an attack quickly is crucial.

    • Incident Response Plan (IRP): Having a formalised and rehearsed plan, based on a framework such as those developed by NIST, is the difference between a controlled response and chaos. The plan should include preparation, detection and analysis, containment and recovery, and post-incident phases.
    • State-of-the-art tools (EDR/XDR): Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) technologies are key. Instead of relying on signatures, they monitor and analyse the behaviour of processes across the infrastructure. Unusual activity, such as unauthorised privilege escalation, may indicate the use of an unknown exploit.
    • Human factor: The most common vector of exploit delivery is spear-phishing – personalised emails designed to persuade the victim to click on a malicious link . Employees also need to be aware of watering hole attacks, where attackers compromise a legitimate website frequently visited by company employees to infect their devices. Regular training is an essential part of defence.

    The future of fighting an invisible enemy

    The anatomy of the zero-day attack has undergone a profound transformation. Threats have become more strategic, precisely targeting the heart of corporate infrastructure and driven by a profiled global ecosystem. A reactive approach based solely on patching is no longer sufficient.

    Effective defence must evolve at the same pace. It is necessary to move to a model oriented towards architectural resilience. The Zero Trust philosophy is no longer an option, but a necessity. Ultimately, there is no single recipe for success in the fight against zero-day threats. It is an ongoing process, requiring a synergy of advanced technology, robust procedures and, most importantly, constant vigilance and readiness to adapt in the face of a constantly evolving enemy.

  • Renault: Customer personal data stolen in cyber attack on third-party company

    Renault: Customer personal data stolen in cyber attack on third-party company

    Renault UK has become another victim in a series of cyber attacks targeting the automotive industry. The incident, which affected a third-party service provider, exposed customers’ personal data, once again highlighting weaknesses in the supply chains of global companies.

    The French manufacturer has confirmed that UK customer data was stolen as a result of the attack, including names, addresses, phone numbers and vehicle identification and registration data. Renault assures that financial information, such as bank details or passwords, was not compromised as the attacked supplier did not process this type of information.

    The company stresses that its own IT systems have not been compromised and that the incident at an external partner has now been contained. Renault has begun the process of informing affected customers, warning them of the potential phishing and social engineering fraud attempts that often follow these types of leaks. The exact number of people affected by the attack remains classified. What is known, however, is that the problem may not only affect vehicle owners, but also people who have shared their data during marketing campaigns, for example.

    The Renault incident is not an isolated case. On the contrary, it is part of a worrying trend of increasing cyber attacks on the automotive sector. In September, a major attack paralysed Jaguar Land Rover’s systems, significantly disrupting the company’s production and operations. BMW has also recently struggled with security incidents, including an attack on one of its financial services providers.

    These events show that complex and interconnected automotive supply chains are becoming an attractive target for cybercriminals. An attack on one, often smaller and less secure partner, can open the door to the data of a valuable corporate customer. For an industry that increasingly relies on connected vehicles and digital services, securing the entire ecosystem of partners is becoming one of the key challenges.

  • Cyber attack on Salesforce customers. Hackers claim to have taken over one billion records

    Cyber attack on Salesforce customers. Hackers claim to have taken over one billion records

    A cybercrime group, describing itself as ‘Scattered LAPSUS$ Hunters’, claims to have taken over nearly one billion data records belonging to Salesforce customers. However, the attack did not directly breach the cloud giant’s infrastructure. Instead, the hackers relied on social engineering, targeting the weakest link – employees of companies using the platform.

    The attackers admitted that they did not breach the security of Salesforce itself. Their method was based on voice phishing (vishing), involving telephone impersonation of IT support staff. In this way, they convinced employees to install a modified version of the legitimate Salesforce Data Loader tool, which is used to import data in bulk. After installing the malware, they gained access to company resources.

    Salesforce has strongly denied that its platform has been compromised. The company stressed that the incident is not linked to any known vulnerability in its technology and relates to actions directly against its customers.

    The ‘Scattered LAPSUS$ Hunters’ group also took responsibility for ransomware attacks earlier this year on well-known UK brands such as Marks & Spencer, the Co-op and Jaguar Land Rover. It published a list of around 40 other allegedly attacked companies on its darknet page.

    The group’s activity is part of a wider trend observed by security analysts. Back in June, the Google Threat Intelligence Group team described a campaign by a group tracked as ‘UNC6040′, which used identical techniques to get employees to install fake tools. Researchers link the attackers’ technical infrastructure to a loosely connected cybercrime ecosystem known as ‘The Com’.

    The case already has a thread in the real world. British police in July arrested four people under the age of 21 in connection with an investigation into cyber attacks on retail chains. The incident proves once again that even the most secure cloud platforms are helpless when the human factor fails.

  • Cyber attack on software provider paralyses key European airports

    Cyber attack on software provider paralyses key European airports

    A ransomware cyber-attack on RTX-owned Collins Aerospace caused chaos at leading European airports over the weekend. The incident, which hit MUSE’s check-in and boarding software, exposed the vulnerability of critical aviation infrastructure to threats in the digital supply chain. The result was massive delays, flight cancellations and a return to manual passenger handling procedures.

    The problem emerged on Saturday, with its epicentre covering some of Europe’s busiest airports, including London Heathrow, as well as Brussels, Berlin, Dublin and Cork airports. The failure of the MUSE system prevented automated check-in and baggage handling, forcing ground staff to process data manually. This immediately translated into extended queues and operational paralysis.

    The situation was so serious that Brussels Airport asked the airline to preemptively cancel some Sunday and Monday flights to avoid total congestion. Although Collins Aerospace worked to restore systems, it took time to deliver a secure and fully functional software update, prolonging the disruption. The European Union Cyber Security Agency (ENISA) has officially confirmed that the incident was the result of a ransomware attack and is being investigated by law enforcement authorities.

    The attack on airport systems is not an isolated incident. It is part of a growing wave of cyber attacks on key sectors of the economy. Recently, similar incidents have affected car manufacturers such as Jaguar Land Rover, where production was halted, as well as other global companies in the retail or healthcare industries.

  • Hybrid threat: How drones over Poland translate into cyber risk

    Hybrid threat: How drones over Poland translate into cyber risk

    The night of 9-10 September 2025 will go down in history as the moment when the war across our eastern border ceased to be a mere media report and became a tangible threat. Russian drones over Poland and their downing by the Polish armed forces is an unprecedented event.

    However, anyone who views this incident solely in military terms is making a strategic mistake. For the violation of airspace was a high-profile prologue to the silent offensive that is about to begin in Polish cyberspace.

    Drones over Poland and the anatomy of Russian cyber-aggression: how does the Kremlin machine work?

    To understand what lies ahead, we must first grasp the adversary’s philosophy of operation. For years, Russia has perfected a doctrine of hybrid warfare in which missiles, beats and disinformation form a single, integrated arsenal.

    The aim is no longer just to conquer territory, but to paralyse the state from within – breaking its economy, destroying trust in its institutions and dividing its society.

    In this strategy, cyber attacks play a key role, with specialised secret service units acting with finesse and brutality.

    These operations are headed by two main actors whose code names should be familiar to any security professional:

    • GRU (APT28/Fancy Bear): This is the digital equivalent of the Specnaz units. Units subordinate to military intelligence specialise in high-profile, destructive and sabotage operations. Their goal is chaos. They are behind the attacks on Ukraine’s power grid, the hacking of electoral systems or the devastating Wiper malware attacks that irretrievably erase data. If something is to be destroyed, switched off or paralysed – the GRU steps in.
    • SVR (APT29/Cozy Bear): They are the aristocracy of Russian digital intelligence. They operate more quietly, more subtly and their operations are characterised by extreme patience. The Foreign Intelligence Service focuses on long-term espionage. They are responsible for the notorious attack on the SolarWinds software supply chain, which gave them access to the networks of thousands of companies and government agencies around the world for months. Their focus is on information, strategic advantage and quietly placing ‘digital sleeper agents’ on key enemy systems.

    Significantly, Russian services are blurring the line between state operations and common cybercrime.

    Ransomware groups such as Conti or LockBit often receive tacit permission from the Kremlin to operate in exchange for fulfilling ‘orders’ hitting Western targets – hospitals, corporations or local governments. This allows them to wreak havoc at the hands of seemingly independent criminals and further complicates the attribution of attacks.

    Scenarios for Poland: predicted attack vectors

    In the context of recent events, Poland is becoming a high-priority target. We can expect to be hit from several directions simultaneously.

    Scenario 1: Impact on critical infrastructure (ICS/SCADA)

    This is the most dangerous scenario. Industrial control systems on which the functioning of the state depends will be targeted. Attacks could target:

    • Energy sector: Attempts to take control of transformer substations in order to trigger regional or even national blackouts.
    • Transport and logistics: Paralysis of rail traffic management systems, which would have a direct impact on support shipments to Ukraine, but also on the national economy.
    • Water supply and treatment plants: manipulation of control systems can lead to interruptions in water supply or, in extreme cases, to water contamination.

    Scenario 2: Administrative paralysis and data theft

    Key institutions of the state will become the main target of espionage operations (conducted by the SVR). Massive spear-phishing campaigns should be expected, precisely targeting officials and military officers from the Ministry of Defence, the Ministry of Foreign Affairs or the Ministry of Digitalisation.

    The aim will not only be to steal security data and defence plans, but also to take control of accounts that can be used for further escalation or disinformation operations.

    Scenario 3: Information warfare and social chaos

    This attack is already underway, but it will now enter a new, intense phase. Its aim is to destroy the social fabric. We can expect:

    • DDoS attacks on major news portals and banking services to give the impression that the state is losing control.
    • Defacement (content substitution) of government websites to publish false messages and sow panic.
    • Massive disinformation campaigns on social media, run by troll farms and bots. Narratives will focus on undermining the effectiveness of the Polish army (‘they didn’t shoot everything down’), accusing the government of ‘provoking Russia’ and stoking anti-Ukrainian sentiment.

    Why is increased activity inevitable?

    These predictions are not mere speculation. They stem directly from an analysis of Russian war doctrine and the logic of the current situation.

    1. First: Asymmetric Retaliation. Russia cannot afford an open armed conflict with a NATO country. The downing of its drones was a slap in the face that cannot go unanswered. Cyberspace is the ideal theatre for retaliation – allowing painful blows to the economy and infrastructure while avoiding crossing the threshold of open war.
    2. Second: Phase Two of the Operation. The drone attack was designed not only to strike Ukraine, but also to test the response time and procedures of the Polish defence. Now Phase Two begins: creating internal chaos in a country that is a key logistical hub for Ukraine and a pillar of NATO’s eastern flank. Weakened and preoccupied with its own problems, Poland is a strategic target for the Kremlin.
    3. Third: Testing the Alliance. Russia wants to test in practice how Article 5 solidarity mechanisms work, not only in the military dimension but also in the cyber dimension. A massive attack on Poland will be a test for response procedures and cooperation within NATO.

    The front runs through every server room today

    We must abandon the illusion that cyber security is a technical problem locked up in IT departments. Today, it is the foundation of national security, with every administrator, developer and manager becoming a defender on the digital front line.

    The time of reactive firefighting is irrevocably over. A paradigm shift towards proactive defence and resilience building is required.

    It is worth emphasising at this point: the purpose of this analysis is not to sow panic, but to build strategic awareness and resilience. It is sound knowledge and cool risk assessment, not fear, that provide the basis for effective preparation for scenarios that could materialise at any time.

    For the IT industry, this means immediate action is required:

    • The implementation of the ‘Zero Trust’ architecture: The principle of “never trust, always verify” must become standard in every corporate and government network.
    • Proactive Threat Hunting: Security teams need to actively hunt for signs of intruders on their networks, rather than passively waiting for alerts from SIEM systems.
    • Audit and Testing of Incident Response Plans (IRPs): Having a plan on paper is not enough. It needs to be tested regularly through simulations so that when a crisis occurs, everyone knows what to do.
    • Building Public Resilience: The IT sector has a huge role to play in educating employees and the general public on how to recognise disinformation and phishing.

    The red sky over eastern Poland was a test of our military procedures. The upcoming digital offensive will be a test of the resilience of our entire state and society. This is not a time for fear, but for the consolidation of forces – for cooperation between the private sector and public administration, for sharing knowledge about threats and for building a digital shield that neither massive DDoS attacks nor precision spying operations can break. History teaches that Poland’s greatest strength in the face of threats has always been its ability to mobilise and adapt. Today, this mobilisation must take place in our networks, server rooms and minds.

  • Akamai Technologies warns: 4-step blackmail defines the new face of ransomware

    Akamai Technologies warns: 4-step blackmail defines the new face of ransomware

    Cybercriminals are refining their methods, moving to more complex, four-phase extortion tactics to maximise the pressure on their victims.

    According to the latest ‘Ransomware 2025’ report published by Akamai Technologies, although double blackmail – involving the encryption of data and the threat of making it public – is still the dominant method, a new, more aggressive trend is on the horizon.

    The new tactic, referred to as quadruple extortion, expands the attackers’ arsenal to include additional activities. In addition to data theft and encryption, cybercriminals are turning to DDoS (distributed denial of service) attacks to cripple a company’s operations.

    Moreover, third parties such as customers, business partners or the media are also harassed to increase psychological pressure. These actions turn a cyber-attack into a widespread business crisis that forces organisations to fundamentally rethink their existing security and incident response strategies.

    A significant driver of the evolution and scale of threats is the growing role of generative artificial intelligence and large language models (LLMs).

    These tools significantly lower the entry threshold for less experienced criminals, allowing them to create advanced ransomware code and refine their social engineering techniques, resulting in more effective campaigns.

    The report also highlights the growing activity of hybrid groups that combine financial motivations with hacktivism. They use ransomware-as-a-service (RaaS) platforms to amplify their influence. Similar strategies, albeit with different objectives, guide cryptomining groups.

    Akamai’s analysis found that almost half of such attacks targeted the education sector and NGOs, likely due to their limited resources for cyber security. The changing threat landscape poses new challenges for companies that include not only technology, but also legal and regulatory aspects.

  • The lost innocence of the web: the story of the first great cyber attack

    The lost innocence of the web: the story of the first great cyber attack

    On the evening of 2 November 1988, the computer centres of America’s most prestigious universities and research laboratories were in chaos. System administrators watched in disbelief as their powerful machines, the backbone of the fledgling Internet, slowed down and then froze completely.

    In just 24 hours, the mysterious programme infected around 6,000 of the 60,000 computers connected to the global network – crippling nearly 10 per cent of the entire internet at the time.

    The incident, which became known as the ‘Morris Worm’ attack, was an unprecedented event.

    It slowed down key military and university operations, and delayed email exchanges for days, severing the delicate threads of digital communication.

    An experiment that got out of hand

    The creator of the programme was Robert Tappan Morris, a bright 23-year-old computer science student at Cornell University. His official motivations, later presented at trial, indicated a desire to “demonstrate the inadequacy of current security measures” or, according to other sources, an attempt to measure the size of the internet. To cover his tracks, Morris released the worm from a computer at MIT.

    The Morris worm, unlike the primitive viruses of the time, was an advanced programme. Its strength lay in its multi-vector nature – it used several different, independent methods to spread :

    • Software vulnerabilities: The worm exploited flaws in popular UNIX system programs, such as the sendmail mail server and the finger service, which was used to check user information. One of these methods was an early example of a buffer overflow attack, which involves sending too much data to a program, allowing it to take control.
    • Abuse of trust: The programme used trusted host mechanisms that allowed logins between machines on the network without a password.
    • Password cracking: The last resort was to guess passwords. The worm had a built-in dictionary of common words and tried simple combinations such as username.

    Fatal design error

    The worm was intended to be discreet. It had a mechanism that checked whether a computer was already infected, to avoid multiple infections. However, Morris, fearing that system administrators might outsmart it, made a fatal modification to the code: even if a computer reported that it was already infected, the worm had a 14% probability of reinfecting it anyway.

    This decision proved disastrous. Morris underestimated the power of exponential growth. Computers were repeatedly infected, and each successive copy of the worm launched new processes, rapidly consuming CPU and memory resources. Thus, through a single error in logic, a harmless experiment turned into a global denial-of-service attack that crippled the network.

    Digital immune response

    Faced with an unprecedented crisis, the decentralised academic community had to self-organise. Over the next 48 hours, experts from centres such as MIT and UC Berkeley undertook a race against time, decompiling the worm’s code to understand its operation and create safeguards. Eugene Spafford of Purdue University played a key role, creating a phage mailing list that became an informal coordination centre for experts across the country.

    As the technical chaos began to subside, the hunt for the culprit began. Morris, realising the consequences of his experiment, asked a friend to anonymously circulate a message with apologies and instructions on how to stop the bug. Unfortunately, due to network paralysis, the message never arrived in time. Shortly afterwards, The New York Times identified Morris as the culprit.

    Legacy: The end of innocence and the birth of cyber security

    Morris’ trial was historic. It was the first conviction under the recently enacted Computer Fraud and Abuse Act (CFAA). Robert Tappan Morris was found guilty and sentenced to three years of probation, 400 hours of community service and a fine.

    The 2 November 1988 incident was a painful but necessary shock that ended the era of innocence on the Internet forever. Its consequences shaped the cyber security landscape for decades to come.

    • Birth of CERT: In response to the crisis, DARPA funded the creation of the world’s first computer incident response team, the Computer Emergency Response Team (CERT). It became a model for hundreds of similar organisations around the world.
    • The end of an era of trust: The Morris worm made the entire technology community realise that the network is inherently vulnerable and security must become an integral part of its architecture.
    • The start of an industry: the incident has given a powerful boost to the commercial cyber security industry, creating real demand for anti-virus software and firewalls.

    It can be argued that the Morris Worm was a ‘happy disaster’. It exposed fundamental weaknesses early in the development of the web, long before the era of e-commerce and online banking. In doing so, it became a painful but necessary ‘vaccine’ for the internet that triggered a global immune response and allowed us to prepare for the much more dangerous pathogens of the future.