CyberSecurity news

FlagThis - #cyberattack

@www.oxford.gov.uk //
Oxford City Council has suffered a cyberattack resulting in the potential exposure of personal data relating to election workers. The incident, which occurred the weekend of June 7th and 8th, involved unauthorized access to the council's network. Automated security systems detected and contained the intrusion, minimizing the attackers' access to systems and databases.

As a precaution, the council took down its main systems to conduct thorough security checks. Most systems are now safely operational, with the remainder expected to be back online shortly. While email systems and wider digital services remain secure, the attackers managed to access historic data on legacy systems, specifically impacting individuals who worked on Oxford City Council-administered elections between 2001 and 2022, including poll station workers and ballot counters.

The council has stated that there is no evidence to suggest the accessed information has been shared with third parties, and investigations are ongoing to determine the precise nature and extent of the data compromised. Impacted individuals have been contacted, and the council has reported the incident to relevant government authorities and law enforcement agencies, assuring the public that actions have been taken to prevent further unauthorized access and that a full investigation is underway.

Recommended read:
References :
  • thecyberexpress.com: Oxford City Council Cyberattack Disrupts Services and Exposes Historic Election Data
  • www.oxford.gov.uk: Council’s automated defense systems had identified and contained an unauthorized presence
  • www.itpro.com: Personal data taken in Oxford City Council cyber attack
  • thecyberexpress.com: The Oxford City Council cyberattack, which occurred over the weekend of June 7–8, was identified by the council’s automated defense systems.

@cyberscoop.com //
Aflac Incorporated, the insurance giant, has confirmed a cybersecurity incident that occurred on June 12, 2025. The company detected suspicious activity on its US network and promptly initiated its cyber incident response protocols, successfully stopping the intrusion within hours. According to Aflac's official disclosure, their systems were not affected by ransomware, ensuring business operations such as underwriting, claims processing, and customer support remain uninterrupted. However, Aflac warns that sensitive customer information may have been exposed during the breach.

Preliminary findings indicate that the unauthorized party used sophisticated social engineering tactics to gain access to Aflac's network. This method often involves tricking individuals into revealing sensitive information or granting access. Aflac has engaged leading third-party cybersecurity experts to assist with the ongoing investigation. CNN, citing sources familiar with the investigation, reported that this incident, along with others recently affecting the insurance sector, is consistent with the techniques of a cybercrime group known as “Scattered Spider.” Aflac acknowledged the broader context of the attack, stating, "This attack, like many insurance companies are currently experiencing, was caused by a sophisticated cybercrime group."

The review of potentially impacted files is still in its early stages, and Aflac has not yet determined the total number of individuals affected. However, the company has indicated that the compromised files may contain sensitive information. The Aflac breach is the latest cyberattack against the insurance industry.

Recommended read:
References :
  • thecyberexpress.com: Insurance giant Aflac reported today that it was hit by a cyberattack on June 12 but was able to stop the intrusion “within hours.”
  • eSecurity Planet: Aflac Discloses Cybersecurity Incident, Customer Data Potentially Exposed Amid Industry-Wide Attacks
  • www.prnewswire.com: Aflac Incorporated Discloses Cybersecurity Incident
  • cyberscoop.com: Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry
  • www.cybersecuritydive.com: Aflac duped by social-engineering attack, marking another hit on insurance industry
  • www.cyjax.com: Weaving Chaos – Scattered Spider’s Cyberattacks Spin a Dangerous Web Across the Insurance Industry
  • eSecurity Planet: eSecurityPlanet article on Aflac Cyber Security Incident
  • thecyberexpress.com: The Cyber Express article on Aflac Breach
  • cyberscoop.com: Aflac duped by social-engineering attack, marking another hit on insurance industry
  • DataBreaches.Net: Aflac notifies SEC of breach suspected to be work of Scattered Spider
  • Threats | CyberScoop: Cyberscoop reports Aflac duped by social-engineering attack, marking another hit on insurance industry
  • CYJAX: Weaving Chaos – Scattered Spider’s Cyberattacks Spin a Dangerous Web Across the Insurance Industry
  • www.esecurityplanet.com: Aflac Discloses Cybersecurity Incident, Customer Data Potentially Exposed Amid Industry-Wide Attacks
  • Threats | CyberScoop: Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry
  • www.prnewswire.com: Aflac incorporated discloses cybersecurity incident.
  • cyberpress.org: Aflac Incorporated, a major U.S.-based insurance company, reported a significant cybersecurity breach involving unauthorized access to its corporate network.
  • www.scworld.com: Aflac among victims in cyberattacks targeting US insurance industry

Nicholas Kitonyi@NFTgators //
A pro-Israel hacking group, known as Predatory Sparrow, has claimed responsibility for a cyberattack against Nobitex, Iran’s largest cryptocurrency exchange. The attack resulted in the theft of approximately $90 million in various cryptocurrencies, including Bitcoin and Dogecoin, as well as over 100 other cryptocurrencies. According to blockchain analytics firm Elliptic, the funds were drained from the exchange’s wallets into blockchain addresses containing anti-government messages explicitly referencing Iran's Islamic Revolutionary Guard Corps (IRGC).

The attackers, instead of attempting to profit financially, intentionally destroyed the stolen cryptocurrency in what has been described as a symbolic political statement. The funds were sent to blockchain addresses with the phrase "F***iRGCTerrorists" embedded within them. Experts say that generating addresses with such specific terms requires significant computing power, suggesting the primary goal was to send a message rather than to gain financially. The incident underscores the rising geopolitical tensions between Israel and Iran and the vulnerability of cryptocurrency exchanges to politically motivated cyberattacks.

The cyberattack on Nobitex is part of a broader pattern of cyber warfare between Israel and Iran. While the physical conflict has seen airstrikes and other military actions, the digital realm has become another battleground, with potentially significant repercussions for both countries and the wider global community. This incident also follows reports of internet restrictions within Iran, limiting citizens' access to information and communication amidst escalating tensions. The global cybersecurity community should prepare for repercussions that reach beyond the two combatants, as the cyberwarfare dimension of the conflict is already spilling over off the battlefield and outside the region.

Recommended read:
References :
  • Zack Whittaker: This article also discusses the attack against Nobitex, noting the financial losses and the involvement of a pro-Israel hacking group.
  • techcrunch.com: This news source provides information about the attack against Nobitex, mentioning the theft and destruction of cryptocurrency.
  • Metacurity: This article reports on the attack against Nobitex by the Predatory Sparrow group, highlighting the financial impact and geopolitical context of the event.
  • NFTgators: This news piece details the financial impact of the attack on Nobitex and the potential geopolitical implications.
  • WIRED: This article covers the same event with additional details about the actions of the attacker group and their motives.
  • aboutdfir.com: Pro-Israel hackers drained $90 million from Iran crypto exchange, analytics firm says
  • fortune.com: Pro-Israel group hacks Iranian crypto exchange for $90 million—but throws away the money
  • aboutdfir.com: Israeli-linked hackers seized and burned $90 million from Iran's Nobitex exchange
  • www.darknet.org.uk: Israeli-linked hackers seized and destroyed over $90 million from Nobitex, an Iranian crypto exchange.
  • SecureWorld News: As kinetic conflict continues to unfold between Israel and Iran, a parallel battle is raging in cyberspace—one that is disrupting financial systems, wiping out crypto holdings, hijacking broadcast channels, and even triggering a near-total internet shutdown.
  • www.elliptic.co: The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
  • Web3 is Going Just Great: Israeli-linked hackers steal and destroy $90 million from Iranian Nobitex exchange. The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.

Ben Weiss@fortune.com //
A pro-Israel hacktivist group known as Predatory Sparrow has claimed responsibility for a cyberattack on Nobitex, Iran's largest cryptocurrency exchange. The attack resulted in the theft and destruction of approximately $90 million in cryptocurrency. The group stated that Nobitex was targeted for allegedly financing terrorism and evading international sanctions for the Iranian regime. This incident highlights the increasing cyber conflict between Israel and Iran, with hacktivist groups playing a significant role in disruptive operations.

The hackers reportedly sent the stolen funds to inaccessible blockchain addresses, effectively "burning" the cryptocurrency and taking it out of circulation. Blockchain analysis firm Elliptic confirmed the transfer of over $90 million to multiple vanity addresses containing variations of "F--kIRGCterrorists" within their public key. This symbolic act suggests the intention was to send a political message rather than financial gain. It has been noted that Nobitex has over 10 million customers, raising concerns about the potential impact of the breach.

The attack on Nobitex follows a recent claim by Predatory Sparrow of hacking Bank Sepah, another major Iranian financial institution. These cyberattacks come amid escalating tensions and exchanges of airstrikes between Israel and Iran. Cybersecurity experts warn of a growing digital conflict unfolding behind the scenes, with the potential for broader spillover effects. The situation emphasizes the vulnerability of cryptocurrency exchanges to sophisticated cyberattacks and the need for enhanced cybersecurity measures.

Recommended read:
References :
  • infosec.exchange: LorenzoFB post on Infosec Exchange about the group claiming responsibility for Iranian Bank Hack.
  • techcrunch.com: TechCrunch article on pro-Israel hacktivist group claiming responsibility for Iranian bank hack
  • Risky Business Media: Risky Bulletin: Israel-linked hackers claim Iran bank disruption
  • techcrunch.com: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • CyberScoop: Iran’s financial sector takes another hit as largest crypto exchange is targeted
  • fortune.com: The hackers, who call themselves Predatory Sparrow, sent the funds to likely inaccessible blockchain addresses, burning the cryptocurrency.
  • Zack Whittaker: Iran’s largest crypto exchange Nobitex said it was hacked and funds drained. Pro-Israel hacking group Predatory Sparrow claimed responsibility for the hack, which saw the group steal and destroy some $90 million in cryptocurrency from the Iranian exchange.
  • www.nftgators.com: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex
  • bsky.app: My latest for BBC Persian: 'Predatory Sparrow' hackers stole $90 million from Iranian cryptocurrency company to 'send a message'.
  • WIRED: Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System
  • NFTgators: Pro-Israeli Hacker Group Drains $90M from Iranian Crypto Exchange Nobitex.
  • Metacurity: Metacurity reports on the Predatory Sparrow group's activities, including the Nobitex attack and other Iranian targets.
  • Risky Business Media: Tom Uren and Patrick Gray talk about a Minnesota man who used people-search services to locate, stalk and eventually murder political targets. They also discuss purported hacktivist group Predatory Sparrow weighing in on the Iran-Israel conflict. It has attacked Iran’s financial system, including a bank associated with the Iranian Revolutionary Guard Corps, and also burnt USD$90 million worth of cryptocurrency from an Iranian exchange. This episode is also available on YouTube.
  • aboutdfir.com: Pro-Israel hackers drain $90 million from Iran crypto exchange, analytics firm says  Iran’s largest cryptocurrency exchange, Nobitex, was hacked for more than $90 million Wednesday, according to blockchain analytics firm Elliptic.
  • SecureWorld News: Israel–Iran Conflict Escalates in Cyberspace: Banks and Crypto Hit, Internet Cut
  • www.metacurity.com: Israeli-linked hackers seized and burned $90 million from Iran's Nobitex exchange
  • The Hacker News: Iran's State TV Hijacked Mid-Broadcast Amid Geopolitical Tensions; $90M Stolen in Crypto Heist
  • CyberScoop: This article reports on the cyberattack claimed by Predatory Sparrow against Iran's Bank Sepah.
  • cyberriskleaders.com: This episode of Risky Business discusses the $90 million crypto hack of the Iranian exchange, Nobitex, and other recent cybersecurity incidents in the context of the Israeli-Iranian conflict. The hosts, Patrick Gray and Adam Boileau, are joined by special guest Chris Krebs to discuss various threat actor tactics and trends.
  • www.elliptic.co: The Israeli-linked Gonjeshke Darande hacking group claimed responsibility for the attack.
  • Industrial Cyber: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • Web3 is Going Just Great: The Iran-based Nobitex cryptocurrency exchange suffered a $90 million hack, and the attacker has also promised to imminently release data and source code from the platform.
  • industrialcyber.co: Radware reports hybrid warfare as cyberattacks, disinformation escalate in 2025 Israel-Iran conflict
  • Risky Business Media: Russian hackers abuse app-specific passwords to bypass multi-factor, the tenth Salt Typhoon victim is identified, Predatory Sparrow destroys $90 million from an Iranian crypto-exchange, and Argentina arrests a Russian disinfo gang.

@www.euractiv.com //
Sweden is currently facing a significant surge in cyberattacks, prompting Prime Minister Ulf Kristersson to sound the alarm. The attacks, primarily Distributed Denial-of-Service (DDoS) events, have targeted critical infrastructure, including SVT, Sweden's public television broadcaster, government websites, and key organizations. These disruptions have raised serious concerns about the resilience and security of Sweden's digital systems. The Prime Minister addressed the situation, acknowledging the severity and widespread nature of the cyber assaults impacting essential services.

The cyber offensive follows Sweden's recent entry into NATO in 2024, leading many to suspect potential involvement from Russia. While Prime Minister Kristersson refrained from explicitly naming the perpetrators, he alluded to previous reports from the Swedish Security Service identifying Russia, China, and Iran as frequent actors behind similar cyber operations. The focus of these attacks appears to be on disruption and undermining trust in institutions rather than data theft or ransomware, highlighting a strategy aimed at demonstrating cyber warfare capabilities.

Authorities are actively investigating the attacks and working to enhance the nation's cybersecurity defenses. The disruptions serve as a stark reminder of the evolving landscape of modern warfare, where cyberattacks can be leveraged to destabilize countries and critical infrastructure. The situation underscores the importance of international cooperation and vigilance in addressing cyber threats.

Recommended read:
References :
  • bsky.app: 🇸🇪 Sweden's PM says it is under cyberattack Swedish Prime Minister Ulf Kristersson says his country is under attack, after days of hard-hitting DDoS attacks against SVT Sweden's public TV broadcaster, government websites, and other key organisations.
  • databreaches.net: Sweden under cyberattack: Prime minister sounds the alarm
  • Graham Cluley: Sweden joined NATO in 2024, and has seen a dramatic rise in DDoS attacks ever since. Unsurprisingly all eyes are on Russia 🇷🇺 as likely culprits for the attacks.

@cyberpress.org //
Marks & Spencer (M&S), the prominent retail giant, was recently hit by a significant ransomware attack over the Easter period. The cyberattack, orchestrated by the DragonForce hacker group, disrupted crucial business functions, including online ordering and staff clocking systems. The attackers employed "double extortion" tactics, indicating that they stole sensitive data before encrypting the company's servers. This aggressive move puts M&S at risk of both data loss and public exposure.

An exclusive report reveals that the CEO of M&S received an offensive extortion email detailing the timeline and nature of the attack. The email, reportedly filled with abusive language, claimed that DragonForce had "mercilessly raped" the company and encrypted its servers. In response to the attack, M&S took drastic measures by switching off the VPN used by staff for remote work, which successfully contained the spread of the ransomware, but further disrupted business operations. The financial impact of this cyber incident has been substantial, with reports indicating losses of approximately £40 million per week in sales.

DragonForce, the ransomware group behind the attack, has reportedly compromised over 120 victims in the past year, establishing itself as a major player in the cybercrime landscape. The group has evolved from a Ransomware-as-a-Service (RaaS) model to a fully-fledged ransomware cartel, targeting organizations across various sectors, including manufacturing, healthcare, and retail. While the origins of DragonForce are speculative, technical indicators suggest a Russian alignment, including the use of Russian-linked infrastructure and recruitment efforts through Russian-speaking cybercrime forums. M&S has pointed to "human error" as the cause of the breach, with scrutiny falling on an employee of Tata Consultancy Services (TCS), which provides IT services to the retailer, although M&S has officially disputed claims that it didn't have proper plans to handle a ransomware incident.

Recommended read:
References :
  • www.bitdefender.com: Marks & Spencer’s ransomware nightmare – more details emerge
  • bsky.app: EXCLUSIVE: "We have mercilessly raped your company and encrypted all the servers" - the aggressive extortion email sent to the CEO of M&S has been revealed. The offensive blackmail note reveals lots of things about the nature of the attack, the timeline and the hackers
  • cyberpress.org: Reports over 120 victims have been compromised in the last year.
  • The Register - Security: M&S online ordering system operational 46 days after cyber shutdown
  • www.techradar.com: M&S online orders are back following cyberattack - here's what you need to know
  • www.cybersecuritydive.com: Marks & Spencer restores some online-order operations following cyberattack
  • www.techdigest.tv: M&S resumes online orders weeks after cyber attack
  • www.tripwire.com: Report on DragonForce's email to M&S CEO about taking responsibility for the attack.
  • bsky.app: DragonForce has started posting new victims to its darknet site. Two new orgs now being publicly extorted. Nothing yet on Co-op/M&S/ Harrods.
  • www.infosecworrier.dk: Details regarding the significant data breach and the ransomware attack targeting Marks & Spencer.

Sam Silverstein@cybersecuritydive.com //
United Natural Foods (UNFI), a major grocery distributor serving over 30,000 stores across North America including Whole Foods Market, is grappling with disruptions to customer orders following a recent cyberattack. The company, which acts as the "primary distributor" for Whole Foods, detected unauthorized activity on its IT systems on June 5th. In response, UNFI initiated its incident response plan, proactively taking certain systems offline to contain the breach. The incident has already caused temporary disruptions to business operations, and the company anticipates these disruptions will continue as they work to restore their systems.

UNFI has engaged third-party cybersecurity professionals and notified law enforcement as part of its efforts to assess, mitigate, and remediate the incident. The company is implementing workarounds to continue servicing customers where possible. Kristen Jimenez, a UNFI spokesperson, declined to comment on the nature of the cyberattack or whether any ransom demands have been made. UNFI is one of the largest grocery distributors in North America, supplying fresh produce, goods, and food products to a vast network of retailers, including major chains like Amazon, Target, and Walmart. In their most recent financial report they declared $8.2 billion in net sales.

This cyberattack on UNFI highlights the increasing vulnerability of the food supply chain to malicious actors. The incident follows a series of recent cyberattacks affecting the wider retail and grocery sector. UNFI did not say when it expects to recover its systems but assured customers, suppliers and associates that it was working to minimize disruption as much as possible. The company's agreement to be the primary distributor for Whole Foods has been extended to May 2032.

Recommended read:
References :
  • Zack Whittaker: New: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the "primary distributor" to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders. A UNFI spox. wouldn't say if the company has received any demands from the hacker.
  • techcrunch.com: UNFI, a grocery distributor for Whole Foods and others, warned of disruptions to customer orders after a cyberattack.
  • cyberinsider.com: United Natural Foods, Inc. (UNFI) disclosed that it had detected unauthorized activity on its IT systems, prompting the company to initiate its incident response plan and take systems offline.
  • The Register - Security: Let them eat junk food: Major organic supplier to Whole Foods, Walmart, hit by cyberattack
  • www.cybersecuritydive.com: UNFI, a grocery retailer and wholesaler, is working to resume full operations following “unauthorized activity” involving its IT systems.
  • go.theregister.com: North American grocery wholesaler United Natural Foods told regulators that a cyber incident temporarily disrupted operations, including its ability to fulfill customer orders.
  • techcrunch.com: New: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the "primary distributor" to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders.
  • Threats | CyberScoop: United Natural Foods, distributor for Whole Foods Market, hit by cyberattack
  • CyberInsider: United Natural Foods, Inc. (UNFI) disclosed that it had detected unauthorized activity on its IT systems, prompting the company to initiate its incident response plan and take systems offline.
  • Catalin Cimpanu: A cyberattack is disrupting the operations of United Natural Foods, a distributor of grocery products in the US. United Natural Foods is the largest grocery carrier and the 14th largest logistics company in the US.
  • cyberscoop.com: United Natural Foods, distributor for Whole Foods Market, hit by cyberattack
  • www.ttnews.com: UNFI hit by cyberattack, orders may be disrupted
  • Techzine Global: Cyber incident disrupted food wholesalers’ operations
  • The Register: GeekNews.chat post about major organic supplier to Whole Foods, Walmart, hit by cyberattack
  • techcrunch.com: United Natural Foods said it is "diligently managing through the cyber incident" that sparked disruption outages.
  • www.techradar.com: Key Whole Foods supplier hit by major cyberattack - delays possibly on the way
  • BleepingComputer: Grocery wholesale giant United Natural Foods hit by cyberattack
  • SecureWorld News: Whole Foods Supplier United Natural Foods Hit in Cyber Attack
  • cyberscoop.com: United Natural Foods fulfilling orders on ‘limited basis’ in wake of cyberattack
  • The Dysruption Hub: UNFI's cyberattack disrupts deliveries to 30,000+ stores, including Whole Foods. Stock drops 8% amid fears of ransomware and food shortages.
  • industrialcyber.co: Grocery wholesaler UNFI faces operational disruptions after cyberattack
  • Zack Whittaker: US grocery distribution giant United Natural Foods (UNFI) said it's working to bring its systems online after a cyberattack.
  • Tech Monitor: UNFI, a grocery wholesale distributor in North America, experienced a cyberattack that necessitated the shutdown of some specific systems.
  • Threats | CyberScoop: United Natural Foods fulfilling orders on ‘limited basis’ in wake of cyberattack
  • techcrunch.com: United Natural Foods (UNFI), a major grocery distributor to stores across North America and the primary distributor to Whole Foods, was hit by a cyberattack and is warning of ongoing disruption to customer orders.
  • Industrial Cyber: UNFI's systems are affected by the cyberattack.
  • www.cybersecuritydive.com: UNFI’s operations remain hobbled following cyberattack
  • Metacurity: US grocery distributor United Natural Foods is the latest retail-related cyber victim
  • www.itpro.com: Everything we know so far about the United Natural Foods cyber attack
  • techcrunch.com: Zack Whittaker's report on TechCrunch about the UNFI cyberattack.
  • www.esecurityplanet.com: Cyberattack Disrupts Whole Foods Supplier, Causing Delivery Delays and Empty Shelves
  • www.bitdefender.com: The spate of cyber attacks impacting the retail industry continues, with the latest victim being United Natural Foods (UNFI), which supplies organic produce to Whole Foods, Amazon, Target, and Walmart, amongst many others.
  • bsky.app: United Natural Foods (UNFI), one of the USA's largest wholesale distributors of healthy and specialty food, has been hit by a cyber attack. The supplier of organic produce to Whole Foods, Amazon, Walmart, and others, revealed its breach in a SEC filing.
  • Graham Cluley: The supplier of organic produce revealed in a SEC filing that after discovering unauthorised network activity it had "activated its incident response plan and implemented containment measures, including proactively taking certain systems offline."
  • techxplore.com: With retail cyberattacks on the rise, customers find orders blocked and shelves empty
  • Lukasz Olejnik: Cyberattack on food store chain Whole Foods is leaving shelves empty as key distributor scrambles to restore systems. Shoppers and small grocers feel the heat—our food supply chain is fragile. In the digital age, cybersecurity is food security.
  • eSecurity Planet: Cyberattack Disrupts Whole Foods Supplier, Causing Delivery Delays and Empty Shelves
  • Graham Cluley: The spate of cyber attacks impacting the retail industry continues. The latest victim is UNFI, one of the USA's largest wholesale distributors of healthy and specialty food.
  • Vulnerable U: UNFI Cyberattack Halts Deliveries to Whole Foods and 30,000+ Grocery Stores
  • www.metacurity.com: US grocery distributor United Natural Foods is the latest retail-related cyber victim
  • techcrunch.com: Whole Foods warns of shortages after cyberattack at its primary distributor UNFI
  • securityaffairs.com: securityaffairs.com describes the cyberattack on United Natural Foods caused bread shortages and bare shelves.
  • ciso2ciso.com: A cyberattack on United Natural Foods caused bread shortages and bare shelves – Source: securityaffairs.com
  • The Record: United Natural Foods (UNFI) said in a weekend update that it “made significant progress" toward restoring its ordering systems after a cyberattack affected the company's ability to keep grocery stores stocked.
  • Zack Whittaker: NEW: United Natural Foods (UNFI) said it's making "significant progress" in restoring its systems after a cyberattack earlier this month.
  • techcrunch.com: NEW: United Natural Foods (UNFI) said it's making "significant progress" in restoring its systems after a cyberattack earlier this month. The hack left grocery stores and supermarkets across the U.S. and Canada without food supplies and caused shelf shortages, including at Whole Foods and others.

Rescana@Rescana //
Recent ransomware attacks have underscored the persistent and evolving threat landscape facing organizations globally. Notably, Coca-Cola and its bottling partner, Coca-Cola Europacific Partners (CCEP), were targeted in separate cyber incidents. The Everest ransomware gang claimed responsibility for breaching Coca-Cola's systems, asserting access to sensitive internal documents and the personal information of nearly a thousand employees. Concurrently, the Gehenna hacking group claimed to have breached CCEP's Salesforce dashboard, potentially compromising over 23 million records. These incidents highlight the vulnerabilities inherent in interconnected digital ecosystems, emphasizing the need for robust cybersecurity measures and vigilant monitoring of network activities.

The healthcare sector has been particularly vulnerable, with Interlock ransomware causing significant disruption at Kettering Health, a network of hospitals in Ohio. After claiming responsibility, the attackers leaked almost a terabyte of data, including patient information, financial records, and employee details. This breach led to canceled medical procedures and a temporary reliance on paper-based systems. Covenant Health also experienced a cyberattack that forced the shutdown of its systems across multiple hospitals. Similarly, Bailey’s catering services, associated with a restaurant group in Louisiana, has been listed as a victim by the Medusa ransomware group, with the attackers demanding a $100,000 ransom. These events underscore the severe consequences of ransomware attacks on essential services and sensitive data.

In response to the rising ransomware threat, some countries are implementing stricter regulations. Australia, for example, now requires businesses with an annual turnover exceeding AUS $3 million to report ransomware payments to the Australian Signals Directorate within 72 hours. This legislation aims to improve the tracking of ransomware incidents and inform cybersecurity strategies, even though paying ransoms is still technically legal. The law also includes a six-month grace period for organizations to adapt to the new reporting requirements. Additionally, recent law enforcement operations like Operation Endgame have demonstrated progress in disrupting the ransomware ecosystem by targeting malware testing services and initial access malware strains.

Recommended read:
References :
  • Rescana: Coca-Cola and CCEP Cyber Incident: Everest Ransomware and Gehenna Breach of Salesforce Data
  • cyberinsider.com: Ransomware Attack at Lee Enterprises Impacted Nearly 40,000 Individuals
  • Zack Whittaker: Lee Enterprises, the newspaper publishing giant that was hit by a ransomware attack in February, causing widespread disruption to dozens of U.S. media outlets, has confirmed the cyberattack resulted in the theft of ~40,000 employees’ personal data.
  • www.it-daily.net: Ransomware attack on Kettering Health: Interlock publishes data

Pauline Dornig@it-daily.net //
The ransomware group Interlock has claimed responsibility for the recent cyberattack on Kettering Health, a US healthcare organization comprising hospitals, clinics, and medical centers in Ohio. The attack, which initially disrupted the healthcare system on May 20th, forced the shutdown of all computer systems and has left Kettering Health struggling to fully recover more than two weeks later. CNN first reported on Interlock’s involvement in the breach, but at the time the group had not publicly taken credit, leading to speculation that ransom negotiations might be underway. Interlock has now come forward, potentially indicating that negotiations with Kettering Health have been unsuccessful.

Interlock announced its involvement by posting alleged stolen data on its dark web site, claiming to have exfiltrated over 940 gigabytes of data from Kettering Health’s internal network. A preliminary review of the posted files indicates that the stolen data includes sensitive private health information, such as patient names, patient numbers, and detailed clinical summaries. These summaries contain sensitive information including mental status assessments, medication lists, health concerns, and other specific details about patients' medical conditions. The stolen data also encompasses employee information and the contents of shared drives, raising concerns about further potential privacy breaches.

The cyberattack has severely impacted Kettering Health's operations. Since the initial breach, numerous medical procedures have been canceled or postponed, forcing healthcare professionals to revert to paper-based documentation. This digital standstill has significantly affected clinical care for approximately 1.5 million patients annually. While Kettering Health has reported progress in restoring its systems, including bringing the electronic health record (EHR) system "Epic" back online with the help of around 200 employees, the full extent of the damage and the long-term consequences of the data breach are still unfolding.

Recommended read:
References :
  • infosec.exchange: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • techcrunch.com: Ransomware gang Interlock claims responsibility for the Kettering Health hack, posting some alleged stolen data on its dark web site. Data includes private health information, such as patient names, patient numbers, and clinical summaries written by doctors, which include categories such as mental status, medications, health concerns, and other categories of patient data.
  • www.it-daily.net: Report on a ransomware attack on Kettering Health.
  • techcrunch.com: Health giant Kettering still facing disruption weeks after ransomware attack
  • The Register - Security: Ransomware scum leak patient data after disrupting chemo treatments at Kettering
  • BleepingComputer: Kettering Health confirms Interlock ransomware behind cyberattack
  • www.bleepingcomputer.com: Details about the leaked data.

Pradeep Bairaboina@Tech Monitor //
The Play ransomware group has been actively targeting organizations worldwide since June 2022, with the FBI reporting that approximately 900 entities had been compromised as of May 2025. These attacks span North America, South America, and Europe, targeting a diverse range of businesses and critical infrastructure. The group employs a "double extortion" tactic, exfiltrating sensitive data before encrypting systems, which puts additional pressure on victims to pay the ransom.

The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued updated advisories regarding the Play ransomware, highlighting new tactics, techniques, and procedures (TTPs) employed by the group. One notable tactic includes exploiting vulnerabilities in the SimpleHelp remote access tool. Specifically, multiple ransomware groups, including those affiliated with Play, have been actively targeting the CVE-2024-57727 path traversal vulnerability, which allows attackers to download arbitrary files from the SimpleHelp server. The advisories also note that Play operators regularly contact victims via phone, threatening to release stolen data if ransom demands are not met.

To mitigate the threat posed by Play ransomware, authorities recommend several proactive security measures, including implementing multifactor authentication, maintaining offline data backups, and developing and testing a recovery plan. It is also critical to keep all operating systems, software, and firmware updated to patch known vulnerabilities. SimpleHelp has released security updates to address the exploited vulnerabilities and strongly urges customers to apply these fixes immediately. While Play ransomware has been linked to attacks on critical infrastructure, including nine attacks impacting healthcare, experts recommend constant vigilance and proactive security strategies across all sectors.

Recommended read:
References :
  • cyberinsider.com: FBI: Play Ransomware Breached 900 Organizations Worldwide
  • DataBreaches.Net: CISA Alert: Updated Guidance on Play Ransomware
  • The Register - Security: Play ransomware crims exploit SimpleHelp flaw in double-extortion schemes
  • Tech Monitor: The FBI reports Play ransomware breached 900 firms by May 2025, up from October 2023, using recompiled malware and phone threats for ransoms.
  • www.cybersecuritydive.com: The hacker group has breached hundreds of organizations and is working with others to exploit flaws in a popular remote support tool.
  • CyberInsider: FBI: Play Ransomware Breached 900 Organizations Worldwide
  • securityaffairs.com: Play ransomware group hit 900 organizations since 2022
  • www.techradar.com: FBI warns Play ransomware hackers have hit nearly a thousand US firms
  • www.cybersecuritydive.com: Understanding the evolving malware and ransomware threat landscape