Singtel
February 10, 2026
•[ cyber espionage, telecom infrastructure, network data exfiltration ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the countrys telecom infrastructure, including Singtel. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
M1
February 10, 2026
•[ cyber espionage, telecom infrastructure, technical data exfiltration ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the countrys telecom infrastructure, including M1. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
Simba Telecom
February 10, 2026
•[ cyber espionage, network data exfiltration, telecom infrastructure ]
Singapore confirmed that China-linked cyber espionage group UNC3886 targeted the countrys telecom infrastructure, including Simba Telecom. The government said attackers gained limited access to parts of telecom systems, did not disrupt services, and did not access personal data, but did exfiltrate a small amount of technical (network-related) data to advance operational objectives.
At least one government, military, and technology entity in Ukraine
January 30, 2026
•[ APT, vulnerability exploitation, state-sponsored attack ]
Security researchers reported that state-sponsored advanced persistent threat groups exploited a WinRAR vulnerability in real-world attacks that successfully compromised at least one government, military, and technology organization in Ukraine, using malicious archive files to gain unauthorized access to victim systems.
Delta (Russian Security and Alarm Services Company)
January 26, 2026
•[ cyberattack, service disruption, state-sponsored attack ]
A cyberattack attributed to a hostile foreign state disrupted Deltas alarm and vehicle services for thousands of users. No customer data compromise confirmed.
Knownsec
November 9, 2025
•[ data leak, cyber espionage, malware ]
According to coverage in The Register of research by Chinese blog MXRN, attackers breached the systems of Beijing linked security company Knownsec and leaked more than twelve thousand classified documents describing Chinese state cyber weapons, internal tools and global targeting lists, along with code for remote access trojans that can compromise major desktop and mobile operating systems; the cache also reportedly includes a spreadsheet of 80 successfully attacked overseas targets and massive datasets such as Indian immigration records, South Korean telecom call logs and Taiwanese road planning information that Knownsec had previously obtained in offensive operations, some of which were briefly published to GitHub before being removed.
National Time Service Center
October 20, 2025
•[ espionage, state-sponsored attack ]
China accuses U.S. NSA of cyber-espionage against NTSC timing systems
Williams & Connolly
October 8, 2025
•[ espionage, state-sponsored attack, data leak ]
Breach of U.S. law firm with major political clients linked to Chinese espionage campaign.
U.S. National Nuclear Security Administration (NNSA)
July 18, 2025
•[ data breach, vulnerability, zero-day ]
Breach of NNSA systems through a Microsoft SharePoint zero-day vulnerability. DOE stated a small number of systems were impacted and are being restored. Attack was later linked to Chinese state hacking groups Linen Typhoon and Violet Typhoon.
Netherlands Public Prosecution Service (Openbaar Ministerie)
July 17, 2025
•[ cyberattack, vulnerability exploit, state-sponsored attack ]
Strong indications that Russia was behind a cyberattack exploiting a Citrix vulnerability; the OM took systems offline on July 17 as a response; extent of data access not yet disclosed.
One undisclosed university in the United States
July 15, 2025
•[ espionage, vulnerability exploitation, malware ]
China-linked operators abused CVE-2025-53770 (ToolShell) weeks after Microsofts July patch to gain initial access at a telecom, escalate privileges (e.g., PetitPotam), harvest credentials, and deploy ShadowPad/Zingdoor/KrustyLoader for persistent espionage against telecom and government networks. Primary effect was covert access and collection, not service outage.
Wiley Rein LLP
July 12, 2025
•[ espionage, unauthorized access, state-sponsored attack ]
Firm notified clients that Microsoft 365 accounts of certain personnel were accessed in an apparent intelligence-gathering operation; suspected China-affiliated group.
Municipality of Tirana (City of Tirana)
June 20, 2025
•[ data leak, denial of service, state-sponsored attack ]
Iran-linked MOIS cluster EUROPIUM (Homeland Justice) conducted a coordinated cyberattack on Tiranas municipal government on Jun 20 2025, taking the city website offline and disrupting services; attackers claimed data theft and wiping of city databases; Microsoft and Albanian officials attributed the activity to MOIS-linked operators; restoration completed by Jun 24 2025.
At least one Ukrainian grain producer
June 1, 2025
•[ malware, wiper attack, state-sponsored attack ]
Russian state-backed threat group Sandworm, also known as APT44, used several data-wiping malware families in a series of destructive attacks against Ukrainian organizations in 2025, including newly reported operations targeting the countrys grain sector. An ESET APT activity report cited by BleepingComputer says that in June and September Sandworm deployed wipers like ZEROLOT and Sting against entities in the governmental, energy, logistics, and grain industries, with the grain sector highlighted as a less frequent but strategically important target. The wipers corrupt files, disk partitions, and master boot records in ways that prevent recovery, likely aiming to weaken Ukraines war economy by disrupting a critical export industry.
Kurdish forces
May 14, 2025
•[ espionage, vulnerability, zero-day ]
Turkey-linked espionage operators exploited a zero-day in Output Messenger to surveil Iraq-based Kurdish forces, collecting communications and device data; Microsoft attributed the activity to a Turkey-aligned group focused on intelligence collection.
Undisclosed Ukrainian critical infrastructure organization
April 1, 2025
•[ malware, data exfiltration, wiper ]
The FSBs 18th Center for Information Security (Gamaredon) deployed PathWiper malware against an undisclosed Ukrainian critical-infrastructure operator in early April 2025, exfiltrating large volumes of operational data before executing a destructive wiper that caused temporary service degradation.
Deutsche Gesellschaft für Osteuropakunde (DGO)
March 30, 2025
•[ espionage, data leak, state-sponsored attack ]
In late March 2025, German officials reported a cyber-espionage incident targeting the Deutsche Gesellschaft fr Osteuropakunde (DGO), a nonprofit academic association focused on Eastern Europe. Investigators attributed the intrusion to Russias Foreign Intelligence Service (SVR), also known as Midnight Blizzard, APT29, or NOBELIUM. Attackers accessed email servers and internal communications for intelligence-gathering purposes. No data encryption or operational disruption was reported, indicating a stealthy exploitation of application servers.
Deutsche Gesellschaft für Osteuropakunde (DGO)
March 30, 2025
•[ cyber-espionage, intelligence gathering, email breach ]
In late March 2025, German officials reported a cyber-espionage incident targeting the Deutsche Gesellschaft fr Osteuropakunde (DGO), a nonprofit academic association focused on Eastern Europe. Investigators attributed the intrusion to Russias Foreign Intelligence Service (SVR), also known as Midnight Blizzard, APT29, or NOBELIUM. Attackers accessed email servers and internal communications for intelligence-gathering purposes. No data encryption or operational disruption was reported, indicating a stealthy exploitation of application servers.
Digital Realty
March 1, 2025
•[ state-sponsored attack, espionage, vulnerability exploit ]
The Ministry of State Security (MSS)linked group Salt Typhoon infiltrated Digital Realty and other data-center operators in early 2025 by exploiting vulnerabilities in network-appliance infrastructure and stolen credentials. Microsoft attributed the campaign to PRC state-sponsored espionage targeting Western critical-infrastructure providers.
Undisclosed Myanmar government organization
March 1, 2025
•[ state-sponsored attack, malware, rootkit ]
Chinese state-linked threat actors deployed a kernel-mode rootkit to conceal ToneShell malware on systems belonging to a Myanmar government organization, enabling stealthy persistent access.
