
Cybersecurity Roundup, April 2026

Written by Chloe Schofield | Apr 28, 2026 12:56:14 PM

From critical infrastructure targeting to platform-based scams and evolving phishing tactics, the past few weeks show a continued shift in how cyber threats are being carried out. Attackers are not only exploiting vulnerabilities in systems, but increasingly taking advantage of trusted platforms, user behaviour and gaps in visibility.

Cyber-attacks in the news

Iran-linked attackers target critical infrastructure

Iran-affiliated cyber actors have been linked to attacks targeting internet-facing operational technology devices across critical infrastructure in the United States. These include programmable logic controllers used to manage industrial processes.

According to the FBI, the activity has led to disrupted operations, manipulated system data and, in some cases, financial loss. The campaign is believed to be part of a wider escalation in response to ongoing geopolitical tensions.

This incident reflects the growing exposure of operational technology, particularly where legacy systems are connected to the internet without sufficient protection. As these environments become more accessible, they are also becoming more attractive targets.

FBI disrupts Russian-backed router botnet

The FBI and U.S. Department of Justice have dismantled a large-scale cyberespionage operation that compromised thousands of small office and home office routers. The campaign has been linked to a unit within Russia’s GRU, commonly tracked as APT28.

The operation, known as “Operation Masquerade”, involved gaining court authorisation to remove malware from affected devices, effectively cutting off attacker access.

Compromised edge devices continue to be a reliable entry point for attackers. Many routers are deployed with weak credentials or remain unpatched, which allows threat actors to scale their activity with relatively little resistance.

Cyberattack disrupts Northern Ireland school network

A cyberattack on the C2K network in Northern Ireland caused widespread disruption across schools, affecting access to coursework, teaching materials and communication systems. The Education Authority took systems offline as a precaution while investigating the incident.

The network supports a large number of schools, meaning even a short disruption had a broad impact on pupils and staff.

Incidents like this show how centralised systems can quickly become single points of failure. When they are disrupted, the operational impact is immediate and widespread.

Booking.com scams rise through compromised hotel accounts

Booking.com has reported an increase in scams where attackers gain access to hotel accounts and use them to message customers directly through the platform. These messages often ask guests to confirm payment details or re-enter card information due to supposed issues with their booking.

Because the messages come from legitimate accounts within real booking conversations, they are far more convincing than traditional phishing attempts.

This reflects a broader shift towards exploiting trusted platforms and real interactions, rather than relying on standalone phishing emails or fake websites.

Microsoft 365 phishing attacks become more convincing

Phishing campaigns targeting Microsoft 365 accounts are becoming more sophisticated, with attackers using AI-generated content to mimic internal communications, document sharing alerts and MFA prompts.

These attacks are leading to more successful account takeovers, particularly where users approve malicious MFA requests or enter credentials into highly convincing login pages.

As the quality of phishing improves, the line between legitimate and malicious communication continues to blur. This makes it harder for users to identify threats without additional layers of protection.

Ransomware groups shift focus to mid-sized organisations

Ransomware groups are increasingly targeting mid-sized businesses, which often have fewer resources but still hold valuable data. Attackers are using a mix of phishing, credential theft and unpatched vulnerabilities to gain access, followed by data exfiltration and encryption.

Double extortion tactics remain common, with threats to leak data if ransoms are not paid.

This reflects a wider trend where smaller organisations are no longer being overlooked. Instead, they are being targeted more deliberately due to the balance of risk and reward.

The cybersecurity landscape

Trust is becoming a key point of exploitation

Across multiple incidents, attackers are no longer relying solely on technical vulnerabilities. Instead, they are inserting themselves into trusted environments, whether that is a hotel platform, internal communications or widely used business tools.

Supply chain risk management

The Russia and Iran examples are a reminder that state-backed cyberattacks are increasingly common, and that geopolitical tension is a predictor of increased threat levels. Although the ultimate targets are more likely to be national infrastructure or public sector organisations, their suppliers may also be targeted. This is why supply chain risk management and compliance have become so critically important in cybersecurity.

Operational disruption remains a consistent outcome

From schools to infrastructure, the impact of these incidents is often felt through disruption rather than direct data theft. This can affect services, supply chains and day-to-day operations just as significantly.

Attack methods are becoming more accessible

The use of AI and widely available tooling is lowering the barrier to entry for attackers, while increasing the quality of attacks. This combination makes threats more frequent and harder to detect.

A consistent security foundation is still essential

Despite the evolving threat landscape, many incidents still come back to fundamentals such as patching, access control, monitoring and user awareness.

At Brigantia, we support channel partners in protecting their clients with our selected vendor portfolio, specialists and dedicated support.
