
An Analysis of the Major Security Incidents and Cybersecurity News of 2025

Written by Hornetsecurity / 07.01.2026

Cybersecurity incidents are not just dramatic headlines; they are real-world post-incident reports written in production. Every outage, breach, and supply chain compromise uncovers vulnerabilities in identity management and configuration. It also highlights issues with third-party access that we believed were under control.

The recent wave of major cybersecurity incidents in 2024 and 2025 has made one thing clear: no sector is safe. No region is safe either.

In this article, we will walk you through the most significant incidents. More importantly, we will explain what these incidents reveal about gaps in today’s defenses and incident response plans.


Treat the following stories as exercises for your own environment. For each breach, ask yourself: would we have spotted it in time, contained it quickly, and communicated clearly? By mapping these incidents to your infrastructure and supply chain, you can gain valuable insights. Analyzing your Microsoft 365 setup helps you learn from the worst experiences of other organizations. This approach can improve your own resilience significantly.


October 2024 – Internet Archive Breach and DDoS Attack 

In early October 2024, the non-profit Internet Archive (known for the Wayback Machine) suffered a significant data breach that affected over 31 million user accounts. Attackers gained access to a 6.4 GB database containing users’ email addresses, usernames, and bcrypt-hashed passwords, among other details.

Around the same time, a hacktivist group dubbed BlackMeta launched a series of distributed denial-of-service (DDoS) attacks. These attacks were against the Archive’s websites, temporarily knocking them offline. This incident highlighted vulnerabilities in the Archive’s configuration management (an exposed GitLab configuration file was reportedly the attack vector). 

There are two takeaways from this one. Even if you’re a not-for-profit or “too insignificant to be vulnerable”, you’re always a target. Additionally, you should always check how your developers have configured their code repositories, as a misconfiguration there could negatively impact you down the road. 

December 2024 – U.S. Treasury Hack by Chinese APT 

In late December 2024, the U.S. Department of the Treasury disclosed it had been the victim of a state-sponsored cyberattack attributed to the Chinese government.

Attackers linked to a Chinese APT (Advanced Persistent Threat) group exploited a supply-chain weakness by compromising an identity and remote support platform from BeyondTrust, a vendor used by the Treasury. By obtaining a BeyondTrust admin key, the hackers were able to remotely access multiple Treasury employees’ workstations and steal unclassified documents.

Treasury officials labelled it a “major cybersecurity incident” and notified U.S. cybersecurity authorities (CISA) on December 8, 2024, soon after BeyondTrust alerted them to the intrusion. The breach, coming on the heels of other China-linked attacks on U.S. targets, heightened tensions and prompted urgent reviews of third-party access security and government cyber defenses. 

The main lesson here is understanding your threat model and your dependency risks. If you have implemented a security solution, where’s the “master key” for that security solution? What happens if it’s compromised, and how do you detect that before it’s too late? 

January 2025 – Critical VPN Zero Day Exploits (Ivanti & SonicWall) 

January 2025 saw attackers actively exploiting critical zero-day vulnerabilities in two popular enterprise remote access products, prompting emergency security alerts worldwide. Ivanti (Pulse Secure) disclosed that its Connect Secure VPN appliance contained a critical authentication bypass flaw that was being exploited in the wild.

This zero-day, which allowed remote code execution without login, was used to infiltrate at least 17 organizations (including Nominet, the U.K. domain registry) as early as December 2024. Mandiant researchers linked the Ivanti VPN exploits to a China-based threat actor, given the tools and malware used. 

Around the same time, SonicWall warned that a zero-day in its Secure Mobile Access (SMA) 1000 series VPN was similarly exploited by attackers. Microsoft and CISA confirmed that the SonicWall flaw – also allowing unauthenticated remote code execution – had been used in attacks, with incidents later in July as well.

These recent VPN security failures highlight the serious risk of adversaries exploiting trusted remote access systems. As a result, organizations worldwide are quickly implementing essential patches and mitigations.

These are but two examples of a trend over the last few years, where the very technology you’ve deployed to protect your network (firewalls, VPN appliances) is so poorly architected and maintained that it instead serves as an easy access point for attackers into your environment.

No matter the size of your vendor, you must demand better from them. Procuring security tech to protect you that makes you more vulnerable just isn’t acceptable. 


March 2025 – Juniper Networks Router Espionage Campaign 

In March 2025, cybersecurity firm Mandiant disclosed an ongoing espionage campaign aimed at network infrastructure. A China-linked APT group, known as UNC3886, was exploiting a newly discovered vulnerability in Juniper Networks’ Junos OS, which operates Juniper routers.

Starting in mid-2024, attackers utilized this zero-day vulnerability to infiltrate enterprise and possibly government routers. They then installed custom backdoor malware on the affected devices. These stealthy backdoors allowed the hackers to monitor network traffic, and they potentially pivoted further into networks without detection.


Juniper patched the flaw once it was discovered, but the incident drew comparisons to past supply chain and infrastructure attacks. It underscored that advanced threat actors are now directly targeting network routers and firewalls to conduct long-term espionage, bypassing traditional endpoint security.

This incident is something you can take directly to your networking team. Routers and switches are part of the “plumbing” of your infrastructure and once deployed tend to be mostly forgotten as long as they work.

This situation creates an ideal hiding spot for attackers, especially since Endpoint Detection and Response (EDR) cannot run on them. Therefore, you must monitor these devices for configuration changes and ensure regular patching.
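One way to put the “monitor these devices for configuration changes” advice into practice, as an added example that is not Hornetsecurity’s or Juniper’s code: compare a device’s exported configuration against a stored baseline, ignore the lines that change on every export, and weight changes that touch logins, management access or logging. The two configuration exports and the keyword list are constructed assumptions.

```python
import difflib
import hashlib
import re

# Constructed baseline and current exports in a vendor-neutral "set" style.
BASELINE = """\
## Last commit: 2025-02-01 10:00:00 UTC by netops
set system host-name edge-rtr-01
set system login user netops class super-user
set system services ssh root-login deny
set snmp community ops-ro authorization read-only
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
"""
CURRENT = """\
## Last commit: 2025-03-12 03:17:44 UTC by root
set system host-name edge-rtr-01
set system login user netops class super-user
set system login user svc-backup class super-user
set system services ssh root-login allow
set snmp community ops-ro authorization read-only
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set system syslog host 198.51.100.9 any any
"""

# Assumed list of statement keywords worth an immediate look when they change.
HIGH_RISK = re.compile(r"\b(login|user|ssh|snmp|aaa|tacacs|radius|syslog|firewall|root)\b")
# Header/comment lines that differ between exports without any real change.
VOLATILE = re.compile(r"^\s*(##?\s*Last (commit|configuration change)|!|Building configuration)")

def normalize(text):
    """Keep only real configuration statements, without volatile headers."""
    return [ln.rstrip() for ln in text.splitlines() if ln.strip() and not VOLATILE.match(ln)]

def fingerprint(text):
    """Stable hash of the normalized config, suitable for storing as the baseline."""
    return hashlib.sha256("\n".join(normalize(text)).encode()).hexdigest()

def drift(baseline, current):
    """Return added/removed statements and the subset that touches high-risk areas."""
    b, c = normalize(baseline), normalize(current)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, b, c).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(b[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(c[j1:j2])
    high = [ln for ln in added + removed if HIGH_RISK.search(ln)]
    return {"changed": fingerprint(baseline) != fingerprint(current),
            "added": added, "removed": removed, "high_risk": high}

if __name__ == "__main__":
    report = drift(BASELINE, CURRENT)
    for ln in report["removed"]:
        print("- " + ln)
    for ln in report["added"]:
        print("+ " + ln)
    print("high-risk changes:", len(report["high_risk"]))
```

Run against the constructed exports it reports one removed and three added statements, all four of them high-risk (a new super-user login, root SSH login switched to allow, and syslog redirected to a new host).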

June 2025 – UNFI Ransomware Attack Disrupts Food Supply Chain 

In June 2025, a ransomware attack on United Natural Foods, Inc. (UNFI), a leading food distribution company, demonstrated the real-world impact of cyberattacks on supply chains. UNFI, known as the primary distributor for Whole Foods and other grocers, detected unauthorized activity on its IT systems on June 5.

The company took affected systems offline to contain the threat. This action temporarily crippled its ability to process orders and deliveries. Consequently, some grocery retailers faced product shortages and delivery delays. The disruption lasted for several days. UNFI announced that the incident would cause ongoing operational delays and add extra costs.

The food supply chain impact garnered attention from regulators and highlighted the need for stronger cyber defenses in distribution and manufacturing sectors, as even brief outages can have cascading effects on consumers. 

If your business provides a service that’s part of a larger mesh of companies, where an interruption can cause a cascading effect reaching the public or critical infrastructure, your risk modeling must include this, not only the immediate effect a cyber-attack can have on your own operations. Because in the public’s eye (and regulators’ view), you’ll be held responsible for those wider impacts. 

July 2025 – Scattered Spider Hacks (Airlines and Retail – Qantas Breach) 

In some reporting of various incidents over the last few years, “Scattered Spider” has been called a hacking group. This isn’t quite accurate, as it’s more a loose affiliation of many different actors, with similar tactics, thus it’s more accurate to refer to “Scattered Spider-like” techniques.

Their approach relies heavily on social engineering, tricking (often outsourced) helpdesk staff to reset credentials. It’s less about hacking computers, and more about hacking people. Another notable difference compared to many other threat actors is that they are young, they live in western countries and are native English speakers, predictably leading to many of them being arrested over the last year or two. 

Earlier in 2025, Scattered Spider had been linked to attacks on major British retailers (Marks & Spencer, Co-op, Harrods) and insurance firms like Aflac.

In July 2025, the group turned its attention to the aviation sector. Qantas Airways, Australia’s flag carrier, announced that a third-party contact center platform it uses was compromised, exposing the records of approximately 6 million customers. Stolen data included names, contact details, birth dates, and frequent flyer numbers, though not financial information.

Qantas confirmed it was facing an extortion attempt related to the breach, and cyber investigators noted the attack bore the hallmarks of Scattered Spider’s tactics. Around the same time, WestJet (Canada) and Hawaiian Airlines (USA) were also reportedly hit in related incidents. 

The main lesson to take from these attacks is to look at your helpdesk procedures, particularly for resetting credentials (“I’ve lost my phone”), especially for high privilege accounts. All the usual knowledge-based verification details (employee ID, manager’s name, mother’s maiden name etc.) are information that can be gleaned from LinkedIn and other social media, and they are not strong enough.

As a first step, require anyone recovering a privileged account to do so in person at a company office. 

July 2025 – Ingram Micro Ransomware Attack 

In the first week of July 2025, Ingram Micro, one of the world’s largest IT distribution companies, was knocked offline by a critical ransomware attack.

On July 4, reports emerged that Ingram Micro was experiencing a major systems outage; the company soon confirmed it had been hit by a ransomware incident and had proactively taken many systems offline to contain it. The attack disrupted Ingram’s operations globally, shuttering its online ordering and logistics systems for nearly a week.

By July 10, the distributor had restored all business operations, but not before significantly impacting resellers and partners who rely on Ingram’s supply chain services. Cybersecurity journalists identified a relatively new ransomware group called SafePay as the culprit. 

Ingram Micro lacks a public-facing presence, unlike UNFI. However, the key lesson remains significant. If your business is crucial for others, interruptions can disrupt operations. An outage lasting over a week will severely affect many. This situation will create additional pressure for payments. You must incorporate this insight into your threat assessment.

July 2025 – “ToolShell” Zero Day Attacks on Microsoft SharePoint 

In July 2025, security researchers warned about a wave of cyberattacks exploiting zero-day vulnerabilities in Microsoft SharePoint Servers. These vulnerabilities were collectively referred to as “ToolShell.” By July 23, over 400 SharePoint servers worldwide were compromised through this exploit chain. We published a blog post with more details about this attack here.

The attacks allowed unauthorized access and code execution on SharePoint hosts, effectively giving attackers a foothold in victims’ corporate networks. A mix of victims were reported, including private sector firms and at least a few U.S. government agencies; even the U.S. Department of Energy confirmed it was “minimally impacted”.

Microsoft’s threat intelligence teams linked the activity to several Chinese state-sponsored groups. These groups are codenamed Linen Typhoon, Violet Typhoon, and Storm-2603. They quickly adopted the exploits as soon as they became known.

Separately, criminals linked to a new ransomware called Warlock also leveraged ToolShell to infiltrate organizations and deploy malware. Microsoft released patches for the SharePoint flaws, and, along with agencies like CISA, urged all organizations to update immediately. 

The take-aways here are to carefully evaluate whether you still want to rely on on-premises software (from any vendor) as that’s often not the focus of the vendor in favor of their SaaS offerings, and if you must, make sure these systems aren’t publicly accessible. Protect them with a VPN, or better yet, a cloud-based SASE solution. You must also make sure to have a patch program in place to keep these servers up to date. 

August 2025 – Salesloft+Drift 

In late August 2025, it became clear that Salesloft, an integration for Salesforce (and Slack/Pardot), had been compromised. As a result, Salesforce disabled the Drift integration for these systems.

The attack actually began in June 2025, when the Salesloft GitHub account was compromised. This led to access to their AWS environment, where attackers obtained OAuth tokens for Drift’s customer environments.

This type of supply chain attack, where compromising one vendor can expose numerous victim organizations, is particularly concerning. OAuth tokens are very powerful, and once in the hands of criminals, only revoking them and the integration will offer protection, not MFA or resetting credentials, unlike compromised user credentials.

The list of victims is long, and includes BeyondTrust, Cloudflare, CyberArk, Nutanix, Palo Alto Networks, Qualys, Rubrik, Tenable and Zscaler. 

Incident response is challenging because if you’re impacted, you must establish what data the integration had access to, what additional credentials for other systems might be available in that data (and so on) and then reset all of those credentials. There’s also the risk of exposure, or fines, depending on the content of the data that was exfiltrated.

The lesson here is exactly what we highlighted in last year’s report: non-human identities and integrations via APIs and OAuth across cloud and your different SaaS vendors must be monitored for anomalous activity. They are part of the identity fabric, usually unsupervised, and incredibly attractive to attackers because of it. 
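What “monitored for anomalous activity” can look like for an OAuth integration, as an added example that is not Hornetsecurity’s, Salesloft’s or Salesforce’s code: learn a per-app profile (source addresses, client strings, operations, data volume) from a connected app’s earlier API calls, then flag calls that deviate from it. The event records, the app name and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    app: str          # OAuth client (connected app) that presented the token
    ip: str           # source address of the API call
    user_agent: str
    op: str           # API operation, e.g. "query" or "bulk_export"
    rows: int         # records returned

# Constructed sample log: a CRM sync integration that normally pulls ~300 rows
# per hour from one vendor address, followed by its token being replayed from
# a different address with a different client and a very large export.
BASE = datetime(2025, 8, 8, 9, 0)
EVENTS = [
    Event(BASE + timedelta(hours=h), "crm-sync-app", "203.0.113.10",
          "vendor-sync/2.1", "query", 300)
    for h in range(24)
] + [
    Event(BASE + timedelta(hours=25), "crm-sync-app", "198.51.100.77",
          "python-requests/2.31", "bulk_export", 250_000),
    Event(BASE + timedelta(hours=25, minutes=5), "crm-sync-app", "198.51.100.77",
          "python-requests/2.31", "query", 120),
]

def detect(events, min_history=5, volume_factor=10):
    """Return [(event, [reasons])] for calls that deviate from the per-app
    profile learned from earlier, unflagged calls by the same app."""
    profile = defaultdict(lambda: {"ips": set(), "uas": set(), "ops": set(),
                                   "max_rows": 0, "count": 0})
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        p = profile[ev.app]
        reasons = []
        if p["count"] >= min_history:       # only judge once a baseline exists
            if ev.ip not in p["ips"]:
                reasons.append("new_source_ip")
            if ev.user_agent not in p["uas"]:
                reasons.append("new_user_agent")
            if ev.op not in p["ops"]:
                reasons.append("new_operation")
            if ev.rows > volume_factor * p["max_rows"]:
                reasons.append("volume_spike")
        if reasons:
            findings.append((ev, reasons))
            continue                         # rogue calls must not poison the baseline
        p["ips"].add(ev.ip)
        p["uas"].add(ev.user_agent)
        p["ops"].add(ev.op)
        p["max_rows"] = max(p["max_rows"], ev.rows)
        p["count"] += 1
    return findings

if __name__ == "__main__":
    for ev, reasons in detect(EVENTS):
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.app} from {ev.ip}: {', '.join(reasons)}")
```

Because a flagged call is kept out of the profile, the follow-up call from the same rogue address is still reported even though it is small; revoking the token and the integration, as the text says, is what actually stops it.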

September 2025 – Jaguar Land Rover 

On Monday the 1st of September 2025, Jaguar Land Rover (JLR) production ground to a halt across its UK, Slovakian, Brazilian and Indian factories. As this is an ongoing situation, and only limited production has resumed at the time of writing four weeks later, this ransomware attack has had a huge impact across JLR itself and its suppliers.

Technical details aren’t available yet, but JLR outsources most of its IT systems to Tata Consultancy Services (TCS). TCS is part of the Tata Group, which has owned JLR since 2008.

Many manufacturing industries, including car manufacturing, now move towards fully automated supply chains. They utilize “just in time” delivery and completely digital design and manufacturing workflows. This approach can be very efficient. However, understanding the complex web of interdependence in such a large system remains crucial. Incorporating cybersecurity at every weak point is essential.


Although JLR has substantial cash reserves, the UK government underwrites a £1.5 billion loan to help with the fallout. Experts expect the overall financial impact to reach £1.9 billion, affecting over 5,000 organizations.

JLR employs over 34,000 people, with a total of 120,000 in their supply chain. Some suppliers likely face bankruptcy. Additionally, JLR appears not to have had cybersecurity insurance, forcing them to cover the entire cost of this disaster.

The lesson here is clear: the call for digital transformation in every industry has been loud for the last decade, and while this is important for any business, not taking appropriate steps to mitigate cyber security weaknesses in every part of the overall system brings huge risks. And make sure you have cybersecurity insurance commensurate with your risk profile.

The last sobering takeaway is that, with the government bailout, it’s likely that future attacks will target UK companies, as they’re more likely to pay up.

October 2025 – F5 Complete Compromise 

In October 2025, F5 Networks, a major vendor of application delivery controllers and network security gear, disclosed a breach. The breach involved a highly sophisticated nation-state threat actor.

Subsequent investigations showed that the attackers likely accessed F5’s system in late 2023. They exploited an F5 system mistakenly left exposed online, bypassing internal security policies. This mistake allowed hackers to establish a foothold. They maintained long-term, stealthy access to F5’s internal network for at least 12 months without detection.

The breach surfaced in August 2025, and F5 announced it publicly in mid-October. This announcement raised serious supply-chain security concerns since F5’s products integrate deeply into many organizations. Once inside, intruders deployed a custom malware backdoor named “BRICKSTORM.” This backdoor allowed them to navigate F5’s virtualized environment while evading security controls. BRICKSTORM links to a China-based espionage group named UNC5221. It enabled attackers to remain nearly invisible.

At one point, the attackers lay dormant for over a year. They likely aimed to outlast F5’s log retention period and erase traces of their compromise. When they reactivated, the attackers exfiltrated extremely sensitive files. This included portions of the proprietary BIG-IP source code and internal reports on undisclosed (zero-day) vulnerabilities in F5’s products. The stolen data provided hackers insight into security flaws not yet patched or public. Experts viewed this cache of information as a “master key” for potential future attacks against F5 devices worldwide.

This incident highlighted how a single, well-executed breach of a core technology provider can pose broad risks. F5’s platforms protect and load-balance critical applications across government and enterprise networks around the globe.

The lesson here is an uncomfortable one and echoes the SolarWinds breach back in 2020: even the largest cyber security vendor can be compromised by a determined attacker, and without adequate monitoring and logging can remain undetected for a very long time. 

This is a developing story and while we don’t have enough technical details yet to predict the outcome over the months to come, if your network relies on F5 equipment you need to update everything, including all credentials. 


Stay ahead of the next wave of cybersecurity incidents with layered, real-world protection

Hornetsecurity’s Advanced Threat Protection and 365 Total Protection strengthen your Microsoft 365 environment. They secure it before attackers gain a foothold. This proactive approach helps you stay ahead of the incidents highlighted in this report. These solutions block zero-day exploits, malicious links, impersonation attempts and compromised identities at the email and collaboration layer, preventing threats from reaching your critical systems. 


Combined with better configuration hygiene and tighter control over suppliers and third-party access, you can transition from reacting to the latest incident to proactively preventing the next one.  


Schedule a demo today to see how Hornetsecurity can help you close the gaps exposed by recent major attacks and build an incident-ready security stack around Microsoft 365. 


Conclusion

The incidents described in this article highlight an important yet uncomfortable reality: most cybersecurity failures are systemic, not random. A single leaked configuration file, over-privileged integration or unchecked third-party connection can result in a multi-million-euro outage or government-level security issue.

These cybersecurity incidents demonstrate how quickly attackers can exploit a single vulnerability. They also illustrate how its impact can spread across supply chains and critical services.

The latest major cybersecurity incidents also reveal that technology alone does not solve the problem. Organizations often stumble due to similar patterns, such as incomplete asset inventories and exposed legacy on-premises systems. Non-human identities often lack adequate monitoring, and third-party services receive extensive, long-lasting access.

Even a single overlooked router or unmonitored OAuth token can undermine an otherwise solid security strategy.  

Organizations that navigate the next wave of threats treat security as a living system. They map, update, validate, and continuously monitor their security measures. This involves understanding your dependencies, rehearsing incident response scenarios and ensuring that your controls work under pressure, not just on paper.

Resilience comes from planning for failure, detecting it quickly and containing it before it escalates into a full-scale crisis.

Breaches are no longer rare edge cases; they are recurring reality checks on how resilient you really are. Use these incidents as a roadmap to strengthen your position now so that, when the next wave of cybersecurity incidents hits your sector, you can respond quickly, clearly and confidently instead of panicking. 

FAQ

What’s the biggest pattern connecting these major security incidents? 

Across these cybersecurity incidents, the common thread isn’t ultra-sophisticated magic tricks – it’s basic weaknesses in identity, configuration, and trust. Most attackers get in through a single soft spot: an exposed credential, an over-permissive integration, an unpatched edge device, or a misconfigured cloud service. They don’t need to break every control; they just need one gap that nobody is watching, then pivot quietly from there. 

Why are supply-chain and third-party breaches so dangerous? 

Supply-chain and third-party breaches sit at the intersection of high privilege and low visibility. A single vendor platform, integration, or contact-center provider can connect hundreds or thousands of organizations. When a compromise occurs, the blast radius becomes enormous. As the 2024 and 2025 cases show, OAuth tokens, remote support tools, and cloud integrations often carry broad, persistent access that’s easy to overlook and painful to unwind once an incident is underway. 

What practical lessons should organizations take from these incidents? 

Start by viewing your infrastructure and SaaS landscape the way an attacker would: map your dependencies, find the weak trust relationships, and assume that a credential, token, or configuration will eventually leak. Monitor non-human identities and third-party integrations, validate your helpdesk and recovery procedures, patch critical edge systems quickly, and avoid exposing on-premises services directly to the internet. Then layer on specialized protections – such as Hornetsecurity’s portfolio for Microsoft 365 – to catch targeted email, identity, and supply-chain attacks early, so fewer incidents ever turn into full-blown crises. 
