
Cybersecurity Executive Brief: February 2026


Section 1 — Executive Brief #

Cybersecurity Insights for Decision-Makers | 2-Minute Executive Summary | Full Analysis: ~10 pages

Scope: This brief covers the period of February 1–28, 2026. It synthesizes threat intelligence, vulnerability disclosures, regulatory developments, and operational data relevant to enterprise security leadership. Sources include vendor threat reports, government advisories, and verified incident disclosures.


The Month Your Defenses Were Used Against You #

Your CISO told you identity was the new perimeter. February proved the attackers heard it too — and industrialized against it.

Last spring, a mid-sized European telecom received a call from a woman identifying herself as an IT service desk analyst. She knew the employee’s name, his manager’s name, and the internal ticket number for a recent laptop replacement. She walked him through a “mandatory security update” that ended with him approving an MFA prompt on his personal device. Total cost of the call to the attacker: somewhere between $500 and $1,000. Total cost to the company: still being calculated.

That call came from SLH Operations Centre — not a nation-state unit, not a ransomware cartel’s in-house team, but a commercially operated vishing-as-a-service platform that recruits female operators, runs branded subdomains, and delivers adversary-in-the-middle phishing kits as a turnkey product.1 By the end of February, SLH-linked campaigns had touched 15+ organizations and contributed to the exposure of more than 50 million records, including 12.5 million from CarGurus, 29.8 million from SoundCloud, 6.2 million from Odido, and 115,000 Harvard donor records.2

This is not a new category of threat. Readers of this brief have heard me say “identity is the perimeter” for the last year. What February proved is something different: the industrialization is complete. The playbook that once required a skilled operator and weeks of reconnaissance now ships as a service, priced per call, with quality assurance built in.

And identity was only one of three assumptions that February stress-tested.

While organizations focused on who was calling the help desk, nation-state actors were already inside the infrastructure those help desks exist to protect. A critical vulnerability in Cisco’s SD-WAN platform — the system that routes traffic across enterprise networks — had been silently exploited since 2023. Three years of undetected access, serious enough that the US government issued an emergency directive and five allied nations published a joint advisory.3 Dell’s RecoverPoint for Virtual Machines — the backup platform enterprises trust to restore operations after an attack — carried its own critical flaw, exploited by a China-linked group since mid-2024.4 The systems designed to bring you back online were themselves compromised — for eighteen months.

Meanwhile, AI crossed a threshold that matters operationally, not theoretically. IBM X-Force documented “Slopoly,” a likely AI-generated malware framework deployed during a live ransomware intrusion.5 Over 600 firewall devices across more than 55 countries were compromised by attackers using commercial AI services to generate exploitation playbooks.6 CrowdStrike measured an 89% year-over-year increase in AI-enabled attacks. The fastest observed time from initial breach to full control of a victim’s environment: 27 seconds.7

The patterns we’ve been tracking didn’t just continue in February. They converged. Identity industrialization, compromised recovery infrastructure, and AI-augmented offense aren’t three separate problems. They are three expressions of the same structural shift: the tools and workflows enterprises built for productivity and resilience are being turned against them at machine speed.

The organizations that treated our earlier signals as architecture decisions — not awareness items — are the ones that didn’t show up on a leak site this month.

The line to remember: February didn’t introduce new threats. It showed which organizations had already corrected their assumptions — and which were still operating on last year’s model.


Critical Actions Required #

🔴 IMMEDIATE — Validate that your identity verification workflows cannot be completed by voice alone. SLH campaigns succeed because help desk procedures treat voice + knowledge factors as sufficient. If your service desk can reset MFA or approve device enrollment over the phone, you have an open door. Mandate callback verification to a registered number and visual identity confirmation for any credential or MFA change.

🔴 THIS WEEK — Ask your CISO to confirm that emergency patches have been applied to Cisco SD-WAN and Dell RecoverPoint systems. Both carry maximum-severity vulnerabilities with confirmed exploitation in the wild. For RecoverPoint specifically: assume compromise until validated. Run integrity checks on backup infrastructure before trusting it for recovery. A backup you can’t verify is not a backup — it’s a liability. (Technical reference: CVE-2026-20127, CVE-2026-22769.)

🟡 THIS MONTH — Review your MFA posture against the NYDFS (New York’s financial regulator) February 6 advisory, which underscores broad MFA requirements and clearly favors higher-assurance methods, identifying push-based MFA as higher-risk without additional safeguards. The expanded requirement — MFA for any individual accessing any information system — has been in effect since November 2025. Annual compliance filings are due April 15.8 Even if your organization isn’t regulated by New York, this standard is becoming the industry expectation. Insurance underwriters increasingly treat MFA posture as a qualifying factor in claims adjudication.9

🟡 THIS MONTH — Assess your DORA reporting readiness if you operate in EU financial services. DORA (the EU’s Digital Operational Resilience Act) has applied since January 2025. From 2026, national regulators must forward operational resilience data to European authorities by March 31 — meaning firm-level submissions are due even earlier.10 Separately, the European Commission has sent formal warnings to 19 member states for failing to implement the NIS2 cybersecurity directive on time. Enforcement pressure is building across both regimes.

🟢 MONITOR — CISA is operating at approximately 38% workforce capacity, with roughly 888 of 2,341 staff remaining on the job during the DHS shutdown.11 If your threat intelligence or vulnerability coordination depends on CISA products, build redundancy now. Do not assume federal support at historical levels for the remainder of 2026.

🟢 MONITOR — Ransomware payment rates have dropped to historic lows, but attack volume has not followed. Multiple tracking sources recorded over 600 victim claims across dozens of countries in February.12 The economics are shifting: Arctic Wolf’s 2026 report documents that data-only extortion (no encryption, just theft and leak threats) grew from 2% to 22% of incident response engagements — an elevenfold increase.13 Healthcare ransomware targeting rose sharply month-over-month. Lower payments mean attackers need more victims — expect volume to increase, not decrease.


Key Metrics #

Signal | Detail | Trend | Why It Matters
--- | --- | --- | ---
Vishing as initial vector | 11% of intrusions (surpassed email phishing at 6%) | Up | Identity verification workflows are the new front door
Access broker pricing | Collapsed from $1,427 to $439 avg. | Down | Oversupply of stolen credentials; barrier to entry is falling
AI-enabled attacks | +89% YoY (CrowdStrike) | Up | AI is an operational multiplier, not a theoretical risk
Time from breach to full control | 29 min avg. / 27 sec fastest (CrowdStrike eCrime breakout time) | Down | Detection windows are closing; response must be pre-staged
Virtualization infrastructure targeting | 43% of ransomware intrusions targeted virtualization (Mandiant) | Up | Recovery assumptions must be validated, not assumed
Ransomware payment rate | Historic lows (Chainalysis, Coveware) | Down | Lower yield per victim drives higher volume
Data-only extortion | 2% to 22% of IR cases (Arctic Wolf) | Up | Encryption is optional; data theft alone is sufficient leverage
Insurance claim adjudication | MFA posture increasingly a qualifying factor | Tightening | Insurers scrutinizing controls at underwriting and claims
Nation-state patience | Attackers inside Dell backup systems for 18 months; inside Cisco SD-WAN for 3 years, both undetected | n/a | These aren’t smash-and-grab operations; they’re long-term strategic access
CISA capacity | 38% staffed (62% furloughed) | Down | Federal support cannot be assumed at prior levels

What to Say When the Board Asks… #

“Are we exposed to the vishing campaigns I’m reading about?” “We’ve reviewed our identity verification procedures against the SLH Operations Centre playbook. The key question isn’t whether we have MFA — it’s whether our help desk can be socially engineered into resetting it. We’re [implementing / have implemented] out-of-band verification for any credential or device enrollment change, and we’re testing it with red team exercises this quarter.”

“Can our backups actually recover us after a ransomware attack?” “That’s exactly the right question, and February gave us a reason to re-ask it. A critical vulnerability in Dell RecoverPoint — a widely used backup platform — was exploited by a nation-state group for eighteen months before discovery. We’re treating backup infrastructure as an attack surface, not just a recovery tool. We’re [validating integrity / scheduling validation] of our recovery environment independently from production.”

“What does AI mean for our threat exposure — practically, not theoretically?” “In February, IBM identified likely AI-generated malware used in a live ransomware intrusion, and over 600 FortiGate devices across more than 55 countries were compromised by attackers using commercial AI services to generate attack playbooks. The practical impact is speed: once attackers get in, they can take full control of an environment in under 30 minutes on average — and in one observed case, 27 seconds. Our response has to be pre-staged, not reactive. The same AI tools that improve our productivity are improving theirs — with fewer constraints.”

“Is regulatory pressure going to get worse?” “Yes. New York’s financial regulator tightened MFA requirements and issued a vishing-specific advisory in February. The EU’s operational resilience rules (DORA) and cybersecurity directive (NIS2) are both in enforcement mode. Twenty US states are now actively enforcing privacy laws. And insurers are scrutinizing MFA posture at underwriting and claims stages. The convergence point: regulators, insurers, and attackers are all now testing the same control — identity verification. Getting that right addresses all three pressures at once.”


Forward Section 2 to your CISO with one question: “What are we doing about each of these?”



Section 2 — Full Analysis #

Why February Matters #

February 2026 is not a continuation of January’s patterns. It is their convergence.

As noted in the Executive Brief above, three corrections redefined the threat landscape this month: identity-based intrusion went industrial, edge infrastructure exploitation reached maximum severity, and AI-generated malware entered live operations. Each of these was visible in January as a signal. In February, they became structural.

The ShinyHunters/SLH supergroup demonstrated what happens when social engineering adopts a business model. Outsourced call centers, branded impersonation infrastructure, and Microsoft Device Code OAuth exploitation turned vishing from a tactic into a supply chain — one that compromised 50+ million records across 15+ organizations in a single month. Mandiant’s M-Trends 2026 confirms the shift: vishing now accounts for 11% of all intrusion vectors, surpassing email phishing (6%) for the first time.14 This is not a blip. It is a reclassification of how breaches begin.

Simultaneously, two CVSS 10.0 zero-days — Cisco SD-WAN and Dell RecoverPoint — were disclosed with multi-year dwell times (three years and eighteen months, respectively). Both targeted infrastructure that organizations assume is safe: WAN controllers and backup systems. Both were exploited by actors assessed as nation-state with high confidence. Both came with emergency directives. And both landed while CISA operated at 38% workforce capacity after mass furloughs.15

Finally, IBM X-Force confirmed what the industry has debated for two years: AI-generated malware is no longer theoretical. Slopoly — a PowerShell C2 framework likely built by an LLM and deployed during a live ransomware intrusion — is technically mediocre but operationally significant.16 It crossed the line from proof-of-concept to production. CrowdStrike’s 2026 Global Threat Report, released the same week, documented an 89% year-over-year increase in AI-enabled attacks.17

For security leaders, February’s message is: the attack surface has shifted to identity, the infrastructure you trust most is compromised, and the tools that lower your development costs are lowering the adversary’s too.


Critical Incidents: Top 5 #

1. ShinyHunters/SLH Industrial Vishing Campaign #

What happened: The ShinyHunters/Scattered LAPSUS$ Hunters (SLH) supergroup industrialized voice phishing into a scalable operation throughout February. The group launched the “SLH Operations Centre” — recruiting outsourced callers at $500–$1,000 per call with pre-written scripts — and targeted employee SSO credentials across Okta, Microsoft Entra, and Google Workspace. Once credentials were captured, attackers pivoted into connected SaaS environments for mass exfiltration, publishing stolen data on a dedicated Tor leak site when ransom was refused.

New TTPs included branded subdomain impersonation (e.g., <organization>.sso-verify[.]com), live phone-guided adversary-in-the-middle phishing, mobile-first lures, and abuse of the Microsoft OAuth 2.0 device authorization flow, a legitimate authentication mechanism repurposed for token theft: the attacker starts the flow, the caller talks the victim into entering the attacker’s user code on a genuine Microsoft sign-in page, and the attacker’s client receives the resulting tokens. No password is captured and no fake login page is needed, which is why conventional phishing detections miss it.

Scale: 50M+ records across 15+ organizations: CarGurus (12.5M), SoundCloud (29.8M), Odido Netherlands (6.2M, including passport numbers and IBANs), Match Group/Hinge (10M+), Panera Bread (5.1M), Betterment (1.4M), Harvard University (115K donor records published February 4, 2026 after ransom refusal; breach discovered November 2025), Wynn Resorts (800K), Canada Goose (600K), Figure Technology (967K), Optimizely, and Eurail B.V.18

Why it matters: This is the industrialization of social engineering. The economics have flipped: Chainalysis reports, citing Darkweb IQ data, that initial access broker prices collapsed from $1,427 to $439 between Q1 2023 and Q1 2026, making stolen credentials cheaper than exploit development.19 Vishing bypasses every technical control — it exploits process gaps, not software bugs. The NYDFS responded with a formal vishing advisory on February 6 and a detailed MFA guidance webinar on February 26. The expanded Section 500.12 MFA requirement — covering any individual accessing any information system — has been in effect since November 1, 2025; the annual Part 500 compliance filing is due April 15.20 DFS guidance identifies push-based MFA as higher-risk without additional safeguards.

The human cost is severe. Match Group/Hinge dating data carries extreme personal harm potential (outing, doxxing, extortion). Odido’s passport and IBAN exposure triggered secondary scam campaigns targeting Dutch consumers. Harvard’s donor records — including cultivation strategies for high-net-worth individuals — created an unprecedented high-value intelligence leak.

What to do:

  • CEO/CFO: Treat voice phishing as a board-level risk. Pre-approve budget for phishing-resistant MFA deployment (hardware-bound, FIDO2/WebAuthn) across all user populations — not just admins. Ask your CISO: “If someone called our help desk impersonating an employee today, what would stop them?”
  • CISO: Implement out-of-band verification for all privileged account changes (password resets, MFA re-enrollment, admin access grants). Deploy identity anomaly detection covering impossible travel, bulk export events, and new admin account creation. Review Microsoft Device Code OAuth 2.0 configuration — disable where unnecessary.
  • Legal/Compliance: For NYDFS-regulated entities, the expanded MFA requirement (Section 500.12) has been in effect since November 1, 2025; the annual Part 500 compliance certification is due April 15. Begin documentation of implementation evidence now. For all sectors, review whether current MFA implementations would withstand an AiTM attack.
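As an added example (not code from this brief, from Microsoft, or from any vendor it cites), the Python below triages Microsoft Entra sign-in records for the two identity signals the CISO bullet above calls out: sign-ins that used the device-code flow abused in the SLH campaign, and impossible travel between consecutive sign-ins by one user. Field names (userPrincipalName, createdDateTime, authenticationProtocol, location.geoCoordinates, deviceDetail.isManaged) follow the Microsoft Graph signIn resource; the records, IP addresses and the 900 km/h speed threshold are constructed for illustration.

```python
"""Triage Entra sign-in records for device-code-flow use and impossible travel.
The records mimic Microsoft Graph signIn objects but are constructed for this
example; they were not captured from a tenant."""
import json
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0

# Constructed sample: j.doe signs in from Amsterdam on a managed device, then
# 20 minutes later via the device-code flow from Lagos on an unmanaged device.
# a.smith is a benign control (two sign-ins, same region, hours apart).
# IP addresses are from documentation ranges.
SIGNINS = [
    {"userPrincipalName": "j.doe@example.com",
     "createdDateTime": "2026-02-12T09:00:00+00:00",
     "ipAddress": "203.0.113.10", "appDisplayName": "Microsoft Teams",
     "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "NL",
                  "geoCoordinates": {"latitude": 52.37, "longitude": 4.90}},
     "deviceDetail": {"isManaged": True}},
    {"userPrincipalName": "j.doe@example.com",
     "createdDateTime": "2026-02-12T09:20:00+00:00",
     "ipAddress": "198.51.100.77", "appDisplayName": "Microsoft Office",
     "authenticationProtocol": "deviceCode",
     "location": {"countryOrRegion": "NG",
                  "geoCoordinates": {"latitude": 6.52, "longitude": 3.38}},
     "deviceDetail": {"isManaged": False}},
    {"userPrincipalName": "a.smith@example.com",
     "createdDateTime": "2026-02-12T08:55:00+00:00",
     "ipAddress": "203.0.113.22", "appDisplayName": "Outlook",
     "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "NL",
                  "geoCoordinates": {"latitude": 52.37, "longitude": 4.90}},
     "deviceDetail": {"isManaged": True}},
    {"userPrincipalName": "a.smith@example.com",
     "createdDateTime": "2026-02-12T12:10:00+00:00",
     "ipAddress": "203.0.113.22", "appDisplayName": "SharePoint Online",
     "authenticationProtocol": "oAuth2",
     "location": {"countryOrRegion": "NL",
                  "geoCoordinates": {"latitude": 52.08, "longitude": 4.31}},
     "deviceDetail": {"isManaged": True}},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def _coords(rec):
    g = rec["location"]["geoCoordinates"]
    return g["latitude"], g["longitude"]


def triage(records, max_speed_kmh=900.0, min_km=100.0):
    """Return findings: every device-code sign-in, plus consecutive sign-ins by
    one user that imply travel faster than max_speed_kmh (roughly airliner speed).
    Moves shorter than min_km are ignored so city-level geo-IP noise is not flagged."""
    findings = []
    for rec in records:
        if rec.get("authenticationProtocol") == "deviceCode":
            findings.append({"kind": "device_code", "user": rec["userPrincipalName"],
                             "ip": rec["ipAddress"], "app": rec["appDisplayName"],
                             "managed_device": rec["deviceDetail"]["isManaged"]})
    by_user = {}
    for rec in records:
        by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: datetime.fromisoformat(r["createdDateTime"]))
        for prev, cur in zip(recs, recs[1:]):
            hours = (datetime.fromisoformat(cur["createdDateTime"])
                     - datetime.fromisoformat(prev["createdDateTime"])).total_seconds() / 3600
            km = haversine_km(*_coords(prev), *_coords(cur))
            if km >= min_km and (hours == 0 or km / hours > max_speed_kmh):
                findings.append({"kind": "impossible_travel", "user": user,
                                 "km": round(km), "minutes": round(hours * 60),
                                 "from_ip": prev["ipAddress"], "to_ip": cur["ipAddress"]})
    return findings


if __name__ == "__main__":
    print(json.dumps(triage(SIGNINS), indent=2))
```

In production the records come from `GET /auditLogs/signIns` in Microsoft Graph. The triage is a detective control only; where the device-code flow is not needed, block it with a Conditional Access policy using the Authentication flows condition, which is the configuration review the bullet above asks for.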

Sources: ReliaQuest (Feb 26), Krebs on Security (Feb 2), NYDFS advisory (Feb 6), Dataminr (Feb 22), BleepingComputer, The Hacker News, Mandiant M-Trends 2026, IBM X-Force 2026.21


2. Cisco SD-WAN CVSS 10.0 Zero-Day (CVE-2026-20127) #

What happened: On February 25, Cisco Talos disclosed CVE-2026-20127 — a maximum-severity (CVSS 10.0) authentication bypass in Cisco Catalyst SD-WAN Controller/Manager. The vulnerability had been exploited by a sophisticated threat actor designated UAT-8616 since at least 2023 — a three-year dwell time before discovery.

The attack chain is methodical: bypass peering authentication, add rogue peers to the SD-WAN control plane, downgrade controller software to exploit CVE-2022-20775 for root access, then establish persistent access with anti-forensic techniques designed to survive reboots and evade standard investigation. No workarounds are available — only patching eliminates the risk.22

CISA issued Emergency Directive 26-03. A Five Eyes joint advisory (CISA, NSA, ASD-ACSC, CCCS, NCSC-NZ, NCSC-UK) followed — a level of coordinated response typically reserved for the most severe infrastructure compromises.23

Why it matters: SD-WAN controllers manage traffic routing across an entire enterprise wide-area network. Compromising them gives an attacker the ability to manipulate, intercept, or disrupt traffic at scale — and to do so invisibly. The three-year dwell time indicates patient, strategic nation-state objectives: intelligence collection, not smash-and-grab.

For boards: this is infrastructure your organization relies on daily but almost certainly does not monitor for compromise at the controller level. The fact that no workaround exists means patching is the only path — and the Five Eyes advisory means governments assess the risk as severe enough to warrant coordinated international action.

What to do:

  • CEO/CFO: Ask whether your organization uses Cisco SD-WAN, whether emergency patching has been completed, and whether a compromise assessment has been conducted to rule out prior exploitation. If your CISO cannot confirm, escalate.
  • CISO: Patch immediately. Conduct forensic review of SD-WAN controller logs, peer configurations, and software versions for signs of downgrade or rogue peer addition. Assume compromise until proven otherwise — the three-year dwell window is wide.
  • Legal/Compliance: Federal agencies are subject to Emergency Directive 26-03. Private sector organizations operating critical infrastructure should treat this as a de facto mandate.
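An added example, not Cisco tooling and not taken from the advisories: a Python audit of a saved control-plane snapshot against an approved peer inventory and a version baseline, which surfaces the two artifacts the attack chain described above leaves behind (a rogue peer on the control plane and a software downgrade). The snapshot fields (local_version, and peers with system_ip, peer_type and state) are a hypothetical simplification of what the controller’s control-connection and version output give you; the IPs, versions and inventory are constructed.

```python
"""Audit an SD-WAN controller snapshot for rogue peers and version regression.
Inventory, baseline and snapshot below are constructed; replace them with your
CMDB export and a snapshot taken from the controller."""
import re

# Assumption: the approved control-plane peers and the version you expect.
APPROVED_PEERS = {"1.1.1.10": "vsmart", "1.1.1.11": "vsmart", "1.1.1.20": "vbond"}
BASELINE_VERSION = "20.12.4"

# Constructed snapshot after the described attack chain: one unknown peer has
# been added and the software has been rolled back below baseline.
SNAPSHOT = {
    "local_version": "20.9.3",
    "peers": [
        {"system_ip": "1.1.1.10", "peer_type": "vsmart", "state": "up"},
        {"system_ip": "1.1.1.11", "peer_type": "vsmart", "state": "up"},
        {"system_ip": "1.1.1.20", "peer_type": "vbond", "state": "up"},
        {"system_ip": "10.66.0.5", "peer_type": "vsmart", "state": "up"},
    ],
}


def parse_version(text):
    """'20.9.3' -> (20, 9, 3). Tuples compare numerically; as raw strings
    '20.9.3' > '20.12.4', so a string comparison would miss this downgrade."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def audit(snapshot, approved=APPROVED_PEERS, baseline=BASELINE_VERSION):
    """Return (kind, detail) findings for peers outside inventory, peers whose
    role differs from inventory, approved peers with no connection, and a
    running version below the baseline."""
    findings = []
    seen = {}
    for peer in snapshot["peers"]:
        ip, ptype = peer["system_ip"], peer["peer_type"]
        seen[ip] = ptype
        if ip not in approved:
            findings.append(("rogue_peer", f"{ip} ({ptype}) is not in the approved inventory"))
        elif approved[ip] != ptype:
            findings.append(("role_mismatch", f"{ip} reports {ptype}, inventory says {approved[ip]}"))
    for ip, ptype in approved.items():
        if ip not in seen:
            findings.append(("missing_peer", f"approved {ptype} {ip} has no control connection"))
    local = snapshot["local_version"]
    if parse_version(local) < parse_version(baseline):
        findings.append(("downgrade", f"running {local}, below baseline {baseline}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit(SNAPSHOT):
        print(f"[{kind}] {detail}")
```

Keep the inventory and the baseline somewhere the controller cannot write to; a compromised controller’s own records are exactly what UAT-8616’s anti-forensic tooling is built to alter. A clean result from this audit therefore does not clear the device; it only tells you the two cheap indicators are absent.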

Sources: Cisco Talos, CISA Emergency Directive 26-03, Five Eyes joint advisory (CISA, NSA, ASD-ACSC, CCCS, NCSC-NZ, NCSC-UK), CCCS advisory.24


3. Conduent Government Technology Breach #

What happened: SafePay ransomware breached Conduent — a major government technology contractor processing Medicaid claims and benefit payments across 46 states — between October 2024 and January 2025. The attackers operated inside the environment for 84 days, exfiltrating 8.5 TB of data including Social Security numbers, medical records, health insurance details, and claims data. Notification letters reached consumers nine months after the breach. The Texas AG launched an investigation, describing it as potentially the largest data breach in US history; media tallies of state notification filings placed the Texas count at approximately 15.4 million individuals.25

When combined with contemporaneous healthcare supply chain breaches at TriZetto/Cognizant (3.4M individuals, unauthorized portal access persisting nearly one year) and Navia Benefit Solutions (2.7M individuals, API vulnerability exploited for 24 days), the healthcare data processor cascade totals 31+ million individuals exposed through three separate vectors.26

Why it matters: This is a healthcare supply chain story, not a single-company story. Three different organizations, three different attack vectors (ransomware, unauthorized web access, API exploitation), one shared pattern: third-party data processors handling sensitive health information at scale with inadequate detection and disclosure timelines.

The 84-day dwell time at Conduent and the nine-month notification delay will define how regulators and courts evaluate reasonable care going forward. The Texas AG investigation may establish precedent for the largest healthcare breach in US history. At least 10 class-action lawsuits have been filed.

What to do:

  • CEO/CFO: If your organization relies on third-party processors for healthcare claims, benefits, or government payments, validate their detection capabilities — not just their compliance certifications. Ask for mean time to detect (MTTD) data, not just SOC 2 reports.
  • CISO: Review all third-party data processors with access to regulated health data. Verify that your contracts include breach notification timelines shorter than nine months. Implement independent monitoring of high-volume data transfers from third-party environments.
  • Legal/Compliance: Evaluate your exposure to Conduent, TriZetto, or Navia as downstream data subjects. Ensure your notification procedures can handle multi-state, multi-regulator disclosure at scale.

Sources: State notification letters, Texas AG, HIPAA Journal, CybersecurityDive, SafePay leak site, Mississippi Today.27


4. Dell RecoverPoint CVSS 10.0 + Shadow Campaign (37 Countries) #

What happened: Two linked China-nexus campaigns disclosed in February represent the most significant nation-state infrastructure targeting since Salt Typhoon.

Dell RecoverPoint (CVE-2026-22769, CVSS 10.0): Hardcoded Apache Tomcat Manager credentials in Dell RecoverPoint for VMs were exploited by UNC6201 — assessed by Mandiant/GTIG as overlapping with Silk Typhoon — since mid-2024. Attackers deployed SLAYSTYLE web shells, BRICKSTORM and GRIMBOLT backdoors, and used “Ghost NICs” (virtual network interfaces) for stealthy pivoting into VMware virtual infrastructure. CISA set an unprecedented 3-day remediation deadline.28

Shadow Campaign (TGR-STA-1030): Palo Alto Unit 42 disclosed that 70+ government and critical infrastructure organizations across 37 countries — including 5 national law enforcement entities, 3 finance ministries, and parliamentary systems — were compromised using ShadowGuard, a novel Linux kernel rootkit leveraging eBPF technology to hide processes and intercept system calls at the kernel level. Countries affected include Brazil, Mexico, Cyprus, Greece, Indonesia, Malaysia, Taiwan, Germany, and the Czech Republic. The US and UK were not among confirmed victims, but active reconnaissance was detected against 155 governments in November–December 2025.29

Reuters reported that Palo Alto’s original draft named China explicitly; attribution was softened due to reported concerns about commercial retaliation against Palo Alto’s Chinese operations.30

Why it matters: The Dell RecoverPoint campaign targets backup and disaster recovery infrastructure — the systems organizations depend on to survive ransomware. Mandiant reports that 43% of ransomware intrusions now target virtualization infrastructure. Compromising backup systems before encryption renders the primary recovery strategy useless.

The Shadow Campaign’s scale — one in five countries globally experienced a government network breach — and the intelligence harvested (financial negotiations, banking data, military operational updates, rare earth mineral intelligence) point to strategic economic and geopolitical espionage at a scope that surpasses previous China-attributed campaigns.

What to do:

  • CEO/CFO: Request confirmation that backup and disaster recovery infrastructure has been patched and assessed for compromise. The 18-month dwell time for Dell RecoverPoint means historical exploitation cannot be ruled out by current scanning alone.
  • CISO: Patch Dell RecoverPoint immediately (version 6.0.3.1 HF1). Conduct forensic review of backup infrastructure for SLAYSTYLE web shells, unauthorized virtual NICs, and anomalous VMware configurations. For the Shadow Campaign: review Linux kernel integrity across critical servers — eBPF-based rootkits evade standard endpoint detection.
  • Legal/Compliance: Organizations in the 37 affected countries should conduct proactive threat hunts. For regulated industries, document the assessment and response as evidence of due diligence.
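The CISO bullet above asks for a Linux kernel integrity review because eBPF rootkits such as ShadowGuard evade standard endpoint detection. As an added example (not Unit 42 detection content), the Python below hunts over the JSON that `bpftool prog show -j` emits, reporting programs of the types that can hook syscalls or kernel functions (kprobe, tracepoint, raw_tracepoint, tracing, lsm) when they are not owned by a recognised loader process. The JSON is constructed in the shape of that output, and the allowlist of loader names is an assumption to tailor per host.

```python
"""Hunt for hook-capable BPF programs not owned by an allowlisted loader.
BPFTOOL_JSON is constructed in the shape of `bpftool prog show -j` output;
it was not captured from a real host."""
import json
import sys

# Assumption: process names that legitimately load tracing/kprobe programs on
# this host. Everything else of a hook-capable type is reported.
ALLOWED_LOADERS = {"systemd", "cilium-agent", "tetragon", "falco"}
HOOK_TYPES = {"kprobe", "tracepoint", "raw_tracepoint", "tracing", "lsm"}
# Name fragments typical of process-hiding and signal-interception hooks.
HOOK_HINTS = ("getdents", "execve", "kill", "ptrace", "openat", "sys_enter", "sys_exit")

BPFTOOL_JSON = json.dumps([
    {"id": 12, "type": "cgroup_skb", "name": "sd_fw_egress", "tag": "6deef7357e7b4530",
     "loaded_at": 1770000000, "uid": 0, "pids": [{"pid": 1, "comm": "systemd"}]},
    {"id": 40, "type": "tracepoint", "name": "sys_enter_execve", "tag": "a1b2c3d4e5f60718",
     "loaded_at": 1770000100, "uid": 0, "pids": [{"pid": 812, "comm": "tetragon"}]},
    {"id": 87, "type": "tracepoint", "name": "hide_getdents64", "tag": "0f1e2d3c4b5a6978",
     "loaded_at": 1770003600, "uid": 0, "pids": []},
    {"id": 91, "type": "kprobe", "name": "kill_hook", "tag": "99aa88bb77cc66dd",
     "loaded_at": 1770003601, "uid": 0, "pids": [{"pid": 4412, "comm": "kworker/u8:1"}]},
    {"id": 95, "type": "tracing", "name": "", "tag": "deadbeefdeadbeef",
     "loaded_at": 1770003602, "uid": 0, "pids": [{"pid": 4413, "comm": "a.out"}]},
])


def hunt(progs, allowed_loaders=ALLOWED_LOADERS):
    """Return findings for hook-capable programs whose owning process is not
    allowlisted, with the reasons each one was reported."""
    findings = []
    for p in progs:
        if p.get("type") not in HOOK_TYPES:
            continue
        name = p.get("name", "")
        loaders = {x.get("comm", "") for x in p.get("pids", [])}
        if loaders & allowed_loaders:
            continue  # owned by a known agent; skip
        reasons = []
        if not loaders:
            reasons.append("no owning process (pinned to bpffs by a loader that exited?)")
        else:
            reasons.append(f"loaded by unrecognised process {sorted(loaders)}")
        if any(h in name for h in HOOK_HINTS):
            reasons.append(f"name suggests a syscall hook: {name!r}")
        if not name:
            reasons.append("empty program name")
        findings.append({"id": p["id"], "type": p["type"], "name": name, "reasons": reasons})
    return findings


def hunt_json(text, allowed_loaders=ALLOWED_LOADERS):
    """Convenience wrapper: parse bpftool JSON text and hunt over it."""
    return hunt(json.loads(text), allowed_loaders)


if __name__ == "__main__":
    # Usage on a live host: bpftool prog show -j | python3 hunt_bpf.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else BPFTOOL_JSON
    for f in hunt_json(raw):
        print(f"prog {f['id']} ({f['type']}): " + "; ".join(f["reasons"]))
```

Two caveats for the hunt. A kernel-resident rootkit can also filter what bpftool sees, so corroborate from a second vantage (a rescue boot, or a snapshot taken before the host was suspect) rather than trusting one run. And the cheap preventive control still matters: set `kernel.unprivileged_bpf_disabled=1` and limit which processes hold CAP_BPF/CAP_SYS_ADMIN, so that only the agents in your allowlist can load programs of these types in the first place.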

Sources: Mandiant/GTIG, Palo Alto Unit 42, CISA KEV, Dell advisory, Reuters.31


5. Slopoly: Likely AI-Generated Malware Used in a Live Ransomware Intrusion #

What happened: IBM X-Force identified Slopoly, a PowerShell-based command-and-control framework assessed as likely generated by a large language model, deployed during a ransomware intrusion by Hive0163 (Interlock ransomware affiliate). The malware’s characteristics — extensive inline comments, detailed logging, accurately named variables, and consistent error handling — match known LLM code generation patterns. Variable naming indicated the model was intentionally prompted to create malicious tooling, meaning guardrails were circumvented.32

The same week, CrowdStrike’s 2026 Global Threat Report documented an 89% YoY increase in AI-enabled attacks, with an average eCrime breakout time of 29 minutes (fastest observed: 27 seconds). Adversaries used legitimate GenAI tools at 90+ organizations via prompt injection to generate credential-stealing commands.33 Separately, a financially motivated actor used commercial GenAI services to compromise more than 600 FortiGate devices across more than 55 countries between January 11 and February 18, 2026.34 ESET discovered PromptSpy, the first Android malware integrating Google Gemini at runtime for adaptive persistence and detection evasion.35

Why it matters: Slopoly is technically mediocre — IBM called it “only the initial phase.” But its significance is operational, not technical. AI has entered the ransomware kill chain. The barrier to producing functional malware dropped from “skilled developer” to “motivated operator with a prompt.” When combined with AI-augmented reconnaissance (Fortinet campaign), AI-generated credential attacks (CrowdStrike findings), and AI-integrated mobile malware (PromptSpy), the pattern is clear: AI is being operationalized across every stage of the attack lifecycle.

For defenders, the asymmetry is worsening. CrowdStrike reports that 86% of organizations are piloting GenAI. Cisco’s State of AI Security 2026 found only 29% are prepared to secure agentic AI deployments. Multiple industry surveys indicate that a majority of organizations suspect unsanctioned AI agent use in their environments.36

What to do:

  • CEO/CFO: AI security is no longer a research topic — it is an operational risk. Fund both defensive AI tooling and AI governance programs. Ask: “Do we know which AI tools our employees are using, and what data they are sharing with them?”
  • CISO: Inventory all AI tools in use (sanctioned and unsanctioned). Block unsanctioned personal AI assistants immediately — Gartner specifically flags this as an urgent action. Update detection rules to account for AI-generated malware characteristics (consistent formatting, verbose logging, non-obfuscated code). Review Microsoft Device Code OAuth flows for abuse.
  • Legal/Compliance: Begin building an AI governance framework that spans both defensive AI adoption and offensive AI risk. Over 1,000 legislative actions on AI were introduced globally in 2024–2025 — regulatory requirements are coming faster than most organizations expect.37
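An added example, not from IBM’s report or the Slopoly analysis: the CISO bullet above suggests tuning detections to the stylistic traits of LLM-written code, but well-commented, verbosely logged, neatly named scripts describe most benign admin tooling too. The durable signal for a PowerShell command-and-control framework is behavioural: it calls home on a fixed interval. The Python below groups constructed proxy log lines by client and destination and flags pairs whose inter-request timing has a low coefficient of variation (standard deviation divided by mean). The log format, hostnames, and the thresholds (at least 6 requests, CV below 0.2) are assumptions.

```python
"""Beacon detection over a constructed proxy log: flag client/destination pairs
that talk at near-constant intervals. Lines below are invented for the example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Format: ISO timestamp, client IP, destination host, method, path, bytes.
# 10.0.0.5 checks in roughly every 60 s with small jitter (a beacon);
# 10.0.0.9 is ordinary browsing. Hostnames use reserved .invalid/.example names.
PROXY_LOG = """\
2026-02-12T09:00:00 10.0.0.5 c2.example.invalid POST /api/v1/ping 412
2026-02-12T09:00:05 10.0.0.9 www.example.org GET / 18211
2026-02-12T09:00:07 10.0.0.9 www.example.org GET /style.css 2210
2026-02-12T09:01:02 10.0.0.5 c2.example.invalid POST /api/v1/ping 418
2026-02-12T09:02:00 10.0.0.5 c2.example.invalid POST /api/v1/ping 414
2026-02-12T09:02:59 10.0.0.5 c2.example.invalid POST /api/v1/ping 410
2026-02-12T09:03:40 10.0.0.9 www.example.org GET /news 44120
2026-02-12T09:04:01 10.0.0.5 c2.example.invalid POST /api/v1/ping 415
2026-02-12T09:04:12 10.0.0.9 www.example.org GET /news/2 39870
2026-02-12T09:05:00 10.0.0.5 c2.example.invalid POST /api/v1/ping 411
2026-02-12T09:06:03 10.0.0.5 c2.example.invalid POST /api/v1/ping 417
2026-02-12T09:07:00 10.0.0.5 c2.example.invalid POST /api/v1/ping 413
2026-02-12T09:15:00 10.0.0.9 www.example.org GET /search?q=dora 9120
2026-02-12T09:15:01 10.0.0.9 www.example.org GET /favicon.ico 318
2026-02-12T09:31:45 10.0.0.9 www.example.org GET /about 7712
"""


def parse_log(text):
    """Return (timestamp, client, host, method, path, bytes) tuples, one per line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, path, size = line.split()
        rows.append((datetime.fromisoformat(ts), client, host, method, path, int(size)))
    return rows


def detect_beacons(rows, min_requests=6, max_cv=0.2):
    """Flag (client, host) pairs with at least min_requests requests whose
    inter-request intervals are nearly constant (pstdev/mean below max_cv)."""
    times = defaultdict(list)
    for ts, client, host, *_ in rows:
        times[(client, host)].append(ts)
    findings = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            findings.append({"client": client, "host": host, "requests": len(stamps),
                             "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in detect_beacons(parse_log(PROXY_LOG)):
        print(f"{f['client']} -> {f['host']}: {f['requests']} requests, "
              f"every {f['mean_interval_s']} s (cv={f['cv']})")
```

Real implants add jitter, so raise max_cv and lengthen the window before relying on this in production, and pair it with response-size regularity and destination reputation. The point for the brief is that this check works the same whether the C2 was written by a person or by a model.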

Sources: IBM X-Force 2026 Threat Intelligence Index, CrowdStrike 2026 Global Threat Report, ESET, Risky Business #826, Gartner.38


Other Significant Incidents #

  • ManoMano (38M records): A Tunis-based customer support subcontractor was compromised via a Zendesk account, exposing records across six European countries. CNIL and ANSSI engaged. Outsourced support = invisible supply chain.39
  • FICOBA (1.2M French bank accounts): Attacker impersonated a civil servant using stolen credentials on an interministerial platform lacking MFA. 1.2M records from France’s national bank account registry exfiltrated. System taken offline for hardening.40
  • Cl0p Oracle E-Business Suite campaign: Sixth mass exploitation campaign (after Accellion, GoAnywhere, MOVEit, Cleo). 103 organizations listed, 77 datasets published. Zero-day exploitation with no encryption — pure exfiltration/extortion. Only ~25% of victims paid.41
  • BeyondTrust CVE-2026-1731 (CVSS 9.9): Pre-authentication RCE exploited within 24 hours of PoC publication. ~8,500 internet-facing instances. CISA confirmed ransomware use. Previous BeyondTrust vulnerabilities were exploited by Silk Typhoon against the US Treasury.42
  • Microsoft Patch Tuesday (6 zero-days): All six added to CISA KEV on the same day — including a Desktop Window Manager zero-day for the second consecutive month. Discovery by MSTIC and Google TIG simultaneously suggests coordinated nation-state campaigns.43
  • Ivanti EPMM exploitation: Two CVSS 9.8 vulnerabilities exploited since August 2025. European Commission MDM compromised. By February 7, Rapid7 honeypots recorded hundreds of attempts from 130+ IPs in 24 hours.44
  • SolarWinds WHD (216+ victim hosts): CVSS 9.8 deserialization RCE exploited across government, education, and financial services. Post-exploitation included DCSync credential theft and QEMU SSH tunneling.45
  • Notepad++ state-sponsored supply chain compromise (CTIP26-003): CCCS issued alert on supply chain compromise of the ubiquitous text editor. Later linked to Chinese APT. Significant implications for developer environment security.46
  • Singapore: ALL telcos breached by Chinese state-sponsored actors. Complete telecommunications infrastructure compromise of a major global financial hub, extending the Salt Typhoon pattern across Southeast Asia.47

Key Threat Actors #

Actor | Activity | Attribution Confidence
--- | --- | ---
ShinyHunters/SLH | Industrialized vishing, 15+ orgs, 50M+ records, outsourced call centers | HIGH (multiple independent sources)
UAT-8616 | Cisco SD-WAN CVSS 10.0, 3-year dwell, Five Eyes advisory | HIGH for nation-state; UNKNOWN for country
UNC6201 / Silk Typhoon overlap | Dell RecoverPoint, backup infrastructure targeting, Ghost NICs | HIGH for China-nexus (Mandiant/GTIG)
TGR-STA-1030 (Shadow Campaign) | 70+ govt/CI orgs, 37 countries, ShadowGuard eBPF rootkit | HIGH for China (Unit 42; Reuters noted attribution softening)
Salt Typhoon | Expanded to South American telecoms; Army National Guard confirmed; Singapore ALL telcos | HIGH (US government attribution)
APT28 / Fancy Bear | CVE-2026-21509 weaponized within 24 hours; MiniDoor, BeardShell backdoors | HIGH (CERT-UA, Zscaler, Microsoft)
MuddyWater / Seedworm | Pre-positioned in US bank, airport, defense supplier with Dindoor/Fakeset backdoors | HIGH (Symantec, Google, Microsoft, Kaspersky)
Sandworm | DynoWiper attempted Polish power grid sabotage (blocked by EDR) | MEDIUM (ESET; strong TTP/code overlap)
Qilin | 104 victims, 2nd consecutive month at that level; CONPET oil pipeline | HIGH
TheGentlemen | Near doubled to 78–84 victims; Go-based, targets Windows/Linux/ESXi | HIGH
Hive0163 | Deployed Slopoly AI-generated malware in Interlock ransomware operation | HIGH (IBM X-Force)

Attack Methods: What Your Teams Should Brief Up #

This section is written for security and IT leaders to translate for their executive teams.

Eight methods defined February’s attack landscape. Each represents a capability that security teams should be able to detect, explain, and demonstrate controls against.

  • Industrialized vishing with outsourced callers. Not lone actors — structured call centers with scripts, gender-diversified recruitment, and per-call compensation. Bypasses all technical controls by exploiting human process gaps.
  • Microsoft Device Code OAuth 2.0 flow exploitation. Legitimate authentication mechanism repurposed for credential theft. Attackers trick users into entering a device code on a real Microsoft page, granting persistent access without triggering traditional phishing detections.
  • Edge device exploitation (SD-WAN, firewalls, MDM). CVSS 10.0 vulnerabilities in Cisco SD-WAN and Dell RecoverPoint; continued exploitation of Ivanti EPMM and Fortinet. Edge devices remain the highest-value exploitation target because they sit between networks and often lack endpoint detection.
  • Backup infrastructure targeting. Mandiant: 43% of ransomware intrusions now target virtualization infrastructure (up from 29% in 2024). Dell RecoverPoint exploitation specifically undermines disaster recovery. If your backup strategy depends on systems an attacker has already compromised, it is not a backup strategy.
  • AI-generated malware and AI-augmented reconnaissance. Slopoly in ransomware. AI playbooks compromising 600+ FortiGate devices. PromptSpy integrating Gemini at runtime. The common thread: AI compresses development and exploitation timelines.
  • 22-second IAB-to-ransomware handoffs. Median time from initial access broker compromise to ransomware operator handoff collapsed to 22 seconds — from 8+ hours in 2022. Automated, not manual.
  • eBPF-based kernel rootkits (ShadowGuard). Used in the Shadow Campaign across 37 countries. eBPF operates at the kernel level, intercepting system calls before they reach standard monitoring tools. Most endpoint detection does not cover this vector.
  • BYOVD (Bring Your Own Vulnerable Driver). Ransomware now ships with embedded vulnerable drivers to disable security software as a standard stage in the kill chain — no longer a rare technique.

Sector Impact Analysis #

Healthcare: Sharp ransomware increase, 31M+ exposed in supply chain cascade. The University of Mississippi Medical Center closed clinics for 11 days after ransomware took its Epic EHR offline. Conduent (25M+), TriZetto (3.4M), and Navia (2.7M) collectively exposed 31M+ patient records through three separate attack vectors. Nippon Medical School Hospital refused a $10M ransom demand. North Korea’s Lazarus Group was observed adopting Medusa ransomware against Middle East healthcare targets, with an attempted intrusion against a US healthcare organization.48

Financial Services: Regulatory acceleration meets nation-state pre-positioning. The FICOBA breach compromised France’s national bank account registry — a systemic risk event. NYDFS issued a formal vishing advisory (February 6) underscoring the broad MFA requirement and clearly favoring higher-assurance methods; the expanded MFA requirement has been in effect since November 2025. DORA Register of Information submissions are due to national authorities ahead of the March 31 ESA deadline. Iran’s MuddyWater pre-positioned inside a US bank before the February 28 strikes. Cyber insurance claim severity rose significantly for large accounts, with MFA posture increasingly a factor in claims adjudication.49

Critical Infrastructure: Maximum nation-state pressure, minimum defender capacity. Cisco SD-WAN CVSS 10.0 (exploited since 2023), Sandworm’s attempted Polish power grid sabotage (blocked by EDR), Iran’s pre-positioning in a US airport, and CONPET (Romania’s national oil pipeline) ransomware by Qilin — all while CISA operated at 38% capacity. Emergency Directive 26-03 and the Five Eyes advisory reflect the severity. BridgePay ransomware knocked municipal payment systems offline across multiple US locations, demonstrating third-party concentration risk in essential services.50

Telecommunications: Espionage expansion continues. Odido Netherlands (6.2M records including passport data) was breached by ShinyHunters. Salt Typhoon expanded to South American telecoms with new implants (TernDoor, PeerTime, BruteEntry). Chinese state-sponsored actors breached all of Singapore’s telecommunications companies. The FCC moved to ban foreign-manufactured consumer routers. Globally, 600+ organizations across 80 countries remain affected by Salt Typhoon.51

Manufacturing: #1 target, 5th consecutive year. IBM X-Force confirmed manufacturing at 27.7% of all incidents — the top-targeted sector for the fifth year running. Breachsense recorded 94 ransomware victims in manufacturing in February alone. Advantest Corporation (semiconductors) and UFP Technologies (medical devices) reported confirmed incidents.52

Government: Unprecedented scope of nation-state compromise. The European Commission’s MDM infrastructure was compromised via Ivanti zero-days. The Shadow Campaign breached 70+ government organizations across 37 countries. SolarWinds WHD exploitation affected 216+ hosts concentrated in government environments. Dutch municipalities were fined for illegal data processing. The convergence of edge device exploitation and degraded CISA capacity leaves government networks more exposed than at any point in recent memory.53


Regulatory Timeline #

| Window | What Moved | Executive Action |
| --- | --- | --- |
| Effective Now | DORA RoI submissions due to national authorities ahead of March 31 ESA deadline; NIS2 enforcement advancing (19 member states received reasoned opinions May 2025); 20 US state privacy laws enforcing; China CSL amendments (CNY 50M / 5% turnover); Hong Kong PCIO (12-hour serious incident / 48-hour standard reporting) | Validate multi-jurisdiction compliance posture. Confirm DORA RoI submissions are complete. |
| Coming 30–90 Days | NYDFS annual Part 500 compliance filing (April 15) — MFA requirement already in effect since Nov 2025; UK Cyber Security & Resilience Bill heading to Lords (penalties: the greater of GBP 17M or 10% of turnover); FTC PADFAA enforcement signals ($53K/violation); FIPS 140-2 sunset (September 2026) | Begin NYDFS certification documentation. Prepare for UK MSP/data center regulatory obligations. Inventory FIPS 140-2 dependencies. |
| Planning Horizon | NSA CNSA 2.0 (Jan 2027 for new NSS acquisitions); Google PQC migration (2029); G7 financial PQC roadmap (2030–2032); EU CSA2 (political agreement targeted early 2027) | Start cryptographic inventory for PQC migration. Map ICT supply chain against emerging EU supplier restrictions. |

Strategic Threat Signals #

Post-quantum cryptography timelines are accelerating faster than most enterprises expected. Google announced acceleration of its PQC migration to 2029. FIPS 140-2 sunsets September 21, 2026 — six months from now. NSA CNSA 2.0 requires new NSS acquisitions to be compliant by January 1, 2027. No cryptographically relevant quantum computer exists today, but “harvest now, decrypt later” drives urgency for any data with multi-year sensitivity: contracts, M&A, health records, national security communications.54

Agentic AI is emerging as a control-plane risk. Cisco’s State of AI Security 2026 found only 29% of organizations prepared to secure agentic AI deployments, even as most have moved to active testing or production. Industry surveys consistently find that a majority of organizations suspect unsanctioned AI agent use. The OpenClaw/ClawdBot security crisis — thousands of exposed instances — triggered Gartner’s first “Block Personal AI Assistants” advisory. MCP server exploitation enabling GitHub data exfiltration demonstrates that AI agents inherit the permissions of their operators, with none of the judgment.55

Deepfake fraud has reached operational scale. Multiple industry reports document sharp year-over-year increases in AI-powered voice and video fraud, with Pindrop among several vendors reporting order-of-magnitude growth since 2023.56 The Arup $25M loss case — where executives authorized a wire transfer based on a deepfake video conference — remains the benchmark for board-level awareness. Gartner predicts that by 2026, 30% of enterprises will no longer consider standalone identity verification reliable.

Blockchain-based C2 is emerging as a disruption-resistant attack infrastructure. The Aeternum botnet stores command-and-control instructions on the Polygon blockchain — making takedown effectively impossible through traditional methods. Operational cost: ~$1 of MATIC for 100–150 commands. The toolkit was offered for sale at $10,000.57

Cyber resilience is being rebranded — with organizational implications. Gartner Predicts 2026 reports that by 2028, 50% of CISOs will own disaster recovery and business continuity. The convergence of cybersecurity and operational resilience is structural, not cosmetic.58

SaaS vendor leverage has returned for the first time in five years. Megavendor stock declines through early 2026 — driven partly by AI disruption concerns — mean buyers have regained negotiating power for the first time in years. SAP is offering 24-month migration credits. Microsoft is discounting Copilot. This is the window to renegotiate security-critical contracts.59


Market & Industry Intelligence #

  • Palo Alto Networks completed its $25B acquisition of CyberArk — the second-largest cybersecurity deal ever — positioning identity security as the strategic center of its platform. Combined with Protect AI and Chronosphere ($3.35B), Palo Alto is building the most comprehensive integrated security platform in the market.60
  • Google’s $32B acquisition of Wiz received EU approval in February and closed March 11. Wiz crossed $1B in ARR during 2025. The deal confirms hyperscaler investment in security as a competitive differentiator and accelerates multi-cloud security consolidation.61
  • 42 M&A deals in February alone. Notable: Varonis/AllTrue.ai ($150M, AI TRiSM), Zscaler/SquareX (browser security), Arctic Wolf/Sevco Security. Full-year 2025 exceeded $84B across 400+ deals. “Sovereign M&A” — EU-focused acquisitions driven by NIS2/CRA compliance — is emerging as a new deal category.62
  • Cybersecurity startup funding reached $18B in 2025 (up 26%), with AI-focused companies driving growth. Early-stage investment rose 63% YoY. February rounds: Cyera ($400M Series F at $9B valuation), UpGuard ($75M), Vega Security ($120M).63
  • Insurance market tightening. Premiums are rising after two years of declining rates, with claim severity increasing for large accounts. Insurers are scrutinizing MFA posture at both underwriting and claims stages. Lloyd’s formally excluded state-backed cyberattack losses. Coalition’s 2026 report notes that 86% of policyholders hit by ransomware refused to pay, and 64% of closed claims had no out-of-pocket loss.64
  • IBM X-Force 2026 and CrowdStrike 2026 Global Threat Report both released in February — providing the year’s most comprehensive threat landscape data. Key convergent findings: identity as the dominant attack surface, AI enabling both sides, edge devices as the new perimeter, and manufacturing as the top target.

Investment Priorities #

| Capability | Urgency | February Trigger | 30/60/90-Day Move |
| --- | --- | --- | --- |
| Phishing-resistant MFA (universal) | 🔴 Immediate | SLH campaign + NYDFS §500.12 (in effect since Nov 2025) | 30 days: Deploy to all admins, help desk, privileged roles. 60 days: Expand to all SSO-connected users. 90 days: Full coverage with enforcement. |
| Identity telemetry & anomaly detection | 🔴 Immediate | Vishing = 11% of intrusions; 22-second IAB handoffs | 30 days: Alert on MFA resets, new admin accounts, impossible travel, bulk exports. 60 days: Integrate SaaS and IdP telemetry. 90 days: Baseline and tune. |
| Independent backup validation | 🔴 This month | Cisco SD-WAN + Dell RecoverPoint compromised backup/DR infra | 30 days: Verify backup systems are patched and not compromised. 60 days: Implement out-of-band backup integrity testing. 90 days: Establish backup isolation architecture. |
| Vendor-managed auth inventory | 🟡 This quarter | Fortinet continuation + Dell RecoverPoint hardcoded creds | 30 days: Inventory all vendor cloud SSO and hardcoded credential dependencies. 60 days: Disable unintentional vendor auth; rotate all credentials. 90 days: Continuous monitoring of vendor auth paths. |
| AI security posture & tool governance | 🟡 This quarter | Slopoly + agentic AI risk + widespread unsanctioned AI use | 30 days: Block unsanctioned personal AI assistants. 60 days: Inventory all AI tools (sanctioned and shadow). 90 days: Implement AI governance policy with SBCP training. |
| Post-quantum cryptography inventory | 🟢 Start planning | FIPS 140-2 sunset Sept 2026; NSA CNSA 2.0 Jan 2027 | 30 days: Identify cryptographic dependencies. 60 days: Map data with multi-year sensitivity. 90 days: Develop migration roadmap and vendor requirements. |
| Crisis communications playbook | 🟡 This quarter | SLH harassment + swatting of executives; 9-month notification delays | 30 days: Pre-approve holding statements. 60 days: Run extortion/vishing tabletop with legal, comms, support. 90 days: Test customer messaging integrity playbook. |
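As an added illustration (not code from this brief or from any vendor it cites), the following Python detector implements the 30-day identity-telemetry alerts from the table above (MFA resets, new privileged role assignments, impossible travel, bulk exports) and also flags the device-code sign-ins described in the attack-methods list, running over a constructed stream of identity events. The event schema, field names, thresholds and sample events are all assumptions made for this example rather than any IdP's actual log format.

```python
"""Identity-layer anomaly detector over a constructed event stream.

Assumed event schema (not a vendor format): each event is a dict with
"type", "user", "time" (ISO 8601) and type-specific fields; see SAMPLE_EVENTS.
"""
from __future__ import annotations

import math
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumptions for this example).
MAX_PLAUSIBLE_SPEED_KMH = 900          # above commercial-flight speed => impossible
MIN_TRAVEL_KM = 50                     # ignore small geo-IP jitter within one city
BULK_EXPORT_THRESHOLD = 3              # exports per user inside BULK_EXPORT_WINDOW
BULK_EXPORT_WINDOW = timedelta(minutes=10)
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (rule, user, detail) findings, processing events in time order."""
    findings: list[tuple[str, str, str]] = []
    last_signin: dict[str, dict] = {}                   # user -> last successful sign-in
    exports: dict[str, list[datetime]] = defaultdict(list)  # user -> export times in window
    for ev in sorted(events, key=lambda e: e["time"]):
        kind, user, t = ev["type"], ev["user"], datetime.fromisoformat(ev["time"])
        if kind == "mfa_method_reset":
            # A help-desk-driven MFA reset is the pivot point of the vishing playbook.
            findings.append(("MFA_RESET", user, f"reset by {ev['actor']}"))
        elif kind == "role_assigned" and ev["role"] in PRIVILEGED_ROLES:
            findings.append(("NEW_ADMIN", user, f"{ev['role']} granted by {ev['actor']}"))
        elif kind == "signin" and ev.get("result") == "success":
            if ev.get("protocol") == "device_code":
                # Device-code grants are legitimate but rare for most users; surface them.
                findings.append(("DEVICE_CODE_GRANT", user, f"from {ev['ip']}"))
            prev = last_signin.get(user)
            if prev is not None:
                km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
                hours = (t - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
                # Same-timestamp sign-ins from far apart are treated as impossible too.
                if km > MIN_TRAVEL_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_SPEED_KMH):
                    findings.append(("IMPOSSIBLE_TRAVEL", user, f"{km:.0f} km in {hours:.2f} h"))
            last_signin[user] = ev
        elif kind == "export":
            recent = [x for x in exports[user] if t - x <= BULK_EXPORT_WINDOW] + [t]
            exports[user] = recent
            if len(recent) == BULK_EXPORT_THRESHOLD:    # fire once when the burst crosses threshold
                findings.append(("BULK_EXPORT", user, f"{len(recent)} exports in {BULK_EXPORT_WINDOW}"))
    return findings


# Constructed sample events: one suspicious user (a.lee) and one benign user (b.ng).
SAMPLE_EVENTS = [
    {"type": "signin", "user": "a.lee", "time": "2026-02-10T09:00:00", "result": "success",
     "ip": "203.0.113.10", "lat": 52.37, "lon": 4.90, "protocol": "browser"},        # Amsterdam
    {"type": "mfa_method_reset", "user": "a.lee", "time": "2026-02-10T09:12:00", "actor": "helpdesk.t3"},
    {"type": "signin", "user": "a.lee", "time": "2026-02-10T09:30:00", "result": "success",
     "ip": "198.51.100.7", "lat": 40.71, "lon": -74.01, "protocol": "device_code"},   # New York
    {"type": "role_assigned", "user": "a.lee", "time": "2026-02-10T09:35:00",
     "role": "Global Administrator", "actor": "a.lee"},
    {"type": "export", "user": "a.lee", "time": "2026-02-10T09:40:00", "object": "customers"},
    {"type": "export", "user": "a.lee", "time": "2026-02-10T09:41:00", "object": "invoices"},
    {"type": "export", "user": "a.lee", "time": "2026-02-10T09:43:00", "object": "contracts"},
    {"type": "signin", "user": "b.ng", "time": "2026-02-10T08:00:00", "result": "success",
     "ip": "192.0.2.5", "lat": 51.51, "lon": -0.13, "protocol": "browser"},          # London
    {"type": "export", "user": "b.ng", "time": "2026-02-10T08:05:00", "object": "report"},
]

if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:18} {user:8} {detail}")
```

Running it against the sample stream produces the full vishing-to-exfiltration chain for a.lee in order (MFA reset, device-code sign-in, impossible travel, new admin, bulk export) and nothing for b.ng; in production the thresholds and the export window would be tuned against the 90-day baseline the table calls for.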

Board Discussion Points #

  1. “If an attacker called our help desk today impersonating a senior employee, what verification steps would stop them — and when was the last time we tested that process?”

  2. “Which of our backup and disaster recovery systems have been assessed for compromise — not just patched — given that the Dell RecoverPoint and Cisco SD-WAN attacks had multi-year dwell times?”

  3. “What is our mean time to detect unauthorized bulk data export from SaaS platforms, and do we monitor identity-layer events (MFA changes, admin account creation) in real time?”

  4. “How many AI tools are in use across our workforce today — sanctioned and unsanctioned — and what data are employees sharing with them?”

  5. “If a nation-state actor has pre-positioned access in our environment, as Iran did in US banks and airports, how would we detect it — and what is our response plan?”

  6. “Are we confident that our cyber insurance policy covers the incidents we are most likely to face — data exfiltration without encryption, third-party processor breaches, state-linked attacks — and what MFA evidence does our insurer require?”


Next Month Predictions #

Will happen (high confidence):

  • SLH/ShinyHunters vishing operations will continue and expand to new sectors. The infrastructure is built, the callers are recruited, and the playbook works.
  • Edge device and backup infrastructure exploitation will intensify. The Cisco SD-WAN and Dell RecoverPoint disclosures will prompt both defender patching and attacker scanning for unpatched instances.
  • AI-generated malware quality will improve. Slopoly was a first draft. The next variants will be better.

Might happen (50–70%):

  • Iranian retaliatory cyber operations following February 28 strikes. The CCCS assessed this as “very likely.” Pre-positioned access in US banks, airports, and defense suppliers provides the capability.
  • A DORA enforcement action against a major financial institution or its ICT provider. The first reporting cycle creates the evidence base; regulators signaled they will act.
  • Another mass exploitation campaign by Cl0p or a copycat using the same zero-day-to-extortion playbook against a widely deployed enterprise application.

Watch for (low probability, high impact):

  • Activation of Iranian pre-positioned access for destructive operations against US critical infrastructure — especially during political escalation.
  • An eBPF-based rootkit (ShadowGuard class) deployed against Western critical infrastructure, extending the technique from espionage to sabotage.
  • A breach where AI agents — sanctioned or unsanctioned — autonomously exfiltrate sensitive data through their normal operation, triggering the first “AI agent breach” disclosure.

Key Conclusions #

  • Identity is the perimeter, and it is now under industrial siege. The SLH campaign proved that vishing at scale works. Broad MFA with higher-assurance methods is no longer a best practice — it is a survival requirement, and regulators from NYDFS to the EU are making it an enforcement priority.
  • The infrastructure you trust most is compromised. Backup systems, SD-WAN controllers, and MDM platforms were the targets of choice for nation-state actors — with multi-year dwell times. Assume breach; validate recovery.
  • AI crossed from theory to production — on both sides of the fight. Defenders piloting GenAI should recognize that adversaries are doing the same, with fewer constraints and faster iteration. Governance is not optional.
  • Nation-state activity reached a level that demands corporate attention. Two CVSS 10.0 zero-days, 37 countries compromised, Iranian pre-positioning in US critical infrastructure, CISA at 38% capacity. This is not just a government problem — it is an enterprise resilience problem.
  • The regulatory wave is here. DORA, NIS2, UK Bill, 20 US states, APAC mandates, NYDFS deadlines. Organizations that treat compliance as a project rather than a capability will fall behind.

Bottom Line #

February 2026 proved that identity compromise at industrial scale, nation-state exploitation of trusted infrastructure, and AI-enabled attack acceleration are no longer emerging risks — they are the operating environment, and security strategy must be rebuilt around them.


Sources #

  1. Intel471, “SLH Operations Centre: The Commercialization of Vishing,” February 2026; Mandiant, M-Trends 2026, https://cloud.google.com/security/resources/m-trends.

  2. Aggregated from verified breach disclosures: CarGurus (12.5M, BleepingComputer), SoundCloud (29.8M, BleepingComputer), Odido (6.2M, BleepingComputer), Match Group (10M+, The Register), Harvard University (115K donor records published Feb 4, 2026; Cybernews, InfoStealers), February 2026.

  3. Cisco Talos, CVE-2026-20127 advisory (CVSS 10.0), February 25, 2026; CISA Emergency Directive 26-03; Five Eyes joint advisory, https://media.defense.gov/2026/Feb/25/2003880301/-1/-1/0/CSA_Exploitation_of_SD-WAN_Appliances.PDF.

  4. Dell Security Advisory DSA-2026-079, CVE-2026-22769 (CVSS 10.0), https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079; Mandiant, “UNC6201: China-Nexus Exploitation of Recovery Infrastructure,” https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day.

  5. IBM X-Force, “A Slopoly Start to AI-Enhanced Ransomware Attacks,” https://www.ibm.com/think/x-force/slopoly-start-ai-enhanced-ransomware-attacks, February 2026.

  6. AWS Threat Intelligence, “AI-Augmented Threat Actor Accesses FortiGate Devices at Scale,” aws.amazon.com, February 2026.

  7. CrowdStrike, 2026 Global Threat Report, crowdstrike.com.

  8. NYDFS, Industry Letter, “Cybersecurity Advisory — Targeted ‘Vishing’ Attacks,” February 6, 2026, https://www.dfs.ny.gov/industry-guidance/industry-letters/20260206-cybersecurity-advisory-targeted-vishing-attacks. Expanded MFA requirement (23 NYCRR §500.12) effective November 1, 2025; annual Part 500 filing due April 15.

  9. Coalition, 2026 Cyber Claims Report, https://www.coalitioninc.com/en-ca/claims-report/2026. Note: specific denial rates and MFA correlation statistics vary by insurer and reporting period; the directional trend — MFA posture as a qualifying factor — is consistent across industry reporting.

  10. EBA, Follow-up Peer Review Report on ICT Risk Assessment under SREP, February 2026, https://www.eba.europa.eu/sites/default/files/2026-02/57ba5573-eb1a-413c-8fbb-ca3d3a2eb0b2/Follow%20up%20Peer%20Review%20Report%20on%20ICT%20Risk%20Assessment%20under%20SREP.pdf. NIS2: European Commission sent reasoned opinions to 19 member states, May 7, 2025.

  11. SecurityWeek, “CISA Navigates DHS Shutdown with Reduced Staff,” securityweek.com; Defense One separately reported approximately one-third of staff remaining.

  12. Aggregated from Recorded Future, Cyble, and Dragos ransomware tracking, February 2026.

  13. Arctic Wolf, 2026 Threat Report, arcticwolf.com.

  14. Mandiant, M-Trends 2026 report, vishing as initial infection vector statistics, https://cloud.google.com/security/resources/m-trends.

  15. SecurityWeek, “CISA Navigates DHS Shutdown with Reduced Staff,” securityweek.com. Multiple outlets confirmed 888 of 2,341 staff remained.

  16. IBM X-Force Threat Intelligence Index 2026, published February 25, 2026, https://www.ibm.com/reports/threat-intelligence; newsroom: https://newsroom.ibm.com/2026-02-25-ibm-2026-x-force-threat-index-ai-driven-attacks-are-escalating-as-basic-security-gaps-leave-enterprises-exposed.

  17. CrowdStrike 2026 Global Threat Report, published February 24, 2026, crowdstrike.com.

  18. ReliaQuest, “SLH Operations Centre” analysis, February 26, 2026, https://reliaquest.com/blog/threat-spotlight-shinyhunters-fast-tracks-saas-access-subdomain-impersonation; Krebs on Security, “Please Don’t Feed the Scattered Lapsus ShinyHunters,” February 2, 2026, krebsonsecurity.com; BleepingComputer; Have I Been Pwned.

  19. Chainalysis, “Crypto Ransomware: 2026 Crypto Crime Report,” chainalysis.com, citing Darkweb IQ access broker pricing data.

  20. NYDFS vishing advisory, February 6, 2026, https://www.dfs.ny.gov/industry-guidance/industry-letters/20260206-cybersecurity-advisory-targeted-vishing-attacks; NYDFS MFA webinar, February 26, 2026; 23 NYCRR Part 500 §500.12.

  21. Dataminr, February 22, 2026, dataminr.com; The Hacker News, https://thehackernews.com/2026/02/slh-offers-5001000-per-call-to-recruit.html; Mandiant M-Trends 2026, https://cloud.google.com/security/resources/m-trends.

  22. Cisco Talos, CVE-2026-20127 advisory, February 25, 2026, blog.talosintelligence.com.

  23. CISA Emergency Directive 26-03, https://www.cisa.gov/news-events/directives/ed-26-03-mitigate-vulnerabilities-cisco-sd-wan-systems; Five Eyes joint advisory, https://media.defense.gov/2026/Feb/25/2003880301/-1/-1/0/CSA_Exploitation_of_SD-WAN_Appliances.PDF.

  24. Canadian Centre for Cyber Security (CCCS) advisory AL26-004, https://www.cyber.gc.ca/en/alerts-advisories/al26-004-critical-vulnerability-affecting-cisco-catalyst-sd-wan-cve-2026-20127.

  25. Texas AG, https://www.texasattorneygeneral.gov/news/releases/attorney-general-ken-paxton-demands-information-blue-cross-blue-shield-texas-and-conduent-part; state notification letters; HIPAA Journal; CybersecurityDive; Mississippi Today. Note: TX AG described approximately 4 million Texans affected; the 15.4M figure comes from media tallies of multi-state notification filings.

  26. Cognizant/TriZetto Provider Solutions, bleepingcomputer.com; HIPAA Journal, hipaajournal.com; Navia Benefit Solutions, bleepingcomputer.com.

  27. SafePay ransomware leak site; state AG filings across 46 states, https://flare.io/learn/resources/safepay-ransomware-victims-analysis.

  28. Mandiant/GTIG, Dell RecoverPoint analysis, https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day; Dell advisory DSA-2026-079, https://www.dell.com/support/kbdoc/en-us/000426773/dsa-2026-079; CISA KEV, https://www.cisa.gov/news-events/alerts/2026/02/18/cisa-adds-two-known-exploited-vulnerabilities-catalog.

  29. Palo Alto Unit 42, Shadow Campaign / TGR-STA-1030 disclosure, February 5, 2026, unit42.paloaltonetworks.com.

  30. Reuters, reporting on Palo Alto attribution language changes, https://finance.yahoo.com/news/exclusive-palo-alto-chose-not-180250244.html.

  31. Mandiant/Google Cloud, M-Trends 2026, https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026. Virtualization targeting: 43% of ransomware intrusions.

  32. IBM X-Force Threat Intelligence Index 2026, Slopoly/Hive0163 analysis, https://www.ibm.com/reports/threat-intelligence.

  33. CrowdStrike 2026 Global Threat Report, AI-enabled attack statistics and breakout time data, crowdstrike.com.

  34. AWS Threat Intelligence, “AI-Augmented Threat Actor Accesses FortiGate Devices at Scale,” aws.amazon.com.

  35. ESET, PromptSpy discovery and analysis, February 2026, WeLiveSecurity.

  36. Cisco State of AI Security 2026, https://www.cisco.com/c/en/us/products/security/state-of-ai-security.html.

  37. Stanford HAI, 2025 AI Index Report — Policy and Governance; OECD AI Policy Observatory, https://oecd.ai/en/dashboards.

  38. Composite sourcing from IBM X-Force, CrowdStrike, ESET, Risky Business, and Gartner reports cited in footnotes 33–38.

  39. BleepingComputer, ManoMano breach, bleepingcomputer.com; CNIL; ANSSI.

  40. BleepingComputer, FICOBA breach, bleepingcomputer.com; The Record, https://therecord.media/attackers-breach-france-national-bank-account-database; CNIL.

  41. BleepingComputer, Cl0p Oracle EBS, bleepingcomputer.com; Mandiant, https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation.

  42. BeyondTrust advisory; CISA KEV, https://www.cisa.gov/news-events/alerts/2026/02/13/cisa-adds-one-known-exploited-vulnerability-catalog; BleepingComputer, bleepingcomputer.com.

  43. Microsoft Patch Tuesday, bleepingcomputer.com; SecurityWeek, securityweek.com; Krebs, krebsonsecurity.com.

  44. Rapid7, Ivanti EPMM exploitation, Rapid7 Blog; CERT-EU; Ivanti advisory.

  45. CISA KEV; SolarWinds advisory; The Hacker News, https://thehackernews.com/2026/02/cisa-adds-actively-exploited-solarwinds.html.

  46. Canadian Centre for Cyber Security, CTIP26-003 advisory, February 6, 2026. CCCS alerts: https://www.cyber.gc.ca/en/alerts-advisories.

  47. Risky Bulletin, news.risky.biz; CSA Singapore, csa.gov.sg.

  48. UMMC: Mississippi Today, mississippitoday.org; Nippon Medical School Hospital: Japan Times, February 2026; Lazarus/Medusa: Symantec threat advisory, https://www.security.com/threat-intelligence/lazarus-medusa-ransomware.

  49. FICOBA: BleepingComputer, bleepingcomputer.com; NYDFS advisory, https://www.dfs.ny.gov/industry-guidance/industry-letters/20260206-cybersecurity-advisory-targeted-vishing-attacks; DORA: EBA, https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act; MuddyWater: Symantec, https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us; Insurance: S&P Global Ratings, https://www.spglobal.com/ratings/en/regulatory/article/cyber-insurance-market-outlook-2026-resilient-earnings-tougher-competition-pockets-of-growth-s101658506.

  50. Cisco Talos, blog.talosintelligence.com; ESET DynoWiper, welivesecurity.com; Symantec MuddyWater, https://www.security.com/threat-intelligence/iran-cyber-threat-activity-us; CONPET/Qilin, https://www.scworld.com/brief/qilin-attack-related-breach-confirmed-by-conpet; CISA workforce, securityweek.com; BridgePay, bleepingcomputer.com.

  51. Odido: BleepingComputer, bleepingcomputer.com; Salt Typhoon: Treasury sanctions, https://home.treasury.gov/news/press-releases/jy2792; Singapore: Risky Bulletin, news.risky.biz.

  52. IBM X-Force Threat Intelligence Index 2026, https://www.ibm.com/reports/threat-intelligence; Breachsense February 2026, breachsense.com.

  53. European Commission MDM: BleepingComputer, bleepingcomputer.com; Shadow Campaign: Unit 42, unit42.paloaltonetworks.com; SolarWinds WHD: The Hacker News, https://thehackernews.com/2026/02/cisa-adds-actively-exploited-solarwinds.html; Dutch DPA, https://www.autoriteitpersoonsgegevens.nl/en/about-the-ap/fines-and-other-sanctions-from-the-ap.

  54. Google PQC, blog.google; NIST PQC, https://csrc.nist.gov/projects/post-quantum-cryptography; G7 Cyber Expert Group PQC roadmap, https://www.gov.uk/government/publications/advancing-a-coordinated-roadmap-for-the-transition-to-post-quantum-cryptography-in-the-financial-sector.

  55. Cisco State of AI Security 2026, https://www.cisco.com/c/en/us/products/security/state-of-ai-security.html; Reco/OpenClaw, https://www.reco.ai/blog/openclaw-the-ai-agent-security-crisis-unfolding-right-now.

  56. Pindrop deepfake statistics, pindrop.com; Arup case, purplesec.us; Gartner identity verification prediction, https://www.gartner.com/en/newsroom/press-releases/2024-02-01-gartner-predicts-30-percent-of-enterprises-will-consider-identity-verification-and-authentication-solutions-unreliable-in-isolation-due-to-deepfakes-by-2026.

  57. Qrator Labs, Aeternum disclosure; The Hacker News, https://thehackernews.com/2026/02/aeternum-c2-botnet-stores-encrypted.html; Infosecurity Magazine, infosecurity-magazine.com.

  58. Gartner Predicts 2026, https://www.gartner.com/en/newsroom/press-releases/2026-02-05-gartner-identifies-the-top-cybersecurity-trends-for-2026.

  59. SaaS valuation compression and vendor negotiation dynamics sourced from Tropic 2026 SaaS Procurement Trends and Windsor Drake SaaS Valuation Multiples 2026.

  60. Palo Alto Networks/CyberArk acquisition, https://www.paloaltonetworks.com/company/press/2026/palo-alto-networks-completes-acquisition-of-cyberark-to-secure-the-ai-era.

  61. Google/Wiz EU approval, https://www.bankinfosecurity.com/eu-approves-32b-google-wiz-purchase-after-antitrust-review-a-30728.

  62. SecurityWeek M&A tracker, securityweek.com.

  63. Help Net Security, cybersecurity startup funding, helpnetsecurity.com.

  64. S&P Global Ratings, https://www.spglobal.com/ratings/en/regulatory/article/cyber-insurance-market-outlook-2026-resilient-earnings-tougher-competition-pockets-of-growth-s101658506; Lloyd’s state-backed exclusion, https://www.csoonline.com/article/573443/lloyd-s-of-london-to-exclude-state-backed-attacks-from-cyber-insurance-policies.html; Coalition 2026 Claims Report, https://www.coalitioninc.com/en-ca/claims-report/2026.