Man arrested in connection with cyber-attack on airports
bbc.com - Imran Rahman-Jones, Technology reporter, and Joe Tidy, Cyber correspondent, BBC World Service. A person has been arrested in connection with a cyber-attack which has caused days of disruption at several European airports including Heathrow. The National Crime Agency (NCA) said a man in his forties was arrested in West Sussex "as part of an investigation into a cyber incident impacting Collins Aerospace". There have been hundreds of flight delays after Collins Aerospace baggage and check-in software used by several airlines failed, with some boarding passengers using pen and paper. "Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing," said Paul Foster, head of the NCA's national cyber crime unit. The man was arrested on Tuesday evening on suspicion of Computer Misuse Act offences and has been released on bail. The BBC has seen an internal memo sent to airport staff at Heathrow about the difficulties software provider Collins Aerospace is having bringing their check-in software back online. The US company appears to be rebuilding the system again after trying to relaunch it on Monday. Collins Aerospace's parent company RTX Corporation told the BBC it appreciated the NCA's "ongoing assistance in this matter". The US firm has not put a timeline on when it will be ready and is urging ground handlers and airlines to plan for at least another week of using manual workarounds. At Heathrow, extra staff have been deployed in terminals to help passengers and check-in operators but flights are still experiencing delays. On Monday, the EU's cyber-security agency said ransomware had been deployed in the attack. Ransomware is often used to seriously disrupt victims' systems and a ransom is demanded in cryptocurrency to reverse the damage. These types of attacks are an issue for organisations around the country, with organised cyber-crime gangs earning hundreds of millions of pounds from ransoms every year.
Days of disruption
The attack against US software maker Collins Aerospace was discovered on Friday night and resulted in disruption across many European airports, including in Brussels, Dublin and Berlin. Flights were cancelled and delayed throughout the weekend, with some airports still experiencing effects of the delays into this week. "The vast majority of flights at Heathrow are operating as normal, but we encourage passengers to check the status of their flight before travelling to the airport," Heathrow Airport said in a statement on its website. Berlin Airport said on Wednesday morning "check-in and boarding are still largely manual", which would result in "longer processing times, delays, and cancellations by airlines". While Brussels Airport advised passengers to check in online before arriving at the airport. Cyber-attacks in the aviation sector have increased by 600% over the past year, according to a report by French aerospace company Thales.
·bbc.com·
Flight delays continue across Europe after weekend cyber-attack
The Guardian - Lauren Almeida, Mon 22 Sep 2025 13.19 CEST (first published Mon 22 Sep 2025 10.03 CEST). Software provider Collins Aerospace completing updates after Heathrow, Brussels and Berlin hit by problems. Passengers are facing another day of flight delays across Europe, as big airports continue to grapple with the aftermath of a cyber-attack on the company behind the software used for check-in and boarding. Several of the largest airports in Europe, including London Heathrow, have been trying to restore normal operations over the past few days after an attack on Friday disrupted automatic check-in and boarding software. The problem stemmed from Collins Aerospace, a software provider that works with several airlines across the world. The company, which is a subsidiary of the US aerospace and defence company RTX, said on Monday that it was working with four affected airports and airline customers, and was in the final stages of completing the updates needed to restore full functionality. The European Union Agency for Cybersecurity said on Monday that Collins had suffered a ransomware attack. This is a type of cyber-attack where hackers in effect lock up the target’s data and systems in an attempt to secure a ransom. Airports in Brussels, Dublin and Berlin have also experienced delays. While kiosks and bag-drop machines have been offline, airline staff have instead relied on manual processing. The government’s independent reviewer of terrorism legislation, Jonathan Hall KC, said it was possible state-sponsored hackers could be behind the attack. When asked if a state such as Russia could have been responsible, Hall told Times Radio “anything is possible”. 
He added that while people thought, “understandably, about states deciding to do things it is also possible for very, very powerful and sophisticated private entities to do things as well”. A spokesperson for Brussels airport said Collins Aerospace had not yet confirmed the system was secure again. On Monday, 40 of its 277 departing flights and 23 of its 277 arriving services were cancelled. A Heathrow spokesperson said the “vast majority of flights at Heathrow are operating as normal, although check-in and boarding for some flights may take slightly longer than usual”. They added: “This system is not owned or operated by Heathrow, so while we cannot resolve the IT issue directly, we are supporting airlines and have additional colleagues in the terminals to assist passengers.”
·theguardian.com·
Prefiguring Responsibility: The Pall Mall Process and Cyber Intrusion Capabilities – Andrew Dwyer
riscs.org.uk - Research Institute for Sociotechnical Cyber Security. Cyber intrusion capabilities—such as those used by penetration testers—are essential to enhancing our collective cyber security. However, there are various actors who build and use these capabilities to degrade and harm the digital security of human rights activists, journalists, and politicians. The diverse range of capabilities for cyber intrusion—identifying software vulnerabilities, crafting exploits, creating tools for users, selling and buying those capabilities, and offering services such as penetration testing—makes this a complex policy problem. The market includes those deemed ‘legitimate’ and ‘illegitimate’ by states and civil society, as well as those that exist in ‘grey’ areas between and within jurisdictions. The concern is that the commercial market for cyber intrusion capabilities is growing; as the range of actors involved expands, the potential harm from inappropriate use is increasing. It is in the context of this commercial market that the UK and France launched the Pall Mall Process in 2024 to tackle the proliferation and irresponsible use of commercial cyber intrusion capabilities (CCICs). With financial support from RISCS, I participated in the second conference of the Pall Mall Process in Paris in April 2025, having attended the inaugural conference in London in 2024. The conference strengthened my thinking and research regarding the political economies of cyber power. For the RISCS community, understanding how international fora shape social, technical, and organisational practice in a world where geopolitics is increasingly fraught and contested is essential—whether in the shaping of cyber security narratives, the building of technology ecosystems, or the addressing of harms perpetuated in the UK and beyond. Cyber diplomacy—of which the Pall Mall Process is part—is now decades in the making, with non-binding cyber norms beginning to emerge from various processes at the UN. 
The Pall Mall Process is but one of a burgeoning number internationally (see also a recent focus on new initiatives around ransomware), even as international agreement becomes trickier. Beginning with a look at the proliferation of CCICs through markets, I’ll consider the Pall Mall Process (‘the Process’) itself and how it is seeking to intervene, while reflecting on the shortcomings of the concept of ‘responsibility’ when it comes to coordinating international action against irresponsible use of cyber intrusion capabilities.
Proliferation and markets
CCICs have become a growing proliferation concern as they have become available to a wider number of actors. Most concern has centred on the role of surveillance and spyware tools (a focus of US initiatives), with popular public attention on the use of Pegasus software by the Israeli NSO Group against politicians, journalists, and activists. However, spyware is but one part of a broader ecology of ‘zero day’ vulnerabilities, processes, tools, and services that seek to both secure and exploit, with legitimate and illegitimate applications utilising similar technologies and techniques. The complexity of this ecology, alongside the fact that both desirable (e.g., targeting criminal actors) and undesirable (e.g., targeting human rights campaigners) activities are supported by CCICs, means that outright bans lack feasibility. Moreover, many states, particularly states of the global majority, do not have their own ‘in-house’ capabilities. As a result, CCICs are proliferating, which increases the risk that they will be exploited for undesirable activities—because some providers are willing to sell to both responsible actors and those who irresponsibly deploy their acquired capabilities. 
As James Shires observes in one of the most comprehensive assessments of the issue to date, the international approach to this problem is split between It is at this intersection that the Process seeks to intervene by acknowledging that proliferation will occur while seeking to impose upon the market both ‘hard’ obligations, such as export control frameworks, and ‘soft’ obligations, such as codes of practice (a code of practice for states was published during the second conference; one for industry may follow). However, the concept of responsibility pervasive within the CCICs discussion is informed by nuanced and contested notions of political economy that privilege western-centric views of democratic practice and strong state capability.
The Pall Mall Process
In June 2025, the UN adopted the final report of the Open-Ended Working Group on security of and in the use of information and communications technologies 2021-2025 (OEWG). This reaffirmed the applicability of international law on cyberspace and 11 previously agreed non-binding cyber norms, as well as establishing a future permanent Global Mechanism to continue international discussions. As Joe Devanny perceptively writes, as much as there was superlative praise for the OEWG, there has in fact been little substantive progress beyond simply ‘holding the line’ on past consensus that is challenged by states such as China and Russia (itself not an insignificant achievement in the current geopolitical environment). Yet, it seems, the global community are unlikely to move forward collectively. The Process then appears at a moment of increasing difficulty for international consensus. The Process is a much smaller grouping of states and international organisations, with 38 signatories to the initial declaration as of February 2025. Notable exclusions include Israel, which did not send delegates to the first conference, and several states that attended but did not sign. 
At the first conference in 2024, I had many conversations with state diplomats (some recognised as attending in public documentation, and others not) who were interested but could not sign, who did not have any expertise in CCICs, did not know of commercial operators on their territory, or who could not resolve civilian and military tensions over signing the declaration. The number of signatories reduced to 25 for the code of practice emerging from the second conference, which contained more detailed obligations for tackling CCICs. This demonstrates the difficulties states face not only in becoming public signatories to declarations but also in achieving internal agreement around committing to specific activities—challenges created by both the changing geopolitical climate and unresolved questions concerning what counts as ‘legitimate’ or ‘illegitimate’, or ‘desirable’ or ‘undesirable’, when it comes to CCIC use. One striking contention made at the Paris conference was that limiting the market could be interpreted as a form of colonial action taken by states with existing capability (e.g., the UK and France) against states that would rely on the commercial market to acquire such capability. There are excellent write-ups of the second conference that offer more detailed insight into the potential development of the process in the future (see, for example, Alexandra Paulus in Lawfare and Lena Riecke in Binding Hook). It is worth noting, however, that the states that signed are primarily those already aligned to the liberal rules-based international order, and predominantly European. There is, among these states, broad agreement on the political economies of responsibility built around rules-based orders and democratic practice. 
Perhaps this is the future of cyber diplomacy: limiting retrenchment from previous international consensus while advancing forward in smaller groupings in the hope that collective international agreements will be possible under different circumstances in the future. Essentially, this is all a lot of preparation work. Will such an approach genuinely resolve the issue of CCIC use and proliferation? I suggest that it is unlikely to do so in the short-to-medium term. I argue that the genie will be already out of the bottle by the time a plurality of states have agreed to the principles and codes of the Process.
Responsible Principles
The Process offers multiple principles that underpin a proposed way forward. These include four from the initial declaration—accountability, precision, oversight, and transparency—that inform the aforementioned code of practice for states. These principles are surprisingly similar to those that govern the UK’s National Cyber Force (NCF), which aims to be ‘accountable, precise, and calibrated’. (These, the NCF claims, are ‘the principles of a responsible cyber power’.) Although these principles are more operational in nature, the Process clearly attempts to draw together both policy and practice that might be considered ‘responsible’ when seeking to strike a balance between the counter-proliferation and market-driven perspectives with which it engages. As I have explored elsewhere (regarding the question of responsibility in UK cyber policy development), responsibility fits within the broader rubric of responsible state behaviour that is common within cyber diplomacy. Yet, it is at this precise moment that the political economies of responsibility are contested; responsibility simply no longer looks the same (if it ever did) from Moscow and Beijing as it does from Berlin and London. 
Indeed, as The Record reported, liberal sensibilities regarding responsibility were strongly challenged when one member of the US delegation, referring to CCIC developers, simply stated: ‘We’ll kill them.’ Cue astonishment from the other diplomats in the room—the common political economies of responsibility appeared, abruptly, to have been shattered. I’m sure that the delegations from the UK and France feared that this comment might overshadow the conference. In the end, it did not. But what it did show is that the issue of responsibility, as it infuses the Process, may pose problems for widening out state and industry partner involvement. This is not to say that the UK, France, or other ...
·riscs.org.uk·
Luxembourg probes reported attack on Huawei tech that caused nationwide telecoms outage | The Record from Recorded Future News
therecord.media (01.08.2025) - Authorities in Luxembourg said a nationwide telecommunications outage in July was caused by a deliberately disruptive cyberattack. Huawei networking products were reportedly the target. Luxembourg’s government announced on Thursday it was formally investigating a nationwide telecommunications outage caused last week by a cyberattack reportedly targeting Huawei equipment inside its national telecoms infrastructure. The outage on July 23 left the country’s 4G and 5G mobile networks unavailable for more than three hours. Officials are concerned that large parts of the population were unable to call the emergency services as the fallback 2G system became overloaded. Internet access and electronic banking services were also inaccessible. According to government statements issued to the country’s parliament, the attack was intentionally disruptive rather than an attempt to compromise the telecoms network that accidentally led to a system failure. Officials said the attackers exploited a vulnerability in a “standardised software component” used by POST Luxembourg, the state-owned enterprise that operates most of the country’s telecommunications infrastructure. The government’s national alert system, which officials had intended to use to warn the population about the incident, failed to reach many people because it also depends on POST’s mobile network. POST’s director-general described the attack itself as “exceptionally advanced and sophisticated,” but stressed it did not compromise or access internal systems and data. POST itself and the national CSIRT are currently forensically investigating the cause of the outage. Although the government’s statements avoid naming the affected supplier, Luxembourg magazine Paperjam reported the attack targeted software used in Huawei routers. Paperjam added that the country’s critical infrastructure regulator is currently asking any organisations using Huawei enterprise routers to contact the CSIRT. 
Remote denial-of-service vulnerabilities have previously been identified in the VRP network operating system used in Huawei’s enterprise networking products, although none have recently been publicly identified. Huawei’s press office did not respond to a request for comment. The Luxembourg government convened a special crisis cell within the High Commission for National Protection (HCPN) to handle the response to the incident and to investigate its causes and impacts, alongside the CSIRT and public prosecutor. The CSIRT’s full forensic investigation is intended to confirm how the attack happened, while the public prosecutor will assess whether a crime has taken place and if a perpetrator can be identified and prosecuted. The incident has also accelerated Luxembourg’s national resilience review, a process already underway before the attack. Authorities, concerned that a single point of failure had such a dramatic disruptive effect, are now reassessing the robustness of critical infrastructure, including fallback procedures for telecom and emergency services. Luxembourg is also exploring regulatory changes to allow mobile phones to automatically switch to other operators’ networks during telecom outages, a practice already used in countries like the United Kingdom, Germany and the United States for emergency calls.
·therecord.media·
St. Paul Hobbled by Cyberattack, Prompting National Guard Response
nytimes.com (29.07.2025) - Gov. Tim Walz of Minnesota activated the National Guard to help the city of St. Paul address a cyberattack that was detected last Friday. Gov. Tim Walz of Minnesota on Tuesday activated the state National Guard to help officials in St. Paul, the capital, respond to a complex cyberattack that was first detected on Friday. Mayor Melvin Carter of St. Paul said the city had shut down the bulk of its computer systems as a defensive measure as state and federal investigators tackled what he called “a deliberate, coordinated digital attack, carried out by a sophisticated external actor.” Mr. Carter said that the F.B.I. and several state agencies were helping assess who was behind the attack. He declined to say whether ransom had been demanded or whether there was any evidence suggesting a foreign government was behind the attack. City officials said they have yet to ascertain whether sensitive data had been stolen. Emergency services, including police response systems, were not crippled by the attack, the city said in a statement. The shutdown meant that city employees did not have access to the internet in municipal buildings, and that routine services such as library loans and online payment systems were inaccessible. Large and small cities across the United States, along with school systems and hospitals, have been targeted in cyberattacks in recent years. Such attacks are often carried out by individuals who compromise networks and encrypt data, then demand ransom payments in order to restore access. Attackers sometimes steal sensitive data — such as credit card information — that they can later sell online. St. Paul officials said they detected unusual activity on their network Friday morning and eventually realized the city’s networks had been breached. Deeming it a serious attack, they sought help from the governor and federal law enforcement agencies as well as cybersecurity companies. Mr. 
Walz issued an executive order on Tuesday directing the National Guard to assign military computer experts to assist officials in St. Paul. In the order, Mr. Walz said that “the scale and complexity of this incident exceeded both internal and commercial response capabilities.”
·nytimes.com·
Pro-Ukrainian hackers claim massive cyberattack on Russia's Aeroflot
reuters.com - Aeroflot cancels dozens of flights. Prosecutors say the airline was hacked. Two pro-Ukraine groups claim responsibility. Passengers vent fury, Kremlin calls situation 'alarming'. MOSCOW, July 28 (Reuters) - Russian airline Aeroflot (AFLT.MM) was forced to cancel more than 50 round-trip flights on Monday, disrupting travel across the world's biggest country, as two pro-Ukraine hacking groups claimed to have inflicted a crippling cyberattack. The Kremlin said the situation was worrying, and lawmakers described it as a wake-up call for Russia. Prosecutors confirmed the disruption at the national flag carrier was caused by a hack and opened a criminal investigation. Senior lawmaker Anton Gorelkin said Russia was under digital attack. "We must not forget that the war against our country is being waged on all fronts, including the digital one. And I do not rule out that the ‘hacktivists’ who claimed responsibility for the incident are in the service of unfriendly states," Gorelkin said in a statement. Another member of parliament, Anton Nemkin, said investigators must identify not only the attackers but "those who allowed systemic failures in protection". Aeroflot did not say how long the problems would take to resolve, but departure boards at Moscow's Sheremetyevo Airport turned red as flights were cancelled at a time when many Russians take their holidays. The company's shares were down by 3.9% by 1533 GMT, underperforming the wider market, which was 1.3% lower. 
A statement purporting to be from a hacking group called Silent Crow said it had carried out the operation together with Belarusian Cyberpartisans, a self-styled hacktivist group that opposes president Alexander Lukashenko and says it wants to liberate Belarus from dictatorship.
·reuters.com·
Wartime cyberattack wiped data from two major Iranian banks, expert says | Iran International
iranintl.com - A cyberattack during the 12-day Iran-Israel war destroyed banking data at major Iranian banks Sepah and Pasargad, halting services nationwide and triggering a high-stakes emergency response by an Iranian banking software firm, a senior engineer said. “Nothing was accessible. Nothing was visible,” wrote Hamidreza Amouzegar, deputy head of product development at the software firm Dotin, in a LinkedIn post recounting the June 17 breach. “We tried the backup site—same story there.” The internet banking, mobile banking, and ATMs of the two banks remained largely non-functional until recently. Dotin, a major provider of digital systems to Iranian banks, found itself at the center of the crisis. “Sepah Bank’s primary data center had gone dark, with monitoring dashboards frozen and all stored data apparently corrupted,” he added. When engineers attempted to switch over to the disaster recovery site, they found that it too had failed, with matching damage reported. “At that point, the priority was no longer identifying the culprit or mapping the technical details,” Amouzegar wrote. “It was about getting public banking services back online—fast.” To that end, he wrote, teams turned to Samsonite, a portable data center in a suitcase developed by Dotin following service disruptions in 2022. The system was designed to provide core banking functions—particularly card transactions—for short periods without reliance on the main network. Nobitex, Iran’s largest cryptocurrency exchange, had also confirmed cyberattacks against its systems during the war. The pro-Israel hacker group Predatory Sparrow, known for prior cyberattacks on Iran’s fuel infrastructure, claimed responsibility for "paralyzing" Sepah Bank and draining more than $90 million from Nobitex. Sepah Bank is responsible for processing the payments of military personnel. Pasargad Bank had already deployed Samsonite, allowing it to restore limited services by the early hours of June 19. 
Sepah, which had not yet installed the system, remained offline longer, Amouzegar added. Basic card functionality there was only restored by June 20 after a full system rebuild from partial offline backups, he wrote. “For a bank processing over a billion transactions monthly, losing just one day meant more than 30 million transactions vanished,” Amouzegar said. Sepah’s full recovery took until June 27, during which time Samsonite processed more than 60 million transactions. “The cyber war ended three days after the ceasefire,” he added. “But recovery will take months. What I’ve shared here is only a fragment of the story.”
·iranintl.com·
Russian vodka producer reports disruptions after ransomware attack | The Record from Recorded Future News
therecord.media - Novabev Group, the Russian maker of Beluga Vodka and other brands, had to stop shipments and temporarily close stores in its WineLab subsidiary after a ransomware attack. More than 2,000 WineLab liquor stores across Russia have remained shut for three days following a ransomware attack on their parent company, one of Russia’s largest alcohol producers. Signs on WineLab doors said the stores were closed due to “technical issues.” The attack crippled parts of the Novabev Group’s infrastructure, affecting WineLab’s point-of-sale systems and online services. The company confirmed that the attackers had demanded a ransom but said it refused to negotiate. “The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands,” Novabev Group said in a statement on Wednesday. There is no indication so far that customer data has been compromised, though an investigation is ongoing, the company added. The identity of the attackers remains unknown. No ransomware group has claimed responsibility for the incident, and Novabev has not publicly attributed the attack. Novabev Group is a major Russian producer and distributor of spirits, including the Beluga and Belenkaya vodka brands. The cyberattack has halted product shipments from Novabev for at least two days, according to local retailers quoted by Russian media outlet Vedomosti. Customers also reported being unable to pick up orders from retail locations or parcel lockers, with customer service offering to extend storage periods for online purchases. WineLab’s stores are currently closed in major cities, including Moscow, St. Petersburg and surrounding regions, according to location data from Yandex Maps. Novabev’s website and mobile app also remain offline. Forbes Russia estimated that each day of downtime could cost WineLab 200 million to 300 million rubles ($2.6 million to $3.8 million) in lost revenue. 
Cybersecurity experts interviewed by Forbes said they could not recall a comparable case in which a major Russian retail chain was forced to shut down entirely due to a cyberattack. Novabev said its internal IT team is working “around the clock” with external specialists to restore operations and strengthen defenses against future threats.
·therecord.media·
Air Serbia delays staff payslips due to ongoing cyberattack
theregister.com - Exclusive: Aviation insiders say Serbia's national airline, Air Serbia, was forced to delay issuing payslips to staff as a result of a cyberattack it is battling. Internal memos, seen by The Register, dated July 10 told staff: "Given the current situation and the ongoing cyberattacks, for security reasons, we will postpone the distribution of the June 2025 payslips. "The IT department is working to resolve the issue as a priority, and once the conditions allow, the payslips will be sent to your email addresses." Staff were reportedly paid their monthly salaries, but access to their payslip PDF was unavailable. HR warned staff earlier in the day against opening emails that appeared to be related to payslips, or those that mention the staff members' first and last names "as if you sent them to yourself." "We also kindly ask that you act responsibly given the current situation." According to other internal comms seen by The Register, Air Serbia's IT team began emailing staff warning them that it was facing a cyberattack on July 4. "Our company is currently facing cyberattacks, which may lead to temporary disruptions in business processes," they read. "We kindly ask all managers to promptly create a work plan adapted to the changed circumstances, in accordance with the Business Continuity Plan, and to communicate it to their teams as soon as possible." The same email communication chain mentioned the company's IT and security manager issuing a staff-wide password reset and installing security-scanning software on their machines on July 7. All service accounts were killed at this point, which affected several automated processes, and datacenters were added to a demilitarized zone, which led to issues with users not being able to sync their passwords. Additionally, internet access was removed for all endpoints, leaving only a certain few whitelisted pages under the airserbia.com domain available. 
IT also installed a new VPN client "due to identified security vulnerabilities." "We kindly ask you to take this situation seriously and fully cooperate with the IT team," the memo reads. "Please allow them to install the necessary software as efficiently as possible and carefully follow any further instructions they provide." Two days after this, another wave of password resets came, the source said. Instead of allowing users to choose their own, the replacements followed a template from the sysadmins. On July 11, IT issued a third wave of password resets, and staff were asked to leave their PCs locked but open before heading home for the weekend, so the IT team could continue working on them. A source familiar with the matter, who spoke to The Register on condition of anonymity, said Air Serbia is trying to clean up a cyberattack that led to a deep compromise of its Active Directory. As of July 14, the source claimed the airline's blue team has not fully eradicated the attackers' access to the company network and is not sure when the attackers broke in, due to a lack of security logs, although it is thought to be in the first few days of July. The attack at the company, which is government-owned, is likely to have led to personal data compromise, the insider suspects, and some staff expressed concern that the company might not publicly disclose the intrusion.
·theregister.com·
Ingram Micro outage caused by SafePay ransomware attack
An ongoing outage at IT giant Ingram Micro is caused by a SafePay ransomware attack that led to the shutdown of internal systems, BleepingComputer has learned. Update 7/6/25: Added Ingram Micro's confirmation it suffered a ransomware attack below. Also updated ransom note with clearer version. Ingram Micro is one of the world's largest business-to-business technology distributors and service providers, offering a range of solutions including hardware, software, cloud services, logistics, and training to resellers and managed service providers worldwide. Since Thursday, Ingram Micro's website and online ordering systems have been down, with the company not disclosing the cause of the issues. BleepingComputer has now learned that the outages are caused by a cyberattack that occurred early Thursday morning, with employees suddenly finding ransom notes created on their devices. The ransom note, seen by BleepingComputer, is associated with the SafePay ransomware operation, which has become one of the more active operations in 2025. It is unclear if devices were actually encrypted in the attack. It should be noted that while the ransom note claims to have stolen a wide variety of information, this is generic language used in all SafePay ransom notes and may not be true for the Ingram Micro attack.
·bleepingcomputer.com·
Johnson Controls starts notifying people affected by 2023 breach
Building automation giant Johnson Controls is notifying individuals whose data was stolen in a massive ransomware attack that impacted the company's operations worldwide in September 2023. Johnson Controls is a multinational conglomerate that develops and manufactures industrial control systems, security equipment, HVAC systems, and fire safety equipment for buildings. The company employs over 100,000 people through its corporate operations and subsidiaries across 150 countries, reporting sales of $27.4 billion in 2024. As BleepingComputer first reported, Johnson Controls was hit by a ransomware attack in September 2023, following a breach of the company's Asian offices in February 2023 and subsequent lateral movement through its network. "Based on our investigation, we determined that an unauthorized actor accessed certain Johnson Controls systems from February 1, 2023 to September 30, 2023 and took information from those systems," the company says in data breach notification letters filed with California's Attorney General, redacted to conceal what information was stolen in the attack. "After becoming aware of the incident, we terminated the unauthorized actor's access to the affected systems. In addition, we engaged third-party cybersecurity specialists to further investigate and resolve the incident. We also notified law enforcement and publicly disclosed the incident in filings on September 27, 2023; November 13, 2023; and December 14, 2023."
·bleepingcomputer.com·
Cyberattack on Brazil tech provider affects reserve accounts of some financial institutions
BRASILIA, July 2 (Reuters) - Brazil's central bank said on Wednesday that technology services provider C&M Software, which serves financial institutions lacking connectivity infrastructure, had reported a cyberattack on its systems. The bank did not provide further details of the attack, but said in a statement that it ordered C&M to shut down financial institutions' access to the infrastructure it operates. C&M Software commercial director Kamal Zogheib said the company was a direct victim of the cyberattack, which involved the fraudulent use of client credentials in an attempt to access its systems and services. C&M said critical systems remain intact and fully operational, adding that all security protocol measures had been implemented. The company is cooperating with the central bank and the Sao Paulo state police in the ongoing investigation, added Zogheib. Brazilian financial institution BMP told Reuters that it and five other institutions experienced unauthorized access to their reserve accounts during the attack, which took place on Monday. BMP said the affected accounts are held directly at the central bank and used exclusively for interbank settlement, with no impact on client accounts or internal balances.
·reuters.com·
Norwegian Dam Valve Forced Open for Hours in Cyberattack
Unidentified hackers breached a Norwegian dam's control system in April, opening its valve for hours due to a weak password. In a concerning incident this April, unidentified hackers managed to breach the control systems of a Norwegian dam. Reportedly, hackers breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected. According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second. The incident was discovered on April 7 by the dam’s owner, Breivika Eiendom. Norwegian authorities, including NSM (National Security Authority), NVE (Norwegian Water Resources and Energy Directorate), and Kripos (a special agency of the Norwegian Police Service), were alerted on April 10, and an investigation is now underway. Officials suspect the breach occurred because the valve’s web-accessible control panel was protected by a weak password. Breivika technical manager Bjarte Steinhovden speculated this was the likely vulnerability. The initial point of entry allowed attackers to bypass authentication controls and gain direct access to the operational technology (OT) environment.
·hackread.com·
Hawaiian Airlines discloses cyberattack, flights not affected
Hawaiian Airlines, the tenth-largest commercial airline in the United States, is investigating a cyberattack that has disrupted access to some of its systems. With over 7,000 employees, 235 average daily flights, and a fleet of over 60 airplanes, Hawaiian Airlines connects Hawai'i with 15 U.S. mainland cities and 10 other destinations across Asia and the Pacific. The airline said in a statement issued on Thursday morning that the incident didn't affect flight safety and that it has already contacted relevant authorities to assist in investigating the attack. Hawaiian Airlines also hired external cybersecurity experts to assess the attack's impact and help restore affected systems. "Hawaiian Airlines is addressing a cybersecurity event that has affected some of our IT systems. Our highest priority is the safety and security of our guests and employees. We have taken steps to safeguard our operations, and our flights are operating safely and as scheduled," the airline said. "Upon learning of this incident, we engaged the appropriate authorities and experts to assist in our investigation and remediation efforts. We are currently working toward an orderly restoration and will provide updates as more information is available." A banner on the airline's website notes that the incident hasn't impacted flights in any way and that travel hasn't been affected. The same alert is also displayed on the Alaska Airlines website, which is owned by Alaska Air Group, a company that acquired Hawaiian Airlines last year.
·bleepingcomputer.com·
170 patients harmed as a result of cyber attack
More than 10,000 appointments were cancelled at the two London NHS trusts that were worst affected. Around 170 patients have suffered harm as a result of a cyber attack on blood services at London hospitals and GP surgeries, reports suggest. Pathology services provider Synnovis was the victim of a ransomware attack by a Russian cyber gang in June last year. As a result more than 10,000 appointments were cancelled at the two London NHS trusts that were worst affected. And a significant number of GP practices in London were unable to order blood tests for their patients. Now the Health Service Journal (HSJ) has reported that there were nearly 600 “incidents” linked to the attack, with patient care suffering in 170 of these.
·independent.co.uk·
India's TCS says none of its systems were compromised in M&S hack | Reuters
June 19 (Reuters) - Tata Consultancy Services (TCS.NS) said none of its "systems or users were compromised" as part of the cyberattack that led to the theft of customer data at retailer Marks and Spencer (MKS.L), its client of more than a decade. "As no TCS systems or users were compromised, none of our other customers are impacted" independent director Keki Mistry told its annual shareholder meeting. "The purview of the investigation (of customer) does not include TCS," Mistry added. This is the first time India's No 1 IT services company has publicly commented on the cyber hack. M&S did not immediately respond to a request for comment. TCS is one of the technology services providers for the British retailer. In early 2023, TCS reportedly won a $1 billion contract for modernising M&S' legacy technology with respect to its supply chain and omni-channel sales while increasing its online sales. The "highly sophisticated and targeted" cyberattack which M&S disclosed in April will cost about 300 million pounds ($403 million) in lost operating profit, and disruption to online services is likely until July. Last month, Financial Times reported that TCS is internally investigating whether it was the gateway for a cyberattack. Mistry presided as the chairman at the company's annual shareholder meeting as Tata Group Chairman N Chandrasekaran skipped it due to "exigencies". The chairman's absence comes as the Group's airline Air India plane with 242 people on board crashed after take-off in Ahmedabad last week, killing all passengers except one. Reporting by Sai Ishwarbharath B and Haripriya Suresh, Editing by Louise Heavens
·reuters.com·
Major food wholesaler says cyberattack impacting distribution systems
One of the largest food distributors in the U.S. reported a cyberattack to regulators on Monday, explaining that the incident has disrupted its operations and ability to fulfil customer orders. United Natural Foods released a public statement and filed documents with the U.S. Securities and Exchange Commission (SEC) saying the cyberattack began on June 5. The statement said the Rhode Island-based company identified unauthorized activity on its systems on Thursday, prompting officials to take systems offline. The action “has temporarily impacted the Company’s ability to fulfill and distribute customer orders.” “The incident has caused, and is expected to continue to cause, temporary disruptions to the Company’s business operations,” United Natural Foods said. “The Company has implemented workarounds for certain operations in order to continue servicing its customers where possible. The Company is continuing to work to restore its systems to safely bring them back online.” Law enforcement has been notified and the company said it has hired a cybersecurity firm to remediate the incident. The investigation into the attack “remains ongoing and is in its early stages.” The press statement published on Monday said the company is working closely with “customers, suppliers, and associates” to minimize the disruption. The company did not respond to requests for comment. United Natural Foods is the main supplier for Whole Foods and is considered the largest health and specialty food distributor in the United States and Canada. The company reported $8.2 billion in net sales last quarter.
·therecord.media·
Algerian ‘Jabaroot’ Group Behind CNSS Breach Attacks Moroccan Property Registry
The Moroccan National Agency for Land Conservation, Cadastre and Cartography (ANCFCC) has become the latest victim of a major cyberattack claimed by “Jabaroot,” the same hacker group behind April’s CNSS breach. The group, which identifies itself as Algerian, announced the attack on Monday, allegedly resulting in the theft and subsequent leak of thousands of sensitive property documents. According to claims the group made on their Telegram channel, the hackers have exfiltrated and released what they describe as “a massive amount of sensitive data” from ANCFCC’s databases. The leaked information reportedly includes 10,000 property ownership certificates out of a total database of more than 10 million land titles. The compromised data allegedly contains cadastral information, property owner identities, real estate references, and various personal and administrative documents.
·moroccoworldnews.com·
ConnectWise Confirms ScreenConnect Cyberattack, Says Systems Now Secure: Exclusive
ConnectWise did not disclose information about when the data breach occurred, as well as the number of MSPs or end users impacted by the breach. ‘ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,’ ConnectWise said in a statement. ConnectWise has confirmed it suffered a recent cyberattack that led to unauthorized access of its ScreenConnect cloud infrastructure. “ConnectWise recently learned of suspicious activity within our environment that we believe was tied to a sophisticated nation state actor, which affected a very small number of ScreenConnect customers,” the Tampa, Fla.-based vendor said in a statement. “We have launched an investigation with one of the leading forensic experts, Mandiant. We have communicated with all affected customers and are coordinating with law enforcement. As part of our work with Mandiant, we patched ScreenConnect and implemented enhanced monitoring and hardening measures across our environment. We have not observed any further suspicious activity in any customer instances. The security of our services is paramount to us, and we are closely monitoring the situation and will share additional information as we are able.” No further signs of malicious activity have been detected since the update was applied, a source familiar with the situation, who asked for anonymity, told CRN.
·crn.com·
Arla Foods confirms cyberattack disrupts production, causes delays
Arla Foods has confirmed to BleepingComputer that it was targeted by a cyberattack that has disrupted its production operations. The Danish food giant clarified that the attack only affected its production unit in Upahl, Germany, though it expects this will result in product delivery delays or even cancellations. "We can confirm that we have identified suspicious activity at our dairy site in Upahl that impacted the local IT network," stated an Arla spokesperson. "Due to the safety measures initiated as a result of the incident, production was temporarily affected." Arla Foods is an international dairy producer and a farmer-owned cooperative with 7,600 members. It employs 23,000 people in 39 countries. The firm has an annual revenue of €13.8 billion ($15.5 billion), and its products, including the brands Arla, Lurpak, Puck, Castello, and Starbucks, are sold in 140 countries worldwide. The company told BleepingComputer that it is currently working to resume operations at the impacted facility, which should bring results before the end of the week. "Since then, we've been working diligently to restore full operations. We expect to return to normal operations at the site in the next few days. Production at other Arla sites is not affected." Considering that the first reports about a disruption at Arla's production operations surfaced on Friday, it is bound to cause shortages in some cases. "We have informed our affected customers about possible delivery delays and cancellations," explained Arla's spokesperson. BleepingComputer has asked the firm if the attack involved data theft or encryption, both staples of a ransomware attack, but Arla declined to share any additional information at this time. Meanwhile, there have been no announcements about Arla on ransomware extortion portals, so the type of attack and the perpetrators remain unknown.
·bleepingcomputer.com·
A Letter From Our CEO
Dear Friends, Neighbors, and Valued Cellcom/Nsight Customers, Over the past five days, many of you have been impacted by a service disruption — and I want to begin by saying something simple, and deeply meant: I’m here. While I’ve been closely involved from the very beginning, this is the first time I’m writing to you directly. That wasn’t because I didn’t want to — it was because I truly believed we’d be past this quickly. I stayed focused on the fix, confident that we’d be able to restore service fast. We’ve always believed in being present, open, and accountable to the people we serve. That’s what this letter is about. We experienced a cyber incident. While this is unfortunate, it’s not something we were unprepared for. We have protocols and plans in place for exactly this kind of situation. From the start, we’ve followed those plans — including engaging outside cybersecurity experts, notifying the FBI and Wisconsin officials, and working around the clock to bring systems safely back online. The incident was concentrated on an area of our network separate from where we store sensitive information related to you, our Cellcom/Nsight family. We have no evidence that personal information related to you, your name, your addresses, your financial information, is impacted by this event. Thanks to an incredible amount of hard work and tenacity, we achieved a major milestone last night. We are building on that success and expect to have the rest of service restored this week. Every part of this recovery is being handled with care and precision — we will not rush anything that compromises safety, security or trust. For 115 years, as a company that began as a local telephone provider, we've understood that connection is everything. Generations of my family have had the privilege of serving generations of yours. We've grown and changed with the times, but our purpose has always remained the same: helping you stay connected to what matters most. 
We know this disruption has caused frustration and, for some, real hardship — and for that, I am truly sorry. In the midst of it all, I’ve witnessed what makes this company special. Across the organization, people put mission ahead of role, put pride aside, and put the community first. We saw teams find creative solutions, take personal initiative, and step outside the bounds of job descriptions to make things right. That spirit — of care, urgency and accountability — has defined our response and will continue to shape our path forward. To our employees — thank you. Your heart and grit during these trying days make me proud beyond words. To our customers — thank you. Your patience, understanding and kindness mean the world to us. We’ve felt your support every step of the way, and we don’t take it for granted. We know that gratitude alone isn’t enough — we’re taking responsibility. We’re covering the time you were without service, and then some. Please know that we hear you, we appreciate you, and you have the very best team in the world on the case. I know we will be a better and stronger Cellcom/Nsight for this experience. Warmly, Brighid Riordan
·cellcom.com·
Protecting Our Customers - Standing Up to Extortionists
Cyber criminals bribed and recruited a group of rogue overseas support agents to steal Coinbase customer data to facilitate social engineering attacks. These insiders abused their access to customer support systems to steal the account data for a small subset of customers. No passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched. We will reimburse customers who were tricked into sending funds to the attacker. We’re cooperating closely with law enforcement to pursue the harshest penalties possible and will not pay the $20 million ransom demand we received. Instead we are establishing a $20 million reward fund for information leading to the arrest and conviction of the criminals responsible for this attack.
What happened
Criminals targeted our customer support agents overseas. They used cash offers to convince a small group of insiders to copy data in our customer support tools for less than 1% of Coinbase monthly transacting users. Their aim was to gather a customer list they could contact while pretending to be Coinbase—tricking people into handing over their crypto. They then tried to extort Coinbase for $20 million to cover this up. We said no.
What they got
- Name, address, phone, and email
- Masked Social Security (last 4 digits only)
- Masked bank‑account numbers and some bank account identifiers
- Government‑ID images (e.g., driver’s license, passport)
- Account data (balance snapshots and transaction history)
- Limited corporate data (including documents, training material, and communications available to support agents)
·coinbase.com·
Hitachi Vantara takes servers offline after Akira ransomware attack
Hitachi Vantara, a subsidiary of Japanese multinational conglomerate Hitachi, was forced to take servers offline over the weekend to contain an Akira ransomware attack. The company provides data storage, infrastructure systems, cloud management, and ransomware recovery services to government entities and some of the world's biggest brands, including BMW, Telefónica, T-Mobile, and China Telecom. In a statement shared with BleepingComputer, Hitachi Vantara confirmed the ransomware attack, saying it hired external cybersecurity experts to investigate the incident's impact and is now working on getting all affected systems online. "On April 26, 2025, Hitachi Vantara experienced a ransomware incident that has resulted in a disruption to some of our systems," Hitachi Vantara told BleepingComputer. "Upon detecting suspicious activity, we immediately launched our incident response protocols and engaged third-party subject matter experts to support our investigation and remediation process. Additionally, we proactively took our servers offline in order to contain the incident. "We are working as quickly as possible with our third-party subject matter experts to remediate this incident, continue to support our customers, and bring our systems back online in a secure manner. We thank our customers and partners for their patience and flexibility during this time."
·bleepingcomputer.com·
Emera and Nova Scotia Power Responding to Cybersecurity Incident
April 28, 2025 HALIFAX, Nova Scotia--(BUSINESS WIRE)-- Emera Inc. and Nova Scotia Power today announced, on April 25, 2025 they discovered and are actively responding to a cybersecurity incident involving unauthorized access into certain parts of its Canadian network and servers supporting portions of its business applications. Immediately following detection of the external threat, the companies activated their incident response and business continuity protocols, engaged leading third-party cybersecurity experts, and took actions to contain and isolate the affected servers and prevent further intrusion. Law enforcement officials have been notified. There remains no disruption to any of our Canadian physical operations including at Nova Scotia Power’s generation, transmission and distribution facilities, the Maritime Link or the Brunswick Pipeline, and the incident has not impacted the utility’s ability to safely and reliably serve customers in Nova Scotia. There has been no impact to Emera’s U.S. or Caribbean utilities. Emera will release its Q1 Financial Statements and Management Disclosure and Analysis on May 8, 2025, as planned. At this time, the incident is not expected to have a material impact on the financial performance of the business. Our IT team is working diligently with cyber security experts to bring the affected portions of our IT system back online.
·investors.emera.com·
Some M&S stores left with empty shelves after cyber attack
Some Marks & Spencer (M&S) stores have been left with empty food shelves as the retailer continues to struggle with a cyber attack affecting its operations. Online orders have been paused on the company's website and app since Friday, following problems with contactless pay and Click & collect over the Easter weekend. The BBC understands food availability should be back to normal by the end of the week. Meanwhile, security experts say a cyber crime group calling itself DragonForce is behind the mayhem.
·bbc.co.uk·
DOGE as a National Cyberattack
In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history—not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the implications for national security are profound. First, it was reported that people associated with the newly created Department of Government Efficiency (DOGE) had accessed the US Treasury computer system, giving them the ability to collect data on and potentially control the department’s roughly ...
·schneier.com·
South Africa’s government-run weather service knocked offline by cyberattack | The Record from Recorded Future News
A cyberattack has forced the government-run South African Weather Service (SAWS) offline, limiting access to a critical service used by the country’s airlines, farmers and allies. The website for SAWS has been down since Sunday evening, according to a statement posted to social media. SAWS has had to use Facebook, X and other sites to share daily information on thunderstorms, wildfires and other weather events.
·therecord.media·