Threat intelligence briefings and analysis for business and security leaders.https://adversarywire.com/https://adversarywire.com/commentary/china-orb-networks-defender-blind-spot/https://adversarywire.com/commentary/china-orb-networks-defender-blind-spot/A joint advisory from CISA, NCSC, and ten allied nations describes how China-linked threat actors have abandoned dedicated attack infrastructure in favour of networks of compromised home routers and IoT devices. The implication for defenders is worse than it sounds.Thu, 21 May 2026 00:00:00 GMTcommentarycritical-infrastructure,communications,ot-icsChinaVolt TyphoonFlax TyphoonORB networksSOHO routerspre-positioningnetwork securityFive Eyesthreat intelligencehttps://adversarywire.com/briefings/cisa-ics-rce-ruggedcom-scadabr-may-2026/https://adversarywire.com/briefings/cisa-ics-rce-ruggedcom-scadabr-may-2026/CISA's May 19 ICS advisories flag unauthenticated root-level code execution in Siemens RUGGEDCOM APE1808 and ScadaBR SCADA software. Neither has a patch. The ScadaBR vendor has not responded to CISA.Thu, 21 May 2026 00:00:00 GMTflash-briefingcriticalot-ics,critical-infrastructureSiemensRUGGEDCOMScadaBRRCEICSSCADACVE-2026-0300unpatchedOTCISAhttps://adversarywire.com/briefings/volt-typhoon-uk-utilities-briefing/https://adversarywire.com/briefings/volt-typhoon-uk-utilities-briefing/NCSC and Five Eyes partners have confirmed Volt Typhoon intrusions at operational technology networks in UK water treatment and regional energy distribution. The group is not causing disruption — it is waiting.Tue, 19 May 2026 00:00:00 GMTflash-briefingVolt Typhooncriticalot-ics,critical-infrastructureVolt TyphoonChinaOTICSNCSCpre-positioningwaterenergyhttps://adversarywire.com/analysis/volt-typhoon-deep-dive/https://adversarywire.com/analysis/volt-typhoon-deep-dive/A deep analysis of Volt Typhoon's objectives, methods, and targets — and what the sustained Chinese pre-positioning campaign in Western CNI means for how operators, regulators, and governments need to respond.Sun, 17 May 2026 00:00:00 GMTdeep-diveVolt Typhooncriticalot-ics,critical-infrastructure,communications,transportVolt TyphoonChinaOTICSLOTLCNIpre-positioningCISANCSChttps://adversarywire.com/briefings/nhs-ransomware-wave-briefing/https://adversarywire.com/briefings/nhs-ransomware-wave-briefing/A cluster of ransomware affiliates, several previously linked to ALPHV/BlackCat, has targeted three NHS trusts in the past six weeks. Attackers are exploiting legacy VPN appliances and unpatched remote access infrastructure.Thu, 14 May 2026 00:00:00 GMTflash-briefingRansomHub affiliateshighhealthcareransomwareNHShealthcareRaaSALPHVRansomHubVPNhttps://adversarywire.com/commentary/ransomware-ecosystem-commentary/https://adversarywire.com/commentary/ransomware-ecosystem-commentary/The ransomware-as-a-service model has created a resilient criminal infrastructure that survives law enforcement actions, FBI seizures, and individual prosecutions. Understanding why is the first step to defending against it.Tue, 12 May 2026 00:00:00 GMTcommentaryransomwareRaaSALPHVLockBitRansomHubcybercrimecriminal ecosystemhttps://adversarywire.com/analysis/salt-typhoon-deep-dive/https://adversarywire.com/analysis/salt-typhoon-deep-dive/The Salt Typhoon campaign against US and European telecommunications carriers was not a data breach in any conventional sense. It was a strategic intelligence operation targeting the systems governments use to conduct lawful surveillance.Sun, 10 May 2026 00:00:00 GMTdeep-diveSalt TyphooncriticalcommunicationsSalt TyphoonChinatelecomsCALEAlawful interceptespionageAT&TVerizonGhostEmperorhttps://adversarywire.com/briefings/fin7-financial-services-briefing/https://adversarywire.com/briefings/fin7-financial-services-briefing/The FIN7 group has refreshed its phishing infrastructure and is deploying a new loader variant against mid-tier UK and European financial institutions. Targets include wealth managers, brokers, and payment processors.Fri, 08 May 2026 00:00:00 GMTflash-briefingFIN7highfinanceFIN7phishingfinancial servicesmalwareloaderCarbon Spiderhttps://adversarywire.com/briefings/salt-typhoon-telecoms-briefing/https://adversarywire.com/briefings/salt-typhoon-telecoms-briefing/Fourteen months after the US disclosed Salt Typhoon's compromise of major American carriers, intelligence assessments confirm the same group retains access inside at least two major European telecommunications networks.Tue, 05 May 2026 00:00:00 GMTflash-briefingSalt TyphooncriticalcommunicationsSalt TyphoonChinatelecomsCALEAlawful interceptespionageGhostEmperorhttps://adversarywire.com/commentary/ot-ics-boardroom-blind-spot/https://adversarywire.com/commentary/ot-ics-boardroom-blind-spot/Most boards have a reasonable grasp of IT cyber risk. Almost none have adequate visibility into the operational technology that runs their industrial processes, utilities, and physical infrastructure. This gap is exactly what state actors are exploiting.Fri, 01 May 2026 00:00:00 GMTcommentaryot-ics,critical-infrastructureOTICSSCADAboardroomriskair gapPurdue modelhttps://adversarywire.com/briefings/clop-transport-logistics-briefing/https://adversarywire.com/briefings/clop-transport-logistics-briefing/The Cl0p ransomware group is mass-exploiting a newly disclosed vulnerability in a widely used managed file transfer platform. Several European freight and logistics operators have been impacted, with customs and supply chain data exfiltrated.Wed, 29 Apr 2026 00:00:00 GMTflash-briefingCl0phightransportCl0pransomwaretransportlogisticsMFTsupply chainfile transferhttps://adversarywire.com/analysis/scattered-spider-deep-dive/https://adversarywire.com/analysis/scattered-spider-deep-dive/The group behind the MGM Resorts and Caesars Entertainment attacks isn't a nation-state operation or a seasoned criminal enterprise. They're young, English-speaking, and they're better at manipulating people than most security teams are at stopping them.Tue, 28 Apr 2026 00:00:00 GMTdeep-diveScattered Spiderhighfinance,communicationsScattered Spidersocial engineeringvishingMFA fatigueSIM swappingMGMCaesarsidentityhttps://adversarywire.com/commentary/nation-state-threats-business-leaders/https://adversarywire.com/commentary/nation-state-threats-business-leaders/Most executives conflate nation-state cyber activity with the ransomware threat they're more familiar with. They are different in purpose, method, and the defences required. Getting this wrong shapes your entire risk posture.Wed, 22 Apr 2026 00:00:00 GMTcommentarycritical-infrastructure,finance,communicationsnation-stateAPTespionageChinaRussiaIranthreat intelligencehttps://adversarywire.com/commentary/true-cost-cni-attack/https://adversarywire.com/commentary/true-cost-cni-attack/When a critical infrastructure operator is hit, the ransom payment is usually the smallest line on the eventual damage assessment. The true costs — operational, regulatory, reputational, and systemic — are far larger and far longer-lasting.Wed, 15 Apr 2026 00:00:00 GMTcommentarycritical-infrastructure,ot-ics,transport,healthcareransomwarecostColonial PipelineNotPetyaincident responseregulatorybusiness continuity