Latest Cybersecurity News
European Space Agency Confirms Breach of External Servers
The European Space Agency (ESA) has confirmed that external servers outside its corporate network were compromised, after a threat actor on BreachForums claimed to have held access for roughly a week and posted screenshots of JIRA and Bitbucket environments, alleging the theft of more than 200 GB of data including private repositories.
Incident Details
The compromised servers sit outside ESA's primary corporate network, which limits the confirmed scope to external-facing development systems. The attacker's evidence consisted of screenshots of JIRA (issue tracking) and Bitbucket (source code hosting). Issue trackers and repositories routinely hold more than code: configuration files, build settings, tokens and hard-coded credentials frequently end up committed, so a compromise of either can expose secrets that reach well beyond the hosts themselves. The 200 GB figure comes from the attacker, not from ESA.
Technical Analysis
ESA has not disclosed the initial access vector, so what follows is inference, not findings. The usual routes into self-hosted Atlassian products are unpatched instances, weak or single-factor authentication, and administrative interfaces reachable from the internet. One correction to a claim that circulates in this context: CVE-2023-22515 is a broken access control flaw in Confluence Data Center and Server that lets an unauthenticated attacker create administrator accounts; it does not affect JIRA or Bitbucket, and nothing ties any specific CVE to this incident. A dwell time of about a week and a claimed 200 GB transfer would be consistent with bulk cloning of repositories, whether with git itself or a sync tool such as Rclone over HTTPS, which looks like ordinary developer traffic unless repository access is baselined per account. Private repositories for space missions plausibly hold flight and ground software, telemetry tooling, configuration and API keys, which is why the exposure claim matters beyond the source code.
Historical Context and Implications
This follows the 2024 compromise of ESA's web shop, where a malicious JavaScript skimmer harvested payment card data. Two incidents in roughly a year point to weaknesses in ESA's internet-facing, non-core systems rather than in the networks that handle classified satellite data. The mitigations are the standard ones for development infrastructure: keep Atlassian products patched and behind single sign-on with MFA, never expose their admin interfaces directly, keep them segmented from the corporate network (as ESA apparently did), scan repositories for committed secrets, and alert on anomalous repository access such as one account cloning many repositories in a short window or pulling far more data than it normally does.
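The last recommendation above is the kind of detection that would have surfaced a week-long bulk pull. The following is an added example written for this article, not ESA's tooling and not Atlassian code: it parses a constructed, simplified access log (the real Bitbucket access log format differs) and flags any account whose clone activity inside a 15-minute window touches five or more distinct repositories or moves more than 200 MB. All usernames, IPs, repository names and thresholds are made up for the example.

```python
"""Flag bulk repository cloning in Bitbucket-style access logs.

Added example; not ESA's tooling and not Atlassian code. The log format is a
constructed simplification: one event per line,
  <ISO timestamp> | <user> | <client ip> | <action> | <repo> | <bytes>
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)       # look-back window per event
REPO_THRESHOLD = 5                   # distinct repos cloned inside WINDOW
BYTES_THRESHOLD = 200_000_000        # bytes pulled inside WINDOW

# Constructed sample: dev_alice is a normal developer, svc_build a CI account,
# jdoe pulls six repositories from an external address late at night.
SAMPLE_LOG = """\
2025-12-20T08:01:10Z | dev_alice | 10.1.4.22    | clone | mission/telemetry | 52000000
2025-12-20T08:05:44Z | dev_alice | 10.1.4.22    | push  | mission/telemetry | 120000
2025-12-20T09:00:00Z | svc_build | 10.1.9.5     | clone | mission/telemetry | 52000000
2025-12-20T09:00:30Z | svc_build | 10.1.9.5     | clone | mission/gcs       | 31000000
2025-12-20T22:14:02Z | jdoe      | 203.0.113.10 | clone | mission/telemetry | 52000000
2025-12-20T22:14:40Z | jdoe      | 203.0.113.10 | clone | mission/gcs       | 31000000
2025-12-20T22:15:05Z | jdoe      | 203.0.113.10 | clone | mission/flight-sw | 88000000
2025-12-20T22:15:50Z | jdoe      | 203.0.113.10 | clone | mission/sim       | 47000000
2025-12-20T22:16:30Z | jdoe      | 203.0.113.10 | clone | infra/ansible     | 9000000
2025-12-20T22:17:12Z | jdoe      | 203.0.113.10 | clone | infra/secrets     | 300000
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, repo, nbytes = [f.strip() for f in line.split("|")]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "action": action,
            "repo": repo, "bytes": int(nbytes),
        })
    return events


def find_bulk_clones(events, window=WINDOW, repo_threshold=REPO_THRESHOLD,
                     bytes_threshold=BYTES_THRESHOLD):
    """Return {user: finding} for users whose clone events inside any single
    window touch >= repo_threshold distinct repos or move >= bytes_threshold
    bytes. Pushes and other actions are ignored. For each user the window
    with the most distinct repositories is kept."""
    clones = defaultdict(list)
    for e in events:
        if e["action"] == "clone":
            clones[e["user"]].append(e)
    findings = {}
    for user, evs in clones.items():
        evs.sort(key=lambda e: e["ts"])
        for i, end in enumerate(evs):
            win = [e for e in evs[: i + 1] if e["ts"] >= end["ts"] - window]
            repos = {e["repo"] for e in win}
            total = sum(e["bytes"] for e in win)
            if len(repos) < repo_threshold and total < bytes_threshold:
                continue
            prev = findings.get(user)
            if prev is None or len(repos) > prev["distinct_repos"]:
                findings[user] = {
                    "ip": end["ip"], "distinct_repos": len(repos),
                    "bytes": total, "first": win[0]["ts"], "last": end["ts"],
                }
    return findings


if __name__ == "__main__":
    for user, f in find_bulk_clones(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user} from {f['ip']}: {f['distinct_repos']} repos, "
              f"{f['bytes'] / 1e6:.0f} MB between {f['first']:%H:%M:%S} "
              f"and {f['last']:%H:%M:%S}")
```

The CI account in the sample also clones several repositories but stays under both thresholds; in practice build accounts need their own baseline, and a source address outside the corporate ranges (as with `jdoe`) is worth a separate, lower threshold.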
Former Incident Response Staff Plead Guilty to BlackCat Ransomware Attacks
Two former employees of the cybersecurity firms Sygnia and DigitalMint have pleaded guilty to taking part in BlackCat (ALPHV) ransomware attacks on US organizations in 2023. Each faces up to 20 years in prison, with sentencing scheduled for March 2026.
Background on Accused
Ryan Clifford Goldberg, a former incident response manager at Sygnia, and Kevin Tyler Martin, a former ransomware negotiator at DigitalMint, operated as BlackCat affiliates together with a third, unnamed accomplice. Between May and November 2023 they targeted organizations in the pharmaceutical, engineering, healthcare and drone manufacturing sectors, demanding ransoms of $300,000 to $10 million; at least $1.27 million was paid. Their day jobs gave them an unusually detailed view of how victims detect, contain and negotiate their way out of exactly this kind of attack.
Technical Tactics Employed
BlackCat's locker is written in Rust and has been observed using defense-evasion techniques such as process hollowing and unhooking of EDR user-mode hooks. The public record in this case does not detail the intrusion chain; the suggestion that the pair supplied reconnaissance on victim defenses and that initial access came through exposed or misconfigured RDP or phishing with Cobalt Strike beacons matches common affiliate tradecraft but is not confirmed. Affiliate playbooks typically pair credential dumping (Mimikatz is the usual tool) with lateral movement over SMB and WinRM before the locker is deployed; the locker encrypts file contents with a symmetric cipher (AES or ChaCha20, selected by configuration) and wraps the per-file keys with an RSA public key, so nothing on the victim's disk is enough to recover them. Victim negotiations ran through Tor-hosted affiliate portals.
Insider Threat Ramifications
The case is a reminder that the people who best understand how incident response and negotiation work are also best placed to abuse that knowledge. Firms that hold response playbooks and victim intelligence should apply least privilege to case data, log and review who reads it, and alert on out-of-pattern behaviour such as bulk exports of case files, dark web monitoring queries against organizations that are not current clients, or an employee's credentials appearing in remote logons they have no business making.
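The lateral movement described under Technical Tactics Employed leaves a clear footprint in Windows Security logs: one account authenticating to many hosts from one source in a short window. The following is an added example written for this article, not code from the case or from any vendor: it runs a fan-out check over constructed event ID 4624 records (fields TimeCreated, TargetHost, TargetUserName, LogonType, IpAddress), ignores allow-listed scanner and backup accounts that legitimately touch many hosts, and reports any (account, source IP) pair that reaches five or more distinct hosts within 15 minutes. Hostnames, account names, addresses and thresholds are made up.

```python
"""Detect account fan-out across hosts from Windows Security 4624 events.

Added example, not code from the case or from any vendor. The events below
are constructed, not real telemetry: (TimeCreated, TargetHost,
TargetUserName, LogonType, IpAddress). Logon type 3 covers SMB and WinRM
network logons; type 10 is RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)
HOST_THRESHOLD = 5                  # distinct hosts per (account, source) in WINDOW
REMOTE_LOGON_TYPES = {3, 10}        # 3 = Network (SMB/WinRM), 10 = RemoteInteractive (RDP)
# Accounts expected to touch many hosts (scanners, backup agents); tune per estate.
ALLOWLIST = {"CORP\\svc_scanner"}

EVENTS = [
    # normal user: console logon, then a file server and a print server
    ("2023-09-12T09:00:01", "WS-0042", "CORP\\alice", 2, "-"),
    ("2023-09-12T09:05:12", "FS01", "CORP\\alice", 3, "10.0.5.42"),
    ("2023-09-12T09:06:00", "PRINT01", "CORP\\alice", 3, "10.0.5.42"),
    # vulnerability scanner sweeping the subnet (allow-listed)
    ("2023-09-12T03:00:00", "FS01", "CORP\\svc_scanner", 3, "10.0.9.9"),
    ("2023-09-12T03:00:05", "SQL01", "CORP\\svc_scanner", 3, "10.0.9.9"),
    ("2023-09-12T03:00:10", "DC01", "CORP\\svc_scanner", 3, "10.0.9.9"),
    ("2023-09-12T03:00:15", "APP01", "CORP\\svc_scanner", 3, "10.0.9.9"),
    ("2023-09-12T03:00:20", "APP02", "CORP\\svc_scanner", 3, "10.0.9.9"),
    ("2023-09-12T03:00:25", "BACKUP01", "CORP\\svc_scanner", 3, "10.0.9.9"),
    # an admin account used from a workstation against six servers at 2 a.m.
    ("2023-09-12T02:10:01", "FS01", "CORP\\adm_ops", 3, "10.0.5.23"),
    ("2023-09-12T02:10:45", "SQL01", "CORP\\adm_ops", 3, "10.0.5.23"),
    ("2023-09-12T02:11:30", "DC01", "CORP\\adm_ops", 3, "10.0.5.23"),
    ("2023-09-12T02:12:02", "APP01", "CORP\\adm_ops", 3, "10.0.5.23"),
    ("2023-09-12T02:13:10", "APP02", "CORP\\adm_ops", 3, "10.0.5.23"),
    ("2023-09-12T02:14:55", "BACKUP01", "CORP\\adm_ops", 10, "10.0.5.23"),
]


def detect_fan_out(events, window=WINDOW, host_threshold=HOST_THRESHOLD,
                   allowlist=ALLOWLIST):
    """Return one finding per (account, source IP) whose remote logons reach
    >= host_threshold distinct hosts inside any single window."""
    by_key = defaultdict(list)
    for ts, host, user, ltype, ip in events:
        if ltype not in REMOTE_LOGON_TYPES or user in allowlist:
            continue
        by_key[(user, ip)].append((datetime.fromisoformat(ts), host))
    findings = []
    for (user, ip), hits in by_key.items():
        hits.sort()
        for i, (t_end, _) in enumerate(hits):
            in_win = [(t, h) for t, h in hits[: i + 1] if t >= t_end - window]
            hosts = sorted({h for _, h in in_win})
            if len(hosts) >= host_threshold:
                findings.append({"user": user, "source_ip": ip, "hosts": hosts,
                                 "first": in_win[0][0], "last": t_end})
                break   # one finding per (account, source) is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_fan_out(EVENTS):
        print(f"ALERT {f['user']} from {f['source_ip']} reached "
              f"{len(f['hosts'])} hosts ({', '.join(f['hosts'])}) between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

Keying on (account, source IP) rather than on the account alone matters: a domain admin who legitimately administers many servers from a jump host looks very different from the same account fanning out from an ordinary workstation.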
Ransomware Attack Disrupts Romania’s Largest Coal Energy Producer
Oltenia Energy Complex (Complexul Energetic Oltenia), Romania's largest coal-fired electricity producer, suffered a ransomware attack on December 26, 2025 that encrypted its ERP, document management, email and website systems. Power generation was not affected.
Attack Scope and Immediate Impact
The attack hit IT infrastructure on a public holiday, when staffing is thin, and encrypted files across several business platforms. Business operations were partially disrupted, but the SCADA systems that control generation run on separate networks and were not reached, so there was no impact on the grid. The incident was reported to Romania's National Cyber Security Directorate (DNSC) and to DIICOT, the organised crime and terrorism prosecutor; the Gentlemen ransomware group is suspected.
Technical Breakdown
Little about the intrusion itself has been made public. Gentlemen, a group that surfaced in 2025, is reported to obtain initial access through phishing or exploitation of unpatched internet-facing services and to rely on living-off-the-land binaries for persistence; its Windows locker renames encrypted files with its own extension and drops ransom notes, and the group practises double extortion, stealing data over commodity file-sharing services or Tor-based transfer tools before encrypting. Whether any specific vulnerability was used against Oltenia has not been disclosed. Recovery involved rebuilding affected systems from backups on new infrastructure, which is only possible when backups are offline or immutable and therefore out of reach of the same credentials the attackers used.
Broader Energy Sector Vulnerabilities
The incident follows other recent attacks on Romanian critical infrastructure and illustrates the risk where IT and OT networks converge. Industrial protocols such as Modbus/TCP carry no authentication and no encryption: any host that can reach a PLC on port 502 can read and write its registers, and traffic can be intercepted or altered in transit. Recommendations include segmentation along the Purdue Model with a DMZ between IT and OT, anomaly detection on historian and control traffic (in particular write requests from hosts that are not the HMI or engineering workstations), and regular purple team exercises that rehearse an IT compromise spreading towards OT.
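To make the Modbus point concrete, here is an added example written for this article, not code from the incident or from any vendor. It builds and decodes Modbus/TCP request frames with nothing but the standard library, which shows that a Write Single Register request is an MBAP header plus five bytes of PDU with no field that identifies or authenticates the sender; the same bytes from an HMI and from a compromised IT workstation are indistinguishable to the PLC. The `classify` function is the kind of rule a passive OT monitor would apply: writes from anything outside a constructed allow-list of HMI and engineering hosts raise an alert. Addresses, unit IDs and register numbers are made up.

```python
"""Modbus/TCP frame parsing and a write-from-unexpected-source check.

Added example, not code from the incident or from any vendor. Frames and
addresses are constructed. Shows why "Modbus has no authentication": a Write
Single Register request is seven bytes of MBAP header and five bytes of PDU,
none of which identify or authenticate the sender.
"""
import struct

WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
# Hosts allowed to write to PLCs (HMI and engineering workstations); constructed.
WRITE_ALLOWLIST = {"10.20.1.10", "10.20.1.11"}


def build_write_single_register(tid, unit, address, value):
    """Build an FC 6 request: MBAP header (transaction id, protocol id 0,
    remaining length, unit id) followed by the PDU (function, address, value)."""
    pdu = struct.pack(">BHH", 6, address, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def build_read_holding_registers(tid, unit, address, quantity):
    """Build an FC 3 request for comparison."""
    pdu = struct.pack(">BHH", 3, address, quantity)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_tcp(frame):
    """Decode the MBAP header and the common request PDUs."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    func, data = frame[7], frame[8:]
    info = {"tid": tid, "unit": unit, "function": func & 0x7F,
            "exception": bool(func & 0x80)}
    if func in (1, 2, 3, 4, 5, 6) and len(data) == 4:
        a, b = struct.unpack(">HH", data)
        info["address"] = a
        info["value" if func in (5, 6) else "quantity"] = b
    elif func in (15, 16) and len(data) >= 5:
        info["address"], info["quantity"], nbytes = struct.unpack(">HHB", data[:5])
        info["payload"] = data[5:5 + nbytes]
    return info


def classify(src_ip, frame, allowlist=WRITE_ALLOWLIST):
    """Verdict for one (source IP, frame) pair seen on the OT segment. Reads
    are left alone here; writes from anything but the HMI/engineering hosts
    are alerted, because the protocol itself cannot tell them apart."""
    info = parse_modbus_tcp(frame)
    if info["function"] in WRITE_FUNCTIONS and src_ip not in allowlist:
        return "ALERT", info
    return "OK", info


if __name__ == "__main__":
    # Same write, once from the HMI and once from an IT-side workstation
    # that should never reach port 502. The bytes are identical.
    setpoint_write = build_write_single_register(tid=1, unit=1, address=0x0010, value=0)
    print(setpoint_write.hex())
    for src in ("10.20.1.10", "10.0.5.23"):
        verdict, info = classify(src, setpoint_write)
        print(src, verdict, WRITE_FUNCTIONS.get(info["function"]), info)
    print(classify("10.0.5.23", build_read_holding_registers(2, 1, 0, 10)))
```

An allow-list on source address is only as good as the segmentation behind it: if IT hosts can reach port 502 at all, the check detects rather than prevents, which is exactly why the Purdue Model puts a firewall and a DMZ between the two zones.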
Aflac Data Breach Exposes Personal Data of 22.6 Million People
Insurer Aflac disclosed on June 20, 2025 that it had been breached, after detecting suspicious activity on its US network on June 12 and, by its own account, stopping the intrusion within hours; no ransomware was deployed. Aflac has since put the number of affected individuals at 22.65 million, with exposed data including names, Social Security numbers, addresses, dates of birth and health information.
Breach Timeline and Containment
On detecting the activity Aflac isolated the affected systems and brought in third-party incident response firms; business operations were not disrupted. Affected individuals are being notified as the investigation concludes and are offered 24 months of credit monitoring. Aflac says it has no evidence that the data has been misused and describes the attack as part of a broader cybercrime campaign against the insurance sector.
Technical Intrusion Vectors
Aflac attributed the intrusion to a sophisticated cybercrime group that used social engineering to obtain access, and has published no further technical detail. Speculation about supply-chain compromise, Active Directory reconnaissance with BloodHound, SQL injection against the databases holding PII, or exfiltration over DNS tunnels or HTTPS command-and-control is not supported by the disclosure and should be read as generic possibilities, not findings. What the disclosure does make clear is the consequence: Social Security numbers, dates of birth and health information together are enough to commit identity fraud, build synthetic identities or file fraudulent medical claims, and unlike a password none of them can be rotated.
Insurance Sector Trends
The campaign reflects the value of the PII that insurers are obliged to hold. Practical defences: DLP rules that recognise SSNs and similar identifiers in outbound traffic and bulk query results, with validation so that dates, order numbers and phone numbers do not drown the alerts; encryption at rest with tightly scoped decryption rights; phishing-resistant MFA and strict identity verification for help-desk and privileged accounts, since social engineering was the entry point; and continuous verification of sessions rather than a one-time login. After a breach, forced credential resets and dark web monitoring for the stolen records are standard.
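A DLP rule that just matches nine digits will flood analysts with false positives; the useful version applies the published structure rules for SSNs and treats unlabelled digit runs with less confidence. The following is an added example written for this article, not Aflac's tooling and not any vendor's DLP engine. It scans a constructed export for separated (`ddd-dd-dddd`, `ddd dd dddd`) and bare nine-digit candidates, rejects structurally impossible numbers (area 000, 666 or 900 and above, group 00, serial 0000) and a few widely published never-issued numbers, and blocks the export when it carries more valid SSNs than a configurable threshold. The names, numbers and thresholds in the sample are made up.

```python
"""SSN detection for a DLP rule, with validation to cut false positives.

Added example, not Aflac's tooling or any vendor's DLP engine. The rules
are the SSA structure rules (area not 000, 666 or 900-999; group not 00;
serial not 0000) plus a few well-known never-issued numbers. The export
text below is constructed.
"""
import re

# ddd-dd-dddd or ddd dd dddd, not embedded in a longer digit/dash run
SEPARATED_RE = re.compile(r"(?<![\d-])(\d{3})[- ](\d{2})[- ](\d{4})(?![\d-])")
# nine bare digits; only trusted when an SSN-like label precedes them
BARE_RE = re.compile(r"(?<![\d-])(\d{3})(\d{2})(\d{4})(?![\d-])")
LABEL_RE = re.compile(r"\b(ssn|social security)\b", re.IGNORECASE)
NEVER_ISSUED = {"078051120", "219099999", "123456789"}  # widely published placeholders

SAMPLE_EXPORT = """\
policy_id,name,ssn,dob,notes
A-1001,Jane Roe,432-11-7890,1980-02-14,claim pending
A-1002,John Doe,123-45-6789,1975-06-30,placeholder number
A-1003,Mary Major,666-24-1234,1990-11-02,area 666 never issued
A-1004,Sam Minor,519 44 0312,1988-08-08,space separated
A-1005,Ana Lopez,SSN 560983341,1992-03-19,bare digits with a label
A-1006,Lee Park,ORD-123456789,1969-12-31,order number not an SSN
A-1007,Kim Chen,987-65-4320,2001-07-07,area 900+ never issued
"""


def is_valid_ssn(area, group, serial):
    """Structural validity per SSA rules; True does not mean 'issued'."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return area + group + serial not in NEVER_ISSUED


def find_ssns(text, label_window=25):
    """Return every candidate with its validity and a confidence level."""
    hits = []
    for m in SEPARATED_RE.finditer(text):
        a, g, s = m.groups()
        hits.append({"value": m.group(0), "start": m.start(),
                     "valid": is_valid_ssn(a, g, s), "confidence": "high"})
    for m in BARE_RE.finditer(text):
        a, g, s = m.groups()
        before = text[max(0, m.start() - label_window):m.start()]
        hits.append({"value": m.group(0), "start": m.start(),
                     "valid": is_valid_ssn(a, g, s),
                     "confidence": "high" if LABEL_RE.search(before) else "low"})
    return sorted(hits, key=lambda h: h["start"])


def assess_export(text, max_valid=5):
    """DLP decision for an outbound file or bulk query result: block when
    it carries at least max_valid structurally valid, high-confidence SSNs."""
    valid = [h for h in find_ssns(text) if h["valid"] and h["confidence"] == "high"]
    return {"valid_ssns": len(valid), "block": len(valid) >= max_valid,
            "values": [h["value"] for h in valid]}


if __name__ == "__main__":
    for h in find_ssns(SAMPLE_EXPORT):
        print(h)
    print(assess_export(SAMPLE_EXPORT, max_valid=3))
```

The negative look-around on digits and dashes is what keeps `ORD-123456789` and the `dob` column out of the results; the label check is what lets a bare `SSN 560983341` through as high confidence while an unlabelled nine-digit account number stays low. In production the threshold would also be weighted by destination (external email versus an internal analytics share).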