Google's Threat Intelligence Group disclosed that PRC-nexus actor UNC6508 spent more than a year inside U.S. and Canadian medical, academic and military-health research environments, compromising legacy REDCap servers, deploying custom INFINITERED malware and abusing Google Workspace email compliance rules to silently exfiltrate research and defense data.
Victim
U.S. and Canadian medical, academic and military-health research institutions
Iran-linked hackers breached Los Angeles' transit agency LA Metro in March 2026, stealing at least 700 GB of internal data and disrupting passenger-information and TAP fare systems.
Victim
Los Angeles County Metropolitan Transportation Authority
The Czech government publicly attributed a years-long cyber-espionage campaign against an unclassified network of its Ministry of Foreign Affairs to APT31, a group linked to China's Ministry of State Security. The intrusion, active since at least 2022, targeted designated critical national infrastructure.
China-linked Salt Typhoon infiltrated at least nine U.S. telecom providers — Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated, Windstream — including the CALEA lawful-intercept systems used for court-authorised wiretaps. Metadata for over a million users was exposed; the U.S. Treasury sanctioned a linked PRC contractor.
China-based Storm-0558 forged authentication tokens using a stolen Microsoft consumer signing key and read email at approximately 25 organisations — including the US State Department, the Department of Commerce, and the U.S. Ambassador to China. The 'cascade of errors' that enabled it became a defining case for cloud-provider key custody.
Victim
Microsoft customers (US State Department, Department of Commerce, ~25 organisations)
Greece's 'Predatorgate' wiretapping scandal exposed the use of Intellexa/Cytrox's Predator spyware and parallel legal surveillance against journalists, politicians and officials, toppling intelligence chiefs and ending in landmark 2026 convictions.
Victim
Greek journalists, politicians and state officials
Hungary's national security service used NSO Group's Pegasus spyware to covertly hack the phones of investigative journalists, lawyers, and government critics, with more than 300 Hungarian numbers appearing on a leaked target list.
Victim
Hungarian journalists, lawyers and government critics
A state-sponsored cyber-espionage operation attributed to China's APT31 breached the internal IT systems of the Finnish Parliament in 2020, compromising email accounts belonging to members of parliament.
A sophisticated, weeks-long intrusion hit Austria's Foreign Ministry over the 2020 New Year, attributed by Austrian media to the Russia-linked Turla APT. The ministry, which runs around 100 diplomatic missions, fought a prolonged espionage operation before declaring its systems cleaned.
Victim
Austrian Federal Ministry for European and International Affairs (BMEIA)
A sophisticated, likely state-sponsored actor breached the Australian National University's administrative systems in late 2018, exfiltrating up to 19 years of staff and student records in an intrusion praised by ANU's own report for its extraordinary operational security.
Chinese state-attributed operators sat undetected on Starwood's guest reservation database from 2014, surviving Marriott's 2016 acquisition. Disclosed 2018: 500 million guest records exposed, including 5.25 million unencrypted passport numbers.
Victim
Marriott International / Starwood Hotels & Resorts
Chinese state-attributed actors exfiltrated personal and outpatient medication records on 1.5 million SingHealth patients — including Prime Minister Lee Hsien Loong — in Singapore's most serious cyber incident.
Citizen Lab found Sandvine PacketLogic deep-packet-inspection devices on Telecom Egypt's network covertly redirecting users en masse to affiliate ads and cryptocurrency-mining scripts, while also blocking dozens of news and human-rights sites.
Victim
Telecom Egypt internet subscribers (millions of Egyptian users)
A multi-year cyber-espionage campaign tied to the Lebanese General Directorate of General Security (GDGS) stole hundreds of gigabytes of data from thousands of victims across 21+ countries using trojanized Android apps and desktop malware.
Victim
Activists, journalists, lawyers, military and government targets (21+ countries)
Attackers planted malware on Qatar's state news agency in April 2017 and exploited it on 24 May to publish fabricated quotes attributed to the Emir, providing the pretext used by Saudi Arabia, the UAE, Bahrain, and Egypt to launch a blockade of Qatar.
A targeted intrusion into Singapore's Ministry of Defence I-net web-surfing system stole the NRIC numbers, phone numbers and birth dates of 850 national servicemen and staff in the country's first publicly disclosed breach of a government defence network.
Russian GRU Units 26165 (APT28) and 31165 (APT29) compromised the Democratic National Committee, Hillary Clinton campaign, and DCCC. Stolen emails were selectively released via 'DCLeaks', 'Guccifer 2.0', and WikiLeaks to influence the 2016 U.S. presidential election.
Victim
Democratic National Committee + Clinton campaign + DCCC
Lazarus operators sent fraudulent SWIFT instructions through the New York Fed to wire $951 million out of Bangladesh Bank's reserve account. A typo on one transfer stopped $850M; $81M still escaped to Philippine casinos.
The Russia-linked Sandworm group used spear-phishing, BlackEnergy3, and KillDisk to remotely flip breakers at three Ukrainian regional electricity distribution companies, cutting power to approximately 230,000 customers for 1–6 hours. It is the first publicly acknowledged successful cyberattack on an electric power grid in history.
Victim
Ukrainian regional electricity distribution companies (Oblenergos)
Chinese state operators exfiltrated background-investigation forms (SF-86s) for 21.5 million U.S. federal employees and contractors — the most-damaging intelligence-loss cyber incident in U.S. government history.
Russian GRU Unit 26165 (APT28 / Fancy Bear) compromised the Bundestag's parliamentary network, exfiltrating ~16 GB of data including emails from Chancellor Merkel's parliamentary office. Forced a full Bundestag IT estate rebuild.
Chinese state-attributed actors exfiltrated personal data on 78.8 million current and former Anthem health insurance customers — at the time the largest healthcare-sector breach in U.S. history.
Attackers used spear-phishing to pivot from a German steel mill's office network into its production network, manipulating industrial controls so a blast furnace could not be shut down properly and suffered massive physical damage.
Gauss, a nation-state cyber-surveillance toolkit related to Flame and Stuxnet, infected over 2,500 systems — most heavily in Lebanon — and was the first publicly known state-sponsored malware engineered to steal online-banking credentials from specific Lebanese banks.
Victim
Lebanese banks (Bank of Beirut, Byblos Bank, Fransabank, BlomBank, Credit Libanais) and their customers
A spear-phishing email carrying a Flash zero-day gave attackers a foothold inside RSA, from which they exfiltrated data tied to the SecurID two-factor authentication system — data later used in an intrusion attempt against Lockheed Martin.