The final week of June 2025 marked one of the most devastating periods in cybersecurity history, with unprecedented credential theft affecting 16 billion login credentials and a surge in sophisticated nation-state attacks targeting critical infrastructure and major corporations. This period witnessed the emergence of advanced AI-powered attack techniques, including deepfake Zoom meetings by North Korean APT groups, the arrest of notorious hacker IntelBroker, and Iranian cyber threats escalating amid geopolitical tensions.
The week was dominated by the largest credential leak in history, affecting platforms including Apple, Google, Facebook, and government services, while Scattered Spider expanded operations to target the aviation industry with attacks on WestJet and Hawaiian Airlines. Critical infrastructure vulnerabilities emerged with Mitsubishi Electric HVAC systems affected by CVE-2025-3699, and ongoing industrial control system threats documented by CISA.
The convergence of AI-enhanced social engineering, supply chain attacks, and nation-state espionage underscores the rapidly evolving threat landscape where traditional security measures are increasingly insufficient against sophisticated adversaries employing cutting-edge tactics.
Incident Analysis Feed
1. Record-Breaking 16 Billion Credential Leak
Date of Incident: June 18, 2025
Discovery Date: June 18-23, 2025
Threat Actor: Unknown (Infostealer malware campaign)
Impact: Massive credential exposure enabling global cyber exploitation
Overview
Security researchers uncovered the largest credential breach in history on June 18, 2025, exposing approximately 16 billion login credentials across 30 separate databases. The massive compilation included fresh, weaponizable credentials from major platforms including Apple, Google, Facebook, GitHub, Telegram, and government services, marking this as a “blueprint for mass exploitation” according to cybersecurity experts.
Explanation
The credentials originated from infostealer malware campaigns that silently harvested login data from infected devices and uploaded them to unsecured storage locations including Elasticsearch instances and cloud storage buckets. Unlike recycled breach data, investigators confirmed the credentials were recent and highly organized, making them particularly dangerous for credential stuffing, account takeovers, and targeted phishing campaigns.
MITRE ATT&CK Mapping:
- Initial Access: T1566.001 (Spearphishing Attachment), T1189 (Drive-by Compromise)
- Collection: T1005 (Data from Local System), T1113 (Screen Capture)
- Credential Access: T1003 (OS Credential Dumping), T1555 (Credentials from Password Stores)
- Exfiltration: T1041 (Exfiltration Over C2 Channel)
- Impact: T1565 (Data Manipulation)
Impact
The breach created unprecedented global cybersecurity risks:
- 16 billion credentials potentially affecting billions of users worldwide
- Fresh, weaponizable intelligence for cybercriminal operations
- Major platforms compromised including social media, email, and government services
- Identity theft and phishing campaign enablement at massive scale
- Account takeover risks across multiple services due to password reuse
Details
Technical Indicators:
- 30 separate datasets containing 10 million to 3.5 billion records each
- URLs, usernames, passwords plus tokens, cookies, and metadata
- Unsecured storage in Elasticsearch and cloud buckets
- Recent compilation from multiple infostealer campaigns
Attack Infrastructure:
- Distributed infostealer malware deployment
- Automated credential harvesting systems
- Cloud-based data aggregation platforms
- Dark web credential monetization markets
Remediation Actions:
- Immediate password reset campaigns across affected platforms
- Enhanced monitoring for credential stuffing attacks
- Multi-factor authentication enforcement
- User education on password security practices
Takeaway for CISO
This unprecedented breach emphasizes the critical need for zero-trust authentication and proactive credential monitoring:
- Mandatory multi-factor authentication across all systems and applications
- Password manager deployment with unique credential enforcement
- Continuous credential monitoring against breach databases
- Transition to passwordless authentication where technically feasible
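One way to implement the "continuous credential monitoring against breach databases" item above, as an added example that is not from the original post: a k-anonymity lookup in the style of the Pwned Passwords range API, where only the first five hex characters of the password's SHA-1 leave the host and the suffix match is done locally. The range response is constructed for this example and offline_fetch stands in for the HTTP call; zero-count lines mimic the API's padding entries and must not count as a hit.

```python
import hashlib
from typing import Callable

# Constructed stand-in for a Pwned Passwords "range" response (the real API is
# GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>). Each line is
# "<35-char SHA-1 suffix>:<count>"; a count of 0 is padding, meaning "not seen".
FAKE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2D4F1A3C5E7B9D0F2A4C6E8B0D2F4A6C8E0:0
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breach sightings for the password (0 = not found).

    Only the 5-char prefix is sent to fetch_range (k-anonymity); the full hash
    never leaves the host and the suffix comparison happens locally.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Constructed responder used here instead of a network call."""
    return FAKE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_fetch)
        print(f"{pw!r}: {'REJECT' if n else 'ok'} ({n} breach sightings)")
```

Wire fetch_range to a real HTTPS client to check new passwords at set or reset time, and rerun stored SHA-1 prefixes on a schedule to catch credentials that appear in later compilations like this one.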
- Employee education on infostealer malware and credential hygiene
2. Scattered Spider Aviation Sector Campaign
Date of Incident: June 12-30, 2025
Threat Actor: Scattered Spider
Impact: Aviation industry disruption and data theft
Overview
The notorious Scattered Spider cybercriminal group expanded their operations to target the aviation industry throughout June 2025, successfully breaching Hawaiian Airlines and WestJet using sophisticated social engineering tactics and MFA bypass techniques. This represents a concerning evolution in the group’s targeting strategy following previous attacks on insurance companies.
Explanation
Scattered Spider employed their signature social engineering playbook, impersonating employees and manipulating help-desk staff to bypass multi-factor authentication systems. The attacks leveraged MFA fatigue techniques and behavioral manipulation to gain unauthorized access to aviation networks, demonstrating the group’s ability to adapt tactics across industry verticals.
MITRE ATT&CK Mapping:
- Initial Access: T1566.002 (Spearphishing Link)
- Execution: T1204.002 (Malicious File)
- Persistence: T1078.004 (Cloud Accounts)
- Privilege Escalation: T1078 (Valid Accounts)
- Defense Evasion: T1550.001 (Application Access Token)
- Credential Access: T1621 (Multi-Factor Authentication Request Generation)
- Collection: T1005 (Data from Local System)
- Impact: T1565 (Data Manipulation)
Impact
The aviation sector attacks resulted in significant operational disruption:
- WestJet operations affected with ongoing investigation into data compromise
- Hawaiian Airlines confirmed technology system impact affecting 150 daily flights
- No flight safety concerns but continued operational monitoring required
- Industry-wide security alert for enhanced MFA monitoring
Details
Attack Methodology:
- Employee impersonation targeting help desk and IT support staff
- MFA fatigue attacks overwhelming users with authentication requests
- Behavioral detection evasion through sophisticated social engineering
- Third-party vendor targeting within aviation ecosystem
Technical Indicators:
- Suspicious MFA activity patterns from distributed IP addresses
- Help desk verification procedure bypasses
- Unauthorized access token generation
- Anomalous administrative account creation
Remediation Actions:
- Enhanced help desk verification protocols implementation
- MFA behavioral analytics deployment
- Third-party vendor access policy hardening
- Employee social engineering training intensification
Takeaway for CISO
This campaign highlights the persistent threat of social engineering against multi-factor authentication systems:
- Risk-based adaptive authentication implementation beyond traditional MFA
- Help desk verification protocol strengthening with multi-channel validation
- Behavioral analytics deployment for MFA anomaly detection
- Regular social engineering simulation exercises for all staff
- Third-party access governance with continuous monitoring
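As an added example, not taken from the original post, here is detection logic for the "suspicious MFA activity patterns from distributed IP addresses" indicator and the "MFA behavioral analytics" recommendation above: it runs over a constructed MFA push log and flags a user who receives several denied or timed-out pushes within a short window (the T1621 fatigue pattern), reporting how many source IPs were involved and whether an approval followed the burst. The log format, field names and thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed MFA push log: "<ISO timestamp> <user> <result> <source IP>".
# Documentation IP ranges are used; this is not real data.
SAMPLE_LOG = """\
2025-06-20T02:14:05Z alice approved 203.0.113.10
2025-06-20T02:31:11Z bob denied 198.51.100.7
2025-06-20T02:31:40Z bob timeout 198.51.100.7
2025-06-20T02:32:02Z bob denied 192.0.2.44
2025-06-20T02:32:50Z bob denied 198.51.100.9
2025-06-20T02:33:15Z bob approved 192.0.2.44
2025-06-20T09:10:00Z carol denied 203.0.113.10
2025-06-20T09:45:00Z carol denied 203.0.113.10
"""


class PushEvent(NamedTuple):
    ts: datetime
    user: str
    result: str
    src_ip: str


def parse_log(text: str) -> list[PushEvent]:
    """Parse log lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(PushEvent(ts, parts[1], parts[2], parts[3]))
    return sorted(events, key=lambda e: e.ts)


def detect_mfa_fatigue(events, window_min: int = 10, threshold: int = 3) -> dict:
    """Flag users with >= threshold denied/timed-out pushes inside a sliding window.

    Returns {user: {"unapproved": n, "source_ips": k, "approved_after_burst": bool}}.
    An approval arriving after the burst is the strongest sign the fatigue
    attempt succeeded and the account should be treated as compromised.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = {}
    window = timedelta(minutes=window_min)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            burst = [e for e in evs[i:] if e.ts - start.ts <= window]
            unapproved = [e for e in burst if e.result in ("denied", "timeout")]
            if len(unapproved) < threshold:
                continue
            burst_reached = unapproved[threshold - 1].ts
            approved_after = any(e.result == "approved" and e.ts > burst_reached for e in burst)
            alerts[user] = {
                "unapproved": len(unapproved),
                "source_ips": len({e.src_ip for e in unapproved}),
                "approved_after_burst": approved_after,
            }
            break
    return alerts


if __name__ == "__main__":
    print(detect_mfa_fatigue(parse_log(SAMPLE_LOG)))
```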
3. IntelBroker Hacker Arrest and Extradition
Date of Incident: February-June 2025
Date of Disclosure: June 26, 2025
Threat Actor: Kai West (alias “IntelBroker”)
Impact: Major cybercriminal operation disruption
Overview
On June 26, 2025, U.S. federal prosecutors unsealed charges against 25-year-old British national Kai West, known by the alias “IntelBroker”, for leading a global cybercrime operation that stole sensitive data from dozens of companies resulting in over $25 million in damages. West was arrested in France in February 2025 and faces extradition to the United States.
Explanation
West operated under multiple aliases including “IntelBroker” and “Kyle Northern”, leading a hacking collective called “CyberN” (formerly “The Boys”). The operation involved systematic corporate network infiltration to steal customer databases, marketing plans, and sensitive internal data, subsequently monetizing the information through BreachForums and other dark web marketplaces.
MITRE ATT&CK Mapping:
- Initial Access: T1566.001 (Spearphishing Attachment)
- Execution: T1059.001 (PowerShell)
- Persistence: T1547.001 (Registry Run Keys)
- Privilege Escalation: T1068 (Exploitation for Privilege Escalation)
- Defense Evasion: T1070.004 (File Deletion)
- Credential Access: T1003 (OS Credential Dumping)
- Collection: T1005 (Data from Local System)
- Exfiltration: T1041 (Exfiltration Over C2 Channel)
- Command and Control: T1102 (Web Service)
Impact
The IntelBroker operation caused extensive damage across multiple sectors:
- $25+ million in damages across 40+ corporations
- 158 data sale threads on BreachForums offering stolen information
- Telecommunications, healthcare, and government data compromised
- $2.4 million profit target from data monetization
- Major corporate victims including claimed attacks on AMD, Cisco, and HPE
Details
Investigation Timeline:
- February 2025: West arrested in France
- June 26, 2025: U.S. indictment unsealed
- Ongoing: Extradition proceedings to Southern District of New York
Technical Evidence:
- FBI undercover purchases of stolen credentials for $250 in Bitcoin
- Email, cryptocurrency wallet, and YouTube activity linking to West’s identity
- BreachForums administration and moderation activities
- Clear and dark web forum operations coordination
Law Enforcement Actions:
- International cooperation between U.S., French, and British authorities
- Coordinated takedown of BreachForums infrastructure
- Related arrests of ShinyHunters group members
Takeaway for CISO
This arrest demonstrates the increasing effectiveness of international cybercrime prosecution and the importance of threat intelligence:
- Enhanced threat intelligence sharing with law enforcement agencies
- Dark web monitoring for organizational data exposure
- Incident response coordination with federal cybercrime units
- Proactive threat hunting for advanced persistent access
- Legal preparation for potential criminal prosecution support
4. North Korean BlueNoroff Deepfake Zoom Attacks
Date of Incident: June 2025
Threat Actor: BlueNoroff (Lazarus Group)
Impact: Cryptocurrency sector targeting with AI-enhanced social engineering
Overview
The North Korean-affiliated BlueNoroff APT group launched a sophisticated campaign in June 2025 using AI-generated deepfake video feeds to impersonate trusted executives during live Zoom meetings. The attacks targeted cryptocurrency and Web3 sector employees, representing a significant evolution in nation-state social engineering tactics.
Explanation
BlueNoroff operatives initiated contact through Telegram, sending Calendly links that redirected to fake Zoom domains. During group meetings featuring deepfaked company executives, victims experienced fabricated audio issues and were instructed to install malicious “Zoom audio support” extensions. The extensions deployed AppleScript malware targeting macOS systems with keyloggers, cryptocurrency stealers, and remote access tools.
MITRE ATT&CK Mapping:
- Initial Access: T1566.002 (Spearphishing Link)
- Execution: T1059.002 (AppleScript)
- Persistence: T1547.011 (Plist Modification)
- Defense Evasion: T1564.001 (Hidden Files and Directories)
- Credential Access: T1555.003 (Credentials from Web Browsers)
- Collection: T1056.001 (Keylogging)
- Command and Control: T1071.001 (Web Protocols)
- Impact: T1565 (Data Manipulation)
Impact
The deepfake campaign posed significant risks to cryptocurrency operations:
- Web3 foundation employees directly targeted
- Advanced persistent access to cryptocurrency infrastructure
- Financial theft capabilities through cryptocurrency wallet access
- Supply chain implications for blockchain ecosystem security
Details
Attack Infrastructure:
- Fake Zoom domains with legitimate favicon hosting
- Calendly integration for meeting scheduling legitimacy
- Deepfake generation capabilities for executive impersonation
- Telegram-based initial contact vectors
Technical Payload Analysis:
- AppleScript malware with system log disabling
- Rosetta 2 installation for compatibility
- Keylogger and cryptocurrency stealer deployment
- Remote access tool installation for persistence
Detection and Response:
- Zoom favicon anomaly detection for fake domains
- Behavioral analysis of meeting participant authenticity
- Endpoint detection for unauthorized AppleScript execution
Takeaway for CISO
This represents a paradigm shift in social engineering sophistication requiring enhanced human verification protocols:
- AI-powered deepfake detection tools deployment
- Multi-channel identity verification for sensitive meetings
- Endpoint protection against script-based malware
- Employee training on AI-enhanced social engineering threats
- Meeting platform security hardening and monitoring
5. APT29 Sophisticated Phishing Campaign
Date of Incident: June 2025
Threat Actor: APT29 (Midnight Blizzard/Cozy Bear)
Impact: Expert targeting with novel authentication bypass
Overview
Russian state-sponsored group APT29 conducted a highly sophisticated phishing campaign in June 2025, successfully bypassing multi-factor authentication through app-specific password (ASP) abuse. The attack targeted Keir Giles, a prominent Russia expert and Chatham House senior consulting fellow, demonstrating refined tactics that avoided traditional red flags.
Explanation
Unlike previous campaigns, this operation featured convincing English, valid-looking domains, strategic timing, and no pressure tactics. The attackers, linked to Russia’s Foreign Intelligence Service (SVR), tricked the target into sharing an app-specific password, enabling Google account access despite MFA protection. This novel technique highlighted evolving threats that bypass modern security tools.
MITRE ATT&CK Mapping:
- Initial Access: T1566.002 (Spearphishing Link)
- Execution: T1204.002 (Malicious File)
- Persistence: T1078.004 (Cloud Accounts)
- Credential Access: T1621 (Multi-Factor Authentication Request Generation)
- Collection: T1114 (Email Collection)
- Command and Control: T1071.001 (Web Protocols)
Impact
The successful bypass demonstrated significant authentication vulnerabilities:
- High-value target compromise of Russia policy expert
- MFA bypass technique validation for future operations
- Intelligence gathering on diplomatic and policy discussions
- App-specific password exploitation creating new attack vectors
Details
Attack Sophistication:
- U.S. State Department impersonation with convincing materials
- Patient reconnaissance and target profiling
- Technical knowledge of Google authentication mechanisms
- Behavioral adaptation to avoid detection triggers
Technical Methodology:
- ASP generation through social engineering
- Account access maintenance despite MFA protection
- Email and document collection from compromised accounts
Takeaway for CISO
This attack reveals critical weaknesses in authentication bypass protections:
- App-specific password governance with strict controls and monitoring
- Advanced phishing simulation incorporating state-actor techniques
- High-value target protection with enhanced security measures
- Authentication architecture review for bypass vulnerabilities
- Threat intelligence integration for nation-state campaign detection
6. Critical Mitsubishi Electric HVAC Vulnerability
Date of Disclosure: June 26, 2025
CVE: CVE-2025-3699
CVSS Score: 9.8
Impact: Critical infrastructure and building automation systems at risk
Overview
CISA released an advisory on June 26, 2025, detailing a critical authentication bypass vulnerability in Mitsubishi Electric air conditioning systems. CVE-2025-3699 affects a wide range of HVAC models with a CVSS score of 9.8, enabling remote attackers to illegally control systems and tamper with firmware without credentials.
Explanation
The vulnerability stems from missing authentication for critical functions in web interfaces, classified under CWE-306. Attackers can bypass authentication and gain unauthorized control over HVAC systems, disclose sensitive information, and manipulate firmware. The flaw is particularly dangerous in externally accessible configurations without VPN protection.
MITRE ATT&CK Mapping:
- Initial Access: T1190 (Exploit Public-Facing Application)
- Execution: T1059 (Command and Scripting Interpreter)
- Persistence: T1546 (Event Triggered Execution)
- Privilege Escalation: T1068 (Exploitation for Privilege Escalation)
- Impact: T1565 (Data Manipulation)
Impact
The vulnerability poses significant risks to building automation security:
- Wide range of Mitsubishi Electric models affected including G-50, AE-200J, and others
- Commercial and industrial facilities at risk globally
- Building automation system compromise enabling lateral movement
- Operational disruption and safety concerns
Details
Affected Products:
- G-50/GB-50/AE-200J/AE-50A and related models
- Version ranges including G-50 Ver.3.37 and prior
- Multiple product lines across Mitsubishi Electric HVAC portfolio
Exploitation Scenarios:
- System Example 3 (external access without VPN): Vulnerable to remote exploitation
- Internet-facing systems without proper network segmentation
- Direct firmware manipulation capabilities
Mitigation Strategies:
- Network access restrictions from untrusted sources
- VPN deployment for external access requirements
- Physical access controls to systems and connected computers
- Firmware updates when available from vendor
Takeaway for CISO
This vulnerability underscores the critical importance of industrial control system security:
- Building automation system inventory and vulnerability assessment
- Network segmentation isolating HVAC from corporate networks
- Access control enforcement for all industrial control systems
- Firmware management with regular update deployment
- Physical security measures for building automation infrastructure
7. UNFI Grocery Supply Chain Cyberattack
Date of Incident: June 5, 2025
Recovery: June 27, 2025
Impact: Critical food supply chain disruption
Overview
United Natural Foods Inc. (UNFI), a $30 billion grocery wholesaler and Whole Foods Market’s largest supplier, suffered a devastating cyberattack on June 5, 2025, that crippled operations for over three weeks. The attack forced the company to switch to manual order-processing procedures, disrupting food supplies to over 15,000 retail locations nationwide.
Explanation
The cyberattack targeted UNFI’s electronic ordering and invoicing systems, forcing immediate network shutdown and manual operation implementation. As a critical supply chain node serving supermarkets, cooperatives, and health food stores, the disruption created cascading effects throughout the grocery industry.
Impact
The attack demonstrated the vulnerability of critical food supply infrastructure:
- Material impact on Q4 2025 financial performance
- Reduced sales volume and increased operational costs
- Supply chain pressure affecting thousands of retail locations
- $10 million estimated impact on quarterly operations
Details
Recovery Timeline:
- June 5, 2025: Initial attack detection and system shutdown
- June 27, 2025: Core systems restoration announcement
- Ongoing: Full operational normalization in progress
Business Continuity Measures:
- Manual processing implementation during outage
- Alternative supplier sourcing by affected retailers
- Cybersecurity insurance coverage for incident costs
Takeaway for CISO
This incident highlights supply chain cybersecurity criticality:
- Business continuity planning for extended system outages
- Supply chain partner assessment and monitoring
- Manual operation procedures for critical business functions
- Cybersecurity insurance adequacy for operational disruption
- Industry coordination for supply chain resilience
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management