Content
01. News Bites
- EU sanctions cyber actors after attacks on French and Swedish organisations
- Companies House fixes flaw exposing UK company data
- Aura breach exposes customer data following vishing attack
- Interlock ransomware exploits Cisco zero-day in firewall attacks
- Telus Digital breach highlights supply chain risk
02. Conclusion
EU sanctions cyber actors after attacks on French and Swedish organisations
The European Union has imposed sanctions on three companies and two individuals linked to sustained cyber attacks against member states and partners, as geopolitical tensions continue to drive state-aligned activity. The measures include asset freezes, travel bans and restrictions on providing funds or resources to those listed.
Two China-based firms were sanctioned for enabling large-scale compromises. EU officials state their tooling facilitated the breach of more than 65,000 devices across six member states, with links to the Flax Typhoon threat group. Anxun is also accused of targeting over 80 government and private sector systems globally.
Iranian firm Emennet Pasargad was sanctioned for targeting organisations in France and Sweden, including the theft of a French subscriber database and disruption of a Swedish SMS service, impacting large numbers of citizens.
The move reinforces the growing risk to critical infrastructure as increasing digitisation continues to expand the attack surface for state-backed cyber operations.
Companies House fixes flaw exposing UK company data
Companies House has restored its WebFiling service after taking it offline to remediate a security flaw that potentially exposed sensitive data linked to millions of UK-registered companies. The issue, introduced during a system update in October 2025, remained present for several months before being reported by security researchers.
The vulnerability allowed authenticated users to access another company’s dashboard by manipulating the filing workflow. This could have exposed non-public data including dates of birth, residential addresses and company email accounts. There was also a risk of unauthorised filings, such as changes to director details or submission of accounts, although this would have been limited to one company record at a time.
Companies House has confirmed that no passwords or identity verification data were compromised, and existing filed documents could not be altered.
The incident has been reported to the Information Commissioner’s Office and the National Cyber Security Centre. While no confirmed abuse has been identified, investigations remain ongoing, highlighting continued risks within critical public sector digital services.
Aura breach exposes customer data following vishing attack
Identity protection firm Aura has confirmed a data breach impacting nearly 900,000 records after a voice phishing attack compromised an employee account. The incident highlights the continued effectiveness of social engineering in bypassing traditional security controls.
The exposed data includes names, email addresses, phone numbers and home addresses. Aura states that Social Security Numbers, passwords and financial data were not compromised. The affected dataset largely originated from a legacy marketing platform inherited through a 2021 acquisition, with approximately 35,000 records linked to current and former customers.
Threat group ShinyHunters has claimed responsibility, alleging the theft of 12GB of data and subsequently leaking it after failed extortion attempts. Independent analysis indicates additional exposure of customer service notes and IP address data, with many records already circulating from previous breaches.
Aura is working with external cybersecurity specialists and has notified law enforcement. The incident reinforces the persistent risk posed by human-targeted attacks, particularly as threat actors continue to exploit employees as an entry point into organisations.
Interlock ransomware exploits Cisco zero-day in firewall attacks
The Interlock ransomware group has been exploiting a critical remote code execution vulnerability in Cisco Secure Firewall Management Center (FMC) software as a zero-day, highlighting the continued risk posed by unpatched edge infrastructure.
The flaw, tracked as CVE-2026-20131, allows unauthenticated attackers to execute arbitrary code with root privileges. Threat intelligence indicates the vulnerability was actively exploited from 26 January, giving attackers over a month of access before Cisco released a patch on 4 March.
Interlock, first observed in 2024, has been linked to multiple high-profile attacks and previously targeted UK universities using NodeSnake malware. More recently, researchers identified the group deploying a new strain, Slopoly, believed to be developed using generative AI.
The campaign focused on enterprise firewall environments, a critical control point within corporate networks. This activity underscores the importance of rapid patching, continuous monitoring and threat detection capabilities, particularly as threat actors increasingly weaponise zero-day vulnerabilities to gain initial access and establish persistence.
Telus Digital breach highlights supply chain risk
Telus Digital has confirmed a cybersecurity incident following claims by threat group ShinyHunters that up to one petabyte of data was stolen in a prolonged breach. The company is investigating the scope of the intrusion and has engaged external forensics experts, while confirming that core operations remain unaffected.
As a global business process outsourcing provider, Telus Digital manages customer support, billing and operational services for multiple organisations, making it a high-value target for attackers seeking aggregated access to sensitive data. Threat actors claim the breach originated from exposed Google Cloud Platform credentials discovered in previously compromised third-party data, enabling lateral movement across systems.
The reportedly stolen data spans customer support records, call centre data, voice recordings and internal systems, with potential exposure across multiple client environments. ShinyHunters has allegedly attempted extortion, demanding $65 million.
The incident underscores the growing risk within third-party and SaaS ecosystems, where a single compromise can have cascading impacts across multiple organisations and supply chains.
If you are worried about any of the threats outlined in this bulletin, or need help determining what steps to take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.