Content 

01. News Bites
  • NHS trusts hit by cyberattack exploiting Ivanti flaw, patient data feared compromised
  • Adidas data breach exposes consumer contact info following help desk attack
  • Czechia blames China for cyberattack on Foreign Ministry, summons ambassador
  • Ransomware group claims cyberattack on Mediclinic, threatens employee data leak
  • Nigeria and South Africa see surge in online threats in Q1 2025, says new report
  • Industrial ransomware attacks surged in Q1 2025

02. Conclusion

Quick News Bites

NHS trusts hit by cyberattack exploiting Ivanti flaw, patient data feared compromised


Several NHS trusts, including University College London Hospitals and University Hospital Southampton, have been affected by a cyberattack exploiting a flaw in Ivanti Endpoint Manager Mobile (EPMM) software. The breach, discovered and patched on 15 May, may have enabled unauthorised access to highly sensitive patient data through remote code execution (RCE).

Cyber experts who uncovered the scale of the incident linked the attack to China-based threat actors. They warn that the attack's scope extends beyond data theft, potentially disrupting appointment systems and even medical devices.

Stolen data includes staff phone numbers, IMEI numbers, and authentication tokens, which could allow attackers deeper access across NHS networks.

NHS England and the National Cyber Security Centre (NCSC) are actively investigating. NHS England says it has high-severity alerts and 24/7 monitoring in place to prioritise and remediate critical vulnerabilities, but this breach serves as another urgent wake-up call.

Adidas data breach exposes consumer contact info following help desk attack

Adidas has confirmed a cyberattack in which customer personal data was stolen via a third-party help desk provider. The breach exposed “certain consumer data,” primarily contact details of those who had interacted with the company’s support channels. Crucially, no passwords, credit card, or payment data were compromised, according to Adidas.

The company stated it acted swiftly to contain the incident and launched an internal investigation in collaboration with cybersecurity experts. Authorities and affected customers are being informed in line with legal requirements.

Consumer group Which? urged Adidas to provide clear, timely updates and warned consumers to monitor accounts and credit reports for suspicious activity. Scammers may exploit the incident through phishing emails, fake calls, or fraudulent social messages.

While the attack didn’t affect Adidas’ core operations—unlike recent cyberattacks on M&S, Co-op, and Harrods—it follows a pattern of rising threats against global retailers. Adidas also confirmed earlier breaches in Turkey and South Korea.

Czechia blames China for cyberattack on Foreign Ministry, summons ambassador

The Czech government has publicly accused China of a state-backed cyberattack that infiltrated the country’s foreign ministry and exposed thousands of unclassified emails. The attack, attributed to Chinese group APT31, reportedly allowed access to diplomatic communications between Czech embassies and EU institutions from 2022, when Czechia held the EU presidency.

Czech Foreign Minister Jan Lipavský condemned the breach, stating it “undermines our resilience and democracy,” and announced the immediate summoning of the Chinese ambassador. “We must defend ourselves against cyberattacks, propaganda, and information manipulation,” Lipavský said.

This marks the first time Czechia has formally attributed a cyberattack to a state actor. The attribution came from an investigation involving the nation’s intelligence services and cyber agency NUKIB.

APT31, linked to China’s Ministry of State Security, has been previously accused of targeting US presidential campaign staff. The breach has drawn sharp criticism from NATO and the EU, with both expressing solidarity and urging China to respect international norms.

Ransomware group claims cyberattack on Mediclinic, threatens employee data leak

The Everest Group ransomware gang has claimed responsibility for a cyberattack on Mediclinic, a global private healthcare provider operating in South Africa, Namibia, Switzerland, and the UAE. The attackers say they’ve exfiltrated 4GB of internal documents and personal data from around 1,000 employees, and are threatening to leak the data unless a ransom is paid within five days.

Mediclinic has not yet publicly responded to the claim. The full scope of the breach remains unverified, but cyber security experts warn that the alleged data includes highly sensitive internal information, putting employees at risk of identity theft and phishing attacks.

The Everest Group has been active since 2021 and is linked to the Russia-affiliated BlackByte cartel. The gang has previously targeted Coca-Cola and AT&T, and has claimed 248 victims since 2023, according to Cybernews’ Ransomlooker tracker. Investigations into the Mediclinic breach are ongoing.

Nigeria and South Africa see surge in online threats in Q1 2025, says new report

A new report reveals a significant rise in online threats across Africa, with Nigeria and South Africa ranking among the top five most affected countries in the Middle East, Turkey, and Africa (META) region. In Q1 2025, 17.5% of Nigerian users and a similar percentage in South Africa were impacted by web-based threats.

The findings highlight growing risks from ransomware, APTs, supply chain breaches, and mobile vulnerabilities, many of which are being intensified by AI and IoT exploitation.

The report noted that despite Africa’s lower ransomware prevalence compared to the Middle East, Nigeria and South Africa’s expanding digital economies and limited cyber awareness are making them more attractive targets. Groups like FunkSec are now using AI-generated code and RaaS to launch mass-scale, sophisticated attacks.

We advise implementing layered defences, updating systems, and training teams with up-to-date threat intelligence.

Industrial ransomware attacks surged in Q1 2025

In Q1 2025, ransomware attacks against industrial entities surged to 708 incidents, according to new analysis by security researchers. While no novel strains specifically targeting industrial control systems (ICS) were identified, threat actors displayed a blend of persistent and emerging techniques that made attacks more damaging and harder to mitigate.

Among the tactics observed were AI-powered malware deployed by the FunkSec group, encryption-less extortion campaigns, and nation-state operations such as Moonstone Sleet’s use of Qilin ransomware. Tools like RansomHub’s EDRKillshifter showed heightened endpoint evasion, complicating detection for defenders.

As IT and OT environments become increasingly integrated, the impact of attacks grows—seen in production disruptions at National Presto Industries. Threat actors like Babuk Locker also issued false breach claims, using recycled or fabricated data to pressure victims.

Integrity360’s recently launched OT security services help you secure your industrial operations, ensure resilience, and maintain compliance in an evolving threat landscape.

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.