
#CyberWeekly

Feb 27 - Mar 5, 2026

Cyber war goes live — Operation Epic Fury triggers global escalation

On February 28, the United States and Israel launched a joint military offensive against Iran — and the cyber dimension lit up within hours. Palo Alto Networks' Unit 42 threat brief documents what happened next: a multi-vector retaliatory campaign spanning phishing, hacktivism, and cybercrime that is still evolving as of this week.

  • 60+ hacktivist groups activated within days, including pro-Russian groups joining the fray — a significant escalation in coordinated cyber retaliation
  • Iran's internet dropped to 1-4% connectivity following the strikes. Unit 42 believes this temporarily mitigates nation-state cyber operations from within Iran — but proxies and affiliates abroad remain active
  • Phishing campaigns weaponized a fake Israeli Home Front Command "RedAlert" app, delivering mobile surveillance malware through a legitimate-looking Android package
  • European businesses are not spectators. Previous Iranian cyber campaigns have targeted European infrastructure. Pro-Russian hacktivist groups already active in Europe (remember the Milano Cortina Olympics DDoS) are now aligned in this conflict

What this means for Belgian SMEs: geopolitical cyber conflict doesn't stay in the conflict zone. Hacktivist groups target NATO-aligned countries, and Belgium — home to NATO HQ and EU institutions — is a symbolic target. Review your incident response plan and make sure your phishing defenses are sharp. The threat surface just got wider.

Unit 42: Iran threat brief →

Platform Spotlight: NIS2 countdown — 6 weeks to audit day

Six weeks to go — your compliance checklist is ready for the beach

April 18, 2026. That's when essential entities must be able to demonstrate compliance at the CyFun level that applies to them (at least Basic or Important). As of this week, that's 6 weeks away. If you've registered (4,000+ entities have) and selected a framework (75% did), that's a good start, but selecting a framework isn't the same as being audit-ready.

  • Wiki checklists now work: you can check off compliance tasks directly in your wiki pages — no more switching between document and tracker. Each checkbox saves immediately and syncs across your team
  • Assessment dropdowns polished: the CyFun level assessment now flows smoothly with no visual glitches — answer a few questions about your sector and size, and you'll know exactly which level applies
  • Evidence as tasks, not deliverables: stop treating compliance evidence as something you assemble at audit time. Each piece of evidence appears as a task when it's due. Complete the task, and the audit trail builds itself — timestamped, linked to the right control, ready for the auditor
  • 106 subcategories, not 106 projects: CyFun 2025 has 106 subcategories across 6 functions. The platform breaks them into "you have 14 tasks this month — here's the first one." Finish the basics, the next layer appears

The real question isn't whether you've registered — it's whether you can show measurable progress. If the auditor called next month, could you demonstrate an audit trail? Or just a registration? The implementation guide walks you through turning registration into readiness — and the IT partner guide shows MSPs how to deliver this at scale for €25/client/month.

Start free →

Google dismantles Chinese espionage network hiding in Google Sheets

A China-linked threat actor breached at least 53 government and telecom organizations across 42 countries — and used Google Sheets as their command-and-control channel. Google's Threat Intelligence Group disclosed the disruption of the group tracked as UNC2814, which has been active since at least 2017.

  • GRIDTIDE backdoor: a C-based malware that abuses the Google Sheets API to disguise C2 traffic as normal cloud activity — making detection extremely difficult. Supports file upload/download and arbitrary shell commands
  • 42 countries, 53+ organizations: primarily governments and telecoms across Africa, Asia, and the Americas, with suspected victims in 20+ further countries. Many organizations may have been compromised for years
  • Google's response: sinkholed all domains, disabled attacker-controlled Google Cloud accounts, and terminated access to the Google Sheets instances used for C2. A coordinated industry effort
  • Living off the land: the attackers used legitimate system tools for reconnaissance, privilege escalation, and lateral movement via SSH — the same "blend in" strategy that makes access control and monitoring essential

The supply chain lesson: if Google Sheets can be weaponized as a C2 channel, any SaaS tool in your stack could be. This is why supplier security assessments matter — and why NIS2's supply chain requirements aren't optional. Know what tools your organization uses, who has access, and what traffic they generate.
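Detection logic for the kind of traffic described above, as an added example (not Google's code, not from the GRIDTIDE report, and not part of this platform): the script parses a constructed, simplified proxy log and flags clients that call sheets.googleapis.com at a near-constant cadence with a User-Agent that does not look like a browser. The log line format, the sample IPs, the spreadsheet ID, the client name in the User-Agent and the thresholds are all hypothetical, and the "non-browser UA plus regular interval" heuristic is ours, not a documented GRIDTIDE indicator; treat hits as leads for an analyst, not verdicts.

```python
"""Hunt for Google Sheets API beaconing in web-proxy logs.

Added example, not code from Google's GRIDTIDE write-up or from this
newsletter's platform. Assumptions (all hypothetical): a simplified proxy
log line format
    <ISO-8601 UTC timestamp> <client IP> "<User-Agent>" <URL>
and the heuristic that a non-browser User-Agent calling sheets.googleapis.com
at a near-constant interval deserves an analyst's look. The thresholds below
are illustrative tuning knobs, not documented GRIDTIDE indicators.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample log (not real traffic). 10.1.2.3 polls the Sheets API
# every ~60 s with a scripted client; 10.1.2.7 is a person using Sheets in
# Chrome at irregular moments; the last line is unrelated traffic.
SAMPLE_LOG = """\
2026-03-02T09:00:00Z 10.1.2.3 "python-requests/2.31" https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/Sheet1
2026-03-02T09:00:05Z 10.1.2.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/A1
2026-03-02T09:00:09Z 10.1.2.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/A2
2026-03-02T09:01:01Z 10.1.2.3 "python-requests/2.31" https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/Sheet1
2026-03-02T09:02:00Z 10.1.2.3 "python-requests/2.31" https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/Sheet1
2026-03-02T09:02:59Z 10.1.2.3 "python-requests/2.31" https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/Sheet1
2026-03-02T09:03:40Z 10.1.2.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/A3
2026-03-02T09:04:01Z 10.1.2.3 "python-requests/2.31" https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/Sheet1
2026-03-02T09:05:00Z 10.1.2.3 "python-requests/2.31" https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/Sheet1
2026-03-02T09:15:02Z 10.1.2.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/A4
2026-03-02T09:15:03Z 10.1.2.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/122.0" https://sheets.googleapis.com/v4/spreadsheets/EXAMPLE-ID/values/A5
2026-03-02T09:16:00Z 10.1.2.9 "python-requests/2.31" https://api.example.com/v1/health
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Firefox/|Safari/")
WATCHED_HOSTS = ("sheets.googleapis.com",)  # extend with other SaaS APIs you want to watch


def parse_line(line):
    """Return (timestamp, ip, user_agent, host) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts_raw, ip, ua, url = m.groups()
    ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
    host = urlparse(url).hostname or ""
    return ts, ip, ua, host


def find_beacons(log_text, min_requests=5, max_cv=0.2):
    """Group watched-API requests per (client IP, User-Agent) and flag groups
    whose inter-request intervals are nearly constant (low coefficient of
    variation) and whose User-Agent does not look like a browser."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, ua, host = rec
        if host in WATCHED_HOSTS:
            groups[(ip, ua)].append(ts)

    findings = []
    for (ip, ua), stamps in groups.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        # Coefficient of variation: ~0 means a fixed sleep loop, >0.2 means human-like jitter
        cv = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
        if cv <= max_cv and not BROWSER_UA.search(ua):
            findings.append({"ip": ip, "user_agent": ua, "requests": len(stamps),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG):
        print(f"possible Sheets-API beacon: {finding}")
```

On the sample, only 10.1.2.3 is reported (six requests, about 60 s apart, coefficient of variation around 0.02); the Chrome user is ignored both for its jitter and for its browser User-Agent. In production you would feed this the same fields from your proxy or CASB export, add the SaaS APIs your organization actually uses to the watch list, and pair the hits with an allow-list of hosts that are expected to talk to those APIs from scripts.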

Google: Disrupting GRIDTIDE →

LexisNexis confirms breach — 400K profiles, government emails exposed

When the law library leaks: LexisNexis breach exposes the risk of centralized legal data

Legal data giant LexisNexis confirmed this week that hackers breached its AWS infrastructure and leaked 2 GB of stolen data. The threat actor "FulcrumSec" published the data on underground forums, claiming access to approximately 400,000 cloud user profiles.

  • Government data exposed: 100+ accounts with .gov email addresses, including U.S. federal judges, DOJ attorneys, and SEC staff — making this a national security concern, not just a privacy incident
  • Attack vector: the attackers claim they exploited "React2Shell" (CVE-2025-55182), the critical remote code execution flaw in React Server Components disclosed in December 2025, in an unpatched React application to gain initial access to LexisNexis' AWS infrastructure
  • Stolen data includes: real names, emails, phone numbers, job functions, IT incident tickets, and account credentials for government agencies and law firms
  • Company response: LexisNexis characterizes the data as "legacy" and "mostly non-critical," has engaged external cybersecurity experts, and notified law enforcement

When your compliance vendor gets breached, your data goes with it. LexisNexis is used by thousands of legal and compliance professionals, the same people managing sensitive regulatory data. This is exactly the cost-of-a-breach scenario we keep warning about. A local-first approach to compliance data means your security posture doesn't end up on a hacker forum when someone else's React app goes unpatched.

SecurityWeek: LexisNexis breach →


Get #CyberWeekly delivered to your inbox every Wednesday.

Or use our RSS feed

Tom Janssens

Editor, #CyberWeekly — LinkedIn

Questions or feedback? Contact us — we read every message.

easycyberprotection.com