Data Breach Wave Hits Government, Education as DDoS Surges
Summary
The day's activity split cleanly between noise and damage. A high-volume DDoS campaign and a long tail of defacements gave hacktivist crews their usual visibility, but the more consequential signal was a broad data-breach wave concentrated on government ministries and universities -- the soft, record-rich targets that rarely make headlines individually but compound fast. Running underneath both was a quieter layer of state-linked espionage and a fresh enterprise remote-code-execution flaw, the kind of pairing that should keep defenders watching their edge rather than their dashboards.
Today's developments
The breach claims clustered around public-sector and academic victims. The actor The BlackH4t MD-Ghost claimed to have breached NASA and Venezuela's Consorcio Credicard, while Beregini claimed a data leak from Ukraine's Ministry of Defense. In Indonesia, which logged the second-highest victim count of the day, GHOSTNET-X claimed intrusions into the Ministry of Health and a plastics manufacturer, and separate actors claimed breaches of the education ministry and the manpower ministry. Universities were hit repeatedly: Anka Team claimed the University of Oregon, FYNTRIX claimed Thailand's Silpakorn University, and SHENHAXSEC and Morbius claimed Indonesian and Ukrainian institutions.
Financial and commercial targets featured as well. Xyph0rix claimed a breach of Santander in Spain and Vyntra claimed the Spanish dating platform Mobifriends, while Tanaka claimed the French logistics firm Colispriv. One prolific actor, Sorb, claimed a spread of victims across Brazil, Vietnam, Italy and Spain in a single run, several of them IT-services providers. On the disruption side, the pro-Russian crew NoName057(16) again led by volume with roughly 15 DDoS claims, part of a category that ran to 27 incidents alongside 32 ransomware and 21 defacement claims. All of these are unverified actor claims drawn from forum and channel posts.
External reporting filled in the verified picture. Researchers said a 7-Eleven data breach likely affected about 185,000 people, and Lithuanian authorities opened an investigation into the theft of more than 600,000 national register entries, which they suspect involved a foreign actor. Microsoft patched a SharePoint remote-code-execution flaw, CVE-2026-45659, across server versions, and a separate KnowledgeDeliver learning-management zero-day was reportedly exploited to deploy the Godzilla web shell and Cobalt Strike. Security reporters tracked Iranian state-linked operators on two fronts -- the MuddyWater group using DLL side-loading in an espionage campaign across nine countries, and another Iranian APT targeting aviation and software firms with updated tooling. India's CERT-In recommended a 12-hour patching window for internet-facing flaws amid a rise in AI-assisted attacks, and Dutch police arrested the administrators of a bulletproof-hosting service used by Russian hackers.
Threat landscape signals
Concentration sat with a handful of crews: the three busiest actors -- NoName057(16), the North Korea-linked Lazarus, and LOCKBIT 5.0 -- accounted for roughly a fifth of the day's 178 logged incidents, with PLAY, Sorb and SAFEPAY filling out the ransomware and breach tiers. Geographically the United States drew the most claims, followed by a strong Southeast Asian cluster in Indonesia and Thailand, and a steady European spread across Italy, France and Spain. By vertical, government administration and education were the most-targeted sectors, ahead of financial services -- a reminder that the highest-frequency intrusions land on under-resourced public institutions, not just banks.
For defenders the actionable items are concrete: prioritize the SharePoint CVE-2026-45659 patch and audit SharePoint exposure, treat learning-management and other internet-facing platforms as live targets given the KnowledgeDeliver zero-day, and shorten patch windows on edge systems in line with the CERT-In guidance rather than assuming hacktivist DDoS is the day's real risk.