Reports Highlight Identity, Supply-Chain, and Healthcare as Key Cyber Risk Drivers
Recent reporting highlights a shift in enterprise cyber risk toward external dependencies and identity abuse. Coverage of the EU’s NIS2 directive emphasizes that organizations are expected to treat supply-chain security as a core governance and architecture issue, reflecting the reality that third parties (e.g., cloud providers, software suppliers, maintenance access, and outsourced services) are frequent intrusion paths rather than risks contained “inside the firewall.” Separately, findings cited from Eye Security’s State of Incident Response Report 2026 indicate attackers are increasingly exploiting existing access rather than “hacking in,” with identity-based attacks dominating and passwords implicated in the vast majority of such incidents; common initial compromise paths still include phishing, exposed/misconfigured internet-facing systems, social engineering, and software supply-chain attacks.
In healthcare, a Trellix threat intelligence report based on 54.7 million detections from 2025 healthcare environments warns cyber incidents are escalating from IT disruption into a patient safety issue due to highly interconnected systems and “cascading” outages. The report identifies email as the leading threat vector and the U.S. as the primary target, and describes ransomware and extortion activity intensifying, including groups such as Qilin (noted for targeting EHR databases), INC Ransom, and newer actors like Sinobi focusing on biotech; it also reports a sharp rise in extortion-only tactics with per-patient ransom demands intended to sidestep corporate insurance dynamics. Across these sources, phishing remains a dominant initial access method, with lures increasingly tailored to privileged IT roles (e.g., “AI Transformation” themes).
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
NIS2 pushes organizations to reassess supply-chain security responsibilities
The article says the NIS2 directive requires CISOs to give greater weight to supply-chain and third-party security. It describes a shift from focusing only on internal systems to managing external dependencies as part of security architecture and executive governance.
CSO article highlights third-party attacks as a long-running supply-chain risk
A CSO Online article states that attacks have increasingly been carried out via third parties for years, including through software updates, maintenance access, and outsourced services. It frames supply-chain exposure as a structural cybersecurity risk rather than a new isolated trend.
Eye Security says common initial access methods remain largely unchanged
Despite the rise in identity abuse, Eye Security assesses that attackers' core initial compromise methods have remained broadly consistent. The report cites phishing, exploitation of misconfigured or vulnerable internet-facing systems, social engineering, and software supply-chain attacks as the main entry vectors.
Attackers increasingly shift to identity-based intrusions, Eye Security reports
Eye Security's State of Incident Response Report 2026 says cyberattacks against companies are increasingly carried out through abuse of existing access rather than direct system compromise. The report states identity-based attacks dominate incident response cases, with 97% of those incidents involving passwords.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
2025 Threat Landscape Reports Highlight Identity-Based Intrusions and High-Impact Ransomware Losses
Multiple 2025 retrospective threat reports describe **identity compromise** as the dominant initial access vector, with attackers repeatedly exploiting predictable control gaps such as weak identity security, third-party access paths, and exposed/perimeter systems. Barracuda’s Managed XDR telemetry analysis (spanning trillions of events and hundreds of thousands of alerts) reported that **Microsoft 365 anomalous login** and **“impossible travel”** detections were among the most common signals, consistent with credential theft and account takeover activity; it also noted post-compromise behavior including suspicious privilege manipulation (e.g., adding users to high-risk Windows groups). Dataminr’s 2026 Cyber Threat Landscape Report similarly characterized 2025 as a structural shift toward **accelerated identity-based intrusions**, citing that a significant share of intrusions leveraged **valid credentials**, alongside growth in **infostealer malware** and AI-enabled social engineering, and increased exploitation of third-party weaknesses. The same reporting also emphasizes that while overall ransomware activity may have stabilized in volume, **loss severity increased**, with “mega-loss” incidents exceeding **$100M** and in some cases **$1B**, driven by multi-vector campaigns combining credential theft, data exfiltration, and disruption. Other items in the set are broader commentary rather than incident- or disclosure-driven intelligence: an opinion piece argues that the rapid expansion of AI-driven data center infrastructure raises systemic risk from ransomware, supply-chain compromise, and OT disruption, while a predictions article discusses 2026 security investment themes without tying to a specific campaign. A separate news roundup recaps multiple 2025 events (including third-party/SaaS integration compromises and other vulnerabilities) rather than providing new, single-story reporting, making it only loosely aligned with the identity-and-ransomware trend narrative.
Mar 21, 2026
Data-extortion ecosystem expands as ransomware groups and initial access brokers scale intrusions
**Data-extortion intrusions increased sharply last year**, with Intel 471 tracking roughly **6,800 extortion-driven attacks**—about **63% higher than 2024**—and attributing much of the growth to heightened activity from **Qilin**, **Sp1d3r Hunters**, and **Clop** operations. More than half of impacted organizations were in the **United States**, with frequent targeting of **consumer and industrial product vendors, consulting firms, and manufacturing**; Intel 471 also assessed that **initial access brokers** increasingly focused on **remote access portals** as an entry point. The same analysis noted that attackers abused a significant portion of disclosed vulnerabilities (over **40% of 520** reported bugs) and forecast that **AI** will likely *accelerate* exploitation and enable higher-ROI fraud (e.g., deepfake impersonation), even if it is not yet the primary driver of intrusions. Broader threat reporting described a **fragmenting cybercrime economy** under law-enforcement pressure, with more **new ransomware variants** derived from leaked code and a more **modular “supply chain”** of specialized services (access, laundering, negotiation) that can rapidly reconstitute after disruptions. Separate reporting highlighted how **low-tech social engineering** remains effective—such as help-desk impersonation used to reset credentials and redirect payroll—and how healthcare continues to be a favored extortion target, including the emergence of a new **“Insomnia” data-theft** brand claiming mostly US healthcare-related victims. These trends reinforce that extortion risk is being driven not only by malware families, but by **repeatable access paths** (remote access exposure, credential reuse, and service-desk process weaknesses) that enable fast monetization.
Mar 21, 2026
Reports Highlight Shift Toward Identity-First Attacks and Phishing-Driven Intrusions
Recent reporting and vendor research indicate threat actors are increasingly prioritizing **identity-based intrusion paths**—notably phishing, credential theft, and **Business Email Compromise (BEC)**—over traditional vulnerability exploitation as the most common initial access vector. A Darktrace report cited by SC Media describes identity breaches as the leading entry point, alongside broader trends including accelerated breach tempo, increased automation, and “converging” tactics; it also notes exploitation can occur **before public disclosure** and that overall **CVE volume rose by 20%+ year-over-year**. Email remains a dominant delivery mechanism in these identity-first campaigns. Darktrace telemetry referenced by SC Media reported **32M+ high-confidence phishing emails** across its customer base, with many messages bypassing baseline controls (including **70% passing DMARC**), targeting executives, using **malicious QR codes**, and leveraging newly registered domains. Separately, a SOCRadar analysis frames the U.S. financial sector as a disproportionate target for phishing and dark-web activity, emphasizing AI-enabled crime, persistent BEC, and third-party/supply-chain risk, and citing metrics such as **~48% of global financial phishing activity** and **~23.5% of finance-related dark web threat activity** attributed to the U.S. market.
Mar 21, 2026