Threat Pulse – August 2025
Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.
If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.
DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the most comprehensive Threat Intelligence and Open Threat Exchange databases available worldwide.
Bouygues Telecom (France) — 6.4M customers
When: Detected Aug 4; disclosed Aug 6–7, 2025.
What happened: A cyberattack let intruders access records for 6.4 million customer accounts.
Data exposed: Contact and contractual details, civil status/company info, and IBANs (international bank account numbers).
Scope/impact: Bouygues has ~26.9M mobile customers; the breach affected a large subset.
Response: Reported to France’s CNIL; public victim-info page published; Bouygues declined to detail the intrusion method.
Why it matters: IBAN exposure raises fraud/phishing risk even without passwords.
TransUnion (US) — 4.46M people (notifications in late Aug)
When: Incident July 28, 2025; notifications Aug 28–29, 2025.
What happened: Data in a third-party application used for US consumer support was exfiltrated.
Data exposed: Names, SSNs, and dates of birth (per filings to Maine & Texas AGs).
Scope/impact: 4,461,511 individuals notified; core credit database not impacted.
Attribution/links: Reporting ties it to the broader Salesforce-targeting theft/extortion wave; ShinyHunters claimed involvement.
Response: 24 months’ credit monitoring offered; law-enforcement and third-party forensics engaged.
DaVita (US healthcare) — ransomware; 2.69–2.7M affected (disclosed in Aug)
When: Intrusion Mar 24–Apr 12, 2025; ransomware on Apr 12; impact confirmed Aug 6 & Aug 22, 2025.
What happened: Interlock ransomware group stole data, then encrypted parts of the network.
Data exposed: Names, addresses, birth dates, SSNs, insurance details, and some clinical/lab results from a dialysis lab database.
Scope/impact: 2,689,826 individuals reported to HHS OCR; care delivery continued; Q2 costs cited at $13.5M.
Response: Systems restored; victims offered identity protection; multiple state AG notices.
Orange Belgium — 850k customer accounts
When: Attack in late July; disclosure Aug 20, 2025.
What happened: Unauthorised access to data tied to 850,000 customer accounts.
Data exposed: Name, phone number, SIM number, PUK code, tariff plan.
Not exposed: No passwords, email addresses, or bank/financial details.
Response: Access blocked, security tightened, authorities notified; customers being contacted and advised to stay vigilant.
Data I/O Ransomware Attack
What happened: Electronics manufacturer Data I/O, which supplies programming systems for integrated circuits to major tech clients (Tesla, Google, Microsoft, Amazon, Apple, etc.), experienced a ransomware attack in early August. The breach was detected on August 6, leading the company to take critical IT platforms offline, including systems handling communications, shipping, receiving, and manufacturing support, to contain the threat.
Impact: Although business operations appear to have continued, recovery and investigation efforts are expected to have significant financial implications. No ransom demand has been disclosed; groups such as Scattered Spider and ShinyHunters are under consideration as suspects.
CTI Insight: This underscores the cascading risks ransomware poses across the tech supply chain, especially when a supplier serves multiple high-profile clients. Companies should employ adversarial emulation and proactive monitoring to defend critical infrastructure.
Salesforce-Based Data Breach at Google and Other Tech Firms
What happened: In a targeted phishing campaign, the ShinyHunters group breached multiple tech companies via their Salesforce CRM systems. Notable targets included Google, Cisco, and Workday. Google officially confirmed the breach in early August: it stemmed from unauthorised access in June via Salesforce’s “Data Loader” app, and public disclosure followed on August 8th 2025.
Impact: CRM data was compromised. Workday issued customer advisories about the breach, though their HR/payroll systems remained unaffected.
CTI Insight: This highlights the risks posed by phishing and supply-chain style attacks on third-party cloud apps. Even indirectly leveraged services like Salesforce can serve as attack vectors.
Salt Typhoon Espionage Campaign & Chinese Tech Firms Advisory
What happened: Though not a direct attack on specific tech companies, a global advisory was issued in late August by NSA, CISA, UK’s NCSC, CSIS, and others. It warned that several Chinese tech firms may be facilitating espionage-linked activities for the APT group Salt Typhoon, which reportedly executed widespread breaches across critical infrastructure sectors including telecoms, lodging, and transportation, targeting more than 200 US organisations across 80 countries.
CTI Insight: Many tech firms rely on components and services from global suppliers. This advisory serves as a caution: vet vendors rigorously, monitor for embedded threats, patch promptly, and implement tight configuration controls.
UK Hospitals Declared High-Risk Targets
What happened: In early August, the UK government warned that hospitals (and schools) were “very likely” to suffer major cyberattacks in the near future. The statement followed recent disruptions in London hospitals caused by a pathology lab hack.
Impact: The warning drew attention to systemic vulnerabilities in UK healthcare IT infrastructure. The government committed to a forthcoming Cyber Security and Resilience Bill, aiming to enforce baseline security standards and prohibit ransom payments.
CTI Insight: This advisory reinforces that healthcare is part of national critical infrastructure. Organisations should anticipate regulatory tightening and proactively align with future requirements through continuous risk assessment, incident simulations, and resilience drills.
Russian FSB-Linked Espionage on Industrial Control Infrastructure
What happened: On August 20, 2025, the FBI and Cisco issued warnings about an ongoing cyber espionage campaign conducted by Russian FSB-linked actors (Centre 16). Attackers have been exploiting a seven-year-old vulnerability in outdated Cisco IOS software to compromise thousands of networking devices in U.S. critical infrastructure, including the manufacturing sector, enabling long-term access to industrial control systems.
Impact: Unpatched industrial networking systems in manufacturing were compromised, increasing the risk of reconnaissance, sabotage, or long-term operational disruption, which is especially dangerous for time-sensitive production lines.
CTI Insight: Manufacturers must prioritise patching and updating legacy network infrastructure, especially older control systems. Enhancing visibility, applying segmentation between IT and OT environments, and monitoring device configurations are critical strategies to protect against stealthy espionage activities.
Manufacturing: Top Target and AI Investments on the Rise
What happened: Data from the Rockwell Automation 2025 “Global State of Smart Manufacturing Report” (released August 12, 2025) shows that cyber security is now viewed as one of the top external risks to manufacturing, second only to economic conditions. A majority of cybersecurity professionals plan to adopt AI-driven defences. Separately, the Bitsight TRACE 2025 State of the Underground report identified the manufacturing sector as the most-targeted industry for the third consecutive year, accounting for 22% of all tracked cyberattacks.
Impact: The data signals persistent and escalating exposure for manufacturing, driven by the growing convergence of IT and OT and increased digitalisation, heightening stress on security capabilities.
CTI Insight: AI-powered detection and response tools are becoming vital, especially to monitor complex OT environments. Manufacturers should fast-track AI integration, invest in threat modelling, and embrace cross-functional leadership to treat cybersecurity as a strategic, board-level issue.
TransUnion Data Breach – Disclosure August 2025
What happened: TransUnion, a major US credit reporting agency, confirmed a breach that occurred on July 28, 2025 and was discovered two days later. The breach originated via a third-party application linked to its US consumer support operations and was publicly disclosed in August 2025. While credit data wasn’t compromised, personal information such as Social Security numbers was exposed.
Impact: Approximately 4.5 million individuals are affected. Exposure of highly sensitive personal data elevates the risk of identity theft, financial fraud, and long-term reputational damage. TransUnion is offering two years of free credit monitoring and fraud assistance via Cyberscout.
CTI Insight: This incident highlights how vulnerabilities in third-party applications can bypass internal defences and compromise data at scale. Financial firms should enforce comprehensive third-party risk assessments, minimise data exposure, and implement rapid breach detection and response measures.
Skyrocketing OT Cyber Risk in Energy Sector (Aug 14, 2025)
What happened: A report by Dragos and Marsh McLennan revealed an estimated $329.5 billion in potential losses from OT cyber incidents globally in the energy sector. Though the number of attacks only slightly increased, from 72 in 2023 to 76 in 2024, physical disruptions surged by 146% (1,015 impacted sites in 2024 vs. 412 in 2023). Nation-state incidents tripled, with automation protocols like Modbus (40%) and EtherNet/IP (28%) most targeted.
Impact: The sector now faces dramatically higher physical risk, especially from state-backed adversaries exploiting control protocols to wreak operational havoc.
CTI Insight: IT-only defence is no longer enough; OT needs equal, if not greater, guardrails. Quantifying cyber risk in dollar terms underscores the urgency. Firms should build visibility into OT environments, model threat scenarios, and prioritise investments accordingly.
Trends in August:
Rise of AI-Generated Ransomware
Generative AI is increasingly weaponised in cybercrime. GTG-5004 used AI to develop and sell advanced ransomware. GTG-2002 leveraged Claude Code to automate the full ransomware lifecycle, from target selection to ransom note composition. This impacted at least 17 organisations.
Deepfake Threats Targeting Executives
Executive impersonation via deepfake technology escalated significantly. The Ponemon Institute revealed that 51% of security professionals reported executive-targeted attacks in 2025, up from 43% in 2023. These attacks exploit public profiles and weak security on personal devices, leading to unauthorised financial demands and other scams. Hardening personal devices, enforcing strong MFA, and educating executives became crucial defences.
“Vibe-Hacking” and AI-Assisted Cybercrime Tactics
Anthropic’s threat intelligence flagged new AI-enabled tactics collectively called “vibe-hacking”. A cybercrime ring employed Claude Code to craft emotionally manipulative ransom demands (>$500,000). North Korean operatives used AI to facilitate job scams at Fortune 500 firms. Romance scams used AI-powered Telegram bots for emotionally driven exploitation.
DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, while you take care of business.
Talk to the team to see how you can start protecting your business against cyberattacks today.