Cybersecurity Threats: Initial Baseline Report — Early 2026
今回の要点
- 1.AI is being actively weaponized by nation-state actors and cybercriminals, with North Korean hackers using AI for malware development and fake company websites, stealing as much as $12 million in three months, according to [6] and corroborated by [7].
- 2.Supply chain attacks are targeting widely used NPM packages, including both the Axios and Bitwarden packages, with a North Korea-nexus threat actor identified in the Axios compromise [5] and TeamPCP claiming the Bitwarden attack [4].
- 3.Global law enforcement has intensified coordinated disruption operations, including the seizure of the LeakBase hacker forum, dismantlement of the world's largest IoT DDoS botnets, and disruption of a DNS hijacking network controlled by a Russian military intelligence unit [2] [3].
- 4.MITRE ATT&CK v18, released in October 2025, replaced Detections with Detection Strategies, adding 691 Detection Strategies and 1,739 Analytics for the Enterprise domain, and introduced 12 new techniques including Poisoned Pipeline Execution and Delay Execution [1].
- 5.A U.S. federal agency's Cisco firewall was infected with a backdoor called 'Firestarter' that maintains persistence even after patching, reflecting a growing trend of firmware-level malware targeting network infrastructure [4] [7].
エグゼクティブサマリー
- •This is the initial baseline report, compiled from sources collected during the reporting period. Future reports will track changes and trends relative to this baseline.
- •Artificial intelligence has emerged as a significant force multiplier for threat actors, with Mandiant's Google Threat Intelligence Group documenting adversarial AI misuse including model extraction, augmented attacks, and AI-enabled malware development [5], while the Zscaler ThreatLabz 2026 VPN Risk Report noted that AI has collapsed the human response window [8].
- •Software supply chain attacks represent a persistent and escalating threat vector, with open-source package repositories such as NPM identified as high-value targets for threat actors including North Korea-affiliated groups seeking broad downstream impact [5] [4].
- •Law enforcement agencies executed a sustained multi-front campaign against cybercriminal ecosystems, resulting in prosecutions including Aleksei Volkov being sentenced to 81 months for assisting cybercrime groups including Yanluowang, and a Florida man pleading guilty to conspiring in ransomware attacks against U.S. companies [2].
- •Network infrastructure and virtualization layers are increasingly targeted by sophisticated, persistence-capable malware, with Mandiant also publishing a defender's guide on vSphere and BRICKSTORM malware targeting virtualization infrastructure [5].
市場動向
AI Accelerating Nation-State and Criminal Cyber Operations
Multiple sources highlight a significant trend of AI being weaponized by both nation-state actors and cybercriminals. According to [7], AI is actively speeding up nation-state cyber programs, with a specific report noting that North Korean hackers used AI assistance to develop a near-undetectable attack. This is corroborated by [6], which reported that one group of North Korean hackers used AI for everything from coding malware to creating fake company websites, stealing as much as $12 million i…
Supply Chain Attacks Targeting Software Ecosystems
Supply chain attacks continue to emerge as a critical threat vector across multiple sources. SecurityWeek reported that the Bitwarden NPM package was hit in a supply chain attack tied to a Checkmarx incident claimed by TeamPCP, referencing the Shai-Hulud worm [4]. Mandiant's blog separately reported that a North Korea-nexus threat actor compromised the widely used Axios NPM package in a supply chain attack [5]. These incidents reflect a broader pattern of adversaries targeting software dependenc…
Global Law Enforcement Escalates Cybercrime Disruption Operations
A notable surge in coordinated international law enforcement actions against cybercriminal infrastructure is evident across recent FBI and DOJ press releases. The FBI and Indonesian authorities dismantled a global phishing network behind millions in fraud attempts, while U.S. authorities conducted cyber operations as part of a global crackdown on DDoS-for-hire services [3]. The Justice Department also announced the disruption of a DNS hijacking network controlled by a Russian military intelligen…
MITRE ATT&CK Framework Overhauled with New Detection Strategies
The October 2025 release of MITRE ATT&CK v18 introduced significant structural changes to the defensive portion of the framework. According to the release notes, Detections in techniques have been replaced with Detection Strategies, resulting in the addition of 691 Detection Strategies and 1,739 Analytics for the Enterprise domain alone [1]. Data Sources were deprecated in favor of updated Data Components, representing a major shift in how defenders are expected to operationalize the framework. …
Ransomware Ecosystem Faces Prosecutions and Tactical Shifts
The ransomware threat landscape is simultaneously seeing increased law enforcement pressure and tactical evolution. The DOJ announced that a Florida man formerly employed as a ransomware negotiator pleaded guilty to conspiring to commit ransomware attacks against U.S. companies in 2023, and a Russian ransomware administrator pleaded guilty to wire fraud conspiracy [2]. A Russian citizen, Aleksei Volkov, was sentenced to 81 months in prison for assisting major cybercrime groups including Yanluowa…
競合動向
AI Accelerating Nation-State and Criminal Cyber Operations
Multiple sources report that artificial intelligence is increasingly being weaponized by both nation-state actors and cybercriminals. According to [7], AI is speeding up nation-state cyber programs, and North Korean hackers used AI assistance to develop a near-undetectable attack. Wired reported that one group of North Korean hackers used AI for everything from coding malware to creating fake company websites, stealing as much as $12 million in three months [6]. Mandiant's blog highlights that t…
Supply Chain Attacks Targeting Software Ecosystems
Supply chain attacks continue to emerge as a critical threat vector across multiple platforms. SecurityWeek reported that the Bitwarden NPM package was hit in a supply chain attack tied to a Checkmarx incident claimed by TeamPCP, referencing the Shai-Hulud worm [4]. Mandiant's blog separately reported that a North Korea-nexus threat actor compromised the widely used Axios NPM package in a supply chain attack [5]. The MITRE ATT&CK v18 release also updated the Supply Chain Compromise technique (v1…
Global Law Enforcement Disruption of Ransomware and Cybercrime Networks
Law enforcement agencies conducted a series of significant actions against cybercriminal infrastructure in early 2026. The FBI and DOJ announced the dismantlement of one of the world's largest hacker forums, LeakBase, a platform used to buy and sell stolen data [2]. A Florida man who worked as a ransomware negotiator pleaded guilty to conspiring to deploy ransomware against U.S. companies in 2023 [2]. A Russian citizen, Aleksei Volkov, was sentenced to 81 months in prison for assisting major cyb…
MITRE ATT&CK v18 Overhauls Defensive Framework with Detection Strategies
The October 2025 release of MITRE ATT&CK version 18 introduced significant structural changes to the defensive portion of the framework. Detections in techniques were replaced with Detection Strategies, resulting in the addition of 691 Detection Strategies and 1,739 Analytics for the Enterprise domain alone, alongside major updates to Data Components and the deprecation of Data Sources [1]. The release also introduced 12 new Enterprise techniques, including 'Poisoned Pipeline Execution,' 'Select…
Malware Targeting Network Infrastructure and Firmware Persistence
Recent reporting highlights a growing trend of sophisticated malware designed to persist on network devices and evade remediation. SecurityWeek reported that a U.S. federal agency's Cisco firewall was infected with a backdoor called 'Firestarter,' which provides remote access and maintains persistence even after patching [4]. HelpNetSecurity similarly reported on new Cisco firewall malware that can only be eliminated by physically pulling the plug, indicating firmware-level or deep persistence m…
制度・規制動向
AI Accelerating Nation-State and Criminal Cyber Operations
Multiple sources highlight a significant trend of AI being leveraged to enhance both nation-state and criminal cyber capabilities. According to [7], AI is speeding up nation-state cyber programs, and North Korean hackers used AI assistance to develop a near-undetectable attack. Wired reported that one group of North Korean hackers used AI for everything from coding malware to creating fake company websites, stealing as much as $12 million in three months [6]. Mandiant's blog further corroborates…
Supply Chain Attacks Targeting Software Ecosystems
Supply chain attacks against widely used software packages and development tools are emerging as a persistent and growing threat vector. SecurityWeek reported that the Bitwarden NPM package was hit in a supply chain attack tied to a Checkmarx-identified campaign claimed by TeamPCP, referencing the Shai-Hulud worm [4]. Mandiant's threat intelligence blog reported that a North Korea-nexus threat actor compromised the widely used Axios NPM package in a supply chain attack [5]. HelpNetSecurity also …
Global Law Enforcement Escalates Cybercrime Disruption Operations
U.S. and international law enforcement agencies have significantly intensified coordinated operations against cybercriminal infrastructure and actors. The FBI and DOJ announced the dismantlement of one of the world's largest hacker forums through the seizure of the LeakBase database [2]. The DOJ also conducted a court-authorized disruption of a DNS hijacking network controlled by a Russian Military Intelligence Unit [3]. Authorities disrupted what was described as the world's largest IoT DDoS bo…
MITRE ATT&CK Framework Overhauled with New Detection Architecture
The October 2025 release of MITRE ATT&CK version 18 introduced a major structural overhaul to the defensive portion of the framework. According to the release notes, Detections in techniques have been replaced with Detection Strategies, resulting in the addition of Detection Strategies and Analytics, major updates to Data Components, and the deprecation of Data Sources [1]. The Enterprise domain now includes 691 Detection Strategies and 1,739 Analytics, while Mobile and ICS domains received 124 …
Malware Targeting Network Infrastructure and Firmware Persistence
Recent reporting highlights a trend of sophisticated malware specifically designed to compromise network infrastructure devices and maintain persistence even after patching. SecurityWeek reported that a U.S. federal agency's Cisco firewall was infected with a backdoor called 'Firestarter,' which provides remote access and control of infected devices and maintains post-patching persistence [4]. HelpNetSecurity corroborated this, reporting that new Cisco firewall malware can only be eliminated by …
重要な変化の整理
MITRE ATT&CK v18 Released with Major Defensive Framework Overhaul
新規MITRE released ATT&CK v18 in October 2025, introducing significant defensive changes including replacement of Detections with Detection Strategies, addition of Analytics, major updates to Data Components, and deprecation of Data Sources. The release adds 12 new Enterprise techniques including Poisoned Pipeline Execution, Delay Execution, and Selective Exclusion, and contains 910 pieces of software, 176 groups, and 55 campaigns across Enterprise, Mobile, and ICS domains. ATT&CK v19 is announced f…
FBI and DOJ Disrupt Major Cybercriminal Infrastructure in Multi-Front Operations
新規Multiple high-profile law enforcement actions were reported in early 2026. The DOJ announced the seizure of LeakBase, described as one of the world's largest hacker forums for buying and selling stolen data [2]. Separately, U.S. authorities conducted cyber operations targeting DDoS-for-hire services, and the Justice Department disrupted a DNS hijacking network controlled by a Russian military intelligence unit [3]. A Russian citizen, Aleksei Volkov, was sentenced to 81 months in prison for assis…
AI-Enabled Threats Accelerating Nation-State and Criminal Cyber Operations
新規Multiple sources highlight AI as a growing force multiplier for threat actors. Mandiant's Google Threat Intelligence Group published a report on adversarial misuse of AI covering model extraction, augmented attacks, and new AI-enabled malware [5]. Wired reported that North Korean hackers used AI for malware development and fake company websites, stealing up to $12 million in three months [6]. HelpNetSecurity noted that AI is speeding up nation-state cyber programs and that North Korean hackers a…
Supply Chain Attacks Target NPM Ecosystem and Software Dependencies
新規Multiple supply chain incidents were reported across sources. Mandiant's Google Threat Intelligence Group identified a North Korea-nexus threat actor compromising the widely used Axios NPM package [5]. SecurityWeek reported the Bitwarden NPM package was hit in a supply chain attack tied to a Checkmarx-identified campaign claimed by TeamPCP, referencing the Shai-Hulud worm [4]. These incidents reflect a continued pattern of adversaries targeting software dependencies to achieve broad downstream c…
Critical Infrastructure and Government Networks Targeted by New Malware
新規SecurityWeek reported that a U.S. federal agency's Cisco firewall was infected with a backdoor called 'Firestarter,' which provides remote access, control of infected devices, and maintains persistence even after patching [4]. HelpNetSecurity separately reported on new Cisco firewall malware that can only be eliminated by physically disconnecting the device, and noted that compromised everyday devices are powering Chinese cyber espionage operations [7]. Wired also reported on a newly deciphered …
示唆・見るべき論点
- 1.The convergence of AI with offensive cyber operations — from autonomous malware coding to fake identity infrastructure — signals that defenders must reconsider traditional response timelines, as AI has demonstrably compressed the window between vulnerability and exploitation [7] [6].
- 2.The repeated targeting of NPM and other open-source package ecosystems by nation-state actors, particularly North Korea-affiliated groups, suggests that software composition analysis and dependency monitoring should be treated as critical security controls rather than optional hygiene [5] [1].
- 3.The MITRE ATT&CK v18 overhaul — replacing Detections with Detection Strategies and adding 691 Detection Strategies and 1,739 Analytics for Enterprise — represents a maturation of the defensive framework that organizations should prioritize integrating into their threat detection programs, especially ahead of the planned v19 deprecation of the Defense Evasion tactic [1].
- 4.The persistence of malware such as 'Firestarter' on Cisco firewalls even after patching — and reports that some Cisco firewall malware requires physical disconnection to eliminate — underscores that perimeter network devices represent an under-remediated attack surface requiring firmware-level inspection and out-of-band verification [4] [7].
- 5.Despite escalating law enforcement actions — including ransomware prosecutions and botnet dismantlements — Mandiant's research indicates ransomware groups are actively adapting their tactics, techniques, and procedures in response to increased scrutiny, suggesting disruption operations alone will not neutralize the ransomware threat [5] [2].
ソース
Documents the ATT&CK v18 release including replacement of Detections with Detection Strategies, addition of 691 Detection Strategies and 1,739 Analytics for Enterprise, 12 new techniques, and announcement of v19 planned for April 28th.
関連: Threat Intelligence FrameworkReports on DOJ actions including seizure of LeakBase hacker forum, ransomware negotiator guilty plea, Aleksei Volkov sentencing to 81 months, and DNS hijacking network disruption linked to Russian military intelligence.
関連: Law EnforcementDocuments FBI-led operations including dismantlement of global phishing network with Indonesian authorities, disruption of DDoS-for-hire services, dismantlement of the world's largest IoT DDoS botnets, and DNS hijacking network disruption.
関連: Law EnforcementReported on Bitwarden NPM supply chain attack claimed by TeamPCP, Cisco firewall 'Firestarter' backdoor infecting a U.S. federal agency, and Palo Alto Networks' 'Zealot' multi-agent penetration testing proof-of-concept.
関連: Supply Chain & InfrastructurePublished AI Threat Tracker covering adversarial AI misuse including model extraction and AI-enabled malware, identified North Korea-nexus Axios NPM supply chain attack, released ransomware TTPs research report, and published vSphere and BRICKSTORM defender's guide.
関連: Emerging ThreatsReported that North Korean hackers used AI for malware coding and fake company website creation, stealing $12 million in three months, and reported on pre-Stuxnet sabotage malware 'Fast16' linked to US-Iran cyber tensions.
関連: Emerging ThreatsReported AI speeding up nation-state cyber programs and North Korean near-undetectable AI-assisted attack, new Cisco firewall malware requiring physical disconnection, compromised devices powering Chinese espionage, and supply chain threats to the financial sector.
関連: Emerging ThreatsReported on Zscaler ThreatLabz 2026 VPN Risk Report findings that AI has collapsed the human response window and turned remote access into the fastest path to breach.
関連: Emerging Threats