Global Cybersecurity Intelligence Briefing: July 8, 2025
// Executive Intelligence Summary
On July 8, 2025, the global cybersecurity landscape is defined by three strategically significant developments that demand immediate executive attention. First, a large ransomware attack on IT distributor Ingram Micro has turned the systemic risk inherent in the global technology supply chain into reality, causing cascading disruptions for thousands of businesses worldwide. The incident is a stark validation of long-standing warnings about third-party vulnerabilities. Second, the compliance and legal landscape for U.S. companies has been irrevocably altered as the Department of Justice begins full enforcement of its Bulk Data Transfer Rule. This new regime, which carries criminal penalties, imposes unprecedented data localization requirements and fundamentally changes the risk calculus for international data flows. Finally, the theoretical threat of AI-powered attacks has become tangible with the public disclosure of zero-click exploits against autonomous AI agents. This marks the emergence of a novel and dangerous attack surface, shifting the defensive paradigm from securing user actions to securing the autonomous decision-making of the AI systems themselves. Together these events signal a new era of heightened complexity, systemic risk, and regulatory pressure.
// Major Cyber Incidents and Breach Analysis
Today's major incidents highlight a clear trend: adversaries achieve maximum impact by targeting central nodes in the global economic and political infrastructure, from critical IT supply chain distributors to major airlines and international legal bodies.
Ingram Micro Under Siege: Anatomy of the SafePay Ransomware Attack
Global IT distributor Ingram Micro, a linchpin of the technology supply chain with a reported $50 billion in revenue and a distribution network covering 90% of the world's population, is grappling with a significant ransomware attack.1 The incident, attributed to the SafePay ransomware group, began around July 3, 2025, and escalated into widespread system outages over the U.S. July 4th holiday weekend, a classic tactic to maximize disruption while defensive teams are understaffed.2
The initial access vector is believed to be a compromise of the company's Palo Alto Networks GlobalProtect VPN platform. This aligns with SafePay's known tactics, techniques, and procedures (TTPs), which include the use of compromised VPN credentials and password spray attacks.2 Those TTPs point to credential abuse rather than a flaw in the VPN product itself; Palo Alto Networks has acknowledged the claims and is investigating.3
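The credential-abuse pattern described above (many accounts, few attempts each, from one source, followed by a successful login) is detectable in VPN authentication logs. The following is an added example of such a rule, not code from any of the cited sources or from Ingram Micro; the log format, IP addresses, and usernames are constructed for illustration and do not represent the PAN-OS/GlobalProtect log format.

```python
"""Password-spray detector over VPN authentication events (added example).

A spray shows up as one source failing against MANY distinct accounts with
FEW attempts each inside a short window. A brute force (many failures against
one account) is deliberately NOT matched here; that is a separate rule.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src_ip> <user> <result>".
# 203.0.113.7 sprays six accounts and then logs in as "judy";
# 198.51.100.9 hammers a single account (brute force, not a spray);
# 192.0.2.44 is a normal successful login.
SAMPLE_LOG = """\
2025-07-03T01:00:01Z 203.0.113.7 alice FAIL
2025-07-03T01:00:03Z 203.0.113.7 bob FAIL
2025-07-03T01:00:05Z 203.0.113.7 carol FAIL
2025-07-03T01:00:07Z 203.0.113.7 dave FAIL
2025-07-03T01:00:09Z 203.0.113.7 erin FAIL
2025-07-03T01:00:11Z 203.0.113.7 judy FAIL
2025-07-03T01:02:40Z 203.0.113.7 judy OK
2025-07-03T01:05:00Z 198.51.100.9 alice FAIL
2025-07-03T01:05:10Z 198.51.100.9 alice FAIL
2025-07-03T01:05:20Z 198.51.100.9 alice FAIL
2025-07-03T01:05:30Z 198.51.100.9 alice FAIL
2025-07-03T01:05:40Z 198.51.100.9 alice FAIL
2025-07-03T01:05:50Z 198.51.100.9 alice FAIL
2025-07-03T01:10:00Z 192.0.2.44 mallory OK
"""


def parse(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spray(lines, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Return {src_ip: finding} for sources whose failures within `window`
    span >= min_users distinct accounts with <= max_per_user tries each.
    The finding also lists sprayed accounts that later authenticated
    successfully from the same source (the credential-compromise signal)."""
    events = sorted(parse(l) for l in lines if l.strip())
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, ip, user, result in events:
        (fails if result == "FAIL" else successes)[ip].append((ts, user))

    findings = {}
    for ip, attempts in fails.items():
        # Slide a window that starts at each failure from this source.
        for i, (start, _) in enumerate(attempts):
            in_win = [u for t, u in attempts[i:] if t - start <= window]
            per_user = Counter(in_win)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                sprayed = set(per_user)
                hits = [u for t, u in successes[ip] if u in sprayed and t >= start]
                findings[ip] = {"users_targeted": len(sprayed),
                                "later_success_for": hits}
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(ip, f)
```

The thresholds (five accounts, at most three tries each, ten minutes) are assumptions and should be tuned to the environment; the important design point is the `later_success_for` field, which turns a noisy "someone is spraying" alert into a high-priority "a sprayed account just logged in" alert that warrants immediate session termination and credential reset.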
The operational impact has been severe and widespread. The attack forced the shutdown of critical internal systems, most notably the company's AI-powered Xvantage distribution platform and the Impulse license provisioning platform.1 This effectively crippled order processing, fulfillment operations, and customer-facing e-commerce and support tools, creating significant disruption for thousands of B2B customers and partners who rely on Ingram Micro for their operations.1
Ingram Micro publicly confirmed the ransomware attack on Saturday, July 5, following initial media reports and pressure from partners.2 The company has engaged external cybersecurity experts, notified law enforcement, and filed a formal report with the U.S. Securities and Exchange Commission on July 8.3 As of July 8, the company reports it is making progress on restoring its transactional business, with subscription orders now being processed centrally through its support organization.3
The threat actor, SafePay, is a relatively new but highly prolific ransomware operation first observed in late 2024.3 The group ascended rapidly, becoming the most active ransomware gang in May 2025, responsible for 18% of all reported attacks that month.6 Security researchers suggest SafePay may be a rebrand of an older group, noting its use of a modified version of leaked LockBit ransomware code.7 The group practices double extortion, threatening to leak stolen data if the ransom is unpaid. In recent months, SafePay has exfiltrated an average of 111 GB of data per victim, underscoring the significant data breach risk associated with their attacks.6
Qantas Airways Grounded by Third-Party Breach
In another demonstration of supply chain risk, Australia's flag carrier, Qantas, disclosed a major data breach impacting as many as six million of its customers.8 The incident was not a direct compromise of Qantas's core IT systems but an attack on a third-party customer servicing platform that one of its offshore call centers used.8 The breach was detected on June 30, 2025.9
The compromised data includes customer names, dates of birth, email addresses, phone numbers, and frequent flyer numbers.8 Qantas has stressed that credit card details, financial information, passwords, and passport details were not stored on the affected third-party system and were therefore not exposed.8 The exposed fields are nonetheless sufficient for convincing phishing and frequent flyer account-takeover attempts, so affected customers should treat unsolicited Qantas-branded contact with suspicion.
The investigation took a new turn when a "potential" hacker contacted the airline, claiming responsibility for the breach.8 Qantas is now working with the Australian Federal Police to validate this claim. As of this report, no specific cybercrime group has taken public credit for the attack, and it remains unclear whether a ransom demand was made.8
In response, Qantas CEO Vanessa Hudson issued a public apology, and the airline has notified the relevant Australian authorities, including the Australian Cyber Security Centre (ACSC) and the Office of the Australian Information Commissioner (OAIC).8 A dedicated customer support line has been established, and the company is actively monitoring for any public release of the stolen data.9
The incidents at Ingram Micro and Qantas are not merely individual corporate crises but powerful illustrations of a fundamental truth in modern cybersecurity. Adversaries increasingly recognize that the most efficient path to widespread disruption is not always a frontal assault on a well-defended primary target but an attack on a softer, less secure node within its interconnected ecosystem. The compromise of an IT distributor like Ingram Micro creates a bottleneck that chokes the supply of technology products and services to thousands of other businesses.1 Similarly, the breach of a single offshore vendor for Qantas exposes the data of millions of the airline's customers.10 These events forcefully validate the prescient warnings issued just months ago by figures like J.P. Morgan's CISO, Patrick Opet, who cautioned the entire software industry about prioritizing speed to market over the security of the supply chain.13 The strategic consequence is clear: third-party risk management must evolve from a periodic compliance exercise into a continuous, technically rigorous discipline that treats the supply chain as an extension of the organization's security perimeter.
Healthcare in the Crosshairs: New Threats and Persistent Targeting
The healthcare sector continues to be a prime target for cybercriminals, with the emergence of a new ransomware group and reports of multiple breaches. A new, multi-platform ransomware operation named Bert has been actively targeting organizations in the healthcare, technology, and event services sectors across Asia, Europe, and the U.S. since April 2025.15
Bert's operators have developed variants for both Windows and Linux environments. The Windows variant typically uses PowerShell scripts as a loader to turn off security controls like Windows Defender, firewalls, and User Account Control (UAC) before executing the primary ransomware payload.16 The Linux variant is particularly concerning for its focus on virtualized environments; it is optimized for speed using up to 50 threads for encryption and includes functionality to forcibly shut down all running ESXi virtual machines to maximize damage and impede recovery.16 This specific targeting of ESXi servers and other code characteristics has led researchers to suggest a possible lineage from the notorious REvil ransomware family.17 The use of Russian-registered IP addresses for its command-and-control infrastructure has also been noted, though attribution remains unconfirmed.16
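The behaviours attributed to Bert above (a PowerShell loader that disables Defender, the firewall, and UAC, and a Linux variant that powers off ESXi guests) are all visible in process command lines and shell history. The following is an added detection example, not code from the cited researchers; the regexes are generic indicators of those actions and are not Bert's actual command lines, and the host names and events are constructed.

```python
"""Command-line indicator matching and per-host triage (added example).

Each rule is a hypothetical indicator of one of the actions described in the
text. Matching a single rule is weak evidence (administrators run these
commands too); the triage step escalates when several distinct
defense-evasion actions land on one host, or when a hypervisor starts
powering off multiple guests.
"""
import re
from collections import Counter, defaultdict

RULES = {
    # Defender real-time/behaviour/scan protection turned off via PowerShell.
    "defender_disable": re.compile(
        r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|BehaviorMonitoring|"
        r"IOAVProtection)\s+\$?true", re.I),
    # Windows Firewall disabled for one or all profiles.
    "firewall_disable": re.compile(
        r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I),
    # UAC disabled by zeroing the EnableLUA policy value.
    "uac_disable": re.compile(r"reg(\.exe)?\s+add\b.*EnableLUA\b.*/d\s+0\b", re.I),
    # ESXi guests forcibly powered off from the host shell.
    "esxi_vm_poweroff": re.compile(
        r"vim-cmd\s+vmsvc/power\.off\s+\d+|esxcli\s+vm\s+process\s+kill\b", re.I),
}
DEFENSE_EVASION = {"defender_disable", "firewall_disable", "uac_disable"}

# Constructed events: WS01 shows the loader pattern, WS02 is benign admin
# activity, ESX01 shows guests being powered off in bulk.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": 'powershell.exe -nop -w hidden -c '
                                '"Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"host": "WS01", "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "WS01", "cmdline": "reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
                                "\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    {"host": "WS01", "cmdline": "C:\\Users\\Public\\payload.exe"},
    {"host": "WS02", "cmdline": "powershell.exe Get-MpPreference"},
    {"host": "ESX01", "cmdline": "vim-cmd vmsvc/getallvms"},
    {"host": "ESX01", "cmdline": "vim-cmd vmsvc/power.off 12"},
    {"host": "ESX01", "cmdline": "vim-cmd vmsvc/power.off 13"},
]


def scan(events):
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, rx in RULES.items():
            if rx.search(ev["cmdline"]):
                hits.append({"host": ev["host"], "rule": name, "cmdline": ev["cmdline"]})
    return hits


def triage(hits):
    """Per-host severity: 'high' when >= 2 distinct defense-evasion actions
    occur on a host, or a hypervisor powers off >= 2 guests; else 'medium'."""
    rules_by_host, poweroffs = defaultdict(set), Counter()
    for h in hits:
        rules_by_host[h["host"]].add(h["rule"])
        if h["rule"] == "esxi_vm_poweroff":
            poweroffs[h["host"]] += 1
    severity = {}
    for host, rules in rules_by_host.items():
        escalate = len(rules & DEFENSE_EVASION) >= 2 or poweroffs[host] >= 2
        severity[host] = "high" if escalate else "medium"
    return severity


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for h in found:
        print(h["host"], h["rule"], "<-", h["cmdline"])
    print(triage(found))
```

A production rule would add a time window to the correlation (the three evasion commands landing within minutes is far more suspicious than across a month) and would treat any `esxi_vm_poweroff` outside a change window as high on its own, since legitimate bulk power-offs on a hypervisor are rare and scheduled.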
The emergence of this new threat coincides with other attacks on the sector. A new ransomware gang, not yet publicly named, targeted rehabilitation clinics in Jacksonville, Florida, resulting in a breach affecting 34,498 individuals and compromising a vast trove of sensitive personal and protected health information (PHI).15 Separately, Compumedics, a vendor of diagnostic technologies for sleep disorder clinics, also reported a data security incident that affected patients of several of its healthcare provider clients.19
This fluid environment for healthcare providers reflects a dynamic ransomware market. While new groups like Bert emerge with multi-platform tooling, others are ceasing operations; the SatanLock ransomware gang, for example, reportedly shut down this week.20 This lifecycle, in which groups emerge, operate, and then disappear or rebrand, is a hallmark of the mature ransomware-as-a-service ecosystem. The threat is not a single entity to be defeated but a constantly evolving market of specialized criminal enterprises. Furthermore, research from WatchGuard indicates a broader shift by many attackers away from pure data encryption and toward data theft and extortion, as improved corporate backup practices have made encryption-only attacks less profitable.21 Backups therefore remain essential for recovery but no longer address the financial and reputational damage of a ransomware attack; preventing and detecting exfiltration now matters as much as being able to restore.
Geopolitical Flashpoints
Cyber operations continue to be a key element in geopolitical conflicts and espionage.
- Ukraine Conflict: A sophisticated cyberattack successfully disrupted the infrastructure used to distribute "1001" firmware. This custom software, developed by Russian entities, is used to convert civilian DJI drones into military assets for use in the war against Ukraine, demonstrating a direct link between cyber operations and kinetic warfare.15
- Nation-State Espionage: Pakistan's Transparent Tribe (also known as APT36) has been observed targeting the Indian defense sector with new Linux malware. The malware is specifically designed to run on BOSS (Bharat Operating System Solutions), a Linux distribution developed in India for government use, indicating a highly targeted espionage campaign.20
- International Institutions Targeted: The International Criminal Court (ICC) in The Hague confirmed it suffered a new, "sophisticated" cyberattack. This is the second major incident to hit the court in recent years and notably occurred near a NATO summit, suggesting a possible link to heightened geopolitical tensions.20
Works Cited
1. Ingram Micro Suffers Huge Ransomware Attack - Tech.co, accessed July 8, 2025, https://tech.co/news/ingram-micro-data-breach
2. Ingram Micro Confirms Cyberattack After Days of System Outage - Channel Insider, accessed July 8, 2025, https://www.channelinsider.com/news-and-trends/ingram-micro-ransomware-july-2025/
3. Ingram Micro outage caused by SafePay ransomware attack - BleepingComputer, accessed July 8, 2025, https://www.bleepingcomputer.com/news/security/ingram-micro-outage-caused-by-safepay-ransomware-attack/
4. One of America's leading IT companies hacked, says 'identified ransomware on..' - Times of India, accessed July 8, 2025, https://timesofindia.indiatimes.com/technology/tech-news/one-of-americas-leading-it-companies-hacked-says-identified-ransomware-on/articleshow/122278485.cms
5. Ingram Micro Update: r/msp - Reddit, accessed July 8, 2025, https://www.reddit.com/r/msp/comments/1ltxgfh/ingram_micro_update/
6. IT company Ingram Micro says ransomware targeted internal systems - The Record, accessed July 8, 2025, https://therecord.media/ingram-micro-ransomware-attack
7. Ingram Micro makes progress on restoring operations following the attack - Cybersecurity Dive, accessed July 8, 2025, https://www.cybersecuritydive.com/news/ingram-micro-progress-operations-attack/752438/
8. Qantas contacted by a hacker claiming responsibility for primary data ... - Xinhua, accessed July 8, 2025, https://english.news.cn/asiapacific/20250708/2e10f0e6d3654b058d6fef690abaf1fe/c.html
9. QANTAS CYBER INCIDENT - Qantas Newsroom, accessed July 8, 2025, https://www.qantasnewsroom.com.au/media-releases/qantas-cyber-incident/
10. Qantas hack: limits to the government's reach - The Strategist, accessed July 8, 2025, https://www.aspistrategist.org.au/qantas-hack-limits-to-the-governments-reach/
11. Canada Sets Timeline to Shield Government Systems from Quantum ... - The Quantum Insider, accessed June 28, 2025, https://thequantuminsider.com/2025/06/28/canada-sets-timeline-to-shield-government-systems-from-quantum-threat/
12. Publications | ENISA, accessed June 28, 2025, https://www.enisa.europa.eu/publications
13. The Wild Wild West of Agentic AI - An Attack Surface CISOs Can't Afford to Ignore - SecurityWeek, accessed July 8, 2025, https://www.securityweek.com/the-wild-wild-west-of-agentic-ai-an-attack-surface-cisos-cant-afford-to-ignore/
14. Cyber security | UK Regulatory Outlook June 2025 | Osborne Clarke, accessed June 28, 2025, https://www.osborneclarke.com/insights/regulatory-outlook-june-2025-cyber-security
15. Cyber Security News Today | Articles on Cyber Security, Malware Attack updates | Cyware, accessed July 8, 2025, https://social.cyware.com/cyber-security-news-articles
16. BERT Ransomware Group Targets Asia and Europe on Multiple ... - Trend Micro, accessed July 8, 2025, https://www.trendmicro.com/en_se/research/25/g/bert-ransomware-group-targets-asia-and-europe-on-multiple-platforms.html
17. New Bert Ransomware Group Strikes Globally with Multiple Variants - Infosecurity Magazine, accessed July 8, 2025, https://www.infosecurity-magazine.com/news/bert-ransomware-globally-multiple/
18. Patient Death Linked to NHS Cyber-Attack - Infosecurity Magazine, accessed June 28, 2025, https://www.infosecurity-magazine.com/news/patient-death-linked-nhs-cyber/
19. Compumedics Cyberattack Affects Almost a Dozen Healthcare Providers - HIPAA Journal, accessed July 8, 2025, https://www.hipaajournal.com/compumedics-data-breach/
20. Hackread - Latest Cybersecurity News, Press Releases & Technology Today, accessed July 8, 2025, https://hackread.com/
21. New WatchGuard Research Reveals 171% Increase in Total Unique Malware as Attackers Defy Traditional Defenses | Morningstar, accessed July 8, 2025, https://www.morningstar.com/news/globe-newswire/9490587/new-watchguard-research-reveals-171-increase-in-total-unique-malware-as-attackers-defy-traditional-defenses