A brief overview of the main incidents in industrial cybersecurity. Q1 2026

Related tags

automotive

construction

cyberincidents overview

data leakage

denial of IT services

denial of operations

denial of service

electronics industry

energy sector

logistics

manufacturing

personal data leakage

ransomware

supply chain

transportation

utilities

In Q1 2026, 131 incidents were publicly confirmed by victims. All of these incidents are included in the table at the end of the overview, with select incidents described in detail.

Report at a glance

Several significant incidents were unveiled this quarter from the perspective of the threat landscape.

Reports of attacks on Poland’s critical infrastructure – including traditional and renewable energy , in an attempt to gain access to automated control systems, as well as loud statements about attacks on nuclear power facilities, allegedly “avoided” any potential negative consequences for the facility’s operation, clearly indicate that the Overton window is shifting in a dangerous direction for society.

The transportation industry once again demonstrated its vulnerability to attacks on third-party services that support numerous essential modern logistics tasks. For example, a breathalyzer vendor proved to be an unexpected weak point when a lack of access to its online device calibration service prevented many drivers from operating their trucks. Given real-world events, cyberattacks on transportation and logistics companies are becoming especially dangerous, as the process of disrupting global supply chains appears to have begun.

Attacks on healthcare organizations and pharmaceutical companies can limit the availability of medications and medical devices, directly threatening human health and lives. However, it seems that humanitarian considerations are becoming less important to hackers when they choose their targets.

Interesting shifts in the threat landscape can also be expected from a technical perspective. For example, in one incident, attackers destroyed data not only on the workstations and servers of the attacked organization but also on its employees’ mobile devices (including personal devices) connected to corporate services. In the near future, the list of common target types may expand to include other unexpected equipment, at least when it comes to the most “creative” ransomware and hacktivist teams.

ICS-targeting attack

Polish energy grid

Еnergy, manufacturing | APT | Wiper | Exploitation of network devices

On January 13, Poland’s energy minister announced at a press conference that there had been attempted attacks on the Polish energy sector at the end of 2025. According to a January 15 statement on the Polish government website, the targeted systems included combined heat and power plants, as well as a system that manages power derived from renewable energy resources, such as wind turbines and photovoltaic farms. There were no negative consequences, such as the destabilization of the national energy system or a blackout. The technical details of the attack were studied and described by ESET and CERT Polska, and briefly covered in APT and financial attacks on industrial organizations in Q1 2026.

Attempted attack on nuclear power object

Poland’s National Centre for Nuclear Research

Energy, manufacturing

On March 12, Poland’s National Centre for Nuclear Research (NCBJ) announced in a statement that an attempted cyberattack on the institute’s IT infrastructure took place. “Thanks to the rapid and effective response of the organization’s security systems and procedures, the attack was thwarted and the integrity of the systems was not compromised. All safety systems operated according to procedure, the attack was blocked, and the actions taken enabled the immediate securing of the infrastructure and maintenance of the institute’s operational continuity”. The director of the National Centre for Nuclear Research reported that no production, operational, or research processes were disrupted, and that the MARIA reactor continued operating safely and smoothly at full power. NCBJ worked closely with NASK-PIB, the Ministry of Digital Affairs, Deputy Prime Minister and Minister Krzysztof Gawkowski, and the Ministry of Energy and Minister Miłosz Motyka to ensure the highest level of security for critical infrastructure. Poland’s minister of digital affairs told private broadcaster TVN24+ that “the initial findings suggested the entry vectors had links to Iran”.

Severe service disruption

Intoxalock

Automotive, manufacturing | Denial of IT systems and services

Intoxalock, a US automotive breathalyzer manufacturer, reported on March 16 that it had been the target of a cybersecurity incident, resulting in its systems experiencing downtime, according to an announcement posted to its website. Intoxalock said the interlock devices themselves remained operational, but calibrations and related service-center transactions were disrupted. The cybersecurity event left some drivers with vehicles equipped with ignition interlock devices unable to start or drive their vehicles. The lockouts appeared to be the result of Intoxalock’s breathalyzers needing periodic calibrations that require a connection to the company’s servers. Drivers who were due for a calibration and couldn’t perform one due to the company’s downtime were stranded. The company stated on its website that it was offering 10-day extensions on those calibrations due to its cybersecurity disruption, as well as towing services in some cases. The company told Cybernews that for customers requiring calibrations, Intoxalock had developed a new system app that was pushed to all of its calibration devices while coordinating with state regulators to provide a temporary solution until the company could resume its systems. Intoxalock did not explain what sort of cyberattack it faced or whether hackers obtained any of the company’s user data. On March 22, Intoxalock issued an update stating that its systems had resumed, and installations, calibrations, and service center support was once again available.

Vladimir Bread Factory hit by cyberattack

Food and beverage, manufacturing | Denial of IT systems and services

According to a local media report, a cyberattack on a major Russian bakery manufacturer in the Vladimir region disrupted food deliveries. In a statement, the Vladimir Bread Factory said its internal digital systems were hit overnight on January 25, knocking out office computers, servers, electronic document management tools and the 1C enterprise accounting system. While production itself was not affected and the bakeries continued operating at full capacity, the outage complicated order processing and deliveries. Local residents, retail outlets and food suppliers for social institutions reported difficulties fulfilling existing contracts and temporary shortages of the company’s products in stores. Large retail chains acknowledged the delivery issues but said there was no widespread shortage of bread on store shelves. To keep supplies moving, the company shifted all office staff to a round-the-clock schedule and temporarily reverted to manual processing of orders and shipments. The factory did not provide a timeline for fully restoring its digital systems and apologized to partners and consumers for the disruption.

Attacks leading to denial of operations

Hazeldenes

Manufacturing, food and beverage | Denial of services and operations, personal data leakage | Ransomware

A cyberattack affected a plant owned by Australian chicken meat processor Hazeldenes, causing state-wide shortages in pubs and shops. The company said it was working with cybersecurity investigators to identify the cause of the attack. Retail and industry sources told the ABC that the chicken meat processor had been unable to fulfill some orders because it could not package its products. A manager at one meat wholesaler said it had to source chicken from another provider while Hazeldenes was offline. Workers at Hazeldenes told the ABC the problems began with the computer systems in the week of February 16-22, with some employees reporting difficulties logging on and using computers. They said that by February 19, the problem had become worsened, prompting the company to shut down the Wi-Fi at its Lockwood South site. Some customers said there had been a lack of communication from the meat processor. In March, the DragonForce ransomware group claimed responsibility for the attack on Hazeldenes.

In a statement published on its website on March 12, the company said that the investigation into the cyberincident confirmed that data, including personal information, was accessed. The review indicated that the data impact was largely limited to historical operational and corporate information. The company also stated that it was aware cybercriminals had named Hazeldenes online and had illegally shared data stolen from its environment. On March 30, Hazeldenes confirmed that it had safely and securely returned to regular production following the cyberincident.

Svealandstrafiken

Logistics, transportation | Denial of services and operations

According to a local news outlet, Swedish transportation company Svealandstrafiken experienced a major cyberattack on February 23. The attack impacted the company’s digital infrastructure and caused significant disruptions to operations, although specific details about the attack and its effects on systems and data were not disclosed. An investigation was launched to assess the full impact of the attack.

Stryker

Manufacturing | Denial of IT systems, services and operations | Hacktivist

US medical devices and equipment manufacturing company Stryker announced on March 11 that it was experiencing a global network disruption in its Microsoft environment due to a cyberattack. The company found no indication of ransomware or malware and believed the incident was contained. Stryker reported the incident in a Form 8-K filing with the United States Securities and Exchange Commission (SEC) on March 11. According to the filing, the incident caused disruptions and limited access to some of the company’s information systems and business applications that support its operations and corporate functions. On March 12, Stryker issued an update on its website, stating that the incident had disrupted order processing, manufacturing and shipping. In an update on March 15, the company stated that all its medical devices were safe to use, though electronic ordering systems remained offline and customers had to place orders manually through sales representatives.

Iranian hacktivist threat group Handala (aka Handala Hack Team, Hatef, or Hamsa) claimed responsibility for the attack on March 11. In their post, the group claimed to have wiped approximately 200,000 Stryker systems, servers and mobile devices, as well as exfiltrating 50 TB of company data. The attackers also defaced the company’s Entra login page with a Handala logo. A Stryker employee told BleepingComputer that the incident began early on March 11, when devices enrolled in the company’s mobile device management system were remotely wiped. The employee said that colleagues who had personal phones for work access also lost data when their devices were reset. Staff were instructed to remove corporate management and applications from their personal devices, including the Intune Company Portal, Teams, and VPN clients. Many employees also reported that the attack disrupted access to internal services and applications. A source familiar with the attack also told BleepingComputer that the threat actor used the wipe command in Intune, Microsoft’s cloud-based endpoint management service, to erase data. The attacker carried out the action after compromising an administrator account and creating a new Global Administrator account.

Nova Biomedical

Manufacturing | Denial of operations, personal data leakage

Nova Biomedical Corp., a US manufacturer of advanced technology blood testing analyzers, in vitro diagnostic devices, and clinical laboratory instruments, announced that on July 22, 2025, it experienced a sophisticated cybersecurity attack that disrupted its operations. An investigation determined that an unauthorized actor had accessed Nova’s electronic infrastructure and deployed malware. The company also determined that personally identifiable information may have been impacted.

Port of Vigo

Logistics, transportation | Denial of IT systems, services and operations | Ransomware

The Port Authority at Spain’s Port of Vigo was the target of a ransomware attack, according to local media reports. The incident was detected at 5:45 am local time on March 24, and affected servers used for cargo traffic management, the port’s website and other digital services. Some portions of the port’s network were disconnected, and cargo operations were managed manually. The president of the Vigo Port Authority said that although the port’s operational services and physical functioning were been affected, the programs would not reopen to the public until all security checks had been completed. There was no estimated date for resuming normal operations.

Incidents at large organizations

Deutsche Bahn

Logistics, transportation | Denial of IT services | DDoS

Deutsche Bahn, Germany’s state-owned railway company, suffered a distributed denial-of-service (DDoS) attack that began on February 17 and continued into February 18. According to the company, the attack came in waves and was substantial in scale. The DDoS attack disrupted Deutsche Bahn’s information and ticketing systems, including its websites and the DB Navigator app. The services were restored on February 18, though the company imposed temporary limitations on them. Deutsche Bahn wrote in a blog post that they were in close contact with the federal authorities.

Delta Electronics

Electronics, manufacturing | Denial of IT systems, personal data leakage

According to a bulletin from the Taiwan Stock Exchange (TWSE) portal published on February 10, an overseas subsidiary of the Taiwanese electronics manufacturing company Delta Electronics Inc. detected abnormal login attempts on its information systems. Upon investigation, systems at the overseas subsidiary were found to have been subject to cyberattacks, posing a potential risk of leakage of business-related data and employees’ personal data. After detecting the anomaly, the Information Technology Division worked with professional cybersecurity consultants to conduct a comprehensive investigation. All affected systems at the overseas subsidiary underwent security reviews and resumed normal operations without affecting business operations. Network monitoring and access controls were strengthened to ensure the overall operation of the information systems remained secure and stable. There was no material impact on the company’s operations based on the assessments.

AkzoNobel

Chemicals, manufacturing | Data leakage | Ransomware

In March, Dutch paints and coatings manufacturer AkzoNobel confirmed to BleepingComputer that hackers had breached the network of one of its US sites after the Anubis ransomware group claimed responsibility for an attack on the company. A company spokesperson said that the incident was limited to one of the company’s sites in the United States and had been contained. The impact was minimal, and AkzoNobel took the appropriate steps to notify and support affected parties. The company also planned to work closely with relevant authorities. However, the Anubis ransomware group claimed to have stolen 170 GB of data and almost 170,000 files from AkzoNobel, and leaked samples on its leak site that included screenshots of select documents and a list of the stolen files. The published data contained confidential agreements with high-profile clients, email addresses, phone numbers, private email correspondence, passport scans, material testing documents, and internal technical specification sheets.

LISI Group

Manufacturing | Personal data leakage | Ransomware

LISI Group, a French manufacturer of assembly solutions and high-value components for the aerospace, automotive and medical sectors, confirmed that it had suffered a cyberincident after the Qilin ransomware group published statements about the attack on its data leak website. According to the company’s CEO, the breach was confined to a very limited scope. Investigators confirmed that only a very small amount of data was exfiltrated, affecting two ancillary sites. According to the statement, the IT systems were entirely separate, and the breach did not affect the other sites of the aerospace and automotive divisions. The company confirmed that operations were not affected and no compromise of its infrastructure was identified.

Cybernews researchers examined the data samples provided by Qilin to back up its claims of a data breach. The samples included sales plans, internal business documents, files containing bank account details, employee consent forms, confidentiality agreements, provision contracts, and documents containing employees’ full names and contact information.

Michelin

Automotive, manufacturing | Data leakage | Ransomware

French tire manufacturer Michelin confirmed to SecurityWeek that it was affected by a data breach stemming from a massive cybercrime campaign that targeted organizations using Oracle’s E-Business Suite (EBS) solution. The company said its teams promptly conducted a thorough investigation and determined that an Oracle EBS zero-day was exploited in the attack. The company confirmed that hackers accessed some files, but said only a small, localized volume of data with no sensitive or technical IT information was affected by the incident. Michelin also noted that no ransomware was involved in the attack and that there had been no impact on its global systems. The Clop ransomware and extortion group took credit for the EBS hacking campaign, which targeted Michelin among other organizations.

Mazda Motor Corporation

Automotive, manufacturing | Personal data leakage

In March, the Japanese multinational automotive manufacturer Mazda Motor Corporation reported that in mid-December 2025 it identified traces of unauthorized external access to a management system used for warehouse operations related to parts procured from Thailand. The following personal information of company and group company employees, as well as business partners, may have been affected (692 records): user IDs issued by the company, name, email address, company name, business partner IDs. Following the discovery, Mazda promptly reported the matter to the Personal Information Protection Commission, an external bureau of the Japanese Cabinet Office, and implemented appropriate security measures. The company also conducted an investigation with the support of an outside specialist organization.

Ericsson

Manufacturing | Personal data leakage

The US subsidiary of global telecommunications equipment company Ericsson Inc. disclosed a data breach in March affecting the personal information of thousands of individuals. According to Ericsson, the breach occurred at a third-party service provider, which detected unauthorized access to data on its systems on April 28, 2025. The unnamed service provider conducted an investigation and determined that files storing personal information may have been accessed between April 17 and 22, 2025. The type of personal information potentially impacted by the incident varied by individual, but it may have included first and last name, as well as Social Security number.

Appendix. Full list of confirmed incidents