Week ending February 27, 2026
UAE says it foiled organized cyberattacks targeting “vital sectors”
Impacts:
- Signals continued critical-infrastructure targeting (energy, transport, finance, government services) as a baseline global condition.
- Reinforces the need for national SOC coordination and cross-sector incident playbooks (because “vital sectors” share vendors and dependencies).
What people can do (where you are):
- If you run any org (city, school, hospital, SMB): assume “pre-attack” posture—offline backups + MFA everywhere + incident runbooks and vendor access reviews.
Google disrupted a China-linked campaign that hit 53 groups globally
What happened (Feb 25): Reuters reported Google disrupted a set of Chinese-linked hackers that attacked 53 groups worldwide.
Impacts:
- Shows threat activity is transnational and multi-target—civil society, government-adjacent orgs, and enterprises can all be in-scope.
- “Disruption” helps, but it also confirms a persistent pattern: platform-level defense is now part of the global security perimeter.
What people can do:
- High-risk groups (journalists, NGOs, activists, local officials): adopt phishing-resistant MFA (passkeys/security keys), lock down recovery channels, and separate personal from org accounts.
AI-augmented actor compromised 600+ FortiGate devices across 55 countries
What happened (Feb 20–23 reporting; still active in this window): AWS described an AI-augmented actor exploiting weak credentials/exposed management interfaces to access 600+ FortiGate devices in 55 countries—a classic edge-device “foothold” pattern, but accelerated by AI tooling.
Impacts:
- The “internet edge” (VPN/firewall appliances) remains a top systemic weak point; compromise there can become ransomware staging or OT network access.
- AI lowers the skill barrier and increases scale—more opportunistic actors can generate targeting, scripts, and recon faster.
What people can do:
- If you manage networks: disable internet-exposed admin, enforce MFA for management, rotate credentials, restrict by IP/VPN, and monitor for unusual logins.
- If you’re in critical infrastructure / manufacturing: segment IT/OT, and treat firewall/VPN logs as tier-1 telemetry.
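An added example (not from the digest, AWS, or Fortinet) of the “monitor for unusual logins” and “firewall/VPN logs as tier-1 telemetry” advice above: a small Python detector run over constructed FortiGate-style key=value log lines. The field names, the management allowlist networks and the failure threshold are assumptions.

```python
"""Flag risky admin logins on a firewall/VPN management interface (added example,
not from the digest or any vendor; log field names are assumptions)."""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in FortiGate-style key=value syslog form (not captured from a device).
SAMPLE_LOG = """\
date=2026-02-21 time=03:10:01 type=event user=admin srcip=198.51.100.7 action=login status=failure
date=2026-02-21 time=03:10:02 type=event user=admin srcip=198.51.100.7 action=login status=failure
date=2026-02-21 time=03:10:03 type=event user=admin srcip=198.51.100.7 action=login status=failure
date=2026-02-21 time=03:10:05 type=event user=admin srcip=198.51.100.7 action=login status=success
date=2026-02-21 time=09:00:00 type=event user=netops srcip=10.20.0.15 action=login status=success
date=2026-02-21 time=09:05:00 type=event user=admin srcip=203.0.113.9 action=login status=success
date=2026-02-21 time=09:06:00 type=event user=admin srcip=203.0.113.9 action=logout status=success
"""

# Assumed management allowlist: the admin VLAN and the VPN client pool.
MGMT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24"),
                  ipaddress.ip_network("10.99.0.0/24")]
FAILURE_THRESHOLD = 3  # failures from one IP before a burst is flagged

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one key=value syslog line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def analyze(log_text, allowlist=MGMT_ALLOWLIST, threshold=FAILURE_THRESHOLD):
    """Return (alert_type, srcip, user) tuples in log order."""
    failures = Counter()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("action") != "login":
            continue  # logouts, config edits etc. are not login events
        src = ipaddress.ip_address(ev["srcip"])
        user = ev.get("user", "?")
        if ev.get("status") == "failure":
            failures[src] += 1
            if failures[src] == threshold:
                alerts.append(("failure_burst", str(src), user))
        elif ev.get("status") == "success":
            if not any(src in net for net in allowlist):
                alerts.append(("login_outside_allowlist", str(src), user))
            if failures[src] >= threshold:
                alerts.append(("success_after_burst", str(src), user))
    return alerts
```

A success from an address that just produced a failure burst is the highest-value alert here; the allowlist check is what “restrict by IP/VPN” looks like when verified from telemetry rather than assumed from config.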
EU cybersecurity governance “upgrade”: new package + tightening supply-chain security
What happened (EU-level, ongoing): The European Commission published a new cybersecurity package (often described as Cybersecurity Act 2 / CSA2 plus targeted NIS2 amendments) to strengthen resilience and reduce fragmentation—explicitly addressing ICT supply-chain risk and compliance clarity.
Impacts:
- Pushes EU markets toward more standardized assurance/certification and stronger expectations for vendor risk management across critical sectors.
- For global vendors, EU alignment pressure often becomes a de facto international baseline (because selling into the EU means meeting EU controls).
What people can do:
- If you buy IT (even as a small org): demand basic supplier controls—SBOM where relevant, patch SLAs, breach notification terms, and access logging.
- If you’re a local government: adopt procurement language that requires secure-by-default configurations and incident reporting.
NIS2 transposition accelerates at the member-state level (Poland example)
What happened (Feb 26–27 reporting): Poland finalized implementation steps for NIS2 via amendments to its national cybersecurity law, with the new regime expected to apply after a short runway (late March 2026).
Impacts:
- Drives “board-level” cyber governance: incident reporting, risk management, and supply-chain controls become harder to ignore for in-scope entities and their vendors.
- Creates compliance sprints that ripple through the supply chain (SMBs often feel it because they’re suppliers).
What people can do:
- If you’re a supplier to regulated sectors: start with a minimum viable program—asset inventory, MFA, backups, patch cadence, and vendor access controls.
“Patch hygiene” remains a frontline systems upgrade (Microsoft ecosystem exploited CVEs)
What changed (operational reality): Security teams globally were still working through February’s Microsoft fixes, which included multiple actively exploited vulnerabilities—a reminder that patch velocity is itself a major resilience upgrade.
Impacts:
- Organizations that can’t patch quickly become disproportionately exposed to commodity exploitation waves.
- Raises the value of centralized endpoint management and vulnerability prioritization (patch what’s exploited first).
What people can do:
- Households: turn on automatic updates for OS/browser/router; use a password manager + MFA.
- Orgs: focus on KEV-style prioritization (patch exploited-in-the-wild issues first), and test/rollout with clear SLAs.
What this week adds up to (system-level impacts)
- Critical infrastructure + edge devices remain prime targets, and AI is pushing compromise toward higher scale and lower effort.
- Platform and policy layers are becoming part of the security perimeter (Google disruptions; EU governance packages; national NIS2 implementation).
- The winning strategy is less “perfect security” and more fast recovery + fast patching + strong identity controls.
What people can do where they are (simple checklist)
For everyone
- Use passkeys/MFA, a password manager, and keep devices updated.
For small orgs / community groups
- 3 must-haves: MFA, offline backups, and one tested incident plan (who to call, what to shut off, how to restore).
For local governments / schools / hospitals
- Prioritize: asset inventory, remove internet-exposed admin ports, segment networks, and require vendor logging + breach notification in contracts.
Week ending February 20, 2026
The ICT sector in early 2026 is marked by growth in spending, critical infrastructure upgrades (AI and networking), expanding regulatory focus on security and sovereignty, and breakthrough innovations in AI hardware and autonomous systems. These developments are reshaping how digital services are delivered, consumed, and regulated — unlocking efficiencies and capabilities for both businesses and societies, while also creating new policy, investment, and competitive dynamics.
What moved this week wasn’t “one big new thing” — it was a set of stack upgrades across patching, critical infrastructure resilience, spyware exposure, and sovereignty-driven security rules.
Exploited-vulnerability response accelerated (patch-or-get-hit)
- CISA added multiple actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog (Feb 17), a signal that “patching cadence” is now a frontline control, not a best-practice nice-to-have.
- Chrome shipped a security update for a high-severity flaw under active exploitation (reported Feb 11; pushed in the following days), reinforcing the “browser as battlefield” reality.
- Microsoft’s February security release (Patch Tuesday) continued to emphasize exploited bugs (the backlog organizations must burn down).
Systems upgrade: vulnerability management is shifting toward continuous exposure management (asset visibility → prioritization → rapid patching) instead of periodic patch cycles.
Critical infrastructure took visible hits (availability is the new headline)
- Germany’s national rail operator’s booking/info systems were disrupted by a DDoS attack and later restored, with the company citing effective countermeasures (Feb 18).
Systems upgrade: resilience investments are increasingly about service continuity (traffic-shaping, scrubbing, redundancy, comms playbooks) — because even “non-destructive” attacks create public disruption and economic cost.
“Security of devices” expanded beyond IT into cars, telecom, and edge systems
- Poland barred Chinese-made vehicles from entering military facilities over concerns that onboard sensors/infotainment could collect sensitive data; they also restricted connecting official phones to certain vehicle systems (Feb 18).
- In parallel, CISA messaging pushed organizations toward better lifecycle tracking and asset control (e.g., OpenEoX for end-of-support / end-of-life visibility).
Systems upgrade: cybersecurity scope is expanding into cyber-physical supply chain governance: “What devices can enter sensitive places?” + “Do we know what’s supported vs. end-of-life?”
Spyware exposure + accountability pressure rose
- Reuters reported on an Amnesty finding that a prominent Angolan journalist’s phone was infected with Predator spyware via a social-engineering link, highlighting ongoing risks to civil society and press freedom (reported Feb 18).
Systems upgrade: the “human layer” (messaging apps + link hygiene + device hardening) is now inseparable from governance and rights — spyware is treated as a geopolitical/security instrument, not just crimeware.
Identity and phishing remained the primary breach pathways
- Incident-response analysis continued to show most breaches hinge on identity weaknesses (stolen credentials, MFA bypass, over-permissioned cloud identities) and faster attacker timelines.
- Multiple breach disclosures/data-leak stories this week reinforced the pattern: phishing + third parties + credential abuse translate into real-world consumer exposure.
Systems upgrade: “identity is the perimeter” is no longer a slogan — it’s the dominant incident root cause in modern environments (SaaS + cloud + contractors).
Impacts (what this week’s signals mean)
- Operational risk is rising: DDoS and service disruption are now “public-facing” failures that directly affect trust, commerce, and mobility.
- Cyber sovereignty is hardening: device-origin and supply-chain rules (like restrictions on connected vehicles) will spread to more sectors and geographies.
- The attacker advantage is speed: exploited vulns + identity abuse compress response windows from days to hours.
What people can do where they are now (practical, high-leverage)
For households / individuals
- Update browsers and OS promptly (especially Chrome/Edge/Windows) — exploited bugs are being used “in the wild.”
- Turn on phishing-resistant MFA where available (passkeys/security keys), and treat unexpected links/messages as hostile (spyware cases still start with a click).
For organizations / communities
- Run a weekly “Top 10 exposed assets” review: internet-facing systems, cloud IAM, privileged accounts, VPNs, email security.
- Adopt a KEV-driven patch SLA (e.g., 48–72 hours for exploited items) and measure compliance.
- Tighten identity hygiene: least privilege, remove standing admin rights, monitor token/session abuse, and lock down SaaS admin consoles.
- For critical services (transit, utilities, hospitals): rehearse DDoS continuity playbooks (alternate comms, “graceful degradation,” vendor escalation paths).
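As an added example (not from CISA or the digest) of the KEV-driven patch SLA advice in this list and under the February 27 “Patch hygiene” item: Python that joins a constructed KEV-shaped catalog fragment with a constructed asset inventory, ranks open findings exploited-first, and measures compliance against a 72-hour SLA. The CVE identifiers, asset names and dates are placeholders.

```python
"""KEV-driven patch SLA report: added example, not from CISA or the digest.
A constructed fragment shaped like the CISA KEV catalog JSON (cveID, dateAdded and
knownRansomwareCampaignUse are the catalog's own field names) is joined with a
constructed asset inventory; CVE identifiers are placeholders, not real entries."""
import json
from datetime import datetime, timedelta, timezone
SLA_HOURS = 72  # upper end of the digest's "48–72 hours for exploited items"
KEV_JSON = json.dumps({"vulnerabilities": [  # constructed, placeholder CVE IDs
    {"cveID": "CVE-0000-0001", "dateAdded": "2026-02-17", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "dateAdded": "2026-02-17", "knownRansomwareCampaignUse": "Unknown"},
]})

INVENTORY = [  # constructed: which asset carries which CVE, and when (if) it was patched
    {"asset": "web-01", "cveID": "CVE-0000-0001", "patched_at": "2026-02-19T10:00:00Z"},
    {"asset": "web-02", "cveID": "CVE-0000-0001", "patched_at": None},
    {"asset": "desk-17", "cveID": "CVE-0000-0002", "patched_at": "2026-02-21T08:00:00Z"},
    {"asset": "desk-18", "cveID": "CVE-0000-0003", "patched_at": None},  # not in KEV
]

def parse_utc(s):  # ISO-8601 date or timestamp -> aware UTC datetime
    return datetime.fromisoformat(s.replace("Z", "+00:00")).replace(tzinfo=timezone.utc)

def kev_index(kev_json):  # cveID -> KEV record, i.e. the exploited-in-the-wild set
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}

def sla_report(inventory, kev, now, sla_hours=SLA_HOURS):
    """Return (open_items, compliance_ratio): unpatched findings ranked
    ransomware-linked KEV first, then oldest KEV dateAdded, then non-KEV; and
    the share of KEV findings patched (or still in window) within sla_hours."""
    open_items, kev_total, kev_ok = [], 0, 0
    for item in inventory:
        rec = kev.get(item["cveID"])
        patched = parse_utc(item["patched_at"]) if item["patched_at"] else None
        if rec is None:  # not exploited in the wild: queue last, outside the SLA metric
            if not patched:
                open_items.append((2, "9999", item["asset"], item["cveID"], "not_in_kev"))
            continue
        kev_total += 1
        deadline = parse_utc(rec["dateAdded"]) + timedelta(hours=sla_hours)
        if patched:
            kev_ok += int(patched <= deadline)
            continue
        status = "in_window" if now <= deadline else "overdue"
        kev_ok += int(status == "in_window")
        rank = 0 if rec.get("knownRansomwareCampaignUse") == "Known" else 1
        open_items.append((rank, rec["dateAdded"], item["asset"], item["cveID"], status))
    open_items.sort()
    return [(a, c, s) for _, _, a, c, s in open_items], (kev_ok / kev_total if kev_total else 1.0)
```

The SLA clock starts at the KEV dateAdded, not at the vendor's own dueDate, which is what turns “patch exploited-in-the-wild issues first” into a number a team can be measured against week over week.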
For local government / public infrastructure owners
- Create “device entry rules” for sensitive sites (what connected devices/vehicles can connect to networks or cross perimeters) and require lifecycle inventories (what is end-of-support).
Quick analysis (the pattern underneath)
This week shows a clear convergence:
Cybersecurity is becoming a governance + infrastructure discipline, not just IT.
- Exploit-driven patching is the baseline cost of operating online.
- Availability attacks (like DDoS) are “society-scale” because they interrupt real systems (transport, health, commerce).
- Connected devices (cars, edge gear, IoT) are being regulated like supply-chain risks — cybersecurity is now border policy by another name.
- Identity remains the #1 failure mode, so the fastest ROI is still IAM hardening and privilege reduction.