Allan Grant | SOC Analyst | 1 July 2026
Three themes defined June.
First, AI remained a key focus in June: the Five Eyes told boards it is a present business risk, the FBI dismantled a China-based AI-assisted phishing service blamed for $1.9 billion in losses, and the US government forced Anthropic to suspend its two most capable models over jailbreak fears. AI continues to dominate cyber security headlines, representing the weapon, the defence, and the thing being regulated all at once.
Second, identity remained the weakest link in most environments, and ShinyHunters kept dominating the breach headlines, this time exploiting an Oracle PeopleSoft zero-day to compromise 100+ organisations, two-thirds of them universities. Around it, FortiBleed's 75,000 compromised devices, an insider-access ruling against American Express, and over a terabyte of data stolen from Novo Nordisk rounded out a month of credential and access-control failures.
Third, Australia's policy updates spanned the Information Security Manual, the planned retirement of the Essential Eight, an OAIC-mandated overhaul of Amex's controls, and the $89.3 million Horizon 2 phase of the national cyber strategy, alongside a 280,000-person breach at Australian Clinical Labs and the emergence of the CMD Organisation extortion crew.
In June, Anthropic suspended access to its two most advanced AI models, Fable 5 and Mythos 5, for all foreign nationals. The US government cited national security concerns, specifically a potential jailbreak that could turn the models toward identifying software vulnerabilities. Anthropic disputed the basis for the order, describing the evidence as a "narrow, non-universal jailbreak", but complied by disabling both models for every customer worldwide rather than attempting to partition access by nationality. (Reuters)
The move adds to an already strained relationship between Anthropic and the Trump administration, which had previously clashed over the military's use of AI for domestic surveillance and autonomous weapons systems.
A similar episode followed later in June, when OpenAI delayed the full public release of GPT-5.6 at the US government's request, limiting initial access to a small group of vetted partners whose details were shared with authorities. The move reflects growing concern in Washington over the national security risks of powerful AI, with officials seeking early access to identify threats such as cyberattacks and military misuse before wider deployment. CEO Sam Altman said extensive safety testing was reasonable but objected to the government effectively choosing customers, and OpenAI cautioned that this level of oversight should not become permanent. (Reuters)
The FBI, working with Google and Black Lotus Labs, took down a sprawling China-based phishing-as-a-service operation known as 'Outsider Enterprise'. Running since at least 2023, the service combined AI with distributed phishing kits to impersonate trusted brands in scam text messages delivered through the major US carriers. (BleepingComputer)
The operation was tied to roughly 9,000 fake sites and more than a million fraudulent URLs and is blamed for the theft of over 3.8 million credit card records and an estimated $1.9 billion in losses. As part of the wider Operation Riptide, investigators seized administration servers, a Shopify storefront, a tester account, around $100,000 in USDT, and a Telegram bot holding customer data, then redirected the seized domains to an FBI splash page. In parallel, Google filed a civil suit against the infrastructure, is coordinating with AT&T, T-Mobile, and Verizon to block fraudulent messages, and is backing several bipartisan anti-scam bills including the Stop SCAMS Act.
FulcrumSec, a cyber extortion group active since October 2025, claims to have stolen more than a terabyte of data, over 700,000 files, from Novo Nordisk, the pharmaceutical company behind Ozempic, after spending roughly two months inside the network from March 2026. The group says the haul includes source code, proprietary drug research, trial data, internal AI model information, and personal data on employees, physicians, and patients. After Novo Nordisk reportedly refused a $25 million demand, FulcrumSec says it is now exploring private sales of portions of the data, while claiming it will withhold information tied to operational technology and production-facility sensors, along with employee, physician, and pseudonymised patient data, under a stated "harm reduction" approach. (Reuters) (X)
Novo Nordisk confirmed on 11 June that it had detected unauthorised access to a limited number of internal IT systems, including some personal data, and says it is cooperating with authorities. A separate report described an unrelated actor also compromising Novo Nordisk, which FulcrumSec maintains is a distinct incident from its own.
Between 27 May and 9 June 2026, the threat actor tracked as UNC6240 (ShinyHunters) exploited CVE-2026-35273, a critical unauthenticated remote code execution (RCE) zero-day in Oracle PeopleSoft's Environment Management Hub, to compromise more than 100 organisations worldwide. Around 68% of the victims were universities and colleges. (Google Cloud)
After gaining initial access through unauthenticated POST requests to the PSEMHUB endpoint, the group staged MeshCentral remote access agents disguised as Azure services across five sequential IP addresses, ran internal reconnaissance against PeopleSoft configurations, and moved laterally using a credential-spraying Secure Shell (SSH) script. Stolen data was compressed with zstd and published on the group's data leak site on 9 June 2026.
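Two of the behaviours described above leave traces a SOC can look for: POST traffic to the Environment Management Hub endpoint from sources that should never talk to it, and one host trying many different usernames over SSH in a short window. The following is an added detection example written for this roundup; it is not code from Google Cloud, Oracle or the threat report. The log lines are constructed samples, the management network range (10.0.0.0/8), the `/PSEMHUB` path match and the spray thresholds are assumptions a team would tune to its own environment, and the syslog year is assumed to be 2026 because sshd lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed web-server access log lines (combined log format), not real data.
WEB_LOG = """\
203.0.113.7 - - [02/Jun/2026:03:14:05 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.20.0.5 - - [02/Jun/2026:03:15:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "Java/17"
198.51.100.9 - - [02/Jun/2026:03:16:40 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Jun/2026:03:17:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 128 "-" "python-requests/2.31"
"""

# Constructed sshd auth log lines, not real data.
SSH_LOG = """\
Jun  3 01:00:01 app01 sshd[2201]: Failed password for psadm from 10.20.0.44 port 50112 ssh2
Jun  3 01:00:03 app01 sshd[2203]: Failed password for oracle from 10.20.0.44 port 50114 ssh2
Jun  3 01:00:05 app01 sshd[2205]: Failed password for deploy from 10.20.0.44 port 50116 ssh2
Jun  3 01:00:07 app01 sshd[2207]: Failed password for invalid user backup from 10.20.0.44 port 50118 ssh2
Jun  3 01:00:09 app01 sshd[2209]: Accepted password for tomcat from 10.20.0.44 port 50120 ssh2
Jun  3 01:05:00 app01 sshd[2300]: Failed password for alice from 10.20.0.12 port 41000 ssh2
Jun  3 01:05:30 app01 sshd[2301]: Failed password for alice from 10.20.0.12 port 41002 ssh2
"""

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
SSH_RE = re.compile(
    r'^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port'
)
ALLOWED = [ip_network("10.0.0.0/8")]  # assumption: only the management network should reach the hub
LOG_YEAR = 2026                       # assumption: syslog timestamps carry no year


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED)


def psemhub_external_posts(log: str) -> list:
    """Return POST requests to a PSEMHUB path whose source is outside the allowed ranges."""
    hits = []
    for line in log.splitlines():
        m = WEB_RE.match(line)
        if not m:
            continue
        src, ts, method, path, status = m.groups()
        if method == "POST" and "/psemhub" in path.lower() and not is_internal(src):
            hits.append({"src": src, "time": ts, "path": path, "status": int(status)})
    return hits


def _parse_ssh(log: str):
    for line in log.splitlines():
        m = SSH_RE.match(line)
        if not m:
            continue
        mon, day, clock, outcome, user, src = m.groups()
        ts = datetime.strptime(f"{mon} {int(day)} {clock} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        yield ts, outcome, user, src


def ssh_spray_sources(log: str, min_users: int = 3, window: timedelta = timedelta(minutes=5)) -> dict:
    """Flag sources that fail against >= min_users distinct accounts inside one window.

    Spraying is one-password-many-accounts, so distinct usernames per source is the
    signal, not raw failure count. Also records whether any success followed.
    """
    failures = defaultdict(list)   # src -> [(ts, user)]
    successes = defaultdict(list)  # src -> [ts]
    for ts, outcome, user, src in _parse_ssh(log):
        if outcome == "Failed":
            failures[src].append((ts, user))
        else:
            successes[src].append(ts)
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                later_success = any(t >= start for t in successes.get(src, []))
                flagged[src] = {"users": sorted(users), "success_after": later_success}
                break
    return flagged


if __name__ == "__main__":
    for hit in psemhub_external_posts(WEB_LOG):
        print("PSEMHUB POST from outside management ranges:", hit)
    for src, info in ssh_spray_sources(SSH_LOG).items():
        print(f"SSH spray from {src}: {info}")
```

On the sample data the web check flags the two requests from 203.0.113.7 and ignores the identical request from the internal host, and the SSH check flags 10.20.0.44 (four distinct accounts in six seconds, followed by a successful login) while leaving 10.20.0.12, a single user mistyping a password, alone. A successful login that follows a spray from the same source is the event worth paging on.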
ShinyHunters remained one of the most prominent threats in the broader cybercrime ecosystem in June, owing to rapidly advancing tradecraft and a readiness to adopt novel tactics. Their success also reshapes the wider threat landscape: tactics ShinyHunters adopted first, including OAuth token theft from third-party vendors, insider recruitment, and zero-day exploitation, are now being copied by other groups. Organisations should therefore stay cognisant of ongoing ShinyHunters operations and harden systems against this tradecraft.
Employment fraud operators, many of whom are linked to North Korea, are increasingly placing workers inside Australian organisations beyond the tech sector, with healthcare, civil engineering and customer service now targeted. Okta's research traced a few hundred confirmed identities behind roughly 25,000 interviews with around 6,000 organisations over eight years, with Australian targets rising from 1.7 to 10 percent of the non-US dataset, and recent approaches doubling from about 600 to 1,200 organisations in six months. Okta's researchers have cautioned against blanket denylisting, noting that at least half of Okta's initial 40,000 identities were false positives, so denylisting risks flagging legitimate job seekers and creating legal liability. Okta's researchers outlined fraud techniques beyond deepfakes, including copied LinkedIn profiles and paying vulnerable people around US$500 or roughly A$725 to front interviews, citing one identity that applied for a role 46 times and succeeded 45 times. Recommended defences include closer collaboration with HR, scrutinising CV metadata for shared infrastructure, and watching for red flags such as first-day remote access tool installs, repeated changes to laptop delivery addresses, and frequent bank account changes. (ITNews) (Okta)
The Australian Signals Directorate (ASD) has updated its Information Security Manual (ISM) with a notable new directive: organisations should not assign software projects to developers who lack the security skills the work requires, part of a wider push toward "secure by default" development. The update also recommends using AI for threat intelligence, penetration testing, and software security testing. (ITNews)
Separately, the ISM now advises personnel to stop posting about their work duties, skills, and security clearances on platforms such as LinkedIn, a response to open-source intelligence (OSINT) driven espionage that the Australian Security Intelligence Organisation (ASIO) has flagged as costing Australia billions each year. The ISM is mandatory for government agencies handling government data and optional for everyone else unless other regulations enforce compliance. (cyber.gov.au)
The Australian Signals Directorate plans to phase out its long-standing Essential Eight cyber security framework over the next two years, beginning deprecation in around 12 months and fully retiring it by the 24-month mark. Its replacement, a wider "Essentials" series, will treat enterprise IT, operational technology, cloud, and potentially agentic AI as distinct security domains, shifting away from prescriptive, technology-specific controls towards an outcomes- and intent-based approach. The ACSC's Chris Horlyck explained that the Essential Eight, first published in 2017, was built for on-premises environments before cloud adoption became widespread, leaving it poorly suited to shared-responsibility and SaaS models. The new series also aims to fix a long-running complaint that shifting maturity-level requirements made organisations appear to regress on security, by decoupling threat-informed controls from a fixed maturity ladder. Both frameworks will run in parallel during the transition, existing Essential Eight investments will remain relevant, and consultation on the first chapter, Essentials for enterprise IT, is open via the ACSC Partner Portal until 12 July 2026. (ITNews)
The Office of the Australian Information Commissioner (OAIC) has ordered American Express to overhaul its internal access controls within six months, following an investigation into an employee who improperly accessed a former partner's data, including transaction and travel records spread across five internal systems, both during and after the personal relationship. (ITNews)
Amex did not dispute that the access occurred, and the OAIC found it had breached Australian Privacy Principle 11.1. The company must now implement account-level access logging and action logging across all five systems, alongside technical controls restricting staff access to specific customer records, including individualised arrangements for vulnerable or high-profile cardholders.
Cyber Security Minister Tony Burke has unveiled Horizon 2 of Australia's 2023 to 2030 Cyber Security Strategy, committing a further $89.3 million over four years. The phase bundles 19 actions and 64 initiatives across 12 government agencies for delivery by the end of 2028, built on three pillars: turning the workforce into a resilient "human firewall", hardening critical infrastructure and government systems, and supporting the secure adoption of emerging technologies. (Homeaffairs.gov.au)
Burke framed Horizon 1 as having fitted strong locks to the front door, with Horizon 2 turning to the supply chains feeding government and critical infrastructure, in his words, locking the windows. He also warned that technical defences alone are insufficient in an era of AI-enabled attacks, where a single employee deceived by a deepfake can undo an organisation's wider security investment.
June brought another steady run of domestic activity, spanning healthcare and retail.
Researchers have reported a large, ongoing campaign that had compromised roughly 75,000 Fortinet firewall and VPN devices worldwide at the time of reporting, leading to stolen credentials at Fortune 500 companies and government agencies across more than 15 countries, with the US, India, and Taiwan hit hardest. Cybercrime tracking firm Hudson Rock described the scale as "staggering" and noted the campaign touches nearly every sector of the global economy. (Reuters)
Fortinet has confirmed it is aware of the credential-theft campaign but says attackers are brute-forcing logins using data leaked in earlier, unrelated incidents rather than exploiting a new vulnerability. Researcher Bob Diachenko, who found the exposed data on an open server, described a sophisticated multilayer password-cracking setup, with Russian-language scripts in the data pointing to a possible Russian cybercrime group. Victims swept up include US state agencies in Washington and Nevada, a South Carolina agency, and nearly 120 credentials tied to five government entities in Puerto Rico, though it remains unclear how many stolen credentials led to successful intrusions. The ASD's ACSC has published an advisory on the campaign. (cyber.gov.au)
The Five Eyes cyber security agencies have issued a joint statement warning that AI is rapidly reshaping the cyber threat landscape, and that leaders must act now rather than treat it as a future concern. While AI will eventually strengthen cyber defence, the agencies say it is currently accelerating the speed, scale, and sophistication of attacks and shrinking the window between a vulnerability being discovered and exploited. (ITNews) (cyber.gov.au)
The central message is that cyber risk is no longer a purely technical matter but a core business risk and a leadership responsibility, requiring boards and executives to confirm their controls will hold under the pressure of a real incident. The agencies urge organisations to get the basics right, reducing attack surface, patching faster, addressing legacy systems, strengthening identity and access controls, and preparing for incidents on the assumption that breaches will happen. They also encourage defenders to use AI deliberately, to detect vulnerabilities earlier, monitor for unusual behaviour, and respond faster, since adversaries are already doing exactly that.
The lessons of June can be summarised as follows: AI is now operational reality on both sides. Adversaries scaled phishing into a billion-dollar business, defenders were told to adopt AI or fall behind, and governments began export-controlling frontier models. Meanwhile the familiar failures persisted: a zero-day in a widely used platform, tens of thousands of edge devices undone by reused credentials, and an insider holding more access than his role required.
Key takeaways for organisations: