As lines blur between human error and machine intelligence, defense has never been more personal
Analysis Summary
# Main Topic
The core threat intelligence narrative centers on the convergence of human fallibility and machine intelligence (AI), leading to a highly personalized and difficult-to-defend threat landscape predicted for 2026, where trust is the biggest vulnerability.
## Key Points
- People remain the easiest entry point for attackers, significantly amplified by Artificial Intelligence making social engineering attacks (like voice spoofing and sophisticated phishing) nearly impossible to stop.
- Cloud environments present growing attack surfaces: attackers actively exploit access keys forgotten in code repositories to create persistent Identity and Access Management (IAM) footholds, and probe Infrastructure-as-Code (IaC) for misconfigurations and hardcoded secrets.
- Resilience in 2026 will depend less on the quantity of security tools and more on confidently knowing whom and what security teams can trust.
- Geopolitical tensions may provoke disruptive cyberattacks (like DDoS or disinformation) from nation-state actors in Russia and Iran against perceived adversaries.
## Threat Actors
- **Shiny Hunters (Extortion Group):** Compromised Salesforce instances globally in mid-2025 using vishing (voice phishing) to acquire credentials or trick employees into authorizing malicious OAuth applications.
- **Scattered Spider (Attack Group):** Known for sophisticated social engineering attacks, which compromised numerous Las Vegas casinos in 2023 and deployed DragonForce ransomware against UK retailers in 2025.
- **Nation-State Actors (Russia/Iran):** Potentially motivated by geopolitical pressures to launch disruptive or aggravating cyberattacks against adversaries (Ukraine, Israel, EU, US).
## TTPs
- **Social Engineering/Vishing:** Used by Shiny Hunters to gain entry to Salesforce portals via stolen credentials or coerced OAuth approval; no malware required.
- **OAuth Application Authorization:** Used to gain access to cloud platforms (specifically Salesforce).
- **IAM Exploitation:** Attackers actively comb code repositories for forgotten access keys to create new IAM users with elevated policies, establishing persistence in cloud environments.
- **IaC Probing:** Searching Infrastructure-as-Code templates for hardcoded secrets or misconfigurations that expose resources.
- **Disruption:** Nation-state actors may employ Distributed Denial-of-Service (DDoS) attacks and disinformation spreading.
- **Ransomware Deployment:** As demonstrated by Scattered Spider using DragonForce ransomware.
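Detection logic for the IAM persistence pattern listed above (a forgotten long-lived key used to create a new user and grant it keys or policies), added here as an example; it is not code from the original report. The event shape follows CloudTrail field names, but the events, key ids and user names are constructed placeholders, and the thirty-minute correlation window and the set of policies treated as privileged are the example's own assumptions.

```python
import json
from datetime import datetime, timedelta

# Constructed CloudTrail-style events, reduced to the fields the detector reads.
# Key ids, user names and times are placeholders, not real identifiers.
def _ev(time, name, key, ident_type, params=None, source="iam.amazonaws.com"):
    return {"eventTime": time, "eventName": name, "eventSource": source,
            "userIdentity": {"type": ident_type, "accessKeyId": key},
            "requestParameters": params or {}}

OLD_KEY = "AKIAPLACEHOLDER0000A"   # long-lived IAM user key, e.g. one left behind in a repo
ROLE_KEY = "ASIAPLACEHOLDER0000C"  # temporary credentials from an assumed role
SAMPLE_EVENTS = [
    _ev("2025-09-01T10:00:00Z", "CreateUser", OLD_KEY, "IAMUser", {"userName": "svc-backup-2"}),
    _ev("2025-09-01T10:00:07Z", "CreateAccessKey", OLD_KEY, "IAMUser", {"userName": "svc-backup-2"}),
    _ev("2025-09-01T10:00:15Z", "AttachUserPolicy", OLD_KEY, "IAMUser",
        {"userName": "svc-backup-2", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _ev("2025-09-01T10:05:00Z", "ListBuckets", OLD_KEY, "IAMUser", source="s3.amazonaws.com"),
    # Routine provisioning from a CI role: a user is created and given read-only access.
    _ev("2025-09-01T11:00:00Z", "CreateUser", ROLE_KEY, "AssumedRole", {"userName": "svc-reporting"}),
    _ev("2025-09-01T11:00:04Z", "AttachUserPolicy", ROLE_KEY, "AssumedRole",
        {"userName": "svc-reporting", "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}),
    # Two hours later: outside the correlation window, so not part of the first chain.
    _ev("2025-09-01T12:00:00Z", "AttachUserPolicy", OLD_KEY, "IAMUser",
        {"userName": "svc-backup-2", "policyArn": "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"}),
]

# Assumed set of managed policies that amount to full control (example's choice).
PRIVILEGED_MANAGED_POLICIES = {"AdministratorAccess", "IAMFullAccess", "PowerUserAccess"}
FOLLOW_UP_EVENTS = {"CreateAccessKey", "CreateLoginProfile", "AttachUserPolicy",
                    "PutUserPolicy", "AddUserToGroup"}

def _grants_admin(params):
    """True if the attached policy is a known admin managed policy or an inline Allow on '*'."""
    if params.get("policyArn", "").rsplit("/", 1)[-1] in PRIVILEGED_MANAGED_POLICIES:
        return True
    try:
        statements = json.loads(params.get("policyDocument", "{}")).get("Statement", [])
    except ValueError:
        return False
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and "*" in actions:
            return True
    return False

def detect_iam_persistence(events, window_minutes=30):
    """Correlate CreateUser with follow-up key issuance or policy grants by the same actor.

    Returns one finding per (actor key, new user) chain that has at least one
    follow-up inside the window, oldest first.
    """
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    window = timedelta(minutes=window_minutes)
    chains = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        actor = ev["userIdentity"].get("accessKeyId", "")
        target = ev.get("requestParameters", {}).get("userName")
        when = datetime.strptime(ev["eventTime"], fmt)
        chain_id = (actor, target)
        if ev["eventName"] == "CreateUser":
            chains[chain_id] = {
                "actor_key": actor,
                # Long-lived user keys start with AKIA; role session keys start with ASIA.
                "long_lived_key": actor.startswith("AKIA"),
                "new_user": target, "created_at": when,
                "follow_ups": [], "privileged": False,
            }
        elif ev["eventName"] in FOLLOW_UP_EVENTS and chain_id in chains:
            chain = chains[chain_id]
            if when - chain["created_at"] <= window:
                chain["follow_ups"].append(ev["eventName"])
                if (ev["eventName"] in ("AttachUserPolicy", "PutUserPolicy")
                        and _grants_admin(ev["requestParameters"])):
                    chain["privileged"] = True
    return sorted((c for c in chains.values() if c["follow_ups"]), key=lambda c: c["created_at"])

if __name__ == "__main__":
    for f in detect_iam_persistence(SAMPLE_EVENTS):
        print(f"{'HIGH' if f['privileged'] else 'LOW '} actor={f['actor_key']} "
              f"new_user={f['new_user']} long_lived_key={f['long_lived_key']} steps={f['follow_ups']}")
```

The two signals worth triaging on are the ones the report describes: the actor being a long-lived user key rather than a role session, and the new user receiving an administrative policy within minutes of creation. A read-only grant from a CI role still produces a finding, but at low severity, so analysts can tune the window and the policy set to their own provisioning patterns.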
## Affected Systems
- **Salesforce Instances:** Targeted heavily by Shiny Hunters globally in 2025.
- **Cloud Environments:** Specific focus on exploitation pathways like IAM persistence and IaC weaknesses.
- **Airport Infrastructure:** Cited as a template for the scale of disruption possible: a ransomware attack against Collins Aerospace disrupted airport check-in systems across multiple airlines by impacting its Muse software.
- **Windows/UK Retailers:** Targets of Scattered Spider using DragonForce ransomware in 2025.
## Mitigations
- **Strengthen Human Trust/Validation:** Addressing social engineering risks, as people are the "easiest way in."
- **Zero-Trust Architectures:** Implementing strong Zero-Trust models to keep pace with evolving cloud attack surfaces.
- **Cloud Security Posture Management:** Organizations must actively identify vulnerabilities in cloud configurations.
- **Code Repository Review:** Proactively searching code repositories for forgotten or exposed access keys.
- **Incident Preparedness:** Being prepared for large-scale operational chaos similar to that caused by the ransomware disruption at European airports.
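A small repository and IaC scanner for the "Code Repository Review" mitigation and the IaC probing TTP above, added here as example code; it is not from the original report and does not reproduce any named tool. The rules (AWS key-id format, quoted credential assignments, private key headers, a world-open security group ingress and a public bucket ACL), the reference markers that suppress variable lookups, and the sample files it scans are all constructed for the example.

```python
import os
import re

# Rules: (name, compiled pattern, kind). "secret" rules have their matched value
# redacted in the report; "misconfig" rules are exposures in the IaC itself.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), "secret"),
    ("hardcoded_secret",
     re.compile(r"(?i)(?:aws_secret_access_key|secret_key|secret|password|passwd|api_key|token)"
                r"\s*[:=]\s*[\"']([^\"']{8,})[\"']"), "secret"),
    ("private_key_material", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), "secret"),
    ("world_open_ingress", re.compile(r"cidr_blocks\s*=\s*\[\s*\"0\.0\.0\.0/0\""), "misconfig"),
    ("public_bucket_acl", re.compile(r"\bacl\s*=\s*\"public-read(?:-write)?\""), "misconfig"),
]
# A quoted value that is really a variable or interpolation reference is not a secret.
REFERENCE_MARKERS = ("${", "var.", "local.", "data.")

def _redact(value):
    """Keep enough of the value to locate it, never enough to reuse it."""
    return f"{value[:4]}...({len(value)} chars)"

def scan_text(path, text):
    """Scan one file's contents; return a finding per (line, rule) with secrets redacted."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern, kind in RULES:
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            if kind == "secret" and value.startswith(REFERENCE_MARKERS):
                continue
            findings.append({"path": path, "line": line_no, "rule": rule, "kind": kind,
                             "evidence": _redact(value) if kind == "secret" else line.strip()})
    return findings

def scan_files(files):
    """files: {relative path: text}. Returns findings ordered by path, then line."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings

def scan_directory(root, extensions=(".tf", ".yml", ".yaml", ".json", ".py", ".env", ".sh")):
    """Walk a checked-out repository (skipping .git) and scan files with the given extensions."""
    files = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            if name.endswith(extensions):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return scan_files(files)

# Constructed sample repository contents; every key and password below is a placeholder.
SAMPLE_FILES = {
    "infra/main.tf": '''provider "aws" {
  region     = "eu-west-1"
  access_key = "AKIAPLACEHOLDER12345"
  secret_key = "placeholder/secret/value/not/a/real/key0000"
}

resource "aws_db_instance" "app" {
  password = var.db_password
}

resource "aws_security_group" "bastion" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_s3_bucket" "logs" {
  acl = "public-read"
}
''',
    "app/settings.py": 'DB_PASSWORD = "${DB_PASSWORD}"\nAPI_KEY = os.environ["API_KEY"]\n',
    "ci/deploy.yml": 'env:\n  token: "ghp_placeholdertokenvalue0000000000000000"\n',
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']} [{f['kind']}] {f['rule']}: {f['evidence']}")
```

Two choices matter for a review process like this. Findings are redacted before they are written anywhere, so the scan report itself does not become a second copy of the secret; and values that are variable references (`var.db_password`, `"${DB_PASSWORD}"`) are not reported, so the result that reaches a reviewer is limited to literals that actually need rotating or removing.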
## Conclusion
The primary threat moving into 2026 is characterized by hyper-effective, personalized attacks driven by AI amplification of social engineering vectors, combined with increasing exploitation of complex cloud environments (IAM/IaC). Defense strategies must prioritize robust zero-trust implementation and stringent validation of human interactions, as traditional technical protections alone will be insufficient against threats blending social manipulation and automated cloud exploitation.