Intelligence
Severity: high. Status: active campaign.

Sustained Multi-Sector Phishing Campaign Targets 500+ Organisations Across Critical Infrastructure

A years-long phishing campaign has compromised over 500 organisations across aviation, energy, infrastructure, logistics, public administration, and technology sectors. The extended campaign duration and cross-sector targeting suggest either a sophisticated threat actor or multiple coordinated groups with sustained operational capability.

Sebastion

Affected

Aviation sector organisations
Critical infrastructure operators
Energy sector organisations
Logistics companies
Public administration entities
Technology companies

A phishing campaign spanning years and affecting 500+ organisations indicates either exceptional operational security from threat actors or fragmented detection and response across victim organisations. The breadth of targeting across aviation, energy, critical infrastructure, and logistics suggests either a financially motivated group with broad targeting or a state-sponsored actor with infrastructure reconnaissance objectives.

The duration of the campaign without apparent widespread containment raises questions about phishing detection maturity in these sectors. Traditional gateway-based email filtering, which leans on sender reputation and known-bad URL lists, typically catches commodity phishing within days or weeks of a lure first appearing. A years-long campaign implies either highly targeted spear-phishing at low volume, abuse of trusted communication channels (compromised partner mailboxes, legitimate file-sharing services), or slow-moving credential harvesting that never crossed standard detection thresholds.

Critical infrastructure and aviation sectors face particular risk from compromised credentials. Initial access through phishing is a common precursor to supply chain attacks, ransomware deployment, or espionage operations. The targeting of public administration and technology firms alongside infrastructure suggests either opportunistic broad-based harvesting or deliberate intelligence collection across government and supply chain partners.

Defenders should prioritise determining whether they were affected by reviewing the SecurityWeek reporting for technical indicators and coordinating with their sector ISACs. Organisations in the affected sectors should assume phishing campaigns targeting their personnel remain active. Implement or strengthen email authentication controls (SPF, DKIM, DMARC, with DMARC actually enforcing rather than sitting at p=none), deploy advanced phishing detection (URL sandboxing, behavioural analysis), and conduct targeted user awareness training. If indicators are published, search historical email gateway, proxy and authentication logs for them retroactively; check retention windows now, since a years-long campaign may predate the logs still indexed.
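The email-authentication recommendation above is only useful if the published records actually enforce something; a DMARC record at p=none or an SPF record ending in +all passes a checkbox audit while stopping nothing. The following script, added here as an illustration and not code from the original page or its author, parses SPF and DMARC TXT records and flags the weak settings a reviewer would look for. The domains and records are constructed for the example; a real run would fetch the TXT records via DNS rather than pass them in as strings.

```python
"""
Flag weak SPF and DMARC settings in a domain's email-authentication records.

Added example, not code from the original page. The domains and TXT
records below are constructed for illustration; in practice the records
would be resolved from DNS (e.g. with dnspython) rather than hard-coded.
"""
from dataclasses import dataclass, field


@dataclass
class AuthAssessment:
    """Findings for one domain; an empty findings list means no weakness found."""
    domain: str
    findings: list = field(default_factory=list)

    @property
    def weak(self) -> bool:
        return bool(self.findings)


def _is_dns_lookup(term: str) -> bool:
    """True if an SPF term costs a DNS lookup (RFC 7208 caps these at 10)."""
    t = term.lower().lstrip("+-~?")
    if t.startswith(("include:", "exists:", "redirect=")):
        return True
    return t.split(":", 1)[0].split("/", 1)[0] in ("a", "mx", "ptr")


def assess_spf(record: str) -> list:
    """Return a list of human-readable weaknesses in an SPF record."""
    findings = []
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: record missing or malformed"]
    terms = record.split()[1:]
    all_term = next((t.lower() for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not rejected")
    elif all_term in ("+all", "all"):
        findings.append("SPF: '+all' authorises any sender to spoof the domain")
    elif all_term == "?all":
        findings.append("SPF: '?all' is neutral and enforces nothing")
    elif all_term == "~all":
        findings.append("SPF: '~all' softfail only; rely on DMARC p=reject for enforcement")
    if sum(_is_dns_lookup(t) for t in terms) > 10:
        findings.append("SPF: more than 10 DNS lookups, receivers will return permerror")
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of human-readable weaknesses in a DMARC record."""
    findings = []
    tags = parse_dmarc(record or "")
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return ["DMARC: record missing or malformed"]
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("DMARC: p=none is monitor-only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports look clean")
    # sp defaults to p when absent; sp=none under an enforcing p leaves subdomains open
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so spoofing attempts are never reported")
    return findings


def assess_domain(domain: str, spf_record: str, dmarc_record: str) -> AuthAssessment:
    """Combine SPF and DMARC findings for one domain."""
    result = AuthAssessment(domain)
    result.findings.extend(assess_spf(spf_record))
    result.findings.extend(assess_dmarc(dmarc_record))
    return result


# Constructed sample records for two fictitious domains: one weak, one hardened.
WEAK = ("weak.example",
        "v=spf1 include:_spf.mail.example +all",
        "v=DMARC1; p=none; pct=50")
HARDENED = ("hardened.example",
            "v=spf1 include:_spf.mail.example -all",
            "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@hardened.example")

if __name__ == "__main__":
    for dom, spf, dmarc in (WEAK, HARDENED):
        result = assess_domain(dom, spf, dmarc)
        print(f"{dom}: {'WEAK' if result.weak else 'ok'}")
        for finding in result.findings:
            print("  -", finding)
```

Run against the constructed records, weak.example produces four findings (+all, p=none, pct=50, no rua) and hardened.example none. The check is deliberately local and offline; it does not follow include: chains, so the lookup count is a lower bound on what a receiver will perform.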

The limited technical detail in this report constrains any assessment of threat actor sophistication. Follow-up analysis should establish whether the campaign uses a known phishing-as-a-service platform, employs custom infrastructure, or mirrors the tactics of a known group. Until indicators of compromise are disclosed, the report's utility to defenders is limited to the sector-level warning above.
