Summer of Siege: A Deep Dive into the Breaches, Attacks, and Ransomware of 2025


Summer 2025 will be remembered as a pivotal season in cybersecurity—a period when the theoretical threats of tomorrow became today's stark reality. It was a summer defined by unprecedented collaboration between cybercriminal gangs, relentless nation-state espionage campaigns targeting critical infrastructure, and the undeniable arrival of weaponized Artificial Intelligence.

For organizations across the globe, the events of the past three months have redrawn the security perimeter and served as a harsh lesson in the interconnected nature of modern risk. This is the definitive rundown of the breaches, attacks, and ransomware that marked the Summer of Siege.

The Great Supply Chain Breach: The ShinyHunters & Salesforce Campaign

The most widespread and impactful story of the summer was a masterclass in supply chain attacks, orchestrated by the notorious hacking collective ShinyHunters. Instead of targeting companies directly, the group went after a common, trusted link: third-party Software-as-a-Service (SaaS) platforms, primarily Salesforce and the integrated AI chatbot Salesloft Drift.

The attack vector was classic, yet brutally effective: a sophisticated social engineering campaign. Hackers impersonated IT support staff, tricking employees at various companies into granting them access to their corporate Salesforce instances. Once inside, they used a malicious data-loading application to exfiltrate massive volumes of business contact information.
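The defensive counterpart to the technique described above is spotting the moment a newly authorized third-party application starts pulling far more records than a legitimate integration would. The following is an added example, not code from this article or from Salesforce; it runs over a constructed, simplified audit log (the field layout is an assumption, not any vendor's real log format) and flags apps that perform bulk exports within a short window of being connected, which is the pattern a social-engineered "data loader" leaves behind.

```python
"""Flag bulk exports by recently authorized SaaS apps.

Added, defender-side example: the event tuples below are constructed and the
log layout is an assumption, not Salesforce's (or any vendor's) real audit
format. The logic is what matters: a connected app that is authorized and then
immediately exports a large volume of records is the footprint of a
social-engineered "data loader" and deserves an alert.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: (timestamp, user, app, event, record_count).
# "Data Loader X" is the suspicious case: authorized, then three large
# exports within minutes. "Sync Service" is a long-standing integration.
SAMPLE_EVENTS = [
    ("2025-06-10T09:00:00", "alice", "Reporting Tool", "APP_AUTHORIZED", 0),
    ("2025-06-10T09:05:00", "alice", "Reporting Tool", "BULK_QUERY", 500),
    ("2025-06-10T09:06:00", "alice", "Reporting Tool", "BULK_QUERY", 800),
    ("2025-06-12T14:00:00", "bob", "Data Loader X", "APP_AUTHORIZED", 0),
    ("2025-06-12T14:02:00", "bob", "Data Loader X", "BULK_QUERY", 50000),
    ("2025-06-12T14:03:00", "bob", "Data Loader X", "BULK_QUERY", 75000),
    ("2025-06-12T14:04:00", "bob", "Data Loader X", "BULK_QUERY", 60000),
    ("2025-04-01T08:00:00", "carol", "Sync Service", "APP_AUTHORIZED", 0),
    ("2025-06-12T15:00:00", "carol", "Sync Service", "BULK_QUERY", 200000),
]


def parse_ts(value):
    """Parse the ISO-8601 timestamp used in the constructed log."""
    return datetime.fromisoformat(value)


def find_suspicious_exports(events, window_hours=24, record_threshold=100000):
    """Return [(user, app, total_records)] for every (user, app) pair whose
    bulk exports within window_hours of the app's authorization exceed
    record_threshold records.

    Exports by apps authorized outside the window are ignored here: those
    belong to a separate baseline check, since an established integration
    should be compared against its own historical volume, not a fixed cap.
    """
    authorized_at = {}
    totals = defaultdict(int)
    # ISO timestamps sort correctly as strings, so ordering by ts is safe.
    for ts, user, app, event, count in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        key = (user, app)
        if event == "APP_AUTHORIZED":
            authorized_at[key] = t
        elif event == "BULK_QUERY":
            auth = authorized_at.get(key)
            if auth is None or t - auth > timedelta(hours=window_hours):
                continue  # not a newly connected app; out of scope here
            totals[key] += count
    return [(u, a, n) for (u, a), n in totals.items() if n > record_threshold]


if __name__ == "__main__":
    for user, app, total in find_suspicious_exports(SAMPLE_EVENTS):
        print(f"ALERT: {app} (authorized by {user}) exported {total} records "
              f"shortly after being connected")
```

Tune `window_hours` and `record_threshold` to the tenant: a 24-hour window with a six-figure cap catches the "authorize, then drain" pattern without paging on a new reporting tool that pulls a few thousand rows. The check is deliberately narrow; pair it with an inventory of which connected apps and OAuth grants exist at all, since an app nobody in IT recognizes should never reach the export stage.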

The Victims: The list of confirmed victims reads like a who's who of the tech and business world, demonstrating the cascading effect of a single supply chain compromise:

  • Tech Giants: Google and Cisco.
  • HR & Staffing: Workday and Manpower.
  • Credit & Finance: TransUnion.
  • Travel & Telecom: Air France-KLM.
  • Cybersecurity Firms: In a deeply ironic twist, security leaders like Proofpoint, SpyCloud, Tanium, Palo Alto Networks, and Zscaler all confirmed their data was accessed via this third-party breach.

The Fallout: While much of the exfiltrated data consisted of business contacts rather than sensitive consumer PII, the breach represents a massive intelligence coup for the attackers. This information is now being actively used to fuel hyper-targeted phishing and espionage campaigns, with the attackers holding a verified map of corporate relationships and contacts.

Nation-State Alert: China's Two-Pronged Cyber Offensive

While financially motivated criminals dominated the headlines, nation-state activity reached a new level of concern. A joint advisory from the U.S. and 12 allied nations exposed two massive, ongoing campaigns attributed to Chinese state-sponsored actors:

  1. "Salt Typhoon": A global espionage campaign focused on intelligence gathering. This group has infiltrated telecommunications, government, and military networks across the world by exploiting known vulnerabilities in routers and other network appliances to maintain quiet, long-term persistence.
  2. "Volt Typhoon": A far more alarming campaign focused on pre-positioning within U.S. critical infrastructure. This group has been observed gaining access to systems controlling power grids, water treatment facilities, and transportation networks. The strategic goal appears to be the ability to disrupt essential services in the event of a geopolitical conflict, turning cyberspace into a tangible battleground.

Ransomware Roundup: High-Profile Takedowns and AI's Debut

Ransomware remained a constant, disruptive force throughout the summer, with several high-profile incidents and the emergence of game-changing technology.

Jaguar Land Rover Grinds to a Halt

In August, luxury automaker Jaguar Land Rover suffered a devastating cyberattack that crippled its global manufacturing and retail operations. The attack disrupted production lines and dealer systems, forcing a near-total shutdown. A group calling itself "Scattered Lapsus$ Hunters" claimed responsibility, signaling a chilling collaboration between the highly effective social engineering group Scattered Spider and the data extortion experts ShinyHunters and Lapsus$.

Akira Exploits Suspected SonicWall Zero-Day

The Akira ransomware group was observed successfully breaching numerous organizations by targeting their SonicWall firewall devices. The attacks were notable for bypassing multi-factor authentication (MFA), leading researchers to conclude the group was likely exploiting a zero-day vulnerability in the SSL VPN service.

The First AI-Powered Ransomware: "PromptLock"

Perhaps the most forward-looking development of the summer was the discovery of "PromptLock," the first known proof-of-concept ransomware to be powered by AI. Researchers found that this malware uses large language models (LLMs) to generate malicious encryption and data exfiltration scripts in real time. Because the generated scripts vary from run to run, traditional signature-based security tools have great difficulty detecting and stopping it. While still in its early stages, PromptLock represents the beginning of a new, more intelligent era of malware.

Other Notable Ransomware Events:

  • Warlock Ransomware hit European telecom giants Orange SA and Colt Technology Services, exfiltrating and leaking gigabytes of corporate data.
  • DaVita, a major U.S. kidney dialysis provider, confirmed a ransomware attack that exposed the personal and health information of 2.7 million people.
  • The credit reporting agency TransUnion disclosed a breach affecting 4.4 million customers.

Key Takeaways from a Summer Under Siege

Summer 2025 was not just another season of cyberattacks; it was an inflection point. The key lessons for every organization are clear:

  1. Your Supply Chain is Your Attack Surface: The ShinyHunters campaign proved that your security is only as strong as your most vulnerable SaaS integration. Rigorous third-party risk management is no longer optional.
  2. Social Engineering is King: The most damaging attacks of the summer began not with a sophisticated exploit, but with a simple, convincing phone call or email. The human element remains the most critical line of defense.
  3. AI is Here, and It's Not Friendly: The weaponization of AI is accelerating. Organizations must now plan for threats that are more adaptive, intelligent, and scalable than ever before.
  4. Patching is Non-Negotiable: While advanced threats emerged, many successful attacks—including those by nation-states—still relied on exploiting old, unpatched vulnerabilities in common devices like routers and firewalls.

The events of this summer have set a new, more dangerous baseline for the global threat landscape. The convergence of collaborative cybercrime, nation-state ambitions, and weaponized AI demands a more proactive, intelligent, and resilient approach to cybersecurity.
