ctipilot.ch

Public administration and government

From CTI Weekly Summary — 2026-W20 (May 11 – May 17, 2026) · published 2026-05-17

Three operator clusters shaped this week's public-administration / government sector pattern. Secret Blizzard / Turla (FSB Centre 16) evolved Kazuar into a three-module P2P botnet; Microsoft Threat Intelligence's 2026-05-14 analysis documents historical targeting of government and diplomatic-sector organizations in Europe and Central Asia (Microsoft Security Blog; daily 2026-05-16). FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned) was documented by ESET on 2026-05-14 with Polish, Lithuanian, and Ukrainian governmental, industrial, healthcare, and logistics targets in scope; the geofenced PDF → PicassoLoader JS → Cobalt Strike chain reuses CVE-2024-42009 (Roundcube XSS) for Polish targets (ESET WeLiveSecurity; The Hacker News; daily 2026-05-15). GTIG's UNC6671 "BlackFile" (daily 2026-05-16) runs a vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration chain, taking 1M+ files per victim across mixed-sector victims including public-administration entities; the DLS-shutdown signal indicates a probable rebrand and is the watch-item for 2026-W21 (daily 2026-05-16).

The Swiss-specific signal worth flagging: the Sophos 2026 State of Identity Security report (covered daily 2026-05-15) records Switzerland as the country with the highest identity-breach incidence globally in the survey's reporting period; the same daily reports energy as the hardest-hit sector in CH. The Sophos data corroborates the Secret Blizzard / FrostyNeighbor / UNC6671 public-administration pattern: identity-protocol abuse (Kerberos pre-auth, OAuth device-code, AiTM session-token theft) is the common pivot across all three operators and matches the identity-to-ransomware pipeline Sophos surfaces at 67% of cases (see § 6) (Sophos blog; daily 2026-05-15).
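The three identity pivots named above (device-code sign-ins, rogue MFA registration after session-token theft, programmatic SharePoint bulk download) are each detectable from tenant sign-in, audit and file-access telemetry. The script below is an added detection sketch written for this brief; it is not code from ctipilot.ch, Sophos, GTIG or Microsoft. It runs over a constructed, deliberately simplified event schema (the field names `kind`, `user`, `ip`, `protocol`, `session`, `method` are assumptions for the example, not the real Entra ID or SharePoint log fields), and the user names, IPs, per-user IP baseline and thresholds are likewise constructed.

```python
"""Detection sketch for the identity-protocol pivots named in the brief.

Input: constructed, simplified events (NOT the real Entra ID / SharePoint
schema). Each event is a dict with a 'kind' and a few attributes.
Detections, one per pivot:
  1. device_code_from_new_ip : OAuth device-code sign-in from an IP the user
     has no baseline for (device-code phishing pattern).
  2. rogue_mfa_registration  : MFA method added shortly after a sign-in from
     a non-baseline IP (rogue MFA enrolled on a stolen AiTM session).
  3. bulk_sharepoint_download: a single session fetching more files within
     a sliding window than a normal interactive user would.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2026, 5, 12, 8, 0)  # constructed reference time

# Constructed baseline: IPs each user has been seen from (e.g. a 30-day lookback).
BASELINE_IPS = {
    "a.bernard@example.ch": {"198.51.100.10"},
    "b.meier@example.ch": {"198.51.100.11"},
}

# Constructed events: one compromised user (a.bernard) and one benign user (b.meier).
EVENTS = [
    {"ts": T0, "kind": "signin", "user": "b.meier@example.ch",
     "ip": "198.51.100.11", "protocol": "browser"},
    {"ts": T0 + timedelta(minutes=1), "kind": "signin", "user": "a.bernard@example.ch",
     "ip": "203.0.113.7", "protocol": "deviceCode"},
    {"ts": T0 + timedelta(minutes=12), "kind": "mfa_register",
     "user": "a.bernard@example.ch", "method": "phoneAppNotification"},
    {"ts": T0 + timedelta(minutes=15), "kind": "mfa_register",
     "user": "b.meier@example.ch", "method": "fido2"},  # no new-IP sign-in before it
]
# Benign: b.meier opens a handful of files.
for i in range(3):
    EVENTS.append({"ts": T0 + timedelta(minutes=20 + i), "kind": "file_download",
                   "user": "b.meier@example.ch", "session": "sess-b1", "file": f"doc{i}.docx"})
# Exfiltration-like: a.bernard's session pulls 600 files in five minutes.
for i in range(600):
    EVENTS.append({"ts": T0 + timedelta(minutes=40, seconds=i * 0.5), "kind": "file_download",
                   "user": "a.bernard@example.ch", "session": "sess-01", "file": f"file{i}.pdf"})
EVENTS.sort(key=lambda e: e["ts"])


def device_code_from_new_ip(events, baseline):
    """Device-code sign-ins whose source IP is not in the user's baseline."""
    return [(e["user"], e["ip"]) for e in events
            if e["kind"] == "signin" and e["protocol"] == "deviceCode"
            and e["ip"] not in baseline.get(e["user"], set())]


def rogue_mfa_registration(events, baseline, window=timedelta(minutes=30)):
    """MFA methods registered within `window` after a sign-in from a non-baseline IP."""
    recent = defaultdict(list)  # user -> [(ts, ip)] of suspicious sign-ins
    hits = []
    for e in events:  # events are time-ordered, so sign-ins are seen before registrations
        if e["kind"] == "signin" and e["ip"] not in baseline.get(e["user"], set()):
            recent[e["user"]].append((e["ts"], e["ip"]))
        elif e["kind"] == "mfa_register":
            for ts, ip in recent[e["user"]]:
                if timedelta(0) <= e["ts"] - ts <= window:
                    hits.append((e["user"], ip, e["method"]))
                    break
    return hits


def bulk_sharepoint_download(events, threshold=500, window=timedelta(minutes=10)):
    """Sessions whose peak download count inside any `window` exceeds `threshold`."""
    per_session = defaultdict(list)
    for e in events:
        if e["kind"] == "file_download":
            per_session[(e["user"], e["session"])].append(e["ts"])
    hits = []
    for (user, session), times in per_session.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits.append((user, session, peak))
    return hits


def run_all(events=EVENTS, baseline=BASELINE_IPS):
    """Return all findings keyed by detection name."""
    return {
        "device_code_new_ip": device_code_from_new_ip(events, baseline),
        "rogue_mfa": rogue_mfa_registration(events, baseline),
        "bulk_download": bulk_sharepoint_download(events),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(f"{name}: {findings}")
```

The three detections are intentionally independent; in a real pipeline the value comes from correlating them on the same user within an hour, which is the shape of the UNC6671 chain described above, and from feeding the IP baseline from a genuine lookback rather than a static dict.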