Cyber Europe 2026 — first EU-wide test of 2025 EU Cyber Blueprint and first live activation of the EU Cybersecurity Reserve

The public sector again carried the highest concentration of operationally severe items. France's sovereign Tchap messenger breach (§ 5) struck the French civil service directly; NCSC-CH's Week 23 report documented a coordinated surge in job-seeker targeting against Swiss residents — fake interviews, reshipping identity theft, and LinkedIn-to-GitHub infostealer delivery (NCSC-CH; daily 06-10); and ENISA ran its biennial Cyber Europe 2026 exercise (10–11 June), testing the revised EU Cyber Blueprint and triggering the first live activation of the EU Cybersecurity Reserve (ENISA; daily 06-14). The pattern for a Swiss/EU public-sector SOC: the threats are arriving through identity and through suppliers, and the EU's collective-response machinery is being stress-tested precisely because that is where the pressure is.

The eighth edition of ENISA's biennial Cyber Europe exercise ran on 10–11 June and put the 2025 EU Cyber Blueprint to the test alongside the first exercise activation of the EU Cybersecurity Reserve established under the Cyber Solidarity Act (ENISA, 2026-06-11). More than 5,000 participants from national cybersecurity agencies, EU institutions, the private sector and partner countries — including Switzerland, the UK, Norway and Ukraine — worked through a multi-stage scenario in which attacks on interconnected European rail and maritime transport networks escalated into a declared cross-border cyber crisis (Brussels Morning, 2026-06-11). The drill exercised the Reserve's standard operating procedure — the pathway by which a Member State CSIRT can request pre-vetted incident-response services and ENISA activates them within hours — and the political-level escalation procedures of the Blueprint.

Why it matters to us: Swiss federal defenders (BACS/NCSC-CH) took part as a partner country, and the scenario (ransomware against cross-border transport OT layered with disinformation) maps directly onto the threat picture in ENISA's NIS360 and NCSC-CH's mandatory-reporting data. Knowing the Reserve activation pathway — who can invoke it, the severity threshold, and the hours-scale SOP — is the operational takeaway for anyone who might one day need EU-level surge support during a major incident.

UPDATE (originally covered 2026-W23 weekly): 11 June 2026 is the CRA's first mandatory operational milestone: under Chapter IV, member states must have designated the national authority responsible for notifying conformity-assessment bodies (CABs) for higher-risk product classes (European Commission, 2026-06-10). This is the upstream gate for the September 2026 incident-reporting obligations (Article 14) and full CRA applicability in December 2027; manufacturers of Class II/III products can now begin engaging notified CABs.

No Commission communiqué naming specific member-state designations had been published as of this brief — the confirmed fact is the regulatory deadline itself. Public-sector procurement of connected devices is directly downstream of this milestone. [SINGLE-SOURCE]

Proofpoint reported this week that TA4922, a Chinese-speaking financially-motivated cluster running the highest campaign tempo of any cybercrime actor Proofpoint tracks, pivoted in March–April 2026 to localised campaigns against German, UK, Italian and South African organisations (The Hacker News, 2026-06-04; BleepingComputer, 2026-06-04; daily 2026-06-05). Native-language tax-authority, HR/payroll and invoice lures now pair the known ValleyRAT (Winos 4.0) with newly observed Atlas RAT (C-based), RomulusLoader, and SilentRunLoader (Python infostealer targeting Chrome credentials). A notable TTP shift: conversations are moved to LINE, WhatsApp and Microsoft Teams before payload delivery, pulling targets off enterprise email controls. DACH public-sector and finance staff are in direct scope. Hunt for DLL side-loading chains where AnyDesk/SyncFuture load from unexpected user-profile paths, for Python processes reaching Chrome DPAPI, and for unsolicited inbound contact on Teams/WhatsApp that pivots to a "document."

On 27 May 2026 the German Federal Cabinet adopted the Gesetzentwurf zur Stärkung der Cybersicherheit, now proceeding to Bundestag (German Federal Government, 2026-05-27; Digital Watch Observatory, 2026-05-31). The law grants: the BKA and Bundespolizei authority to shut down or disrupt attacker-controlled infrastructure including servers located outside Germany, reroute data traffic, and collect/modify/delete data on foreign systems; the BSI expanded authority to collect threat-preparation data and require telecoms and major platforms to relay BSI threat warnings to end users. Interior Minister Dobrindt: "In future, we will target the attacker, their servers, their software and their strategy." Personnel implications: BKA +264, Bundespolizei +90, BSI +21 positions by 2030. Civil-society analysis flags constitutional concerns (Basic Law, cross-border state action, jurisdictional conflict with Länder). For DACH/EU defenders: (a) once enacted, telecoms/platform operators gain a new duty-to-relay obligation for BSI warnings; (b) the law sets a precedent for EU active-cyberdefence norms that Swiss forthcoming cyber-resilience legislation (draft expected autumn 2026) will need to address.

Proofpoint reports that TA4922, a Chinese-speaking, financially-motivated cluster it assesses as running the highest campaign tempo of any cybercrime actor it tracks, expanded in March–April 2026 from its historical Japanese focus to localised campaigns against UK, German, Italian and South African organisations (The Hacker News, 2026-06-04; BleepingComputer, 2026-06-04). Lures are carefully tailored in the target's native language — tax-authority, HR/payroll and invoice themes — and the toolkit now pairs the known ValleyRAT (Winos 4.0) with newly observed families: Atlas RAT (a C-based RAT) and RomulusLoader, which DLL-side-loads (T1574.002) AnyDesk and SyncFuture, plus SilentRunLoader, a Python infostealer pulling Chrome credentials and cookies (T1555.003). A notable TTP shift is the deliberate move of conversations to LINE, WhatsApp and Microsoft Teams to pull targets off enterprise email controls before payload delivery.

Why it matters to us: German and UK targeting with native-language tax/payroll lures puts DACH public-sector and finance staff squarely in scope. Hunt for DLL side-loading chains where trusted binaries (AnyDesk, SyncFuture) load from unexpected working directories, for Python processes reaching DPAPI / Chrome credential stores, and for unsolicited inbound contact on LINE/WhatsApp/Teams that pivots to a "document" — the out-of-band channel is where the email gateway loses visibility.

On 2026-06-01 Switzerland's National Cyber Security Centre published a pre-event advisory warning that the G7 summit in Évian (France, 15–17 June) is a high-value target and that it "expects disruptive maneuvers in cyberspace again" (NCSC Switzerland, 2026-06-01). Although the summit sits on French soil, most delegations transit Geneva Airport and lodge on the Swiss side (Geneva, Vaud, Valais), putting Swiss federal and cantonal administrations, conference-linked suppliers, and Swiss telecom operators in the blast radius. An independently published threat map for the event frames the expected activity against the template of the 2024 Bürgenstock summit, when the pro-Russia hacktivist collective NoName057(16) ran DDoS waves against Swiss federal sites and conference-linked organisations on each summit day; the same map additionally flags state intelligence collection against hotel and telecom infrastructure, rogue-base-station cellular interception, and social-engineering against event staff as plausible vectors (ZENDATA Cybersecurity, 2026-05-03). The NCSC advisory itself recommends generic protective measures and DDoS preparedness for organisations linked to the event.

Why it matters to us: Organisations operating in the Geneva–Vaud corridor and Swiss federal/cantonal SOCs should pre-stage DDoS mitigation playbooks now, review MFA on customer-facing identity providers, rotate administrative credentials before the event window, and brief travelling staff on mobile-device physical security; hunt for anomalous authentication spikes from the summit region and unexpected reattachment events in MDM/MDM-adjacent telemetry around 15–17 June.

The German federal cabinet approved the Cybersicherheitsstärkungsgesetz (Law to Strengthen Cybersecurity) on 2026-05-27, granting three federal agencies — the Bundeskriminalamt (BKA), the Bundesamt für Sicherheit in der Informationstechnik (BSI) and the Bundespolizei — new authority to conduct what the government frames as active cyber defence rather than offensive hackback (Heise Security, 2026-05-27; onvista / dpa, 2026-05-27; t-online, 2026-05-27). Under the law the agencies may redirect attacker-controlled traffic, selectively intervene in IT systems used to attack Germany, delete or modify data on attacker servers, and shut down dangerous C2 nodes — explicitly including foreign infrastructure. Interior Minister Alexander Dobrindt (CSU) positioned the measure as active cyber defence targeting attacker command-and-control infrastructure rather than retaliatory hackback. The bill funds the order of 350 new positions across the three agencies and approximately €50 million per year in personnel and material (per onvista/dpa; t-online reports a smaller initial figure — see § 7). The Bundesverband der Deutschen Industrie (BDI) and civil-society voices warned of collateral-damage risk on shared hosting and VPN servers and flagged constitutional concerns. The bill next proceeds to the Bundestag; it does not yet have force of law.

Why it matters to us: German LE gaining the legal authority to sinkhole, redirect, or disable attack infrastructure will change the threat-intel attribution picture across Europe. SOC managers should expect that unexplained C2 outages on Germany-adjacent hosting may be LE action rather than malware infrastructure rotation. Threat-intel teams tracking takedown patterns should add de.bka, de.bsi, de.bpol as expected actors in the takedown attribution stack alongside CrowdStrike Counter Adversary Operations, Microsoft DCU and Europol.

The German federal cabinet approved the Cybersicherheitsstärkungsgesetz (Cyber Security Strengthening Act) on 2026-05-27 — the daily caught the Heise news hit; the primary government sources confirm the substance and, importantly, that it is a draft bill still requiring Bundestag passage and is not yet in force. Per the government's framing, it shifts the state from purely defending the target to acting directly against the attacker — "their servers, their software and their strategy" — with the BSI, BKA and Bundespolizei among the bodies gaining expanded authority to detect and counter large-scale, high-damage attacks (the announcement does not break the new powers down per agency in technical detail). For CH/EU defenders the watch item is the cross-border incident-response implication: once in force, German-authority active operations against infrastructure that may be hosted in or transit other jurisdictions raise coordination and deconfliction questions for any SOC running IR across the DACH region. Track the Bundestag passage; nothing changes operationally until it lands.

The Cyber Resilience Act reaches its first hard operational milestones. By 11 June 2026 (Chapter IV entry into application) member states must designate the national notifying authorities that assess and register conformity-assessment bodies for products with digital elements in the "important" and "critical" classes; until enough CABs are notified into NANDO (expected through December 2026), third-party conformity assessment cannot proceed at scale. From 11 September 2026 the Article 14 reporting obligations begin — manufacturers must report actively-exploited vulnerabilities and severe incidents via the ENISA Single Reporting Platform. For public-sector procurement teams this is a near-term planning input: factor CRA conformity status into product-selection criteria now, because the certification pipeline it depends on is only just being stood up.

INTERPOL announced on 2026-05-18 the completion of Operation Ramz — described as the first cyber operation of its scale coordinated by INTERPOL specifically targeting the MENA region — running October 2025 through 2026-02-28 across 13 countries (Algeria, Bahrain, Egypt, Iraq, Jordan, Lebanon, Libya, Morocco, Oman, Palestine, Qatar, Tunisia, UAE) (INTERPOL, 2026-05-18; The Hacker News, 2026-05-18; Help Net Security, 2026-05-18). Outcomes: 201 arrests, 382 further suspects identified, 3,867 victims, 53 servers seized, ~8,000 intelligence data points disseminated. Algerian authorities dismantled a phishing-as-a-service operation, seizing a server, computer and hard drives containing phishing software and scripts. Moroccan police seized devices with banking data and phishing tooling; Omani investigators identified a residential server with active malware infection. Jordanian police rescued 15 human-trafficking victims who had been coerced into running cybercrime operations — the same forced-labour-to-cyber-scam pipeline documented in Southeast Asian fraud compounds. Industry partners: Group-IB, Kaspersky, Shadowserver Foundation, Team Cymru, TrendAI. The operation is partially funded by the EU and Council of Europe under the CyberSouth+ project.

Why it matters to us: MENA-based PhaaS kits routinely target EU banking customers and EU payment rails (SEPA-Inst flagging, IBAN-based phishing lures); the disruption reduces commodity-kit availability and the Shadowserver / Group-IB intelligence shared via the operation will surface in NCSC / BSI / NCSC-CH advisories over the coming weeks. The trafficking-to-scam pipeline confirmed in Jordan is the same operator model EUROPOL has been mapping for fraud-compound disruption.

If you did nothing this week: Swiss and DACH healthcare operators with internet-exposed Cisco ASA / FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces — Akira's documented edge-device initial-access targets — face the same playbook used here. Groupe 3R confirmed the attack on its own website 2026-04-30, filed a criminal complaint, notified the Federal Office for Cybersecurity (BACS/OFCS), and explicitly stated it will not pay ransom; Akira's leak-site listing on approximately 2026-05-08 claims 48 GB exfiltrated including employee identity documents, patient records, payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07 · daily 2026-05-10).

Groupe 3R (Réseau Radiologique Romand) operates ~20 medical-imaging centres across seven Swiss cantons listed in the operator statement (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne — six in Romandie — plus Zürich in German-speaking Switzerland) — a direct Swiss critical-health-infrastructure incident, and the operator's second cyberattack within twelve months (the prior April 2025 incident is acknowledged in the operator's own statement as having involved different attackers and methodology). Legacy examination data remains inaccessible at week-end; new examination data security has been restored on rebuilt infrastructure. Data-exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. Akira's documented playbook against European healthcare and SME targets emphasises edge-device initial access (Cisco ASA/FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics — observed ATT&CK techniques include T1190, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service. Defenders should re-validate patch state on the edge devices in Akira's standard target list, confirm EDR rules trigger on intermittent-encryption write-skip-write file-IO patterns, and verify radiology-modality VLAN segmentation from corporate Active Directory — PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. The Akira-as-actor attribution comes from ransomware.live (aggregator), not from the victim or an independent primary; logged with confidence HIGH on incident, MEDIUM on actor.

Dragos's 8th annual OT industrial-IR retrospective (covered 2026-05-08) is the week's most directly actionable annual-report reference for Swiss / EU CI operators reading after the Polish water OT attribution: Dragos's blog announcement records that 65 percent of sites assessed had insecure remote-access conditions, including default credentials, unpatched VPNs, and exposed RDP sessions, and that many organisations believe they have proper IT/OT network segmentation while routine penetration tests reveal hidden connections. The report's NIS2 Annex-I compliance discussion directly contextualises the ABW 2025 Annual Report observation (§ 4) that the five Polish water-treatment facilities fell below the NIS2 essential-entity threshold and that legislative action is being considered to extend NIS2 obligations to critical-function entities regardless of headcount. The IEC 62443 zoning and conduit model is the recommended remediation reference architecture; the Swiss NCSC sector-specific ICS guidance (SARI framework) is the equivalent CH-side baseline. The defender lesson from the Dragos AI-assisted water utility attack item (2026-05-07) lands in the same line: AI tooling is progressively reducing the technical bar for OT-targeting attacks; prevention-only OT security strategies are inadequate as primary defences (daily 2026-05-08, daily 2026-05-07 — AI-assisted ICS attack).

The European Commission's 20 January 2026 cybersecurity package bundles a targeted NIS2 amendment (COM(2026) 13) with a new Cybersecurity Act 2 (CSA2). Public-feedback period closed 22 April 2026 — the package is now in the European Parliament preparatory phase, with political agreement targeted for early 2027. Key NIS2-amendment changes obligations-relevant to Swiss / EU public-sector SOCs: (1) scope expansion to submarine data-transmission infrastructure (SDTI) operators and European Digital Identity Wallet providers as essential entities; (2) mandatory ransomware reporting — competent authorities can demand whether a ransom was paid, to whom, and how much, when a reported incident involves ransomware; (3) Article 21 harmonised technical requirements at Commission level create a regulatory ceiling, blocking member states from adding further technical obligations — meaning an EU certification scheme can demonstrate compliance portably; (4) new Article 7(2)(k) mandates member-state PQC transition policies aligned with the 2030 (critical uses) / 2035 (medium/low uses) roadmap — the first time post-quantum is an explicit named NIS2 obligation rather than implied "state of the art" interpretation (DLA Piper, 2026-02-16 · Skadden, 2026-03-27 · PostQuantum.com — EU PQC NIS2, 2026-02-13).

CSA2 introduces the EU's first horizontal ICT supply-chain security framework: the Commission designates "key ICT assets" used by NIS2-essential entities, identifies high-risk supplier countries, and may prohibit or restrict their components in those assets — directly analogous to 5G supply-chain restrictions, now extended to all essential sectors. ENISA's budget rises 75%+ and it takes on operational functions including the European Vulnerability Database (EUVD), early-warning publication, and the CRA Single Reporting Platform (SRP) — live 11 September 2026 (Covington — Cybersecurity Act 2, 2026-01-23). What defenders need to do differently: (1) inventory current "state of the art" cryptography claims that relied on implicit NIS2 interpretation — the explicit PQC Article creates a documented compliance gap supervisors can cite in audit findings; (2) plan for SRP single-report submission flow ahead of 11 September 2026 — public-sector and vendor PSIRTs operating in NIS2-essential categories will be expected to publish through this channel rather than parallel-submit to member-state CSIRTs; (3) ransomware playbooks should anticipate the documentation question chain on payment-or-not, intermediary used, amount transferred. NIS2 amendment requires 12-month transposition; CSA2 applies directly.

A six-publisher investigative consortium (The Insider, The Guardian, Le Monde, Der Spiegel, VSquare, Frontstory) published more than 2 000 leaked internal documents from Bauman Moscow State Technical University on 2026-05-07 detailing a structured GRU recruitment-and-training pipeline operating under the cover of "Department No. 4 — Special Training" (Meduza (English), 2026-05-07 · The Guardian, 2026-05-07 · Le Monde, 2026-05-07 · Der Spiegel, 2026-05-07 · heise online, 2026-05-07). Each year 10–15 graduates are placed directly into Russian military intelligence units. The 144-hour core curriculum, labelled in the documents "Countering Technical Intelligence", covers password attacks, CVE-driven exploitation using Metasploit against US DoD network architectures by name, custom trojan development, DDoS methodologies, penetration testing against Western targets, computer-virus construction, and propaganda/manipulation training. Candidates are physically assessed at a mandatory training camp; each placement requires explicit GRU approval.

The leaked assignment records explicitly link graduates to GRU Unit 74455 (Sandworm / VoodooBear — responsible for the 2015–2016 Ukraine power-grid attacks, 2017 NotPetya global wiper, and 2023 Kyivstar telecom outage) and to APT28 (Fancy Bear — responsible for the 2016 Bundestag hack and the 2017 Macron campaign breach, with continuing 2025–2026 activity against EU government and election-adjacent targets). For European defenders the salient operational point is that the curriculum trains specifically against Western and US-DoD topologies — meaning the training pipeline is producing operators whose default mental model of a target network is a NATO-aligned environment, not a generic enterprise. The investigation does not change short-term defensive priorities but reframes the long-running attribution debate: GRU cyber units are not ad-hoc-recruited contractors, they are graduates of a structured technical-intelligence training stream with measurable annual throughput.

Flare researcher Assaf Morag documented PamDOORa, a Linux post-exploitation backdoor implemented as a malicious Pluggable Authentication Module targeting x86_64 systems, offered for sale on the Rehub Russian-language cybercrime forum (Flare.io, 2026-05-07 · The Hacker News, 2026-05-08). Rather than replacing pam_unix.so (which would be immediately visible in lsmod output and PAM stack configuration), PamDOORa installs a separate pam_linux.so module, gaining privileged insertion into the authentication pipeline without triggering obvious tampering indicators. Capabilities: (1) SSH access via a magic-password and specific TCP port combination, bypassing standard credential validation; (2) credential harvesting — all cleartext passwords submitted by legitimate users authenticating through the system are XOR-encrypted and written to a dynamically-named file in /tmp; (3) anti-forensic log manipulation — lastlog, btmp, utmp, and wtmp are scrubbed to remove the attacker's authentication events. The vendor ("darkworm") listed it at $1,600 USD for source code, later reduced to $900, suggesting limited uptake. A prior PAM backdoor family (Plague, 2025) is the only other public comparator. Flare rates the seller's technical credibility as medium-to-high based on cross-forum persona analysis.

Detection concepts: diff /etc/pam.d/sshd (and all files under /etc/pam.d/) against a known-good baseline; audit for unexpected .so files in /lib/security/ or /usr/lib64/security/; monitor for SSH logins that produce no corresponding pam_unix syslog entries; alert on /tmp files with high-entropy filenames created at authentication time. The Sysmon Linux equivalent (auditd rules) should cover openat syscalls on PAM configuration files and write syscalls to /lib*/security/.

Dragos released its 2025 OT Cybersecurity Year in Review — Frontlines IR Edition synthesising findings from industrial incident response engagements. Key statistics: 81% of engagements identified no meaningful IT/OT network segmentation, with operational networks reachable directly from enterprise IT; initial access via internet-exposed remote access tools (internet-facing HMI, unprotected VPN termination, or engineering workstation RDP) was the dominant entry vector in 62% of cases; and 34% of confirmed OT intrusions progressed to the operational process level before detection. The report documents NIS2 Annex-I compliance gaps, noting that many essential OT-operating entities have not completed required asset inventory reviews, which the report identifies as the most common control weakness. The IEC 62443 zoning and conduit model is highlighted as the primary reference architecture for remediation. Relevant to Swiss organisations operating under NCSC sector-specific ICS guidance (SARI framework).