ctipilot.ch

Meta contempt complaint vs NSO Group over new WhatsApp spyware phishing

incident · incident:meta-nso-whatsapp-contempt

  • Coverage timeline: 1 (first 2026-06-09 → last 2026-06-09)
  • Briefs: 1 (1 distinct)
  • Sources cited: 172 (81 hosts)
  • Sections touched: 1 (active_threats)
  • Co-occurring entities: 8 (see Related entities below)

Story timeline

  1. 2026-06-09 · CTI Daily Brief — 2026-06-09
     active_threats · First coverage. Fresh one-click NSO phishing disrupted; Meta files federal contempt complaint over 2025 injunction violation; no E2E bypass.

Where this entity is cited

  • active_threats: 1

Source distribution

  • attack.mitre.org: 22 (13%)
  • bleepingcomputer.com: 12 (7%)
  • therecord.media: 9 (5%)
  • thehackernews.com: 9 (5%)
  • cloud.google.com: 8 (5%)
  • github.com: 7 (4%)
  • helpnetsecurity.com: 5 (3%)
  • theregister.com: 4 (2%)
  • other: 96 (56%)

Related entities

All cited sources (172)

Items in briefs about Meta contempt complaint vs NSO Group over new WhatsApp spyware phishing (9)

Oxford University CareerConnect (Group GTI) breach exposes students at multiple UK universities

From CTI Daily Brief — 2026-06-09 · published 2026-06-09

The University of Oxford disclosed a breach after Group GTI, the third-party provider of the CareerConnect career-services platform, reported its systems were compromised on 28 May 2026 (BleepingComputer, 2026-06-08; Oxford Careers Service, 2026-06-01). Exposed data includes student first names, last names and email addresses; for users who do not authenticate via institutional Single Sign-On, encrypted passwords were also taken. CareerConnect is used by Oxford, King's College London and the University of Manchester among others, so the breach spans multiple UK higher-education institutions (BleepingComputer, 2026-06-08); The Register notes further unnamed UK and overseas institutions are affected (The Register, 2026-06-06). GTI assessed the intrusion as credential-harvest oriented, raising the likelihood of follow-on phishing against institutional email addresses.

Defender takeaway: SSO adoption directly limited blast radius here — SSO users' passwords stayed with the identity provider, leaving only names and emails exposed. The case reinforces segregation of authentication credentials away from in-app stores and treating shared SaaS career/HR platforms as part of the institutional attack surface. Swiss Hochschulen using shared SaaS career portals should expect targeted phishing waves against the harvested address sets.

Meta files contempt complaint against NSO Group over fresh WhatsApp spyware phishing

From CTI Daily Brief — 2026-06-09 · published 2026-06-09

Meta disclosed it detected and disrupted a new spear-phishing campaign linked to NSO Group's Pegasus operation, and filed a federal contempt-of-court complaint arguing the activity violates the 2025 permanent injunction barring NSO from targeting WhatsApp or its users (Meta, 2026-06-08; CyberScoop, 2026-06-08). The campaign used one-click links sent to WhatsApp users that redirected them to external attacker-controlled websites — the same social-engineering pattern (T1566.002) tied to earlier NSO phishing chains; Meta states no WhatsApp protocol zero-day and no end-to-end-encryption bypass was involved (BleepingComputer, 2026-06-08). Meta removed test accounts and groups NSO created on the platform.

Why it matters to us: The threat vector is user-level social engineering, not platform exploitation — iOS Lockdown Mode and Android Advanced Protection both reduce the Pegasus delivery surface, and mobile-threat-defence monitoring of device-integrity attestation is the relevant control. NSO's confirmed customer base is governments and its targeting pattern (officials, journalists, activists) is documented across EU member states, keeping commercial-spyware exposure a standing concern for public-sector mobile fleets.

FBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails

From CTI Daily Brief — 2026-05-28 · published 2026-05-28

The FBI issued CSA 260526 on 2026-05-26 warning that Silent Ransom Group (SRG; tracked variously across cited sources as Luna Moth, Chatty Spider and UNC3753, with the Storm-0252 designation specifically referenced by CyberScoop) — a Russia-linked extortion-only gang that does not deploy ransomware — has escalated its campaign against US law firms by physically sending operatives into victim offices impersonating IT support when remote access attempts fail (CyberScoop, 2026-05-27; The Record, 2026-05-27; Help Net Security, 2026-05-27). The kill chain begins with callback phishing — an email or call pretexting urgent IT support with a callback number; on the call, the actor attempts to establish a remote desktop session. If the target resists, an associate physically visits the office and attempts to insert a USB storage device into a workstation. CyberScoop, citing the FBI, reports the group has claimed more than 100 attacks.

Defender takeaway: the in-person USB tactic is operationally unusual — it requires geographic proximity and a credible IT-impersonation persona, which suggests SRG maintains a roster of field operatives in US cities. European law firms with US counterpart offices or US client matters should treat themselves as in scope. Detection: USB-device-insertion events (Windows Security EID 6416 / Sysmon EID 6) on workstations, correlated with a callback-phishing precursor in mail-security telemetry and with an unfamiliar visitor in physical access logs; flag remote-desktop session initiation by non-IT accounts (EID 4624, Logon Type 10). Hardening: enforce Conditional Access requiring a compliant / managed device for all remote-desktop pathways; disable USB mass storage on user endpoints via Device Installation policy or EDR enforcement; require second-person authorisation at reception for any visitor claiming to be IT support.
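The correlation described in the detection paragraph above, written out as an added example (not part of the brief and not an FBI or vendor rule): USB-insertion events are raised only when a callback-phishing precursor for the same user or an "IT support" visitor sign-in precedes them, and Logon Type 10 sessions by accounts outside an assumed IT allow-list are flagged on their own. The pipe-delimited log format, the `IT_ACCOUNTS` set, the look-back windows and every log line are constructed for this example.

```python
"""Correlate USB-insertion events with a callback-phishing precursor and a
physical-visitor record, and flag remote-desktop logons by non-IT accounts.

Added example, not from the brief. The log lines are constructed and the
'timestamp|source|user|host|detail' layout is an assumption of this example.
"""
from datetime import datetime, timedelta

# Assumed: accounts permitted to open remote-desktop (Logon Type 10) sessions.
IT_ACCOUNTS = {"it-helpdesk", "svc-rmm"}

PHISH_LOOKBACK = timedelta(hours=72)   # callback-phish email before the USB event
VISITOR_LOOKBACK = timedelta(hours=4)  # "IT support" visitor sign-in before the USB event

# Constructed sample telemetry: mail security, reception visitor log,
# Windows Security (EID 6416 / 4624) and Sysmon (EID 6, driver load).
SAMPLE_LOG = """\
2026-05-27T09:02:11|mail|alice|ws-042|callback_phish_flag
2026-05-27T10:40:05|visitor|reception|-|visitor_signin purpose=IT_support
2026-05-27T10:52:30|winsec|alice|ws-042|EID=6416 class=USBSTOR
2026-05-27T10:53:01|winsec|alice|ws-042|EID=4624 logon_type=10
2026-05-27T11:15:00|sysmon|bob|ws-017|EID=6 driver=usbstor.sys
2026-05-27T11:30:00|winsec|it-helpdesk|ws-017|EID=4624 logon_type=10
"""


def parse(log_text):
    """Parse the pipe-delimited sample format into event dicts, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, source, user, host, detail = line.split("|", 4)
        fields = {}
        for token in detail.split():
            key, _, value = token.partition("=")
            fields[key if value else "event"] = value or key
        events.append({**fields, "ts": datetime.fromisoformat(ts),
                       "source": source, "user": user, "host": host})
    return sorted(events, key=lambda e: e["ts"])


def is_usb_insertion(ev):
    """USB-storage indicators as named in the brief: Security 6416, Sysmon 6."""
    if ev["source"] == "winsec" and ev.get("EID") == "6416":
        return ev.get("class", "").upper() == "USBSTOR"
    if ev["source"] == "sysmon" and ev.get("EID") == "6":
        return "usbstor" in ev.get("driver", "").lower()
    return False


def _within(later, earlier, window):
    return timedelta(0) <= later["ts"] - earlier["ts"] <= window


def correlate(events):
    phish = [e for e in events
             if e["source"] == "mail" and e.get("event") == "callback_phish_flag"]
    visitors = [e for e in events
                if e["source"] == "visitor" and e.get("purpose") == "IT_support"]
    alerts = []
    for ev in events:
        if is_usb_insertion(ev):
            phish_hit = any(p["user"] == ev["user"] and _within(ev, p, PHISH_LOOKBACK)
                            for p in phish)
            visitor_hit = any(_within(ev, v, VISITOR_LOOKBACK) for v in visitors)
            if not (phish_hit or visitor_hit):
                continue  # a lone USB insertion is logged, not alerted
            alerts.append({"rule": "usb_insertion_with_precursor",
                           "severity": "high" if phish_hit and visitor_hit else "medium",
                           "host": ev["host"], "user": ev["user"],
                           "ts": ev["ts"].isoformat()})
        elif (ev["source"] == "winsec" and ev.get("EID") == "4624"
              and ev.get("logon_type") == "10" and ev["user"] not in IT_ACCOUNTS):
            alerts.append({"rule": "rdp_logon_non_it_account", "severity": "medium",
                           "host": ev["host"], "user": ev["user"],
                           "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample, alice's insertion on ws-042 scores high (phishing precursor for her account plus an IT-support visitor 12 minutes earlier), bob's insertion on ws-017 scores medium (visitor only), and alice's Type 10 logon is flagged while the it-helpdesk one is not. The visitor check is site-wide rather than per-user because reception logs rarely record which desk a visitor was taken to; tighten it to building or floor if the access-control system exports that.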

Google's threat-intel group maps a Chinese-language PhaaS ecosystem doing real-time OTP relay over RCS/iMessage [SINGLE-SOURCE]

From CTI Daily Brief — 2026-05-26 · published 2026-05-26

Google Threat Intelligence Group published a teardown of around a dozen current Chinese-language phishing-as-a-service (PhaaS) offerings — case-studied through "YY Lai Yu" (YY来鱼) — whose shared headline capability is real-time OTP relay: a live operator admin panel captures the one-time code the victim types into a spoofed page and re-submits it on the genuine portal inside its validity window, completing the login and defeating TOTP- and SMS-based MFA without a classic reverse-proxy AiTM stack (Google Threat Intelligence Group, 2026-05-25). [SINGLE-SOURCE] — GTIG primary research at time of writing. Two delivery and evasion properties make it operationally distinct: lures ride RCS and iMessage, whose end-to-end encryption blocks carrier-level SMS content filtering (T1566.002); and the kits use Puppeteer-driven AI page cloning to emit per-campaign-unique HTML/JS that frustrates signature-based phishing detection. Captured card-plus-OTP material is immediately provisioned into contactless wallet tokens for high-value transactions (T1111 MFA interception). GTIG names Europe among explicitly targeted regions (alongside the Americas, Australia and the Middle East), notes targeting across 119 countries, and links UNC5814 to the Darcula PhaaS component; the infrastructure is rented, so victimology is buyer-driven rather than fixed to the Japan-heavy template library.

Why it matters to us: any CH/EU financial institution, e-government SSO portal or public-service login that relies on TOTP or SMS as its second factor is in scope — OTP relay neutralises both. FIDO2/WebAuthn (hardware keys or synced passkeys) removes the exposure entirely because the cryptographic assertion is bound to the legitimate origin and cannot be relayed; where FIDO2 cannot yet be deployed, bind the MFA validation to the original login session (IP/device) so a relayed OTP from a different ASN fails. Detection concept: correlate the IP/ASN seen at OTP issuance against the IP/ASN that consumes it within the SSO/IdP logs — an AiTM relay shows the victim's address on the phishing page and the operator's address on the real portal; alert on OTPs consumed seconds after issuance from a different ASN, and on contactless-wallet provisioning immediately following a credential submission from an unrecognised device.
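The detection concept above, as an added example rather than GTIG's or any IdP vendor's code: it pairs each successful OTP consumption with its issuance and alerts when the consuming ASN differs from the issuing one within a short window, and it separately alerts on contactless-wallet provisioning shortly after a login from an unrecognised device. The JSON-lines log, its field names (`otp_id`, `asn`, `device_known`, `card_last4`) and the two windows are constructed assumptions of this example.

```python
"""Detect relayed one-time codes and wallet provisioning after an
unrecognised-device login, from SSO/IdP logs.

Added example, not GTIG's or any vendor's code. The JSON-lines log is
constructed and its field names are an assumption of this example.
"""
import json
from datetime import datetime, timedelta

RELAY_WINDOW = timedelta(seconds=60)   # OTP consumed this soon after issuance
WALLET_WINDOW = timedelta(minutes=10)  # provisioning this soon after the login

# Constructed IdP log: m.keller's code is issued to one network and consumed
# from another seven seconds later; a.rossi's is issued and consumed from one.
SAMPLE_LOG = """\
{"ts": "2026-05-25T08:00:00", "event": "otp_issued", "user": "m.keller", "otp_id": "o1", "ip": "85.1.2.3", "asn": "AS3303"}
{"ts": "2026-05-25T08:00:07", "event": "otp_consumed", "user": "m.keller", "otp_id": "o1", "ip": "103.4.5.6", "asn": "AS9808", "result": "success"}
{"ts": "2026-05-25T08:00:20", "event": "login", "user": "m.keller", "device_known": false, "ip": "103.4.5.6", "asn": "AS9808"}
{"ts": "2026-05-25T08:02:10", "event": "wallet_provision", "user": "m.keller", "card_last4": "4242", "ip": "103.4.5.6", "asn": "AS9808"}
{"ts": "2026-05-25T08:10:00", "event": "otp_issued", "user": "a.rossi", "otp_id": "o2", "ip": "85.7.8.9", "asn": "AS3303"}
{"ts": "2026-05-25T08:10:15", "event": "otp_consumed", "user": "a.rossi", "otp_id": "o2", "ip": "85.7.8.9", "asn": "AS3303", "result": "success"}
{"ts": "2026-05-25T08:11:00", "event": "login", "user": "a.rossi", "device_known": true, "ip": "85.7.8.9", "asn": "AS3303"}
"""


def parse_events(text):
    """One JSON object per line; timestamps parsed, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    issued = {}          # otp_id -> issuance event, removed once consumed
    unknown_device = {}  # user -> ts of latest login from an unrecognised device
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "otp_issued":
            issued[ev["otp_id"]] = ev
        elif kind == "otp_consumed" and ev.get("result") == "success":
            src = issued.pop(ev["otp_id"], None)
            if src is None:
                continue
            delta = ev["ts"] - src["ts"]
            if src["asn"] != ev["asn"] and timedelta(0) <= delta <= RELAY_WINDOW:
                alerts.append({"rule": "otp_relay_suspected", "user": ev["user"],
                               "issued_from": src["asn"], "consumed_from": ev["asn"],
                               "seconds": int(delta.total_seconds())})
        elif kind == "login" and not ev.get("device_known", True):
            unknown_device[ev["user"]] = ev["ts"]
        elif kind == "wallet_provision":
            login_ts = unknown_device.get(ev["user"])
            if login_ts is not None and timedelta(0) <= ev["ts"] - login_ts <= WALLET_WINDOW:
                alerts.append({"rule": "wallet_provision_after_unrecognised_device",
                               "user": ev["user"], "card_last4": ev.get("card_last4"),
                               "minutes": round((ev["ts"] - login_ts).total_seconds() / 60, 1)})
    return alerts


def detect_from_text(text):
    return detect(parse_events(text))


if __name__ == "__main__":
    for alert in detect_from_text(SAMPLE_LOG):
        print(alert)
```

The ASN comparison only fires when the IdP observes the two halves of the exchange from different networks; where the operator both triggers and consumes the code on the genuine portal, the mismatch is not visible there, which is why the brief puts session binding and FIDO2 ahead of detection. Keep the relay window short: a legitimate user switching from Wi-Fi to mobile data mid-login is rare within seconds but common within minutes.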

UNC6671 / BlackFile — GTIG publishes the full profile; group announced shutdown "under this name", rebrand probable

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25

Resolving a W21 carry-forward watch item: GTIG published a definitive UNC6671 / BlackFile profile in mid-May 2026, characterising the operation as an adversary-in-the-middle vishing specialist targeting Microsoft 365 and Okta SSO environments in retail and hospitality (vishing impersonating IT support → MFA-bypass / credential grant → AiTM session-token harvest → exfiltration → extortion over the Session messenger). The leak-site went offline in late April, briefly resumed on 2026-05-11 to announce "BlackFile is shutting down… under this name," and went dark again — GTIG's phrasing and the qualifier point to a probable rebrand rather than a genuine exit. Defenders should keep the AiTM-vishing → rogue-MFA → SSO-token-theft TTP set on watch under any new brand; the tradecraft, not the name, is the durable indicator.

ARWINI (Lower Saxony statutory-prescription audit body) — investigators confirm data exfiltration after 4 May intrusion; Kairos ransomware group claims 2.87 TB; ~70,000 GDPR Art. 9 records in scope

From CTI Daily Brief — 2026-05-19 · published 2026-05-19

Investigators confirmed on 2026-05-18 that the cyberattack on ARWINI — the Arbeitsgemeinschaft Wirtschaftlichkeitsprüfung Niedersachsen e.V., which audits prescription cost-effectiveness for statutory-health-insurance (GKV) patients in Lower Saxony via data exchange with Kassenärztliche Vereinigung Niedersachsen (KVN), AOK and other insurers — resulted in confirmed exfiltration of personal data (Deutsches Ärzteblatt, 2026-05-18; Heise Security, 2026-05-18). Intrusion signs were detected on ARWINI servers on 2026-05-04 and all systems were shut down on the same day; ARWINI's own statement, cited by Borns IT Blog on 2026-05-16, said particularly sensitive personal data (besondere Kategorien — GDPR Art. 9) are likely affected, with health and billing data on ≥70,000 patients in scope (Borns IT Blog, 2026-05-16). The Polizeidirektion Hannover is the investigating authority; the Landesbeauftragter für Datenschutz Niedersachsen (LfD) and BSI have been notified under the GDPR 72-hour rule and the German KRITIS / NIS2UmsuCG framework. Heise reports the Kairos ransomware group has claimed the attack and is threatening to sell approximately 2.87 TB of stolen data on its leak site, with attackers' leak-site claim dated 2026-05-11. The technical pattern is consistent with double-extortion ransomware now in the operator-leak-site phase.

Why it matters to us: GKV bodies and their mandated third-party auditors are NIS2 entities; the supply-chain relationship between KVN/AOK and ARWINI is precisely the data-processor scope hit by NMDL/IGJ in the Netherlands (covered 2026-05-14). Defender pattern: any GKV / AHV / cantonal health-insurance data-exchange counterparty should be inventoried as an in-scope critical-supplier under §8b BSI-Gesetz / NIS2UmsuCG, with breach-notification playbooks rehearsed for the 72-hour GDPR clock from a third party's detection event, not just one's own. Monitor for downstream phishing using GKV billing-data lures targeting affected patient cohorts.

Akira ransomware on Groupe 3R — 20 Swiss medical-imaging centres across seven cantons; second cyberattack on the same operator within twelve months

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

If you did nothing this week: Swiss and DACH healthcare operators with internet-exposed Cisco ASA / FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces — Akira's documented edge-device initial-access targets — face the same playbook used here. Groupe 3R confirmed the attack on its own website 2026-04-30, filed a criminal complaint, notified the Federal Office for Cybersecurity (BACS/OFCS), and explicitly stated it will not pay ransom; Akira's leak-site listing on approximately 2026-05-08 claims 48 GB exfiltrated including employee identity documents, patient records, payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07 · daily 2026-05-10).

Groupe 3R (Réseau Radiologique Romand) operates ~20 medical-imaging centres across seven Swiss cantons listed in the operator statement (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne — six in Romandie — plus Zürich in German-speaking Switzerland) — a direct Swiss critical-health-infrastructure incident, and the operator's second cyberattack within twelve months (the prior April 2025 incident is acknowledged in the operator's own statement as having involved different attackers and methodology). Legacy examination data remained inaccessible at week's end; security for new examination data has been restored on rebuilt infrastructure. Data exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. Akira's documented playbook against European healthcare and SME targets emphasises edge-device initial access (Cisco ASA/FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics — observed ATT&CK techniques include T1190, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service. Defenders should re-validate patch state on the edge devices in Akira's standard target list, confirm EDR rules trigger on intermittent-encryption write-skip-write file-IO patterns, and verify radiology-modality VLAN segmentation from corporate Active Directory — PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. The Akira-as-actor attribution comes from ransomware.live (aggregator), not from the victim or an independent primary; logged with confidence HIGH on incident, MEDIUM on actor.

Google Threat Intelligence Group — Europe data-leak landscape 2025

From CTI Weekly Summary — 2026-W19 (May 04 – May 10, 2026) · published 2026-05-11

GTIG's Europe data-leak landscape analysis (published 2026-04-15, first covered 2026-05-07) is the second-tier annual reference that materially affects DACH defender posture and merits cross-week synthesis: Germany is the primary European ransomware target with SAFEPAY accounting for 25% of German data-leak-site posts (76 victims claimed in 2025), Qilin tripling operational tempo in Germany during Q3 2025 with 13 additional German victims posted by early 2026 (Die Linke this week confirms continued activity into 2026-W19), and Sarcoma actively recruiting German network access via criminal forums since November 2024. 96% of German ransomware victims are organisations with fewer than 5,000 employees — exploited both directly and as supply-chain footholds into larger enterprises and government contractors; legal and professional services rose to 14% of victims — explicitly relevant to Swiss / EU public-sector procurement officers since those firms hold client IP and M&A intelligence. GTIG attributes part of the shift to AI-enabled high-quality localisation eroding the language-barrier protection that historically benefited non-English-speaking markets (daily 2026-05-07).

Groupe 3R (Réseau Radiologique Romand) — Akira ransomware claims 48 GB; 20 imaging centres across seven Swiss cantons, second attack in twelve months

From CTI Daily Brief — 2026-05-10 · published 2026-05-10

Akira listed Groupe 3R on its dark-web leak site on approximately 2026-05-08, claiming an attack dated 2026-04-30 and threatening release of 48 GB including employee identity documents (passports, driving licences, national IDs), patient records (addresses, phone numbers, medical data), payment information, and signed NDAs (Groupe 3R victim statement, 2026-04-30 · ICTjournal.ch, 2026-05-06 · Blick.ch, 2026-05-07). Groupe 3R operates 20 medical-imaging centres across seven Romandie cantons (Vaud, Valais, Fribourg, Genève, Neuchâtel, Berne, and a further canton listed in the operator statement) — making this a direct Swiss critical-health-infrastructure incident. The operator confirmed the attack publicly via its own website on 2026-04-30, notified the Federal Office for Cybersecurity (BACS/OFCS), filed a criminal complaint, and explicitly stated it will not pay ransom. Legacy examination data remained inaccessible at the time of the public update; security for new examination data has been restored on rebuilt infrastructure. Data exfiltration was not confirmed by the victim; Akira's leak-site post asserts 48 GB exfiltrated. The operator's own statement notes this is its second cyberattack within twelve months and characterises the prior April 2025 incident as having involved different attackers and methodology.

Akira's documented playbook against European healthcare and small-to-mid enterprise targets emphasises edge-device initial access (Cisco ASA / FTD CVEs, Fortinet SSL-VPN CVEs, VMware ESXi authenticated RCE) and intermittent file-encryption to evade EDR file-IO heuristics; ATT&CK techniques observed across recent Akira incidents include T1190 Exploit Public-Facing Application, T1133 External Remote Services, T1486 Data Encrypted for Impact, and T1567 Exfiltration Over Web Service.

Defender takeaway: Swiss and DACH healthcare operators with internet-exposed Cisco ASA/FTD, Fortinet SSL-VPN, or VMware ESXi management interfaces should validate that all 2025–2026 Akira-targeted CVEs are patched, that EDR rules trigger on intermittent-encryption file-IO patterns (write-then-skip-then-write of fixed-block ranges), and that radiology-modality VLANs are network-segmented from corporate AD; PACS/RIS environments tend to co-tenant with Windows file shares, providing trivial east-west reach once an attacker lands. Imaging operators that depend on a single ransomware-targeted partner should review business-continuity arrangements: this is the second 3R outage inside a year and referrers will already have continuity questions.
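The write-then-skip-then-write pattern that both the weekly summary and this daily item ask EDR rules to catch, as an added example (not an EDR vendor's rule and not Akira-specific): each file's writes are reduced to (offset, length) pairs, a file "matches" when all its writes share one length and one constant positive gap, and a process is flagged once enough of its files share the same stride. The trace format, the 1 MiB / 2 MiB stride, the thresholds and the sample paths are constructed assumptions of this example.

```python
"""Flag the write/skip/write file-IO stride characteristic of intermittent
encryption in a (constructed) per-process file-write trace.

Added example, not an EDR vendor's rule and not Akira-specific. The trace
format (pid, path, offset, length) and the thresholds are assumptions.
"""
from collections import defaultdict

MiB = 1024 * 1024
MIN_WRITES_PER_FILE = 4    # writes needed before a stride counts as a pattern
MIN_FILES_PER_PROCESS = 3  # files with the same stride before the pid is flagged


def stride_pattern(writes):
    """Return (block, gap) when all writes to a file have one length and one
    constant, positive gap between them; None for contiguous or irregular IO."""
    if len(writes) < MIN_WRITES_PER_FILE:
        return None
    ordered = sorted(writes)
    lengths = {length for _, length in ordered}
    if len(lengths) != 1:
        return None
    block = lengths.pop()
    gaps = {ordered[i + 1][0] - (ordered[i][0] + block) for i in range(len(ordered) - 1)}
    if len(gaps) != 1:
        return None
    gap = gaps.pop()
    return (block, gap) if gap > 0 else None


def scan(trace):
    """Group writes by (pid, path); flag a pid once enough files share a stride."""
    per_file = defaultdict(list)
    for rec in trace:
        per_file[(rec["pid"], rec["path"])].append((rec["offset"], rec["length"]))
    hits = defaultdict(lambda: defaultdict(list))  # pid -> (block, gap) -> [paths]
    for (pid, path), writes in per_file.items():
        pattern = stride_pattern(writes)
        if pattern:
            hits[pid][pattern].append(path)
    alerts = []
    for pid, patterns in hits.items():
        for (block, gap), paths in patterns.items():
            if len(paths) >= MIN_FILES_PER_PROCESS:
                alerts.append({"rule": "intermittent_encryption_stride", "pid": pid,
                               "block_bytes": block, "gap_bytes": gap,
                               "files": sorted(paths)})
    return alerts


def _stride_writes(pid, path, block, gap, count):
    """Constructed helper: `count` writes of `block` bytes separated by `gap` bytes."""
    return [{"pid": pid, "path": path, "offset": i * (block + gap), "length": block}
            for i in range(count)]


# Constructed trace: pid 4412 rewrites 1 MiB then skips 2 MiB across three files;
# pid 1200 copies a file contiguously; pid 3001 is a database writing scattered pages.
SAMPLE_TRACE = (
    _stride_writes(4412, r"\\pacs\share\CT_2026_0412.dcm", 1 * MiB, 2 * MiB, 4)
    + _stride_writes(4412, r"\\pacs\share\MR_2026_0413.dcm", 1 * MiB, 2 * MiB, 5)
    + _stride_writes(4412, r"\\pacs\share\reports.db", 1 * MiB, 2 * MiB, 4)
    + [{"pid": 1200, "path": r"D:\backup\archive.zip", "offset": i * MiB, "length": MiB}
       for i in range(6)]
    + [{"pid": 3001, "path": r"D:\db\main.mdf", "offset": o, "length": 8192}
       for o in (0, 16384, 65536, 73728, 262144)]
)


if __name__ == "__main__":
    for alert in scan(SAMPLE_TRACE):
        print(alert)
```

The contiguous copy is excluded because its gap is zero, and the database is excluded because its gaps vary; only the three PACS-share files written with the same fixed stride by one process raise an alert. A fixed-stride heuristic is one signal, not a verdict: operators that vary the skip length per file, or that encrypt only a file's head, will not match, so pair it with entropy-rise, mass-rename and write-volume indicators in the same rule set.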