State-Backed Hackers Weaponize AI, Microsoft Patches Six Zero-Days, and Conduent Breach Exceeds 25 Million Victims

BridgePay Network Solutions has provided further details regarding the ransomware attack that began on February 6, 2026. The incident started at approximately 3:29 a.m. when monitoring systems detected degraded performance, quickly escalating to a full system outage as ransomware encrypted files. The company reiterates that its initial forensic investigation shows no evidence of usable payment card data being compromised or exfiltrated, suggesting the attackers focused primarily on disruption and extortion through encryption. This update confirms previous findings and adds a precise timeline for the attack's onset.

New analyses from Cyble and BlackFog reveal 2025 ransomware attacks surged by 52% to over 6,600 incidents. A critical development is the near-universal adoption of data exfiltration, with 96% of attacks now employing double extortion tactics. The Qilin group remained highly active, and the IT and Food & Agriculture sectors experienced significant increases in targeting. Reports also highlight that an estimated 86% of ransomware attacks go unreported. New TTPs like exfiltration over alternative protocols and financial theft are noted, alongside updated detection strategies focusing on DLP and network egress monitoring, and mitigation via Zero Trust principles.

The Substack data breach, initially reported on February 6, 2026, has new confirmed details. The number of affected users is now precisely stated as 697,313, moving beyond the initial hacker's claim of '700,000 users'. Crucially, the stolen database, containing names, emails, and phone numbers, is actively being sold on the notorious 'Breachforums' hacking platform. This confirms the immediate availability of the data to other malicious actors, significantly increasing the risk of targeted phishing and social engineering attacks against Substack users. The long delay between the October 2025 breach and its February 2026 detection also highlights potential security monitoring gaps.

In addition to the February 2026 Patch Tuesday fixes, Microsoft has commenced a phased rollout of new Secure Boot certificates. These certificates are crucial for maintaining system integrity and are replacing older ones set to expire in June 2026. This proactive measure aims to prevent future boot-up issues and protect against bootkit and rootkit malware, ensuring the continued security of Windows systems. This update is a significant infrastructure change alongside the vulnerability patches.

Further investigation into the Odido data breach, initially reported on February 11, 2026, has clarified key details. The compromised system is now identified as a 'customer contact system' rather than broadly a 'third-party supplier's system'. Crucially, the updated report specifies that the exfiltrated personal information includes customer names, addresses, and phone numbers, but does not mention bank account or passport numbers, which were previously cited as potentially exposed. This suggests a potentially reduced scope of highly sensitive data compromised, mitigating some of the most severe identity theft risks.

The UK's National Cyber Security Centre (NCSC) has issued a 'severe' threat warning to its Critical National Infrastructure (CNI) operators, urging immediate action against disruptive and destructive cyberattacks. This alert, dated February 14, 2026, directly references the December 2025 attack on Polish energy facilities, which also prompted a CISA warning. The NCSC defines 'severe threats' as those capable of halting operations, damaging physical assets, or wiping data. It advises CNI sectors like energy, water, and transport to enhance monitoring, patch systems, enforce strong access controls, implement MFA, and review incident response plans. The NCSC also highlighted a forthcoming Cyber Security and Resilience Bill to enforce these requirements, underscoring the growing international concern and response to such attacks.