Supply Chain Attacks

Supply Chain Attacks, the FBI DCSNet Breach, and the Case for Validated Data Recovery

Part I: The Supply Chain Threat Landscape in 2025–2026

The Numbers Behind a Surging Threat

For years, the dominant cybersecurity narrative has centered on one scenario: ransomware actors targeting an organization directly, encrypting its data, and demanding payment. That threat remains real and growing. But threat intelligence firm Cyble’s 2025 annual report reveals that the attack surface extends considerably further. One of its fastest-growing vectors is the supply chain attack.

In 2025, supply chain attacks claimed by threat groups surged 93%, climbing from 154 incidents in 2024 to 297. Ransomware attacks rose 52% over the same period, reaching 6,604 incidents — with December 2025 recording 731 attacks, the second-highest monthly total ever. These two trends are not independent.

“As ransomware groups are consistently behind more than half of supply chain attacks, the two attack types have become increasingly linked.” — Cyble, 2025 Threat Landscape Report

The convergence matters operationally. Ransomware groups are no longer simply locking files and demanding payment. They are using trusted vendor relationships to deliver their payloads into environments they could not reach directly. A supply chain attack is increasingly the delivery mechanism for a ransomware event.

  • +93% — Supply chain attacks in 2025 vs. 2024, rising from 154 to 297 claimed incidents
  • +52% — Ransomware attacks in 2025 vs. 2024, rising from 4,346 to 6,604 claimed attacks
  • 50%+ — Share of supply chain attacks attributed to ransomware groups ("more than half," per Cyble)
  • 55% — Share of all 2025 ransomware attacks targeting U.S.-based organizations
  • 100% — Every industry sector tracked by Cyble was hit by a supply chain attack in 2025

How a Supply Chain Attack Operates

A supply chain attack does not target the victim organization directly. Instead, it compromises a third party that the target organization trusts and relies upon — a software vendor, a managed service provider, a cloud integration partner, or a network connectivity provider. Once that third party is compromised, attackers use the access and trust that relationship provides to move into the target environment.

The payload delivered through that trusted channel can be ransomware, a persistent backdoor, a data exfiltration tool, or a combination. The critical point is that because the delivery mechanism is a trusted source, it has often already passed the target’s security checks. Firewalls, endpoint detection tools, and network monitoring are calibrated to flag unknown or suspicious sources, not software updates from a vendor the organization has used for years.

According to Cyble, the sophistication of supply chain attacks in 2025 expanded well beyond traditional package poisoning. Attackers targeted:

  • Cloud integrations: Compromising cloud service providers to reach their downstream customers
  • SaaS trust relationships: Exploiting OAuth-based integrations between platforms, where a compromised third-party token gives access to a customer’s environment at scale. The token is presented as the connected app’s own credential, with whatever scopes the app was granted, so a user password reset or MFA challenge does not necessarily invalidate it; revoking the app’s grant does
  • Vendor distribution pipelines: Injecting malicious code into software updates or build processes, so legitimate update mechanisms deliver the payload
  • Identity providers and package registries: Targeting the upstream services that many organizations depend on to authenticate users or install software dependencies

Salesforce integrations are a concrete 2025 example cited by Cyble: attackers weaponized OAuth-based trust between SaaS platforms, using compromised third-party tokens to gain access to customer environments. The customer’s own Salesforce instance was not breached. The breach came through a connected application they trusted.
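What that pattern looks like from the customer’s side, and how to spot it in data the platform already produces, is easier to see in code. The following is an added example written for this page, not Cyble’s analysis or any vendor’s tooling. It assumes a SaaS API audit log exported as JSON lines carrying a per-call client_id, source IP and row count, plus a per-app baseline of normal hourly volume and known egress addresses; the events, identifiers, addresses and baseline figures are all constructed for the illustration.

```python
"""Detecting abuse of a connected app's OAuth token in SaaS API audit logs.

Added example (not from the page's sources). Log format, client identifier,
baselines and IP addresses are assumptions constructed for illustration.
Two signals ordinary API audit logs already carry:
  * volume: rows retrieved by one connected app in a one-hour window far
    above that app's baseline (bulk export through a trusted token)
  * origin: the app's token used from a source address never seen for it
"""
import json
from collections import defaultdict

# Assumed per-app baseline: typical rows retrieved per hour and the egress
# addresses the integration vendor has historically used.
BASELINE = {
    "app_vendor_sync": {"rows_per_hour": 500, "known_ips": {"203.0.113.10"}},
}
VOLUME_FACTOR = 10  # alert when an hour exceeds the baseline by this factor

# Constructed audit events (JSON lines). Lines 3 and 4 model a stolen token
# being used from a new address to pull tens of thousands of rows.
SAMPLE_EVENTS = """\
{"ts": "2025-08-12T09:00:00Z", "client_id": "app_vendor_sync", "src_ip": "203.0.113.10", "op": "query", "rows": 120}
{"ts": "2025-08-12T09:20:00Z", "client_id": "app_vendor_sync", "src_ip": "203.0.113.10", "op": "query", "rows": 200}
{"ts": "2025-08-12T09:45:00Z", "client_id": "app_vendor_sync", "src_ip": "198.51.100.77", "op": "query", "rows": 40000}
{"ts": "2025-08-12T09:50:00Z", "client_id": "app_vendor_sync", "src_ip": "198.51.100.77", "op": "query", "rows": 55000}
{"ts": "2025-08-12T10:30:00Z", "client_id": "app_vendor_sync", "src_ip": "203.0.113.10", "op": "query", "rows": 150}
"""


def parse_events(text):
    """Return one dict per non-empty JSON line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_token_abuse(events, baseline=BASELINE, factor=VOLUME_FACTOR):
    """Return alerts for hourly volume spikes and never-seen source IPs.

    Apps absent from the baseline are reported once as 'unknown_app' so a
    newly authorised integration is reviewed rather than silently trusted.
    """
    rows_by_hour = defaultdict(int)  # (client_id, "YYYY-MM-DDTHH") -> rows
    seen_new_ip, seen_unknown = set(), set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        app = ev["client_id"]
        if app not in baseline:
            if app not in seen_unknown:
                seen_unknown.add(app)
                alerts.append({"client_id": app, "reason": "unknown_app", "ts": ev["ts"]})
            continue
        # Bucket by hour using the ISO timestamp prefix "YYYY-MM-DDTHH".
        rows_by_hour[(app, ev["ts"][:13])] += ev.get("rows", 0)
        key = (app, ev["src_ip"])
        if ev["src_ip"] not in baseline[app]["known_ips"] and key not in seen_new_ip:
            seen_new_ip.add(key)
            alerts.append({"client_id": app, "reason": "new_origin",
                           "src_ip": ev["src_ip"], "first_seen": ev["ts"]})
    for (app, hour), rows in rows_by_hour.items():
        limit = baseline[app]["rows_per_hour"] * factor
        if rows > limit:
            alerts.append({"client_id": app, "reason": "volume",
                           "window": hour, "rows": rows, "limit": limit})
    return alerts


if __name__ == "__main__":
    for alert in detect_token_abuse(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

When either signal fires for a connected app, the response is to revoke that app’s OAuth grant and refresh tokens and re-consent with narrower scopes; killing the integration user’s sessions or resetting its password does not necessarily invalidate a token the app already holds. Baselines must be kept per app, since one vendor’s normal hourly volume is another’s bulk export.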

The Ransomware Groups Behind the Surge

Cyble documented 57 new ransomware groups, 27 new extortion groups, and more than 350 new ransomware strains in 2025. The landscape continued to evolve rapidly in response to law enforcement disruptions:

  • Qilin: Emerged as the dominant ransomware group after RansomHub was reportedly disrupted by rival group Dragonforce. Qilin claimed 17% of all 2025 ransomware victims and logged 190 attacks in December alone.
  • Akira and Play: The only groups from 2024’s top five to remain prominent in 2025.
  • Sinobi, Devman, Warlock, Gunra: New entrants that have specifically targeted critical infrastructure, including government and energy sectors, at above-average rates.

The U.S. remained the most targeted country at 55% of all attacks. Construction, professional services, manufacturing, healthcare, and IT were the most targeted sectors.

Landmark Supply Chain Incidents

The 2025 surge in supply chain attacks did not emerge from nowhere. The pattern has been building for years. Understanding the progression helps explain why the FBI DCSNet breach, described in Part II, follows a predictable playbook:

SolarWinds Orion (2020) — Malicious code (SUNBURST) injected into a trusted software update via the vendor’s own build pipeline. Impact: 18,000+ organizations installed the trojanized update; a much smaller subset, including multiple U.S. federal agencies, was selected for follow-on intrusion. Attackers were resident for months before detection. Attributed by U.S. intelligence to Russia’s SVR.

Kaseya VSA (2021) — Zero-day vulnerabilities in IT management software used by managed service providers, exploited on customer-run VSA servers. Impact: REvil ransomware pushed through compromised MSPs to an estimated 800 to 1,500 downstream businesses in a single cascading attack. The MSPs’ customers were hit without ever being the direct target.

MOVEit Transfer (2023) — SQL injection zero-day (CVE-2023-34362) in a widely used managed file transfer tool. Impact: the Cl0p extortion group stole data from more than 2,000 organizations through a single vendor’s unpatched vulnerability, mostly without deploying ransomware at all. One of the largest single-event data theft campaigns on record.

XZ Utils backdoor attempt (2024) — Multi-year social engineering of an open-source maintainer to insert a backdoor into liblzma, a compression library linked into OpenSSH’s sshd on major Linux distributions. Impact: Detected before the affected versions reached stable releases. Demonstrated that a patient, well-resourced actor is willing to invest years in open-source supply chain targeting. Researchers suspect a state-backed persona, but no formal attribution has been made.

Salt Typhoon telecom campaign (2019–2024) — Exploitation of CALEA lawful intercept infrastructure at major U.S. carriers. Impact: Nine U.S. telecoms compromised. Call records of 1M+ users accessed. FBI wiretap data exposed from within carrier systems. Described by U.S. officials as the worst telecom hack in American history.

FBI DCSNet breach (2026) — Vendor ISP exploitation to reach FBI’s internal surveillance network. Impact: Active wiretap targets, FISA data, and law enforcement PII accessed. Formally classified as a FISMA major incident. White House, DHS, and NSA joined the investigation.

The through line across all of these incidents is the same: the attacker did not defeat the target’s own defenses. They compromised someone the target trusted, then used that trust as their entry credential. The FBI breach is not an isolated anomaly. It is the latest iteration of a strategy that has been refined over more than five years.

Part II: The FBI DCSNet Breach — A Supply Chain Attack in Detail

The Target: What DCSNet is and Why It Matters

The Digital Collection System Network (DCSNet) is the FBI’s internal, unclassified infrastructure for managing court-authorized surveillance operations. It provides agents with a centralized, point-and-click interface to conduct and monitor wiretaps across cellular and landline networks, operating over a private fiber-optic backbone separate from the public internet.

The specific module accessed in this breach was DCS-3000, an internal subsystem known as “Red Hook.” Red Hook handles pen register and trap-and-trace surveillance operations: it does not capture the content of communications, but collects the metadata surrounding them. That metadata includes:

  • Phone numbers dialed and received by subjects under active FBI surveillance
  • Call routing data and communication timestamps
  • Websites visited by internet-connected devices under monitoring
  • Personally identifiable information on active FBI investigation targets
  • FISA warrant data and court-authorized wiretap returns

The counterintelligence value of this data is difficult to overstate. A foreign intelligence service that knows who the FBI is currently investigating, which phone numbers are being monitored, and which targets are active can identify its own operatives under surveillance, warn them, alter their behavior, and compromise ongoing operations, all without triggering any formal detection.

“Although no interception of actual call content has been confirmed, the breach of metadata alone could allow a foreign intelligence service to identify undercover assets, expose ongoing criminal investigations, and reveal which of their own operatives the FBI has compromised.” — CPO Magazine

The Attack Vector: Vendor Trust Exploited Again

The breach was not the result of a direct assault on FBI systems. The bureau’s own perimeter defenses were not defeated. According to the FBI’s formal notification to Congress, obtained by Politico, the hackers entered by “leveraging a commercial Internet Service Provider’s vendor infrastructure,” attributing the method to the group’s “sophisticated techniques.” The specific ISP has not been publicly named.

This is the same structural dynamic visible in every incident in the table above. The failure point was not the FBI’s internal security. It was the trust relationship between the bureau and an external vendor, and the fact that the vendor’s security posture was insufficient to withstand a state-sponsored intrusion. As Xcitium Threat Labs summarized: “The breach did not require direct access to the FBI’s primary infrastructure. It used an external telecom vendor as the gateway, proving how supply chain access becomes operational access.”

Security researchers have mapped this to two MITRE ATT&CK techniques, both under the Initial Access tactic: Trusted Relationship (T1199) and Supply Chain Compromise (T1195). In plain terms: if you cannot breach the target directly, breach someone the target trusts, then use that trust as your credential.

The Suspected Actor: Salt Typhoon and a Five-Year Campaign

No hacking group has been formally attributed by the FBI, CISA, or the White House as of early April 2026. The investigation remains active. However, investigators and independent researchers have focused attention on Salt Typhoon, a Chinese state-sponsored advanced persistent threat group linked to China’s Ministry of State Security.

That focus is not arbitrary. Salt Typhoon has spent years executing this playbook against this category of target. Between 2019 and 2024, the group infiltrated the CALEA lawful intercept infrastructure of nine U.S. telecommunications companies — AT&T, Verizon, T-Mobile, Lumen, Spectrum, and others — in what U.S. officials described as the worst telecom hack in American history. From within those compromised carrier systems, the group accessed FBI wiretap data, call records covering over one million users, and the private communications of senior government officials and campaign staffers.

The structural connection to the DCSNet breach is direct. CALEA, enacted in 1994, mandated that telecoms build lawful intercept capability into their infrastructure. That mandate was never accompanied by an enforceable requirement to secure that capability against unauthorized third-party access. Salt Typhoon mapped and compromised that architecture at the carrier level over roughly five years. The DCSNet breach represents the logical next step: tracing that access back to the FBI systems that receive and process the surveillance data the carriers were built to deliver.

“It was inevitable that foreign hackers would burrow deep into the American communications system the moment the FCC decided to let phone companies write their own cybersecurity rules.” — Sen. Ron Wyden

Breach Timeline

  • 2019–2024 — Salt Typhoon establishes CALEA access at U.S. telecoms. The group compromises wiretap infrastructure inside nine U.S. carriers. FBI surveillance data was accessible from within compromised systems for up to five years.
  • October 2024 — Telecom breach publicly disclosed. U.S. officials confirm Salt Typhoon’s access to lawful intercept infrastructure at AT&T, Verizon, and others.
  • February 17, 2026 — Anomalous log activity detected. FBI analysts detect irregular network activity on DCSNet and initiate incident response. Date confirmed in the FBI’s congressional notification.
  • March 4, 2026 — Congress formally notified. The FBI notifies oversight committees, citing exploitation of a commercial ISP vendor’s infrastructure.
  • March 2026 — Multi-front FBI incidents. In the same month, per IBTimes UK and Fliegerfaust reporting: disclosure of a 2023 New York field office hack exposing Epstein investigation files, and a breach of FBI Director Kash Patel’s personal email by the Iranian-linked group Handala.
  • April 1, 2026 — FISMA “major incident” declared. The FBI formally classifies the DCSNet breach under FISMA. White House, DHS, and NSA join the investigation.

Consequences: What “Unclassified” Metadata Exposes

It is tempting to minimize a breach of “unclassified” systems. That framing is misleading. The FISMA “major incident” classification is not a routine designation: former FBI deputy assistant director for cyber Cynthia Kaiser noted that “only a few agencies declare a major cyber incident every year,” and the threshold, set in OMB’s FISMA guidance, requires a determination that the breach is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States, or to public confidence, civil liberties, or public health and safety.

The FBI concluded that threshold was met. The specific consequences include:

  • Counterintelligence exposure: Adversaries can identify which of their own operatives are under active FBI investigation and take protective action before any arrest or interdiction.
  • Operational compromise: Active criminal and counterterrorism cases that relied on surveillance during the breach window must be reviewed. Evidence may face chain-of-custody challenges. Operations may need to be restructured.
  • Source exposure: Informants and human intelligence assets who communicated through monitored channels may have been identified to foreign governments.
  • Legal consequences: Cases relying on evidence derived from the compromised system face admissibility challenges if the integrity of records is now in question.

Part III: The Recovery Problem — Where CyberSense Capabilities Apply

The supply chain attack scenarios described above share a characteristic that makes traditional recovery approaches inadequate: the attacker was already inside the trusted environment, using legitimate channels, often for an extended period before detection. The DCSNet breach. The SolarWinds compromise. The Salt Typhoon telecom campaign. In each case, by the time the intrusion was identified, the attacker had been present across multiple backup cycles.

This creates a recovery problem that is fundamentally different from restoring after a ransomware detonation event where the moment of impact is known. When dwell time is measured in months or years, the question “which backup is clean?” cannot be answered by looking at the most recent snapshot.

In a long-dwell supply chain attack, the most dangerous assumption an organization can make is that its most recent backup represents a safe restore point. Verification, not assumption, is the foundation of trusted recovery.

The Core Problem: Backups Are Not Automatically Safe

A backup taken during the period of compromise may contain any of the following:

  • Dormant malware or backdoors already embedded in files or system configurations, waiting to reactivate after restoration
  • Altered records, modified during the attacker’s dwell period in ways designed to persist through a restore
  • Staged exfiltration artifacts: data aggregated or repositioned by the attacker in preparation for extraction
  • Valid credentials, API keys, or OAuth tokens that remain active and exploitable after the restore completes, because restoring data does not rotate the secrets it contains
  • Tampered audit logs, where the attacker has modified records to obscure the timing and scope of their access

Restoring from a compromised backup does not recover from the attack. It re-establishes the conditions that allowed the attack to persist. The organization has spent its recovery window returning to a state that the attacker has already demonstrated it can operate within.

Capability Mapping: Supply Chain and Long-Dwell Scenarios

  1. Content-level inspection of backup data
     CyberSense inspects data inside backups at the content level, not just file headers or metadata. In a scenario where malware entered through a trusted vendor channel and may have been present across multiple backup cycles, this inspection detects corruption, encryption changes, file entropy anomalies, and embedded malicious code that would be invisible to a standard integrity check. This is the capability that makes “verification, not assumption” operationally real.
  2. Anomaly detection across backup generations
     By comparing content across successive backup snapshots, CyberSense can identify when data first changed in ways consistent with compromise, even if changes were subtle and gradual rather than sudden. This is directly relevant to the Salt Typhoon playbook, where access was maintained for years and changes accumulated incrementally. The goal is not just to find that something changed, but to find when it first changed.
  3. Clean recovery point identification
     Rather than restoring to the most recent backup and assuming it is clean, CyberSense identifies the last verified-clean state with evidence behind that determination. For an organization dealing with an unknown dwell period, this replaces guesswork with a defensible, auditable recovery point.
  4. Data integrity validation before restores
     Restoring from a compromised backup or snapshot reintroduces the attacker’s work into the environment. CyberSense validates that the backup being used for restoration is free of the indicators of compromise identified during the incident.
  5. Forensic-grade change reporting
     Supply chain breaches create immediate legal and compliance obligations: congressional reporting (as in the FBI case), regulatory notifications, audit trail reconstruction, and, in litigation contexts, chain-of-custody documentation. CyberSense’s detailed change reporting — timestamped, system-by-system, and comparative against prior clean states — directly supports these requirements.

The Long-Dwell Challenge in Detail

The SolarWinds compromise remained undetected for approximately nine months. The Salt Typhoon telecom campaign ran for an estimated five years before detection. In both cases, organizations that relied on standard backup-and-restore procedures faced a fundamental problem: their backup windows were shorter than the attacker’s dwell time.

If your backup retention is 30 days and the attacker has been present for 90 days, every backup in that window is potentially tainted, and no snapshot old enough to predate the intrusion exists at all. In that case the question shifts from “which generation is clean?” to “which files inside the tainted generations were never touched?”, which can only be answered file by file. This is not a theoretical risk. It is the specific operational challenge these attacks are designed to create. By maintaining a persistent, low-noise presence over an extended period, the attacker effectively erases the organization’s ability to restore to a clean state using conventional tools.

CyberSense addresses this directly by treating the backup as a subject of inspection rather than a trusted artifact. The analysis is applied to the content of the data, asking not just “is this file present?” but “has this file changed in ways consistent with compromise, and if so, when did that first occur?” That distinction is the operational gap that content-level backup analysis is designed to close.
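To make the “when did it first change?” question concrete for both the capability list above (generation-to-generation comparison and clean recovery point identification) and the long-dwell discussion here, the following is an added example of the comparison a practitioner could run over a set of snapshots. It is written for this page and is not CyberSense’s code or method. It assumes each backup generation is available as a mapping of file path to bytes, an entropy-jump threshold, and a list of files that are append-only in normal operation; the three file contents and four generations are constructed.

```python
"""Backup-generation integrity sweep (added example, not CyberSense code).

Walks backup snapshots oldest-first, fingerprints every file by SHA-256 and
Shannon entropy, and reports the generation in which each file first changed
plus a verdict. Two heuristics flag compromise:
  * a changed file whose entropy jumped (text does not turn into ~8 bits/byte
    on its own; encryption or packing does that), and
  * an append-only file whose new content no longer starts with its old
    content (a log that shrank or was rewritten).
The newest generation before the earliest flagged change is the candidate
clean recovery point. Threshold, file list and snapshots are assumptions.
"""
import hashlib
import math
from collections import Counter

ENTROPY_JUMP_BITS = 2.0        # assumed: entropy rise treated as encryption-like
APPEND_ONLY = {"audit.log"}    # assumed: files that only grow when untampered

# Constructed sample: four generations (index 0 = oldest) of three files.
# Gen 2 drops a line from the audit log; gen 3 replaces the ledger with
# encryption-like bytes and quietly edits the update URL in app.conf.
CLEAN_LEDGER = b"date,account,amount\n2025-11-01,ACME,1200.00\n2025-11-02,ACME,980.50\n"
CLEAN_CONF = b"update_url=https://vendor.example/updates\n"
SAMPLE_GENERATIONS = [
    {"ledger.csv": CLEAN_LEDGER, "audit.log": b"09:00 login alice\n", "app.conf": CLEAN_CONF},
    {"ledger.csv": CLEAN_LEDGER, "audit.log": b"09:00 login alice\n09:30 login bob\n", "app.conf": CLEAN_CONF},
    {"ledger.csv": CLEAN_LEDGER, "audit.log": b"09:30 login bob\n", "app.conf": CLEAN_CONF},
    {"ledger.csv": bytes(range(256)) * 4, "audit.log": b"09:30 login bob\n",
     "app.conf": b"update_url=http://mirror.example/updates\n"},
]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def analyze_generations(generations):
    """Per path: first generation whose content differs from the previous one,
    with verdict 'stable', 'changed' (needs analyst review), 'suspicious'
    (entropy jump or append-only file rewritten) or 'deleted'."""
    report = {}
    for path in sorted(set().union(*(g.keys() for g in generations))):
        entry = {"first_change_gen": None, "verdict": "stable"}
        prev = None  # (sha256, entropy, bytes) from the previous generation
        for gen_idx, snapshot in enumerate(generations):
            if path not in snapshot:
                if prev is not None:
                    entry = {"first_change_gen": gen_idx, "verdict": "deleted"}
                    break
                continue  # file not yet present in older generations
            data = snapshot[path]
            cur = (hashlib.sha256(data).hexdigest(), shannon_entropy(data), data)
            if prev is not None and cur[0] != prev[0]:
                if path in APPEND_ONLY and data.startswith(prev[2]):
                    prev = cur  # legitimate append; keep scanning
                    continue
                delta = cur[1] - prev[1]
                entry["first_change_gen"] = gen_idx
                entry["entropy_delta"] = round(delta, 2)
                if path in APPEND_ONLY:
                    entry["verdict"], entry["reason"] = "suspicious", "append-only file rewritten or truncated"
                elif delta >= ENTROPY_JUMP_BITS:
                    entry["verdict"], entry["reason"] = "suspicious", "entropy jump consistent with encryption"
                else:
                    entry["verdict"] = "changed"
                break
            prev = cur
        report[path] = entry
    return report


def last_clean_generation(report, n_generations):
    """Newest generation index that predates every 'suspicious' change."""
    flagged = [e["first_change_gen"] for e in report.values() if e["verdict"] == "suspicious"]
    return n_generations - 1 if not flagged else min(flagged) - 1


if __name__ == "__main__":
    result = analyze_generations(SAMPLE_GENERATIONS)
    for path, entry in result.items():
        print(path, entry)
    print("candidate clean recovery point: generation",
          last_clean_generation(result, len(SAMPLE_GENERATIONS)))
```

On the constructed data the ledger is flagged at generation 3 and the audit log at generation 2, so the candidate clean point is generation 1, not the most recent snapshot. The edited app.conf comes back only as “changed”: a one-byte tweak to a URL produces no entropy signal and no size signal, which is exactly the altered-record case that hash-and-entropy checks cannot settle on their own and that content-aware inspection, or a diff against a known-good copy, has to cover.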

Evidence Integrity and Legal Defensibility

A consequence of supply chain breaches that applies broadly across private sector organizations — particularly in regulated industries, financial services, healthcare, and legal services — is the integrity of records created or modified during the breach window. When a system is known to have been compromised, the evidentiary standing of records produced during that period is legitimately in question.

The FBI’s situation, where evidence derived from a compromised surveillance system now faces potential admissibility challenges, has a direct private-sector analogue: financial records, compliance documentation, audit trails, and transactional data that passed through a compromised environment during an extended intrusion may all carry the same uncertainty.

CyberSense’s forensic reporting capability generates a documented, timestamped record of what data changed, when the change occurred, and how it compares to prior verified states. For organizations with legal, regulatory, or audit obligations, this is often a core prerequisite for demonstrating the scope and limits of a breach to regulators, auditors, or courts.

Applicability Beyond the Federal Context

The FBI is an extreme case in terms of target sensitivity and adversary sophistication. But the structural dynamics of the attack are not unique to government. Any organization with the following characteristics faces a version of the same recovery problem:

  • Third-party vendor or MSP access to internal networks: where the vendor’s security posture is outside the organization’s direct control
  • SaaS platforms connected via OAuth or API integrations: where a compromised token in a connected application can yield access to the organization’s environment
  • Software or update pipelines from external providers: where a compromised build or distribution channel reaches internal systems under the guise of a legitimate update
  • Regulated data with chain-of-custody or audit trail requirements: where the integrity of records is subject to legal or regulatory scrutiny
  • Recovery objectives that cannot absorb a failed restore: where restoring to a compromised state and discovering it only after the fact extends downtime and increases damage

The 2025 data confirms that supply chain attacks are not selective: every industry sector tracked by Cyble was hit. When such an attack occurs, organizations need the capability to identify clean data to recover quickly and confidently.
