June 2026 Cyber Threat Brief
June's headline incidents had almost nothing to do with clever code. FortiBleed harvested roughly 80,000 credentials from internet-facing FortiGate firewalls and VPNs across 194 countries, and it needed no zero-day to do it. Attackers used weak passwords, exposed configs, and sessions that were still valid. Around the same time, an 8.3 TB dump of 24 billion records surfaced, most of it infostealer logs, carrying live session cookies and MFA tokens. That combination lets an attacker skip the login entirely and walk in as you. The defenses didn't get bypassed this month. They got used. Every one of those logins was technically legitimate, which is exactly why so much of this activity slid past detection built to look for something broken. That is the throughline worth your time.
Attackers Stopped Breaking In and Started Logging In
When the biggest campaigns of the month run on valid credentials, the edge stops being a wall and starts being a front door with your key already in it. FortiGate firewalls, VPNs, and gateways drove June's largest incidents, and the reason is simple. Those devices sit exposed to the internet, they hold privileged access, and they are usually under-watched. A stolen session cookie or a reused password doesn't look malformed. It looks like you.
So the signal you're hunting for isn't "malicious." It's "unusual for us." Here are the moves that actually change the odds:
- Assume stolen sessions, not just stolen passwords. Shorten session and token lifetimes so a captured cookie expires before it's useful.
- Revoke on exposure. Kill active sessions and API tokens after any credential leak, and rotate privileged credentials from a vault rather than by hand.
- Alert on impossible travel and anomalous logins. A real account from two continents in ten minutes is the tell.
- Watch the edge like production. Inventory every internet-facing appliance, restrict management planes to a jump host, and centralize the logs so someone can actually read them.
If the attacker has your cookie, your MFA already happened. Plan for that, not against it.
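One way to put the impossible-travel bullet into practice, as an added example rather than anything from the brief itself: a small Python check that walks successful logins per account and flags any consecutive pair whose implied travel speed exceeds an assumed 900 km/h threshold. The login events are constructed for the example and the speed threshold is an assumption, not a figure from the brief.

```python
"""Impossible-travel check over constructed login events (added example)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Login:
    user: str
    ts: int        # Unix seconds of a successful login
    lat: float
    lon: float
    country: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

MAX_SPEED_KMH = 900.0  # assumed threshold: faster than an airliner is "impossible"

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, earlier, later, implied_kmh) for each pair of consecutive
    logins by the same account whose implied travel speed exceeds the threshold."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)
    hits = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.ts - a.ts) / 3600.0
            # same timestamp from two different places: treat as infinite speed
            speed = float("inf") if hours == 0 and dist > 0 else (dist / hours if hours else 0.0)
            if speed > max_speed_kmh:
                hits.append((user, a, b, speed))
    return hits

# Constructed sample: jdoe logs in from Salt Lake City, then from Singapore ten
# minutes later (the "two continents in ten minutes" tell); asmith reaches
# Los Angeles four hours later, which is ordinary travel.
SAMPLE = [
    Login("jdoe", 1_780_000_000, 40.76, -111.89, "US"),
    Login("jdoe", 1_780_000_600, 1.35, 103.82, "SG"),
    Login("asmith", 1_780_000_000, 40.76, -111.89, "US"),
    Login("asmith", 1_780_014_400, 34.05, -118.24, "US"),
]

if __name__ == "__main__":
    for user, a, b, kmh in impossible_travel(SAMPLE):
        print(f"ALERT {user}: {a.country} -> {b.country} in {(b.ts - a.ts) // 60} min, ~{kmh:.0f} km/h")
```

In production the geolocation would come from the VPN or gateway log enrichment, and the alert should trigger a session revocation rather than just a ticket, since the login itself is valid.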
The Real Persistence Play Is the Authentication Layer
The intrusion that should keep any utility or co-op operator up at night wasn't loud. Velvet Ant, a China-linked group, lived inside a critical-infrastructure network for close to a decade. They didn't do it with some exotic implant. They backdoored PAM and OpenSSH and moved into the authentication layer itself, which meant they survived password resets and watched every admin action from inside the trust boundary. Most monitoring never looks there.
That's the shift. Attackers are no longer just stealing accounts. They're compromising the systems that verify accounts, which is a place password rotation can't reach.
- Monitor the integrity of PAM and sshd. Alert on unexpected changes to those binaries on your critical hosts.
- Treat identity services as production. Harden and isolate your directory and authentication infrastructure the way you'd protect a control system.
- Deploy file-integrity monitoring on key hosts. A trojanized system binary stays invisible until you're watching for the change itself.
- Don't trust a password reset as a cleanup. If someone owns the auth stack, resets just hand them your new credentials.
In OT, the Save Came From a Person
Sage Water Resources in Utah disclosed that a nation-state actor altered the control logic on a PLC at a salt-water disposal facility, part of a broader campaign against U.S. energy and water systems. No malware alert fired. Someone changed a process, and the change looked like a normal operation until you understood what the process was supposed to be doing.
Here is what caught it: an alert operator. A person who knew that facility well enough to know the logic was wrong.
The biggest OT save of the month came from a human who understood their own environment, not from a tool that flagged an anomaly. That is not a feel-good detail. It is the whole argument. A PLC logic change during a maintenance window isn't a virus and won't trip a rule, but it's obvious to someone who knows what normal looks like on that specific system.
- Baseline your control logic. Keep a known-good copy of PLC and HMI logic and flag any deviation loudly.
- Tie response to safety and process impact, not to a malware verdict that may never come.
- Get PLCs and HMIs off the internet. Remove the exposure, and broker remote access through a jump host.
- Write down what normal is. Don't let the Sage Water catch depend on one operator's memory. Give the whole team that reference.
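Both the PAM/sshd integrity bullet in the previous section and the "baseline your control logic" bullet here come down to the same control: a known-good manifest and a diff against it. As an added example (not from the brief or any vendor tool), here is a Python baseline check that reports modified, missing and unexpected files; the file names and contents are constructed stand-ins created in a temp directory, not real binaries or PLC exports.

```python
"""Known-good integrity baseline for auth binaries and PLC logic exports (added example)."""
import hashlib
import os
import tempfile

def sha256_file(path):
    """Stream a file through SHA-256 so large binaries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    """Record the hash of each known-good file; keep this copy off-host and read-only."""
    return {p: sha256_file(p) for p in paths}

def check_against_baseline(baseline, current_paths):
    """Diff the live file set against the baseline. Every category is alert-worthy:
    'modified' (an altered sshd or a changed setpoint), 'missing' (a removed
    module) and 'unexpected' (a PAM module the baseline never saw)."""
    current = {p: sha256_file(p) for p in current_paths if os.path.isfile(p)}
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "unexpected": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed scenario in a temp dir: take a baseline, then alter sshd,
    change a PLC setpoint, and drop in an extra PAM module. Returns the
    report keyed by basename."""
    with tempfile.TemporaryDirectory() as d:
        known_good = {"sshd": b"sshd-build-1", "pam_unix.so": b"pam-build-1",
                      "pump_logic.l5x": b"setpoint=50"}
        for name, data in known_good.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        baseline = build_baseline([os.path.join(d, n) for n in known_good])
        # simulated tampering after the baseline was taken (constructed)
        with open(os.path.join(d, "sshd"), "wb") as f:
            f.write(b"sshd-build-1-altered")
        with open(os.path.join(d, "pump_logic.l5x"), "wb") as f:
            f.write(b"setpoint=90")
        with open(os.path.join(d, "pam_extra.so"), "wb") as f:
            f.write(b"unknown-module")
        report = check_against_baseline(baseline, [os.path.join(d, n) for n in os.listdir(d)])
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}

if __name__ == "__main__":
    print(demo())
```

Run the check on a schedule from a host the monitored systems cannot write to; a baseline stored on the same box is only as trustworthy as the box.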
What This Means Going Forward
Every major event this month tells the same story from a different angle. When attackers borrow your valid access instead of breaking your defenses, "malicious" is the wrong thing to look for. The activity looks legitimate because it is legitimate, technically. Catching it takes context, and in an OT environment the context is the whole game. Tools give you the visibility. They can't supply the judgment.
CISA's CI Fortify guidance this month pushed operators toward isolation and recovery, the ability to keep essential services running while cut off from the outside. That's sound advice, and prevention alone no longer meets the bar. But isolation and recovery both start with somebody noticing, and noticing on a valid-looking login is a human skill, not a dashboard feature. That's the Human First case, and June made it without our help. Tools surface information. People supply judgment. How long that judgment takes to arrive is measured in minutes or hours, depending on who answers the phone.
What actually stopped the worst of this month wasn't a tool. It was a person. The operator who knew the PLC logic was off. The analyst who asked why a real account was doing something it never does. When the attack looks legitimate, the people who know their environment are the last control that still works.