Cybersecurity developments in June reflected a continued shift toward attacks that target the connective tissue of modern organizations: identities, cloud integrations, operational technologies, and increasingly, AI systems. Rather than relying solely on software vulnerabilities, attackers focused on trusted relationships, credential theft, long-term persistence, and the platforms that enable access across distributed environments.
At the same time, the month highlighted how rapidly the threat landscape is evolving. Nation-state campaigns continued to pursue strategic intelligence collection, industrial organizations experienced operational disruptions, and debates around AI-powered cyber capabilities raised new questions about the future pace of attack and defense. Taken together, these stories illustrate how cybersecurity is becoming increasingly intertwined with the systems that support critical infrastructure, digital services, and day-to-day operations.
Identity Trust Chains Become the New Attack Surface
Klue Breach Highlights the Risks of Delegated Trust
A breach at competitive intelligence platform Klue allowed attackers to steal OAuth tokens used to connect customer environments to Salesforce, enabling unauthorized access to CRM data across multiple organizations, including several cybersecurity firms.
The incident highlights a growing challenge in modern enterprise environments: organizations increasingly rely on trusted integrations between SaaS platforms, cloud services, and third-party applications. Rather than breaching each target individually, attackers can compromise a single trusted connection and use that access to move across multiple environments.
More importantly, the breach demonstrates the danger of relying on implicit trust. As organizations expand digital ecosystems, trust relationships often extend far beyond direct users to include applications, APIs, services, and machine identities. When one trusted component is compromised, the resulting blast radius can be significant.
This is exactly the type of scenario that reinforces the value of a Zero Trust approach. By continuously verifying identities, limiting privileges, and enforcing access controls between users, applications, and services, organizations can reduce their dependence on inherited trust and contain the impact of a compromised integration before it spreads across critical systems.
Fortinet Credential Harvesting Campaign Demonstrates Infrastructure-Scale Identity Risk
Researchers disclosed a massive credential harvesting campaign affecting more than 30,000 Fortinet devices across nearly 200 countries. Attackers leveraged known and leaked credentials to gain access to exposed appliances, monitor traffic, harvest additional authentication data, and expand operations across multiple sectors.
The campaign demonstrates how identity compromise can scale globally when authentication infrastructure becomes exposed. Rather than relying on sophisticated exploits, attackers capitalized on weak credential hygiene, exposed management interfaces, and credential reuse to establish persistent access.
This trend aligns with a broader evolution in cyber operations. Identity systems, VPNs, and remote-access infrastructure increasingly serve as the initial access point for both criminal and nation-state actors. As organizations continue expanding remote connectivity, these systems become high-value targets capable of providing broad access to operational environments.
Identity-centric security strategies become particularly important in these scenarios because they reduce reliance on static credentials and traditional trust assumptions. Limiting privileges, continuously validating access requests, and enforcing segmentation help contain compromise even when credentials are exposed.
Critical Infrastructure and Cyber-Physical Risk Continue to Converge
Cyberattack Disrupts Australian Sugar Production
Australia’s second-largest sugar producer, Mackay Sugar, suffered a cyberattack that forced shutdowns at two major sugar mills and disrupted harvesting operations.
Unlike many cyber incidents that primarily involve data theft or financial losses, this attack produced immediate operational consequences. Production interruptions affected industrial processes, supply chains, and agricultural operations, demonstrating how cyber incidents can quickly become business and operational disruptions.
The incident underscores a growing challenge for critical infrastructure operators as IT and OT environments become increasingly interconnected. Greater connectivity can improve efficiency and visibility, but it also creates pathways for attacks that originate in enterprise networks to impact operational systems. Manufacturing, energy, transportation, and food production organizations all face heightened risk as digital transformation efforts continue to blur traditional boundaries between IT and OT.
As these environments converge, it becomes increasingly important to implement controls that prevent IT-based attacks from spreading into operational systems. Network segmentation, identity-based access controls, and Zero Trust architectures can help contain incidents, reduce lateral movement, and limit the operational impact of a compromise before it reaches critical processes.
Nation-State Activity Reflects Long-Term Strategic Positioning
Chinese Espionage Campaigns Demonstrate Persistent Access Objectives
Google researchers disclosed multiple Chinese-linked campaigns targeting government, military, medical research, AI research, cybersecurity, and academic organizations across North America. In several cases, attackers maintained access for extended periods while collecting sensitive research and strategic intelligence.
This type of nation-state persistence is not new. Long-term access and intelligence collection have been hallmarks of state-sponsored cyber operations for years. What is changing is the value of the data being targeted, including AI research, critical infrastructure information, and sensitive intellectual property.
An additional concern is the growing risk of “harvest now, decrypt later” operations, where adversaries collect encrypted data today in anticipation of future quantum computing advances. Organizations responsible for sensitive research, government data, and critical infrastructure should begin evaluating post-quantum cryptography strategies now.
Because determined adversaries may eventually gain access somewhere in the environment, resilience depends on limiting what they can do once inside. Segmentation, least-privilege access, continuous identity verification, and Zero Trust architectures can help prevent a compromised account or device from becoming a pathway to sensitive information or operational systems.
AI Becomes Strategic Cyber Infrastructure
The Mythos Debate Evolves as GLM Makes the Threat More Accessible
Anthropic’s cyber-focused Mythos platform dominated security discussions this month after access to Mythos 5 and Fable 5 was temporarily restricted over national security concerns. While the U.S. government has since restored Mythos 5 access for a limited group of trusted organizations defending critical infrastructure, broader access remains restricted as policymakers continue debating how advanced cybersecurity models should be governed.
Meanwhile, the conversation has already moved beyond Mythos. Researchers found that China’s open-weight GLM-5.2 can match Mythos-level performance in vulnerability discovery. Unlike frontier models operated under provider oversight, open-weight models can be downloaded, modified, and used without centralized controls, so attackers can run them outside any provider's monitoring.
The takeaway is that restricting access to individual models is unlikely to slow the broader trend. AI is compressing the time between vulnerability discovery and exploitation, leaving organizations with less time to patch and respond.
The silver lining is that Mythos helped accelerate industry recognition of this shift. As AI-powered cyber capabilities become more widely available, organizations are increasingly investing in security fundamentals that remain effective regardless of how quickly threats evolve. Identity-based Zero Trust, least-privilege access, and segmentation reduce blast radius before attacks can spread.
Resilience increasingly depends not on preventing every attack, but on ensuring attackers cannot move laterally, escalate privileges, or disrupt operations after gaining initial access. We explore this shift in more detail in our recent blog, “Beyond Claude Mythos: Securing Critical Systems When the Grace Period Hits Zero.”
AI Expands the Attack Surface Beyond Human Users
Researchers recently found that 64% of analyzed LLM-enabled iOS applications exposed exploitable API credentials, highlighting widespread weaknesses in how AI services are integrated into software. At the same time, security researchers warned that emerging agentic AI worms could eventually identify vulnerabilities, adapt to their environments, and propagate across systems with limited human involvement.
Together, these developments demonstrate that AI introduces new attack surfaces alongside new capabilities. One of the most significant risks associated with agentic AI is credential and secrets exposure. AI agents often require access to API keys, tokens, cloud services, enterprise applications, and configuration data to perform tasks. If those credentials are exposed through compromise, misconfiguration, insecure storage, or excessive permissions, attackers may gain access to critical systems and use those trusted credentials to move laterally across environments.
Organizations that successfully deploy AI at scale will be those that apply the same authentication, authorization, and policy controls used to protect other critical systems. By enforcing strong access controls, limiting privileges, and tightly managing the credentials available to AI agents, organizations can reduce the risk that a compromised model, API key, or service account leads to broader exposure. As with any technology, resilience depends on limiting blast radius when something goes wrong.
Resilience Becomes a Strategic Priority
CISA Embraces Consequence-Based Vulnerability Management
CISA introduced new directives requiring federal agencies to prioritize remediation based on exploitability, exposure, mission impact, and operational consequences rather than relying solely on severity scores. This shift represents one of the most important governance developments of the month.
For years, organizations have struggled under the weight of growing vulnerability backlogs. The new approach acknowledges a reality many defenders already understand: not every vulnerability presents equal risk.
The emphasis is increasingly moving toward consequence-based security. Organizations must prioritize the vulnerabilities most likely to create operational disruption, enable identity compromise, or expose critical systems. This evolution aligns closely with broader resilience strategies focused on reducing operational risk rather than simply maximizing compliance metrics.
Investment Signals Growing Focus on OT Security
Accenture’s majority investment in Dragos, reportedly valuing the company at roughly $3.2 billion, was one of the month’s most significant industrial cybersecurity developments. While not an incident, the deal reflects growing recognition that operational technology and critical infrastructure security have become strategic priorities for enterprises and governments alike.
As industrial environments become more connected, organizations are increasingly investing in technologies that provide visibility, control, and resilience across both IT and OT systems. Identity-centric security plays a critical role in this convergence by helping organizations enforce trust consistently across users, devices, applications, and operational assets.
Looking Ahead
June’s biggest stories reinforced a common reality: attackers increasingly target identities, trusted relationships, and interconnected systems rather than individual devices or networks. From OAuth token theft and credential harvesting to nation-state persistence and AI-driven threat acceleration, the focus continues to shift toward access and control.
As IT, OT, cloud, and AI environments become more connected, resilience will depend less on preventing every attack and more on limiting what attackers can do once they gain access. Segmentation, strong authentication and authorization, least privilege, and Zero Trust architectures remain some of the most effective ways to reduce risk and contain compromise before it impacts critical operations.

