Cybersecurity

More European cities move to replace Microsoft software as part of digital sovereignty efforts

Following similar moves by Denmark, the German state of Schleswig-Holstein and the city of Lyon—France’s third-largest city and a major economic centre—has initiated a migration from Microsoft Windows and Office to a suite of open-source alternatives, including Linux, OnlyOffice, NextCloud, and PostgreSQL.

This transition is part of Lyon’s broader strategy to strengthen digital sovereignty and reduce reliance on foreign technology providers. As with other European initiatives, the decision aligns with wider EU discussions about data governance and digital autonomy. Concerns over control of sensitive data and long-term sustainability have contributed to increased interest in open-source solutions.

Although Microsoft has publicly affirmed its commitment to supporting EU customers regardless of political context, some European public authorities continue to explore alternatives that allow for local control over software infrastructure and data hosting.

In line with the European Commission’s 2025 State of the Digital Decade report—which notes that Europe has yet to fully leverage the potential of open-source technologies—Lyon aims to enhance both transparency and control over its digital systems.

Lyon’s migration also supports regional economic development. Its collaboration platform, Territoire Numérique Ouvert (Open Digital Territory), is being co-developed with local digital organisations and will be hosted in regional data centres. The project provides secure, interoperable tools for communication, office productivity, and document collaboration.

The city has begun gradually replacing Windows with Linux and Microsoft Office with OnlyOffice across municipal workstations. OnlyOffice, developed by Latvia-based Ascensio System SIA, is an open-source productivity suite distributed under the GNU Affero General Public License. While it shares a similar open-source ethos with LibreOffice, which was chosen in Demark to replace Microsoft, the two are not directly related.

It is reported that Lyon anticipates cost savings through extended hardware lifespans, a reduction in electronic waste, and improved environmental sustainability. Over half of the public contracts for this project have been awarded to companies based in the Auvergne-Rhône-Alpes region, with all awarded to French firms—highlighting a preference for local procurement.

Training for approximately 10,000 civil servants began in June 2025. The initiative is being monitored as a potential model for other municipalities aiming to enhance digital resilience and reduce dependency on proprietary software ecosystems.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Qantas cyber attack sparks customer alert

Qantas is investigating a major data breach that may have exposed the personal details of up to six million customers.

The breach affected a third-party platform used by the airline’s contact centre to store sensitive data, including names, phone numbers, email addresses, dates of birth and frequent flyer numbers.

The airline discovered unusual activity on 30 June and responded by immediately isolating the affected system. While the full scope of the breach is still being assessed, Qantas expects the volume of stolen data to be significant.

However, it confirmed that no passwords, PINs, credit card details or passport numbers were stored on the compromised platform.

Qantas has informed the Australian Federal Police, the Cyber Security Centre and the Office of the Information Commissioner. CEO Vanessa Hudson apologised to customers and urged anyone concerned to call a dedicated support line. She added that airline operations and safety remain unaffected.

The incident follows recent cyber attacks on Hawaiian Airlines, WestJet and major UK retailers, reportedly linked to a group known as Scattered Spider. The breach adds to a growing list of Australian organisations targeted in 2025, in what privacy authorities describe as a worsening trend.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Researchers track financial cyberattacks in Africa and spot new ransomware group

Cybersecurity researchers have identified a series of cyberattacks targeting African financial institutions since at least July 2023. The campaign, attributed to a threat cluster named CL-CRI-1014 by Palo Alto Networks Unit 42, involves using open-source and publicly available tools to maintain unauthorised access to compromised systems.

According to Unit 42, ‘CL’ stands for ‘cluster’ and ‘CRI’ refers to ‘criminal motivation.’ The threat actor is believed to be operating as an initial access broker (IAB), seeking to obtain entry into networks and sell access to other cybercriminals on underground forums.

Researchers noted that the group employs methods to evade detection by spoofing legitimate software, including copying digital signatures and using application icons from Microsoft Teams, Palo Alto Networks Cortex, and VMware Tools to disguise malicious payloads. Tools deployed include PoshC2 for command-and-control, Chisel for network tunnelling, and Classroom Spy for remote access.

While the initial intrusion vector remains unclear, once access is achieved, the attackers reportedly use MeshCentral Agent and Classroom Spy to control machines, with Chisel deployed to bypass firewalls. PoshC2 is propagated across Windows hosts and persisted through various techniques, including services, scheduled tasks, and startup shortcuts. In some cases, stolen user credentials were used to set up proxies via PoshC2.

Trustwave SpiderLabs has reported the emergence of a new ransomware group named Dire Wolf, which has claimed 16 victims across multiple countries, including the United States, India, and Italy, with primary targets in the technology, manufacturing, and financial sectors.

Dire Wolf ransomware was developed in Golang. It includes disabling system logging, terminating a predefined list of services and applications, and deleting shadow copies to hinder recovery. Although details about the group’s initial access or lateral movement techniques are unknown, Trustwave advises organisations to maintain standard cybersecurity practices and monitor for the techniques observed during the analysis.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Nobitex restores wallet access after major hack

Iran’s biggest crypto exchange, Nobitex, has begun restoring wallet access after a cyberattack that stole over $90 million this month. Wallet reactivation is being carried out in phases, starting with verified users and spot wallets, while other wallets will reopen once identity checks are completed.

Users were urged to update their details promptly, as deposits sent to old wallet addresses now risk permanent loss due to a complete system migration.

Nobitex warned that withdrawal, deposit, and trading services for verified users would resume as soon as security checks allow. Timelines may change depending on technical conditions.

Following the breach, Iran’s central bank mandated domestic exchanges to restrict operating hours from 10 am to 8 pm to improve security.

The pro-Israel hacking group Predatory Sparrow claimed responsibility, highlighting rising regional cyber tensions. Nobitex remains central to Iran’s growing crypto market, but the attack has shaken user trust and raised concerns over the country’s financial cybersecurity.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Europol backs Spain in dismantling crypto crime ring

Spanish law enforcement, supported by Europol and agencies from Estonia, France, and the United States, arrested five individuals on 25 June 2025 linked to a global cryptocurrency investment scam. The operation uncovered a vast fraud network responsible for laundering around €460 million taken from over 5,000 victims worldwide.

The suspects were detained following coordinated raids in Madrid and the Canary Islands. Authorities conducted five property searches in total.

Europol has been assisting with the case since 2023, providing technical expertise, financial crime analysis, and on-site support during the final phase of the investigation.

The group allegedly operated through a vast web of international sales agents facilitating fund collection via cash, wire transfers, and cryptocurrencies.

The criminal operation reportedly maintained a corporate and banking structure based in Hong Kong, using shell companies and various digital accounts under false identities to move illicit funds.

Online fraud remains a critical threat to EU security, and Europol warns that it is rapidly growing in scale and complexity. According to Europol’s latest threat report, the rise of AI-powered deception tools is expected to fuel the spread of cyber-enabled fraud further.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

OpenInfra Summit Europe brings focus on AI and VMware alternatives

The OpenInfra Foundation and its global community will gather at the OpenInfra Summit Europe from 17 to 19 October in Paris-Saclay to explore how open source is reshaping digital infrastructure.

It will be the first summit since the Foundation joined the Linux Foundation, uniting major projects such as Linux, Kubernetes and OpenStack under the OpenInfra Blueprint. The agenda includes a strong focus on digital sovereignty, VMware migration strategies and infrastructure support for AI workloads.

Taking place at École Polytechnique in Palaiseau, the summit arrives at a time when open source software is powering nearly $9 trillion of economic activity.

With over 38% of the global OpenInfra community based in Europe, the event will focus on regional priorities like data control, security, and compliance with new EU regulations such as the Cyber Resilience Act.

Developers, IT leaders and business strategists will explore how projects like Kata Containers, Ceph and RISC-V integrate to support cost-effective, scalable infrastructure.

The summit will also mark OpenStack’s 15th anniversary, with use cases shared by the UN, BMW and nonprofit Restos du Coeur.

Attendees will witness a live VMware migration demo featuring companies like Canonical and Rackspace, highlighting real-world approaches to transitioning away from proprietary platforms. Sessions will dive into topics like CI pipelines, AI-powered infrastructure, and cloud-native operations.

As a community-led event, OpenInfra Summit Europe remains focused on collaboration.

With sponsors including Canonical, Mirantis, Red Hat and others, the gathering offers developers and organisations an opportunity to share best practices, shape open source development, and strengthen the global infrastructure ecosystem.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ransomware attack hits Swiss government data

A ransomware attack on the Swiss non-profit Radix has led to the theft and online publication of sensitive government data. Radix, which carries out projects for various federal offices and public authorities, confirmed that the Sarcoma ransomware group breached its systems on 16 June.

According to the Swiss government, some stolen data has already appeared on the dark web.
Authorities are working with the National Cyber Security Centre (NCSC) to assess which federal offices were impacted and how severely.

While Radix has notified affected individuals, it states there is no evidence that sensitive data from its partner organisations was compromised. However, Sarcoma reportedly leaked 1.3TB of documents online, including financial records, contracts, and private correspondence.

Sarcoma is a relatively new but aggressive cybercrime group that began operating in late 2024. It typically gains access through phishing emails, outdated software vulnerabilities, and supply chain weaknesses.

The group has claimed dozens of victims and is known for publishing stolen data if ransom demands are not met.

However, this marks the second serious incident involving Swiss government data in recent months. In March, the government disclosed that a breach at another third-party provider, Xplain, had exposed tens of thousands of documents containing personal details.

The Swiss authorities are urging continued vigilance as investigations into the Radix breach continue.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Balancing security and usability in digital authentication

A report by the FIDO Alliance revealed that 53% of consumers observed an increase in suspicious messages in 2024, with SMS, emails, and phone calls being the primary vectors.

As digital scams and AI-driven fraud rise, businesses face growing pressure to strengthen authentication methods without compromising user experience.

No clear standard has emerged despite the range of available authentication options—including passkeys, one-time passwords (OTP), multi-factor authentication (MFA), and biometric systems.

Industry experts warn that focusing solely on advanced tools can lead to overlooking basic user needs. Minor authentication hurdles such as CAPTCHA errors have led to customer drop-offs and failed transactions.

Organisations are exploring risk-based, adaptive authentication models that adjust security levels based on user behaviour and context. The systems could eventually replace static logins with continuous, behind-the-scenes verification.

AI complicates the landscape further. As autonomous assistants handle tasks like booking tickets or making purchases, distinguishing legitimate user activity from malicious bots becomes increasingly tricky.

With no universal solution, experts say businesses must offer a flexible range of secure options tailored to user preferences. The challenge remains to find the right balance between security and usability in an evolving threat environment.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ahold Delhaize breach hits 2 million with data theft

A ransomware attack on Dutch retailer Ahold Delhaize resulted in a significant data breach affecting more than 2.2 million individuals across US businesses.

The breach occurred in November 2024 following network disruptions at supermarket chains, including Giant Food, Food Lion, and Stop & Shop.

The Inc Ransom group claimed responsibility in April 2025, stating it exfiltrated around 6 TB of data. The company confirmed that stolen files included employment records containing sensitive personal and financial information, with some data already posted on the dark web.

Affected individuals are now notified and offered two years of free identity protection services. The compromised data includes names, Social Security numbers, contact details, and medical and employment information.

Supermarkets have become a growing target in recent cyber campaigns. In April, UK retailers such as M&S and Harrods were also attacked, while distributor UNFI faced major disruptions earlier this month.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Ransomware victims still paying, Sophos finds

Nearly half of ransomware victims paid the attackers last year, according to Sophos. In its 2025 survey of 3,400 IT pros, 49% admitted to making payments—just below last year’s record.

Ransom amounts dropped significantly, with median payments falling 50% and demand amounts down a third. Yet backup usage also hit a six-year low, used by just 54% of firms for recovery.

Attackers often exploited known vulnerabilities (32%) or unknown security gaps (40%), highlighting persistent weaknesses. Sophos noted many companies now accept ransomware as a business risk.

CISA warned that CVE-2024-54085 in AMI MegaRAC firmware is under active exploitation elsewhere. The bug allows attackers to bypass authenticating remotely.

Varonis flagged abuse of Microsoft’s Direct Send email feature in a phishing campaign affecting over 70 organisations. Disabling it is advised if not essential.

Rapid7 also found critical vulnerabilities in Brother printers. One flaw rated CVSS 9.8, allows password theft and cannot be patched—users must change defaults.

Finally, Google will roll out new Gemini AI features to Android users starting on July 7, even for those with app activity disabled.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!