Security Digest 020 — Audio
Listen to the audio version of this digest, voiced by Brian.
This Week in Brief
Issue 020 covers 11 through 18 June, picking up from issue 019. The week was defined by coordinated breach activity at a scale not seen since MOVEit, a generational shift in Finnish nuclear policy, and a US-Iran ceasefire that reopened the Strait of Hormuz after 3.5 months of conflict.
ShinyHunters exploited a critical zero-day in Oracle PeopleSoft, CVE-2026-35273, breaching more than 100 organisations including the Council of Europe, with the education sector as the primary target band. A separate Fortinet credential-harvesting campaign swept Fortune 500 companies and government agencies across 15 or more countries, with roughly 75,000 devices exposed. In the Nordics, Finland’s parliament voted to lift its prohibition on hosting nuclear weapons, aligning Helsinki with deterrence posture held by several other NATO allies. The US and Iran reached a preliminary ceasefire, with Geneva signing expected. Congress subpoenaed the Epstein estate, the Clinton family, and the DOJ as fresh document batches landed under the 2025 Epstein Files Transparency Act, and Bill Gates testified before the House Oversight Committee in a closed-door session.
The EU AI Act’s general-purpose AI obligations have applied since 2 August 2025; the Commission’s enforcement powers over GPAI providers begin 2 August 2026, 45 days from today.
Security
ShinyHunters / Oracle PeopleSoft CVE-2026-35273
Google’s Mandiant Threat Intelligence Group disclosed on 11 June that ShinyHunters had exploited a critical zero-day in Oracle PeopleSoft enterprise software, CVE-2026-35273, breaching more than 100 organisations. Universities and higher-education institutions were the primary targets. On 15 June, The Register confirmed that the Council of Europe was among the compromised organisations, with HR data included in the exposed records. Oracle issued a warning to PeopleSoft customers after active exploitation was confirmed across multiple sources by mid-week.
Operational read: Any organisation running Oracle PeopleSoft should treat this as actively exploited and apply Oracle’s advisory without delay. Audit authentication logs for anomalous access since 1 June. The Council of Europe confirmation signals that European public institutions are squarely in scope alongside commercial targets.
ShinyHunters — Infinite Campus and MSG Sports
On 17 June, ShinyHunters breached education technology provider Infinite Campus via its Salesforce environment, exposing 137,000 school staff records including emails, names, phone numbers, physical addresses, and support ticket contents (TechRepublic, Cybernews). Infinite Campus software serves approximately 11 million students. On 16 June, after a missed ransom deadline, ShinyHunters published 45 GB of MSG Sports data, including VIP profiles and customer emails tied to the New York Knicks and Madison Square Garden Sports (MSN/Wired). The week’s pattern confirms ShinyHunters operating at industrial scale across education, sports, and international institutions simultaneously.
Operational read: The Infinite Campus compromise via Salesforce underscores third-party SaaS risk. Review Salesforce-integrated platforms, audit connected app permissions, and verify session logs for anomalous access tied to June activity. Ransomware posture should factor in publication alongside encryption.
Fortinet Credential-Harvesting Campaign
Reuters reported on 17 June that a sweeping credential-harvesting campaign against Fortinet firewall and VPN devices had compromised prominent organisations in 15 or more countries, including Fortune 500 companies and government agencies. Detailed reporting cited approximately 75,000 exposed devices. Fortinet confirmed awareness of the campaign and ongoing investigation.
Operational read: Rotate credentials on all Fortinet devices immediately. Audit VPN and firewall logs for credential access events since early June. Perimeter devices at government or financial institutions should be treated as potentially compromised pending a full log review.
Coupang $409M Record Fine
South Korea’s Personal Information Protection Commission fined Coupang 625 billion won ($409.3 million) on 11 June, the largest data breach penalty in the country’s history (Reuters, TechCrunch). The breach affected approximately 37.5 million customer records. The PIPC found weak security controls and delayed reporting at the root, the attack itself carrying no particular sophistication. Coupang is listed on the New York Stock Exchange, and the fine equals roughly 1.4 percent of projected 2025 revenue. The case reinforces that delayed reporting carries its own regulatory liability, independent of the underlying breach.
Novo Nordisk Cyberattack
Novo Nordisk disclosed unauthorised access to a limited number of internal IT systems on 11 June (Reuters). By 16 June, an unnamed hacking group claimed theft of more than 1 terabyte of data including research documents, employee records, and clinical trial details, and attempted a $25 million extortion (Reuters, FiercePharma). Novo Nordisk refused. The group threatened to sell the data, its identity remaining unconfirmed across sources, with an earlier briefing attribution to DarkSide uncorroborated by Reuters or FiercePharma reporting.
Norway and the Nordics
Joint Nordic-Baltic Investigation: Russia’s Northern Flank Buildup
Norwegian, Swedish, and Danish broadcasters together with Estonian outlet Delfi published a joint investigation on 10 and 11 June, drawing on satellite imagery showing Russia expanding military infrastructure across a 1,300-kilometre stretch of the Finnish border (Meduza, Kyiv Independent). New barracks, warehouses, and facilities suggest a potential deployment of up to 80,000 troops, roughly four times prior estimates of around 20,000. A new base under construction near Petrozavodsk is sized for 4,000 to 6,000 troops, with earlier expansions documented at Pechenga and Murmansk. Danish intelligence assessed that Russia could field up to 115,000 troops near NATO borders overall. German Army Chief Lieutenant General Christian Freuding stated on 12 June that NATO-agreed intelligence shows Russia capable of mounting a large-scale attack on NATO territory by 2029.
Finland Lifts Decades-Long Nuclear Weapons Ban
Finland’s parliament voted on 17 June to lift the country’s ban on hosting nuclear weapons on Finnish soil (NYT, BBC). Finland shares an 830-mile border with Russia and joined NATO in 2023, making the vote a direct extension of its post-invasion security realignment. The change aligns Helsinki with the deterrence posture held by several other NATO allies. Russia’s response was immediate and critical.
Norwegian Defence Ministry Accounting Scandal
State Auditor General Karl Eirik Schjøtt-Pedersen declared Forsvarsbygg’s 2025 annual report “unauditable” on 15 June, a significant accountability failure in the defence property division (News in English Norway). Forsvarsbygg ran a budget overrun of nearly NOK 500 million. The director of Forsvarsmateriell, the purchasing unit, was transferred over procurement rule violations and filed a complaint against the transfer. This lands against the backdrop of NOK 1,800 billion in planned military spending through 2036 and a Defence Minister, Tore O Sandvik, now facing sustained public scrutiny.
Royal News: Conviction and Transplant
Marius Borg Høiby, son of Crown Princess Mette-Marit, was convicted of rape and assault on 15 June and sentenced to four years in prison (The Guardian, Reuters, BBC, NPR). Two days later, Crown Princess Mette-Marit received a successful lung transplant after a period on the waiting list for her chronic lung disease (newsinenglish.no, BBC, CNN, Washington Post).
G7 Évian-les-Bains and UK Russia Sanctions
G7 leaders meeting in France on 16 and 17 June agreed to increase military support to Ukraine, including air defence systems and long-range capabilities, with France as primary supplier of additional Patriot missiles as US direct aid declines (Reuters, NPR). Trump told Putin at the summit to “make a deal.” The UK announced new Russia sanctions at the summit, designating Yandex Bank and two additional Russian financial institutions alongside 46 shadow fleet vessels and a covert military procurement network (Reuters, Barents Observer). The trigger was the arrest of Indian captain Ajay Pant, 38, aboard tanker MV Smyrtos in the English Channel for sanctions violations. A separate incident on 17 June saw a Russian warship fire warning shots at a UK-registered yacht near the Isle of Wight (Trade Winds News).
Regulatory and Policy
The EU AI Act’s general-purpose AI obligations have applied since 2 August 2025. What begins on 2 August 2026, 45 days from today, is the Commission’s enforcement powers over GPAI providers, alongside applicability of the high-risk rules. Organisations deploying GPAI systems in the EU that have not completed conformity assessments, finalised model cards, or established an incident reporting pathway are inside the final preparation window before enforcement bites. The one-year adjustment period closes on 2 August.
The EU formally opened its first cluster of accession talks with Ukraine and Moldova on 13 June (Reuters, EuroMaidan Press), ending years of delays and vetoes. The move locks in a European integration trajectory for both countries regardless of how the conflict concludes, carrying policy weight beyond the ceremonial.
Scams and Consumer Protection
FortiGuard Labs research published during the window found that cybercriminals registered more than 13,000 FIFA World Cup 2026-themed domains ahead of the tournament, with approximately 1,154, or 8.8 percent, classified as malicious or suspicious (PCQuest, DQIndia). Attack vectors span ticket-payment phishing, malware via unofficial team and streaming apps, and social media impersonation of national football associations. Norway is participating in the tournament, and Norwegian fans purchasing tickets or booking travel via unofficial channels carry elevated phishing exposure through July.
Epstein
Presumption of innocence applies to all individuals named in this section. The following covers documented, publicly reported developments only.
Subpoenas Fly as Bondi Stonewalls
Congress issued subpoenas to the Epstein estate, the Clinton family, and the DOJ during the window, pressing for the full federal record. Attorney General Pam Bondi refused to answer lawmakers’ questions about the Epstein files at the relevant hearing, and Alan Dershowitz requested the opportunity to testify (whitehouse.gov, NPR, PBS, ABC News, Forbes). The pressure traces back to the Epstein Files Transparency Act, H.R. 4405, which President Trump signed into law on 19 November 2025 to compel full disclosure of federal Epstein-related files after the House and Senate passed it overwhelmingly. That statute is the backdrop forcing this month’s subpoenas, document batches, and testimony into the open.
Bill Gates Testifies Before House Oversight
Bill Gates testified in a closed-door session before the House Oversight Committee on or around 10 June (BBC, Reuters, AP, CNN). Gates stated that Epstein used knowledge of his extramarital affair “as leverage,” described the relationship as “a grave error in judgment,” and said he “never victimized anyone” and had no knowledge of Epstein’s trafficking activities. Melinda French Gates, in separate testimony reported by the same outlets, called Epstein “evil” and described a visceral reaction to recalling her encounters with him.
DOJ New Files and The Guardian on the Norwegian Monarchy
The DOJ released a new document batch on 13 June, Data Set 1 Files, page 9, accessible directly at justice.gov. The release includes references flagged in US outlets as touching on a German missing-person angle (Times of India, Spectrum News).
On 18 June, The Guardian published a commentary piece by Magnus Nome titled “Norway’s monarchy once seemed like a fairytale: recent crises have exposed its dark underbelly,” naming Crown Princess Mette-Marit and Jeffrey Epstein in the same URL and connecting the Marius Borg conviction, her health crisis, and prior Epstein exposure as concurrent pressures on the Norwegian monarchy. The piece arrived the same week as her lung transplant and her son’s sentencing, drawing the threads together in the international press.
Conflicts
US-Iran Preliminary Ceasefire
The United States and Iran agreed a preliminary ceasefire on 14 to 15 June, ending a conflict that began 28 February, roughly 3.5 months earlier (Reuters, AP). Terms: end of hostilities, reopening of the Strait of Hormuz, and US release of $12 billion in frozen Iranian assets over 60 days, ahead of broader negotiations. Iran acknowledged it would “never” pursue a nuclear weapon, per Trump. Iran’s Foreign Minister disputed the exact formulation of that acknowledgment. The ceasefire followed US strikes of 49 Tomahawk missiles on Iranian targets on 10 to 11 June, Iranian closure of the Strait, and Hezbollah involvement in Lebanon.
The economic disruption was substantial. Three Indian merchant navy crew were killed in US strikes near Oman aboard MT Settebello, prompting India to summon the US Chargé d’Affaires. Container shipping rates doubled during the Strait’s closure. India’s May wholesale inflation reached 9.68 percent year-on-year, with Middle East fuel shock cited as the primary driver (Financial Express).
Ukraine Strategic Energy Strikes
Ukraine ran a sustained campaign against Russian energy infrastructure across the week. Strikes using FP-5 Flamingo missiles hit the VNIIR-Progress plant in Cheboksary and refineries in Samara and Vladimir. A mass drone attack on 12 to 13 June targeted Tatarstan and Samara petrochemical facilities, including Nizhnekamskneftekhim and Taneco, causing major fires. Russia claimed to have downed 231 drones. Ukrainian intelligence claimed the Tamanneftegaz sea terminal in Krasnodar was struck on 13 to 14 June. A drone hit Moscow’s oil refinery around 16 June, described by Kyiv as “a just response.” Russian oil output fell to a one-year low. Putin cancelled Russia Day events in Red Square for the first time in 23 years (AP, Mirror, Reuters, Kyiv Independent).
Russia-Ukraine War Passes WWI Duration
The Russia-Ukraine conflict surpassed the length of the First World War, 1,568 days, between 13 and 17 June, reaching day 1,575 (Reuters, AP, CNN). NATO estimates put Russian losses at more than 1.4 million killed and wounded. Russian military recruitment fell approximately 20 percent in Q1 2026 year-on-year despite enlistment offers exceeding $80,000. Ukraine has overhauled its military contract terms: fixed 10 to 24-month engagements, doubled frontline wages to around €5,790 per month, and expanded foreign volunteer recruitment.
By the Numbers
| Figure | Detail |
|---|---|
| $409.3M | Coupang PIPC fine, South Korea’s largest data breach penalty on record |
| ~37.5M | Customer records in Coupang breach |
| 100+ | Organisations breached via CVE-2026-35273 (ShinyHunters / Oracle PeopleSoft) |
| 137,000 | School staff records exposed in Infinite Campus / Salesforce breach |
| 11M | Students served by Infinite Campus |
| 45 GB | MSG Sports data published by ShinyHunters after missed ransom deadline |
| ~75,000 | Fortinet devices exposed in credential-harvesting campaign |
| 15+ | Countries affected by Fortinet campaign |
| 1TB+ | Data claimed stolen in Novo Nordisk breach; $25M extortion attempted |
| ~80,000 | Potential Russian troop deployment along Finnish border (satellite estimate) |
| NOK 500M | Forsvarsbygg budget overrun; 2025 report declared unauditable |
| 45 | Days to EU AI Act GPAI enforcement powers, 2 August 2026 (obligations applied since Aug 2025) |
| $12B | US frozen Iranian assets to be released under ceasefire terms |
| 1,575 | Days of Russia-Ukraine war at window close, surpassing WWI |
| 1.4M+ | NATO estimate: Russian soldiers killed and wounded |
| 13,000+ | FIFA World Cup-themed domains registered; ~1,154 classified malicious or suspicious |
What to Do This Week
- Patch Oracle PeopleSoft immediately. CVE-2026-35273 is under active mass exploitation by ShinyHunters, confirmed by Mandiant and The Register. Audit authentication logs since 1 June and treat the Council of Europe compromise as a scope signal for European public institutions.
- Rotate Fortinet credentials and review perimeter logs. Audit VPN and firewall access logs for credential anomalies across the past 14 days. Institutions with Fortinet at government or financial perimeters should run a full incident review.
- Audit Salesforce-connected platforms. The Infinite Campus breach entered via a Salesforce environment. Review connected app permissions and session logs for any SaaS integrations that touch staff or student data.
- EU AI Act enforcement: 45 days. GPAI obligations have applied since August 2025; the Commission’s enforcement powers begin 2 August 2026. Complete conformity assessments, finalise model cards, and establish incident reporting pathways for any GPAI systems deployed in the EU before then.
- Warn World Cup-bound users. Ticket purchases and travel bookings should go through official FIFA and national FA channels only. Treat all World Cup-themed emails as phishing-probable through July.
- Novo Nordisk supply-chain watch. If your organisation has relationships with Novo Nordisk’s research or procurement infrastructure, monitor for second-stage exposure as the claimed 1TB dataset may begin circulating.
Researched against the local SearXNG instance and cross-checked against named outlets throughout. All stories corroborated by at least two named sources except where marked single-source or contested in the text. Single-source and contested claims are marked. Presumption of innocence applies throughout the Epstein coverage.
Named sources this issue: Reuters, The Register, TechRepublic, Cybernews, SC Media, AP, Google/Mandiant Threat Intelligence Group, The Guardian, BBC, NYT, NPR, PBS, ABC News, CNN, FiercePharma, News in English Norway (newsinenglish.no), Meduza, Kyiv Independent, EuroMaidan Press, Barents Observer, Trade Winds News, PCQuest, DQIndia, whitehouse.gov (Tier 1), justice.gov (Tier 1), GovTrack, Forbes, Financial Express, Mirror, MSN/Wired, Times of India, Spectrum News.
Issue 020, weeks 25 and 26, 18 June 2026