This week in security: Turla hits Romania, 35 GB walks out of Accenture, and 12 million KDDI logins
This week had everything: a nation-state campaign formally condemned by an EU government, a ransomware crew going big-game hunting across European tech, a consulting giant allegedly losing a repository full of keys, and a telecom breach measured in the tens of millions. Here's the week of July 8–15, 2026, region by region — and the thread that ties it together.
A note on sourcing: every incident below was reported by reputable outlets, vendors, or government bodies during the week. Where a claim comes from an attacker's leak site and hasn't been independently verified, we say so.
Romania and the EU: Turla, named and condemned
On July 14, Romania formally condemned hostile cyber operations attributed to groups controlled by Russia's FSB — specifically the long-running espionage actor Turla, active since at least 2004. President Nicușor Dan called the attacks part of "a broader hybrid campaign, meant to undermine the stability of our democracies." Reported targets include government institutions and critical infrastructure; earlier this year, dozens of Romanian military email addresses were compromised, though classified systems were reportedly not reached.
Romania wasn't alone. France reported Russian cyber campaigns affecting roughly ten European countries, the EU's High Representative issued a formal condemnation of Russia's "malicious cyber ecosystem," NATO's North Atlantic Council published its own statement, and Germany and France summoned Russian ambassadors. Espionage against EU institutions is not new — what's notable is how publicly and collectively it was attributed this time.
European tech: D1R goes big-game hunting
A newly tracked ransomware operation calling itself D1R updated its leak site on July 13 with three high-profile names at once: chip designer Arm (UK), engineering giant Bosch (Germany), and design-software maker Synopsys (US). Researchers link the campaign to exploitation of perimeter appliances — a Check Point Security Gateway flaw (CVE-2026-50751) used to bypass VPN authentication, and a Cisco Secure Firewall FMC bug (CVE-2026-20131) used to pivot deeper.
Important caveat: these are attacker claims. Synopsys says it has found no evidence of a breach, and the scale of what was actually taken from any of the three is unverified. But the target selection — semiconductor IP and the software that designs it — says a lot about where extortion economics are heading, and the entry vector is the same story security teams have lived through for three years: the VPN box at the perimeter.
United States: Accenture's 35 GB problem
A threat actor using the handle "888" claimed on a cybercrime forum to have taken roughly 35 GB from Accenture — not customer records, but source code, RSA and SSH keys, Azure personal access tokens, Azure Storage keys, and configuration files, with a screenshot of a private Azure DevOps repository as proof. Accenture said it was "aware of this isolated matter" and had "remediated its source," without confirming what, if anything, left. We wrote a separate deep-dive on why a leak of this shape — keys inside code — is its own category of incident.
Elsewhere in the US: the Conduent healthcare breach grew to more than 62 million affected individuals in updated filings; AssuranceAmerica disclosed nearly 7 million records exposed after a single employee account was compromised; and reporting pointed to a compromise of DHS information-sharing infrastructure. On July 14 the US Treasury sanctioned a VPN provider and two individuals accused of servicing ransomware crews — infrastructure takedowns are increasingly financial, not just technical.
Asia: Japan's telecom breach of the year
Japanese telecom giant KDDI confirmed that attackers accessed the email platform serving five ISPs (including BIGLOBE, NIFTY and JCOM), exposing about 12.2 million email addresses and 7.6 million passwords. The intrusion began on May 16 through a zero-day in a third-party email platform — unknown even to the vendor — and wasn't detected until June 17. Passwords at that scale become credential-stuffing ammunition against every other service where people reused them, which is why the disclosure was paired with a forced reset campaign.
The wider region had a busy week too: ransomware claims were posted against Saudi jewelry manufacturer L'azurde, Hong Kong's Intron Technology, and India's Omax Autos, among others — all leak-site claims at this stage, but a reminder that extortion is fully global.
Also worth your attention
- Developer tools as attack surface: researchers disclosed a zero-click remote-code-execution chain in the Cursor AI code editor, and active attacks abusing an Azure CLI weakness to sidestep MFA and Conditional Access. The tools that hold your credentials are targets themselves.
- AI-operated ransomware: reporting this week described what researchers called the first ransomware intrusion conducted almost entirely by an autonomous AI agent, exploiting a Langflow vulnerability. Whatever the label ends up being, the marginal cost of running an intrusion is falling fast.
The common thread
Strip the names away and the week reduces to three root causes: perimeter appliances with known flaws (D1R's entry path), a zero-day in a trusted third-party platform (KDDI), and long-lived credentials sitting where they could be copied (Accenture's alleged keys-in-code, KDDI's password trove). Nobody broke encryption. They found secrets that were reusable and reused them.
The practical lesson is the same one every week like this teaches: a credential is dangerous in proportion to how long it stays valid and how many places it lives. Prefer short-lived, single-purpose secrets. Rotate what might be exposed. And when you have to hand someone a password or a key, use a channel that expires and self-destructs — not an inbox or a chat log that quietly becomes an archive of everything you ever shared.
