Intelligence Brief · 2024–2025

Five Breaches.
One Answer.

The most damaging cyberattacks of the past two years had different targets, different attackers, and different industries. They shared the same root causes — and the same solution.

£1.9B · Largest single incident cost
100M+ · Patient records exposed
<50ms · Threatmatic containment time
5→1 · Tools replaced by Threatmatic
01
🏥 Healthcare · Ransomware

Change Healthcare

February 2024 · United States

The ALPHV/BlackCat ransomware group infiltrated Change Healthcare — a processor of 15 billion healthcare transactions annually. After establishing a foothold, they moved laterally across the network, encrypting critical data and locking out clinical systems nationwide.

The attack compromised sensitive data for over 100 million individuals: medical records, prescriptions, and billing information. Change Healthcare ultimately paid a $22 million ransom — while pharmacies across America couldn't process prescriptions for weeks.

Estimated Total Cost
$22M ransom + $870M+ recovery
How Threatmatic Stops This
🔒
QSchannel™ Microsegmentation
Encrypted micro-tunnels eliminate lateral movement. A compromised billing server cannot reach clinical systems.
<50ms Threat Containment
The moment ransomware behaviour is detected, the infected device is isolated before encryption cascades to adjacent systems.
🧠
Identity-Based Access Control
Executable whitelisting at the endpoint means ransomware binaries — even novel ones — are blocked from running on managed devices.
02
📡 Telecoms · Nation-State Espionage

Salt Typhoon

Late 2024 · United States

Chinese state-backed hackers penetrated at least eight major U.S. telecoms — AT&T, Verizon, T-Mobile, and Lumen Technologies among them. For months they operated silently inside carrier infrastructure, siphoning call metadata, geolocation data, and audio recordings.

The Senate Intelligence Committee chair called it "the worst telecom hack in our nation's history." The attackers weren't loud — they were invisible, persistent, and patient.

Impact
8 carriers · Senior government targets · Months undetected
How Threatmatic Stops This
🔍
Continuous Identity Mapping
Every network flow verified on both user and application axes before traffic is permitted — anomalous flows flagged immediately rather than months later.
🛡️
Quantum-Safe Microsegmentation
QSchannel™ controls host-to-host traffic. Even inside a carrier network, persistent access to one node cannot become access to all nodes.
👁️
Observe, Verify and Allow
Nothing moves without verification — eliminating the silent, long-dwell persistence Salt Typhoon depended on.
03
🔑 Enterprise VPN · Zero-Day Exploit

Ivanti VPN Zero-Days

January 2025 · Global

Attackers exploited critical zero-day vulnerabilities in Ivanti's Connect Secure VPN — including an authentication bypass flaw. Emergency alerts went out worldwide as organisations scrambled to patch infrastructure they depended on for remote access.

The deeper problem: organisations had built their entire security perimeter around VPN technology. When the VPN collapsed, so did everything behind it.

Attack Vector
Authentication bypass on perimeter VPN infrastructure
How Threatmatic Stops This
🔄
VPN Elimination
Threatmatic replaces VPNs entirely with a single lightweight agent. There is no VPN to exploit — the attack surface doesn't exist.
🏝️
Pre-IAM Enforcement
Active and enforcing before IAM interfaces are required — no window of exposure. Authentication bypass attacks have no effect when enforcement precedes authentication.
🌐
Resilient by Design
Separated control and data planes — no single point of failure for attackers to target.
04
🏛️ Government · Supply-Chain Breach

U.S. Treasury / BeyondTrust

December 2024 · Washington, D.C.

Chinese hackers exploited vulnerabilities in BeyondTrust's remote support software — a trusted third-party tool with privileged access to Treasury workstations. Using the vendor's own API keys as a master key, they accessed documents linked to senior officials.

Treasury declared it a "major cybersecurity incident." BeyondTrust first detected the intrusion December 2nd and only confirmed the breach six days later.

Exposed
~3,000 documents · Senior government officials
How Threatmatic Stops This
📋
Executable Whitelisting
Restricts what BeyondTrust's software can do on Treasury systems — even with a valid, compromised API key.
🎯
Zero Trust for Vendors
Third-party vendor access scoped to exactly what's needed. A compromised vendor token cannot grant broad network access.
60ms Policy Propagation
Lockdown propagates in 60ms across the entire environment — vs. the six days it took BeyondTrust to confirm the breach.
05
🚗 Manufacturing · Ransomware + Social Engineering

Jaguar Land Rover

August–September 2025 · United Kingdom

A collective combining Scattered Spider, Lapsus$, and ShinyHunters brought Britain's largest automotive manufacturer to its knees via a targeted vishing campaign — stolen credentials opened JLR's network, and weak segmentation did the rest.

All three UK plants halted for five weeks. UK car production fell 27% — the worst since 1952. The Bank of England cited the attack as a factor in slower GDP growth.

Total Economic Impact
£1.9 billion · 5,000+ organisations affected
How Threatmatic Stops This
🔐
Credential Abuse Prevention
Stolen credentials from an unrecognised device are blocked before network entry — vishing campaigns yield useless credentials.
🧱
No Lateral Movement
A compromised HR endpoint cannot reach SAP or production systems. Blast radius contained to the point of entry.
<50ms Isolation
Sub-50ms device isolation turns a potential five-week factory shutdown into a contained single-node incident.
Incident · Impact · Attack path · Threatmatic response
Change Healthcare · $900M+ · Lateral movement → ransomware spread · Blocked by microsegmentation
Salt Typhoon · National security · Silent lateral movement across carrier infrastructure · Blocked by identity mapping
Ivanti VPN Zero-Days · Global / multi-org · Auth bypass on perimeter VPN · Blocked by VPN elimination
U.S. Treasury · ~3,000 documents · Third-party vendor token compromise · Blocked by vendor Zero Trust
Jaguar Land Rover · £1.9 billion · Vishing + credential abuse + weak segmentation · Blocked by ZTNA + microsegmentation
The door isn't the problem.
The hallway is.
60ms · Policy propagation
<50ms · Threat containment
~60% · Cost vs. legacy stack

Every attack in this report succeeded the same way: a single entry point became a highway. Attackers didn't need to break every control — they needed one gap nobody was watching, then moved freely from there.

Threatmatic's Zero Trust architecture treats that hallway as the battlefield. Microsegmentation eliminates lateral movement. Continuous identity mapping closes the gap between intrusion and detection. And when a threat is identified, containment fires in under 50 milliseconds — before damage can cascade.

Five incidents. Five root causes. One platform that addresses all of them — replacing the fragmented stack of VPNs, firewalls, and cloud gateways that failed each of these organisations with a single, lightweight agent built for the threat landscape we actually face.