Backups are being targeted

Ransomware groups are shifting tactics—operators now try to disable or delete backup storage before encrypting files, turning restores into non‑options and increasing pressure to pay. That shift has prompted new emphasis on air‑gapped copies, strict backup ACLs and regular restore drills. (industrialcyber.co) (govinfosecurity.com)

Waterfall Security’s 2026 OT Threat Report says publicly recorded cyber breaches with physical consequences fell 25% to 57 incidents in 2025 from 76 in 2024, even as the report flags a deeper shift in attacker objectives across sectors. (industrialcyber.co)

Mandiant’s M‑Trends 2026 analysis found adversaries shortening handoff times to minutes and specifically increasing activity against recovery and backup infrastructure in 2025, highlighting faster, more surgical attacker playbooks. (helpnetsecurity.com)

Veeam’s 2025 research of 1,300 organizations reports roughly 69% faced cyber-attacks in the prior year, with only 10% of victims recovering more than 90% of data and 57% recovering less than 50%, underlining that backups often failed to deliver full recovery. (veeam.com)

Incident responders and research groups documented targeted exploitation and misconfiguration of backup platforms: investigations in 2025 flagged repeated adversary focus on Veeam installations and disclosed critical vulnerabilities in backup products that allowed domain‑level compromise. (cybercentaurs.com)

Vendor hardening guidance calls for concrete controls: run backup servers on isolated management VMs, remove backup servers from production domains, restrict console logins to dedicated service accounts, enable MFA on backup consoles, and limit outbound connections to known update endpoints. (nolabnoparty.com)

Industry and federal guidance endorse immutable/offline copies and automated restore verification: adopting the 3‑2‑1‑1‑0 rule (three copies, two media types, one offsite, one immutable/offline, zero restore errors) and using tools such as Veeam’s SureBackup for validation. The FBI and CISA explicitly recommend offline backups and routine restore testing in their Nov. 2025/StopRansomware advisories. (samuraj-cz.com)
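The 3‑2‑1‑1‑0 rule can be checked mechanically against a backup inventory. The sketch below is an added example, not code from any of the cited reports or vendors; the `Copy` record, the function names and both sample inventories are constructed for illustration. It assumes the production data counts as one of the three copies and that a backup which has never been restore-tested does not satisfy the "zero restore errors" clause.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                      # e.g. "disk", "tape", "object"
    offsite: bool
    immutable_or_offline: bool
    restore_errors: Optional[int]   # errors in last restore test; None = never tested
    production: bool = False        # the live data itself, not a backup

def audit_32110(copies):
    """Map each 3-2-1-1-0 clause to (passed, detail) for one protected workload."""
    backups = [c for c in copies if not c.production]
    media = sorted({c.media for c in copies})
    offsite = [c.name for c in backups if c.offsite]
    protected = [c.name for c in backups if c.immutable_or_offline]
    # Assumption: an untested backup cannot be claimed as error-free.
    unproven = [c.name for c in backups if c.restore_errors is None or c.restore_errors > 0]
    return {
        "3 copies": (len(copies) >= 3, f"{len(copies)} copies"),
        "2 media types": (len(media) >= 2, ", ".join(media)),
        "1 offsite": (bool(offsite), ", ".join(offsite) or "none"),
        "1 immutable/offline": (bool(protected), ", ".join(protected) or "none"),
        "0 restore errors": (bool(backups) and not unproven,
                             ", ".join(unproven) or f"{len(backups)} backups verified"),
    }

def failed_rules(copies):
    """Names of the clauses the inventory does not meet, in rule order."""
    return [rule for rule, (ok, _) in audit_32110(copies).items() if not ok]

# Constructed sample: looks like "three copies, two media, one offsite" on paper.
INVENTORY = [
    Copy("prod-volume", "disk", False, False, None, production=True),
    Copy("local-repo", "disk", False, False, 0),
    Copy("cloud-bucket", "object", True, False, None),  # writable, never restore-tested
]
# Same layout with the offsite copy made immutable and restore-verified.
HARDENED = INVENTORY[:2] + [Copy("cloud-bucket-locked", "object", True, True, 0)]

if __name__ == "__main__":
    for label, inv in (("current", INVENTORY), ("hardened", HARDENED)):
        print(label)
        for rule, (ok, detail) in audit_32110(inv).items():
            print(f"  {'PASS' if ok else 'FAIL'}  {rule}: {detail}")
```

The first inventory passes the classic 3‑2‑1 clauses yet fails the two clauses aimed at the backup-deletion tactic described above: no copy is immutable or offline, and the offsite copy has never been proven restorable.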
