Hackers shift tactics

Multiple reports show attackers are moving from quick thefts toward maintaining long‑term access inside networks, using zero‑click exploits and living off compromised personal devices to persist. That trend is illustrated by ongoing fallout from the Change Healthcare attack, reports about data exfiltration from Healthdaq, and a CERT‑UA advisory describing persistence techniques. Together these items suggest buyers will press vendors on persistence detection, incident recovery and long‑term containment. (pharmacytimes.com) (bbc.co.uk) (unn.ua)

Hackers used to smash the window, grab the valuables, and run. A growing number now stay inside the building, keep a copy of the keys, and come back whenever they want. (cip.gov.ua)

Ukraine’s Computer Emergency Response Team said on April 6, 2026 that attackers in the second half of 2025 were shifting away from one-time data theft and toward “long-term, unauthorised access” inside victim systems. (cip.gov.ua) That kind of access is called persistence. It means the intruder leaves behind a hidden way back in, like a spare key taped under the doormat after the first break-in. (cip.gov.ua)

Ukraine’s team says many of these groups now hide behind normal tools already built into Windows, including PowerShell and remote tunnels, so their traffic looks like ordinary office work instead of a burglar alarm. (cip.gov.ua) They are also using other people’s devices as stepping stones. A compromised home laptop or phone can become the attacker’s side door into a company network, which is why “bring your own device” rules now matter far beyond convenience. (unn.ua)

The Change Healthcare attack showed what happens when a single foothold sits inside a system that touches huge parts of daily life. UnitedHealth told the Securities and Exchange Commission on February 21, 2024 that an outside threat actor had gained access to some Change Healthcare information technology systems. (sec.gov) Change Healthcare is not a niche software vendor. It sits in the plumbing of American healthcare payments, so when systems were isolated after the intrusion, pharmacies, hospitals, and clinics across the United States felt it almost immediately. (sec.gov) (pharmacytimes.com)

The fallout is still moving through courts and regulators more than two years later. An Iowa lawsuit filed on April 2, 2026 says 192.7 million Americans had protected health information stolen in the breach. (hipaajournal.com)

A newer case shows the same pattern hitting suppliers instead of giant claims processors. BBC News reported on April 10, 2026 that Healthdaq, a recruitment platform used by health trusts in Northern Ireland, said attackers accessed and extracted data after discovering the breach on March 30. (yahoo.com) Healthdaq’s warning said the stolen material may include names, contact details, qualifications, passport copies, and in some cases health information. That is the kind of file set that helps criminals do more than sell data once; it helps them impersonate real people for months. (yahoo.com)

This is why buyers are starting to ask a different question. Not just “Can your security stop the first break-in?” but “If someone gets in anyway, how do you find the spare keys, lock every side door, and prove they are really gone?” (cip.gov.ua) (pharmacytimes.com)
