Cyberattacks turned industrial

Mandiant’s M‑Trends 2026 is grounded in more than 500,000 hours of incident-response investigations and reports the global median dwell time increased to 14 days, up from 11 days the prior year. (cloud.google.com) The report documents a collapse in the initial‑access “hand‑off” window — from a median of more than eight hours in 2022 to just 22 seconds in 2025 — and flags a rise in interactive voice‑phishing to 11% globally (23% for cloud‑related compromises). (security.googlecloudcommunity.com) M‑Trends warns attackers are deliberately targeting backup, virtualization and identity layers to create “recovery denial,” noting campaigns that pre‑stage malware and harvest long‑lived OAuth tokens to pivot into customer environments. (security.googlecloudcommunity.com) Municipal impact has followed: Foster City detected ransomware on March 19 and declared a local state of emergency after most non‑emergency city services were taken offline during the investigation. (cbsnews.com) Transit agencies have been hit too: Los Angeles Metro restricted internal systems after detecting a March 20 breach that disrupted station arrival displays and online TAP card top‑ups, while a group calling itself WorldLeaks claimed 159.9 GB of data exfiltration. (news.moovitapp.com) Global supply‑chain and healthcare vendors have also been targeted — a March 11 attack on medical‑device maker Stryker knocked out global Windows‑connected devices and the attackers claimed roughly 50 terabytes of data seized. (aljazeera.com) Vendor outages are cascading into consumer harm: an attack on Intoxalock beginning March 14 disrupted calibration services for a subset of court‑ordered ignition‑interlock users across 46 states (the company said systems were restored March 22). (breached.company)