
Cyber Security Report - February 2026

  • Mar 17

Research by OSINT Monitoring Team, NTT Security Japan K.K




Page Summary

This report selects and summarizes three topics that are considered particularly important among the various information security-related incidents and events that occurred during February 2026 and the changes in the environment surrounding them. The abstract of each topic is as follows.


Chapter 1: Cyber Attacks Targeting the Milan Cortina Winter Olympics


  • At the Milan Cortina Winter Olympics held in Italy, a series of cyberattacks targeting Games-related infrastructure were confirmed just before the event. The Italian government and relevant agencies responded quickly and succeeded in minimizing the damage.

  • The pro-Russian hacktivist group "NoName057 (16)" suggested in a Telegram post that it carried out some of the attacks in retaliation for the Italian government's support for Ukraine.

  • The Olympics attract attention from all over the world and have a great political, economic, and social impact. They are therefore a prime opportunity for hacktivists who want to make their claims and grievances known to the world to send a message.


Chapter 2: Real or Fraud? Verification of the Emerging Ransomware Group "0APT"


  • A new ransomware group calling itself 0APT has emerged. In a few days, it listed more than 200 organizations as victims and attracted attention, but several of the organizations named reported no signs of compromise, making the list unreliable.

  • On the other hand, because some of the group's ransomware functions actually work, it has been pointed out that the group may use the attention to recruit personnel and carry out attacks in the future, so it should not be underestimated.

  • It is desirable not to take cybercriminals' claims at face value, but to judge their credibility after reviewing technical corroboration and verification results from multiple independent sources, and after checking logs and other records for traces of compromise within the organization.


Chapter 3: The Rapid Rise of CEO Fraud: New Tactics for Abusing External Tools and How to Protect Your Organization


  • Since December 2025, the number of detected CEO fraud emails has skyrocketed, with over 10,000 cases per day recorded in January 2026, and the damage in Japan has expanded.

  • As a new method, attackers have been confirmed to steer employees of target companies from email to external communication tools such as LINE.

  • As the abuse of generative AI and deepfakes is expected to make their methods even more sophisticated, companies are required to upgrade their multi-layered defense systems by continuously reviewing the technical, operational, and educational measures they have been working on so far.



Cyber attacks targeting the Milan-Cortina Winter Olympics


1.1. Outline

The Milan Cortina Winter Olympics held in Italy featured a variety of high-profile events, but at the same time a fierce battle was fought over cyberattacks. Just before the event, a series of Russia-linked cyberattacks targeting Games-related infrastructure and other sites was confirmed. The Italian government and relevant agencies responded quickly and succeeded in minimizing the damage.[1], [2]


Figure 1 Parade of athletes at the opening ceremony of the Winter Olympics in Milan and Cortina


1.2. About the Milan-Cortina Winter Olympics

From February 6 to 22, 2026, the "Milan Cortina 2026 Winter Olympics" were held in Milan, Cortina d'Ampezzo and surrounding areas in northern Italy.[4]


Figure 2 Milan-Cortina host cities for the Winter Olympics

More than 3,500 athletes from 93 countries participated in the tournament and competed for medals.[6]


The International Olympic Committee (IOC) has banned Russian and Belarusian athletes from competing as national teams in response to the invasion of Ukraine that began in 2022. However, participation as a "neutral athlete (AIN)", without using the national flag, national anthem, or national uniform, is allowed, and 20 people were eligible at these Games.[7], [8]


1.3. Attack just before the Olympics

On February 4, just before the Olympics, Italian Foreign Minister Tajani, who was visiting Washington, USA, said at a press conference that cyberattacks targeting organizations and websites related to the Olympics had been prevented. The foreign minister also stressed that the attacks were led by Russia.


In this cyberattack, the following things were observed:


Attack method

The attacks appear to have been DDoS attacks, in which a large volume of traffic is sent to a specific website or server from multiple sources at the same time. Such an attack can overload the website and cause service outages.[11]


Attack target

Italian Ministry of Foreign Affairs

A few days after the press conference in the United States, Foreign Minister Tajani revealed that the websites of about 120 organizations, including the Italian Embassy in Washington, were attacked (some of which may have been related to the Olympics).[12], [13]


Hotels

The websites of hotels near the competition venues in the host cities, such as Cortina d'Ampezzo, were attacked, and some sites were temporarily inaccessible.


Competition related and others

In addition to the sites of Olympic officials and other Games-related sites, sites related to tourism and transportation infrastructure were also attacked, making them temporarily difficult to access.


Attacker information

There is a lack of specific information about who carried out these attacks and how many groups or individuals were involved. However, the pro-Russian hacktivist group "NoName057 (16)" suggested in a Telegram post that it carried out some of the attacks in retaliation for the Italian government's support for Ukraine.


Hacktivists are people who use cyberattacks to publicize their principles, and NoName057 (16) is known for launching DDoS attacks against, and sending messages to, countries and organizations it considers "anti-Russia". This time, in addition to dissatisfaction with the Italian government, the intention is believed to have been to disrupt the high-profile Olympics, influence the international community through the media, and spread the group's claims.


The group began its activities in March 2022, shortly after Russia's military invasion of Ukraine. Since then, it has carried out many attacks targeting NATO member countries and countries that support Ukraine, and the websites of Japanese government agencies and companies have been damaged many times. The group shares target information through social networking services such as Telegram and launches attacks collectively by recruiting supporters.[14], [15]


Figure 3 Part of a Telegram post by Noname057 (16) on February 4

1.4. Fake sites for official Olympics shops also appear

Fraudulent sites like those seen at past Olympics have appeared again this time. The official mascots of the Milan Cortina Winter Olympics and Paralympics, the stoat siblings "Tina" and "Milo", are very popular, and Tina's stuffed toy is out of stock at the official shop.[16]


Scammers who noticed this launched fake sites one after another disguised as official shops.


Figure 4 An example of the official shop showing that Tina is out of stock (left) and a fake site showing the same product at a half-price discount (right)

In multiple confirmed cases, the fake sites used promotional videos and background music identical to those of the official shop site, together with domains similar to the official shop domain "shop.olympics.com". They are also characterized by advertising discounts on products.


The goal of such sites is to steal personal information and credit card information from people who want to buy products, or to distribute malware to them. In addition, cases of shipping fake products have also been confirmed.
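The look-alike domain pattern described above can be screened for mechanically. The following Python example is added here and is not from the report or from NTT Security; it compares hostnames against the official zone named in the text, and the confusable-character list, the thresholds and the sample hostnames (all under reserved TLDs) are assumptions constructed for illustration.

```python
import re

OFFICIAL_ZONE = "olympics.com"   # parent zone of the official shop host named in the report
BRAND = "olympics"
# Character swaps often used to imitate letters (assumed, non-exhaustive list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def deconfuse(token: str) -> str:
    """Map look-alike character sequences back to the letters they imitate."""
    for fake, real in CONFUSABLES:
        token = token.replace(fake, real)
    return token


def classify(host: str):
    """Return (verdict, reasons); verdict is 'official', 'lookalike' or 'unrelated'."""
    host = host.strip().lower().rstrip(".")
    # Exact zone or a true subdomain. The leading dot stops a name that merely
    # ends in the same characters as the official zone from matching.
    if host == OFFICIAL_ZONE or host.endswith("." + OFFICIAL_ZONE):
        return "official", []
    reasons = set()
    if f".{OFFICIAL_ZONE}." in f".{host}":
        reasons.add("official name used as a subdomain prefix")
    for label in host.split("."):
        if label.startswith("xn--"):
            reasons.add("punycode label, review the decoded form")
        if BRAND in label:
            reasons.add("brand keyword in a non-official domain")
            continue
        for token in re.split(r"[-_]", label):
            if BRAND in deconfuse(token):
                reasons.add("look-alike characters spell the brand")
            elif len(token) >= 6 and edit_distance(token, BRAND) <= 1:
                reasons.add("one edit away from the brand")
    return ("lookalike" if reasons else "unrelated"), sorted(reasons)


# Constructed hostnames for illustration; none is taken from the report.
SAMPLES = [
    "shop.olympics.com",
    "shop-olympics.example",
    "olyrnpics-store.test",
    "olympic5.test",
    "olimpics.example",
    "shop.olympics.com.discount.example",
    "example.org",
]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict, why = classify(name)
        print(f"{name:40} {verdict:10} {'; '.join(why)}")
```

Run over newly observed hostnames (for example from proxy or DNS logs), the "lookalike" verdicts form a review queue rather than a blocklist, since legitimate third-party names can also contain the brand word.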


1.5. Milan-Cortina Winter Olympics security system

At the Olympics, there were concerns that the wide geographic dispersion of the venues would increase the number of attack targets and complicate monitoring. For this reason, the government mobilized a large number of police officers and military personnel to build a system that could respond immediately at any time to both physical and cyber threats.


For example, a SOC (Security Operation Center) was established to monitor systems and networks 24 hours a day and to detect and analyze anomalies such as signs of cyberattacks in real time. In the event of a threat, experts and technicians were to intervene immediately.


These efforts were successful, and there was no significant impact on cybersecurity, including during the attack just before the Games.[18], [19]


1.6. Summary

The Olympics attract attention from all over the world and have a great political, economic, and social impact. In addition, these events rely on IT for all aspects such as ticket sales, transportation, accommodation, and live streaming. Therefore, for hacktivists who want to make their claims and grievances known to the world, they are a great opportunity to send a message along with a cyberattack. Still, the Milan Cortina Winter Olympics did not suffer serious damage, thanks to the careful security measures put in place by the host country and related organizations.


Various tensions are swirling in the world. As long as there is international conflict and friction, attempts to appeal political claims through cyberattacks are likely to continue.

References

[1] Source: Euronews, "Tajani a Washington: 'Sventato attacco hacker della Russia contro l'Italia'"

[2] Source: Reuters, "Italy foiled Russia-linked cyberattacks on embassies, Olympic sites, minister says"

[3] Source: International Olympic Committee, "Milan Cortina 2026 Winter Olympics Opening Ceremony Athletes' Entrance March: Which country will enter first?"

[4] Source: Japanese Olympic Committee, "Milan Cortina 2026 Winter Olympics TEAM JAPAN"

[5] Source: International Olympic Committee, "Olympic Winter Games Milano Cortina 2026"

[6] Source: International Olympic Committee, "How many countries will participate in the Winter Olympics 2026?"

[7] Source: Jiji.com, "Russian AIN athlete wins first medal at the Milan Cortina Olympics, Skimo Men's Sprint"

[8] Source: International Olympic Committee, "Q&A regarding the participation of athletes with a Russian or Belarusian passport in international competitions"

[9] Source: Euronews, "Tajani a Washington: 'Sventato attacco hacker della Russia contro l'Italia'"

[10] Source: Jiji.com, "Stopping Russian cyberattacks targeting the Milan-Cortina Winter Olympics, Italy"

[11] Source: Jiji.com, "Stopping Russian cyberattacks targeting the Milan-Cortina Winter Olympics, Italy"

[12] Source: ANSA, "Russian-led cyberattacks on embassies and hotels in Cortina foiled says Tajani (3)"

[13] Source: Italian Government - Ministry of Foreign Affairs and International Cooperation, "Tajani inaugurates the 'CSIRT' Cyber Room to strengthen the fight against cyber threats at the Foreign Ministry"

[14] Source: National Cyber Security Centre, "Pro-Russia hacktivist activity continues to target UK organisations"

[15] Source: Information Technology Promotion Agency (IPA), "Information Security White Paper 2025"

[16] Source: International Olympic Committee, "Mascot"

[17] Source: Malwarebytes, "Fake shops target Winter Olympics 2026 fans" (If you access from Japan, you may see the Japanese version of the page)

[18] Source: ANSA, "Russian-led cyberattacks on embassies and hotels in Cortina foiled says Tajani (3)"

[19] Source: Italian Government - Ministry of Foreign Affairs and International Cooperation, "Tajani inaugurates the 'CSIRT' Cyber Room to strengthen the fight against cyber threats at the Foreign Ministry"


Real or Scam: Verification of the Emerging Ransomware Group "0APT"



2.1. Outline

A new ransomware group calling itself 0APT (0APT Syndicate) has emerged.[20]


In about a week, the group attracted attention with an unusual momentum, announcing more than 200 organizations as victims of its attacks.[21]


However, after verification by multiple security vendors and others, it has been concluded that the majority of 0APT posts claiming the results of the attack are likely fabricated or grossly exaggerated.[22]



2.2. 0APT and its attack claims

On January 28, 2026, 0APT launched a site on the dark web to expose organizations affected by the group's attacks. The group's name may be a combination of "zero-day," which means an undisclosed vulnerability, and "APT," which refers to state-sponsored attack groups.

It offers RaaS (Ransomware as a Service) and also uses the exposure site to recruit "affiliates", who carry out the ransomware attacks. The group also clearly states that its motivation is money, not political beliefs.[20], [22], [23], [24]


Figure 5 0APT Exposure Sites

The group moved quickly, announcing as many as 71 affected organizations in just three days after its appearance. The majority of the victims were based in the United States, and 0APT claimed to have compromised a wide range of businesses, including critical infrastructure-related businesses such as transportation and logistics, energy, manufacturing, and healthcare. However, Epworth Healthcare, one of the organizations named, announced on February 5 that no trace of a breach could be identified. Later, security vendor GuidePoint Security reported that investigations and analysis at several other "victim organizations" produced similar results. In light of this, security professionals have assessed that the credibility of the victim list posted on the 0APT exposure site is very low.


2.3. Technical aspects of 0APT

In general, emerging groups that announce a large number of compromises in a short period of time are often offshoots of existing groups or rebrands (renamed groups).[24] However, verification by multiple security vendors and others has shown that the behavior of 0APT differs from this typical pattern.


Evaluation of ransomware itself

The ransomware used by 0APT includes executable files for Windows and Linux, and its ability to encrypt data on targeted systems and render it unusable has been confirmed to work in practice. However, the executable file was created in 2011, and the most recent update was found to be more than three years ago, so it is difficult to call it recent development by an advanced organization.[20], [22]


Evaluation of exposure sites

Most of the files published on the exposure site to blackmail victim organizations are empty dummies, and the amount of data actually available for download is extremely small.[25] Download speed also appears to be limited, and downloading everything would take more than 7,000 days.[22] In addition, the source code of the exposure site's admin panel contains a mix of AI-generated scripts and immature web implementation, along with developer comments that appear to be in Hindi or Urdu.[26]


The group is likely prioritizing the appearance of a threat over the quality of the site's implementation.[26]


As reports about these verification results spread, the exposure site went offline on February 8. It was revived on February 9, but the organizations listed on it were significantly narrowed down to about 15 large multinational companies.[24]



2.4. Purpose of 0APT

While there are still many uncertainties about 0APT's activities and authenticity, the following four scenarios have been suggested as the group's objectives. The scenarios are not mutually exclusive and may apply in combination.


Scenario A: Scamming other criminals [22], [24]


0APT initially proposed collecting 1 Bitcoin (approximately 10.4 million yen as of February 2026) as a RaaS usage fee. It is therefore believed that the main purpose was to defraud other criminals (affiliate applicants) of this fee. In fact, in 2024, another group called "Mogilevich" revealed that it had defrauded several other criminals of $16,000 for access to the admin panel of the non-existent Mogilevich ransomware and $85,000 for sensitive data that it had allegedly stolen from companies.[27]


It should be noted that 0APT later changed the rules so that affiliates can apply for free, possibly in an attempt to avoid being suspected of running a scam.


Scenario B: Reputation and brand building [21]


By posting a large number of compromise claims, the group may be trying to attract the attention of the media and the security community and gain visibility in advance of moving on to actual attacks. Given that the group's file-encryption tools actually work, a scenario in which it organizes affiliates and shifts to full-scale attacks in the future is realistic.


Scenario C: Extortion and payment inducement of companies [25]


By listing well-known companies on the exposure site's victim list without any actual data, the group may also expect the companies' legal departments and management to fear that they have been compromised, and may try to extract payments from them.


Scenario D: Stepping stone into another criminal activity [24]


In past instances, some groups have moved away from ransomware campaigns after gaining attention and switched to buying and selling data on the dark web or operating other fraudulent services. It is possible that 0APT will follow a similar path.


2.5. Summary

Cybercriminals in general, not only 0APT, often use false or exaggerated claims to attract public attention and set up some kind of criminal activity. It is therefore desirable not to take their claims at face value, but to scrutinize technical corroboration and verification results from multiple independent sources, and to check logs and other records for traces of compromise within the organization, before judging whether the claims are genuine.

References

[20] Source: Halcyon, "Emerging Ransomware Group: 0Apt" https://www.halcyon.ai/ransomware-alerts/emerging-ransomware-group-0apt

[21] Source: CyberScoop, "0APT ransomware group rises swiftly with bluster, along with genuine threat of attack" https://cyberscoop.com/0apt-ransomware-group-hoax-technical-capabilities/

[22] Source: BankInfoSecurity, "Fake Out: 0APT Data-Leak Ransomware Group Branded a Scam" https://www.bankinfosecurity.com/fake-out-0apt-data-leak-ransomware-group-branded-scam-a-30726

[23] Source: Cyber Daily, "Exclusive: Epworth HealthCare finds no evidence of data breach as hackers allege 920GB stolen in ransomware attack" https://www.cyberdaily.au/security/13181-exclusive-epworth-healthcare-finds-no-evidence-of-data-breach-as-hackers-allege-920-gigabyte-stolen-in-ransomware-attack

[24] Source: GuidePoint Security, "GRITREP: 0APT and the Victims Who Weren't" https://www.guidepointsecurity.com/blog/gritrep-0apt-and-the-victims-who-werent/

[25] Source: DataBreach.com, "How 0apt is Using Random Noise to Fake a Ransomware Empire" https://databreach.com/news/44-how-0apt-is-using-random-noise-to-fake-a-ransomware-empire

[26] Source: SOCRadar, "Dark Web Profile: 0APT Ransomware" https://socradar.io/blog/dark-web-profile-0apt-ransomware/

[27] Source: GuidePoint Security, "GRIT Ransomware Report: February 2024" https://www.guidepointsecurity.com/blog/grit-ransomware-report-february-2024/


CEO Fraud on the Rise: New Ways to Exploit External Tools and How to Protect Your Organization


3.1. Outline

On February 13, 2026, the National Police Agency issued a warning about business email fraud. This is believed to be due to the rapid increase in damage caused by a method called "CEO fraud" since December 2025. As methods become more diverse and sophisticated, companies are required to strengthen measures as soon as possible.[28]


3.2. Tactics and trends of business email fraud and CEO fraud


What is business email fraud/CEO fraud?

Business Email Compromise (BEC) is a type of "social engineering" attack, which exploits people's psychological blind spots and emotions such as trust and fear to steal confidential information and money. The attacker impersonates a real business partner, company executive, legal counsel, or similar party and sends an email to the target company instructing it, for example, to change a payment destination account, in an attempt to get the deceived company to transfer money to the attacker's account.[29]


Among these business email scams, "CEO fraud" is a method in which the attacker impersonates a company's CEO, president, or executive and instructs employees to send money.


New modus operandi

In CEO fraud, a method that directs targets to external communication tools such as LINE (hereinafter referred to as "external tools") is currently increasing noticeably against targets in Japan. The attacker first contacts the target company's employees via email and, after a short exchange, tries to move them to an external tool. Characteristically, the email text at this stage uses short sentences disguised as greetings or business contact, rather than direct expressions that indicate remittance instructions or urgency.[30], [31]


The background to this approach is that security products judge whether an email is a scam based on the subject line or on specific wording in the body (such as "urgent" or "remittance"). Attackers are likely trying to evade this detection logic by keeping email exchanges with the target to the minimum necessary and avoiding conspicuous wording while steering the target to an external tool.


Moreover, once the conversation has moved to the external tool, it is difficult for the company to monitor and filter it. This makes it easier for attackers to continue the communication leading up to the deception, which may be why they prefer this method.
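The detection gap described above can be shown on sample messages. The following Python example is added here and is not from the report or from any vendor's product; it contrasts a wording-based filter with a check on sender context, and the company domain, executive name, thresholds and all three messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "corp.example"     # assumed: the organization's own mail domain
EXECUTIVES = {"taro yamada"}        # assumed: executive display names, lower case
SHORT_BODY = 200                    # assumed threshold, in characters
# Wording the report says filters key on.
ALERT_WORDS = re.compile(r"urgent|remittance", re.IGNORECASE)
# LINE is matched case-sensitively so the ordinary word "line" does not trigger.
EXTERNAL_TOOL = re.compile(r"\bLINE\b|(?i:\bQR code\b|\bgroup chat\b)")


def keyword_filter(raw: str) -> bool:
    """Baseline: flag only when alert wording appears in the subject or body."""
    msg = message_from_string(raw)
    return bool(ALERT_WORDS.search(f"{msg.get('Subject', '')}\n{msg.get_payload()}"))


def ceo_fraud_signals(raw: str) -> set:
    """Collect context signals that do not depend on alarming wording."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    signals = set()
    # An executive's name shown on an address outside the company domain.
    if " ".join(name.lower().split()) in EXECUTIVES and domain != COMPANY_DOMAIN:
        signals.add("exec_name_external_addr")
    if EXTERNAL_TOOL.search(body):
        signals.add("external_tool")
    if len(body.strip()) <= SHORT_BODY:
        signals.add("short_body")
    return signals


def hold_for_verification(raw: str) -> bool:
    """Impersonation plus at least one supporting signal sends the mail to review."""
    signals = ceo_fraud_signals(raw)
    return "exec_name_external_addr" in signals and len(signals) >= 2


def _mail(sender: str, subject: str, body: str) -> str:
    return f"From: {sender}\nTo: staff@corp.example\nSubject: {subject}\n\n{body}\n"


# Constructed messages for illustration; none is taken from the report.
LURE = _mail('"Taro Yamada" <office@mail.example.net>', "Hello",
             "Are you at your desk? Please create a LINE group for the new project "
             "and send me the QR code.")
CLASSIC = _mail('"Accounts" <billing@supplier.example>',
                "Urgent: remittance account change",
                "Please send this month's remittance to the new account below.")
INTERNAL = _mail('"Taro Yamada" <taro.yamada@corp.example>', "Thanks",
                 "Thanks for the report.")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("classic", CLASSIC), ("internal", INTERNAL)):
        print(label, keyword_filter(raw), hold_for_verification(raw),
              sorted(ceo_fraud_signals(raw)))
```

The greeting-style lure passes the wording filter but is held by the context check, while the classic remittance request is caught only by the wording filter, so the two checks complement each other.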


Number of cases and damage

According to Trend Micro, CEO fraud emails began to be confirmed around December 7, 2025, and the number of emails detected per day soared to about 1,000 from around the 15th. Furthermore, on January 5 of this year, more than 10,000 emails were detected. Since then, the number of detections has remained high, except on holidays.[31]


Figure 6 Number of CEO fraud emails detected by Trend Micro products

3.3. Measures to be taken by companies

To avoid falling victim to CEO fraud, it is effective to review operational flows within the organization, for example by formulating rules for the use of external tools and the creation of groups, and by prohibiting the provision of account information via email.[32]


In addition, for important tasks such as remittances, establishing a third-party verification process, such as obtaining approval from someone other than the usual person in charge, makes it easier to detect fraudulent remittance instructions from someone impersonating a person within the company.


On the technical side, in addition to blocking traditional threats such as malicious attachments, suspicious URLs, and spam emails, implementing DMARC (Domain-based Message Authentication, Reporting, and Conformance), a mechanism for preventing emails that spoof the sender's domain, is effective.[33]


The warning issued by the National Police Agency advises that, in the event of CEO fraud, organizations share the information internally, be wary of being guided into SNS groups, and, if someone has joined such a group, use the SNS reporting function to notify the service operator and leave the group immediately.[34]


3.4. Summary

Social engineering tactics are becoming more sophisticated, and this is evident in CEO fraud that abuses communication channels such as email and external chat services. The decline in opportunities for face-to-face confirmation with the spread of telework, and the normalization of text-based instructions, have also left organizations more vulnerable to such attacks. In addition, as anti-phishing measures and login authentication technologies advance, attackers may be turning to social engineering, which relies on human judgment.[35]


Spoofing using generative AI-based messages and deepfakes has also been confirmed, and it is expected that their accuracy and methods will become even more sophisticated in the future. In light of this situation, companies are required to continuously review initiatives such as technical measures, internal information sharing, use of external tools, operation of remittance-related operations, and employee training to enhance their multi-layered defense system.

References

[28] Source: National Police Agency, "Beware of fraud targeting corporations (fake president fraud)!" https://www.npa.go.jp/bureau/safetylife/sos47/new-topics/260213/01.html

[29] Source: National Police Agency, "Beware of Business Email Scams!"

[30] Source: INTERNET Watch, "Beware of 'short sentences' that slip through filters! Claiming to be the president and asking Trend Micro about the 'CEO fraud' countermeasures that are causing increasing damage" https://internet.watch.impress.co.jp/docs/special/2084254.html

[31] Source: Trend Micro (JP), "Explanation of the 'CEO Fraud' Method of Deceiving the President and Inducing LINE"

[32] Source: LAC WATCH, "Is that email really from the president? What is 'CEO fraud' in an email attack targeting a company?"

[33] Source: Trend Micro (JP), "Explaining the 'CEO Fraud' Method of Deceiving the President to LINE" https://www.trendmicro.com/ja_jp/jp-security/26/b/trendnews-20260210-01.html

[34] Source: National Police Agency, "Beware of fraud targeting corporations (fake president fraud)!" https://www.npa.go.jp/bureau/safetylife/sos47/new-topics/260213/01.html

[35] Source: Compliance Data Lab Co., Ltd., "'CEO Fraud' is on the Rise - Practical Measures to Prevent Remittances"


Disclaimer

Please note that while we do our best to ensure that the content of this article is accurate, we do not guarantee the content and do not compensate for any damages or losses incurred as a result of the use of this article. If you have any inquiries such as typographical errors, content errors, or other points in the article, please contact us at the following address.


Inquiries

NTT Security Japan Corporation

Professional Services OSINT Monitoring Team

 
 