Cyber & Space

In-depth daily coverage of state-sponsored cyber operations, critical infrastructure attacks, space militarization, and emerging technology threats.


Cyber & Space: In-Depth Analysis

Executive Summary

On Sunday, February 22, the University of Mississippi Medical Center ransomware attack entered its fourth day with all 35 clinics statewide remaining closed and the FBI surging resources. The Conduent government contractor breach was revealed to affect upwards of 25 million Americans across multiple states. The UAE Cybersecurity Council disclosed that it had thwarted AI-powered cyberattacks described as "terrorist in nature" targeting national digital infrastructure. CISA remained at 38% capacity under the ongoing DHS shutdown, while two actively exploited Roundcube webmail vulnerabilities and the critical BeyondTrust CVE-2026-1731 flaw continued to be weaponized. A new NPM supply chain attack using steganography to deliver Pulsar RAT was disclosed. NASA confirmed the Artemis II crewed lunar mission would slip past its March 6 target due to a helium flow issue. SpaceX set a reuse record with its Falcon 9 booster's 33rd flight, deploying 28 Starlink satellites. Taipei's Grand Hotel disclosed a cyberattack with potential national security implications.

UMMC ransomware attack enters fourth day with FBI surging resources

The University of Mississippi Medical Center (UMMC), the state's only academic medical center and Level I trauma center, entered its fourth consecutive day offline on February 22 after a ransomware attack detected on February 19. All 35 clinic locations statewide remained closed. Surgeries and chemotherapy appointments were cancelled. Physicians resorted to pen and paper. The Epic electronic medical record system was offline. On February 22, UMMC confirmed extended clinic closures beyond the initially announced two days. UMMC operates 7 hospitals, 35 clinics, and more than 200 telehealth sites, employing over 10,000 staff and serving more than 70,000 patients annually.

UMMC confirmed it was in contact with the attackers but did not disclose the ransomware group's identity. FBI Special Agent in Charge Robert A. Eikhoff confirmed the FBI was "surging resources, both locally and nationally." DHS was also involved. Mississippi MED-COM, the statewide hospital transfer coordination network, was affected but maintained operations through redundancies. No confirmation of data exfiltration or the specific ransomware variant had been disclosed as of February 22. This was the fourth cyberattack to hit Mississippi hospital systems in three years. The continued shutdown of all outpatient services into a fourth day represents one of the broadest operational impacts from a single healthcare cyberattack in 2026.

Conduent data breach revealed to affect upwards of 25 million Americans

A ransomware attack on government technology contractor Conduent was revealed on February 22 to be far larger than initially reported. The SafePay ransomware group's campaign, which ran from October 2024 through January 2025, compromised data belonging to at least 15.4 million Texas residents and 10.5 million Oregon residents, along with hundreds of thousands more in Delaware, Massachusetts, and New Hampshire. Compromised data included Social Security numbers, dates of birth, medical records, health insurance details, and claims data collected through Conduent's work for state healthcare programs and government services.

Texas Attorney General Ken Paxton called it potentially the largest data breach in U.S. history. Notification letters were going out to millions of individuals. Conduent provides IT services for government health and human services agencies across multiple states, processing benefit payments and managing healthcare data. The breach underscored the systemic risk posed by centralized government contractors handling tens of millions of records with single points of failure.

UAE discloses thwarting AI-powered cyberattacks on national infrastructure

The UAE Cybersecurity Council announced on February 22 that it had successfully thwarted organized cyberattacks described as "terrorist in nature" targeting the country's digital infrastructure and vital sectors. The attacks included network infiltration attempts, ransomware deployment, and systematic phishing campaigns targeting national platforms. Attackers exploited AI technologies to develop sophisticated offensive tools. Mohamed Al Kuwaiti, head of the Cybersecurity Council, noted the UAE faces 90,000 to 200,000 daily breach attempts, with over 70% of cyber threats reportedly state-sponsored. Asia accounted for approximately 66.7% of state-sponsored actor origins. No specific attribution was disclosed. The announcement coincided with the start of Ramadan, a period that typically sees a spike in online fraud campaigns.

Roundcube, BeyondTrust, and Honeywell vulnerabilities under active exploitation

CISA added two actively exploited Roundcube webmail vulnerabilities to its Known Exploited Vulnerabilities catalog, with coverage continuing through February 22. CVE-2025-49113 (CVSS 9.9), a deserialization flaw enabling remote code execution, was weaponized within 48 hours of its June 2025 disclosure. CVE-2025-68461 (CVSS 7.2) was an XSS vulnerability via SVG documents. Federal civilian agencies face a March 13 remediation deadline. Roundcube has been historically targeted by APT28 (Russia) and Winter Vivern. The critical BeyondTrust pre-authentication RCE flaw (CVE-2026-1731, CVSS 9.9) in Remote Support and Privileged Remote Access products continued to be actively exploited in ransomware campaigns, with attackers delivering SparkRAT and VShell payloads across financial services, legal, healthcare, and education sectors in the United States, France, Germany, Australia, and Canada.

CISA also alerted to a critical authentication bypass in Honeywell CCTVs (CVE-2026-1670). Separately, reporting continued on the Chinese state-sponsored group Volt Typhoon maintaining access to U.S. critical infrastructure networks. The concurrent CISA staffing crisis, with the agency at 38% capacity due to the DHS shutdown, meant that proactive vulnerability scanning of federal networks remained halted and stakeholder guidance sharing was paused, creating a window during which threat actors operated with reduced federal oversight.

NPM supply chain attack uses steganography to deliver Pulsar RAT

Veracode Threat Research disclosed a new NPM supply chain attack reported on February 22. A malicious package named "buildrunner-dev," typosquatting the legitimate "buildrunner" package, used steganography to conceal the Pulsar RAT (a Quasar RAT derivative) inside PNG images. The attack chain employed multi-stage obfuscation, AMSI bypasses, process hollowing, TripleDES encryption, and GZip compression. Pulsar RAT capabilities include keylogging, crypto wallet clipping, credential theft, hidden VNC, and command-and-control communication. Per-antivirus evasion logic deployed different attack paths for Malwarebytes and F-Secure users.

BleepingComputer published Kaspersky's analysis of the Arkanix Stealer, a Malware-as-a-Service info-stealer likely developed with large language model assistance. Active from October 2025 for approximately two months before its author shut it down, the stealer targeted 22 browsers, cryptocurrency wallets, VPN credentials (NordVPN, ExpressVPN, ProtonVPN, Mullvad), Telegram, Discord, and system information. The growing use of AI tools in malware development continued to lower the barrier to entry for cybercriminals.

Artemis II launch slips past March as SpaceX sets booster reuse record

NASA announced on February 21, with preparations continuing through February 22, that a helium flow issue in the Interim Cryogenic Propulsion Stage (ICPS) upper stage of the Artemis II Space Launch System required rolling the rocket from Launch Complex 39B back to the Vehicle Assembly Building. This eliminated the March 6 launch window announced just one day earlier. NASA Administrator Jared Isaacman confirmed the rollback "will take the March launch window out of consideration," pushing the first crewed lunar mission since Apollo 17 in 1972 to at least early April. The setback came after a successful second wet dress rehearsal on February 19 that produced no hydrogen leaks.

SpaceX launched its Starlink 6-104 mission at 10:47 PM EST on February 21 (0347 UTC February 22) from Cape Canaveral Space Force Station, deploying 28 Starlink V2 Mini satellites. Booster B1067 completed a record-setting 33rd flight, the highest reuse count for any orbital-class booster in history. The booster landed on droneship "A Shortfall of Gravitas," marking SpaceX's 575th booster landing. This was the company's 22nd Falcon family launch of 2026. The Starlink constellation now exceeds 9,700 satellites with 10 million subscribers.

Golden Dome missile defense advances as Space Force expands electronic warfare

The Golden Dome missile defense program continued to generate developments around the weekend. Defense News reported on February 19 that SpaceX and Blue Origin had abruptly shifted priorities toward lunar development amid Pentagon acceleration of Golden Dome, with SpaceX reportedly in line for a $2 billion contract for a 600-satellite tracking and targeting constellation. Blue Origin was added to the Missile Defense Agency's $151 billion SHIELD indefinite-delivery/indefinite-quantity contract. Canada confirmed on February 18 that "conversations are ongoing" about participating in Golden Dome. On February 20, Boeing opened a new 9,000-square-foot electro-optical infrared sensor production line at its El Segundo, California facility to support 12 Resilient Missile Warning and Tracking satellites for the Space Force.

In electronic warfare, the Space Force was advancing deployment of three satellite jammer systems: the operational Counter Communications System, the Meadowlands compact mobile jammer from L3Harris (32 planned, with the first production unit accepted in late 2025), and the Remote Modular Terminal (24 planned, with 11 initially deployed for testing in 2025). War on the Rocks published a major analysis arguing that GPS denial is now an operational reality, citing Russian electronic warfare disruption of U.S.-supplied JDAM, HIMARS, Excalibur, and GLSDB munitions in Ukraine. Russia's Tobol EW system continued to suppress navigation signals over the Baltic Sea from nodes in Kaliningrad.

Additional cyber and space developments

Taipei's Grand Hotel disclosed on February 22 that it had detected a cyberattack on February 17, during the Lunar New Year holiday. Taiwan's Ministry of Justice Investigation Bureau was investigating given potential national security implications, as the hotel frequently hosts visiting heads of state and dignitaries. A Romanian hacker pleaded guilty to breaching Oregon's Office of Emergency Management, facing up to seven years in prison. Also confirmed was a PayPal data breach in which a software error in its Working Capital loan application exposed Social Security numbers for approximately six months. Reporting also noted a UK data breach crisis affecting 8.2 million accounts across multiple incidents.

Sources (25)

BleepingComputer, "Mississippi medical center closes all clinics after ransomware attack"
NPR, "Mississippi health system shuts down clinics statewide after ransomware attack"
Mississippi Free Press, "Surgeries Canceled, Clinics Closed After UMMC Suffers Ransomware Attack"
GovInfoSecurity, "Univ. of Mississippi Medical Center Dealing With Cyberattack"
eSecurity Planet, "University of Mississippi Medical Center Closes Clinics After Ransomware Attack"
Fox News, "Conduent data breach hits millions across multiple states"
Khaleej Times, "UAE foils organised terrorist cyberattack targeting vital sectors"
The National, "UAE foils AI-powered 'terrorist cyber attacks' on vital sectors"
The Media Line, "UAE Says It Foiled Cyber Attacks Targeting Digital Infrastructure and Vital Sectors"
The Hacker News, "CISA Adds Two Actively Exploited Roundcube Flaws to KEV Catalog"
News4Hackers, "Malicious PNG Images Used to Distribute Pulsar RAT via NPM Supply Chain Attack"
Veracode, "Hiding in Plain Pixels: Malicious NPM Package Found"
BleepingComputer, "Arkanix Stealer pops up as short-lived AI info-stealer experiment"
SpaceNews, "NASA preparing for Artemis 2 rollback to fix upper stage problem"
Spaceflight Now, "SpaceX's most-flown Falcon booster launches on record 33rd flight"
Defense News, "SpaceX and Blue Origin abruptly shift priorities amid US Golden Dome push"
Air & Space Forces Magazine, "Boeing Adds Production Line to Boost Space Force Missile Warning"
Air & Space Forces Magazine, "Space Force Accepts Meadowlands SATCOM Jammers"
War on the Rocks, "When GPS Goes Dark: Building a Force That Navigates from Orbit to Seabed"
Focus Taiwan, "Taipei's Grand Hotel warns of possible data breach after cyberattack"
The Record, "Romanian hacker faces up to 7 years for breaching Oregon emergency management"
SecurityWeek, "CISA Navigates DHS Shutdown With Reduced Staff"
SecurityWeek, "BeyondTrust Vulnerability Exploited in Ransomware Attacks"
Washington Times, "U.S. racing to build space weapons to counter anti-satellite power of China and Russia"
SpaceNews, "NASA completes second Artemis 2 fueling test"
