Supply chain attacks emerge as top global cyber threat in 2026

Dubai: Supply chain attacks have overtaken traditional cyber intrusions to become the most significant global cyber threat, according to the newly released High-Tech Crime Trends Report 2026 by Group-IB.

The report warns that cybercrime has shifted from isolated system breaches to ecosystem-wide compromises, where attackers infiltrate trusted vendors, SaaS platforms, open-source software, browser extensions and managed service providers to gain inherited access to hundreds of downstream organisations.

For the Middle East and Africa (MEA), a region witnessing rapid growth in cloud adoption including digital government services and fintech ecosystems, this shift represents a systemic risk that can ripple across entire industries rather than remain confined to a single victim.

Group-IB’s 2025 telemetry shows phishing remains the primary entry point. In MEA, more than 80% of observed phishing activity targeted high-trust sectors, with internet services accounting for 52.49%, financial institutions 28.50%, and logistics 11.20%.

While phishing often begins with individual users, successful credential theft inside major service providers can trigger cascading consequences across customers, partners and interconnected digital ecosystems.

Drawing on intelligence from its Digital Crime Resistance Centers in 11 countries, the report provides detailed case studies, threat actor profiling and predictive insights to help enterprises, governments and law enforcement anticipate emerging risks.

The report highlights how modern attacks increasingly function as interconnected chains. Phishing, identity compromise, malicious browser extensions, SaaS breaches, ransomware and extortion are no longer stand-alone incidents — they are linked stages of a coordinated campaign designed to maximise scale and financial impact.

A key finding is the growing role of Initial Access Brokers (IABs). In 2025 alone, more than 200 cases of publicly advertised corporate access linked to MEA organisations were identified for sale on underground forums. Stolen credentials are increasingly traded to fuel ransomware attacks, espionage and large-scale follow-up operations.

Ransomware activity in MEA was most concentrated in the GCC, which recorded more than 100 reported incidents. Real estate (39 incidents), financial services (25), manufacturing (23), and government and healthcare (21 each) were among the hardest-hit sectors.

The report notes that ransomware operators now function as industrialised supply chains themselves, tightly coordinated networks that target upstream access points to amplify operational disruption and financial damage.

In the GCC alone, five organisations, mainly in IT services and industrial sectors, were identified as victims of supply chain attacks. Because these companies serve broad partner networks, a single compromise can disrupt multiple dependent entities simultaneously.

Some attacks, particularly those involving open-source ecosystems, may remain partially hidden, meaning the true scale of impact could be far larger than currently visible.

“Cybercrime is no longer defined by single breaches. It is defined by cascading failures of trust. Attackers are industrialising supply chain compromise because it delivers scale, speed and stealth. Defenders must stop thinking in terms of isolated systems and start securing trust itself,” said Dmitry Volkov, CEO of Group-IB.

The findings, he noted, underscore the urgent need for organisations across MEA to strengthen identity protection, enhance third-party monitoring and implement robust vendor risk governance as part of their cybersecurity strategies.