
Eight cyber vigilance best practices to counter the next Salt Typhoon attack


COMMENTARY: In 2026, organizations serving or partnering with Fortune 1,000 companies or government agencies should expect to be targeted by advanced persistent threat (APT) actors seeking to island hop through their environments to attack their constituencies.

Unlike supply chain attacks, which are limited to exploiting the application layer to attack any number of targets, island hopping exploits any number of layers within an organization’s technology stack and uses them to launch attacks on particularly high-value customers.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts.]

Organizations must recognize that while they may have their own third-party risk management house in order, they themselves are third parties to others and may become the mechanism for attacks on their customers.

The state of island hopping: What 2025 taught us

The year 2025 brought with it shocking new revelations on how our adversaries use island hopping.

Salt Typhoon was the most significant cyber campaign perpetrated against American critical infrastructure in the short history of cybersecurity. While it was first publicly disclosed in 2024, numerous profoundly disturbing details of its success continued to surface over the course of 2025. These disclosures revealed the compromises of the majority of U.S. telecommunications giants. The Chinese government campaign succeeded not only in accessing details on who U.S. intelligence and law enforcement entities are surveilling, but also in tapping the phones of President Trump, Vice President Vance, and other top U.S. officials.

Multiple threat research teams observed evidence that the campaign island hopped from the compromised networks of one telecommunications giant to reach devices within the networks of another. This process repeated again and again. Cisco Talos asserts that this tactic relied on trusted network paths and reused credentials, allowing the actor to traverse multiple providers’ networks without detection.

The 2025 breach of F5 also showed how a Chinese-affiliated threat actor compromised a vendor, stole source code and information on undisclosed vulnerabilities, and gained visibility and access into high-value F5 customer environments.

Unless organizations implement measures to counter these attacks, attackers will continue compromising them and using them as a launch point for attacks on their customers and partners.

Here are eight cyber vigilance best practices for countering island hopping in 2026:

  1. Monitor, alert, and patch: Notify partners and customers of mysterious and potentially malicious outbound traffic, suspected breaches, and critical vulnerabilities within three days of discovery.
  2. Implement a segmentation strategy: Divide the network into smaller, isolated zones to limit an attacker's ability to move laterally once they gain access to one part of a system.
  3. Establish a threat hunt team: Create a dedicated team to conduct weekly proactive searches for behavioral anomalies within the network. If the company can’t hire an in-house team, use a managed detection and response (MDR) firm.
  4. Prioritize modern application security: Since island hopping attacks often start by exploiting less secure partners in a company's supply chain, it’s crucial to implement application detection and response (ADR).
  5. Conduct proactive attack path mapping: Map attack paths from within the company’s environment to external critical partners and customers on an annual basis to best ascertain potential blast radius risks.
  6. Deploy deception: Implement technology like honeypots and deception grids along critical paths within the environment.
  7. Certify AI services: Require an AI Security certification for all deployments of AI that emanate from service providers.
  8. Develop a solid IR plan: Refine incident response plans and crisis communications plans to ensure that a holistic, comprehensive response is aligned and ready across your organization.

When a couple goes to Tiffany & Company to buy a wedding ring, they do not fear being mugged because the company recognizes a duty of customer loyalty to protect them. It does so through layered security in the store, trained security personnel and staff protocols, secure store design and fixtures, and incident response processes. The security of the store ensures the safety of its customers. 

Organizations must implement a digital construct of this duty of loyalty via cyber vigilance for their customer and partner relationships. Businesses must understand that cyber vigilance in mitigating island hopping promises to protect an organization’s brand in 2026 and beyond.

Tom Kellermann, vice president of cyber risk, HITRUST
