EMPSurvive
Prepare. Protect. Prevail.
Qilin Ransomware Campaign Expands: SEL, Steel, Engineering Targets Hit
INTEL FLASH

The Qilin ransomware gang has escalated operations across critical sectors—energy equipment supplier SEL, steel production, and engineering firms—in a 7-day campaign exposing operational data. The targets suggest deliberate focus on supply chain and manufacturing vulnerability.

Morgan Reed

Between April 22 and April 29, 2026, Qilin ransomware operators claimed successful attacks on at least six distinct organizations across industrial and critical infrastructure sectors, according to reporting tracked by DeXpose. Confirmed targets include SEL (a known supplier of power systems components), Heartland Steel Products, Ferguson Timar, B&E Juice, Longwood Engineering Company, Flipo Group, and Inspira (Puerto Rico facility). The clustering of attacks within a single week, combined with public disclosure on gang-operated leak sites, indicates deliberate targeting rather than opportunistic spray-and-pray campaigns.

Qilin's operational tempo has accelerated noticeably since late 2025. The group's focus on industrial manufacturers and equipment suppliers—particularly those tied to energy, materials handling, and engineering—suggests either:

  1. Intelligence-gathering for supply chain mapping (reconnaissance before larger disruptive operations), or
  2. Direct extortion targeting companies with high operational disruption sensitivity and compliance-driven payment incentives.

The exposure of operational and employee data from SEL is particularly significant: SEL manufactures protective relays and SCADA controllers used in electrical substations and industrial control systems. Compromised employee credentials or system architecture details could enable follow-on attacks against utility customers downstream.

Qilin has historically shown willingness to follow through on encryption threats when victims refuse payment. Unlike some ransomware groups that abandon leaks after extortion fails, Qilin maintains persistent pressure and public naming—a tactic that compounds reputational damage and regulatory scrutiny for affected organizations.

What matters: Victims in sectors adjacent to critical infrastructure (energy equipment supply, industrial automation) should assume their operational security posture has been surveyed by the attackers. Even networks that were not encrypted may face downstream targeting via customer relationships. Utilities and industrial operators purchasing from hit suppliers should review access logs and credential usage from the affected period.
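One way to run the log review recommended above, as an added example that is not part of the original article: it flags authentication events for supplier-associated accounts during the reported April 22 to April 29, 2026 window when the source address has no successful login before the window. The CSV column names, the `vendor-support` account, and all log lines are constructed, and the window is assumed to be in UTC.

```python
import csv
import io
from datetime import datetime, timezone

# Window reported in the article, treated as UTC (assumption).
WINDOW_START = datetime(2026, 4, 22, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 4, 30, tzinfo=timezone.utc)  # exclusive: covers all of April 29

# Constructed sample export; column names and accounts are hypothetical.
SAMPLE_LOG = """timestamp,account,source_ip,result
2026-04-10T08:02:11Z,vendor-support,198.51.100.7,success
2026-04-18T13:40:02Z,vendor-support,198.51.100.7,success
2026-04-23T02:14:55Z,vendor-support,203.0.113.44,failure
2026-04-23T02:15:09Z,vendor-support,203.0.113.44,success
2026-04-24T09:00:31Z,vendor-support,198.51.100.7,success
2026-04-25T11:20:00Z,jsmith,192.0.2.10,success
2026-05-02T07:45:12Z,vendor-support,198.51.100.7,success
"""

def parse_ts(value):
    """Parse an ISO-8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review_vendor_logins(log_text, vendor_accounts):
    """Return in-window events for vendor accounts from sources unseen before the window."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["timestamp"])
    baseline = {}  # account -> source IPs with a successful login before the window
    findings = []
    for row in rows:
        if row["account"] not in vendor_accounts:
            continue
        ts = parse_ts(row["timestamp"])
        if ts < WINDOW_START:
            if row["result"] == "success":
                baseline.setdefault(row["account"], set()).add(row["source_ip"])
        elif ts < WINDOW_END:
            # Failures are kept too: they show attempts against the account.
            if row["source_ip"] not in baseline.get(row["account"], set()):
                findings.append((row["timestamp"], row["account"],
                                 row["source_ip"], row["result"]))
    return findings

if __name__ == "__main__":
    for finding in review_vendor_logins(SAMPLE_LOG, {"vendor-support"}):
        print(*finding)
```

An account with no pre-window history has an empty baseline, so every in-window event for it is returned for manual review.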

Written by

Morgan Reed

Survival Systems Specialist

Cybersecurity consultant and survival systems specialist with over a decade of experience in EMP preparedness, electronic hardening, and off-grid living strategies. Morgan has helped thousands of families develop comprehensive protection plans against electromagnetic threats.
