<p> <strong> Threat Assessment Level: ELEVATED </strong>
</p>
<p> State government IT leaders face a convergence of actively exploited vulnerabilities, new social engineering campaigns targeting U.S. government organizations, and a wave of industrial control system advisories affecting utility partners. This week's intelligence confirms that threat actors are actively probing the tools state agencies rely on daily — SolarWinds Serv-U for file transfer, Chrome browsers across the enterprise, and SCADA systems in partner utilities. A brand-new China-nexus threat actor designated just this week is already confirmed to target government entities. The window for defensive action is narrow.
</p>
<h2> <strong> What Changed </strong>
</h2>
<p> The past week brought several developments that shift the operational picture for state IT leadership:
</p>
<ul> <li> <strong> CVE-2026-28318 (SolarWinds Serv-U) </strong> was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on June 5, confirming active in-the-wild exploitation. This pre-authentication denial-of-service vulnerability affects a file transfer tool widely deployed across state agencies. </li> <li> <strong> UNC6861 </strong> , a newly tracked European-origin threat cluster, is actively deploying NETSUPPORT remote access trojans against U.S. government organizations using "ClickFix" social engineering — fake CAPTCHA verification prompts that trick users into executing malicious commands. </li> <li> <strong> Five ICS advisories </strong> were published in a single day (June 4), including three affecting Hitachi Energy products deployed in state-adjacent electrical grid infrastructure. </li> <li> <strong> UNC5475 </strong> , a brand-new China-nexus actor designation, appeared in threat intelligence feeds on June 8 with confirmed government targeting. No aliases or detailed TTPs are available yet — this is an emerging threat requiring close monitoring. </li> <li> <strong> APT42 (Charming Kitten / Mint Sandstorm) </strong> , an Iranian IRGC-IO-linked actor, received updated intelligence confirming ongoing credential harvesting operations against government, energy, and healthcare sectors. </li> <li> <strong> Miasma worm (TeamPCP) </strong> compromised 73 Microsoft GitHub repositories between June 5–6 via malicious AI coding tool configurations, posing a supply chain risk to state DevOps teams using AI coding assistants. </li> <li> <strong> CVE-2026-10881 (Chrome, CVSS 9.6) </strong> — a critical sandbox escape vulnerability — is addressed in Chrome version 149.0.7827.53+. State agencies should verify enterprise-wide deployment of this update. </li>
</ul>
<p> <strong> Change from prior cycle: </strong> The threat assessment remains at <strong> ELEVATED </strong> (unchanged from June 7). While no single event warrants escalation to HIGH, the combination of confirmed exploitation (Serv-U KEV), active government targeting (UNC6861), and expanding China-nexus actor designations (UNC5475) maintains elevated pressure on state defenses.
</p>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Relevance to State Government </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> June 2 </p> </td> <td> <p> CISA/Partners publish ATG hardening guidance for fuel tank monitoring systems </p> </td> <td> <p> State fleet fueling depots, underground storage tank compliance </p> </td> </tr> <tr> <td> <p> June 3 </p> </td> <td> <p> CVE-2026-45247 (Magento/Mirasvit, CVSS 9.8) added to CISA KEV </p> </td> <td> <p> State e-commerce portals using Magento </p> </td> </tr> <tr> <td> <p> June 4 </p> </td> <td> <p> Five ICS advisories published (Hitachi Energy RTU500, MACH HiDraw, ITT600, NAVTOR, B&R PPT30) </p> </td> <td> <p> State utility partners — power grid substations, SCADA systems </p> </td> </tr> <tr> <td> <p> June 5 </p> </td> <td> <p> CVE-2026-28318 (SolarWinds Serv-U, CVSS 7.5) added to CISA KEV </p> </td> <td> <p> Direct impact — Serv-U deployed for state file transfer operations </p> </td> </tr> <tr> <td> <p> June 5–6 </p> </td> <td> <p> Miasma worm (TeamPCP) compromises 73 Microsoft GitHub repositories via malicious AI coding tool configs </p> </td> <td> <p> State DevOps teams using AI coding assistants </p> </td> </tr> <tr> <td> <p> June 7 </p> </td> <td> <p> UNC6861 ClickFix campaign last IOC observed; active against U.S. government </p> </td> <td> <p> Direct targeting of government employees via social engineering </p> </td> </tr> <tr> <td> <p> June 8 </p> </td> <td> <p> UNC5475 (China-nexus) designated — government targeting confirmed </p> </td> <td> <p> New actor; state agencies likely within collection scope </p> </td> </tr> <tr> <td> <p> June 8 </p> </td> <td> <p> APT42 (Iran/IRGC-IO) intelligence updated — government credential harvesting active </p> </td> <td> <p> State cloud accounts (M365/Azure) at risk </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. SolarWinds Serv-U Under Active Exploitation (CVE-2026-28318) </strong>
</h3>
<p> CISA's addition of CVE-2026-28318 to the KEV catalog confirms that attackers are actively exploiting this pre-authentication denial-of-service vulnerability in SolarWinds Serv-U. The vulnerability is triggered by crafted POST requests using Content-Encoding: deflate and affects all versions prior to 15.5.4 Hotfix 1.
</p>
<p> While classified as denial-of-service, state IT leaders should understand the operational implications: DoS against file transfer infrastructure can serve as a smokescreen for data exfiltration or as a disruption tactic during broader intrusion operations. SolarWinds Serv-U is a known target of nation-state actors — it was previously exploited by Chinese threat groups for initial access into government networks.
</p>
<p> <strong> Affected versions: </strong> Serv-U prior to 15.5.4 Hotfix 1
</p>
<p> <strong> Exploitation: </strong> Confirmed in-the-wild (CISA KEV)
</p>
<p> <strong> CVSS: </strong> 7.5 (HIGH)
</p>
<h3> <strong> 2. UNC6861 ClickFix Campaign — Social Engineering Targeting Government </strong>
</h3>
<p> UNC6861 represents a sophisticated social engineering operation specifically targeting U.S. government employees. The attack chain is designed to bypass traditional email security controls:
</p>
<ol> <li> <strong> Lure: </strong> Victims encounter fake "Verify you are human" CAPTCHA prompts (ClickFix technique) </li> <li> <strong> Execution: </strong> The lure tricks users into running commands that invoke legitimate Windows utilities — finger.exe, curl, and tar — to download a portable Python interpreter </li> <li> <strong> Payload: </strong> Base64-encoded in-memory scripts fetch NETSUPPORT RAT from command-and-control infrastructure </li> <li> <strong> Persistence: </strong> Windows Scheduled Tasks maintain access </li>
</ol>
<p> This technique is particularly dangerous because it uses Living-off-the-Land binaries (LOLBins) that are already present on Windows systems and typically whitelisted by endpoint protection. Traditional antivirus focused on malicious attachments or macros will not detect this chain.
</p>
<p> <strong> Targeted sectors: </strong> U.S. government, financial services, education, manufacturing, technology
</p>
<h3> <strong> 3. ICS/OT Vulnerability Wave — Utility Partner Risk </strong>
</h3>
<p> Five ICS advisories in 24 hours signal an elevated vulnerability disclosure period for operational technology. Three advisories affect Hitachi Energy products commonly deployed in state-adjacent electrical grid infrastructure:
</p>
<ul> <li> <strong> Hitachi Energy RTU500 </strong> — Remote Terminal Units in power grid substations; vulnerabilities could disrupt SCADA communications </li> <li> <strong> Hitachi Energy MACH HiDraw </strong> — Buffer overflow in substation automation engineering workstations </li> <li> <strong> Hitachi Energy ITT600 Explorer </strong> — Telecontrol engineering tool vulnerabilities </li>
</ul>
<p> Additionally, CISA's Automatic Tank Gauge (ATG) hardening guidance highlights that fuel monitoring systems at government fleet depots are frequently internet-exposed with default credentials — a trivial entry point for attackers.
</p>
<h3> <strong> 4. Expanding China-Nexus Threat to State Government </strong>
</h3>
<p> The designation of <strong> UNC5475 </strong> as a new China-nexus actor targeting government — appearing alongside updates to APT41, APT5, and UNC5221 — signals expanding Chinese operational capacity against U.S. government targets. Combined with the continued (though currently quiet) presence of <strong> Volt Typhoon </strong> and <strong> Salt Typhoon </strong> in critical infrastructure, state agencies should assume they fall within the collection requirements of multiple independent Chinese cyber units.
</p>
<p> Volt Typhoon intelligence was last updated approximately three and a half weeks ago (May 15); Salt Typhoon intelligence was last updated approximately twelve days ago (May 27). Operational pauses of this duration historically precede major campaign disclosures. This absence is signal, not safety.
</p>
<h3> <strong> 5. APT42 (Iran/IRGC-IO) — Credential Harvesting Against Government Cloud </strong>
</h3>
<p> APT42, also tracked as Charming Kitten and Mint Sandstorm, is an Iranian actor affiliated with the IRGC Intelligence Organization (IRGC-IO), with updated intelligence confirming active operations against government, energy, healthcare, and education sectors. Their primary TTPs center on:
</p>
<ul> <li> OAuth consent phishing to steal cloud application tokens </li> <li> Sophisticated spearphishing with credential harvesting landing pages </li> <li> Targeting cloud accounts (M365, Google Workspace) for email collection and persistent access </li>
</ul>
<p> State agencies with Azure AD/Entra ID environments should treat this as a direct threat to their identity infrastructure.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional KEV additions for FortiClient EMS (CVE-2026-35616) or Cisco UCM (CVE-2026-20230) within 7 days </p> </td> <td> <p> <strong> 70% (HIGH) </strong> </p> </td> <td> <p> Both vulnerabilities are critical severity, affect government-deployed products, and match KEV addition patterns </p> </td> </tr> <tr> <td> <p> UNC6861 ClickFix campaign expands with government compliance or IT notification-themed lures </p> </td> <td> <p> <strong> 50% (MODERATE) </strong> </p> </td> <td> <p> Active campaign with confirmed government targeting; social engineering themes typically evolve to match target context </p> </td> </tr> <tr> <td> <p> Volt Typhoon or Salt Typhoon operational pause ends with new campaign disclosure </p> </td> <td> <p> <strong> 30% (LOW-MODERATE) </strong> </p> </td> <td> <p> Extended operational silence historically precedes major public reporting; Volt Typhoon currently at 3+ weeks, Salt Typhoon at ~2 weeks </p> </td> </tr> <tr> <td> <p> Summer ransomware campaign targeting state/local government begins </p> </td> <td> <p> <strong> 40% (MODERATE) </strong> </p> </td> <td> <p> Historical seasonal pattern (budget cycles, reduced staffing); currently quiet but pre-positioning may be underway </p> </td> </tr> <tr> <td> <p> UNC5475 linked to existing Chinese APT infrastructure within 30 days </p> </td> <td> <p> <strong> 60% (MODERATE-HIGH) </strong> </p> </td> <td> <p> New designations frequently merge with or relate to established groups as analysis matures </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Detection Priorities </strong>
</h3>
<ol> <li> <strong> UNC6861 ClickFix LOLBin Chain (HIGH PRIORITY) </strong> </li>
</ol>
<table> <thead> <tr> <th> <p> <strong> ATT&CK Technique </strong> </p> </th> <th> <p> <strong> Detection Approach </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> T1204.001 (User Execution — Malicious Link) </p> </td> <td> <p> Monitor for browser processes spawning command-line interpreters </p> </td> </tr> <tr> <td> <p> T1218 (System Binary Proxy Execution) </p> </td> <td> <p> Alert on finger.exe execution from any user context — this binary has near-zero legitimate use in enterprise environments </p> </td> </tr> <tr> <td> <p> T1105 (Ingress Tool Transfer) </p> </td> <td> <p> Detect curl.exe or tar.exe invoked by non-administrator accounts, especially when parent process is a browser </p> </td> </tr> <tr> <td> <p> T1059.006 (Python Execution) </p> </td> <td> <p> Alert on portable Python interpreters (python.exe or pythonw.exe) executing from user-writable directories (AppData, Temp, Downloads) </p> </td> </tr> <tr> <td> <p> T1053.005 (Scheduled Task) </p> </td> <td> <p> Monitor scheduled task creation that references Python interpreters or scripts in non-standard paths </p> </td> </tr> <tr> <td> <p> T1219 (Remote Access Software — NETSUPPORT) </p> </td> <td> <p> Block or alert on NETSUPPORT Manager network signatures; monitor for client32.exe or associated DLLs </p> </td> </tr> </tbody>
</table>
<p> <strong> Hunting Hypothesis: </strong> "If UNC6861 is active in our environment, we will see finger.exe → curl.exe → tar.exe execution chains within 60 seconds of each other, originating from a browser parent process, followed by scheduled task creation within 5 minutes."
</p>
<p> <strong> Sigma Rule Logic: </strong>
</p>
<pre><code>detection:
  selection_lolbin:
    Image|endswith:
      - '\finger.exe'
      - '\curl.exe'
      - '\tar.exe'
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  condition: selection_lolbin
</code></pre>
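<p> The hunting hypothesis above (finger.exe, curl.exe and tar.exe from a browser parent inside 60 seconds, then a scheduled task inside 5 minutes) as a correlation over endpoint telemetry. This is an added example, not code from the report; the events are constructed records carrying only the fields the logic needs from a Sysmon process-creation event and a scheduled-task registration event.
</p>

```python
"""Correlate the UNC6861 ClickFix hunting hypothesis over endpoint telemetry.

Added example, not from the report. EVENTS below are constructed records with
the few fields needed from a Sysmon process-creation event and a scheduled-task
registration event; real telemetry would be pulled from the SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
CHAIN = ("finger.exe", "curl.exe", "tar.exe")   # expected order of the LOLBin chain
CHAIN_WINDOW = timedelta(seconds=60)            # whole chain inside 60 s
TASK_WINDOW = timedelta(minutes=5)              # persistence within 5 min of tar.exe

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [  # constructed sample data: alice matches the hypothesis, bob is benign
    {"ts": "2026-06-07T09:00:00", "type": "proc", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\finger.exe", "parent": CHROME},
    {"ts": "2026-06-07T09:00:12", "type": "proc", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\curl.exe", "parent": CHROME},
    {"ts": "2026-06-07T09:00:30", "type": "proc", "host": "WS01", "user": "alice",
     "image": r"C:\Windows\System32\tar.exe", "parent": CHROME},
    {"ts": "2026-06-07T09:03:10", "type": "task", "host": "WS01", "user": "alice",
     "task_name": "Updater", "action": r"C:\Users\alice\AppData\Local\Temp\py\pythonw.exe"},
    {"ts": "2026-06-07T10:15:00", "type": "proc", "host": "WS02", "user": "bob",
     "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-06-07T10:15:05", "type": "proc", "host": "WS02", "user": "bob",
     "image": r"C:\Windows\System32\tar.exe", "parent": r"C:\Windows\System32\cmd.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path ('...\\curl.exe' -> 'curl.exe')."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events):
    """Return findings per (host, user): MEDIUM for any finger.exe execution
    (near-zero false positives), HIGH for the full browser-spawned chain inside
    CHAIN_WINDOW, CRITICAL when a scheduled task follows inside TASK_WINDOW."""
    findings = []
    by_subject = defaultdict(list)
    for ev in sorted(events, key=ts):
        by_subject[(ev["host"], ev["user"])].append(ev)

    for (host, user), evs in by_subject.items():
        procs = [e for e in evs if e["type"] == "proc"]
        tasks = [e for e in evs if e["type"] == "task"]
        for e in procs:
            if basename(e["image"]) == "finger.exe":
                findings.append({"host": host, "user": user, "severity": "MEDIUM",
                                 "rule": "finger.exe executed", "ts": e["ts"]})
        # Only chain members spawned directly by a browser count toward the chain.
        lolbins = [e for e in procs
                   if basename(e["image"]) in CHAIN and basename(e["parent"]) in BROWSERS]
        for i, start in enumerate(lolbins):
            if basename(start["image"]) != CHAIN[0]:
                continue
            step, last = 1, start
            for nxt in lolbins[i + 1:]:
                if ts(nxt) - ts(start) > CHAIN_WINDOW:
                    break
                if basename(nxt["image"]) == CHAIN[step]:
                    step, last = step + 1, nxt
                    if step == len(CHAIN):
                        break
            if step < len(CHAIN):
                continue
            chain_end = ts(last)
            persisted = [t for t in tasks if chain_end <= ts(t) <= chain_end + TASK_WINDOW]
            findings.append({"host": host, "user": user,
                             "severity": "CRITICAL" if persisted else "HIGH",
                             "rule": "ClickFix LOLBin chain from browser parent",
                             "chain_start": start["ts"], "chain_end": last["ts"],
                             "task": persisted[0]["task_name"] if persisted else None})
    return findings


if __name__ == "__main__":
    for finding in correlate(EVENTS):
        print(finding)
```

<p> Where the lure is pasted into the Run dialog or a terminal, the direct parent of the LOLBins is explorer.exe, cmd.exe or powershell.exe rather than the browser; widening the parent set, or keying on the grandparent process, trades false positives for coverage.
</p>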
<ol start="2"> <li> <strong> SolarWinds Serv-U Exploitation (CVE-2026-28318) </strong> </li>
</ol>
<table> <thead> <tr> <th> <p> <strong> ATT&CK Technique </strong> </p> </th> <th> <p> <strong> Detection Approach </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> T1499.004 (Application DoS) </p> </td> <td> <p> Monitor Serv-U service availability; alert on unexpected restarts or resource exhaustion </p> </td> </tr> <tr> <td> <p> T1190 (Exploit Public-Facing Application) </p> </td> <td> <p> Inspect HTTP POST requests to Serv-U with <code>Content-Encoding: deflate</code> headers — high volume or malformed requests indicate exploitation attempts </p> </td> </tr> </tbody>
</table>
<p> <strong> Hunting Hypothesis: </strong> "If CVE-2026-28318 is being exploited against our Serv-U instances, we will see anomalous POST request patterns with deflate encoding, potentially followed by service degradation or unexpected outbound connections from the Serv-U host."
</p>
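<p> The Serv-U hunting hypothesis above as detection logic over web-tier logs: a per-source sliding window over POST requests carrying <code>Content-Encoding: deflate</code>, paired with any Serv-U service restart that follows the burst. This is an added example, not code from the report or from SolarWinds; the log lines are constructed in a hypothetical JSON-lines format from a reverse proxy or WAF in front of Serv-U (Serv-U's own log format is not assumed), and the thresholds are starting points to tune.
</p>

```python
"""Hunt for CVE-2026-28318 exploitation attempts against SolarWinds Serv-U.

Added example, not from the report. The log lines are constructed, in a
hypothetical JSON-lines format from a reverse proxy or WAF in front of Serv-U
(the "ce" field holds the request's Content-Encoding header); Serv-U's own log
format is not assumed. Lines are expected in time order.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(seconds=60)   # sliding window per source address
BURST_THRESHOLD = 5                    # deflate POSTs inside the window to alert
RESTART_WINDOW = timedelta(minutes=2)  # service restart this soon after a burst

SUSPECT = "203.0.113.7"   # constructed source address (documentation range)
ACCESS_LOG = [json.dumps({"ts": f"2026-06-05T14:00:{s:02d}", "src": SUSPECT, "method": "POST",
                          "path": "/", "ce": "deflate", "status": 500})
              for s in (1, 8, 15, 22, 29, 36)] + [
    # ordinary upload traffic: one plain POST and one isolated deflate POST
    json.dumps({"ts": "2026-06-05T14:05:00", "src": "198.51.100.4", "method": "POST",
                "path": "/api/upload", "ce": "", "status": 200}),
    json.dumps({"ts": "2026-06-05T14:06:00", "src": "198.51.100.4", "method": "POST",
                "path": "/api/upload", "ce": "Deflate", "status": 200}),
]
SERVICE_LOG = [  # constructed service events from the Serv-U host
    json.dumps({"ts": "2026-06-05T14:01:10", "event": "service_restart", "service": "Serv-U"}),
]


def is_deflate_post(rec):
    """Content-Encoding is case-insensitive and may list several codings."""
    if rec.get("method", "").upper() != "POST":
        return False
    codings = [c.strip().lower() for c in rec.get("ce", "").split(",")]
    return "deflate" in codings


def find_bursts(access_lines):
    """Per-source sliding window over deflate POSTs. Returns
    {src: {"count": n, "first": datetime, "last": datetime}} for every source
    that reaches BURST_THRESHOLD requests within BURST_WINDOW."""
    recent = defaultdict(deque)
    bursts = {}
    for line in access_lines:
        rec = json.loads(line)
        if not is_deflate_post(rec):
            continue
        now = datetime.fromisoformat(rec["ts"])
        window = recent[rec["src"]]
        window.append(now)
        while window and now - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) < BURST_THRESHOLD:
            continue
        if rec["src"] not in bursts:
            bursts[rec["src"]] = {"count": len(window), "first": window[0], "last": now}
        else:
            bursts[rec["src"]]["count"] += 1
            bursts[rec["src"]]["last"] = now
    return bursts


def correlate(access_lines, service_lines):
    """Pair each burst with any Serv-U restart inside RESTART_WINDOW after it."""
    restarts = []
    for line in service_lines:
        rec = json.loads(line)
        if rec.get("event") == "service_restart" and rec.get("service") == "Serv-U":
            restarts.append(datetime.fromisoformat(rec["ts"]))
    findings = []
    for src, b in find_bursts(access_lines).items():
        followed = any(b["last"] <= r <= b["last"] + RESTART_WINDOW for r in restarts)
        findings.append({"src": src, "deflate_posts": b["count"],
                         "first": b["first"].isoformat(), "last": b["last"].isoformat(),
                         "restart_followed": followed,
                         "severity": "CRITICAL" if followed else "HIGH"})
    return findings


if __name__ == "__main__":
    for finding in correlate(ACCESS_LOG, SERVICE_LOG):
        print(finding)
```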
<ol start="3"> <li> <strong> APT42 Credential Harvesting </strong> </li>
</ol>
<table> <thead> <tr> <th> <p> <strong> ATT&CK Technique </strong> </p> </th> <th> <p> <strong> Detection Approach </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> T1528 (Steal Application Access Token) </p> </td> <td> <p> Monitor Azure AD/Entra ID for suspicious OAuth application consent grants, especially from unfamiliar app IDs </p> </td> </tr> <tr> <td> <p> T1078.004 (Cloud Accounts) </p> </td> <td> <p> Alert on impossible travel, new device enrollments, or MFA bypass events in cloud identity logs </p> </td> </tr> <tr> <td> <p> T1114.002 (Email Collection — Remote) </p> </td> <td> <p> Monitor for new mail forwarding rules or delegate access grants in Exchange Online </p> </td> </tr> <tr> <td> <p> T1539 (Steal Web Session Cookie) </p> </td> <td> <p> Detect AiTM proxy indicators — certificate mismatches on authentication pages, unusual redirect chains </p> </td> </tr> </tbody>
</table>
<ol start="4"> <li> <strong> ICS/OT Monitoring </strong> </li>
</ol>
<table> <thead> <tr> <th> <p> <strong> ATT&CK Technique </strong> </p> </th> <th> <p> <strong> Detection Approach </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> T1133 (External Remote Services) </p> </td> <td> <p> Scan for internet-exposed ATG systems, RTU management interfaces, and SCADA HMI panels </p> </td> </tr> <tr> <td> <p> T1078.001 (Default Credentials) </p> </td> <td> <p> Audit all OT-adjacent systems for factory-default credentials </p> </td> </tr> <tr> <td> <p> T0855 (Unauthorized Command Message) </p> </td> <td> <p> If OT network monitoring exists, alert on unexpected Modbus/DNP3 commands to RTU500 units </p> </td> </tr> </tbody>
</table>
<h3> <strong> Investigation Triggers </strong>
</h3>
<p> Escalate to incident response if any of the following are observed:
</p>
<ul> <li> finger.exe execution on any endpoint (near-zero false positive rate in enterprise) </li> <li> Portable Python interpreter in user-writable directory with scheduled task persistence </li> <li> Serv-U service crash or restart correlated with high-volume POST requests </li> <li> New OAuth application consent in Azure AD not matching approved application list </li> <li> Outbound connections from OT network segments to internet destinations </li>
</ul>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Benefits Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> APT42 credential harvesting targeting financial sector cloud accounts; UNC6861 social engineering </li> <li> <strong> Priority action: </strong> Audit all OAuth application consents in Azure AD tenant serving treasury/revenue systems. Implement conditional access policies requiring compliant devices for financial application access. </li> <li> <strong> Detection focus: </strong> Monitor for anomalous access patterns to financial databases, especially after-hours token usage or access from new geographic locations (T1078.004) </li>
</ul>
<h3> <strong> Energy (State Utility Partnerships, Grid Interconnects) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> Hitachi Energy RTU500/MACH HiDraw/ITT600 vulnerabilities; Volt Typhoon pre-positioning (currently quiet but historically targets energy) </li> <li> <strong> Priority action: </strong> Request written attestation from utility partners on Hitachi Energy firmware patch status. Verify network segmentation between IT and OT environments at state-utility interconnection points. </li> <li> <strong> Detection focus: </strong> Monitor for reconnaissance against SCADA management interfaces (T1133); alert on any new remote access connections to OT segments </li>
</ul>
<h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> APT42 targeting healthcare for intelligence collection; SNOWLIGHT malware updated with healthcare targeting; ransomware seasonal risk </li> <li> <strong> Priority action: </strong> Verify endpoint protection coverage on all systems processing PHI. Ensure offline backup integrity for Medicaid claims processing systems. </li> <li> <strong> Detection focus: </strong> Monitor for lateral movement from compromised credentials (T1078.004 → T1021); alert on bulk data access to health records databases </li>
</ul>
<h3> <strong> Government (All Executive Branch Agencies) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> UNC6861 ClickFix campaign directly targeting U.S. government; UNC5475 (new China-nexus actor); APT42 credential theft </li> <li> <strong> Priority action: </strong> Issue immediate security awareness alert on ClickFix/fake CAPTCHA lures. Deploy LOLBin detection rules for finger.exe/curl/tar chains. Review all scheduled tasks created in the past 30 days for anomalies. </li> <li> <strong> Detection focus: </strong> Full LOLBin execution chain monitoring (T1218, T1105, T1059.006); Azure AD consent grant monitoring (T1528) </li>
</ul>
<h3> <strong> Aviation/Logistics (State DOT, Airport Authorities, Fleet Operations) </strong>
</h3>
<ul> <li> <strong> Primary threat: </strong> ATG system exposure at fleet fueling depots; ICS vulnerabilities in transportation SCADA; supply chain risk from MSP access </li> <li> <strong> Priority action: </strong> Conduct immediate scan for internet-exposed Automatic Tank Gauge systems at all state fleet fueling locations. Change default credentials on all fuel monitoring equipment. Verify MSP access controls and session logging. </li> <li> <strong> Detection focus: </strong> Monitor for unauthorized access to fleet management systems; alert on new remote access sessions from MSP IP ranges outside maintenance windows (T1133, T1078.001) </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Patch SolarWinds Serv-U </strong> to version 15.5.4 Hotfix 1 to remediate CVE-2026-28318 (CISA KEV, actively exploited). Verify Content-Encoding filtering per SolarWinds Trust Center advisory. </p> </td> </tr> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Deploy ClickFix detection rules </strong> — alert on finger.exe, curl.exe, or tar.exe execution from browser parent processes. Block NETSUPPORT RAT network signatures at perimeter. </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> CISO/CIO </p> </td> <td> <p> <strong> Authorize emergency patching window </strong> for Serv-U and confirm Chrome 149 (v149.0.7827.53+) deployment status across all managed endpoints (remediates CVE-2026-10881, CVSS 9.6 sandbox escape). </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Security Awareness </p> </td> <td> <p> <strong> Issue flash alert to all employees </strong> on ClickFix/fake CAPTCHA social engineering — "Never run commands from a website claiming to verify you are human." </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Verify Chrome auto-update deployment </strong> — audit any systems where Chrome version is below 149.0.7827.53. Investigate update failures exceeding 48 hours. </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> OT/Infrastructure </p> </td> <td> <p> <strong> Engage utility partners </strong> on Hitachi Energy RTU500 firmware status (ICSA-26-155-04). Request written patch attestation from SCADA vendors. </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Audit state fleet fueling infrastructure </strong> for internet-exposed ATG systems. Implement network segmentation per CISA ATG hardening guidance. Rotate all default credentials on tank monitoring systems. </p> </td> </tr> <tr> <td> <p> <strong> MODERATE </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Review Azure AD audit logs </strong> for suspicious OAuth application consent grants in the past 90 days. Revoke any unrecognized application permissions. </p> </td> </tr> <tr> <td> <p> <strong> MODERATE </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Assess exposure to CVE-2026-20230 </strong> (Cisco Unified Communications Manager SSRF-to-root) and <strong> CVE-2026-35616 </strong> (FortiClient EMS) — both likely candidates for near-term KEV addition. </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> MODERATE </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Develop APT42 detection content </strong> — implement monitoring for OAuth consent phishing, suspicious Azure AD app registrations, anomalous mail forwarding rules, and AiTM proxy indicators. </p> </td> </tr> <tr> <td> <p> <strong> MODERATE </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Request threat briefing on UNC5475 </strong> from MS-ISAC or CISA regional coordinator. Assess whether state systems match this new China-nexus actor's targeting profile. </p> </td> </tr> <tr> <td> <p> <strong> MODERATE </strong> </p> </td> <td> <p> CISO/IR </p> </td> <td> <p> <strong> Conduct tabletop exercise </strong> simulating a ClickFix-to-RAT compromise scenario — test detection, containment, and credential reset procedures. </p> </td> </tr> <tr> <td> <p> <strong> STANDARD </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Establish quarterly OT threat briefing cadence </strong> with critical infrastructure partners (water, power, transportation) to address the visibility gap in state-adjacent ICS/SCADA environments. </p> </td> </tr> <tr> <td> <p> <strong> STANDARD </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Evaluate supplementary threat intelligence feeds </strong> (MS-ISAC alerts RSS, Recorded Future, Flashpoint) to address persistent OSINT collection gaps affecting ransomware and legislative monitoring. </p> </td> </tr> </tbody>
</table>
<h3> <strong> Executive/IR Preparedness </strong>
</h3>
<ul> <li> <strong> Incident response readiness: </strong> Ensure IR playbooks include scenarios for file transfer infrastructure compromise (Serv-U), RAT deployment via social engineering (NETSUPPORT), and cloud identity compromise (OAuth token theft). Verify that legal counsel and communications teams are briefed on notification requirements for PII-holding systems. </li> <li> <strong> Decision authority: </strong> Pre-authorize emergency patching for any future CISA KEV additions affecting state infrastructure — the 24-hour response window leaves no room for approval delays. </li> <li> <strong> Partner coordination: </strong> Establish or verify communication channels with utility SCADA operators for coordinated vulnerability response. The five ICS advisories this week demonstrate that state government's risk extends beyond its own network boundary. </li>
</ul>
<h2> <strong> IOC Blocking Guidance </strong>
</h2>
<p> The following section provides indicators associated with threats discussed in this report for deployment to perimeter controls, EDR block lists, and SIEM correlation rules.
</p>
<p> <strong> <em> Note: </em> </strong> <em> Confirmed, sourced IOCs for the UNC6861, APT42, and UNC5475 campaigns discussed in this report are available through </em> <strong> <em> Anomali ThreatStream </em> </strong> <em> Next-Gen and associated partner indicator packages. State agencies with MS-ISAC membership should review the current indicator packages for UNC6861 and APT42 campaigns directly through the MS-ISAC portal. No IOCs are published inline at this time to avoid disseminating unverified indicators. Contact your Anomali account team for curated, validated indicator packages tied to the specific threat actors and CVEs covered in this report. </em>
</p>
<h2> <strong> Bottom Line </strong>
</h2>
<p> The threat environment facing state government IT remains at <strong> ELEVATED </strong> — not because of a single catastrophic event, but because of the simultaneous pressure across multiple attack surfaces: actively exploited file transfer vulnerabilities, social engineering campaigns purpose-built for government targets, expanding Chinese cyber operations against sub-national entities, and a wave of ICS vulnerabilities in utility partner infrastructure.
</p>
<p> The decisions made this week — whether to authorize emergency Serv-U patching, whether to deploy ClickFix detection rules, whether to engage utility partners on RTU500 firmware — will determine whether your agency is positioned ahead of exploitation or responding to an incident.
</p>
<p> The adversaries targeting state government are not waiting. Neither should we.
</p>
<h2> <strong> Closing </strong>
</h2>
<p> <em> Published: June 8, 2026 | Anomali CTI Desk </em>
</p>
<p> <em> For questions or additional indicator packages, contact your Anomali account team or the MS-ISAC SOC. </em>
</p>