Anomali Cyber Watch
Public Sector

China’s Pre-Summit Cyber Offensive Accelerates as RMM Supply Chain Attacks Surge: What State Government CISOs Must Do Now

Published on
April 30, 2026
<p> <strong> Threat Assessment Level: HIGH </strong> </p> <p> <em> Maintained from prior cycle. The convergence of China-nexus prepositioning activity ahead of the 14&ndash;15 May Trump-Xi summit, expanding RMM supply chain weaponization, and two critical vulnerabilities with public exploit code sustains the HIGH threat posture for state government networks. </em> </p> <h2> <strong> Introduction </strong> </h2> <p> State government IT leaders face a threat environment that is intensifying on multiple fronts simultaneously. A newly disclosed Chinese espionage group &mdash; Shadow-Earth-053 &mdash; has compromised government and defense networks across eight countries using the same prepositioning playbook as Volt Typhoon. Three legitimate remote management tools are now being weaponized against the MSP-dependent IT model that most state agencies rely on. And two critical vulnerabilities &mdash; one in the Linux kernel, one in SCADA/HMI software &mdash; have public exploit code available today. </p> <p> This is not a theoretical risk window. The 14&ndash;15 May Trump-Xi summit creates a geopolitical trigger point that historically correlates with intensified Chinese cyber operations. State agencies have approximately two weeks to harden their posture before the highest-probability attack window opens. </p> <h2> <strong> What Changed </strong> </h2> <p> The past 72 hours brought six developments that materially alter the state government threat landscape: </p> <ol> <li> <strong> Shadow-Earth-053 disclosed </strong> &mdash; A new China-nexus group has infiltrated 12+ government and defense networks across Poland, Pakistan, Thailand, Malaysia, India, Myanmar, Sri Lanka, and Taiwan since December 2024. TrendAI researchers explicitly compare it to Volt Typhoon and Salt Typhoon, warning of destructive prepositioning capability. 
</li> <li> <strong> RMM tool abuse tripled </strong> &mdash; ImmyBot and Action1 join ConnectWise ScreenConnect as phishing-delivered remote access tools. State agencies that whitelist RMM vendor domains for MSP operations are directly exposed. </li> <li> <strong> CVE-2026-31431 &ldquo;Copy Fail&rdquo; </strong> &mdash; A Linux kernel privilege escalation vulnerability (CVSS 7.8) affecting all distributions since 2017 now has a 732-byte public exploit. Any unprivileged user can obtain root. </li> <li> <strong> CVE-2025-69985 FUXA SCADA RCE </strong> &mdash; A CVSS 9.8 authentication bypass in the FUXA web-based SCADA/HMI platform enables unauthenticated remote code execution. Full exploit published on Exploit-DB. </li> <li> <strong> GopherWhisper full toolset revealed </strong> &mdash; ESET published complete technical details on this China-aligned APT that uses Microsoft 365 Outlook, Slack, and Discord APIs for command-and-control against government targets. Directly relevant to any state M365 tenant. </li> <li> <strong> Qilin ransomware BYOVD EDR killer validated </strong> &mdash; Cisco Talos and Europol confirmed a Qilin ransomware module capable of disabling 300+ security products before encryption begins, including major EDR platforms relied upon by state agencies. This capability materially degrades defender advantage and coincides with active Medusa ransomware deployment through compromised MSP infrastructure. </li> </ol> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> Date </p> </th> <th> <p> Event </p> </th> <th> <p> Relevance to State Gov </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 23 Apr 2026 </p> </td> <td> <p> CISA confirms Volt Typhoon and Flax Typhoon remain pre-positioned in U.S. 
critical infrastructure </p> </td> <td> <p> Direct threat to state-managed utilities and 911 systems </p> </td> </tr> <tr> <td> <p> 24 Apr 2026 </p> </td> <td> <p> CVE-2025-69985 FUXA SCADA RCE published (CVSS 9.8) </p> </td> <td> <p> State water/wastewater SCADA at risk </p> </td> </tr> <tr> <td> <p> 27&ndash;28 Apr 2026 </p> </td> <td> <p> CVE-2026-32202 Windows NTLM zero-click exploitation confirmed (APT28/Fancy Bear) </p> </td> <td> <p> State Windows domain environments targeted </p> </td> </tr> <tr> <td> <p> 28 Apr 2026 </p> </td> <td> <p> CVE-2024-1708 ConnectWise ScreenConnect added to CISA KEV; Storm-1175 deploying Medusa ransomware via MSPs </p> </td> <td> <p> State MSP supply chain directly threatened </p> </td> </tr> <tr> <td> <p> 28 Apr 2026 </p> </td> <td> <p> Qilin ransomware BYOVD EDR killer validated by Cisco Talos and Europol &mdash; disables 300+ security products </p> </td> <td> <p> State endpoint protection at risk </p> </td> </tr> <tr> <td> <p> 29 Apr 2026 </p> </td> <td> <p> CISA publishes OT Zero Trust guidance </p> </td> <td> <p> Defensive framework for state utilities </p> </td> </tr> <tr> <td> <p> 30 Apr 2026 </p> </td> <td> <p> Shadow-Earth-053 China-nexus group disclosed &mdash; 12+ government networks compromised </p> </td> <td> <p> Pattern matches Volt Typhoon prepositioning </p> </td> </tr> <tr> <td> <p> 30 Apr 2026 </p> </td> <td> <p> ImmyBot and Action1 RMM phishing campaigns documented </p> </td> <td> <p> State MSP tool whitelist exploitable </p> </td> </tr> <tr> <td> <p> 30 Apr 2026 </p> </td> <td> <p> CVE-2026-31431 &ldquo;Copy Fail&rdquo; Linux kernel privesc &mdash; public PoC </p> </td> <td> <p> All state Linux infrastructure affected </p> </td> </tr> <tr> <td> <p> 30 Apr 2026 </p> </td> <td> <p> GopherWhisper full toolset published &mdash; M365 API abuse for C2 </p> </td> <td> <p> State M365 tenant is a viable C2 channel </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. 
China-Nexus Prepositioning: Five Groups, One Strategy </strong> </h3> <p> The U.S. state government sector now faces <strong> five tracked China-aligned threat groups </strong> with government-targeting prepositioning behavior: </p> <table> <thead> <tr> <th> <p> Group </p> </th> <th> <p> Tooling </p> </th> <th> <p> Primary Targets </p> </th> <th> <p> Status </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> Volt Typhoon </strong> </p> </td> <td> <p> Living-off-the-land </p> </td> <td> <p> U.S. critical infrastructure </p> </td> <td> <p> Active, pre-positioned (CISA confirmed) </p> </td> </tr> <tr> <td> <p> <strong> Flax Typhoon </strong> (Integrity Technology Group) </p> </td> <td> <p> Compromised IoT device networks </p> </td> <td> <p> U.S. infrastructure </p> </td> <td> <p> Active, pre-positioned (CISA confirmed) </p> </td> </tr> <tr> <td> <p> <strong> Salt Typhoon </strong> </p> </td> <td> <p> Telecom-focused implants </p> </td> <td> <p> U.S. telecommunications </p> </td> <td> <p> Active </p> </td> </tr> <tr> <td> <p> <strong> Shadow-Earth-053 </strong> </p> </td> <td> <p> ShadowPad, NoodleRat, Godzilla web shells </p> </td> <td> <p> Government, defense (8 countries) </p> </td> <td> <p> Newly disclosed </p> </td> </tr> <tr> <td> <p> <strong> GopherWhisper </strong> </p> </td> <td> <p> LaxGopher, RatGopher, SSLORDoor, BoxOfFriends </p> </td> <td> <p> Mongolian government (M365 API C2) </p> </td> <td> <p> Full toolset now public </p> </td> </tr> </tbody> </table> <p> Shadow-Earth-053 exploits <strong> ProxyLogon </strong> (CVE-2021-26855/26857/26858/27065) and a newer vulnerability called <strong> React2Shell </strong> (CVE-2025-55182, CVSS 10.0) for initial access. The group deploys <strong> ShadowPad </strong> &mdash; a backdoor shared across the Chinese APT ecosystem since 2019 &mdash; and <strong> NoodleRat </strong> on Linux targets. 
They use <strong> Godzilla </strong> web shells for persistence and abuse <strong> AnyDesk </strong> for lateral delivery. </p> <p> <strong> The strategic concern: </strong> TrendAI researchers explicitly state that Shadow-Earth-053&rsquo;s behavior mirrors Volt Typhoon&rsquo;s prepositioning doctrine &mdash; compromising networks and maintaining persistent access for potential future destructive operations. The timing ahead of the 14&ndash;15 May Trump-Xi summit is not coincidental; Chinese cyber operations historically intensify around major diplomatic events. </p> <p> <strong> GopherWhisper&rsquo;s M365 abuse </strong> is particularly relevant to state government. The group uses Microsoft Graph API to send C2 commands through Outlook mailboxes, Slack channels, and Discord servers. ESET recovered over 9,000 C2 messages from a single campaign against a Mongolian government institution. Any state agency running M365 should assume this C2 technique could be used against their tenant. </p> <h3> <strong> 2. Critical Vulnerabilities Demanding Immediate Action </strong> </h3> <p> <strong> CVE-2026-31431 &mdash; &ldquo;Copy Fail&rdquo; Linux Kernel Privilege Escalation (CVSS 7.8) </strong> </p> <p> A logic bug in the Linux kernel&rsquo;s authencesn AEAD template allows any unprivileged local user to modify in-memory copies of setuid-root binaries and obtain a root shell. The vulnerability has existed in all Linux distributions since 2017. The proof-of-concept is a 732-byte Python script &mdash; trivial to execute, requiring no specialized tooling. </p> <p> <em> High-risk state assets: </em> Multi-tenant servers, container infrastructure (Kubernetes, Docker), CI/CD runners, shared hosting environments, and any Linux system where non-root users have shell access. </p> <p> <strong> CVE-2025-69985 &mdash; FUXA SCADA/HMI Authentication Bypass + RCE (CVSS 9.8) </strong> </p> <p> FUXA is a web-based SCADA/HMI platform used for industrial process visualization. 
Versions &le; 1.2.8 contain an authentication bypass that allows unauthenticated attackers to execute arbitrary Node.js code on the server by spoofing the HTTP Referer header to the /api/runscript endpoint. </p> <p> <em> High-risk state assets: </em> Water treatment facilities, wastewater systems, small utility operations, and any OT environment using FUXA for process monitoring. The full exploit is published on Exploit-DB. </p> <h3> <strong> 3. Ransomware Landscape: Qilin&rsquo;s EDR Killer Changes the Game </strong> </h3> <p> While no new state/local government ransomware incident was reported in this cycle, the <strong> Qilin ransomware group&rsquo;s BYOVD-based EDR killer </strong> &mdash; validated by both Cisco Talos and Europol &mdash; represents a qualitative escalation. This module can disable over 300 security products before encryption begins, including major EDR platforms that state agencies rely on. </p> <p> Active ransomware groups with confirmed government targeting updated in the past 72 hours include <strong> Qilin </strong> , <strong> Everest </strong> , and <strong> WorldLeaks </strong> (a newer group). The <strong> Medusa </strong> ransomware continues to be deployed through compromised MSP infrastructure via Storm-1175. 
</p> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> Scenario </p> </th> <th> <p> Probability </p> </th> <th> <p> Timeframe </p> </th> <th> <p> Basis </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional China-nexus scanning/exploitation of state Exchange servers and network appliances </p> </td> <td> <p> <strong> &gt;70% </strong> </p> </td> <td> <p> 7&ndash;14 days </p> </td> <td> <p> Pre-summit pattern; Shadow-Earth-053 actively exploiting ProxyLogon; Volt Typhoon confirmed active </p> </td> </tr> <tr> <td> <p> Opportunistic exploitation of FUXA SCADA instances (CVE-2025-69985) </p> </td> <td> <p> <strong> 40&ndash;60% </strong> </p> </td> <td> <p> 7 days </p> </td> <td> <p> Public PoC on Exploit-DB; Shodan-discoverable targets; CVSS 9.8 </p> </td> </tr> <tr> <td> <p> Additional RMM platforms weaponized via phishing (Atera, NinjaRMM, Syncro) </p> </td> <td> <p> <strong> 40&ndash;60% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Clear trend line &mdash; three tools in rapid succession; technique is trivially adaptable </p> </td> </tr> <tr> <td> <p> CVE-2026-31431 &ldquo;Copy Fail&rdquo; weaponized for container escape in cloud environments </p> </td> <td> <p> <strong> 25&ndash;40% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Simple PoC; high-value multi-tenant targets; container escape is a premium capability </p> </td> </tr> <tr> <td> <p> Ransomware incident at a U.S. 
state or local government agency </p> </td> <td> <p> <strong> 50&ndash;70% </strong> </p> </td> <td> <p> 14 days </p> </td> <td> <p> Qilin/Everest/Medusa actively targeting gov; EDR killer capability reduces defender advantage </p> </td> </tr> <tr> <td> <p> China-nexus destructive operation triggered by summit diplomatic failure </p> </td> <td> <p> <strong> 10&ndash;20% </strong> </p> </td> <td> <p> 15&ndash;30 days </p> </td> <td> <p> Prepositioning confirmed; destructive capability assessed; low probability absent major escalation </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Detection Priorities </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> What to Monitor </p> </th> <th> <p> ATT&amp;CK Technique </p> </th> <th> <p> Detection Approach </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> Unauthorized RMM agent installations </p> </td> <td> <p> T1219 (Remote Access Software) </p> </td> <td> <p> Alert on MSI/EXE installations matching RMM agent patterns (ImmyBot, Action1, ConnectWise) outside approved change windows. Monitor for new services with RMM vendor names. </p> </td> </tr> <tr> <td> <p> <strong> CRITICAL </strong> </p> </td> <td> <p> ProxyLogon exploitation indicators </p> </td> <td> <p> T1190 (Exploit Public-Facing Application) </p> </td> <td> <p> Monitor Exchange Server IIS logs for /owa/auth/ anomalies, unexpected .aspx files in inetpub, and Godzilla web shell signatures. </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> M365 OAuth application consent anomalies </p> </td> <td> <p> T1550.001 (Application Access Token) </p> </td> <td> <p> Alert on new OAuth app consents with Mail.Read, Mail.Send, or Files.ReadWrite.All permissions. Monitor Microsoft Graph API call volumes per application. 
</p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> Linux privilege escalation attempts </p> </td> <td> <p> T1068 (Exploitation for Privilege Escalation) </p> </td> <td> <p> Monitor for unexpected setuid binary modifications, authencesn kernel module loading, and privilege transitions from unprivileged to root. </p> </td> </tr> <tr> <td> <p> <strong> HIGH </strong> </p> </td> <td> <p> VBS script execution from user downloads </p> </td> <td> <p> T1059.005 (Visual Basic) </p> </td> <td> <p> Alert on cscript.exe or wscript.exe executing .vbs files from Downloads, Temp, or browser cache directories. </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> DLL sideloading via Microsoft binaries </p> </td> <td> <p> T1574.002 (DLL Side-Loading) </p> </td> <td> <p> Monitor for OFFCLN.EXE loading unexpected DLLs (OCLEAN.DLL, DWINTL.DLL). Flag any Microsoft-signed binary loading DLLs from non-standard paths. </p> </td> </tr> <tr> <td> <p> <strong> MEDIUM </strong> </p> </td> <td> <p> Outbound connections to cloud collaboration APIs from servers </p> </td> <td> <p> T1071.003 (Mail Protocols), T1567.002 (Exfiltration to Cloud Storage) </p> </td> <td> <p> Servers should not be making API calls to Slack, Discord, or Microsoft Graph unless explicitly authorized. Alert on unexpected outbound to api.slack.com, discord.com/api, graph.microsoft.com from server segments. </p> </td> </tr> </tbody> </table> <h3> <strong> Hunting Hypotheses </strong> </h3> <ol> <li> <strong> Hypothesis: </strong> A China-nexus actor has deployed a web shell on an Exchange server via ProxyLogon. </li> </ol> <ul> <li> <strong> Hunt: </strong> Search for .aspx files created after the last patching cycle in Exchange virtual directories. Check for Godzilla web shell signatures (Base64-encoded command execution patterns). Review Exchange HTTP logs for anomalous POST requests to non-standard paths. 
</li> </ul> <ol> <li> <strong> Hypothesis: </strong> GopherWhisper-style M365 API abuse is occurring in the state tenant. </li> </ol> <ul> <li> <strong> Hunt: </strong> Query Azure AD sign-in logs for OAuth applications with Mail.ReadWrite or Mail.Send permissions that were consented in the last 90 days. Check for high-volume Microsoft Graph API calls from unfamiliar application IDs. Look for mailbox rules forwarding to external addresses. </li> </ul> <ol> <li> <strong> Hypothesis: </strong> CVE-2026-31431 has been exploited on a multi-tenant Linux host. </li> </ol> <ul> <li> <strong> Hunt: </strong> Review auditd logs for unexpected execve calls transitioning from low-privilege UIDs to UID 0. Check for recently modified setuid binaries. Monitor for authencesn references in kernel logs. </li> </ul> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (State Treasury, Revenue, Benefits Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Ransomware (Qilin, Medusa) targeting financial processing systems; DPRK-nexus actors (LABYRINTH CHOLLIMA) conducting financially motivated operations </li> <li> <strong> Priority action: </strong> Ensure offline backups of benefits payment databases and tax processing systems are current and tested. Deploy behavioral detection for BYOVD attacks (Qilin&rsquo;s EDR killer targets financial sector security tools). Monitor for XcTRAT indicators on systems processing financial data. 
</li> <li> <strong> ATT&amp;CK focus: </strong> T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1219 (Remote Access Software) </li> </ul> <h3> <strong> Energy (State-Managed Utilities, Grid Coordination) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> CVE-2025-69985 FUXA SCADA RCE; Volt Typhoon prepositioning in energy infrastructure; Shadow-Earth-053 targeting critical infrastructure </li> <li> <strong> Priority action: </strong> Immediately inventory all FUXA deployments. Isolate any instance running version &le; 1.2.8 from network access. Verify OT network segmentation prevents IT-to-OT lateral movement. Implement CISA&rsquo;s new OT Zero Trust guidance (published 29 April 2026) as a framework for architecture review. </li> <li> <strong> ATT&amp;CK focus: </strong> T1190 (Exploit Public-Facing Application), T1210 (Exploitation of Remote Services), T0855 (Unauthorized Command Message &mdash; ICS) </li> </ul> <h3> <strong> Healthcare (Medicaid Systems, State Health Agencies) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Ransomware disrupting benefits processing and patient data systems; RMM tool abuse via healthcare MSPs; Linux privilege escalation on clinical data servers </li> <li> <strong> Priority action: </strong> Verify all MSP-managed healthcare systems use only authorized RMM tools. Patch Linux servers hosting Medicaid/benefits databases against CVE-2026-31431 as highest priority (PHI exposure risk from privilege escalation). Review healthcare MSP contracts for RMM tool specifications. 
</li> <li> <strong> ATT&amp;CK focus: </strong> T1219 (Remote Access Software), T1068 (Exploitation for Privilege Escalation), T1567 (Exfiltration Over Web Service) </li> </ul> <h3> <strong> Government (Executive Branch Agencies, Law Enforcement, Elections) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> China-nexus espionage (Shadow-Earth-053, Volt Typhoon, GopherWhisper) targeting government networks for intelligence collection and prepositioning; APT28 NTLM credential theft; OAuth/phishing credential compromise </li> <li> <strong> Priority action: </strong> Verify all Exchange Servers are patched against the full ProxyLogon chain (CVE-2021-26855/26857/26858/27065) &mdash; Shadow-Earth-053 is actively exploiting these in 2026. Audit M365 OAuth application consents across all agency tenants. Implement FIDO2/phishing-resistant MFA for all privileged accounts. Brief election infrastructure teams on the heightened China-nexus threat window through mid-May. </li> <li> <strong> ATT&amp;CK focus: </strong> T1190 (Exploit Public-Facing Application), T1505.003 (Web Shell), T1550.001 (Application Access Token), T1003 (OS Credential Dumping) </li> </ul> <h3> <strong> Aviation / Logistics (State DOT, Airport Authorities, Port Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Shadow-Earth-053 explicitly targets transportation sector; Volt Typhoon pre-positioned in transportation infrastructure per CISA; supply chain compromise via logistics MSPs </li> <li> <strong> Priority action: </strong> Review network segmentation between IT and operational technology in transportation management systems. Audit all remote access tools used by transportation MSPs and maintenance contractors. Monitor for ShadowPad and NoodleRat indicators on systems managing traffic control, port operations, or aviation coordination. 
</li> <li> <strong> ATT&amp;CK focus: </strong> T1219 (Remote Access Software), T1071.001 (Web Protocols &mdash; ShadowPad C2), T1036 (Masquerading) </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> Action </p> </th> <th> <p> Responsible Team </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Initiate emergency patching of all Linux servers against CVE-2026-31431 &mdash; prioritize multi-tenant hosts, container infrastructure, and CI/CD runners </p> </td> <td> <p> IT Operations </p> </td> </tr> <tr> <td> <p> Verify Exchange Server patch status for ProxyLogon chain (CVE-2021-26855/26857/26858/27065) across all agencies </p> </td> <td> <p> IT Operations </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> Action </p> </th> <th> <p> Responsible Team </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Inventory all FUXA SCADA/HMI deployments across state agencies and utility partners; isolate any instance running version &le; 1.2.8 and upgrade </p> </td> <td> <p> OT Security / Utility Coordination </p> </td> </tr> <tr> <td> <p> Compile definitive inventory of authorized RMM platforms and their expected C2 domains; create SOC detection rules for any RMM agent not on the approved list </p> </td> <td> <p> IT Operations / SOC </p> </td> </tr> <tr> <td> <p> Add FABLETIGER/ShadowAgent and LABYRINTH CHOLLIMA/XcTRAT hashes to EDR watchlist (SHA-256, SHA-1, MD5 indicators listed above) </p> </td> <td> <p> SOC / Endpoint Ops </p> </td> </tr> <tr> <td> <p> Review M365 tenant OAuth application consent policies &mdash; require admin consent for all third-party apps; audit existing consented apps for Mail.Read, Mail.Send, Files.ReadWrite permissions </p> </td> <td> <p> Identity &amp; Access Management </p> </td> </tr> <tr> <td> <p> Brief all agency CISOs on the China-nexus pre-summit threat window (through 15 May) with specific 
indicators and hunting guidance </p> </td> <td> <p> CISO Office </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> Action </p> </th> <th> <p> Responsible Team </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Establish standing intelligence watch for China-nexus prepositioning through mid-May summit period; increase monitoring cadence for Exchange, VPN, and network appliance exploitation </p> </td> <td> <p> CISO Office / SOC </p> </td> </tr> <tr> <td> <p> Commission strategic assessment of AI agent identity risks for state IAM &mdash; evaluate whether current policies distinguish human vs.&nbsp;machine identities in Azure AD/Entra ID </p> </td> <td> <p> CISO Office / IAM </p> </td> </tr> <tr> <td> <p> Implement CISA OT Zero Trust guidance as framework for state utility OT architecture review </p> </td> <td> <p> OT Security / CISO Office </p> </td> </tr> <tr> <td> <p> Review and update incident response playbooks for ransomware scenarios involving EDR bypass (Qilin BYOVD technique) &mdash; ensure out-of-band detection and response capabilities exist </p> </td> <td> <p> IR Team / CISO Office </p> </td> </tr> <tr> <td> <p> Evaluate container security posture &mdash; ensure pod security policies prevent privilege escalation and that kernel patching processes cover container host OS </p> </td> <td> <p> Cloud / DevOps </p> </td> </tr> </tbody> </table> <h3> <strong> Executive / IR Preparedness </strong> </h3> <ul> <li> <strong> Brief the Governor&rsquo;s office </strong> on the elevated China-nexus threat posture and the May summit timeline. Frame as: &ldquo;Foreign intelligence services are pre-positioning in government networks ahead of a diplomatic event. We are taking specific hardening actions.&rdquo; </li> <li> <strong> Test ransomware response procedures </strong> &mdash; specifically the scenario where EDR is disabled by a BYOVD attack. Ensure backup restoration procedures work without endpoint security tooling. 
</li> <li> <strong> Review cyber insurance coverage </strong> for state agencies &mdash; confirm that MSP supply chain compromise and nation-state attacks are covered scenarios. </li> <li> <strong> Establish communication channel </strong> with CISA Region [X] for real-time threat sharing during the May summit window. </li> </ul> <h2> <strong> Bottom Line </strong> </h2> <p> The next two weeks represent a defined threat window for state government networks. The convergence of Chinese prepositioning operations, expanding supply chain attack surfaces, and critical vulnerabilities with public exploits creates a situation where inaction carries measurable risk. </p> <p> The intelligence is clear. The indicators are specific. The timeline is compressed. </p> <p> State IT leaders who act on the immediate recommendations in this bulletin &mdash; blocking unauthorized RMM domains, patching Linux kernels, verifying Exchange Server status, and briefing their teams on the China-nexus threat &mdash; will materially reduce their exposure during the highest-risk period. </p> <p> Those who wait will be responding to incidents instead of preventing them. </p>
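<p> The three host- and network-side rules from the Detection Priorities table (unapproved RMM agent installs, script hosts running .vbs from user-writable directories, and server segments reaching Slack/Discord/Graph APIs) as executable triage logic. This is an added example, not Anomali's code: the event schema, the approved-RMM list, the server address ranges and every sample event below are constructed for illustration. </p>

```python
"""Triage rules for the Detection Priorities table (constructed sample events).

Added example, not Anomali's code. The event dict schema, the approved RMM
list, the server segment prefixes and the sample events are assumptions.
"""
import re

# RMM platform the (hypothetical) agency has contractually approved for MSP use.
APPROVED_RMM = {"connectwise"}

# Installer / service name patterns for the RMM tools named in the bulletin.
RMM_PATTERNS = {
    "immybot": re.compile(r"immy\s*bot|immyagent", re.I),
    "action1": re.compile(r"action1", re.I),
    "connectwise": re.compile(r"screenconnect|connectwise", re.I),
}

SCRIPT_HOSTS = re.compile(r"(?:^|\\)(cscript|wscript)\.exe$", re.I)
USER_WRITABLE_DIRS = re.compile(r"\\(downloads|temp|tmp|inetcache|appdata\\local\\temp)\\", re.I)

# Collaboration API hosts servers should not be calling (T1071.003 / T1567.002).
COLLAB_API_HOSTS = ("api.slack.com", "discord.com", "graph.microsoft.com")


def rmm_install_alerts(events, approved=APPROVED_RMM):
    """T1219: RMM installer/service activity that is unapproved or outside a change window."""
    alerts = []
    for e in events:
        if e.get("type") not in ("process", "service"):
            continue
        text = " ".join([e.get("image", ""), e.get("cmdline", ""), e.get("service_name", "")])
        for vendor, pat in RMM_PATTERNS.items():
            if not pat.search(text):
                continue
            if vendor not in approved:
                alerts.append((e["host"], vendor, "unapproved RMM agent"))
            elif not e.get("in_change_window", False):
                alerts.append((e["host"], vendor, "approved RMM agent outside change window"))
    return alerts


def vbs_from_user_dirs_alerts(events):
    """T1059.005: cscript/wscript executing a .vbs from Downloads, Temp or browser cache."""
    alerts = []
    for e in events:
        if e.get("type") != "process" or not SCRIPT_HOSTS.search(e.get("image", "")):
            continue
        m = re.search(r'"?([^"\s]+\.vbs)"?', e.get("cmdline", ""), re.I)
        if m and USER_WRITABLE_DIRS.search(m.group(1)):
            alerts.append((e["host"], m.group(1), "VBS from user-writable dir"))
    return alerts


def server_collab_api_alerts(events, server_segments=("10.20.",)):
    """Servers calling Slack/Discord/Graph APIs without an explicit authorisation flag."""
    alerts = []
    for e in events:
        if e.get("type") != "proxy" or not e["src_ip"].startswith(server_segments):
            continue
        host = e.get("dest_host", "").lower()
        hit = any(host == h or host.endswith("." + h) for h in COLLAB_API_HOSTS)
        if hit and not e.get("authorized", False):
            alerts.append((e["src_ip"], host, "server egress to collaboration API"))
    return alerts


def triage(events):
    """Run all three rules; returns {rule_name: [alert tuples]}."""
    return {
        "rmm": rmm_install_alerts(events),
        "vbs": vbs_from_user_dirs_alerts(events),
        "egress": server_collab_api_alerts(events),
    }


# Constructed telemetry, not real events. 10.20.0.0/16 is the assumed server segment.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-0412", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\jdoe\Downloads\ImmyBot.Agent.msi /qn", "in_change_window": False},
    {"type": "service", "host": "ws-0412", "service_name": "Action1 Agent", "in_change_window": False},
    {"type": "process", "host": "srv-fs01", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i ScreenConnect.ClientSetup.msi", "in_change_window": True},
    {"type": "process", "host": "ws-0412", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\jdoe\Downloads\invoice.vbs"'},
    {"type": "process", "host": "ws-0099", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},
    {"type": "proxy", "src_ip": "10.20.5.17", "dest_host": "graph.microsoft.com", "authorized": False},
    {"type": "proxy", "src_ip": "10.20.5.18", "dest_host": "api.slack.com", "authorized": True},
    {"type": "proxy", "src_ip": "10.30.1.5", "dest_host": "discord.com", "authorized": False},
]

if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        for hit in hits:
            print(rule, *hit)
```

<p> The approved-vendor set and the change-window flag are what make the first rule useful in an MSP-dependent environment: an agency that whitelists its RMM vendor's domains still gets an alert when the agent appears on a host outside a scheduled rollout, which is the phishing-delivery case the bulletin describes. </p>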
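<p> Hunting hypotheses 2 and 3 (GopherWhisper-style OAuth consent abuse in the M365 tenant, and a low-privilege-to-root execve transition on a Linux host) as runnable hunt logic over constructed records. This is an added example, not Anomali's or Microsoft's code: the consent-record fields are a simplified stand-in for Entra ID audit events, the auditd lines are constructed, and the legitimate-setuid allowlist and 90-day lookback are assumptions. </p>

```python
"""Hunt logic for hypotheses 2 and 3 (constructed records).

Added example, not Anomali's code. The consent-record schema is a simplified
stand-in for Entra ID "Consent to application" audit events; the auditd lines,
the setuid allowlist and the lookback window are assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Bulletin date, used as "now" so the example is deterministic.
NOW = datetime(2026, 4, 30, tzinfo=timezone.utc)

# Graph permissions the bulletin singles out (Mail.Read, Mail.ReadWrite, Mail.Send, Files.ReadWrite*).
RISKY_PERMISSION_PREFIXES = ("Mail.Read", "Mail.Send", "Files.ReadWrite")


def risky_consents(records, now=NOW, lookback_days=90):
    """Consents granted in the lookback window that include mailbox/file permissions."""
    cutoff = now - timedelta(days=lookback_days)
    flagged = []
    for r in records:
        if r.get("activity") != "Consent to application":
            continue
        when = datetime.fromisoformat(r["time"].replace("Z", "+00:00"))
        if when < cutoff:
            continue
        risky = [p for p in r["permissions"] if p.startswith(RISKY_PERMISSION_PREFIXES)]
        if risky:
            flagged.append({"app": r["app"], "app_id": r["app_id"], "by": r["initiated_by"],
                            "admin_consent": r["admin_consent"], "risky": risky})
    return flagged


# auditd fields are key=value; quoted values may contain spaces.
AUDIT_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Binaries expected to run with euid=0 from a user session (assumed allowlist).
LEGIT_SETUID = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd", "/usr/bin/newgrp"}
UNSET_AUID = 4294967295  # auditd's "no login uid" value


def parse_audit(line):
    return {k: v.strip('"') for k, v in AUDIT_KV.findall(line)}


def suspicious_root_transitions(lines):
    """execve (x86_64 syscall 59) by a logged-in non-root user that ends up euid=0 via an unexpected binary."""
    hits = []
    for line in lines:
        f = parse_audit(line)
        if f.get("type") != "SYSCALL" or f.get("syscall") != "59":
            continue
        auid, euid = int(f.get("auid", 0)), int(f.get("euid", 0))
        if auid in (0, UNSET_AUID) or euid != 0 or f.get("exe") in LEGIT_SETUID:
            continue
        hits.append((f.get("pid"), auid, f.get("exe")))
    return hits


# Constructed consent records (placeholder app ids, not real tenants or apps).
CONSENT_RECORDS = [
    {"activity": "Consent to application", "app": "Mail Sync Helper", "app_id": "00000000-0000-0000-0000-000000000001",
     "initiated_by": "jdoe@example.gov", "admin_consent": False,
     "permissions": ["User.Read", "Mail.ReadWrite", "Mail.Send"], "time": "2026-04-12T09:14:00Z"},
    {"activity": "Consent to application", "app": "HR Portal", "app_id": "00000000-0000-0000-0000-000000000002",
     "initiated_by": "admin@example.gov", "admin_consent": True,
     "permissions": ["User.Read", "Files.ReadWrite.All"], "time": "2025-11-02T14:00:00Z"},
    {"activity": "Consent to application", "app": "Team Noteboard", "app_id": "00000000-0000-0000-0000-000000000003",
     "initiated_by": "asmith@example.gov", "admin_consent": False,
     "permissions": ["User.Read"], "time": "2026-04-20T11:30:00Z"},
    {"activity": "Consent to application", "app": "Backup Connector", "app_id": "00000000-0000-0000-0000-000000000004",
     "initiated_by": "admin@example.gov", "admin_consent": True,
     "permissions": ["Files.ReadWrite.All"], "time": "2026-03-15T08:00:00Z"},
]

# Constructed auditd SYSCALL lines.
AUDIT_LINES = [
    'type=SYSCALL msg=audit(1777500000.101:4561): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2205 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=0 comm="sudo" exe="/usr/bin/sudo" key="privesc"',
    'type=SYSCALL msg=audit(1777500000.233:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=2208 pid=2210 auid=1001 uid=1001 gid=1001 euid=0 suid=0 fsuid=0 egid=0 comm="sh" exe="/usr/bin/dash" key="privesc"',
    'type=SYSCALL msg=audit(1777500001.005:4570): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2300 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 comm="bash" exe="/usr/bin/bash" key="privesc"',
    'type=SYSCALL msg=audit(1777500002.412:4575): arch=c000003e syscall=59 success=yes exit=0 ppid=2401 pid=2410 auid=1002 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 comm="ls" exe="/usr/bin/ls" key="privesc"',
]

if __name__ == "__main__":
    for c in risky_consents(CONSENT_RECORDS):
        print("consent:", c["app"], c["by"], c["risky"], "admin" if c["admin_consent"] else "user")
    for h in suspicious_root_transitions(AUDIT_LINES):
        print("root transition:", h)
```

<p> The auditd rule keys on <code> auid </code> rather than <code> uid </code> because the login UID survives setuid and setuid(0) transitions, so a root shell that began life in an unprivileged session is still attributable to that session; the allowlist keeps sudo and su out of the results so the hunt surfaces only the unexpected path to euid=0. </p>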
