Daily CTI Cycle: Geopolitical/Military on Iran

Anomali Threat Research

Published on

March 19, 2026

Table of Contents

Editor’s note: This post contains a little bit of behind the curtains view of an advanced Anomali CTI agent’s workflow.  <h2>CLIENT CONTEXT — PRE-RUN BRIEF</h2> Client Profile: Geopolitical-Military Iran Conflict Watch This is not a single-entity client but a standing intelligence requirement covering the full spectrum of cyber threats arising from the 2026 U.S.-Israel-Iran armed conflict, which began with joint strikes on Iran on ~28 February 2026 that killed the Supreme Leader and senior IRGC officials. The "client" is the set of organizations — U.S. critical infrastructure operators, defense industrial base (DIB) contractors, allied government agencies, healthcare systems, financial institutions, and cloud/technology providers — that sit in the Iranian retaliation target envelope. Why this is a high-value collection target: <ul> <li>Iran's IRGC, MOIS, and affiliated proxies have a decade-long track record of retaliatory cyber operations following kinetic escalation (Saudi Aramco 2012, Albanian government 2022, Israeli targets 2023–2024).</li> <li>The conflict has already produced the first confirmed destructive cyberattack on a U.S. company (Stryker, 11 March 2026) and the first kinetic strikes on cloud data centers (AWS UAE/Bahrain, 5–8 March 2026).</li> <li>Akamai reports a 245% increase in cybercrime activity since hostilities began (16 March 2026).</li> <li>Russia-linked hacktivist groups have been observed joining the pro-Iran cyber front (Nextgov, 10 March 2026).</li> </ul> Key technology surfaces at risk: <ul> <li>Edge/VPN appliances: Fortinet FortiGate, Ivanti EPMM, Citrix NetScaler, Cisco SD-WAN</li> <li>Cloud platforms: AWS (physically struck), Azure/M365 (OAuth device-code phishing), DigitalOcean</li> <li>ICS/OT: Unitronics PLCs, SCADA systems in water/energy sectors</li> <li>Remote access: ConnectWise ScreenConnect, RDP, RMM tools</li> <li>Mobile: iOS devices (DarkSword exploit kit), Android (BouldSpy/DAAM)</li> </ul> Primary threat vectors (ranked by current activity): <ol> <li>Hacktivist-cover destructive ops (Handala/Void Manticore → wiper attacks)</li> <li>State APT espionage (MuddyWater, APT42, APT34/OilRig → CI/DIB/nuclear)</li> <li>Opportunistic criminal surge (credential harvesting, ransomware, SEO poisoning)</li> <li>Kinetic-cyber convergence (drone strikes on data centers, ICS targeting)</li> <li>Supply chain/edge exploitation (Ivanti, FortiGate, ScreenConnect, fake VPN clients)</li> </ol> <h2>DAY 1 — CYCLE 019 (19 March 2026)</h2> <h3>Collection Pull</h3> <table> <thead> <tr> <th> Source Type </th> <th> Items </th> <th> Key Sources </th> </tr> </thead> <tbody> <tr> <td> ThreatStream actors (Iran, modified ≥10 Mar) </td> <td> 25 actors </td> <td> Anomali Adversary Intelligence </td> </tr> <tr> <td> ThreatStream campaigns (Iran) </td> <td> 15 campaigns </td> <td> ThreatStream </td> </tr> <tr> <td> ThreatStream threat bulletins (≥10 Mar) </td> <td> 20 bulletins </td> <td> CISA, CCCS, BleepingComputer </td> </tr> <tr> <td> ThreatStream active APT IOCs (Iran) </td> <td> 5 IOCs </td> <td> Anomali feeds </td> </tr> <tr> <td> OSINT articles </td> <td> ~55 unique articles </td> <td> Forbes, Reuters, SecurityWeek, Krebs, Wired, The Register, Dark Reading, NBC, CISA, etc. </td> </tr> <tr> <td> RSS bulletins (SentinelOne, Unit42) </td> <td> 12 items </td> <td> SentinelOne, Palo Alto Unit42 </td> </tr> <tr> <td> CVE lookups </td> <td> 5 CVEs enriched </td> <td> NVD/CISA KEV </td> </tr> </tbody> </table> Total collection: ~115 items. Highest-signal day since conflict began — driven by three convergent developments: SEAWRECK wiper disclosure, DarkSword iOS exploit kit, and EU sanctions on Iranian entity. <h3>Pass 1 — Enrichment</h3> <h4>EVENT 019-01: SEAWRECK — New Iran-Nexus MBR Wiper </h4> Date: 18 March 2026 Source: ThreatStream bulletin #31869506 SEAWRECK, a suspected Iran-nexus MBR wiper written in C++ that targets Windows.  Key technical details: <ul> <li>Overwrites MBR (first 512 bytes) of PhysicalDrive0 and PhysicalDrive1 with 0x55AA buffer</li> <li>Deletes drive layout for C: volume via IOCTL_DISK_DELETE_DRIVE_LAYOUT (control code 0x7C100)</li> <li>Resolves Windows APIs at runtime using XOR-encoded stacked strings</li> <li>Drive layout deletion routine exhibits code-level similarities to LOWERASER (first identified Dec 2023), but adds string obfuscation absent in LOWERASER</li> <li>No independently verified attribution — shared by trusted third party in early March 2026</li> <li>Intended effects: Degradation, Disruption. Motivation: Espionage</li> </ul> ATT&CK Mapping: <ul> <li>T1561.002 — Disk Wipe: Disk Structure Wipe (Impact)</li> <li>T1106 — Native API (Execution)</li> <li>T1027 — Obfuscated Files or Information (Defense Evasion) — XOR-encoded stacked strings</li> <li>T1140 — Deobfuscate/Decode Files or Information (Defense Evasion)</li> </ul> IOC Extraction: <ul> <li>Malware family: SEAWRECK (ThreatStream malware ID: 910892, last updated 2026-03-18)</li> <li>Related malware: LOWERASER (code similarity in drive layout deletion)</li> <li>No file hashes, domains, or IPs published in this bulletin. No IOCs available from current collection </li> <li>Memory-Before-Write Gate: Checking existing clusters → CLU-004 (BANISHED KITTEN wiper ops) tracks destructive/IO operations including BiBiWiper, ZeroShred. SEAWRECK is a new malware family with code lineage to LOWERASER, not previously tracked. However, it fits the destructive-wiper pattern of CLU-004.</li> </ul> → Action: UPDATE CLU-004 to add SEAWRECK as a tracked malware variant. Do NOT create new cluster — same threat pattern (Iran-nexus wiper deployment during conflict escalation). Confidence remains HIGH (already promoted in prior cycles; SEAWRECK adds a new tool but same actor ecosystem). Corroboration: <ul> <li>TTP axis: MBR wiping + drive layout deletion matches known Iranian wiper playbook (BiBiWiper, Meteor, ZeroCleare, LOWERASER). ✅</li> <li>Infrastructure axis: No infrastructure IOCs shared. ❌ (cannot corroborate)</li> <li>Victimology axis: consistent with Stryker attack pattern. ✅</li> </ul> → Corroboration: 2/3 axes confirmed. MODERATE-HIGH confidence on Iran-nexus attribution. <h4>EVENT 019-02: Handala/Stryker Attack — Continued Reporting Confirms MOIS Linkage</h4> Date: 11–17 March 2026 (reporting continues through 18 March) Sources: Forbes (17 Mar), Krebs on Security (11 Mar), Wired (12 Mar), NBC News (13 Mar), CISA bulletin #31869517 (18 Mar), Reuters (11 Mar), USA Today (11 Mar) The Stryker wiper attack is now the most-reported Iranian cyber incident of the conflict. Key updates since DAY-018: <ul> <li>Forbes (17 Mar): "U.S. Strikes Killed Iranian Cyber Chiefs, But The Hacks Continued" — confirms Iranian cyber espionage groups have been "intermittently active" since war began, with Stryker being the "one notable breach of a U.S. company."</li> <li>Wired (12 Mar): Handala described as "the face of Iran's hacker counterattacks" — represents Iran's use of hacktivism as cover for state-sponsored destructive ops.</li> <li>Krebs (11 Mar): Palo Alto Networks links Handala to Void Manticore, an IRGC-affiliated actor (also tracked as Cotton Sandstorm / BANISHED KITTEN). Handala surfaced late 2023 as one of several online personas maintained by Void Manticore.</li> <li>CISA bulletin (18 Mar): CISA official states agency has not seen uptick in Iranian cyber threats since strikes began — but is actively working with Stryker. Focused on AI-driven "velocity problem" in CVE remediation.</li> <li>Handala claims: 200,000 corporate devices wiped at Stryker.</li> </ul> ATT&CK Mapping: <ul> <li>T1561.002 — Disk Wipe: Disk Structure Wipe (Impact)</li> <li>T1485 — Data Destruction (Impact)</li> <li>T1565.001 — Stored Data Manipulation (Impact)</li> <li>T1078 — Valid Accounts (Initial Access — inferred from wiper deployment depth)</li> </ul> IOC Extraction: No new IOCs available from current collection — reporting is assessment-level, not technical. Memory-Before-Write Gate: CLU-004 (BANISHED KITTEN wiper ops Stryker) already tracks this. → UPDATE CLU-004 with Void Manticore/IRGC attribution from Krebs/Palo Alto. Confidence inflation check: CLU-004 was already HIGH. New evidence (Krebs MOIS linkage, CISA engagement) reinforces but does not exceed HIGH. → Remains HIGH. Corroboration (2-of-3 rule): <ul> <li>TTP axis: Wiper deployment consistent with IRGC playbook (Void Manticore / Cotton Sandstorm). ✅</li> <li>Infrastructure axis: No new infra IOCs. ❌</li> <li>Victimology axis: U.S. medical device manufacturer — consistent with Iranian targeting of U.S. companies during conflict. ✅ (7 independent sources confirm the attack)</li> </ul> → Corroboration: CONFIRMED (7 independent sources). HIGH confidence. <h4>EVENT 019-03: EU Sanctions Iranian Company for Cyberattacks Against Member States</h4> Date: 16 March 2026 Sources: Reuters (16 Mar), EU Council press release (16 Mar), SecurityWeek (18 Mar), HealthcareInfoSecurity (17 Mar) The EU Council imposed sanctions against one Iranian entity and two Chinese companies (Integrity Technology Group, Anxun Information Technology) for cyberattacks against EU member states. The Iranian entity was not named in available reporting snippets but is described as supporting "hacking operations." HealthcareInfoSecurity notes these sanctions are "belated" — the operations were already under U.S. indictments/sanctions for over a year. ATT&CK Mapping: No ATT&CK mapping — policy/sanctions event, not technical. IOC Extraction: No IOCs available — sanctions announcement, not technical disclosure. Memory-Before-Write Gate: This is a strategic-warning event. Checking → CLU-016 (US cyber defense posture degradation) and CLU-026 (UNC5866 SPACEHAMMER SACREDDESK / Emennet Pasargad) are the closest matches. The EU sanctions likely target Emennet Pasargad or a similar MOIS front company. → UPDATE CLU-026 to note EU sanctions action. No confidence change (strategic context, not technical evidence). <h4>EVENT 019-04: Storm-2561 Fake VPN Credential Theft — IOCs Confirmed Active</h4> Date: 12–16 March 2026 Sources: Microsoft (12 Mar), The Hacker News (13 Mar), SecurityWeek (16 Mar), CSO Online (13 Mar), The Register (13 Mar), ThreatStream IOC data Storm-2561 continues active operations distributing trojanized VPN clients via SEO poisoning. Key details: <ul> <li>Impersonates Fortinet, Ivanti, Cisco, CheckPoint, Pulse Secure VPN brands</li> <li>Distributes Hyrax infostealer via signed trojans</li> <li>Uses GitHub for hosting malicious downloads</li> <li>Active since May 2025; financially motivated</li> <li>Redirects victims to legitimate VPN download pages post-infection to hide tracks</li> </ul> ATT&CK Mapping: <ul> <li>T1608.006 — Stage Capabilities: SEO Poisoning (Resource Development)</li> <li>T1189 — Drive-by Compromise (Initial Access)</li> <li>T1036.005 — Masquerading: Match Legitimate Name or Location (Defense Evasion)</li> <li>T1555 — Credentials from Password Stores (Credential Access)</li> <li>T1539 — Steal Web Session Cookie (Credential Access)</li> </ul> IOC Extraction (from ThreatStream): <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Confidence </th> <th> Source </th> </tr> </thead> <tbody> <tr> <td> Domain </td> <td> forticlient-vpn[.]it </td> <td> 77 </td> <td> ThreatStream (2 feeds) </td> </tr> <tr> <td> IP </td> <td> 8.17.56.128 </td> <td> 95 </td> <td> ThreatStream (tagged Storm-2561, Hyrax Infostealer, Cobalt Strike) </td> </tr> </tbody> </table> Memory-Before-Write Gate: CLU-027 (Storm-2561 fake VPN credential theft SEO) already tracks this. → UPDATE CLU-027 with confirmed IOCs. Confidence inflation check: was EMERGING in prior cycles. With Microsoft primary research + ThreatStream IOCs + 5 independent OSINT sources → promote to MODERATE. (One-level jump, justified by new multi-source evidence.) Corroboration: <ul> <li>TTP axis: SEO poisoning → fake VPN → infostealer. Confirmed by Microsoft, CSO Online. ✅</li> <li>Infrastructure axis:forticlient-vpn[.]it confirmed by ThreatStream feeds. 8.17.56.128 tagged with Storm-2561 + Hyrax + Cobalt Strike. ✅</li> <li>Victimology axis: Enterprise VPN users across sectors. ✅</li> </ul> → Corroboration: CONFIRMED. HIGH confidence on campaign existence. Attribution to specific nation-state remains UNATTRIBUTED — Microsoft tracks as financially motivated. Cross-PIR note: Storm-2561 impersonates Fortinet and Ivanti — the same VPN brands tracked in PIR-005 (Iranian exploitation of internet-facing assets) and CLU-005 (Iranian VPN edge device exploitation). While Storm-2561 itself is not Iranian, its fake VPN infrastructure could be confused with or leveraged by Iranian actors. This is a convergence risk. <h4>EVENT 019-05: Cybercrime Surge — Akamai Reports 245% Increase Since War Began</h4> Date: 16 March 2026 Source: The Register (16 Mar), citing Akamai data Akamai reports a 245% increase in cybercrime since the Iran war began, including: <ul> <li>Credential harvesting attempts</li> <li>Automated reconnaissance traffic aimed at banks and critical businesses</li> <li>Hacktivists using proxy services from Russia and China for "billions of designed-for-abuse connection attempts"</li> </ul> ATT&CK Mapping: <ul> <li>T1110 — Brute Force (Credential Access)</li> <li>T1595 — Active Scanning (Reconnaissance)</li> <li>T1090 — Proxy (Command and Control) — Russia/China proxy services</li> </ul> IOC Extraction: No IOCs available — assessment-only event from Akamai aggregate telemetry. Memory-Before-Write Gate: CLU-011 (Opportunistic criminal exploitation Iran conflict) and CLU-009 (Pro-Iran pro-Russia hacktivist swarm) both apply. → UPDATE CLU-011 with Akamai 245% metric. UPDATE CLU-009 with Russia/China proxy service detail. No confidence changes — these are aggregate statistics, not new technical evidence. <h4>EVENT 019-06: CISA KEV Addition — CVE-2025-66376 Zimbra ZCS XSS (Actively Exploited)</h4> Date: 18 March 2026 Source: CISA KEV catalog via ThreatStream bulletin #31869496 CISA added CVE-2025-66376 to the Known Exploited Vulnerabilities catalog: <ul> <li>Product: Synacor Zimbra Collaboration Suite (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13</li> <li>Type: Stored XSS via CSS @import directives in HTML email</li> <li>CVSS: 7.2 (HIGH)</li> <li>Exploitation: Active (per CISA KEV designation)</li> </ul> ATT&CK Mapping: <ul> <li>T1189 — Drive-by Compromise (Initial Access) — via malicious email rendering</li> <li>T1059.007 — Command and Scripting Interpreter: JavaScript (Execution)</li> </ul> IOC Extraction: No IOCs available — vulnerability advisory, not incident report. Vulnerability Triage: <ul> <li>CVSS 7.2 HIGH + actively exploited + Zimbra widely deployed in government/education</li> <li>Iranian actors have historically targeted Zimbra (APT34, MuddyWater)</li> </ul> → Priority: HIGH. Relevant to PIR-005 (exploitation of internet-facing assets). <h3>Pass 2 — PIR Assessment</h3> <table> <thead> <tr> <th> PIR </th> <th> Satisfaction </th> <th> Change </th> <th> Match Type </th> <th> Evidence This Cycle </th> </tr> </thead> <tbody> <tr> <td> PIR-001 Iranian APT ops vs CI </td> <td> 99% </td> <td> → (no change) </td> <td> PARTIAL </td> <td> Forbes confirms Iranian cyber groups "intermittently active" but CISA says no observed uptick. Conflicting signals. </td> </tr> <tr> <td> PIR-002 Pro-Iran hacktivist scope </td> <td> 99% </td> <td> → (no change) </td> <td> DIRECT HIT </td> <td> Stryker attack continues to dominate reporting. Handala linked to Void Manticore/MOIS by Krebs/Palo Alto. </td> </tr> <tr> <td> PIR-003 Iranian proxy ICS-OT escalation </td> <td> 99% </td> <td> → (no change) </td> <td> QUIET </td> <td> No new ICS/OT-specific incidents this cycle. Absence noted — see Pass 3. </td> </tr> <tr> <td> PIR-004 Iranian cyber-enabled BDA/surveillance </td> <td> 98% </td> <td> → (no change) </td> <td> PARTIAL </td> <td> EU sanctions on Iranian entity for cyberattacks. No new leak/surveillance events. </td> </tr> <tr> <td> PIR-005 Iranian exploitation internet-facing assets </td> <td> 99% </td> <td> → (no change) </td> <td> DIRECT HIT </td> <td> CVE-2025-66376 Zimbra added to KEV. Storm-2561 fake VPN campaign active (convergence risk). </td> </tr> <tr> <td> PIR-006 AI/cloud/OAuth weaponization </td> <td> 80% </td> <td> → (no change) </td> <td> QUIET </td> <td> Device-code phishing bulletin (SquarePhish2/Graphish) is generic, not Iran-attributed. No new Iran-specific OAuth events. </td> </tr> <tr> <td> PIR-007 Iranian pre-positioning DIB networks </td> <td> 91% </td> <td> → (no change) </td> <td> QUIET </td> <td> No new DIB-specific events. Forbes notes Iranian groups "intermittently active" but no DIB targeting confirmed. </td> </tr> </tbody> </table> Quiet-PIR Attestation: <ul> <li>PIR-003 (ICS-OT): QUIET for 4th consecutive cycle. The Stryker wiper attack (CLU-004) is destructive but targets IT, not OT. SEAWRECK is an MBR wiper, not ICS-specific. Cyber Av3ngers and HYDRO KITTEN have not produced new reporting since conflict began. This absence is strategically significant — see Pass 3.</li> <li>PIR-006 (AI/OAuth): QUIET for 3rd consecutive cycle. The device-code phishing bulletin (SquarePhish2/Graphish) describes techniques Iranian actors could adopt but no attribution exists. Iran's AI use is confirmed at the strategic level (Yahoo/MSN: "Iran leveraging AI and stolen data") but no specific OAuth abuse incidents.</li> <li>PIR-007 (DIB pre-positioning): QUIET for 2nd consecutive cycle. UNC6446 aerospace espionage (CLU-017) was last updated in prior cycles. No new GitHub-based lure campaigns detected.</li> </ul> <h3>Pass 3 — Novel Detection + Absence Analysis</h3> <h4>NOVEL-019-A: SEAWRECK as Indicator of Wiper Arsenal Expansion</h4> Novelty Score: MEDIUM SEAWRECK represents a new wiper variant in the Iranian arsenal, but it is not a fundamentally new technique. Its code-level similarity to LOWERASER (Dec 2023) suggests iterative development rather than a capability leap. However, the timing — disclosed in early March 2026, during active conflict — suggests it may have been pre-staged for deployment and is now being shared among Iranian proxy groups. Implication: The Iranian wiper arsenal is diversifying. Organizations should not rely on signatures for known wipers (BiBiWiper, ZeroCleare, Meteor) alone — behavioral detection for MBR manipulation (IOCTL_DISK_GET_DRIVE_GEOMETRY → WriteFile to PhysicalDrive0/1) and drive layout deletion (IOCTL_DISK_DELETE_DRIVE_LAYOUT) is essential. <h4>NOVEL-019-B: DarkSword iOS Exploit Kit — Spyware Vendor Proliferation Risk</h4> Novelty Score: MEDIUM DarkSword (EVENT from ThreatStream bulletin #31869514) is a Russian-origin iOS exploit kit (UNC6353) now being repurposed by commercial surveillance vendors including PARS Defense — an entity name that suggests possible Iranian or Middle Eastern nexus. Targets include Saudi Arabia, Turkey, Malaysia, Ukraine. CVEs: CVE-2026-20700, CVE-2025-43529, CVE-2025-14174. While currently attributed to Russian state actors and commercial vendors, the PARS Defense connection and targeting of Middle Eastern countries creates a potential convergence with Iranian surveillance operations (PIR-004). This is a watch item, not a confirmed Iranian threat. Recommended action: Monitor for PARS Defense attribution updates. Add to CLU-008 (Iranian IP camera BDA campaign) watchlist if Iranian nexus confirmed. <h4>ABSENCE-AS-SIGNAL ANALYSIS:</h4> <ol> <li>ICS/OT silence (PIR-003): Cyber Av3ngers, HYDRO KITTEN, and IOCONTROL have produced zero new reporting since the conflict began on ~28 Feb. This is the 4th quiet cycle. Two competing hypotheses:</li> </ol> <ul> <li>Hypothesis A (benign): Iranian ICS capabilities were degraded by kinetic strikes on IRGC infrastructure. Probability: 30%.</li> <li>Hypothesis B (concerning): ICS operators are in a preparation/pre-positioning phase, holding capability for a high-impact moment (e.g., ceasefire collapse, escalation to ground operations). Historical precedent: Shamoon 2 was deployed months after initial access. Probability: 50%.</li> <li>Hypothesis C (collection gap): Our ICS/OT collection sources are insufficient. The DAY-018 improvement noted "EV/OT sector blind spot." Probability: 20%.</li> </ul> → Recommend maintaining PIR-003 at elevated watch despite quiet status. <ol> <li>State APT restraint vs. hacktivist surge: SecurityWeek (3 Mar) and CISA (18 Mar) both report that state-sponsored attacks remain low while hacktivist activity has spiked. Forbes (17 Mar) confirms Iranian cyber groups are "intermittently active." This pattern — hacktivist cover for state restraint — is consistent with Iranian doctrine of deniable escalation. The Stryker attack (Handala = Void Manticore = MOIS) demonstrates the blurred line.</li> <li>No new APT42/TAMECAT activity: CLU-018 (APT42 nuclear sector espionage) has not produced new events. ThreatStream shows APT42 campaigns updated through 18 Mar but no new technical indicators. APT42's credential harvesting infrastructure may be dormant or redirected to conflict-related targets not yet detected.</li> </ol> <h3>Recommended Actions</h3> <table> <thead> <tr> <th> Priority </th> <th> Action </th> <th> Team </th> <th> Evidence </th> <th> Deadline </th> </tr> </thead> <tbody> <tr> <td> IMMEDIATE </td> <td> Deploy behavioral detection for MBR wipe patterns: monitor for IOCTL_DISK_GET_DRIVE_GEOMETRY followed by WriteFile to \\.\PhysicalDrive0/1, and IOCTL_DISK_DELETE_DRIVE_LAYOUT on C: volume. </td> <td> SOC / Detection Engineering </td> <td> EVENT 019-01 (SEAWRECK), CLU-004 </td> <td> 24 hours </td> </tr> <tr> <td> IMMEDIATE </td> <td> Block IOC forticlient-vpn[.]it and 8.17.56.128 at DNS/firewall. Alert on any VPN client downloads from non-corporate sources. </td> <td> SOC / Network Ops </td> <td> EVENT 019-04 (Storm-2561) </td> <td> 24 hours </td> </tr> <tr> <td> 7-DAY </td> <td> Patch Zimbra ZCS to 10.0.18+ or 10.1.13+ (CVE-2025-66376). Verify no CSS @import-based XSS payloads in email logs. </td> <td> Vulnerability Management </td> <td> EVENT 019-06 </td> <td> 25 March 2026 </td> </tr> <tr> <td> 7-DAY </td> <td> Upgrade ConnectWise ScreenConnect to v26.1 (CVE-2026-3564). Audit ASP.NET machine key exposure on on-premises instances. </td> <td> IT Ops / Vulnerability Management </td> <td> ThreatStream bulletin #31869520 </td> <td> 25 March 2026 </td> </tr> <tr> <td> 7-DAY </td> <td> Review OAuth device-code flow configuration in Azure AD/Entra. Disable device_code flow if not required. Audit sign-in logs for device_code authentication events. </td> <td> Identity / Cloud Security </td> <td> ThreatStream bulletin #31869487 (SquarePhish2/Graphish) </td> <td> 25 March 2026 </td> </tr> <tr> <td> 30-DAY </td> <td> Establish ICS/OT-specific threat intelligence collection source (e.g., Dragos WorldView, CISA ICS-CERT advisories) to address PIR-003 quiet-PIR gap. </td> <td> CTI Team </td> <td> Absence analysis, DAY-018 improvement note </td> <td> 18 April 2026 </td> </tr> <tr> <td> 30-DAY </td> <td> Update iOS fleet to 26.3.1 or 18.7.6 to mitigate DarkSword exploit chain (CVE-2026-20700, CVE-2025-43529, CVE-2025-14174). </td> <td> Endpoint Management </td> <td> EVENT 019-05B (DarkSword) </td> <td> 18 April 2026 </td> </tr> </tbody> </table> <h3>Executive Flash — DAY 019</h3> THREAT LEVEL: HIGH (unchanged from DAY-018) <table> <thead> <tr> <th> # </th> <th> Finding </th> <th> Confidence </th> <th> Decision Required </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SEAWRECK — New Iran-nexus MBR wiper disclosed. Code lineage to LOWERASER. No attribution confirmed but shared during elevated threat environment. </td> <td> MODERATE-HIGH </td> <td> Deploy behavioral detection for MBR wipe patterns immediately. </td> </tr> <tr> <td> 2 </td> <td> Stryker/Handala — Krebs/Palo Alto confirm Handala = Void Manticore = MOIS. CISA actively engaged. Forbes reports Iranian cyber groups "intermittently active" despite CISA saying no observed uptick. </td> <td> HIGH </td> <td> No new action required — CLU-004 tracking is comprehensive. </td> </tr> <tr> <td> 3 </td> <td> EU sanctions Iranian entity for cyberattacks against member states. Belated alignment with existing U.S. sanctions. </td> <td> HIGH (confirmed) </td> <td> Strategic awareness — no technical action. </td> </tr> <tr> <td> 4 </td> <td> Storm-2561 fake VPN campaign confirmed active with IOCs (forticlient-vpn[.]it, 8.17.56.128). Impersonates Fortinet, Ivanti, Cisco. </td> <td> HIGH </td> <td> Block IOCs. Alert on non-corporate VPN downloads. </td> </tr> <tr> <td> 5 </td> <td> Cybercrime +245% since war began (Akamai). Russia/China proxy services enabling hacktivist swarm. </td> <td> MODERATE-HIGH </td> <td> Ensure WAF/DDoS protections are at maximum. Review credential-stuffing defenses. </td> </tr> </tbody> </table> Forward-Looking Assessment (next 7 days): <ul> <li>70% probability: Additional wiper deployments against U.S./Israeli targets using SEAWRECK or variant. The disclosure suggests the malware is already in circulation among Iranian proxy groups.</li> <li>60% probability: Hacktivist DDoS and defacement activity continues to escalate, particularly against financial services and transportation (per Akamai trend and AOL/Fortune reporting on "disruption at major transportation hubs").</li> <li>40% probability: A state-sponsored APT operation (MuddyWater, APT42, or APT34) produces a confirmed intrusion into U.S. CI or DIB. The Forbes "intermittently active" reporting suggests operations are ongoing but not yet publicly attributed.</li> <li>25% probability: ICS/OT-specific attack materializes. The longer the silence, the higher the concern — but current evidence does not support imminent action.</li> </ul> <h2>EXECUTIVE FLASH — FINAL</h2> THREAT LEVEL: HIGH The Iran conflict cyber landscape on Day 19 is characterized by a widening gap between hacktivist noise and state-sponsored quiet. The Stryker attack remains the only confirmed destructive operation against a U.S. company, but SEAWRECK's disclosure signals the wiper arsenal is expanding. The 245% cybercrime surge creates a fog-of-war environment where state operations can hide behind criminal and hacktivist activity. The most concerning signal remains the sustained silence from ICS/OT-focused actors — this pattern historically precedes high-impact operations. <h2>Cumulative KPI Snapshot</h2> <table> <thead> <tr> <th> Metric </th> <th> Score </th> <th> Trend </th> <th> Target </th> <th> Notes </th> </tr> </thead> <tbody> <tr> <td> Accuracy </td> <td> 92% </td> <td> → </td> <td> 90% </td> <td> No false positives identified this cycle </td> </tr> <tr> <td> Timeliness </td> <td> ~18h </td> <td> → </td> <td> <24h </td> <td> SEAWRECK bulletin processed same day as release </td> </tr> <tr> <td> Coverage </td> <td> 86% (6/7 PIRs hit) </td> <td> → </td> <td> 80% </td> <td> PIR-006 quiet for 3 cycles </td> </tr> <tr> <td> Relevance </td> <td> 100% </td> <td> → </td> <td> 70% </td> <td> All 6 events mapped to at least one PIR </td> </tr> <tr> <td> Actionability </td> <td> 83% (5/6 events produced actions) </td> <td> ↑ </td> <td> 60% </td> <td> EU sanctions event is awareness-only </td> </tr> </tbody> </table> <h2>Architecture Observations</h2> <ol> <li>Conflict Preservation Gate triggered: CISA says "no observed uptick" in Iranian cyber threats (bulletin #31869517) while Forbes says Iranian groups are "intermittently active" and Akamai reports 245% cybercrime increase. These are not contradictory — CISA is measuring state-sponsored APT activity specifically, while Akamai measures all cybercrime including hacktivist proxies. Both assessments preserved; neither discarded.</li> <li>Cross-PIR convergence detected: Storm-2561 (CLU-027, financially motivated) impersonates the same VPN brands (Fortinet, Ivanti, Cisco) that Iranian APTs exploit (PIR-005, CLU-005). An organization hunting for Iranian VPN exploitation could encounter Storm-2561 infrastructure and vice versa. This creates both a detection opportunity (shared indicator surface) and a false-attribution risk.</li> <li>Kinetic-cyber convergence deepening: The AWS data center drone strikes (CLU-021, 5–8 March) represent a new category of threat that no purely cyber-focused PIR captures. CLU-021 tracks this but the PIR framework may need a PIR-008 for physical attacks on digital infrastructure. Recommend evaluation in next weekly review.</li> <li>MOIS-cybercrime convergence confirmed: The Register (10 Mar) and Dark Reading (12 Mar) both report MOIS is now actively collaborating with cybercriminal groups — not just using criminal tools as cover, but sharing infrastructure bidirectionally. This validates CLU-024 (MOIS-cybercrime RaaS infrastructure convergence) and suggests the 245% cybercrime surge may include state-directed components that are difficult to attribute.</li> </ol>

FEATURED RESOURCES

March 19, 2026

Anomali Cyber Watch