<p> <strong> Threat Assessment Level: ELEVATED </strong>
</p>
<p> <em> (Raised from GUARDED. Escalation to HIGH possible within 72 hours if FortiBleed credential exploitation expands to confirmed state government victims or a new ransomware incident materializes against public-sector targets.) </em>
</p>
<h2> <strong> Introduction </strong>
</h2>
<p> State government IT leaders face a convergence of threats this week that demands immediate executive attention. A Russian-speaking criminal crew has compromised credentials for over 86,000 Fortinet firewalls globally — the same platform many state agencies rely on for perimeter defense and VPN access. Simultaneously, Russia's GRU (APT28) has deployed fresh malware tooling targeting government networks, a new ransomware partnership is industrializing supply-chain attacks against developer infrastructure, and Microsoft 365 environments are absorbing 81 million login attacks in a two-week window.
</p>
<p> This is not theoretical. CISA has added a new SharePoint remote code execution vulnerability to its Known Exploited Vulnerabilities catalog with confirmed exploitation against state agency infrastructure. The question for state CIOs and CISOs is not <em> whether </em> these threats are relevant — it's whether your teams can respond fast enough.
</p>
<h2> <strong> What Changed </strong>
</h2>
<ul> <li> <strong> FortiBleed (18 Jun): </strong> CISA and UK NCSC issued emergency guidance after 86,644 Fortinet firewalls were found compromised; credentials already used to deploy INC and Lynx ransomware. </li> <li> <strong> APT28 FrameLoader (3 Jul): </strong> CrowdStrike published fresh IOCs for a new GRU loader malware actively targeting government networks. </li> <li> <strong> Vect + TeamPCP Ransomware Partnership (3 Jul): </strong> FBI FLASH confirmed supply-chain credential theft from CI/CD pipelines now feeds directly into ransomware operations. </li> <li> <strong> SharePoint RCE CVE-2026-45659 (1 Jul): </strong> Added to CISA KEV with confirmed exploitation against state agency infrastructure; CVSS 8.8. </li> <li> <strong> M365 Mass Credential Spray (3 Jul): </strong> 81 million login attempts across 64 organizations in 14 days; some MFA bypasses confirmed. </li> <li> <strong> ICS Advisories (30 Jun): </strong> CISA published 7 simultaneous advisories covering Delta Electronics PLCs and Schneider Electric RTUs in water/wastewater environments. </li> <li> <strong> APT29 Credential Harvesting (26 Jun): </strong> CISA/FBI advisory on senior officials targeted via personal messaging apps. </li> <li> <strong> VOID MANTICORE California Water Breach (12 Jun): </strong> Iranian nation-state actor attributed to breach of California water utility, confirming active targeting of U.S. state critical infrastructure. </li>
</ul>
<h3> <strong> Detailed Timeline </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Significance </strong> </p> </th> </tr> </thead> <tbody>
<tr> <td> <p> 3 Jul 2026 </p> </td> <td> <p> FBI FLASH + Sophos: Vect + TeamPCP ransomware partnership </p> </td> <td> <p> Supply-chain credential theft now feeds directly into ransomware operations </p> </td> </tr>
<tr> <td> <p> 3 Jul 2026 </p> </td> <td> <p> APT28/FANCY BEAR fresh "FrameLoader" malware IOCs published </p> </td> <td> <p> New loader malware attributed to Russia's GRU Unit 26165 </p> </td> </tr>
<tr> <td> <p> 3 Jul 2026 </p> </td> <td> <p> 81 million M365 login attacks in 14 days reported </p> </td> <td> <p> Azure CLI password spray campaign bypassing MFA in some cases </p> </td> </tr>
<tr> <td> <p> 1 Jul 2026 </p> </td> <td> <p> CVE-2026-45659 (SharePoint RCE) added to CISA KEV </p> </td> <td> <p> Confirmed exploitation against state agencies; CVSS 8.8 </p> </td> </tr>
<tr> <td> <p> 30 Jun 2026 </p> </td> <td> <p> CISA published 7 simultaneous ICS advisories </p> </td> <td> <p> Delta Electronics PLCs and Schneider Electric RTUs in water/wastewater </p> </td> </tr>
<tr> <td> <p> 26 Jun 2026 </p> </td> <td> <p> CISA/FBI advisory on APT29 credential harvesting </p> </td> <td> <p> Senior officials targeted via personal messaging apps </p> </td> </tr>
<tr> <td> <p> 18 Jun 2026 </p> </td> <td> <p> CISA + UK NCSC emergency FortiBleed guidance </p> </td> <td> <p> 86,644 Fortinet firewalls compromised; credential rotation urged </p> </td> </tr>
<tr> <td> <p> 12 Jun 2026 </p> </td> <td> <p> California water utility breach attributed to VOID MANTICORE (IRGC) </p> </td> <td> <p> <strong> Iranian nation-state targeting U.S. state critical infrastructure </strong> </p> </td> </tr> </tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. FortiBleed: Your Perimeter Is the Supply Chain Now </strong>
</h3>
<p> A Russian-speaking criminal crew has been operating since February 2026, harvesting administrator and VPN credentials from 86,644 Fortinet firewalls across 194 countries — approximately 50% of the internet-facing FortiGate fleet. Their methodology is industrial:
</p>
<ul> <li> <strong> Configuration file exfiltration </strong> from exposed or previously breached devices </li> <li> <strong> SHA-256 hash cracking </strong> on a 45-GPU cluster </li> <li> A bespoke <strong> "FortiGate Sniffer" implant </strong> intercepting SSL VPN authentication in real time </li> <li> A searchable database of compromised credentials organized by country, industry, and revenue </li>
</ul>
<p> The downstream impact is already confirmed: compromised FortiBleed credentials have been used to deploy <strong> INC </strong> and <strong> Lynx </strong> ransomware against victims.
</p>
<p> <strong> Why this matters for state government: </strong> If any state FortiGate device was running legacy SHA-256 password hashes (pre-FortiOS 7.4.8), those credentials may already be in the attacker's database. The attacker uses valid credentials — there is no exploit signature to detect, no IOC to block. Your firewall becomes the adversary's front door.
</p>
<h3> <strong> 2. APT28/FANCY BEAR: Fresh Government-Targeting Malware </strong>
</h3>
<p> CrowdStrike published high-confidence IOCs on 3 July 2026 for a new loader malware family called <strong> FrameLoader </strong> , attributed to APT28 (Russia's GRU Unit 26165). This actor has a documented history of targeting government networks, election infrastructure, and political organizations.
</p>
<p> <strong> Key IOCs: </strong>
</p>
<ul> <li> SHA-256: 732fc1a6fad524e205764e54b1b1599b43fffe39099218d91e6a9811cefd5a24 </li> <li> MD5: 94ca87772e2dce058ba2aed04a739110 </li> <li> SHA-1: 225a43c6277568cb059a05f207619a9db093b660 </li>
</ul>
<p> This represents fresh tooling — not recycled infrastructure — indicating active operational tempo against government targets.
</p>
<h3> <strong> 3. Vect + TeamPCP: Ransomware Meets Supply-Chain Compromise </strong>
</h3>
<p> The FBI issued a FLASH warning on 3 July 2026 confirming that ransomware group <strong> Vect </strong> has partnered with <strong> TeamPCP </strong> (associated with "The Com" cybercriminal community). TeamPCP specializes in compromising developer tools — Trivy, npm packages, GitHub Actions — and stealing credentials from CI/CD pipelines. Those credentials now feed directly into Vect's ransomware-as-a-service operation.
</p>
<p> <strong> Confirmed malware families: </strong> CanisterWorm, SANDCLOCK, Mini Shai-Hulud, Miasma
</p>
<p> <strong> Key IOCs: </strong>
</p>
<ul> <li> eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb (Mini Shai-Hulud) </li> <li> 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 (Mini Shai-Hulud variant) </li> <li> 80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac (supply-chain artifact) </li> <li> 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95 (supply-chain artifact) </li>
</ul>
<p> Any state agency with developers using npm, GitHub Actions, or Trivy in their CI/CD pipelines is in the target set.
</p>
<h3> <strong> 4. CVE-2026-45659: SharePoint Under Active Exploitation </strong>
</h3>
<p> This deserialization-of-untrusted-data vulnerability (CVSS 8.8) allows an authorized attacker to execute arbitrary code on SharePoint servers. CISA added it to the KEV catalog on 1 July 2026 with confirmed exploitation against state agency infrastructure. This is the second SharePoint KEV in recent weeks, following CVE-2025-53770.
</p>
<h3> <strong> 5. Microsoft 365 Mass Credential Spray </strong>
</h3>
<p> A coordinated Azure CLI password spray campaign generated 81 million+ login attempts across 64 organizations in 14 days. Some attacks successfully bypassed MFA. State agencies relying on Microsoft 365 and Entra ID (Azure AD) for employee authentication — particularly service principals and automation accounts that may lack MFA — are directly exposed.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Timeframe </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Ransomware deployment against state/local government using FortiBleed-sourced credentials </p> </td> <td> <p> <strong> HIGH (75-85%) </strong> </p> </td> <td> <p> 7-14 days </p> </td> <td> <p> Confirmed INC/Lynx deployments via FortiBleed; government explicitly in target database </p> </td> </tr> <tr> <td> <p> APT28 FrameLoader used against U.S. state government network </p> </td> <td> <p> <strong> MODERATE (40-55%) </strong> </p> </td> <td> <p> 14-30 days </p> </td> <td> <p> Fresh tooling + historical APT28 government targeting; single-source attribution </p> </td> </tr> <tr> <td> <p> Supply-chain compromise of state CI/CD pipeline via TeamPCP/Vect </p> </td> <td> <p> <strong> MODERATE (35-50%) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> FBI-confirmed partnership; state dev teams use npm/GitHub; no confirmed state victim yet </p> </td> </tr> <tr> <td> <p> Second SharePoint zero-day or mass exploitation wave </p> </td> <td> <p> <strong> MODERATE-HIGH (55-65%) </strong> </p> </td> <td> <p> 7-14 days </p> </td> <td> <p> Two SharePoint KEVs in rapid succession indicates active research/exploitation campaign </p> </td> </tr> <tr> <td> <p> <strong> Volt Typhoon / Salt Typhoon re-emergence in state critical infrastructure </strong> </p> </td> <td> <p> <strong> MODERATE (40-50%) </strong> </p> </td> <td> <p> 30-60 days </p> </td> <td> <p> Absence of indicators is anomalous given prior pre-positioning activity; may indicate improved OPSEC </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Detection Priorities </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> ATT&CK Technique </strong> </p> </th> <th> <p> <strong> What to Hunt </strong> </p> </th> <th> <p> <strong> Detection Logic </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> T1078 (Valid Accounts) </p> </td> <td> <p> FortiBleed credential abuse </p> </td> <td> <p> FortiGate admin login from new source IP + config download within 60 min; VPN auth from anomalous geolocation </p> </td> </tr> <tr> <td> <p> T1110.003 (Password Spraying) </p> </td> <td> <p> M365 mass spray </p> </td> <td> <p> >50 failed logins per service principal/hour in Entra ID audit logs; successful auth immediately following spray pattern </p> </td> </tr> <tr> <td> <p> T1133 (External Remote Services) </p> </td> <td> <p> SSL VPN abuse </p> </td> <td> <p> VPN sessions from IPs not in historical baseline; concurrent sessions from same credential at different geolocations </p> </td> </tr> <tr> <td> <p> T1190 (Exploit Public-Facing App) </p> </td> <td> <p> SharePoint exploitation </p> </td> <td> <p> Unexpected process spawning from w3wp.exe on SharePoint servers; deserialization error patterns in ULS logs </p> </td> </tr> <tr> <td> <p> T1195.002 (Supply Chain Compromise) </p> </td> <td> <p> TeamPCP artifacts </p> </td> <td> <p> Unexpected npm package installations; GitHub Actions running from non-pinned references; presence of Mini Shai-Hulud hashes </p> </td> </tr> <tr> <td> <p> T1040 (Network Sniffing) </p> </td> <td> <p> FortiGate Sniffer implant </p> </td> <td> <p> Unexpected processes on FortiGate devices; configuration exports not initiated by known administrators </p> </td> </tr> <tr> <td> <p> T1059.001 (PowerShell) </p> </td> <td> <p> Post-exploitation </p> </td> <td> <p> Encoded PowerShell execution on SharePoint servers; PowerShell downloading from external URLs on endpoints </p> </td> </tr> </tbody>
</table>
<h3> <strong> Hunting Hypotheses </strong>
</h3>
<ol> <li> <strong> "Are our Fortinet credentials already compromised?" </strong> — Query FortiGate logs for admin logins from IP addresses outside your known management subnets in the past 90 days. Cross-reference with any configuration backup/export events. </li> <li> <strong> "Is anyone spraying our Entra ID?" </strong> — Pull Entra ID sign-in logs for the past 14 days. Filter for >10 failed attempts per unique username per hour. Look for service principals with no MFA enforcement. </li> <li> <strong> "Has our CI/CD pipeline been poisoned?" </strong> — Audit npm package-lock.json files across all state repositories for packages not in your approved dependency list. Check GitHub Actions workflow files for uses: references pointing to tags rather than commit SHAs. </li>
</ol>
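<p> The T1078 detection row and hunting hypothesis 1 describe the same correlation: an admin login from outside the management subnets followed by a configuration export within 60 minutes. The script below is an added example of that logic run over constructed log lines; it is not Anomali or Fortinet code, and the FortiOS-style field names it parses (action, status, user, srcip) are assumptions to be mapped onto your own event-log schema. </p>

```python
"""Correlate FortiGate admin logins from outside the management subnets with
configuration exports by the same account within a 60-minute window.
Constructed example, not Anomali or Fortinet code.  The log lines are
constructed in a simplified FortiOS-style key=value layout; the field names
(action, status, user, srcip) are assumptions to be mapped onto your own
FortiOS event-log schema.
"""
import ipaddress
import re
from datetime import datetime, timedelta

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed management subnets; admin logins from anywhere else count as "external".
MGMT_SUBNETS = ["10.10.0.0/16", "192.168.50.0/24"]

# Constructed sample log (not real device output).
SAMPLE_LOG = """
date=2026-07-03 time=08:55:10 type="event" user="netops" srcip=10.10.5.20 action="login" status="success" msg="Administrator netops logged in"
date=2026-07-03 time=09:02:41 type="event" user="netops" srcip=10.10.5.20 action="config-backup" status="success" msg="Configuration backed up"
date=2026-07-03 time=07:00:05 type="event" user="backupsvc" srcip=198.51.100.9 action="login" status="success" msg="Administrator backupsvc logged in"
date=2026-07-03 time=08:30:00 type="event" user="backupsvc" srcip=198.51.100.9 action="config-backup" status="success" msg="Configuration backed up"
date=2026-07-03 time=09:14:02 type="event" user="admin" srcip=203.0.113.45 action="login" status="success" msg="Administrator admin logged in"
date=2026-07-03 time=09:20:33 type="event" user="admin" srcip=198.51.100.7 action="login" status="failed" msg="Administrator admin login failed"
date=2026-07-03 time=09:41:02 type="event" user="admin" srcip=203.0.113.45 action="config-backup" status="success" msg="Configuration backed up"
"""


def parse_event(line):
    """Turn one key=value line into a dict and attach a datetime under 'ts'."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    fields["ts"] = datetime.strptime(f'{fields["date"]} {fields["time"]}', "%Y-%m-%d %H:%M:%S")
    return fields


def find_suspicious_exports(log_text, mgmt_subnets=MGMT_SUBNETS, window_minutes=60):
    """Return one alert per (external admin login, config export) pair where the
    export is done by the same user within window_minutes after the login.
    Logins from the management subnets are ignored, so a routine backup by an
    on-network administrator does not fire; only valid-credential use from an
    unexpected source does."""
    nets = [ipaddress.ip_network(n) for n in mgmt_subnets]
    events = sorted((parse_event(ln) for ln in log_text.splitlines() if ln.strip()),
                    key=lambda e: e["ts"])
    window = timedelta(minutes=window_minutes)
    external_logins = []  # (user, srcip, ts) of successful logins from outside the mgmt nets
    alerts = []
    for ev in events:
        if ev.get("action") == "login" and ev.get("status") == "success":
            addr = ipaddress.ip_address(ev["srcip"])
            if not any(addr in net for net in nets):
                external_logins.append((ev["user"], ev["srcip"], ev["ts"]))
        elif ev.get("action") == "config-backup":
            for user, srcip, login_ts in external_logins:
                delta = ev["ts"] - login_ts
                if user == ev["user"] and timedelta(0) <= delta <= window:
                    alerts.append({
                        "user": user,
                        "srcip": srcip,
                        "login_ts": login_ts.isoformat(),
                        "export_ts": ev["ts"].isoformat(),
                        "minutes_after_login": int(delta.total_seconds() // 60),
                    })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_exports(SAMPLE_LOG):
        print(alert)
```

<p> On the constructed sample only the admin session from 203.0.113.45 fires; the backupsvc export lands 90 minutes after its external login and falls outside the window, which is the kind of boundary worth tuning against your own backup schedule. </p>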
<h3> <strong> IOC Blocking Table </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Attribution </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 732fc1a6fad524e205764e54b1b1599b43fffe39099218d91e6a9811cefd5a24 </p> </td> <td> <p> APT28 FrameLoader </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 94ca87772e2dce058ba2aed04a739110 </p> </td> <td> <p> APT28 tooling </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> 225a43c6277568cb059a05f207619a9db093b660 </p> </td> <td> <p> APT28 tooling </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> eb6eb4154b03ec73218727dc643d26f4e14dfda2438112926bb5daf37ae8bcdb </p> </td> <td> <p> Mini Shai-Hulud (TeamPCP/Vect) </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 4066781fa830224c8bbcc3aa005a396657f9c8f9016f9a64ad44a9d7f5f45e34 </p> </td> <td> <p> Mini Shai-Hulud variant </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 80a3d2877813968ef847ae73b5eeeb70b9435254e74d7f07d8cf4057f0a710ac </p> </td> <td> <p> TeamPCP supply-chain artifact </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 6f933d00b7d05678eb43c90963a80b8947c4ae6830182f89df31da9f568fea95 </p> </td> <td> <p> TeamPCP supply-chain artifact </p> </td> </tr> </tbody>
</table>
<p> Additional IOCs available via Anomali ThreatStream Next-Gen and partner feeds.
</p>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Government (State & Local Agencies) </strong>
</h3>
<ul> <li> <strong> Priority 1: </strong> Emergency Fortinet credential rotation across all agencies. Verify FortiOS version ≥ 7.4.8 (PBKDF2 hashing). Any device on older firmware must be treated as compromised. </li> <li> <strong> Priority 2: </strong> Patch SharePoint for CVE-2026-45659 within CISA BOD 22-01 timelines. On-premises SharePoint farms are the primary target. </li> <li> <strong> Priority 3: </strong> Enforce DMARC p=reject on all state .gov domains. Research shows 17% of U.S. government domains have zero email authentication — this enables every phishing campaign we track. </li> <li> <strong> Priority 4: </strong> Audit Entra ID for service principals without MFA. These are the primary targets of Azure CLI password spray campaigns. </li>
</ul>
<h3> <strong> Financial Services (State Treasury, Revenue, Benefits Systems) </strong>
</h3>
<ul> <li> <strong> Priority 1: </strong> Monitor for credential-based access to financial systems via VPN. FortiBleed credentials sorted by "revenue" means high-value financial targets are prioritized by attackers. </li> <li> <strong> Priority 2: </strong> Implement conditional access policies requiring compliant devices for access to treasury and payment systems. </li> <li> <strong> Priority 3: </strong> Review wire transfer and payment authorization workflows for susceptibility to business email compromise enabled by weak email authentication. </li>
</ul>
<h3> <strong> Energy (State-Regulated Utilities, Grid Operations) </strong>
</h3>
<ul> <li> <strong> Priority 1: </strong> Apply ICS advisories for Schneider Electric Saitel DP RTUs and Delta Electronics DVP12SE PLCs deployed in state-regulated facilities. </li> <li> <strong> Priority 2: </strong> Hunt for Volt Typhoon pre-positioning indicators (T1078 + T1072) in OT network segments. The absence of recent indicators is anomalous and may indicate improved adversary OPSEC rather than reduced targeting. </li> <li> <strong> Priority 3: </strong> Segment SCADA/ICS networks from enterprise IT. The VOID MANTICORE California water breach demonstrates that nation-states are actively targeting state water infrastructure. </li>
</ul>
<h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong>
</h3>
<ul> <li> <strong> Priority 1: </strong> Healthcare scored second-worst (after government) in global email security research. Enforce DMARC and implement anti-spoofing controls on all health agency domains. </li> <li> <strong> Priority 2: </strong> Ransomware groups explicitly target healthcare for maximum extortion leverage. Ensure offline backups of Medicaid enrollment, EHR, and benefits systems are tested and current. </li> <li> <strong> Priority 3: </strong> Monitor for TeamPCP/Vect supply-chain indicators in any custom healthcare application CI/CD pipelines. </li>
</ul>
<h3> <strong> Aviation & Logistics (State DOT, Transit Authorities) </strong>
</h3>
<ul> <li> <strong> Priority 1: </strong> ICS/SCADA systems in transit and transportation are in the Volt Typhoon target set. Conduct asset inventory of PLCs and RTUs against current CISA ICS advisories. </li> <li> <strong> Priority 2: </strong> Fortinet devices protecting transportation management centers must be prioritized for FortiBleed credential rotation. </li> <li> <strong> Priority 3: </strong> Supply-chain integrity for fleet management and logistics software — audit third-party integrations for indicators of compromise. </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> IMMEDIATE (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> Verify ALL state FortiGate devices run FortiOS 7.4.8+ with PBKDF2 password hashing. <strong> Rotate every admin and VPN credential. </strong> Kill all active SSL VPN sessions and force re-authentication. Restrict management interfaces to internal-only access. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy EDR blocks for APT28 FrameLoader and TeamPCP/Vect hashes listed in the IOC table above. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> Implement detection for Azure CLI password spray: alert on >50 failed logins per service principal per hour in Entra ID, especially when followed by successful authentication. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> SOC </p> </td> <td> <p> Create behavioral alert: "FortiGate admin login from new source IP + configuration export within 60 minutes." This catches valid-credential attacks that bypass IOC-based detection. </p> </td> </tr> </tbody>
</table>
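<p> Priority 3 above, the T1110.003 detection row and hunting hypothesis 2 all describe the same spray logic: more than 50 failed sign-ins per service principal per hour, escalated when a successful sign-in follows. The script below is an added example of that detection over constructed sign-in records; it is not Anomali or Microsoft code, the flattened field names are assumptions, and errorCode 50126 is used as the "invalid username or password" result with 0 as success. </p>

```python
"""Flag Entra ID sign-in activity that matches the Azure CLI password-spray
pattern: more than `threshold` failed sign-ins for one principal in a clock
hour, with higher severity when a successful sign-in for that principal
follows shortly after the last failure.  Constructed example, not Anomali
or Microsoft code.  Records are constructed to resemble a flattened Entra
sign-in log; the field names are assumptions, errorCode 50126 stands for
"invalid username or password" and 0 for success.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AZ_CLI = "Microsoft Azure CLI"   # appDisplayName to filter on (assumption)


def make_event(ts, principal, error_code, ip, app=AZ_CLI):
    return {"createdDateTime": ts, "principal": principal,
            "errorCode": error_code, "ipAddress": ip, "appDisplayName": app}


def constructed_signins():
    """Constructed sample: one sprayed automation account that is eventually
    hit, one principal below threshold, and one human who mistyped twice."""
    base = datetime(2026, 7, 3, 9, 0, 0)
    events = []
    for i in range(60):  # 60 failures in ~50 minutes from 20 rotating source IPs
        events.append(make_event(base + timedelta(seconds=50 * i), "svc-backup-automation",
                                 50126, f"198.51.100.{i % 20 + 1}"))
    events.append(make_event(base + timedelta(minutes=52), "svc-backup-automation", 0, "198.51.100.7"))
    for i in range(8):   # 8 failures: noisy, but below the 50/hour threshold
        events.append(make_event(base + timedelta(minutes=5 * i), "svc-reporting", 50126, "198.51.100.40"))
    for m, code in ((10, 50126), (11, 50126), (12, 0)):
        events.append(make_event(base + timedelta(minutes=m), "jdoe@state.example", code, "10.20.30.40"))
    return events


def detect_spray(events, threshold=50, success_window=timedelta(minutes=30), app=AZ_CLI):
    """Return one alert per (principal, hour) bucket that exceeds `threshold`
    failures.  Severity is 'critical' when the principal then signs in
    successfully within `success_window` of the last failure, which is the
    "spray followed by success" case the detection table calls out."""
    failures = defaultdict(list)   # (principal, hour) -> [(ts, ip)]
    successes = defaultdict(list)  # principal -> [(ts, ip)]
    for ev in events:
        if ev["appDisplayName"] != app:
            continue
        ts = ev["createdDateTime"]
        if ev["errorCode"] == 0:
            successes[ev["principal"]].append((ts, ev["ipAddress"]))
        else:
            hour = ts.replace(minute=0, second=0, microsecond=0)
            failures[(ev["principal"], hour)].append((ts, ev["ipAddress"]))
    alerts = []
    for (principal, hour), fails in failures.items():
        if len(fails) <= threshold:
            continue
        last_fail = max(ts for ts, _ in fails)
        hits = [(ts, ip) for ts, ip in successes[principal]
                if timedelta(0) <= ts - last_fail <= success_window]
        alerts.append({
            "principal": principal,
            "hour": hour.isoformat(),
            "failures": len(fails),
            "distinct_source_ips": len({ip for _, ip in fails}),
            "followed_by_success": bool(hits),
            "success_ip": hits[0][1] if hits else None,
            "severity": "critical" if hits else "high",
        })
    return sorted(alerts, key=lambda a: a["principal"])


if __name__ == "__main__":
    for alert in detect_spray(constructed_signins()):
        print(alert)
```

<p> Lowering threshold to 10, as hunting hypothesis 2 does for per-username review, surfaces the second principal as a high-severity alert without a confirmed hit. </p>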
<h3> <strong> 7-DAY </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> Patch SharePoint for CVE-2026-45659 (CVSS 8.8, CISA KEV). If patching is delayed, deploy WAF rules blocking deserialization payloads on SharePoint endpoints. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> DevOps </p> </td> <td> <p> Audit all npm dependencies and GitHub Actions in state CI/CD pipelines. Pin all Actions to commit SHAs (not version tags). Scan for the 108 malicious packages identified in the TeamPCP/PolinRider campaign. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> IT Operations </p> </td> <td> <p> Enforce DMARC p=reject on all state email domains. Audit SPF, DKIM, and MTA-STS configuration. Any domain at p=none is effectively unprotected against spoofing. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> Identity Team </p> </td> <td> <p> Audit all Entra ID service principals and automation accounts for MFA enforcement. Implement conditional access policies requiring phishing-resistant authentication for privileged operations. </p> </td> </tr> </tbody>
</table>
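<p> Priority 2 above and hunting hypothesis 3 both call for checking that GitHub Actions are pinned to commit SHAs rather than tags. The audit below is an added example, not Anomali or GitHub code; it works on raw workflow text with only the standard library, the sample workflow is constructed, and the 40-hex SHA in it is made up for illustration. </p>

```python
"""Audit GitHub Actions workflow files for `uses:` references that are not
pinned to a full commit SHA.  Constructed example, not Anomali or GitHub
code.  A tag such as @v4 or a branch such as @master can be moved to point
at different code later; a 40-hex commit SHA cannot.  Standard library only,
so it can run inside a pipeline without PyYAML.
"""
import re

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
SHA_RE = re.compile(r"[0-9a-f]{40}")

# Constructed workflow; the SHA below is made up for illustration.
SAMPLE_WORKFLOW = """
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@8f152de45cc7ee0d8d94d5a6d5a2f4b2a1c0d9e3  # pinned
      - uses: ./.github/actions/local-lint
      - name: scan
        uses: "aquasecurity/trivy-action@master"
      - uses: docker://ghcr.io/example/builder:latest
"""


def classify(ref):
    """Return (action, ref_part, status) for one `uses:` value."""
    if ref.startswith("./"):
        return ref, "", "local"            # lives in the same repo; reviewed with the code
    if ref.startswith("docker://"):
        image, _, digest = ref.partition("@")
        status = "pinned" if digest.startswith("sha256:") else "unpinned"
        return image, digest, status
    action, _, version = ref.partition("@")
    status = "pinned" if SHA_RE.fullmatch(version) else "unpinned"
    return action, version, status


def audit_workflow(text):
    """Return one finding per `uses:` line: line number, action, ref, status."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, version, status = classify(m.group(1))
        findings.append({"line": n, "action": action, "ref": version, "status": status})
    return findings


def unpinned(text):
    """Just the findings that should block the pipeline."""
    return [f for f in audit_workflow(text) if f["status"] == "unpinned"]


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f['line']:>3}  {f['status']:<9} {f['action']} @{f['ref']}")
```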
<h3> <strong> 30-DAY (Strategic) </strong>
</h3>
<table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Owner </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission assessment of state Fortinet fleet exposure to FortiBleed. Cross-reference device serial numbers against Fortinet's customer notification list. Evaluate migration to FIDO2/phishing-resistant MFA for all VPN access. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> CISO </p> </td> <td> <p> Initiate architectural review: FortiBleed proves perimeter appliances are a supply-chain dependency, not just a security control. Zero-trust principles must extend to the perimeter devices themselves. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> CIO </p> </td> <td> <p> Fund replacement for degraded open-source intelligence feeds. Legislative and regulatory monitoring (cybersecurity mandates, CISA directives) has been effectively blind for over 130 days — this is a strategic risk. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> IR Team </p> </td> <td> <p> Update incident response playbooks to address credential-based initial access where no exploit signature exists. Tabletop exercise: "FortiBleed credentials used to deploy ransomware on state network — how do we detect and contain?" </p> </td> </tr> </tbody>
</table>
<h2> <strong> The Bigger Picture: Three Architectural Shifts </strong>
</h2>
<ol> <li> <strong> Credentials are the new exploit. </strong> Three of this week's five major events target credentials rather than software vulnerabilities. The threat landscape is shifting from "patch faster" to "assume credentials are compromised." Detection must pivot from IOC/signature matching to behavioral anomaly detection on identity systems. </li> <li> <strong> Perimeter appliances are supply-chain dependencies. </strong> FortiBleed demonstrates that your firewall is not just a security control — it's a trust anchor. When that trust is violated at industrial scale, the entire security architecture built on top of it fails silently. Zero-trust cannot stop at the application layer. </li> <li> <strong> Ransomware is industrializing. </strong> The Vect + TeamPCP partnership represents specialization and vertical integration in the criminal ecosystem. One group steals developer credentials through supply-chain attacks; another deploys ransomware using those credentials. State government — with its political visibility, citizen data, and budget constraints — is explicitly in the target set. </li>
</ol>
<h2> <strong> Bottom Line </strong>
</h2>
<p> Five threat fronts are converging on state government infrastructure simultaneously: FortiBleed credential theft already enabling ransomware deployment, fresh APT28 tooling in active use against government targets, an FBI-confirmed ransomware-supply-chain partnership, a CISA-confirmed SharePoint RCE under active exploitation, and an 81-million-attempt credential spray campaign bypassing MFA. No single control closes all five gaps. The highest-leverage action available today is emergency Fortinet credential rotation — it directly addresses the threat most likely to result in ransomware encryption of state systems within the next two weeks. All other actions in this report should be sequenced behind that priority.
</p>
<h2> <strong> Closing </strong>
</h2>
<p> The window between intelligence and exploitation is narrowing. FortiBleed credentials are already being used for ransomware deployment. APT28 has fresh tooling in the field. A confirmed SharePoint RCE is being exploited against state agencies today.
</p>
<p> The decisions required this week are not comfortable ones. Emergency credential rotation will cause temporary VPN disruption. Patching SharePoint may require maintenance windows. Auditing CI/CD pipelines will consume developer time. But the alternative — discovering your Fortinet credentials in a ransomware operator's database after encryption begins — is categorically worse.
</p>
<p> <strong> Act on the FortiBleed credential rotation today. </strong> Everything else follows from whether your perimeter is still yours.
</p>
<p> <em> Anomali CTI Desk | 3 July 2026 </em>
</p>
<p> <em> For questions or additional IOC feeds, contact your Anomali account team or access indicators directly via ThreatStream Next-Gen. </em>
</p>