Identity Is the New Perimeter — And State Governments Are in the Crosshairs

Public Sector

Published on

April 7, 2026

Table of Contents

Threat Assessment Level: ELEVATED — Trending HIGH Continued from prior assessment (2026-04-06): Level remains ELEVATED — Trending HIGH. No downgrade is warranted. While no new state government victim was confirmed in this cycle, the convergence of active ransomware operations against government targets, a new macOS credential-theft campaign weaponizing AI tool lures, the emergence of a stealer capable of bypassing MFA via server-side session hijacking, ICS/SCADA advisories affecting utility infrastructure, and an escalating pro-Iran hacktivist campaign shifting to destructive operations collectively sustain the upward pressure on the threat level. For state government CIOs and CISOs, the past 72 hours have delivered a clear message: the attack surface is expanding faster than most agencies can patch it. Threat actors — from ransomware syndicates to nation-state espionage groups to ideologically motivated hacktivists — are converging on the same targets: your identity platforms, your perimeter appliances, your ICS/SCADA systems, and increasingly, the AI development tools your teams are adopting. This briefing synthesizes intelligence collected through April 7, 2026, and is designed to give state IT leadership a single, prioritized view of what matters right now and what to do about it. <h2>What Changed (April 3–7, 2026)</h2> <table> <thead> <tr> <th> Development </th> <th> Why It Matters for State Government </th> </tr> </thead> <tbody> <tr> <td> EvilTokens PhaaS + TA416/Mustang Panda OAuth consent phishing targeting government and diplomatic organizations (April 3–6) </td> <td> EvilTokens is deploying 1,000+ domains to attack M365 device-code authentication at industrial scale. Simultaneously, TA416 is abusing OAuth consent flows to deploy PlugX against government targets. Together, these campaigns represent a coordinated assault on identity platforms that MFA alone cannot stop. </td> </tr> <tr> <td> FortiClient EMS CVE-2026-35616 (CVSS 9.8) confirmed actively exploited (April 6) </td> <td> An unauthenticated remote code execution vulnerability in a widely deployed perimeter security appliance is under active exploitation. Any unpatched FortiClient EMS instance is a direct network entry point. </td> </tr> <tr> <td> ClickFix + AMOS Stealer campaign targeting AI tool users (Claude Code, Gemini CLI, Cursor, others) via poisoned Google Ads </td> <td> State developers and data scientists adopting AI tools are now a direct target. AMOS harvests macOS Keychain credentials, browser sessions, and files — a single compromised developer workstation can yield VPN credentials, cloud tokens, and code-signing keys. </td> </tr> <tr> <td> Storm Stealer emerges as a $1,000/month rental toolkit with server-side decryption and Google Refresh Token session hijacking </td> <td> Storm bypasses endpoint detection entirely by exfiltrating encrypted browser data for remote decryption. Its ability to restore authenticated Google/M365 sessions using stolen refresh tokens with geo-matched proxies means MFA alone is no longer sufficient to protect cloud identity. </td> </tr> <tr> <td> SmartApeSG traffic distribution system actively injecting malicious JavaScript into compromised legitimate websites (April 6) </td> <td> Any state employee browsing a compromised site — or any state agency website running vulnerable CMS plugins — is at risk of drive-by compromise. </td> </tr> <tr> <td> Three ICS advisories issued: Siemens SICAM 8, Yokogawa CENTUM VP, Hitachi Energy Ellipse </td> <td> Directly relevant to state-operated water treatment, transportation, and utility SCADA environments. The Yokogawa vulnerability allows attacker login as the PROG user with permission modification capability. </td> </tr> <tr> <td> Operation Epic Fury pro-Iran hacktivist campaign escalates from DDoS to destructive/wiper operations (1,583 verified incidents, 144 financial institutions, 14 countries) </td> <td> While primarily targeting financial services, the campaign's expansion trajectory and involvement of NoName057(16) — which simultaneously targets NATO-aligned government infrastructure — creates direct spillover risk for state government portals and citizen-facing services. </td> </tr> <tr> <td> Ransomware groups remain active against government: DragonForce (last victim April 5), Akira (last victim April 6), Qilin/REVENANT SPIDER (updated April 7) </td> <td> State and local government remains the #1 public-sector ransomware target. No new state victim was confirmed this cycle, but operational tempo has not decreased. </td> </tr> </tbody> </table> <h2>Threat Timeline: March 19 – April 7, 2026</h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Actors / Malware </th> <th> Impact </th> </tr> </thead> <tbody> <tr> <td> Mar 19 </td> <td> DOJ seizure of Iranian cyber infrastructure </td> <td> APT42, CyberAv3ngers, MuddyWater, Handala/Void Manticore </td> <td> Triggered confirmed retaliatory pre-positioning in U.S. critical infrastructure </td> </tr> <tr> <td> Apr 2 </td> <td> CISA publishes three ICS advisories </td> <td> — </td> <td> Siemens SICAM 8, Yokogawa CENTUM VP, Hitachi Energy Ellipse vulnerabilities disclosed </td> </tr> <tr> <td> Apr 3–4 </td> <td> OAuth consent phishing campaigns against government/diplomatic targets </td> <td> TA416/Mustang Panda (China) </td> <td> PlugX deployment via OAuth abuse targeting government organizations </td> </tr> <tr> <td> Apr 5 </td> <td> DragonForce ransomware claims latest government victim </td> <td> DragonForce </td> <td> Continued government-sector targeting </td> </tr> <tr> <td> Apr 6 </td> <td> FortiClient EMS CVE-2026-35616 (CVSS 9.8) confirmed actively exploited </td> <td> Multiple actors </td> <td> Critical perimeter appliance vulnerability under active exploitation </td> </tr> <tr> <td> Apr 6 </td> <td> EvilTokens PhaaS platform deploying 1,000+ domains targeting M365 device-code auth </td> <td> EvilTokens operators </td> <td> Identity platform attack at industrial scale </td> </tr> <tr> <td> Apr 6 </td> <td> SmartApeSG campaign actively injecting JS into compromised websites </td> <td> SmartApeSG TDS, HANEYMANEY, ZPHP </td> <td> Drive-by compromise risk for state employees and state-hosted websites </td> </tr> <tr> <td> Apr 6 </td> <td> Storm Stealer capability analysis published </td> <td> Storm Stealer </td> <td> Server-side credential exfiltration with MFA bypass via session hijacking </td> </tr> <tr> <td> Apr 6 </td> <td> Akira ransomware claims latest victim </td> <td> PUNK SPIDER / Akira </td> <td> Government-targeting ransomware remains operationally active </td> </tr> <tr> <td> Apr 6 </td> <td> CISA adds new entry to Known Exploited Vulnerabilities catalog </td> <td> — </td> <td> Confirmed in-the-wild exploitation requiring federal remediation </td> </tr> <tr> <td> Apr 7 </td> <td> ClickFix + AMOS macOS campaign targeting AI tool users discovered </td> <td> AMOS (Atomic macOS Stealer) </td> <td> Credential theft via fake AI tool documentation pages served through Google Ads </td> </tr> <tr> <td> Feb 28 – Apr 6 </td> <td> Operation Epic Fury escalates to destructive attacks </td> <td> Conquerors Electronic Army, NoName057(16), 313 Team, Anonymous For Justice, Hider_Nex </td> <td> 1,583 incidents across 14 countries; shift from DDoS to wiper operations in April </td> </tr> </tbody> </table> <h2>Key Threat Analysis                     </h2> <h3>1. The Identity Platform Crisis: From Phishing to Platform Compromise</h3> Three distinct campaigns are now converging on the same objective — stealing and replaying authenticated sessions to bypass MFA: <ul> <li>EvilTokens PhaaS (1,000+ domains) targets Microsoft 365 device-code authentication flows at industrial scale</li> <li>TA416/Mustang Panda uses OAuth consent phishing to deploy PlugX through legitimate authentication mechanisms</li> <li>Storm Stealer ($1,000/month rental) exfiltrates encrypted browser data server-side and replays Google Refresh Tokens with geo-matched SOCKS5 proxies to restore authenticated sessions without triggering alerts</li> </ul> The common thread: MFA is necessary but no longer sufficient. Attackers have moved past credential theft to session theft, token replay, and OAuth abuse. For state agencies running Microsoft 365 and Azure AD — which is effectively all of them — this represents a fundamental shift in the threat model. Identity platforms now require the same continuous monitoring, segmentation, and defense-in-depth that network perimeters received a decade ago. Named actors: TA416/Mustang Panda (China), APT42 (IRGC-IO), Kimsuky (DPRK), APT28 (Russia) — all have demonstrated OAuth or token-based attack capabilities against government targets. <h3>2. Ransomware: Sustained Pressure on State and Local Government</h3> The ransomware threat to state government has not diminished. Four groups with confirmed government-targeting activity were updated in intelligence feeds between April 5–7: <table> <thead> <tr> <th> Group </th> <th> Alias </th> <th> Last Confirmed Victim </th> <th> Notable Capability </th> </tr> </thead> <tbody> <tr> <td> Akira </td> <td> PUNK SPIDER </td> <td> April 6, 2026 </td> <td> Dual-extortion; Linux/ESXi variants </td> </tr> <tr> <td> DragonForce </td> <td> — </td> <td> April 5, 2026 </td> <td> Onion-based leak site; aggressive public shaming </td> </tr> <tr> <td> Qilin </td> <td> REVENANT SPIDER </td> <td> Updated April 7, 2026 </td> <td> Targets managed service providers for downstream access </td> </tr> <tr> <td> LockBit </td> <td> BITWISE SPIDER </td> <td> Active </td> <td> Despite law enforcement disruption, affiliate network persists </td> </tr> </tbody> </table> Key concern for state agencies: Qilin/REVENANT SPIDER's targeting of managed service providers (MSPs) is particularly dangerous for state governments that rely on MSPs for specialized agency IT. A single MSP compromise can cascade across multiple agencies simultaneously. <h3>3. ICS/SCADA: Vulnerabilities in State-Operated Critical Infrastructure</h3> Three ICS advisories published April 2 affect systems commonly deployed in state-operated utilities and infrastructure: <table> <thead> <tr> <th> Advisory </th> <th> Product </th> <th> State Gov Relevance </th> <th> Risk </th> </tr> </thead> <tbody> <tr> <td> ICSA-26-092-01 </td> <td> Siemens SICAM 8 </td> <td> Water/wastewater SCADA, energy distribution </td> <td> Denial of service against SICAM A8000 devices </td> </tr> <tr> <td> ICSA-26-092-02 </td> <td> Yokogawa CENTUM VP </td> <td> Process control in water treatment, chemical facilities </td> <td> Attacker can login as PROG user and modify permissions — direct control manipulation </td> </tr> <tr> <td> ICSA-26-092-03 </td> <td> Hitachi Energy Ellipse </td> <td> Utility asset management </td> <td> Jasper Report vulnerability in asset management platform </td> </tr> </tbody> </table> The Yokogawa CENTUM VP vulnerability is the most concerning: it allows an attacker to authenticate as the PROG user and modify system permissions, which maps directly to ICS ATT&CK techniques T0831 (Manipulation of Control) and T0836 (Modify Parameter). For state agencies operating water treatment or chemical processing facilities, this vulnerability should be treated as critical regardless of CVSS score. Continuing threat context: The March 19 DOJ seizure of Iranian cyber infrastructure triggered confirmed retaliatory pre-positioning by CyberAv3ngers (IRGC-CEC) in U.S. critical infrastructure — the same group that compromised Unitronics PLCs in U.S. water systems in late 2023. State water and wastewater utilities remain in the threat crosshairs. <h3>4. ClickFix + AMOS: AI Tool Adoption Creates a New Attack Surface</h3> The ClickFix social engineering technique — which tricks users into copying and executing terminal commands — has been weaponized against users of AI development tools including Claude Code, Grok, n8n, NotebookLM, Gemini CLI, OpenClaw, and Cursor. Attackers purchased Google Ads to serve fake documentation pages that deploy AMOS (Atomic macOS Stealer). AMOS capabilities on a compromised macOS endpoint: <ul> <li>Escalates to root</li> <li>Harvests macOS Keychain passwords (including VPN credentials, SSH keys, certificates)</li> <li>Sweeps browser credentials and session cookies from Chrome, Safari, and Firefox</li> <li>Empties cryptocurrency wallets</li> <li>Collects files from Desktop, Documents, and Downloads</li> <li>Installs a persistent backdoor with WebSocket reverse shell</li> </ul> Why this matters for state government: State IT modernization initiatives are driving rapid adoption of AI tools for code generation, data analysis, and automation. Developers and data scientists are high-privilege users with access to production systems, code repositories, and cloud infrastructure. A single compromised developer workstation can yield credentials that unlock far more than the developer's own accounts. <h3>5. Operation Epic Fury: Pro-Iran Hacktivist Escalation</h3> Between February 28 and April 6, 2026, the pro-Iran hacktivist coalition behind Operation Epic Fury executed 1,583 verified incidents across 14 countries, targeting 144 financial institutions. The critical development: in April, the campaign shifted from DDoS to destructive operations, including potential wiper malware deployment. Key participating groups: <ul> <li>Conquerors Electronic Army — 32 financial sector incidents</li> <li>NoName057(16) — 25 incidents (Russian-affiliated; simultaneously targets NATO government infrastructure)</li> <li>313 Team — 10 incidents (Iraq-based)</li> <li>Anonymous For Justice — 8 destructive attacks debuting April 1</li> <li>Hider_Nex — 10 incidents with geographic expansion into Africa</li> </ul> State government spillover risk: NoName057(16) has a documented history of targeting government web portals in NATO-aligned countries. The group's participation in a pro-Iran coalition that is escalating to destructive operations raises the probability that state government citizen-facing portals could be targeted — particularly during periods of heightened U.S.-Iran tension following the March 19 DOJ seizure. <h2>Predictive Analysis: Most Likely Attack Scenarios (Next 7–14 Days)</h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Ransomware incident at a U.S. state or local government agency (Akira, DragonForce, or Qilin) </td> <td> HIGH (75–85%) </td> <td> Four active groups with confirmed government targeting; operational tempo sustained through April 6–7; MSP supply chain vector amplifies reach </td> </tr> <tr> <td> Session hijacking attack against state M365/Azure AD environment using token replay or OAuth abuse </td> <td> HIGH (70–80%) </td> <td> EvilTokens (1,000+ domains), Storm Stealer (session replay capability), and TA416 OAuth phishing all active simultaneously; state agencies are heavy M365 users </td> </tr> <tr> <td> ClickFix/AMOS credential theft affecting a state government developer or analyst </td> <td> MODERATE (40–55%) </td> <td> Campaign is active and targeting AI tools being adopted by government; Google Ads delivery mechanism bypasses email security controls </td> </tr> <tr> <td> DDoS or defacement of state government web portal by pro-Iran or NoName057(16) hacktivists </td> <td> MODERATE (35–50%) </td> <td> Operation Epic Fury expanding geographically; NoName057(16) has government-targeting history; U.S.-Iran tensions elevated post-DOJ seizure </td> </tr> <tr> <td> Exploitation of unpatched ICS/SCADA system (Siemens SICAM, Yokogawa CENTUM VP) at a state-operated utility </td> <td> LOW-MODERATE (20–35%) </td> <td> Advisories just published; exploitation requires network access to OT environment; but Iranian pre-positioning in U.S. water infrastructure raises the floor </td> </tr> <tr> <td> SmartApeSG drive-by compromise of a state agency website or state employee browsing session </td> <td> MODERATE (35–45%) </td> <td> Campaign actively injecting JS into legitimate sites; state CMS platforms (especially WordPress) are common targets for injection </td> </tr> </tbody> </table> <h2>SOC Operational Guidance            </h2> <h3>Hunt Hypotheses</h3> Hypothesis 1: ClickFix Terminal Command Execution on macOS Endpoints <ul> <li>ATT&CK: T1204.002 (User Execution: Malicious File), T1059.004 (Unix Shell), T1555.001 (Keychain), T1547 (Boot/Logon Autostart)</li> <li>Hunt: Query EDR for curl | bash, curl | sh, or osascript -e executions initiated from browser processes on macOS. Look for new LaunchAgent or LaunchDaemon plist files created within 60 seconds of a browser-spawned shell. Correlate with DNS queries to recently registered domains mimicking AI tool documentation sites.</li> <li>Detection: Alert on any macOS endpoint where a browser process spawns /bin/bash, /bin/zsh, or osascript with network download commands.</li> </ul> Hypothesis 2: M365 Session Token Replay / OAuth Consent Abuse <ul> <li>ATT&CK: T1550.001 (Application Access Token), T1539 (Steal Web Session Cookie), T1528 (Steal Application Access Token)</li> <li>Hunt: In Azure AD sign-in logs, search for authentication events where the same user session appears from two geographically distant IP addresses within a short window (< 2 hours). Look for OAuth application consent grants to unfamiliar application IDs — especially those requesting Mail.Read, Files.Read.All, or User.Read.All scopes. Monitor for device-code authentication flows (grant_type=urn:ietf:params:oauth:grant-type:device_code) from unexpected user populations.</li> <li>Detection: Alert on new OAuth app consent grants, device-code auth from non-mobile users, and impossible-travel sign-in anomalies.</li> </ul> Hypothesis 3: SmartApeSG JavaScript Injection on State Websites <ul> <li>ATT&CK: T1189 (Drive-by Compromise), T1059.007 (JavaScript), T1071.001 (Web Protocols)</li> <li>Hunt: Scan state-managed web properties for unauthorized <script> tags referencing external domains — particularly domains ending in .top or recently registered domains. Review web server access logs for requests to paths containing /realm/ or filenames like session-header.js, rate-effect.php, legacy-validator.js. Monitor DNS logs for state employee endpoints resolving domains associated with SmartApeSG infrastructure.</li> <li>Detection: Web application firewall (WAF) rules to block script injection from known SmartApeSG domains. DNS sinkhole for confirmed malicious domains.</li> </ul> Hypothesis 4: Ransomware Pre-Positioning via MSP Compromise <ul> <li>ATT&CK: T1199 (Trusted Relationship), T1021.001 (Remote Desktop Protocol), T1486 (Data Encrypted for Impact)</li> <li>Hunt: Audit all MSP remote access connections to state networks. Look for RDP, RMM tool (ConnectWise, AnyDesk, TeamViewer), or VPN sessions from MSP IP ranges occurring outside normal maintenance windows. Monitor for lateral movement patterns originating from MSP-connected network segments. Check for new service accounts or scheduled tasks created on systems accessible to MSP personnel.</li> <li>Detection: Enforce just-in-time (JIT) access for MSP connections. Alert on any MSP-origin session that touches systems outside the MSP's contracted scope.</li> </ul> Hypothesis 5: ICS/SCADA Unauthorized Access <ul> <li>ATT&CK: T0831 (Manipulation of Control), T0836 (Modify Parameter), T0855 (Unauthorized Command Message)</li> <li>Hunt: In OT network monitoring, look for authentication attempts to Yokogawa CENTUM VP systems using the PROG account from non-standard workstations. Monitor Siemens SICAM A8000 devices for unusual configuration changes or restart patterns. Review firewall logs for any IT-to-OT traffic that was not explicitly authorized.</li> <li>Detection: Ensure OT network monitoring is capturing authentication events. Alert on any PROG account login from an IP not on the authorized engineering workstation list.</li> </ul> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services (State Treasury, Revenue, Pension Funds)</h3> Operation Epic Fury has directly targeted 144 financial institutions across 14 countries, with the April escalation to destructive/wiper operations representing a step-change in risk. State treasury systems, revenue collection portals, and pension fund management platforms share the same technology stack as commercial financial institutions. <ul> <li>Immediate: Enable enhanced DDoS protection on all citizen-facing financial portals (tax filing, payment processing, benefits disbursement). Validate that anti-DDoS services can absorb volumetric attacks from NoName057(16)'s DDoSia botnet.</li> <li>7-Day: Conduct tabletop exercise simulating a wiper attack against the state's financial management system. Verify that offline backups of financial databases are current and tested.</li> <li>30-Day: Implement network segmentation between citizen-facing financial portals and backend financial management systems. Ensure that a compromised web frontend cannot reach core accounting or ERP systems.</li> </ul> <h3>Energy (State-Operated Utilities, Grid Coordination)</h3> The Siemens SICAM 8 and Hitachi Energy Ellipse advisories directly affect energy distribution and utility asset management. Combined with confirmed Iranian pre-positioning in U.S. critical infrastructure following the March 19 DOJ seizure, state-operated energy infrastructure faces elevated risk. <ul> <li>Immediate: Inventory all Siemens SICAM A8000 and Hitachi Energy Ellipse deployments. Apply vendor mitigations from ICSA-26-092-01 and ICSA-26-092-03 where patches are available.</li> <li>7-Day: Validate IT/OT network segmentation. Confirm that no direct path exists from the corporate network or internet to SICAM or Ellipse management interfaces. Audit firewall rules governing IT-to-OT traffic.</li> <li>30-Day: Deploy passive OT network monitoring (e.g., Claroty, Dragos, Nozomi) if not already in place. Establish baseline behavioral profiles for SCADA communication patterns to enable anomaly detection.</li> </ul> <h3>Healthcare (State Health Agencies, Medicaid Systems, Public Health Labs)</h3> State health agencies manage protected health information (PHI) for millions of residents and operate systems subject to HIPAA. Ransomware groups — particularly Akira and Qilin — have demonstrated willingness to target healthcare organizations, and the Storm Stealer's session hijacking capability threatens cloud-based health information exchanges. <ul> <li>Immediate: Verify that all health agency M365 tenants have Conditional Access policies enforcing compliant-device-only access. Disable legacy authentication protocols (IMAP, POP3, SMTP AUTH) that bypass MFA.</li> <li>7-Day: Audit OAuth application consent grants in health agency Azure AD tenants. Revoke any unfamiliar or overly permissive application registrations. Implement admin-consent-only policies for new OAuth apps.</li> <li>30-Day: Conduct a ransomware readiness assessment for Medicaid management systems and electronic health record (EHR) platforms. Ensure that recovery time objectives (RTOs) for critical health systems are documented and tested.</li> </ul> <h3>Government (Executive Branch Agencies, Elections, Law Enforcement)</h3> State executive branch agencies are the primary target for both nation-state espionage (Mustang Panda/TA416, Kimsuky, APT28) and ransomware. The TA416 OAuth consent phishing campaign (April 3–4) specifically targeted government organizations with PlugX deployment. <ul> <li>Immediate: Push emergency awareness communications to all agency IT staff about the ClickFix social engineering technique — specifically the danger of copying terminal commands from websites. Include screenshots of the fake AI tool documentation pages.</li> <li>7-Day: Review all FortiClient EMS deployments for CVE-2026-35616 (CVSS 9.8) patching status. This vulnerability is confirmed actively exploited and provides unauthenticated remote code execution on a perimeter security appliance.</li> <li>30-Day: Implement phishing-resistant authentication (FIDO2/passkeys) for all privileged accounts (domain admins, Azure AD global admins, security administrators). Token-based attacks (EvilTokens, Storm Stealer, TA416 OAuth abuse) are specifically designed to defeat traditional MFA — only phishing-resistant methods close this gap.</li> </ul> <h3>Aviation / Logistics (State DOT, Airport Authorities, Port Operations)</h3> State departments of transportation, airport authorities, and port operations manage both IT and OT systems. The Yokogawa CENTUM VP vulnerability (ICSA-26-092-02) affects process control systems used in transportation infrastructure, and ransomware groups have historically targeted transportation agencies for their operational urgency. <ul> <li>Immediate: Inventory all Yokogawa CENTUM VP deployments in transportation and port operations. Restrict PROG account access to authorized engineering workstations only. Monitor for any PROG account authentication from unexpected sources.</li> <li>7-Day: Audit remote access pathways to transportation OT networks. Ensure that VPN access to OT segments requires separate credentials from IT network access and is logged independently.</li> <li>30-Day: Develop or update continuity of operations plans (COOP) for a ransomware scenario affecting traffic management, toll collection, or port operations systems. Identify manual fallback procedures for critical transportation functions.</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>IMMEDIATE (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Block all IOCs listed in the IOC Blocking Guidance table above at perimeter firewalls, DNS sinkholes, and endpoint protection platforms. </td> </tr> <tr> <td> IMMEDIATE </td> <td> SOC </td> <td> Create detection rules for ClickFix-style execution: browser process → shell process → network download on macOS endpoints (T1204.002, T1059.004). </td> </tr> <tr> <td> IMMEDIATE </td> <td> Identity/IAM </td> <td> Audit Azure AD sign-in logs for device-code authentication flows (grant_type=device_code) from unexpected users or IP ranges. Investigate any anomalies as potential EvilTokens compromise. </td> </tr> <tr> <td> IMMEDIATE </td> <td> Identity/IAM </td> <td> Review and revoke any OAuth application consent grants created in the last 30 days that request Mail.Read, Files.Read.All, or User.Read.All permissions from unfamiliar application IDs. </td> </tr> <tr> <td> IMMEDIATE </td> <td> Web/AppSec </td> <td> Scan all state-managed websites for unauthorized external JavaScript includes, particularly references to .top domains or paths containing /realm/. </td> </tr> <tr> <td> IMMEDIATE </td> <td> ICS/OT </td> <td> Confirm network isolation of all Yokogawa CENTUM VP and Siemens SICAM A8000 systems. Verify no unauthorized IT-to-OT pathways exist. </td> </tr> </tbody> </table> <h3>7-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 7-DAY </td> <td> IT Ops </td> <td> Verify patching status of all FortiClient EMS instances for CVE-2026-35616 (CVSS 9.8, actively exploited). Isolate any unpatched instances from the network until remediation is complete. </td> </tr> <tr> <td> 7-DAY </td> <td> Identity/IAM </td> <td> Implement Conditional Access policies requiring compliant/managed devices for all M365 access. Disable legacy authentication protocols (IMAP, POP3, SMTP AUTH) across all tenants. </td> </tr> <tr> <td> 7-DAY </td> <td> SOC </td> <td> Deploy hunting queries for Storm Stealer session replay indicators: same-user authentication from geographically impossible locations within short time windows; Google Refresh Token usage from non-standard user agents. </td> </tr> <tr> <td> 7-DAY </td> <td> IT Ops </td> <td> Audit all MSP remote access connections. Implement just-in-time (JIT) access controls and ensure MSP sessions are logged, time-limited, and scoped to contracted systems only. </td> </tr> <tr> <td> 7-DAY </td> <td> CISO/IR </td> <td> Conduct a 2-hour tabletop exercise simulating a ransomware attack against a critical agency (e.g., revenue, health, transportation). Test notification chains, backup restoration procedures, and executive communication plans. </td> </tr> </tbody> </table> <h3>30-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 30-DAY </td> <td> Identity/IAM </td> <td> Deploy FIDO2/passkey authentication for all Tier 0 and Tier 1 privileged accounts (domain admins, Azure AD global admins, security admins, backup admins). This is the only effective countermeasure against token replay and OAuth consent phishing. </td> </tr> <tr> <td> 30-DAY </td> <td> IT Ops/OT </td> <td> Deploy passive OT network monitoring on all state-operated ICS/SCADA networks. Establish behavioral baselines for normal SCADA communication patterns. </td> </tr> <tr> <td> 30-DAY </td> <td> SOC </td> <td> Implement continuous session monitoring for M365 — detect and alert on token refresh anomalies, impossible travel, and session cookie replay. Evaluate Microsoft Entra ID Protection or equivalent ITDR tooling. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO </td> <td> Commission an external assessment of MSP access controls and supply chain risk across all agencies using third-party IT service providers. Prioritize MSPs with administrative access to Active Directory or cloud identity. </td> </tr> <tr> <td> 30-DAY </td> <td> CISO/Legal </td> <td> Review state cybersecurity incident reporting obligations and ensure all agencies have updated incident response plans that reflect current notification timelines and escalation requirements. </td> </tr> <tr> <td> 30-DAY </td> <td> Web/AppSec </td> <td> Implement Content Security Policy (CSP) headers on all state-managed web properties to prevent unauthorized script injection (SmartApeSG and similar TDS campaigns). Audit CMS platforms — especially WordPress — for vulnerable plugins. </td> </tr> </tbody> </table> <h2>Intelligence Collection Note          </h2> Open-source intelligence (OSINT) collection has been degraded for two consecutive cycles. All intelligence in this report is derived from commercial threat intelligence feeds (Anomali ThreatStream Next-Gen) and CISA advisories. This represents a collection gap that may result in delayed detection of emerging threats not yet covered by commercial feeds. The CTI team is actively working to restore full OSINT collection capability. <h2>The Bottom Line                              </h2> The threat landscape facing state government IT is defined by three converging realities: First, identity is the battleground. EvilTokens, Storm Stealer, TA416's OAuth phishing, and ClickFix/AMOS are all different weapons aimed at the same target: your users' authenticated sessions. Patching a firewall won't help when the attacker walks in through a stolen OAuth token. Phishing-resistant authentication (FIDO2/passkeys) for privileged accounts is no longer a roadmap item — it is an operational necessity. Second, the ransomware clock is ticking. Four active ransomware groups are confirmed targeting government. Qilin's focus on MSP compromise means your agency's security is only as strong as your weakest vendor's. If you haven't tested your backup restoration in the last 90 days, you don't have backups — you have hope. Third, the OT threat is no longer theoretical. Three ICS advisories in a single week, combined with confirmed Iranian pre-positioning in U.S. water infrastructure, means state-operated utilities must treat IT/OT segmentation as a life-safety control, not an IT project. The actions in this report are specific, prioritized, and assigned. The threat actors are not waiting. Neither should you.

FEATURED RESOURCES

April 7, 2026

Anomali Cyber Watch

The 48-Hour Window: Iran's Cyber-Kinetic War Machine Reaches Maximum Threat Posture

April 7, 2026

Public Sector

Anomali Cyber Watch

Identity Is the New Perimeter — And State Governments Are in the Crosshairs

April 6, 2026

Anomali Cyber Watch

Iran’s Cyber War Machine Doesn’t Need the Internet to Attack You

Explore All