<p>
<strong>
Threat Assessment Level: ELEVATED
</strong>
(unchanged from prior cycle; trending toward HIGH)
</p>
<p>
<em>
The ransomware ecosystem is industrializing its supply chain. A shared code-signing service now enables at least five ransomware families to bypass endpoint defenses with validly signed binaries — while a newly documented AWS persistence technique renders standard incident response containment ineffective. State government IT leaders must act this week.
</em>
</p>
<h2>
<strong>
Executive Summary
</strong>
</h2>
<p>
Today's intelligence reveals three converging threats to state government networks:
</p>
<ul>
<li>
<strong>
A Malware-Signing-as-a-Service (MSaaS) ecosystem
</strong>
is providing valid code-signing certificates to Qilin, Akira, BlackByte, Rhysida, and INC ransomware operators — all of which have documented government targeting.
</li>
<li>
<strong>
AWS federation persistence
</strong>
allows adversaries to maintain access even after security teams deactivate compromised credentials — a direct challenge to cloud incident response playbooks.
</li>
<li>
<strong>
Five ICS/OT advisories in 24 hours
</strong>
— including unauthenticated remote code execution in SCADA systems and browser takeover in building automation controllers used in government facilities.
</li>
</ul>
<p>
Meanwhile, Russian nation-state actors (APT28 and APT29) remain postured against government targets, and China-nexus ValleyRAT command-and-control infrastructure was confirmed active today.
</p>
<h2>
<strong>
What Changed
</strong>
</h2>
<table>
<thead>
<tr>
<th>
<p>
Development
</p>
</th>
<th>
<p>
Why It Matters for State Government
</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>
signspace[.]cloud MSaaS infrastructure identified serving 5+ ransomware families
</p>
</td>
<td>
<p>
Signed malware bypasses EDR trust policies; state endpoints may execute ransomware without triggering alerts
</p>
</td>
</tr>
<tr>
<td>
<p>
AWS sts:GetFederationToken persistence documented by CrowdStrike
</p>
</td>
<td>
<p>
Disabling API keys does NOT revoke attacker access — standard IR playbooks are broken for AWS
</p>
</td>
</tr>
<tr>
<td>
<p>
ScadaBR unauthenticated RCE (ICSA-26-139-03)
</p>
</td>
<td>
<p>
Open-source SCADA system used in smaller utility/building deployments — no authentication required for exploitation
</p>
</td>
</tr>
<tr>
<td>
<p>
Kieback & Peter DDC building controller XSS (ICSA-26-139-05)
</p>
</td>
<td>
<p>
Browser takeover of building automation management — directly relevant to state government facilities
</p>
</td>
</tr>
<tr>
<td>
<p>
APT28 (GRU) phishing domain registered 2026-05-17 tagged for government targeting
</p>
</td>
<td>
<p>
Active Russian credential harvesting infrastructure aimed at state government employees
</p>
</td>
</tr>
<tr>
<td>
<p>
APT29 (SVR/Midnight Blizzard) ATI-Agent malware indicators refreshed 2026-05-20
</p>
</td>
<td>
<p>
Russian intelligence service maintaining active capability against government and defense targets
</p>
</td>
</tr>
<tr>
<td>
<p>
ValleyRAT/Winos C2 domains active (China-nexus)
</p>
</td>
<td>
<p>
Fresh command-and-control infrastructure confirmed beaconing; China-nexus actors continue pre-positioning
</p>
</td>
</tr>
<tr>
<td>
<p>
Non-human identity theft flagged as fastest-growing underground category (SpyCloud 2026)
</p>
</td>
<td>
<p>
AI agents, service accounts, and automation principals are now primary targets — most state agencies lack NHI governance
</p>
</td>
</tr>
</tbody>
</table>
<h2>
<strong>
Threat Timeline
</strong>
</h2>
<table>
<thead>
<tr>
<th>
<p>
Date
</p>
</th>
<th>
<p>
Event
</p>
</th>
<th>
<p>
Relevance
</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>
2026-05-13
</p>
</td>
<td>
<p>
Abyss Locker ransomware exploits CVE-2021-20038 (SonicWall SMA 100) with full kill chain including Veeam credential theft
</p>
</td>
<td>
<p>
VPN appliance exploitation → ransomware deployment against government
</p>
</td>
</tr>
<tr>
<td>
<p>
2026-05-17
</p>
</td>
<td>
<p>
APT28 (GRU) registers phishing domain syd.clarionquestgroup[.]cfd tagged for government targeting
</p>
</td>
<td>
<p>
Active Russian credential harvesting infrastructure aimed at government
</p>
</td>
</tr>
<tr>
<td>
<p>
2026-05-19
</p>
</td>
<td>
<p>
CISA publishes ICS advisories for ScadaBR, Siemens RUGGEDCOM, ABB CoreSense, Kieback & Peter DDC, ZKTeco
</p>
</td>
<td>
<p>
Batch of critical infrastructure vulnerabilities affecting state facilities
</p>
</td>
</tr>
<tr>
<td>
<p>
2026-05-20
</p>
</td>
<td>
<p>
CISA adds 7 vulnerabilities to Known Exploited Vulnerabilities (KEV) catalog — largest single-day batch in weeks
</p>
</td>
<td>
<p>
Active exploitation confirmed; emergency patching likely required
</p>
</td>
</tr>
<tr>
<td>
<p>
2026-05-20
</p>
</td>
<td>
<p>
APT29 (SVR/Midnight Blizzard) refreshes ATI-Agent malware indicators with government/defense targeting
</p>
</td>
<td>
<p>
Russian intelligence service maintaining active capability against government
</p>
</td>
</tr>
<tr>
<td>
<p>
2026-05-21
</p>
</td>
<td>
<p>
MSaaS infrastructure (signspace[.]cloud) identified serving Qilin, Akira, BlackByte, Rhysida, INC ransomware
</p>
</td>
<td>
<p>
Shared ransomware enabler ecosystem with valid code signatures
</p>
</td>
</tr>
<tr>
<td>
<p>
2026-05-21
</p>
</td>
<td>
<p>
CrowdStrike documents AWS federation persistence bypassing credential deactivation
</p>
</td>
<td>
<p>
Cloud IR containment gap affecting any state agency using AWS
</p>
</td>
</tr>
<tr>
<td>
<p>
2026-05-21
</p>
</td>
<td>
<p>
ValleyRAT/Winos C2 domains zzlkkghnmh[.]cn and 1112.688608[.]xyz confirmed active
</p>
</td>
<td>
<p>
China-nexus RAT infrastructure operational
</p>
</td>
</tr>
</tbody>
</table>
<h2>
<strong>
Key Threat Analysis
</strong>
</h2>
<h3>
<strong>
1. Ransomware Supply Chain Professionalization — MSaaS
</strong>
</h3>
<p>
The discovery of signspace[.]cloud as a shared malware-signing service represents a maturation of the ransomware ecosystem. Rather than each ransomware group independently procuring code-signing certificates, a centralized service now provides this capability to multiple operators simultaneously.
</p>
<p>
<strong>
Families served:
</strong>
Qilin (REVENANT SPIDER/Agenda), Akira, BlackByte, Rhysida, INC
</p>
<p>
<strong>
Also distributes:
</strong>
Lumma Stealer, Vidar infostealer, Oyster backdoor
</p>
<p>
<strong>
Infrastructure:
</strong>
Azure-hosted, abusing legitimate cloud services for certificate procurement
</p>
<p>
<strong>
Why this matters:
</strong>
State government endpoint protection solutions maintain trust lists for signed binaries. When ransomware arrives bearing a valid code signature, initial detection rates drop substantially. This is not a theoretical concern — Qilin and Akira have both demonstrated government targeting in 2025-2026 campaigns.
</p>
<p>
<strong>
Strategic implication:
</strong>
Blocking one ransomware group no longer eliminates the threat. The signing service persists and serves the next affiliate. Detection must shift upstream to the enabler layer.
</p>
<h3>
<strong>
2. AWS Federation Persistence — IR Playbook Failure
</strong>
</h3>
<p>
CrowdStrike's incident response teams documented adversaries using sts:GetFederationToken to create federated sessions that
<strong>
survive standard containment actions
</strong>
. The attack chain:
</p>
<ul>
<li>
Adversary compromises IAM user credentials
</li>
<li>
Calls sts:GetFederationToken to create a federated session
</li>
<li>
Federated session inherits all permissions from the base IAM user
</li>
<li>
Security team detects compromise and deactivates API keys
</li>
<li>
<strong>
Federated session remains valid
</strong>
— adversary retains full access
</li>
<li>
Adversary escalates via AWS Console even without IAM user password
</li>
</ul>
<p>
<strong>
For state agencies using AWS:
</strong>
If your incident response playbook relies on credential deactivation as a containment step, it is insufficient. You must attach explicit deny-all policies to compromised users AND revoke all active sessions.
</p>
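<p>
A worked example of the containment and triage this section calls for, added here and not taken from the report or from CrowdStrike's write-up. It scans constructed CloudTrail-style records (simplified field layout, not real logs) for sts:GetFederationToken calls by IAM users outside an assumed baseline of known automation, then builds the inline Deny policy for the compromised user: unconditional for the explicit deny-all, or with an aws:TokenIssueTime condition for the "revoke active sessions" step. The small evaluator shows why the report asks for both: the time-bounded revoke does not match requests signed with the long-term access key. The same triage logic covers the CloudTrail hunting hypothesis in the SOC guidance.
</p>

```python
"""Added example (not from the report or CrowdStrike): triage CloudTrail records for
sts:GetFederationToken and build the user-level Deny policy the report calls for."""
from datetime import datetime, timedelta, timezone
import json

ISO = "%Y-%m-%dT%H:%M:%SZ"

def parse_ts(s):
    return datetime.strptime(s, ISO).replace(tzinfo=timezone.utc)

# Constructed CloudTrail-style records with a simplified field layout (not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2026-05-18T02:10:44Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "10.20.0.15",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy-bot"},
     "requestParameters": {"name": "nightly-build", "durationSeconds": 3600}},
    {"eventTime": "2026-05-21T03:47:12Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetFederationToken", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "IAMUser", "userName": "jdoe-admin"},
     "requestParameters": {"name": "console", "durationSeconds": 129600}},
    {"eventTime": "2026-05-21T03:49:30Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"type": "FederatedUser", "userName": "console"}},
]
BASELINE_FEDERATORS = {"ci-deploy-bot"}  # assumed: IAM users known to federate legitimately

def find_suspicious_federation(events, baseline):
    """GetFederationToken calls by IAM users outside the baseline, with the session
    expiry (default 12h, max 36h) and whether a federated console login followed.
    Deactivating the access key only stops new requests signed with that key; a
    session token already issued keeps working until it expires or a policy denies it."""
    logins = [e for e in events if e.get("eventName") == "ConsoleLogin"
              and e["userIdentity"].get("type") == "FederatedUser"]
    findings = []
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "GetFederationToken":
            continue
        user = ev["userIdentity"].get("userName")
        if user in baseline:
            continue
        params = ev.get("requestParameters") or {}
        issued = parse_ts(ev["eventTime"])
        expires = issued + timedelta(seconds=params.get("durationSeconds", 43200))
        console = any(l["userIdentity"].get("userName") == params.get("name")
                      and issued <= parse_ts(l["eventTime"]) <= expires for l in logins)
        findings.append({"user": user, "source_ip": ev["sourceIPAddress"], "issued": issued,
                         "expires": expires, "console_login": console})
    return findings

def containment_policy(revoke_before=None):
    """Inline policy for the compromised IAM user. Without a timestamp it is the
    report's explicit deny-all; with one it is the 'revoke active sessions' form,
    denying only credentials issued before that time (aws:TokenIssueTime)."""
    stmt = {"Sid": "ContainCompromisedUser", "Effect": "Deny", "Action": "*", "Resource": "*"}
    if revoke_before is not None:
        stmt["Condition"] = {"DateLessThan": {"aws:TokenIssueTime": revoke_before.strftime(ISO)}}
    return {"Version": "2012-10-17", "Statement": [stmt]}

def request_denied(policy, token_issue_time=None):
    """Minimal model of IAM evaluation: token_issue_time is None for a request signed
    with the long-term access key (condition key absent, so DateLessThan does not
    match); a federated session carries the time its token was issued."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if cond is None:
            return True
        if token_issue_time is not None and token_issue_time < parse_ts(cond):
            return True
    return False

if __name__ == "__main__":
    for f in find_suspicious_federation(SAMPLE_EVENTS, BASELINE_FEDERATORS):
        print(f"{f['user']} federated from {f['source_ip']}; session valid until "
              f"{f['expires'].strftime(ISO)}; console login seen: {f['console_login']}")
    now = parse_ts("2026-05-21T05:00:00Z")
    revoke, deny_all = containment_policy(now), containment_policy()
    session_at = parse_ts("2026-05-21T03:47:12Z")
    # Revoke-only blocks the existing session but not the long-term key; deny-all blocks both.
    print("revoke-only: session", request_denied(revoke, session_at), "key", request_denied(revoke))
    print("deny-all:    session", request_denied(deny_all, session_at), "key", request_denied(deny_all))
    print(json.dumps(deny_all, indent=2))
```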
<h3>
<strong>
3. Identity as the Primary Attack Surface
</strong>
</h3>
<p>
Multiple intelligence sources converge on a single conclusion:
<strong>
identity is now the dominant attack vector.
</strong>
Key data points:
</p>
<ul>
<li>
Identity weaknesses present in ~90% of incident response investigations in 2025
</li>
<li>
Stolen credentials are the second most common initial access vector (32% of cases)
</li>
<li>
A single cached AWS access key on one endpoint reached 98% of a company's cloud environment
</li>
<li>
Non-human identity theft (AI agents, service accounts) is the fastest-growing category in criminal markets
</li>
</ul>
<p>
For state government — with hybrid Active Directory environments, growing cloud adoption, and expanding AI/automation deployments — this represents an existential risk to the entire technology stack.
</p>
<h3>
<strong>
4. ICS/OT Vulnerability Surge
</strong>
</h3>
<p>
Five ICS advisories in 24 hours affecting systems present in state government facilities:
</p>
<table>
<thead>
<tr>
<th>
<p>
Advisory
</p>
</th>
<th>
<p>
System
</p>
</th>
<th>
<p>
Impact
</p>
</th>
<th>
<p>
State Gov Relevance
</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>
ICSA-26-139-03
</p>
</td>
<td>
<p>
ScadaBR
</p>
</td>
<td>
<p>
Unauthenticated RCE
</p>
</td>
<td>
<p>
Water/wastewater, building management
</p>
</td>
</tr>
<tr>
<td>
<p>
ICSA-26-139-02
</p>
</td>
<td>
<p>
Siemens RUGGEDCOM APE1808
</p>
</td>
<td>
<p>
Buffer overflow (PAN-OS)
</p>
</td>
<td>
<p>
Industrial network appliances
</p>
</td>
</tr>
<tr>
<td>
<p>
ICSA-26-139-01
</p>
</td>
<td>
<p>
ABB CoreSense HM/M10
</p>
</td>
<td>
<p>
Path traversal
</p>
</td>
<td>
<p>
Motor monitoring in facilities
</p>
</td>
</tr>
<tr>
<td>
<p>
ICSA-26-139-05
</p>
</td>
<td>
<p>
Kieback & Peter DDC
</p>
</td>
<td>
<p>
Browser takeover (XSS)
</p>
</td>
<td>
<p>
Building automation controllers
</p>
</td>
</tr>
<tr>
<td>
<p>
ICSA-26-139-04
</p>
</td>
<td>
<p>
ZKTeco CCTV
</p>
</td>
<td>
<p>
Credential disclosure
</p>
</td>
<td>
<p>
Physical security cameras
</p>
</td>
</tr>
</tbody>
</table>
<p>
The Kieback & Peter DDC advisory is particularly concerning for state government: these building automation controllers manage HVAC, lighting, and access systems in government office buildings. The XSS vulnerability allows an attacker to take over an administrator's browser session — potentially gaining control of building systems.
</p>
<h3>
<strong>
5. Nation-State Persistent Posture
</strong>
</h3>
<p>
<strong>
Russia (APT28/Fancy Bear — GRU):
</strong>
Phishing infrastructure registered May 17 explicitly tagged for government targeting remains active. APT28's ThreatStream model was updated May 21.
</p>
<p>
<strong>
Russia (APT29/COZY BEAR/Midnight Blizzard — SVR):
</strong>
ATI-Agent malware indicators refreshed May 20 with confirmed government and defense targeting.
</p>
<p>
<strong>
China-nexus (ValleyRAT/Winos):
</strong>
Two C2 domains confirmed active May 21 (zzlkkghnmh[.]cn, 1112.688608[.]xyz). While ValleyRAT historically targets Chinese-speaking victims, its infrastructure expansion warrants monitoring.
</p>
<p>
<strong>
China-nexus (Volt Typhoon/Salt Typhoon):
</strong>
No new indicators detected — but for actors known to pre-position in critical infrastructure for months or years before activation, silence is not reassurance. These actors specialize in living-off-the-land techniques that evade traditional detection.
</p>
<h2>
<strong>
Predictive Analysis
</strong>
</h2>
<table>
<thead>
<tr>
<th>
<p>
Scenario
</p>
</th>
<th>
<p>
Probability
</p>
</th>
<th>
<p>
Basis
</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>
Further KEV additions require emergency patching of network infrastructure or web application vulnerabilities within 7 days
</p>
</td>
<td>
<p>
<strong>
HIGH (>70%)
</strong>
</p>
</td>
<td>
<p>
7-CVE batch from May 20 follows recent pattern of network device and web app vulns; state agencies likely run affected products
</p>
</td>
</tr>
<tr>
<td>
<p>
CORNFLAKE fake browser update campaign produces IOCs relevant to state employee endpoints this week
</p>
</td>
<td>
<p>
<strong>
MODERATE (40-60%)
</strong>
</p>
</td>
<td>
<p>
Campaign model updated today with government targeting tag; delivery mechanism (fake browser updates) is effective against end users
</p>
</td>
</tr>
<tr>
<td>
<p>
MSaaS-signed ransomware (Qilin or Akira) successfully encrypts a U.S. state/local government entity within 30 days
</p>
</td>
<td>
<p>
<strong>
MODERATE (40-60%)
</strong>
</p>
</td>
<td>
<p>
Code-signed binaries reduce detection; both families actively target government; RaaS affiliate model ensures continuous operations
</p>
</td>
</tr>
<tr>
<td>
<p>
AWS federation persistence technique used against state government cloud accounts within 60 days
</p>
</td>
<td>
<p>
<strong>
MODERATE (30-50%)
</strong>
</p>
</td>
<td>
<p>
Technique now publicly documented (CrowdStrike); state agencies with IAM users and limited CloudTrail monitoring are exposed
</p>
</td>
</tr>
<tr>
<td>
<p>
Volt Typhoon/Salt Typhoon pre-positioned access in state network infrastructure activated in conjunction with geopolitical escalation
</p>
</td>
<td>
<p>
<strong>
LOW but catastrophic (<20%)
</strong>
</p>
</td>
<td>
<p>
Absence of signals does not reduce risk; these actors are designed to remain dormant until strategic activation
</p>
</td>
</tr>
</tbody>
</table>
<h2>
<strong>
SOC Operational Guidance
</strong>
</h2>
<h3>
<strong>
Detection Priorities
</strong>
</h3>
<table>
<thead>
<tr>
<th>
<p>
ATT&CK Technique
</p>
</th>
<th>
<p>
What to Monitor
</p>
</th>
<th>
<p>
Detection Logic
</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>
<strong>
T1553.002
</strong>
(Code Signing)
</p>
</td>
<td>
<p>
Execution of binaries signed by unfamiliar or recently-issued certificates
</p>
</td>
<td>
<p>
Alert on process execution where signer is not in approved publisher list; correlate with signspace[.]cloud DNS queries
</p>
</td>
</tr>
<tr>
<td>
<p>
<strong>
T1078.004
</strong>
(Cloud Accounts)
</p>
</td>
<td>
<p>
AWS sts:GetFederationToken API calls
</p>
</td>
<td>
<p>
CloudTrail query: eventName = GetFederationToken → correlate with subsequent signin.aws.amazon.com/federation requests
</p>
</td>
</tr>
<tr>
<td>
<p>
<strong>
T1098
</strong>
(Account Manipulation)
</p>
</td>
<td>
<p>
Federated session creation from IAM users without historical baseline
</p>
</td>
<td>
<p>
Baseline normal federation patterns; alert on first-time federation from any IAM user
</p>
</td>
</tr>
<tr>
<td>
<p>
<strong>
T1190
</strong>
(Exploit Public-Facing App)
</p>
</td>
<td>
<p>
Exploitation attempts against ScadaBR, SonicWall SMA, building controllers
</p>
</td>
<td>
<p>
IDS signatures for ScadaBR RCE; monitor for unauthenticated API calls to SCADA management interfaces
</p>
</td>
</tr>
<tr>
<td>
<p>
<strong>
T1071.001
</strong>
(Web Protocols)
</p>
</td>
<td>
<p>
C2 beaconing to known ValleyRAT/APT28 infrastructure
</p>
</td>
<td>
<p>
DNS/proxy logs for IOC domains; HTTP beacon pattern analysis for unknown C2
</p>
</td>
</tr>
<tr>
<td>
<p>
<strong>
T1189
</strong>
(Drive-by Compromise)
</p>
</td>
<td>
<p>
Fake browser update prompts (CORNFLAKE campaign)
</p>
</td>
<td>
<p>
Web proxy alerts for known fake-update redirect patterns; user reports of unexpected update prompts
</p>
</td>
</tr>
</tbody>
</table>
<h3>
<strong>
Hunting Hypotheses
</strong>
</h3>
<ul>
<li>
<strong>
Hypothesis: MSaaS-signed binaries present on endpoints.
</strong>
Hunt for recently executed binaries where the code-signing certificate was issued within the last 90 days by a CA not in your baseline. Cross-reference signer thumbprints against threat feeds.
</li>
<li>
<strong>
Hypothesis: AWS federation persistence already established.
</strong>
Query CloudTrail for all GetFederationToken events in the past 90 days. Identify any that were not generated by known automation or expected workflows. Investigate the source IAM user for signs of compromise.
</li>
<li>
<strong>
Hypothesis: Volt Typhoon living-off-the-land in network edge devices.
</strong>
Review Fortinet/Palo Alto/Cisco edge device logs for anomalous administrative sessions, unexpected configuration changes, or outbound connections to residential IP ranges (known Volt Typhoon SOHO router infrastructure).
</li>
<li>
<strong>
Hypothesis: Building automation controllers exposed to internet.
</strong>
Scan for Kieback & Peter DDC, ScadaBR, and ZKTeco management interfaces accessible from non-management VLANs or the internet. Any exposure is an immediate finding.
</li>
</ul>
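<p>
The first hunting hypothesis and the T1553.002 row of the detection table describe the same rule: flag execution of validly signed binaries whose issuing CA is outside the agency's publisher baseline, escalate when the certificate is less than 90 days old, and correlate with DNS queries for the signing-service domain. The following is an added example of that logic, not code from the report; the telemetry is constructed, the publisher baseline and the 24-hour correlation window are assumptions, and the only real indicator in it is the signspace[.]cloud domain from the blocking list.
</p>

```python
"""Added example (not from the report): hunt for binaries signed by certificates
outside the publisher baseline, correlated with DNS queries to the MSaaS domain."""
from datetime import datetime, timedelta, timezone

ISO = "%Y-%m-%dT%H:%M:%SZ"

def parse_ts(s):
    return datetime.strptime(s, ISO).replace(tzinfo=timezone.utc)

def refang(ioc):
    """IOC feeds (and this report) defang domains as a[.]b; DNS logs do not."""
    return ioc.replace("[.]", ".").lower()

# Assumed per-agency publisher baseline; the second entry is a placeholder name.
APPROVED_ISSUERS = {"Microsoft Code Signing PCA 2011", "Agency Internal Issuing CA (placeholder)"}
NEW_CERT_WINDOW = timedelta(days=90)    # hunt threshold stated in the report
DNS_WINDOW = timedelta(hours=24)        # assumed correlation window
ENABLER_DOMAINS = {refang("signspace[.]cloud")}   # listed defanged in the report

# Constructed EDR telemetry (not real): process starts with Authenticode signer
# metadata, plus DNS queries from the same hosts. Thumbprints are placeholders.
PROCESS_EVENTS = [
    {"host": "ws-041", "timestamp": "2026-05-21T09:02:11Z", "image": "C:\\Windows\\System32\\notepad.exe",
     "signature": {"valid": True, "issuer": "Microsoft Code Signing PCA 2011",
                   "subject": "Microsoft Windows", "not_before": "2024-11-02T00:00:00Z",
                   "thumbprint": "constructed-thumbprint-0001"}},
    {"host": "ws-041", "timestamp": "2026-05-21T10:15:40Z", "image": "C:\\Users\\Public\\update_helper.exe",
     "signature": {"valid": True, "issuer": "Example Public Code Signing CA (constructed)",
                   "subject": "Northwind Software LLC (constructed)", "not_before": "2026-05-09T00:00:00Z",
                   "thumbprint": "constructed-thumbprint-0002"}},
    {"host": "ws-077", "timestamp": "2026-05-21T11:00:00Z", "image": "C:\\Program Files\\Vendor\\agent.exe",
     "signature": {"valid": True, "issuer": "Example Public Code Signing CA (constructed)",
                   "subject": "Vendor Inc (constructed)", "not_before": "2025-03-01T00:00:00Z",
                   "thumbprint": "constructed-thumbprint-0003"}},
]
DNS_EVENTS = [
    {"host": "ws-041", "timestamp": "2026-05-21T10:14:55Z", "query": "signspace.cloud"},
    {"host": "ws-077", "timestamp": "2026-05-21T10:59:00Z", "query": "update.vendor.example"},
]

def hunt_unbaselined_signers(process_events, dns_events, approved_issuers, now):
    """Findings for validly signed binaries whose issuer is not baselined, rated low
    (issuer only), medium (plus a certificate under 90 days old) or high (plus a DNS
    query to the signing service from the same host within DNS_WINDOW)."""
    findings = []
    for ev in process_events:
        sig = ev.get("signature") or {}
        # Unsigned or invalid-signature binaries are already covered by ordinary EDR
        # policy; this rule targets binaries that look trustworthy.
        if not sig.get("valid") or sig.get("issuer") in approved_issuers:
            continue
        reasons = ["issuer-not-in-baseline"]
        severity = "low"
        if now - parse_ts(sig["not_before"]) <= NEW_CERT_WINDOW:
            reasons.append("certificate-issued-within-90d")
            severity = "medium"
        started = parse_ts(ev["timestamp"])
        if any(d["host"] == ev["host"] and refang(d["query"]) in ENABLER_DOMAINS
               and abs(parse_ts(d["timestamp"]) - started) <= DNS_WINDOW for d in dns_events):
            reasons.append("dns-to-signing-service")
            severity = "high"
        findings.append({"host": ev["host"], "image": ev["image"], "issuer": sig["issuer"],
                         "thumbprint": sig.get("thumbprint"), "reasons": reasons, "severity": severity})
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: rank[f["severity"]])

if __name__ == "__main__":
    for f in hunt_unbaselined_signers(PROCESS_EVENTS, DNS_EVENTS, APPROVED_ISSUERS,
                                      parse_ts("2026-05-21T12:00:00Z")):
        print(f["severity"].upper(), f["host"], f["image"], ", ".join(f["reasons"]))
```

Thumbprints surfaced by the hunt are what the report says to cross-reference against threat feeds; the rule itself never needs to decode the certificate beyond issuer and validity dates, which EDR platforms already expose.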
<h3>
<strong>
Blocking Actions
</strong>
</h3>
<p>
Block the following at DNS resolvers, web proxies, and EDR:
</p>
<table>
<thead>
<tr>
<th>
<p>
Type
</p>
</th>
<th>
<p>
Value
</p>
</th>
<th>
<p>
Context
</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>
Domain
</p>
</td>
<td>
<p>
signspace[.]cloud
</p>
</td>
<td>
<p>
MSaaS ransomware enabler infrastructure
</p>
</td>
</tr>
<tr>
<td>
<p>
Domain
</p>
</td>
<td>
<p>
zzlkkghnmh[.]cn
</p>
</td>
<td>
<p>
ValleyRAT/Winos C2
</p>
</td>
</tr>
<tr>
<td>
<p>
Domain
</p>
</td>
<td>
<p>
1112.688608[.]xyz
</p>
</td>
<td>
<p>
ValleyRAT/Winos C2
</p>
</td>
</tr>
<tr>
<td>
<p>
SHA-256
</p>
</td>
<td>
<p>
f0a6b89ec7eee83274cd484cea526b970a3ef28038799b0a5774bb33c5793b55
</p>
</td>
<td>
<p>
MSaaS-signed malware sample
</p>
</td>
</tr>
<tr>
<td>
<p>
SHA-256
</p>
</td>
<td>
<p>
f0668ce925f36ff7f3359b0ea47e3fa243af13cd6ad9661dfccc9ff79fb4f1cc
</p>
</td>
<td>
<p>
MSaaS-signed malware sample
</p>
</td>
</tr>
<tr>
<td>
<p>
SHA-256
</p>
</td>
<td>
<p>
11af4566539ad3224e968194c7a9ad7b596460d8f6e423fc62d1ea5fc0724326
</p>
</td>
<td>
<p>
MSaaS-signed malware sample
</p>
</td>
</tr>
<tr>
<td>
<p>
SHA-256
</p>
</td>
<td>
<p>
d1498ce1ecf8c3ea50dce4b99dd829353ac407cd5fbafe7c1ae02e09ead104b7
</p>
</td>
<td>
<p>
ValleyRAT/Winos sample
</p>
</td>
</tr>
<tr>
<td>
<p>
SHA-256
</p>
</td>
<td>
<p>
3683d673395b2ef445ea80d604af15a7d05c5d21cdcbbb02fc933298ba9b9862
</p>
</td>
<td>
<p>
ValleyRAT/Winos sample
</p>
</td>
</tr>
</tbody>
</table>
<p>
<em>
Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream and partner feeds.
</em>
</p>
<h2>
<strong>
Sector-Specific Defensive Priorities
</strong>
</h2>
<h3>
<strong>
Financial Services (State Treasury, Revenue, Tax Systems)
</strong>
</h3>
<ul>
<li>
<strong>
Primary threat:
</strong>
Ransomware (Qilin/Akira) targeting financial data with MSaaS-signed binaries bypassing endpoint trust
</li>
<li>
<strong>
Action:
</strong>
Review code-signing trust policies on systems processing tax/revenue data; ensure offline backups of financial databases are tested and current
</li>
<li>
<strong>
Identity focus:
</strong>
Audit service accounts connecting treasury systems to banking partners; rotate credentials for any account with sts:GetFederationToken permissions
</li>
</ul>
<h3>
<strong>
Energy (State-Managed Utilities, Grid Coordination)
</strong>
</h3>
<ul>
<li>
<strong>
Primary threat:
</strong>
ScadaBR unauthenticated RCE in SCADA deployments; Volt Typhoon pre-positioning in OT networks
</li>
<li>
<strong>
Action:
</strong>
Immediately identify any ScadaBR instances in utility environments and isolate from network; conduct configuration audit of Fortinet/Palo Alto edge devices at energy facilities for signs of unauthorized access
</li>
<li>
<strong>
Hunt priority:
</strong>
Living-off-the-land binaries (LOLBins) executing on OT network jump hosts
</li>
</ul>
<h3>
<strong>
Healthcare (State Health Agencies, Medicaid Systems)
</strong>
</h3>
<ul>
<li>
<strong>
Primary threat:
</strong>
Ransomware encryption of health records (Rhysida has documented healthcare targeting); identity-based access to Medicaid databases
</li>
<li>
<strong>
Action:
</strong>
Verify that Medicaid/HHS systems with citizen PII have network segmentation preventing lateral movement from compromised endpoints; validate that backup systems for health data are not accessible via the same credentials as production
</li>
<li>
<strong>
Identity focus:
</strong>
Non-human identities connecting EHR systems to state portals — inventory and apply least-privilege
</li>
</ul>
<h3>
<strong>
Government (Executive Branch Agencies, Administrative Systems)
</strong>
</h3>
<ul>
<li>
<strong>
Primary threat:
</strong>
APT28/APT29 credential phishing targeting state employees; CORNFLAKE fake browser update campaign; AWS federation persistence
</li>
<li>
<strong>
Action:
</strong>
Brief agency security liaisons on fake browser update indicators; implement conditional access policies requiring compliant devices for cloud resource access; audit AWS IAM users across all state accounts
</li>
<li>
<strong>
Identity focus:
</strong>
Cached credentials on endpoints — scan for stored AWS keys, Azure tokens, and service account passwords in user profiles
</li>
</ul>
<h3>
<strong>
Aviation/Logistics (State DOT, Port Authorities, Airport Systems)
</strong>
</h3>
<ul>
<li>
<strong>
Primary threat:
</strong>
ICS/OT vulnerabilities in transportation management systems; Siemens RUGGEDCOM buffer overflow affecting industrial network appliances
</li>
<li>
<strong>
Action:
</strong>
Identify RUGGEDCOM APE1808 appliances in transportation networks and apply Siemens patches; review network segmentation between IT and OT in traffic management centers
</li>
<li>
<strong>
Building systems:
</strong>
Kieback & Peter DDC controllers managing HVAC/access in transportation facilities — restrict management interfaces to dedicated management VLAN
</li>
</ul>
<h2>
<strong>
Prioritized Defense Recommendations
</strong>
</h2>
<h3>
<strong>
IMMEDIATE (Within 24 Hours)
</strong>
</h3>
<table>
<thead>
<tr>
<th>
<p>
Priority
</p>
</th>
<th>
<p>
Owner
</p>
</th>
<th>
<p>
Action
</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>
1
</p>
</td>
<td>
<p>
SOC
</p>
</td>
<td>
<p>
Block signspace[.]cloud at all DNS resolvers and web proxies; add all five SHA-256 hashes above to EDR blocklists
</p>
</td>
</tr>
<tr>
<td>
<p>
2
</p>
</td>
<td>
<p>
SOC
</p>
</td>
<td>
<p>
Block ValleyRAT C2 domains (zzlkkghnmh[.]cn, 1112.688608[.]xyz) and associated hashes at perimeter
</p>
</td>
</tr>
<tr>
<td>
<p>
3
</p>
</td>
<td>
<p>
Cloud/DevOps
</p>
</td>
<td>
<p>
Audit all AWS IAM users with sts:GetFederationToken permission; attach explicit deny-all policy to any user suspected of compromise — credential deactivation alone is insufficient
</p>
</td>
</tr>
<tr>
<td>
<p>
4
</p>
</td>
<td>
<p>
Facilities / IT Ops
</p>
</td>
<td>
<p>
Verify Kieback & Peter DDC building controller management interfaces are not accessible from general network; restrict to isolated management VLAN
</p>
</td>
</tr>
<tr>
<td>
<p>
5
</p>
</td>
<td>
<p>
IR Team
</p>
</td>
<td>
<p>
Update AWS incident response playbook: add "revoke all active sessions" and "attach deny-all policy" steps — deactivating API keys does NOT contain federation-based persistence
</p>
</td>
</tr>
</tbody>
</table>
<h3>
<strong>
7-DAY Actions
</strong>
</h3>
<table>
<thead>
<tr>
<th>
<p>
Priority
</p>
</th>
<th>
<p>
Owner
</p>
</th>
<th>
<p>
Action
</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>
1
</p>
</td>
<td>
<p>
SOC
</p>
</td>
<td>
<p>
Deploy CloudTrail detection for GetFederationToken → signin.aws.amazon.com/federation sequences; alert on any federated session from IAM users without established baseline
</p>
</td>
</tr>
<tr>
<td>
<p>
2
</p>
</td>
<td>
<p>
CISO
</p>
</td>
<td>
<p>
Commission inventory of all non-human identities (service accounts, AI agents, automation principals) across Azure AD and AWS; flag any with admin-equivalent permissions
</p>
</td>
</tr>
<tr>
<td>
<p>
3
</p>
</td>
<td>
<p>
IT Ops
</p>
</td>
<td>
<p>
Identify any ScadaBR deployments in water/wastewater or building management systems; if present, isolate from internet immediately (unauthenticated RCE confirmed)
</p>
</td>
</tr>
<tr>
<td>
<p>
4
</p>
</td>
<td>
<p>
SOC
</p>
</td>
<td>
<p>
Implement code-signing anomaly detection: alert on execution of binaries signed by certificates issued within last 90 days by CAs not in approved baseline
</p>
</td>
</tr>
<tr>
<td>
<p>
5
</p>
</td>
<td>
<p>
Security Awareness
</p>
</td>
<td>
<p>
Brief agency IT liaisons on CORNFLAKE fake browser update campaign targeting government; provide indicators for user reporting
</p>
</td>
</tr>
</tbody>
</table>
<h3>
<strong>
30-DAY Actions
</strong>
</h3>
<table>
<thead>
<tr>
<th>
<p>
Priority
</p>
</th>
<th>
<p>
Owner
</p>
</th>
<th>
<p>
Action
</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>
1
</p>
</td>
<td>
<p>
CISO
</p>
</td>
<td>
<p>
Establish non-human identity (NHI) governance policy covering AI agents, MCP servers, and service principals; include credential rotation schedules and least-privilege enforcement
</p>
</td>
</tr>
<tr>
<td>
<p>
2
</p>
</td>
<td>
<p>
IT Ops
</p>
</td>
<td>
<p>
Review and restrict code-signing trust policies in endpoint protection platforms; evaluate reducing trusted publisher lists to minimize MSaaS-signed malware risk
</p>
</td>
</tr>
<tr>
<td>
<p>
3
</p>
</td>
<td>
<p>
CISO
</p>
</td>
<td>
<p>
Establish formal ICS advisory distribution channel to facilities management and maintenance teams — current advisories are not reaching building system operators
</p>
</td>
</tr>
<tr>
<td>
<p>
4
</p>
</td>
<td>
<p>
CISO/CIO
</p>
</td>
<td>
<p>
Conduct tabletop exercise simulating ransomware deployment via MSaaS-signed binary that bypasses EDR — test detection gaps and IR response when initial execution is trusted
</p>
</td>
</tr>
<tr>
<td>
<p>
5
</p>
</td>
<td>
<p>
IT Ops
</p>
</td>
<td>
<p>
Proactive hunt for Volt Typhoon/Salt Typhoon indicators on all Fortinet, Palo Alto, and Cisco edge devices — focus on unauthorized admin sessions, unexpected firmware modifications, and outbound connections to residential IP space
</p>
</td>
</tr>
</tbody>
</table>
<h2>
<strong>
Bottom Line
</strong>
</h2>
<p>
The ransomware threat to state government is no longer just about individual criminal groups — it's about the
<strong>
ecosystem services
</strong>
that enable them. When a single infrastructure provides valid code signatures to five ransomware families simultaneously, blocking one group is insufficient. Detection must move upstream.
</p>
<p>
Simultaneously, identity has become the decisive terrain. A single cached credential can unlock 98% of a cloud environment. AWS federation persistence survives your current containment playbooks. Non-human identities — the service accounts and AI agents proliferating across state systems — are the fastest-growing target category in criminal markets, and most state agencies have no inventory of them.
</p>
<p>
The ICS/OT advisory pace is not slowing. Building automation controllers, SCADA systems, and industrial network appliances in state facilities have vulnerabilities that facilities teams don't know about because the advisory distribution channel doesn't reach them.
</p>
<p>
<strong>
Three decisions for this week:
</strong>
</p>
<ul>
<li>
Confirm your AWS incident response playbook addresses federation persistence — test it
</li>
<li>
Start the non-human identity inventory before your AI deployments outpace your governance
</li>
<li>
Get ICS advisories in front of the people who actually manage building systems
</li>
</ul>
<p>
The threat level remains ELEVATED. The professionalization of ransomware supply chains and the identity attack surface convergence are pushing toward HIGH. Act now while the window for proactive defense remains open.
</p>
<p>
<em>
Published 2026-05-21 | Anomali CTI Desk
</em>
</p>
<p>
<em>
For IOC feeds and detailed technical indicators, contact your Anomali ThreatStream representative.
</em>
</p>