All Posts
Anomali Cyber Watch
Public Sector
1
min read

Russian Intelligence Services Actively Scanning Government Networks: What State CISOs Must Do This Week

Published on
July 13, 2026
Table of Contents
<p> <strong> Threat Assessment Level: ELEVATED </strong> </p> <p> Today marks a watershed moment in the attribution of Russian state-sponsored cyber operations against government and critical infrastructure networks. The European Union and United Kingdom jointly sanctioned 24+ individuals and entities tied to Russia's FSB Center 16 &mdash; the intelligence unit behind the Turla hacking group &mdash; while a 12-nation coalition issued an advisory confirming active, global scanning of government routers for exploitation. Simultaneously, Adobe ColdFusion is under active exploitation via a CVSS 10.0 vulnerability, APT28 has produced fresh government-targeting malware, and ransomware groups continue their drumbeat against public sector targets. </p> <p> For state government IT leaders, this is not a theoretical briefing. Your Cisco routers, your legacy ColdFusion portals, and your Joomla-based public websites are in the crosshairs <em> right now </em> . This post breaks down what changed, what's coming, and what your teams need to do today. </p> <h2> <strong> What Changed </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Development </strong> </p> </th> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Why It Matters </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> EU/UK sanction FSB Center 16 (Turla/Berserk Bear) for December 2025 Poland energy grid attack </p> </td> <td> <p> 2026-07-13 </p> </td> <td> <p> <strong> Formal attribution confirms this unit actively targets government networks and critical infrastructure globally </strong> </p> </td> </tr> <tr> <td> <p> 12-nation joint advisory: FSB Center 16 scanning for routers with weak SNMP community strings </p> </td> <td> <p> 2026-07-13 </p> </td> <td> <p> State government network devices are explicitly in the target set &mdash; CVE-2018-0171 (Cisco Smart Install) being exploited </p> </td> </tr> <tr> <td> <p> UK sanctions Lumma Stealer operators </p> </td> <td> <p> 2026-07-13 </p> </td> <td> <p> 2,100+ UK victims in 6 months; credential theft at industrial scale </p> </td> </tr> <tr> <td> <p> APT28 (GRU Unit 26165) &mdash; 4 new government-targeting malware samples ingested </p> </td> <td> <p> 2026-07-12/13 </p> </td> <td> <p> Sustained Russian espionage pressure against government sector </p> </td> </tr> <tr> <td> <p> TA505 activates new government-targeting C2 infrastructure </p> </td> <td> <p> 2026-07-12 </p> </td> <td> <p> Fresh IP (confidence 95) signals imminent phishing/ransomware campaign against government </p> </td> </tr> <tr> <td> <p> CVE-2026-48282 (Adobe ColdFusion, CVSS 10.0) &mdash; confirmed active exploitation </p> </td> <td> <p> 2026-07-07 (KEV) </p> </td> <td> <p> Exploited within 2 hours of disclosure; any unpatched ColdFusion portal is compromised or will be </p> </td> </tr> <tr> <td> <p> CVE-2026-48939 (iCagenda for Joomla, CVSS 9.8) &mdash; added to KEV </p> </td> <td> <p> 2026-07-10 </p> </td> <td> <p> Second Joomla extension on KEV in three weeks; systematic exploitation of Joomla ecosystem </p> </td> </tr> <tr> <td> <p> Schneider Electric Easergy MiCOM Px40 advisory (substation protection relays) </p> </td> <td> <p> 2026-07-09 </p> </td> <td> <p> Direct relevance to state-managed electrical infrastructure </p> </td> </tr> <tr> <td> <p> Deadlock, Akira, BITWISE SPIDER, WARLOCK SPIDER &mdash; all updated with government targeting </p> </td> <td> <p> 2026-07-10&ndash;13 </p> </td> <td> <p> Four ransomware operations simultaneously active against government sector </p> </td> </tr> </tbody> </table> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Date </strong> </p> </th> <th> <p> <strong> Event </strong> </p> </th> <th> <p> <strong> Actor/CVE </strong> </p> </th> <th> <p> <strong> Impact </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2025-12-XX </p> </td> <td> <p> Poland energy grid attack (could have cut power to ~500K people) </p> </td> <td> <p> FSB Center 16 / DynoWiper </p> </td> <td> <p> Destructive &mdash; formally attributed Jul 13 </p> </td> </tr> <tr> <td> <p> 2026-06-12 </p> </td> <td> <p> California water utility destructive breach </p> </td> <td> <p> VOID MANTICORE (Iran/IRGC) </p> </td> <td> <p> <strong> Confirmed destructive attack on U.S. critical infrastructure </strong> </p> </td> </tr> <tr> <td> <p> 2026-07-07 </p> </td> <td> <p> ColdFusion CVE-2026-48282 added to CISA KEV; exploitation within 2 hours </p> </td> <td> <p> Unknown actors </p> </td> <td> <p> RCE on citizen-facing portals </p> </td> </tr> <tr> <td> <p> 2026-07-09 </p> </td> <td> <p> Schneider Electric ICS advisories (PowerChute, Easergy MiCOM Px40, OpenPLC) </p> </td> <td> <p> N/A (vendor disclosure) </p> </td> <td> <p> Substation relay and UPS vulnerabilities </p> </td> </tr> <tr> <td> <p> 2026-07-10 </p> </td> <td> <p> iCagenda CVE-2026-48939 added to CISA KEV </p> </td> <td> <p> Unknown actors </p> </td> <td> <p> Unauthenticated RCE via Joomla extension </p> </td> </tr> <tr> <td> <p> 2026-07-10 </p> </td> <td> <p> Akira ransomware actor model updated &mdash; government targeting </p> </td> <td> <p> Akira </p> </td> <td> <p> Active ransomware threat </p> </td> </tr> <tr> <td> <p> 2026-07-12 </p> </td> <td> <p> TA505 new C2 IP activated (government-targeting, confidence 95) </p> </td> <td> <p> TA505 / WARLOCK SPIDER </p> </td> <td> <p> Phishing infrastructure staged for campaign </p> </td> </tr> <tr> <td> <p> 2026-07-12 </p> </td> <td> <p> APT28 &mdash; 4 fresh MD5 samples tagged government/public-services </p> </td> <td> <p> APT28 (GRU Unit 26165) </p> </td> <td> <p> Espionage tooling refresh </p> </td> </tr> <tr> <td> <p> 2026-07-12 </p> </td> <td> <p> Deadlock ransomware updated; BITWISE SPIDER updated Jul 13 </p> </td> <td> <p> Deadlock, BITWISE SPIDER </p> </td> <td> <p> Government-targeting ransomware </p> </td> </tr> <tr> <td> <p> 2026-07-13 </p> </td> <td> <p> EU/UK sanctions + 12-nation advisory on FSB Center 16 router scanning </p> </td> <td> <p> FSB Center 16 (Turla) </p> </td> <td> <p> Active scanning of government routers worldwide </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. FSB Center 16 (Turla / Berserk Bear) &mdash; Active Router Exploitation Campaign </strong> </h3> <p> <strong> What they are: </strong> Russia's FSB 16th Centre, now formally linked to the Turla hacking group (also known as Berserk Bear, Energetic Bear, Crouching Yeti, DragonFly, Ghost Blizzard). This unit has targeted government networks across Europe since 2010 and was responsible for the December 2025 destructive attack on Poland's energy grid using DynoWiper malware. </p> <p> <strong> What they're doing now: </strong> Actively scanning globally for network devices with weak SNMP community strings and exploiting CVE-2018-0171 (Cisco Smart Install, CVSS 9.8). Once inside a router, they exfiltrate configurations via TFTP and establish persistent access for espionage or pre-positioning for destructive operations. </p> <p> <strong> Why state government is at risk: </strong> State agencies operate extensive Cisco networking infrastructure. Many legacy devices still run SNMPv1/v2 with default or weak community strings. Smart Install may remain enabled on switches that were deployed years ago and never hardened. </p> <p> <strong> Techniques: </strong> T1078 (Valid Accounts), T1557 (Adversary-in-the-Middle), T1048 (Exfiltration Over Alternative Protocol), T1485 (Data Destruction) </p> <h3> <strong> 2. APT28 (Fancy Bear / GRU Unit 26165) &mdash; Sustained Government Espionage </strong> </h3> <p> Four new malware samples explicitly tagged for government and public services targeting were ingested this cycle. The samples use Expiro file infector techniques combined with PowerShell-based loaders &mdash; a combination that enables persistence and lateral movement while evading signature-based detection. </p> <p> <strong> Techniques: </strong> T1059 (Command and Scripting Interpreter), T1105 (Ingress Tool Transfer), T1195.002 (Supply Chain Compromise), T1203 (Exploitation for Client Execution), T1204.002 (User Execution: Malicious File), T1553.002 (Subvert Trust Controls: Code Signing) </p> <h3> <strong> 3. TA505 / WARLOCK SPIDER &mdash; Government-Targeting C2 Infrastructure Refresh </strong> </h3> <p> TA505 is a financially motivated, Russia-nexus cybercriminal group historically associated with Clop ransomware, FlawedAmmyy RAT, and ServHelper. A new command-and-control IP was activated on July 12 with explicit government sector targeting at confidence level 95. This group's operational pattern &mdash; infrastructure staging followed by mass phishing campaigns &mdash; suggests an imminent campaign within days. </p> <h3> <strong> 4. Adobe ColdFusion CVE-2026-48282 &mdash; The 2-Hour Exploitation Benchmark </strong> </h3> <p> This CVSS 10.0 path traversal to arbitrary code execution vulnerability was exploited in the wild within 2 hours of public disclosure. It affects ColdFusion 2025.9, 2023.20, and all earlier versions. State government agencies are known to operate legacy ColdFusion applications for citizen-facing portals (benefits applications, permit systems, public records). Any unpatched instance should be presumed compromised. </p> <h3> <strong> 5. Joomla Extension Ecosystem Under Systematic Attack </strong> </h3> <p> Two Joomla extensions are now on CISA's Known Exploited Vulnerabilities catalog: </p> <ul> <li> <strong> CVE-2026-48939 </strong> (iCagenda, CVSS 9.8) &mdash; unauthenticated file upload &rarr; RCE </li> <li> <strong> CVE-2026-48908 </strong> (SP Page Builder, CVSS 9.8) &mdash; unauthenticated file upload &rarr; RCE </li> </ul> <p> State agencies commonly use Joomla for public-facing websites. The pattern of systematic Joomla extension exploitation suggests attackers are specifically targeting this CMS ecosystem. </p> <h3> <strong> 6. Ransomware Convergence on Government </strong> </h3> <p> Four distinct ransomware operations showed fresh activity against the government sector between July 10&ndash;13: </p> <ul> <li> <strong> Deadlock </strong> (updated Jul 12) </li> <li> <strong> Akira </strong> (updated Jul 10) </li> <li> <strong> BITWISE SPIDER </strong> (updated Jul 13) </li> <li> <strong> WARLOCK SPIDER / TA505 </strong> (updated Jul 13) </li> </ul> <p> This convergence, combined with TA505's fresh C2 infrastructure, represents the highest ransomware pressure on state/local government observed in recent cycles. </p> <h3> <strong> 7. ICS/OT Threats &mdash; Schneider Electric Substation Relays </strong> </h3> <p> The Schneider Electric Easergy MiCOM Px40 advisory affects protection relays used in electrical substations. Combined with the formal attribution of FSB Center 16's destructive attack on Poland's energy grid, state agencies managing electrical infrastructure face a dual threat: known vulnerabilities in deployed equipment and a confirmed adversary with destructive intent. </p> <h2> <strong> Predictive Analysis &mdash; Next 7 Days </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Scenario </strong> </p> </th> <th> <p> <strong> Probability </strong> </p> </th> <th> <p> <strong> Basis </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional exploitation attempts against ColdFusion (CVE-2026-48282) and Joomla KEV vulnerabilities on state-hosted web applications </p> </td> <td> <p> <strong> HIGH (&gt;75%) </strong> </p> </td> <td> <p> Active exploitation confirmed; state agencies known to run these platforms; automated scanning is trivial </p> </td> </tr> <tr> <td> <p> FSB Center 16 router scanning yields compromised devices in U.S. government networks </p> </td> <td> <p> <strong> MODERATE (40&ndash;60%) </strong> </p> </td> <td> <p> 12-nation advisory is a leading indicator; scanning is confirmed active; many state devices likely have weak SNMP </p> </td> </tr> <tr> <td> <p> Ransomware group (Akira or Deadlock) claims a U.S. state/local government victim </p> </td> <td> <p> <strong> MODERATE (40&ndash;60%) </strong> </p> </td> <td> <p> Four groups simultaneously active against government; TA505 C2 infrastructure freshly staged; historical tempo supports this </p> </td> </tr> <tr> <td> <p> TA505 launches phishing campaign against government targets using 80.87.206[.]239 infrastructure </p> </td> <td> <p> <strong> MODERATE (40&ndash;60%) </strong> </p> </td> <td> <p> Infrastructure staging pattern historically precedes campaign launch by 3&ndash;7 days </p> </td> </tr> <tr> <td> <p> Direct APT28 intrusion attempt against state government infrastructure </p> </td> <td> <p> <strong> LOW (&lt;25%) </strong> </p> </td> <td> <p> APT28 primarily targets federal/defense; spillover possible but not primary targeting </p> </td> </tr> <tr> <td> <p> Destructive attack on U.S. water/energy infrastructure (VOID MANTICORE or FSB Center 16 pattern) </p> </td> <td> <p> <strong> LOW (&lt;25%) </strong> </p> </td> <td> <p> <strong> Capability confirmed (California water utility Jun 12, Poland grid Dec 2025); but escalation threshold remains high absent geopolitical trigger </strong> </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Immediate Detection Priorities </strong> </h3> <p> <strong> Hunt for FSB Center 16 Router Compromise ( </strong> <strong> T1557 </strong> <strong> , </strong> <strong> T1048 </strong> <strong> , </strong> <strong> T1078 </strong> <strong> ) </strong> </p> <ul> <li> Query all Cisco device logs for Smart Install protocol activity (TCP/4786) </li> <li> Alert on any TFTP configuration exfiltration from network devices </li> <li> Hunt for SNMP authentication failures followed by successful authentication (brute-force pattern) </li> <li> Baseline SNMP community strings &mdash; any device still on SNMPv1/v2 with "public" or "private" strings is presumed targeted </li> <li> Monitor for unexpected configuration changes on routers/switches (T1601.001 &mdash; Modify System Image) </li> </ul> <p> <strong> Hunt for APT28 Expiro/PowerShell Loaders ( </strong> <strong> T1059.001 </strong> <strong> , </strong> <strong> T1105 </strong> <strong> , </strong> <strong> T1204.002 </strong> <strong> ) </strong> </p> <ul> <li> Deploy hash-based detection for: </li> <ul> <li> 89618515b9522c0ae1914dd8b4147ac5 </li> <li> 5e8bf20650411220c6514dff67f2e2b6 </li> <li> c2b3338ee82496f8c6154f2f560e59b7 </li> <li> 176b0e6caed3ee017e138d5f6454aab7 </li> </ul> <li> Hunt for PowerShell execution with encoded commands spawned from Office applications or PDF readers </li> <li> Alert on powershell.exe with -enc or -encodedcommand flags launched by non-admin users </li> <li> Monitor for file infector behavior: unexpected modification of legitimate executables (Expiro signature) </li> </ul> <p> <strong> Block TA505 C2 Infrastructure ( </strong> <strong> T1071 </strong> <strong> , </strong> <strong> T1571 </strong> <strong> ) </strong> </p> <ul> <li> Block 80.87.206[.]239 at all perimeter firewalls, proxy servers, and DNS sinkholes </li> <li> Hunt historical netflow for any prior connections to this IP </li> <li> Monitor for connections to OVHcloud (ASN 16276) IP ranges from internal systems &mdash; while OVHcloud is legitimate, unusual outbound connections to Russian-geolocated OVHcloud IPs warrant investigation </li> </ul> <p> <strong> Hunt for ColdFusion Exploitation ( </strong> <strong> T1190 </strong> <strong> , </strong> <strong> T1059 </strong> <strong> , </strong> <strong> T1083 </strong> <strong> ) </strong> </p> <ul> <li> If ColdFusion is deployed: review web server logs for path traversal patterns (../, ..%2f, %252e%252e) </li> <li> Alert on new file creation in ColdFusion web roots (webshell deployment) </li> <li> Monitor for cmd.exe or powershell.exe spawned by ColdFusion service processes </li> <li> Check for unexpected outbound connections from ColdFusion servers </li> </ul> <p> <strong> Hunt for Joomla Extension Exploitation ( </strong> <strong> T1190 </strong> <strong> ) </strong> </p> <ul> <li> Review web logs for POST requests to iCagenda or SP Page Builder upload endpoints </li> <li> Alert on new PHP/JSP files created in Joomla upload directories </li> <li> Monitor for web shells: unusual HTTP response sizes from upload directories </li> </ul> <h3> <strong> Hunting Hypotheses </strong> </h3> <ol> <li> <strong> "An attacker has already compromised a router via weak SNMP and is exfiltrating configurations." </strong> &mdash; Search for: TFTP transfers from network devices to unknown destinations; SNMP SET operations from non-management IPs; router configuration files appearing in unexpected locations. </li> <li> <strong> "A ColdFusion portal has been backdoored and is being used for initial access." </strong> &mdash; Search for: new files in ColdFusion directories created after July 7; ColdFusion processes spawning shells; outbound connections from ColdFusion servers to non-standard ports. </li> <li> <strong> "TA505 phishing has already delivered initial access and a beacon is calling home." </strong> &mdash; Search for: DNS queries or connections to 80.87.206[.]239; new scheduled tasks or services created in the last 72 hours; unusual PowerShell or WMI activity on workstations. </li> <li> <strong> "A developer workstation has been infected with Siggen via a poisoned Visual Studio project." </strong> &mdash; Search for: unexpected pre-build commands in .vcxproj or .csproj files; Visual Studio processes making network connections to Steam or GitHub for C2 resolution; modifications to Windows SDK header files. </li> </ol> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (State Treasury, Revenue, Tax Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> TA505 phishing &rarr; Clop ransomware targeting financial data; Lumma Stealer credential harvesting </li> <li> <strong> Priority action: </strong> Enforce phishing-resistant MFA on all treasury and revenue system access; block 80.87.206[.]239; hunt for Lumma Stealer artifacts (browser credential store access, exfiltration to Telegram/Discord) </li> <li> <strong> Monitoring focus: </strong> Unusual bulk data access patterns in tax/revenue databases; credential stuffing against citizen-facing tax portals </li> </ul> <h3> <strong> Energy (State-Managed Utilities, Grid Interconnects) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> FSB Center 16 destructive capability (DynoWiper precedent); Schneider Electric Easergy MiCOM Px40 vulnerability in substation relays </li> <li> <strong> Priority action: </strong> Audit all Schneider Electric protection relays for firmware currency; segment OT networks from IT; validate SNMP hardening on all SCADA-adjacent network devices </li> <li> <strong> Monitoring focus: </strong> Unexpected commands to protection relays; TFTP transfers from OT network segments; any IT-to-OT lateral movement </li> </ul> <h3> <strong> Healthcare (Health &amp; Human Services, Medicaid Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Ransomware (Akira, Deadlock) targeting healthcare data for double extortion; ColdFusion exploitation of benefits portals </li> <li> <strong> Priority action: </strong> Confirm ColdFusion patch status on all HHS portals; validate offline backup integrity for Medicaid/benefits databases; ensure incident response playbook covers PHI breach notification timelines </li> <li> <strong> Monitoring focus: </strong> Bulk PII/PHI exfiltration patterns; encryption of database files; lateral movement from DMZ web servers to backend databases </li> </ul> <h3> <strong> Government (Courts, Elections, Public Safety, DMV) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> APT28 espionage targeting government PII; ransomware disruption of public services; FSB Center 16 router compromise for persistent access </li> <li> <strong> Priority action: </strong> Deploy APT28 IOC hashes across all endpoints; audit Cisco Smart Install on all network devices; ensure elections infrastructure is segmented and monitored independently </li> <li> <strong> Monitoring focus: </strong> Unusual access to voter registration databases; PowerShell execution on domain controllers; configuration changes on network devices outside maintenance windows </li> </ul> <h3> <strong> Aviation / Logistics (State DOT, Port Authorities, Transit) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Supply chain compromise via developer tooling (Siggen backdoor); ICS vulnerabilities in transit SCADA systems </li> <li> <strong> Priority action: </strong> Brief development teams on Siggen Visual Studio infection vector; audit OpenPLC deployments in transit control systems; validate network segmentation between corporate IT and operational transit systems </li> <li> <strong> Monitoring focus: </strong> Unexpected modifications to source code repositories; OpenPLC authenticated access from unusual accounts; lateral movement from corporate to OT segments </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IMMEDIATE </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Audit ALL Cisco devices for Smart Install feature (TCP/4786) &mdash; disable Smart Install or confirm CVE-2018-0171 patch applied. FSB Center 16 is actively scanning for this globally. </p> </td> </tr> <tr> <td> <p> IMMEDIATE </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Confirm Adobe ColdFusion instances patched beyond versions 2025.9/2023.20. CVE-2026-48282 (CVSS 10.0) is actively exploited. Any unpatched portal should be taken offline pending patching. </p> </td> </tr> <tr> <td> <p> IMMEDIATE </p> </td> <td> <p> SOC </p> </td> <td> <p> Block IP 80.87.206[.]239 at all perimeter firewalls, proxies, and DNS. TA505 government-targeting C2, confidence 95. </p> </td> </tr> <tr> <td> <p> IMMEDIATE </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy hash-based detection for APT28 samples: 89618515b9522c0ae1914dd8b4147ac5, 5e8bf20650411220c6514dff67f2e2b6, c2b3338ee82496f8c6154f2f560e59b7, 176b0e6caed3ee017e138d5f6454aab7 </p> </td> </tr> <tr> <td> <p> IMMEDIATE </p> </td> <td> <p> CISO </p> </td> <td> <p> Brief executive leadership: Russian cyber operations under international sanctions today &mdash; elevated risk of retaliatory or accelerated operations against Western government targets in near term. </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 7-DAY </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Migrate ALL network devices from SNMPv1/v2 to SNMPv3 with authentication and encryption. Any device with plaintext community strings is a confirmed FSB Center 16 target. </p> </td> </tr> <tr> <td> <p> 7-DAY </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Inventory all Joomla instances &mdash; identify and patch or decommission any running iCagenda (CVE-2026-48939) or SP Page Builder (CVE-2026-48908). Both are CVSS 9.8, both on KEV, both allow unauthenticated RCE. </p> </td> </tr> <tr> <td> <p> 7-DAY </p> </td> <td> <p> DevOps </p> </td> <td> <p> Brief development teams on Siggen backdoor infection vector &mdash; inspect Visual Studio .vcxproj/.csproj files for unexpected pre-build commands; scan externally-sourced code projects before opening. </p> </td> </tr> <tr> <td> <p> 7-DAY </p> </td> <td> <p> SOC </p> </td> <td> <p> Conduct threat hunt for historical connections to 80.87.206[.]239 and for Smart Install protocol activity (TCP/4786) in netflow data from the past 90 days. </p> </td> </tr> <tr> <td> <p> 7-DAY </p> </td> <td> <p> IR </p> </td> <td> <p> Update ransomware incident response playbook to account for four simultaneously active government-targeting groups (Deadlock, Akira, BITWISE SPIDER, WARLOCK SPIDER). Validate backup restoration procedures. </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> <strong> Priority </strong> </p> </th> <th> <p> <strong> Team </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 30-DAY </p> </td> <td> <p> CISO </p> </td> <td> <p> Commission assessment of all Schneider Electric Easergy MiCOM Px40 protection relays in state-managed electrical infrastructure &mdash; confirm firmware patched per ICSA-26-190-03. </p> </td> </tr> <tr> <td> <p> 30-DAY </p> </td> <td> <p> IT Ops </p> </td> <td> <p> Conduct comprehensive Joomla extension audit across all state web properties &mdash; the pattern of systematic Joomla extension exploitation (3 extensions in 3 weeks) indicates broader ecosystem risk beyond the two current KEVs. </p> </td> </tr> <tr> <td> <p> 30-DAY </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Evaluate network architecture for router compromise resilience &mdash; implement out-of-band management for critical network devices; deploy configuration integrity monitoring (detect unauthorized changes). </strong> </p> </td> </tr> <tr> <td> <p> 30-DAY </p> </td> <td> <p> IR </p> </td> <td> <p> Conduct tabletop exercise simulating simultaneous ransomware attack on citizen services AND router compromise discovery &mdash; test coordination between SOC, IT Ops, and executive leadership under dual-incident pressure. </p> </td> </tr> <tr> <td> <p> 30-DAY </p> </td> <td> <p> CISO </p> </td> <td> <p> Review and update cyber insurance policy coverage in light of nation-state attribution (FSB Center 16, APT28) &mdash; confirm war exclusion clauses do not create coverage gaps for state-sponsored criminal operations. </p> </td> </tr> </tbody> </table> <h2> <strong> IOC Blocking Table </strong> </h2> <table> <thead> <tr> <th> <p> <strong> Type </strong> </p> </th> <th> <p> <strong> Value </strong> </p> </th> <th> <p> <strong> Attribution </strong> </p> </th> <th> <p> <strong> Action </strong> </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 80.87.206[.]239 </p> </td> <td> <p> TA505 government-targeting C2 (confidence 95) </p> </td> <td> <p> Block at perimeter </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 89618515b9522c0ae1914dd8b4147ac5 </p> </td> <td> <p> APT28 / Expiro loader </p> </td> <td> <p> Alert + investigate </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 5e8bf20650411220c6514dff67f2e2b6 </p> </td> <td> <p> APT28 / PowerShell loader </p> </td> <td> <p> Alert + investigate </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> c2b3338ee82496f8c6154f2f560e59b7 </p> </td> <td> <p> APT28 / PowerShell loader </p> </td> <td> <p> Alert + investigate </p> </td> </tr> <tr> <td> <p> MD5 </p> </td> <td> <p> 176b0e6caed3ee017e138d5f6454aab7 </p> </td> <td> <p> APT28 / PowerShell loader </p> </td> <td> <p> Alert + investigate </p> </td> </tr> </tbody> </table> <p> Additional IOCs for the campaigns discussed in this report are available through Anomali ThreatStream Next-Gen and partner feeds. </p> <h2> <strong> The Bottom Line </strong> </h2> <p> Today's EU/UK sanctions and 12-nation advisory are not just diplomatic signals &mdash; they are intelligence confirmations. FSB Center 16 is actively scanning your routers. APT28 is actively producing malware targeting your sector. TA505 has staged infrastructure for an imminent campaign against government. And four ransomware groups are simultaneously hunting in your space. </p> <p> The sanctions may provoke acceleration, not deterrence. When threat actors are publicly exposed, the historical pattern is intensified operations in the short term &mdash; either to demonstrate capability or to exploit access before it's burned. </p> <p> Your 24-hour priorities are clear: disable Cisco Smart Install, patch ColdFusion, block the TA505 C2 IP, and hunt for APT28 hashes. Your 7-day priority is SNMP hardening across your entire network device fleet. Everything else flows from whether those routers are already compromised. </p> <p> The adversary is not waiting. Neither should you. </p> <p> <em> Anomali CTI Desk | 2026-07-13 | TLP:GREEN </em> </p> <p> <em> This intelligence is derived from ThreatStream Next-Gen, CISA advisories, and allied government joint advisories. Distribution within the government community and peer organizations is encouraged. </em> </p>

FEATURED RESOURCES

July 13, 2026
Anomali Cyber Watch

Iranian Cyber Operations Intensify: New Backdoor, Ransomware Pipelines, and the Silence Before the Storm

Read More
July 13, 2026
Anomali Cyber Watch
Public Sector

Russian Intelligence Services Actively Scanning Government Networks: What State CISOs Must Do This Week

Read More
July 10, 2026
Anomali Cyber Watch

Iranian Cyber Operations Reach Inflection Point: FortiBleed Pipeline Weaponized, Multi-Actor Convergence Accelerates

Read More
Explore All