Anomali Cyber Watch
Public Sector

Russian Intelligence Services and Ransomware Operators Converge on State Government VPN Infrastructure

Published on
May 20, 2026
<p> <strong> Threat Assessment Level: ELEVATED </strong> (unchanged from prior cycle; trending toward HIGH) </p> <p> State government networks face a dangerous convergence: Russian intelligence services are actively building phishing infrastructure targeting government entities while ransomware operators exploit the same VPN appliances that state agencies depend on for remote access. This dual threat to remote access infrastructure demands immediate action from state IT leadership. </p> <p> The combination of APT28 and APT29 refreshing government-targeting capabilities alongside Abyss Locker ransomware actively exploiting SonicWall VPN vulnerabilities creates a scenario where a single unpatched appliance can serve as the entry point for either espionage or destructive ransomware &mdash; or both in sequence. </p> <h2> <strong> What Changed </strong> </h2> <p> The past week brought five significant developments that directly affect state government networks: </p> <ol> <li> <strong> Abyss Locker Ransomware Reveals Full Attack Playbook Against Government-Relevant Infrastructure </strong> </li> </ol> <p> Incident response analysis published this week documents Abyss Locker's complete attack chain: exploitation of unpatched SonicWall SMA 100 VPN appliances (CVE-2021-20038, a stack-based buffer overflow for which SonicWall shipped fixed firmware in December 2021), followed by targeted credential theft from Veeam backup systems, EDR evasion via Bring-Your-Own-Vulnerable-Driver (BYOVD), and SSH tunneling through ESXi hosts for persistent command-and-control. This playbook maps directly to common state government infrastructure. </p> <ol start="2"> <li> <strong> Russian Intelligence Services Refresh Government-Targeting Infrastructure </strong> </li> </ol> <p> APT28 (Fancy Bear) registered new phishing infrastructure specifically tagged for government targeting, while APT29 (COZY BEAR / Midnight Blizzard) refreshed high-confidence malware indicators associated with their ATI-Agent tooling &mdash; both updated as of May 2026. 
These are not historical indicators; they represent active operational preparation. </p> <ol start="3"> <li> <strong> CISA Publishes Five ICS Advisories Including Building Automation Controllers </strong> </li> </ol> <p> New vulnerabilities in Kieback &amp; Peter DDC building controllers &mdash; widely deployed in government facilities for HVAC, lighting, and access control &mdash; allow browser takeover attacks. Combined with ongoing Siemens and ABB advisories, state facility OT networks face expanding risk. </p> <ol start="4"> <li> <strong> ClickFix/InstallFix Social Engineering Infrastructure Remains Active </strong> </li> </ol> <p> C2 infrastructure supporting ClickFix/InstallFix campaigns continues to operate, targeting government users with fake browser update prompts and software installation dialogs that bypass traditional email security controls by inducing users to manually execute malicious PowerShell payloads. </p> <ol start="5"> <li> <strong> Supply Chain Threats Expand via npm Ecosystem and VS Code Extensions </strong> </li> </ol> <p> A third wave of the Mini Shai-Hulud npm worm compromised hundreds of packages, and the Nx Console VS Code extension (2.2 million installs) was found compromised &mdash; creating CI/CD pipeline risk for any state agency using Node.js-based development tooling or modern developer environments. 
</p> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> Date </p> </th> <th> <p> Event </p> </th> <th> <p> Relevance to State Government </p> </th> </tr> </thead> <tbody> <tr> <td> <p> May 13 </p> </td> <td> <p> Abyss Locker campaign documented exploiting CVE-2021-20038 </p> </td> <td> <p> SonicWall SMA 100 appliances common in state remote access </p> </td> </tr> <tr> <td> <p> May 15 </p> </td> <td> <p> Salt Typhoon (China) last IOC refresh &mdash; then silence </p> </td> <td> <p> Possible retooling; does NOT indicate reduced risk </p> </td> </tr> <tr> <td> <p> May 17 </p> </td> <td> <p> APT28 phishing domain syd.clarionquestgroup[.]cfd registered </p> </td> <td> <p> Explicitly tagged for government targeting </p> </td> </tr> <tr> <td> <p> May 18 </p> </td> <td> <p> Nx Console VS Code extension compromise (2.2M installs) </p> </td> <td> <p> Supply chain risk to developer environments </p> </td> </tr> <tr> <td> <p> May 19 </p> </td> <td> <p> Mini Shai-Hulud npm worm Wave 3 &mdash; hundreds of packages compromised </p> </td> <td> <p> CI/CD pipeline risk for agencies using Node.js </p> </td> </tr> <tr> <td> <p> May 19 </p> </td> <td> <p> Poland abandons Signal for government comms (Russian APT QR-code attacks) </p> </td> <td> <p> Validates messaging platform risks for state officials </p> </td> </tr> <tr> <td> <p> May 19 </p> </td> <td> <p> CISA publishes 5 ICS advisories (Kieback &amp; Peter, Siemens, ABB, ScadaBR, ZKTeco) </p> </td> <td> <p> Building automation and SCADA in state facilities </p> </td> </tr> <tr> <td> <p> May 20 </p> </td> <td> <p> COZY BEAR (APT29) IOCs refreshed &mdash; government/defense targeting confirmed </p> </td> <td> <p> Active campaign preparation against .gov entities </p> </td> </tr> <tr> <td> <p> May 20 </p> </td> <td> <p> CHATTY SPIDER (Luna Moth) actor profile updated </p> </td> <td> <p> Callback phishing threat to state employees persists </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis 
</strong> </h2> <h3> <strong> Russian Intelligence Services: Dual-Axis Government Targeting </strong> </h3> <p> <strong> APT28 (Fancy Bear / Forest Blizzard) </strong> has established new phishing infrastructure on the domain syd.clarionquestgroup[.]cfd, tagged with government targeting indicators. APT28's established playbook involves credential harvesting via convincing login portals, followed by persistent access to email systems and document repositories. State government email systems (particularly M365 environments) are prime targets. </p> <p> <strong> APT29 (COZY BEAR / Midnight Blizzard) </strong> refreshed malware indicators for their ATI-Agent tooling with explicit government and defense targeting tags. The indicators carry very-high severity ratings and are associated with spearphishing delivery mechanisms. APT29 historically targets government networks for long-term intelligence collection, with particular interest in policy communications and inter-agency coordination. </p> <p> <strong> Key ATT&amp;CK Techniques: </strong> <strong> T1566.001 </strong> (Spearphishing Attachment), <strong> T1566.002 </strong> (Spearphishing Link), <strong> T1078 </strong> (Valid Accounts), <strong> T1041 </strong> (Exfiltration Over C2) </p> <h3> <strong> Abyss Locker: The VPN-to-Ransomware Kill Chain </strong> </h3> <p> Abyss Locker represents an immediate, concrete threat to any state agency running unpatched SonicWall SMA 100 appliances. 
Their documented attack chain: </p> <ul> <li> <strong> Initial Access: </strong> Exploit CVE-2021-20038 (SonicWall SMA 100 stack-based buffer overflow) </li> <li> <strong> Credential Theft: </strong> Deploy veeam11.ps1 &mdash; a weaponized variant of Veeam credential harvesting scripts that extracts the credentials stored in Veeam Backup &amp; Replication; because Veeam must log on to every host and hypervisor it protects, those stored accounts are typically highly privileged domain accounts </li> <li> <strong> Defense Evasion: </strong> BYOVD using UpdateDrv.sys (Zemana), ped.sys (Process Explorer), and 3ware.sys to disable EDR </li> <li> <strong> Persistence: </strong> Install a "WMI Helper Agent" service backed by wmihelper.exe </li> <li> <strong> Lateral Movement / C2: </strong> SSH reverse tunnels and Chisel through ESXi hosts, terminating at 64.95.12[.]57 and 64.95.12[.]70 </li> <li> <strong> Exfiltration: </strong> Rclone to AWS S3 and Backblaze before encryption </li> <li> <strong> Impact: </strong> File encryption with .Abyss and .crypt extensions </li> </ul> <p> The targeting of Veeam backup credentials is particularly concerning: successful extraction gives attackers both domain-level access AND the ability to destroy backup integrity before deploying ransomware. </p> <p> <strong> Key ATT&amp;CK Techniques: </strong> <strong> T1190 </strong> (Exploit Public-Facing Application), <strong> T1555 </strong> (Credentials from Password Stores), <strong> T1562.001 </strong> (Impair Defenses: Disable or Modify Tools), <strong> T1068 </strong> (Exploitation for Privilege Escalation, here via BYOVD), <strong> T1572 </strong> (Protocol Tunneling), <strong> T1567.002 </strong> (Exfiltration to Cloud Storage), <strong> T1486 </strong> (Data Encrypted for Impact) </p> <h3> <strong> ClickFix/InstallFix: Social Engineering Targeting Government Users </strong> </h3> <p> The C2 infrastructure at 77.91.97[.]244 (ASN 205775, Georgia) continues to support social engineering campaigns that trick users into executing malicious PowerShell commands. 
These campaigns use fake browser update prompts and software installation dialogs &mdash; techniques that bypass traditional email security controls because the user manually executes the payload. </p> <p> <strong> Key ATT&amp;CK Techniques: </strong> <strong> T1204.002 </strong> (User Execution: Malicious File), <strong> T1059.001 </strong> (PowerShell), <strong> T1548.002 </strong> (Bypass UAC) </p> <h3> <strong> Building Automation: The Expanding OT Attack Surface </strong> </h3> <p> CISA's advisory on Kieback &amp; Peter DDC building controllers reveals browser takeover vulnerabilities in systems commonly deployed in government facilities. These controllers manage HVAC, lighting, and physical access control. When connected to corporate networks (as is common in state facilities), they represent an unmonitored lateral movement path from OT to IT &mdash; or vice versa. </p> <p> This joins a growing pattern: Siemens RUGGEDCOM, ABB CoreSense, and ScadaBR (unauthenticated RCE) advisories all published in the same window. 
</p> <p> <strong> Key ATT&amp;CK Techniques: </strong> <strong> T1189 </strong> (Drive-by Compromise), <strong> T0831 </strong> (Manipulation of Control), <strong> T0855 </strong> (Unauthorized Command Message) </p> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> Scenario </p> </th> <th> <p> Probability (72h) </p> </th> <th> <p> Basis </p> </th> </tr> </thead> <tbody> <tr> <td> <p> APT28/APT29 spearphishing campaign against state .gov email addresses </p> </td> <td> <p> <strong> HIGH (70-80%) </strong> </p> </td> <td> <p> Fresh infrastructure + refreshed malware = active campaign preparation </p> </td> </tr> <tr> <td> <p> Abyss Locker expands targeting to state/local government VPN appliances </p> </td> <td> <p> <strong> MODERATE-HIGH (55-65%) </strong> </p> </td> <td> <p> TTP alignment with state infrastructure; sector expansion is typical ransomware maturation </p> </td> </tr> <tr> <td> <p> COZY BEAR credential harvesting campaign against state policy officials </p> </td> <td> <p> <strong> MODERATE (45-55%) </strong> </p> </td> <td> <p> ATI-Agent refresh with gov targeting; APT29 historically targets policy communications </p> </td> </tr> <tr> <td> <p> Supply chain compromise affecting state CI/CD pipelines (npm/GitHub Actions) </p> </td> <td> <p> <strong> MODERATE (40-50%) </strong> </p> </td> <td> <p> Active npm worm campaigns; state agencies increasingly use modern development tooling </p> </td> </tr> <tr> <td> <p> Exploitation of Kieback &amp; Peter DDC controllers in state facilities </p> </td> <td> <p> <strong> LOW (15-25%) </strong> </p> </td> <td> <p> No evidence of active exploitation yet; advisory-only </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Immediate Detection Priorities </strong> </h3> <p> <strong> Hunt Hypothesis 1: SonicWall VPN Exploitation (Abyss Locker Initial Access) </strong> </p> <ul> <li> Monitor SonicWall SMA 100 appliance logs for anomalous 
authentication patterns, unexpected administrative sessions, or crash/restart events </li> <li> Hunt for: PowerShell execution on internal Windows hosts immediately following VPN authentication from unusual source IPs </li> <li> ATT&amp;CK: <strong> T1190 </strong> , <strong> T1059.001 </strong> </li> <li> Detection: Alert on powershell.exe spawned by VPN-related service processes </li> </ul> <p> <strong> Hunt Hypothesis 2: Veeam Credential Harvesting </strong> </p> <ul> <li> Monitor for: PowerShell scripts accessing Veeam credential stores, execution of scripts matching *Veeam*Cred* naming patterns, or connections to the Veeam configuration database from non-Veeam processes </li> <li> ATT&amp;CK: <strong> T1555 </strong> (Credentials from Password Stores) </li> <li> Detection: File creation monitoring (Sysmon Event ID 11) for veeam*.ps1 in temp directories; queries against the VeeamBackup database from unexpected sources </li> <li> Registry: Alert on HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware being set to 1 (Sysmon Event ID 13). Defender ignores this value when tamper protection is enabled, so the write itself is the signal: it shows an actor trying to switch off the AV, whether or not the attempt succeeded </li> </ul> <p> <strong> Hunt Hypothesis 3: BYOVD EDR Evasion </strong> </p> <ul> <li> Monitor for: Loading of known vulnerable drivers (UpdateDrv.sys, ped.sys, 3ware.sys) </li> <li> ATT&amp;CK: <strong> T1068 </strong> , <strong> T1562.001 </strong> </li> <li> Detection: Driver load events (Sysmon Event ID 6) for known-vulnerable drivers. These drivers carry valid signatures, so a signed/unsigned check will not catch them, and the file name is trivially changed, so match on file hash and signer as well as name. Pair this with EDR agent health monitoring for unexpected termination </li> </ul> <p> <strong> Hunt Hypothesis 4: APT28/APT29 Spearphishing Delivery </strong> </p> <ul> <li> Monitor for: DNS queries or proxy connections to syd.clarionquestgroup[.]cfd </li> <li> Monitor for: Email attachments delivering ATI-Agent (SHA256: 30c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73) </li> <li> ATT&amp;CK: <strong> T1566.001 </strong> , <strong> T1566.002 </strong> </li> <li> Detection: Email gateway rules for .cfd TLD domains in links; EDR hash-based blocking </li> </ul> <p> <strong> Hunt Hypothesis 5: ESXi SSH Tunneling (Lateral Movement/C2) </strong> </p> <ul> <li> Monitor 
for: SSH being enabled on ESXi hosts (normally disabled); outbound connections from ESXi management interfaces to external IPs </li> <li> ATT&amp;CK: <strong> T1572 </strong> , <strong> T1021.004 </strong> </li> <li> Detection: Alert on ESXi SSH service state changes; network monitoring for outbound SSH from hypervisor management VLANs </li> </ul> <h3> <strong> IOC Blocking Table </strong> </h3> <table> <thead> <tr> <th> <p> Type </p> </th> <th> <p> Value </p> </th> <th> <p> Context </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> IPv4 </p> </td> <td> <p> 77.91.97[.]244 </p> </td> <td> <p> ClickFix/InstallFix C2 (ASN 205775, Georgia) </p> </td> <td> <p> Block at firewall + proxy </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 64.95.12[.]57 </p> </td> <td> <p> Abyss Locker C2 / SSH reverse tunnel </p> </td> <td> <p> Block at firewall </p> </td> </tr> <tr> <td> <p> IPv4 </p> </td> <td> <p> 64.95.12[.]70 </p> </td> <td> <p> Abyss Locker ESXi SSH tunnel </p> </td> <td> <p> Block at firewall </p> </td> </tr> <tr> <td> <p> Domain </p> </td> <td> <p> syd.clarionquestgroup[.]cfd </p> </td> <td> <p> APT28 phishing infrastructure (gov-targeting) </p> </td> <td> <p> Block at DNS + proxy </p> </td> </tr> <tr> <td> <p> SHA-256 </p> </td> <td> <p> 30c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73 </p> </td> <td> <p> COZY BEAR ATI-Agent malware </p> </td> <td> <p> Block at EDR + email gateway </p> </td> </tr> <tr> <td> <p> SHA-1 </p> </td> <td> <p> c3d8a548fa0525e1e55aa592e14303fc6964d28d </p> </td> <td> <p> COZY BEAR ATI-Agent (delivery) </p> </td> <td> <p> Block at EDR + email gateway </p> </td> </tr> <tr> <td> <p> File </p> </td> <td> <p> UpdateDrv.sys / ped.sys / 3ware.sys </p> </td> <td> <p> BYOVD drivers (Abyss Locker EDR evasion) </p> </td> <td> <p> Block driver loading via WDAC policy </p> </td> </tr> <tr> <td> <p> File </p> </td> <td> <p> wmihelper.exe </p> </td> <td> <p> Abyss Locker persistence agent </p> </td> <td> <p> 
Block at EDR </p> </td> </tr> <tr> <td> <p> Registry </p> </td> <td> <p> DisableAntiSpyware = 1 </p> </td> <td> <p> Defender tampering indicator </p> </td> <td> <p> Alert (do not block &mdash; investigate) </p> </td> </tr> </tbody> </table> <p> <em> Additional IOCs available via Anomali ThreatStream. </em> </p> <h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (State Treasury, Revenue, Benefits Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Abyss Locker ransomware targeting financial data exfiltration before encryption; APT29 targeting fiscal policy communications </li> <li> <strong> Priority action: </strong> Audit VPN access to financial systems (ERP, tax processing, benefits disbursement); ensure Veeam backups of financial databases use isolated, least-privilege service accounts (service accounts cannot complete MFA, so enforce MFA on the Veeam console and on the jump host that reaches it instead) </li> <li> <strong> Detection focus: </strong> Monitor for Rclone or similar sync tools ( <strong> T1567.002 </strong> ) executing in financial system segments; alert on bulk data access patterns outside business hours </li> </ul> <h3> <strong> Energy (State-Operated Utilities, Grid Coordination) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> ICS/SCADA vulnerabilities (ABB CoreSense, Siemens RUGGEDCOM); Abyss Locker explicitly targets the energy/utilities sector </li> <li> <strong> Priority action: </strong> Verify network segmentation between IT and OT; confirm no building automation controllers (Kieback &amp; Peter DDC) bridge IT/OT boundaries; patch or isolate ScadaBR instances </li> <li> <strong> Detection focus: </strong> Monitor for unauthorized connections crossing IT/OT boundaries; alert on new SSH sessions to SCADA management interfaces </li> </ul> <h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Ransomware targeting PII/PHI for double extortion; credential theft from health information exchanges </li> <li> <strong> Priority 
action: </strong> Verify backup integrity for Medicaid claims systems and health registries; ensure Veeam service accounts cannot access clinical data stores directly </li> <li> <strong> Detection focus: </strong> Monitor for bulk PHI access or export; alert on PowerShell execution in healthcare application server segments </li> </ul> <h3> <strong> Government (Executive Agencies, Legislative Systems, Elections) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> APT28 and APT29 credential harvesting targeting policy officials and inter-agency communications; ClickFix social engineering against government employees </li> <li> <strong> Priority action: </strong> Enforce phishing-resistant MFA (FIDO2/hardware keys) for senior officials and policy staff; block .cfd TLD at DNS for all government users; brief staff on ClickFix/fake update social engineering </li> <li> <strong> Detection focus: </strong> Monitor for device code authentication flows ( <strong> T1078 </strong> ); alert on OAuth consent grants to unfamiliar applications; hunt for PowerShell execution following browser processes </li> </ul> <h3> <strong> Aviation / Logistics (State DOT, Port Authorities, Transit Systems) </strong> </h3> <ul> <li> <strong> Primary threat: </strong> Supply chain compromise via development tooling (npm worm, VS Code extensions); ICS vulnerabilities in transit SCADA and traffic management </li> <li> <strong> Priority action: </strong> Audit CI/CD pipelines for pinned dependencies; verify no Kieback &amp; Peter DDC controllers manage transit facility access control; segment traffic management systems from corporate IT </li> <li> <strong> Detection focus: </strong> Monitor for unexpected npm package installations in build environments; alert on outbound connections from build servers to unknown domains </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> 
Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 1 </p> </td> <td> <p> IT Ops / Network </p> </td> <td> <p> <strong> Verify SonicWall SMA 100 patch status against CVE-2021-20038 </strong> across ALL state VPN appliances. This is the #1 confirmed exploitation vector for Abyss Locker ransomware. Any unpatched appliance is an open door. </p> </td> </tr> <tr> <td> <p> 2 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Block IOCs </strong> listed in the table above at perimeter firewall, DNS resolver, web proxy, email gateway, and EDR platforms. </p> </td> </tr> <tr> <td> <p> 3 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Deploy COZY BEAR hash detections </strong> &mdash; add SHA-256 30c69d91... and SHA-1 c3d8a548... to all endpoint detection platforms and email attachment scanning. </p> </td> </tr> <tr> <td> <p> 4 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> <strong> Audit Veeam Backup &amp; Replication service account permissions </strong> &mdash; confirm accounts use least-privilege, cannot be used for interactive logon, and are not domain admin equivalent. </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY Actions </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 5 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> <strong> Enable MFA on Veeam console access </strong> and restrict management interface to jump server only. Monitor for PowerShell scripts matching *Veeam*Cred* patterns. </p> </td> </tr> <tr> <td> <p> 6 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Create detection rules </strong> for APT28 domain syd.clarionquestgroup[.]cfd in DNS and proxy logs. Alert on any resolution attempt. </p> </td> </tr> <tr> <td> <p> 7 </p> </td> <td> <p> Facilities / OT </p> </td> <td> <p> <strong> Inventory all Kieback &amp; Peter DDC building controllers </strong> on state networks. 
Verify firmware versions and segment from corporate IT pending vendor patch. </p> </td> </tr> <tr> <td> <p> 8 </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Implement BYOVD detection </strong> &mdash; alert on loading of UpdateDrv.sys, ped.sys, or 3ware.sys via Sysmon driver load events or Windows Defender Application Control (WDAC) policies. </p> </td> </tr> <tr> <td> <p> 9 </p> </td> <td> <p> IT Ops </p> </td> <td> <p> <strong> Audit ESXi SSH configuration </strong> &mdash; ensure SSH is disabled by default on all hypervisor hosts; create alerts for SSH service enablement or outbound SSH from management VLANs. </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY Actions </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 10 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Commission red team assessment </strong> of VPN-to-domain-admin attack path, specifically testing Veeam credential harvesting and BYOVD EDR evasion scenarios. </p> </td> </tr> <tr> <td> <p> 11 </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Implement phishing-resistant MFA (FIDO2) </strong> for all senior officials, policy staff, and IT administrators &mdash; APT28/APT29 credential harvesting defeats SMS and app-based MFA. </p> </td> </tr> <tr> <td> <p> 12 </p> </td> <td> <p> CISO / Procurement </p> </td> <td> <p> <strong> Evaluate backup OSINT intelligence source </strong> &mdash; 7-day degradation of primary OSINT collection creates unacceptable corroboration gaps for threat intelligence operations. </p> </td> </tr> <tr> <td> <p> 13 </p> </td> <td> <p> IT Ops / Facilities </p> </td> <td> <p> <strong> Develop OT/IT segmentation plan </strong> for building automation systems &mdash; Kieback &amp; Peter, Siemens, and ABB advisories indicate expanding attack surface that is currently unmonitored. 
</p> </td> </tr> <tr> <td> <p> 14 </p> </td> <td> <p> CISO / IR </p> </td> <td> <p> <strong> Update incident response playbooks </strong> to include Abyss Locker-specific scenarios: VPN exploitation &rarr; Veeam credential theft &rarr; backup destruction &rarr; ESXi encryption. Tabletop exercise recommended within 30 days. </p> </td> </tr> </tbody> </table> <h2> <strong> The Bottom Line </strong> </h2> <p> State government networks sit at the intersection of two converging threats: nation-state intelligence services building infrastructure to harvest government credentials, and ransomware operators perfecting attack chains against the exact VPN and backup technologies state agencies rely on. </p> <p> The single highest-leverage action available today is confirming that SonicWall VPN appliances are patched against CVE-2021-20038. This one vulnerability is the confirmed entry point for a ransomware group whose entire playbook &mdash; from initial access through backup destruction to encryption &mdash; maps to standard state government infrastructure. </p> <p> The second priority is treating backup infrastructure as a crown jewel. Abyss Locker's targeted Veeam credential harvesting demonstrates that attackers understand backup systems are the last line of defense &mdash; and that their playbook is built to eliminate that defense before encryption begins. </p> <p> Russian intelligence services (APT28 and APT29) refreshing government-targeting infrastructure in the same window adds urgency: a state agency compromised via VPN exploitation today could face ransomware deployment tomorrow AND long-term espionage access simultaneously. </p> <p> <strong> Act now. Verify your VPN patches. Harden your backups. Block the indicators. Brief your teams. </strong> </p> <p> <em> Published 20 May 2026 by Anomali CTI Desk </em> </p>
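<p> The five hunt hypotheses and the IOC blocking table in the SOC Operational Guidance section, expressed as rules over sample telemetry. This is an added example, not Anomali's code or any vendor's detection content. It assumes a normalized event dict per record (the field names are invented, not a SIEM schema), the sample events are constructed, and the rule that treats a driver loaded from a Temp or ProgramData path as suspicious is a heuristic added here, not something the Abyss Locker report states. </p>

```python
"""Hunt rules for the detection priorities and IOC table above, run over constructed
sample events. Added example; event dicts are an assumed normalized shape, not a vendor schema."""
import ipaddress
import re
from dataclasses import dataclass


def refang(value: str) -> str:
    return value.replace("[.]", ".")  # IOCs are defanged on the page; restore for matching


IOC_DOMAINS = {refang("syd.clarionquestgroup[.]cfd")}
IOC_IPS = {refang(ip) for ip in ("77.91.97[.]244", "64.95.12[.]57", "64.95.12[.]70")}
IOC_SHA256 = {"30c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73"}
IOC_SHA1 = {"c3d8a548fa0525e1e55aa592e14303fc6964d28d"}
BYOVD_DRIVERS = {"updatedrv.sys", "ped.sys", "3ware.sys"}
PERSISTENCE_FILES = {"wmihelper.exe"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VEEAM_SCRIPT = re.compile(r"^veeam.*\.ps1$", re.IGNORECASE)
WRITABLE_DIR = re.compile(r"\\(temp|programdata)\\", re.IGNORECASE)  # assumption: heuristic, not from the report
DEFENDER_KEY = re.compile(r"\\Windows Defender\\DisableAntiSpyware$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def evaluate(ev: dict) -> list[Finding]:
    """Apply every rule to one normalized event; return its findings (possibly none)."""
    out, kind = [], ev["type"]
    if kind == "dns":
        q = ev["query"].lower().rstrip(".")
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            out.append(Finding("ioc-domain", "T1566.002", q))
        elif q.endswith(".cfd"):  # the page recommends blocking the whole TLD for gov users
            out.append(Finding("cfd-tld", "T1566.002", q))
    elif kind == "netconn":
        if ev["dst_ip"] in IOC_IPS:
            out.append(Finding("ioc-ip", "T1572", ev["dst_ip"]))
        # Hunt 5: SSH leaving a hypervisor management interface for a non-RFC1918 address
        if ev.get("src_role") == "esxi-mgmt" and ev["dst_port"] == 22 and not _is_internal(ev["dst_ip"]):
            out.append(Finding("esxi-outbound-ssh", "T1572", f"{ev['src_ip']}->{ev['dst_ip']}:22"))
    elif kind == "file_create":  # Sysmon Event ID 11
        name = _basename(ev["path"])
        if name in PERSISTENCE_FILES:
            out.append(Finding("ioc-file", "T1543.003", ev["path"]))
        if VEEAM_SCRIPT.match(name) and WRITABLE_DIR.search(ev["path"]):  # Hunt 2
            out.append(Finding("veeam-cred-script", "T1555", ev["path"]))
        if ev.get("sha256", "").lower() in IOC_SHA256 or ev.get("sha1", "").lower() in IOC_SHA1:
            out.append(Finding("ioc-hash", "T1566.001", ev["path"]))
    elif kind == "driver_load":  # Sysmon Event ID 6, Hunt 3
        name = _basename(ev["path"])
        # BYOVD drivers are validly signed, so signature state is not a signal: match the
        # names from the report, then fall back to the writable-directory heuristic.
        if name in BYOVD_DRIVERS:
            out.append(Finding("byovd-known-driver", "T1068", ev["path"]))
        elif WRITABLE_DIR.search(ev["path"]):
            out.append(Finding("driver-from-writable-path", "T1068", ev["path"]))
    elif kind == "registry_set":  # Sysmon Event ID 13; the write is the signal even if Defender ignores it
        if DEFENDER_KEY.search(ev["key"]) and ev["value"] in (1, "1", "DWORD (0x00000001)"):
            out.append(Finding("defender-disable", "T1562.001", ev["key"]))
    elif kind == "esxi_service":  # Hunt 5: TSM-SSH should stay stopped on hypervisors
        if ev["service"] == "TSM-SSH" and ev["state"] == "running":
            out.append(Finding("esxi-ssh-enabled", "T1021.004", ev["host"]))
    return out


def hunt(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in evaluate(ev)]


# Constructed sample telemetry: true hits mixed with benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "syd.clarionquestgroup.cfd"},
    {"type": "dns", "query": "www.example.gov"},
    {"type": "dns", "query": "update-notice.cfd"},
    {"type": "netconn", "src_role": "workstation", "src_ip": "10.1.5.20", "dst_ip": "77.91.97.244", "dst_port": 443},
    {"type": "netconn", "src_role": "esxi-mgmt", "src_ip": "10.20.0.5", "dst_ip": "64.95.12.70", "dst_port": 22},
    {"type": "netconn", "src_role": "esxi-mgmt", "src_ip": "10.20.0.5", "dst_ip": "10.20.0.9", "dst_port": 22},
    {"type": "file_create", "path": r"C:\Windows\Temp\veeam11.ps1"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\veeam_report.ps1"},
    {"type": "file_create", "path": r"C:\ProgramData\WMIHelper\wmihelper.exe"},
    {"type": "file_create", "path": r"C:\Users\bob\AppData\Local\Temp\agenda.exe",
     "sha256": "30c69d91247f8a72a69e4d7c4bce3eafba40975e5890c23dc4dbe7c9a11afa73"},
    {"type": "driver_load", "path": r"C:\Windows\System32\drivers\UpdateDrv.sys"},
    {"type": "driver_load", "path": r"C:\ProgramData\svc\helper.sys"},
    {"type": "driver_load", "path": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"type": "registry_set", "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "value": "DWORD (0x00000001)"},
    {"type": "esxi_service", "host": "esx01", "service": "TSM-SSH", "state": "running"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.rule:26} {f.technique:9} {f.detail}")
```

<p> Two design points: the file-name and path checks are deliberately narrow (a veeam_report.ps1 in a user's Documents folder is not flagged, a veeam11.ps1 in Temp is), and the ESXi rule fires on the outbound SSH connection itself rather than on the IOC address, so it still works when the operators rotate infrastructure. Hash and signer matching for the BYOVD drivers needs a feed such as the Microsoft vulnerable driver blocklist; the name match here is the floor, not the ceiling. </p>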
