State Cyber Threat Picture Just Changed

Public Sector

Published on

March 13, 2026

Table of Contents

The convergence of threats facing U.S. state governments this week is unlike anything we've tracked in recent memory. An Iran-linked group just demonstrated it can brick 200,000 devices by weaponizing the same endpoint management tool your agencies rely on every day. A Chinese espionage campaign has been quietly operating inside government and critical infrastructure networks across 40 countries — for nearly a decade. A CVSS 9.9 vulnerability in a popular automation platform is being actively exploited in the wild. And the federal agency states depend on most for cyber support — CISA — is operating at reduced capacity during all of it. This is not a theoretical risk briefing. These are operational realities that demand decisions from state IT leadership this week. <h2> What Changed </h2> Five developments in the past two weeks have materially altered the risk calculus for state government IT: <ol> <li> Microsoft Intune was weaponized as a destructive tool for the first time at scale. The Iran-linked hacktivist group Handala (also tracked as BANISHED KITTEN, UNC5203, Cotton Sandstorm, and Haywire Kitten) compromised Intune administrator credentials at Stryker Corporation — a $20 billion medical device manufacturer — and issued remote wipe commands across the enterprise. The group claims 200,000 devices were rendered inoperable and 50 terabytes of data exfiltrated. Every state agency running Intune for mobile device management has the same exposure. </li> <li> CISA added CVE-2025-68613 to the Known Exploited Vulnerabilities catalog. This is a CVSS 9.9 remote code execution flaw in n8n, an open-source workflow automation platform increasingly adopted by government IT shops. Over 24,700 instances remain internet-exposed, and the Zerobot malware is actively targeting them. </li> <li> CISA itself is operating under a partial DHS shutdown. The acting CISA director has been reassigned. Threat advisory staffing is reduced. The CIRCIA cyber incident reporting rule — which would have established mandatory reporting requirements — is delayed indefinitely. States are increasingly on their own. </li> <li> A nine-year Chinese espionage campaign was disclosed targeting government, telecom, energy, and utilities. Google/Mandiant revealed GRIDTIDE, attributed to China-nexus actor UNC2814, with 53 confirmed victims across 40 countries. The campaign's command-and-control channel — Google Sheets API traffic — evades most standard network monitoring. </li> <li> Trojanized VPN client installers are targeting government workers via search engine poisoning. Microsoft disclosed that threat actor Storm-2561 is distributing digitally signed malicious Ivanti and SonicWall VPN installers that deploy the Bumblebee loader and Hyrax credential stealer. The fake installers bypass application whitelisting controls. </li> </ol> <h2> Threat Timeline: Key Events (26 February – 13 March 2026) </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Severity </th> </tr> </thead> <tbody> <tr> <td> 26 Feb </td> <td> Google/Mandiant reveals GRIDTIDE espionage campaign by China-nexus actor UNC2814 — active since 2017, 53 victims across 40 countries targeting government, telecom, energy, and utilities </td> <td> 🔴 High </td> </tr> <tr> <td> 2 Mar </td> <td> DHS partial shutdown begins; CISA staffing reductions take effect </td> <td> 🟡 Elevated </td> </tr> <tr> <td> 3 Mar </td> <td> SecurityWeek reports Iranian hacktivist activity surging but state-sponsored operations remain below expected levels — a gap that historically closes within 2–4 weeks </td> <td> 🟡 Elevated </td> </tr> <tr> <td> 3 Mar </td> <td> CNBC: "The lead U.S. cyber agency is stretched thin as Iran hacking threat escalates" </td> <td> 🟡 Elevated </td> </tr> <tr> <td> 9–11 Mar </td> <td> Billington Cybersecurity Summit convenes state CISOs; federal attribution/sanctions legislation proposed </td> <td> 🔵 Informational </td> </tr> <tr> <td> 11 Mar </td> <td> Handala claims destructive wiper attack on Stryker Corporation via Microsoft Intune abuse; Stryker files SEC 8-K </td> <td> 🔴 Critical </td> </tr> <tr> <td> 11 Mar </td> <td> CISA adds CVE-2025-68613 (n8n RCE, CVSS 9.9) to KEV; Zerobot malware actively exploiting </td> <td> 🔴 Critical </td> </tr> <tr> <td> 12 Mar </td> <td> Microsoft discloses Storm-2561 campaign distributing trojanized VPN clients (Ivanti, SonicWall) via SEO poisoning, deploying Bumblebee loader and Hyrax credential stealer </td> <td> 🟠 High </td> </tr> </tbody> </table> <h2> Threat Analysis </h2> <h3> 1. Iranian Destructive Operations: Handala and the Intune Threat </h3> What happened: Handala — an Iran-linked hacktivist group with 146 claimed victims since 2024 and government as their second most-targeted sector — compromised Microsoft Intune administrator credentials at Stryker Corporation and used the platform's legitimate remote wipe capability to destroy endpoints at scale. This is not malware. This is the abuse of an authorized management tool, which makes it exceptionally difficult to detect with traditional security controls. Why it matters for state government: Microsoft Intune is the standard MDM platform across most state agencies. A compromised Intune Global Administrator account — obtained through phishing, token theft, or a misconfigured conditional access policy — gives an attacker the ability to wipe every managed device in the environment in minutes. There is no malware to detect. There is no lateral movement to observe. The wipe command is a legitimate platform function. Handala's operational tempo has accelerated dramatically since the Iran conflict began: 15+ claimed operations in March 2026 alone, including attacks on Verifone, Hebrew University, Jerusalem municipal cameras, water infrastructure, and Saudi Aramco. Across the broader Iranian hacktivist ecosystem, 149 DDoS attacks have been recorded across 16 countries. The deeper concern: Handala and similar hacktivist groups are the vanguard. Iran's state-sponsored cyber operators — MuddyWater (STATIC KITTEN), OilRig (APT34), and Charming Kitten (APT42) — have not yet fully engaged against U.S. domestic targets in this conflict cycle. Historical patterns show state-sponsored operations lag hacktivist activity by 2–4 weeks as targeting packages are developed. When they engage, expect targeted spear-phishing, credential harvesting, and potential destructive attacks against OT/SCADA systems — including water treatment, transportation management, and emergency services. Key IOCs: - Handala data leak sites: handala-hack.to (active, behind DDoS-Guard) and .onion mirror - Telegram channel: t.me/HANDALA_HPR2 <h3> 2. GRIDTIDE: A Nine-Year Chinese Espionage Campaign You May Already Be Inside </h3> What happened: Google Threat Intelligence Group and Mandiant disclosed GRIDTIDE , a campaign attributed to China-nexus actor UNC2814 that has been operating since 2017 with at least 53 confirmed victims across 40 countries. The campaign targets energy, government, telecommunications, and utilities — four sectors that map directly to state government responsibilities. The detection problem: GRIDTIDE's backdoor conceals command-and-control traffic within Google Sheets API activity . To your network monitoring tools, this looks like a legitimate user interacting with a Google productivity application. It will pass through web proxies, bypass URL filtering, and generate no alerts in most SIEM configurations. Google has disrupted the operation, but residual access in compromised networks likely persists. Why state government is in the target set: State networks sit at the intersection of government administration, utilities oversight (water/wastewater SCADA), telecom coordination, and energy regulation — all four GRIDTIDE target sectors. The campaign's nine-year operational history means that the absence of known state government victims may reflect detection gaps, not non-targeting. <h3> 3. Critical Vulnerabilities in the State Technology Stack </h3> Multiple critical vulnerabilities are being actively exploited in technologies commonly deployed across state government: <table> <thead> <tr> <th> CVE </th> <th> Product </th> <th> CVSS </th> <th> Status </th> <th> State Government Relevance </th> </tr> </thead> <tbody> <tr> <td> CVE-2025-68613 </td> <td> n8n workflow automation </td> <td> 9.9 </td> <td> CISA KEV; Zerobot actively exploiting; 24,700 instances exposed </td> <td> Adopted by IT shops for helpdesk, data integration, and alert routing automation </td> </tr> <tr> <td> CVE-2025-55182 </td> <td> React Server Components ("React2Shell") </td> <td> 10.0 </td> <td> China-nexus exploitation reported </td> <td> Citizen-facing web portals commonly built on React </td> </tr> <tr> <td> CVE-2025-31324 </td> <td> SAP NetWeaver </td> <td> 10.0 </td> <td> Actively exploited </td> <td> State ERP/financial systems frequently run SAP </td> </tr> <tr> <td> CVE-2025-2783 </td> <td> Google Chrome (sandbox escape) </td> <td> 8.3 </td> <td> Actively exploited </td> <td> Chromium-based browsers standard on state endpoints </td> </tr> <tr> <td> Multiple </td> <td> Fortinet, WatchGuard products </td> <td> Various </td> <td> Actively exploited </td> <td> Common state network edge devices </td> </tr> </tbody> </table> <h3> 4. Trojanized VPN Clients Targeting Government Workers </h3> Microsoft disclosed that threat actor Storm-2561 is using SEO poisoning to place trojanized VPN client installers — specifically mimicking Ivanti and SonicWall products — at the top of search engine results. The attack chain is elegant and dangerous: <ol> <li> Employee searches for "Ivanti VPN client download" or "SonicWall VPN installer" </li> <li> Attacker-controlled site or compromised GitHub repository appears in top results </li> <li> Employee downloads a digitally signed malicious MSI installer (bypasses application whitelisting) </li> <li> Installer sideloads a malicious DLL, deploying the Bumblebee loader and Hyrax credential stealer </li> <li> A fake VPN login dialog captures the employee's real VPN credentials </li> <li> Credentials are exfiltrated; persistence is established via the Windows RunOnce registry key </li> </ol> This is particularly dangerous for state government because VPN client installation is a routine, expected activity — especially for remote and hybrid workers. The digital signing of the malicious installer means it may bypass security controls designed to prevent unauthorized software installation. <h3> 5. Federal Cyber Support Is Degraded at the Worst Possible Time </h3> The partial DHS shutdown has reduced CISA's operational capacity across threat advisories, vulnerability coordination, and state/local support. The CIRCIA cyber incident reporting rule — which would have established mandatory reporting timelines for critical infrastructure operators — is delayed indefinitely. This creates two compounding problems: <ul> <li> Reduced intelligence flow: States that rely on CISA and MS-ISAC for threat indicators, vulnerability alerts, and incident response support will experience gaps. </li> <li> Regulatory uncertainty: The incident reporting framework that state agencies and critical infrastructure operators were preparing to comply with is now in limbo. </li> </ul> Meanwhile, 99 state-level cybersecurity bills were passed in 2025, and a March 2025 Executive Order directed improvements in state and local cyber efficiency. The legislative and policy landscape is shifting rapidly even as federal operational support contracts. <h2> Predictive Analysis: What to Expect in the Next 7–14 Days </h2> <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> Additional Iranian hacktivist attacks (DDoS, defacement) against U.S. government websites and public services </td> <td> 70–80% </td> <td> Handala alone has claimed 15+ operations in March; 149 hacktivist DDoS attacks recorded across 16 countries; state government portals are accessible, high-visibility targets </td> </tr> <tr> <td> Iranian state-sponsored actors (MuddyWater, OilRig, Charming Kitten) begin targeting U.S. government infrastructure directly </td> <td> 40–60% </td> <td> Historical 2–4 week lag behind hacktivist activity; current absence of state-sponsored operations is consistent with targeting development phase </td> </tr> <tr> <td> Ransomware group successfully hits a U.S. state or local government entity </td> <td> 40–60% </td> <td> Connecticut municipalities hit Jan–Feb 2026; Taos County (2TB exfiltrated); Mississippi health system breached Feb 2026; Qilin, Akira, Play, Medusa, and Lynx all actively targeting government </td> </tr> <tr> <td> Discovery of GRIDTIDE-related compromise in U.S. state government networks </td> <td> 25–40% </td> <td> Campaign active since 2017 across 40 countries; Google Sheets C2 evades standard monitoring; absence of known state victims likely reflects detection gaps </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Detection Priorities </h3> Priority 1 — Microsoft Intune Abuse (Handala TTP) - ATT&CK: T1078.004 (Valid Accounts: Cloud Accounts), T1485 (Data Destruction), T1098 (Account Manipulation) - Hunting hypothesis: An attacker who compromises an Intune Global Administrator account will issue bulk device wipe or retire commands. Hunt for: Intune audit logs showing wipeDevice, retireDevice, or deleteDevice actions against more than 10 devices within a 1-hour window; new Intune admin role assignments; Intune admin sign-ins from anomalous locations, IP addresses, or non-compliant devices; conditional access policy modifications that weaken MFA requirements. - Detection rule: Alert on any DeviceManagement audit event where the action is wipeDevice AND the count exceeds your baseline threshold within a rolling 60-minute window. Correlate with Entra ID sign-in logs for the initiating admin account. Priority 2 — Google Sheets C2 (GRIDTIDE TTP) - ATT&CK: T1071.001 (Application Layer Protocol: Web Protocols), T1102.002 (Web Service: Bidirectional Communication) - Hunting hypothesis: A compromised endpoint communicating with GRIDTIDE infrastructure will make high-frequency Google Sheets API calls (sheets.googleapis.com) from a non-browser process or with an anomalous user-agent string. Hunt for: processes other than Chrome/Edge making HTTPS connections to sheets.googleapis.com; Google Sheets API calls with service account credentials from endpoints (not servers); unusually large or frequent read/write operations to Google Sheets from a single endpoint. - Detection rule: Monitor DNS and proxy logs for sheets.googleapis.com requests. Baseline normal volume per endpoint. Alert on endpoints exceeding 2 standard deviations above baseline, particularly outside business hours. Priority 3 — SEO Poisoning / Trojanized Installers (Storm-2561) - ATT&CK: T1608.006 (SEO Poisoning), T1218.007 (Msiexec), T1574.002 (DLL Side-Loading), T1056.002 (GUI Input Capture), T1547.001 (Registry Run Keys) - Hunting hypothesis: An employee who downloads a trojanized VPN installer will execute an MSI that sideloads a malicious DLL, creates a RunOnce persistence key, and presents a fake credential dialog. Hunt for: msiexec.exe executions from user Downloads or Temp directories for packages not in your approved software inventory; new RunOnce registry entries created by non-standard processes; DLL loads from the same directory as a recently installed MSI where the DLL is not signed by the expected vendor; network connections to unknown C2 infrastructure shortly after MSI execution. - IOC monitoring: Block or alert on the Handala infrastructure domains listed above. Monitor for Bumblebee and Hyrax malware signatures in your EDR platform. Priority 4 — n8n Exploitation (CVE-2025-68613) - ATT&CK: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter) - Hunting hypothesis: An attacker exploiting CVE-2025-68613 will send crafted expression payloads to n8n's workflow evaluation endpoint, resulting in arbitrary code execution under the n8n service account. Hunt for: n8n process spawning child processes (especially sh, bash, cmd.exe, powershell.exe); outbound network connections from n8n to known Zerobot C2 infrastructure; n8n webhook endpoints receiving unusual POST payloads. <h3> Prioritized IOCs for Immediate Blocking/Monitoring </h3> <table> <thead> <tr> <th> IOC </th> <th> Type </th> <th> Context </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> handala-hack[.]to </td> <td> Domain </td> <td> Handala data leak site (active) </td> <td> Block at DNS/proxy </td> </tr> <tr> <td> t[.]me/HANDALA_HPR2 </td> <td> URL </td> <td> Handala Telegram channel </td> <td> Monitor for new claims </td> </tr> <tr> <td> 7e851829ee37bc0cf65a268d1d1baa7a </td> <td> MD5 hash </td> <td> Lynx ransomware sample (active, targeting U.S. government) </td> <td> Block in EDR; hunt in endpoint telemetry </td> </tr> <tr> <td> 0e521e0452f113cdf8b5c2fa6580db1f </td> <td> MD5 hash </td> <td> Lynx ransomware sample (active, targeting U.S. government) </td> <td> Block in EDR; hunt in endpoint telemetry </td> </tr> <tr> <td> sheets[.]googleapis[.]com (anomalous patterns) </td> <td> Network behavior </td> <td> GRIDTIDE C2 channel </td> <td> Baseline and alert on anomalies (do NOT block) </td> </tr> </tbody> </table> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services (Revenue, Taxation, Treasury) </h3> State revenue and taxation systems process millions of taxpayer records containing SSNs, financial data, and banking information — making them prime targets for both ransomware operators seeking maximum extortion leverage and espionage actors seeking bulk PII. <ul> <li> Immediate: Verify SAP NetWeaver patching status for CVE-2025-31324 (CVSS 10.0). State financial systems running SAP are at critical risk. </li> <li> 7-day: Review all API integrations between tax/revenue systems and external services. GRIDTIDE's use of legitimate cloud APIs for C2 means that compromised integrations could exfiltrate financial data through approved channels. </li> <li> 30-day: Conduct a ransomware readiness assessment for tax filing season infrastructure. Ensure offline backups of taxpayer databases are current and tested. </li> </ul> <h3> Energy and Utilities Oversight </h3> State agencies that regulate or operate water/wastewater systems, power grid coordination, and pipeline safety are explicitly in the GRIDTIDE target set and face escalating Iranian threat activity against OT/SCADA environments. <ul> <li> Immediate: Segment SCADA/ICS networks from enterprise IT. Verify that no OT systems are accessible via Intune-managed devices that could be remotely wiped. </li> <li> 7-day: Audit remote access to OT environments. Iranian state-sponsored actors (MuddyWater, OilRig) historically target VPN and remote access infrastructure as initial entry points to OT networks. </li> <li> 30-day: Conduct a joint IT/OT tabletop exercise simulating an Iranian destructive attack on water treatment SCADA systems. Include scenarios for both hacktivist-level disruption (DDoS, defacement of HMI interfaces) and state-sponsored-level destruction (wiper deployment, safety system manipulation). </li> </ul> <h3> Healthcare (Health and Human Services, Medicaid, Public Health) </h3> State health agencies manage Medicaid enrollment, public health surveillance, and vital records — systems that ransomware operators have repeatedly demonstrated willingness to attack. The Medusa ransomware group and Lazarus Group (North Korea) are both actively targeting healthcare. <ul> <li> Immediate: Verify that Medicaid Management Information Systems (MMIS) and Electronic Health Record integrations have current, tested offline backups. </li> <li> 7-day: Review third-party vendor access to health data systems. The Stryker incident (a healthcare supply chain company) demonstrates that medical sector supply chains are actively targeted. </li> <li> 30-day: Assess compliance posture against updated HIPAA Security Rule requirements in light of the CIRCIA delay — state health agencies should not wait for federal reporting mandates to strengthen incident response capabilities. </li> </ul> <h3> Government Administration (Central IT, HR, Legal, Elections) </h3> Central IT services, human resources systems, and election infrastructure represent the core administrative functions that all other agencies depend on. Compromise here has cascading effects across the entire state. <ul> <li> Immediate: Enforce multi-admin approval for Intune high-impact operations. This is the single most important defensive action from this report. Audit all Entra ID Global Administrator and Intune Administrator accounts for MFA enforcement, conditional access compliance, and recent sign-in anomalies. </li> <li> 7-day: Issue a statewide advisory on the Storm-2561 trojanized VPN client campaign. Distribute official VPN client download links through internal portals. Consider blocking MSI execution from user Downloads directories for non-IT staff. </li> <li> 30-day: With election cycles approaching, conduct a focused assessment of election infrastructure isolation from enterprise IT. Ensure that a wiper attack on the enterprise Intune environment cannot cascade to election systems. </li> </ul> <h3> Aviation, Transportation, and Logistics (DOT, DMV, Transit) </h3> State transportation agencies manage traffic management systems, DMV databases, transit operations, and airport coordination — systems that are both operationally critical and contain significant PII. <ul> <li> Immediate: Verify that traffic management and transit SCADA systems are not accessible from Intune-managed endpoints. </li> <li> 7-day: Review DMV system access controls. DMV databases containing driver's license photos, SSNs, and addresses are high-value targets for both criminal and espionage actors. </li> <li> 30-day: Assess DDoS resilience of public-facing DMV and transit portals. Iranian hacktivist groups have demonstrated willingness to target government service portals for maximum public visibility. </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> Immediate (Within 48–72 Hours) </h3> <table> <thead> <tr> <th> # </th> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> Enforce multi-admin approval for all Microsoft Intune destructive operations (remote wipe, bulk retire, compliance policy changes). Audit every Intune admin account for MFA, conditional access, and sign-in anomalies. This is the #1 defensive priority from this report. </td> <td> Identity & Access Management / Endpoint Management </td> </tr> <tr> <td> 2 </td> <td> Inventory and patch all n8n instances to v1.120.4+, v1.121.1+, or v1.122.0+. Include contractor and MSP environments. If patching cannot be completed within 72 hours, restrict n8n to trusted internal users and remove internet exposure. </td> <td> Vulnerability Management / Application Security </td> </tr> <tr> <td> 3 </td> <td> Issue a statewide employee advisory: Do not download VPN clients from search engines. Distribute official Ivanti/SonicWall/Cisco client links via internal IT portal only. </td> <td> Security Operations / Internal Communications </td> </tr> <tr> <td> 4 </td> <td> Deploy Lynx ransomware IOCs (MD5: 7e851829ee37bc0cf65a268d1d1baa7a, 0e521e0452f113cdf8b5c2fa6580db1f) to EDR block lists and conduct a retroactive hunt across endpoint telemetry. </td> <td> SOC / Endpoint Security </td> </tr> </tbody> </table> <h3> 7-Day Actions (By 21 March 2026) </h3> <table> <thead> <tr> <th> # </th> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> 5 </td> <td> Baseline and monitor Google Sheets API traffic from state networks. Deploy detection for anomalous sheets.googleapis.com access patterns (non-browser user agents, high-frequency API calls, after-hours activity). </td> <td> SOC / Network Security </td> </tr> <tr> <td> 6 </td> <td> Verify patching status for CVE-2025-55182 (React Server Components, CVSS 10.0), CVE-2025-2783 (Chrome sandbox escape, CVSS 8.3), and CVE-2025-31324 (SAP NetWeaver, CVSS 10.0). Prioritize internet-facing React applications and SAP systems. </td> <td> Vulnerability Management </td> </tr> <tr> <td> 7 </td> <td> Conduct a tabletop exercise: "Iranian hacktivist wiper attack on state infrastructure via cloud admin compromise." Scenarios should include Intune mass wipe, Entra ID disruption, and Exchange Online defacement. Include the CISO, CIO, agency IT directors, legal counsel, and public communications. </td> <td> CISO Office / Incident Response </td> </tr> <tr> <td> 8 </td> <td> Review and harden conditional access policies in Entra ID. Ensure that administrative actions from non-compliant devices, unfamiliar locations, or without phishing-resistant MFA are blocked — not just challenged. </td> <td> Identity & Access Management </td> </tr> </tbody> </table> <h3> 30-Day Actions (By 13 April 2026) </h3> <table> <thead> <tr> <th> # </th> <th> Action </th> <th> Owner </th> </tr> </thead> <tbody> <tr> <td> 9 </td> <td> Conduct a DDoS resilience assessment for all public-facing state web services (citizen portals, tax filing, benefits enrollment, DMV). Validate CDN and WAF configurations. Iranian hacktivist DDoS campaigns have hit government targets in 16 countries. </td> <td> Network Security / Web Services </td> </tr> <tr> <td> 10 </td> <td> Engage MS-ISAC for an updated threat briefing given CISA's reduced operational capacity. Identify alternative intelligence sources (state ISACs, sector ISACs, commercial threat intelligence). Assess whether current intelligence subscriptions provide adequate coverage for the elevated threat environment. </td> <td> CTI / CISO Office </td> </tr> <tr> <td> 11 </td> <td> Assess the state's whole-of-state cybersecurity posture against the March 2025 Executive Order requirements. Identify county and municipal dependencies that may lack independent cyber defense capability and could serve as pivot points into state networks. </td> <td> CISO Office / Governance </td> </tr> <tr> <td> 12 </td> <td> Review and update the state's cyber incident response plan to account for the CIRCIA delay. Ensure that internal incident reporting timelines, escalation procedures, and communication templates are current — do not wait for federal mandates to formalize what should already be operational. </td> <td> Incident Response / Legal </td> </tr> </tbody> </table> <h2> The Bottom Line </h2> The threat environment facing state government has shifted in five material ways this week. First, a proven attack technique now exists for weaponizing Microsoft Intune — the same platform managing your endpoints — as a mass-destruction tool. Second, a Chinese espionage campaign that has been operating for nine years across government, telecom, and energy networks uses a command-and-control method (Google Sheets) that most state security monitoring will not detect. Third, trojanized VPN client installers are being distributed through search engine poisoning, targeting the routine software downloads your employees perform every day. Fourth, critical vulnerabilities in n8n, SAP NetWeaver, and React Server Components are being actively exploited against internet-facing government systems. Fifth, the federal agency you depend on most for cyber support is operating at reduced capacity during the most active Iranian cyber campaign since 2020. None of these threats require a sophisticated zero-day exploit to succeed against a state government network. They require a compromised admin credential, an unpatched automation tool, or an employee who downloads a VPN client from a search engine instead of an internal portal. The decisions that matter most this week are not about buying new technology. They are about hardening the administrative controls on tools you already have (Intune multi-admin approval), patching what is already exposed (n8n, SAP, React, Chrome), and preparing your people for an incident that is statistically likely within the next 30 days. The window between awareness and action is narrowing. Act on the immediate recommendations within 48 hours.

FEATURED RESOURCES

March 13, 2026

Anomali Cyber Watch