The Cyber Front Intensifies: Iranian Operations Expand Into New Domains as Diplomacy Collapses

Anomali Threat Research

Published on

April 30, 2026

Table of Contents

Threat Assessment Level: HIGH — ESCALATING Two months into the U.S.–Iran conflict, the cyber dimension is no longer a sideshow — it is a primary theater of operations. The collapse of diplomatic negotiations on April 28, combined with the continued U.S. naval blockade of the Strait of Hormuz, has eliminated the last visible off-ramp for de-escalation. Iranian state cyber actors are responding with expanded targeting, unprecedented psychological operations against U.S. military personnel, and firmware-level persistence capabilities that survive standard patching. This is not a drill. If your organization touches U.S. critical infrastructure, defense industrial base supply chains, Gulf-region connectivity, or military support operations, you are in the target set — whether you know it or not. <h2> What Changed This Week </h2> Seven developments from the past seven days fundamentally alter the defensive calculus: <ol> <li> Iran publicly maps Gulf internet infrastructure for destruction. IRGC-affiliated Tasnim News Agency published detailed maps identifying seven undersea internet cables transiting the Strait of Hormuz — infrastructure carrying approximately 30% of Gulf internet capacity. This is an explicit hybrid-warfare signal: “We know where your digital backbone is, and we can reach it.” </li> <li> Handala escalates from data theft to direct psychological warfare against U.S. troops. Following the April 29 publication of personally identifiable information for 2,379 U.S. Marines stationed in Bahrain, the MOIS-linked group sent threatening WhatsApp messages directly to service members at NAVCENT Bahrain on April 28. This is the first confirmed direct-messaging intimidation campaign against active-duty U.S. military personnel by an Iranian cyber group in this conflict. </li> <li> FIRESTARTER backdoor survives Cisco patching. CISA’s Malware Analysis Report (MAR AR26-113A, published April 23) confirmed that a firmware-persistent backdoor on a federal Cisco ASA/FTD Firepower device cannot be removed by standard patching. Full device reimaging is required. This represents either a significant Iranian capability upgrade or third-party (possibly Chinese) exploitation of the conflict as operational cover. </li> <li> Samsung MagicINFO actively exploited; added to CISA KEV. CVE-2024-7399 (CVSS 8.8) was added to the CISA Known Exploited Vulnerabilities catalog on April 24, with Mirai botnet variants confirmed actively exploiting Samsung MagicINFO 9 Server digital signage systems. These devices are common entry points in enterprise and healthcare environments and are frequently overlooked in patch cycles. </li> <li> CISA issues GRASSMARLIN ICS advisory. On April 28, CISA published an advisory for CVE-2026-6807, an XXE vulnerability in NSA’s GRASSMARLIN v3.2.1 OT network mapping tool. Exploitation could expose complete ICS/SCADA topology to adversaries — precisely the type of intelligence that would enable targeted attacks on energy and industrial infrastructure. </li> <li> New Iran-nexus cluster UNC6717 identified targeting Farsi-speaking dissidents. Google TAG reported a newly identified Iran-nexus cluster using malicious LNK files disguised as protest-related content and MSI installers masquerading as VPN clients. This confirms the regime is simultaneously conducting external offensive cyber operations and internal dissident suppression — a dual-front posture consistent with prior conflict escalation patterns. </li> <li> Russian and criminal infrastructure converges on Iranian ASNs. Intelligence collection identified APT28-tagged infrastructure, TA505/Gozi, and Transparent Tribe staging all hosted on Iranian autonomous systems. The convergence on AS213790 in particular suggests either deliberate infrastructure sharing or a permissive hosting environment serving multiple threat actors — complicating attribution and expanding the threat surface on Iranian-hosted networks. </li> </ol> <h2> Conflict & Threat Timeline </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> U.S.–Iran conflict begins (Operation Epic Fury) </td> <td> Kinetic operations commence </td> </tr> <tr> <td> 11 Mar 2026 </td> <td> Handala/Void Manticore wipes 200,000 Stryker endpoints via Intune MDM abuse </td> <td> Largest destructive Iranian cyber operation of the conflict </td> </tr> <tr> <td> 27 Mar 2026 </td> <td> Handala compromises FBI Director’s personal email </td> <td> Demonstrates reach into senior U.S. leadership </td> </tr> <tr> <td> 13 Apr 2026 </td> <td> U.S. initiates naval blockade of Strait of Hormuz </td> <td> Escalation trigger for Iranian retaliation </td> </tr> <tr> <td> 22 Apr 2026 </td> <td> IRGC-linked Tasnim publishes maps of 7 Hormuz undersea cables </td> <td> Signals intent to target telecommunications backbone </td> </tr> <tr> <td> 22 Apr 2026 </td> <td> Iran seizes commercial vessels in Strait of Hormuz </td> <td> Kinetic escalation parallels cyber operations </td> </tr> <tr> <td> 23 Apr 2026 </td> <td> CISA publishes FIRESTARTER MAR — firmware persistence confirmed </td> <td> Patching insufficient; full reimaging required </td> </tr> <tr> <td> 24 Apr 2026 </td> <td> CVE-2024-7399 (Samsung MagicINFO) added to CISA KEV </td> <td> Active exploitation by Mirai botnet variants </td> </tr> <tr> <td> 28 Apr 2026 </td> <td> CISA publishes GRASSMARLIN ICS advisory (CVE-2026-6807) </td> <td> OT network mapping tool vulnerable to data exfiltration </td> </tr> <tr> <td> 28 Apr 2026 </td> <td> Trump administration rejects Iran peace proposal </td> <td> Eliminates diplomatic off-ramp </td> </tr> <tr> <td> 28 Apr 2026 </td> <td> Handala sends threatening WhatsApp messages to U.S. troops in Bahrain </td> <td> First direct PSYOP against individual military personnel </td> </tr> <tr> <td> 29 Apr 2026 </td> <td> Handala publishes PII of 2,379 USMC personnel on Telegram </td> <td> Largest military personnel data exposure of the conflict </td> </tr> </tbody> </table> <h2> Key Threat Analysis </h2> <h3> Iranian State Actors: A Multi-Layered Offensive </h3> The Iranian cyber apparatus is operating across at least six distinct actor groups, spanning both MOIS (Ministry of Intelligence and Security) and IRGC (Islamic Revolutionary Guard Corps) organizational lines: MOIS-Linked Operations: - Handala / Void Manticore — The most aggressive actor of the conflict. Responsible for the Stryker MDM wipe (200K endpoints), FBI Director email compromise, USMC personnel doxxing, and WhatsApp intimidation campaign. Operating at the intersection of destructive attacks, espionage, and psychological operations. - UNC1860 / Scarred Manticore — MOIS access broker providing initial access to other Iranian operators. Maintains persistent footholds in target networks. - APT34 / OilRig — MOIS espionage group with expanding infrastructure footprint. - UNC6717 — Newly identified Iran-nexus cluster targeting Farsi-speaking dissidents with malicious LNK files disguised as protest-related content and MSI installers masquerading as VPN clients. Indicates the regime is simultaneously conducting external cyber operations and internal dissident suppression. IRGC-Linked Operations: - Refined Kitten / APT33 — IRGC aerospace-focused espionage group. Suspected of maintaining dormant access in Defense Industrial Base contractor networks — a 50+ day intelligence gap that represents the single most dangerous blind spot in current collection. - Cyber Av3ngers — IRGC-CEC’s hacktivist brand responsible for the Unitronics PLC campaign. Currently quiet — possibly retooling or operating under a new persona. Hybrid Criminal-State: - Pioneer Kitten / UNC757 — Operating as a ransomware-as-a-service affiliate while simultaneously serving Iranian state intelligence objectives. Blurs the line between criminal and state activity. Foreign Actor Convergence: - APT28 (Russian GRU) — Infrastructure tagged to APT28 has been observed on Iranian ASN 213790 (Limited Network), alongside other malware families. This convergence suggests either shared hosting infrastructure or emerging Russian-Iranian operational coordination. <h3> Critical Vulnerabilities Under Active Exploitation </h3> <table> <thead> <tr> <th> CVE </th> <th> Product </th> <th> CVSS </th> <th> Status </th> <th> Threat Context </th> </tr> </thead> <tbody> <tr> <td> CVE-2025-20333 </td> <td> Cisco ASA/FTD VPN Web Server </td> <td> 9.9 CRITICAL </td> <td> Actively exploited; FIRESTARTER backdoor deployed </td> <td> Federal agency compromised; firmware persistence survives patching </td> </tr> <tr> <td> CVE-2024-7399 </td> <td> Samsung MagicINFO 9 Server </td> <td> 8.8 HIGH </td> <td> KEV-listed 24 Apr; Mirai exploitation confirmed </td> <td> Digital signage systems as network entry point </td> </tr> <tr> <td> CVE-2026-6807 </td> <td> NSA GRASSMARLIN v3.2.1 </td> <td> 5.5 MEDIUM </td> <td> No exploitation observed yet </td> <td> XXE vulnerability in OT network mapping tool — could expose complete ICS topology to adversaries </td> </tr> </tbody> </table> <h3> The FIRESTARTER Problem: When Patching Isn’t Enough </h3> The FIRESTARTER backdoor discovered on a federal Cisco Firepower device represents a paradigm shift. Exploiting CVE-2025-20333 for initial access, the implant achieves firmware-level persistence — meaning it survives standard software updates and patching. CISA’s guidance requires full device reimaging. This capability was previously associated only with the most sophisticated nation-state actors (NSA’s Equation Group, China’s Volt Typhoon). Its appearance in the Iran conflict context — whether Iranian-origin or Chinese opportunistic exploitation — means every organization running Cisco ASA/FTD must treat patching as necessary but insufficient. Firmware integrity verification is now mandatory. <h2> Predictive Analysis: What Comes Next </h2> Based on the current trajectory — diplomatic failure, continued blockade, and escalating Iranian cyber tempo — we assess the following probabilities for the next 7–30 days: <table> <thead> <tr> <th> Probability </th> <th> Scenario </th> <th> Timeframe </th> <th> Basis </th> </tr> </thead> <tbody> <tr> <td> 70% </td> <td> Handala releases additional doxxed U.S. military personnel data, expanding beyond Bahrain to other CENTCOM installations </td> <td> 7 days </td> <td> Pattern established; data likely already exfiltrated; IO campaign is escalating </td> </tr> <tr> <td> 50% </td> <td> Iranian-aligned actors attempt exploitation of CVE-2026-6807 (GRASSMARLIN) once PoC becomes available </td> <td> 30 days </td> <td> OT network maps are exactly what Tasnim’s cable mapping signals interest in </td> </tr> <tr> <td> 40% </td> <td> Cyber Av3ngers or successor brand re-emerges with OT/ICS attack claim </td> <td> 14 days </td> <td> Historical pattern of IRGC-CEC activity timed to diplomatic inflection points </td> </tr> <tr> <td> 35% </td> <td> Physical disruption of at least one Hormuz-transiting undersea cable </td> <td> 30 days </td> <td> Tasnim mapping is a deliberate signal; Iran has demonstrated willingness to escalate kinetically </td> </tr> <tr> <td> 30% </td> <td> MuddyWater (MOIS) launches new campaign after current operational pause </td> <td> 14 days </td> <td> MOIS pauses of 2+ weeks historically precede retooling and new infrastructure deployment </td> </tr> <tr> <td> 25% </td> <td> Dormant Iranian access in DIB contractor networks activates for data destruction or exfiltration </td> <td> 30 days </td> <td> 50+ day quiet period during peak escalation; historical precedent (CISA AA22-320A) </td> </tr> </tbody> </table> <h2> SOC Operational Guidance </h2> <h3> Detection Engineering Priorities </h3> Hunt Hypothesis 1: Cisco Firmware Tampering (FIRESTARTER) - ATT&CK: T1542.004 (Pre-OS Boot: ROMMONkit), T1190 (Exploit Public-Facing Application) - Detection: Compare running firmware hashes against known-good Cisco TAC baselines. Monitor for unexpected reboots of ASA/FTD devices. Alert on any Cisco device that reports successful patch application but exhibits anomalous post-patch behavior (unexpected outbound connections, configuration changes not initiated by administrators). - Hunt query: Identify all Cisco ASA/FTD devices exposed to the internet → cross-reference patch status for CVE-2025-20333 → schedule firmware integrity verification for each. Hunt Hypothesis 2: MDM Abuse for Destructive Operations (Handala Pattern) - ATT&CK: T1531 (Account Access Removal), T1078.004 (Valid Accounts: Cloud Accounts) - Detection: Monitor Microsoft Intune/Entra ID for bulk device wipe commands, especially outside maintenance windows. Alert on new Global Administrator or Intune Administrator role assignments. Detect anomalous conditional access policy modifications. - Hunt query: Review Intune audit logs for device wipe commands issued in the past 90 days → correlate with administrator authentication events → flag any wipe commands from unusual geolocations or new admin accounts. Hunt Hypothesis 3: Iranian VPN Exploitation for DIB Pre-Positioning (PIR-007) - ATT&CK: T1133 (External Remote Services), T1078 (Valid Accounts), T1567.002 (Exfiltration to Cloud Storage) - Detection: Monitor for Rclone or similar cloud sync tools communicating with Wasabi/Backblaze storage. Alert on VPN authentications from Iranian IP ranges or known Fox Kitten infrastructure. Detect GitHub-hosted tooling downloads from corporate endpoints. - Hunt query: Search VPN logs for authentication from AS44208, AS57497, AS213790, AS215930 → correlate with any subsequent lateral movement or data staging activity. Hunt Hypothesis 4: WhatsApp/Messaging-Based Social Engineering - ATT&CK: T1566.002 (Phishing: Spearphishing Link), T1589.002 (Gather Victim Identity Information) - Detection: While WhatsApp content is end-to-end encrypted, monitor for corporate credential phishing links shared via mobile devices. Brief personnel on reporting procedures for threatening messages. Monitor Telegram channels associated with Handala for pre-publication indicators of upcoming data dumps. Hunt Hypothesis 5: OT Network Reconnaissance via GRASSMARLIN Exploitation - ATT&CK: T1005 (Data from Local System), T1059.007 (Command and Scripting Interpreter: XML) - Detection: If GRASSMARLIN is deployed, monitor for unexpected XML file imports or parsing activity. Restrict network access to GRASSMARLIN workstations. Alert on any outbound data transfer from systems hosting GRASSMARLIN session files. <h3> ASN-Level Monitoring </h3> Add the following autonomous systems to enhanced monitoring (not blocking — legitimate traffic may transit these networks, but any C2 beaconing to these ASNs warrants immediate investigation): <ul> <li> AS213790 — Limited Network (Iran) — Multiple APT28-tagged IPs and unknown malware C2 </li> <li> AS57497 — Faraso Samaneh Pasargad (Iran) — Phishing infrastructure </li> <li> AS44208 — Farahoosh Dena (Iran) — Transparent Tribe staging </li> <li> AS215930 — Cipher Operations (Iran) — TA505/Gozi infrastructure </li> </ul> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> The Hormuz undersea cable threat directly impacts Gulf financial systems. If cables carrying 30% of Gulf internet capacity are disrupted, SWIFT messaging, interbank settlement, and trading platform connectivity for GCC institutions will degrade or fail. <ul> <li> Immediate: Verify that disaster recovery and business continuity plans account for Gulf connectivity loss — not just data center failover, but complete loss of submarine cable paths (FLAG, FALCON, Gulf Bridge International). </li> <li> 7-Day: Test failover to satellite or terrestrial backup links for any operations dependent on Gulf-transiting connectivity. </li> <li> 30-Day: Engage with telecommunications providers to understand cable route diversity and single points of failure. </li> <li> Monitor for: BlackNET RAT (195.24.236[.]8) and SmartLoader (213.176.73[.]163) targeting financial sector endpoints — both are commodity malware frequently used as initial access for more sophisticated follow-on operations. </li> </ul> <h3> Energy </h3> Iranian targeting of energy infrastructure is a defining feature of this conflict. The Cyber Av3ngers’ Unitronics PLC campaign established the template; the Hormuz cable mapping suggests expansion from OT/ICS to telecommunications infrastructure that energy SCADA systems depend on. <ul> <li> Immediate: Verify segmentation between IT and OT networks. Confirm that SCADA/RTU systems cannot reach the internet directly. </li> <li> 7-Day: If GRASSMARLIN is used for OT network visualization, restrict XML import functionality and isolate GRASSMARLIN workstations from internet-connected networks until CVE-2026-6807 is patched. </li> <li> 30-Day: Implement CISA/DoD/DOE Zero Trust OT guidance (published 29 April 2026). Deploy unidirectional gateways for SCADA telemetry. Implement OT-specific EDR on Historian servers. </li> <li> Monitor for: Cyber Av3ngers re-emergence or successor brand targeting Unitronics, Honeywell BMS, Yokogawa CENTUM, or Siemens SICAM systems. </li> </ul> <h3> Healthcare </h3> Healthcare organizations face dual risk: commodity malware (BlackNET RAT, SmartLoader) for ransomware delivery, and potential Iranian targeting of healthcare as critical infrastructure during conflict escalation. <ul> <li> Immediate: Verify that Samsung MagicINFO digital signage systems (common in hospital lobbies and wayfinding) are patched for CVE-2024-7399 — active Mirai exploitation confirmed. </li> <li> 7-Day: Review Intune/MDM configurations for healthcare mobile device fleets. The Handala MDM abuse pattern (bulk device wipe via compromised Intune admin) is directly applicable to healthcare organizations managing clinical tablets and mobile workstations. </li> <li> 30-Day: Conduct tabletop exercise for scenario where Iranian actors target healthcare OT (building management systems, HVAC, medical device networks) as retaliatory critical infrastructure attack. </li> <li> Monitor for: Anomalous Entra ID administrative actions, especially new Global Admin assignments or bulk conditional access policy changes. </li> </ul> <h3> Government </h3> Federal, state, and local government entities are confirmed targets. FIRESTARTER was discovered on a federal Cisco Firepower device. Handala has demonstrated the ability to compromise senior officials’ personal communications. <ul> <li> Immediate: All Cisco ASA/FTD devices must undergo firmware integrity verification — not just patch status confirmation. CISA MAR AR26-113A provides specific guidance. </li> <li> 7-Day: Brief all personnel with access to classified or sensitive systems on the Handala WhatsApp/Telegram PSYOP pattern. Establish reporting procedures for threatening messages received on personal devices. </li> <li> 30-Day: Audit personal email security for senior officials. The FBI Director compromise (27 March) demonstrates that personal accounts are a viable attack vector for accessing official communications and contacts. </li> <li> Monitor for: Authentication anomalies on VPN concentrators, especially from Iranian ASN ranges. Any Cisco device exhibiting post-patch behavioral anomalies. </li> </ul> <h3> Aviation & Logistics </h3> The Defense Industrial Base (specifically aerospace and avionics supply chains) faces the highest-consequence risk from dormant Iranian access. APT33/Refined Kitten’s historical focus on aerospace, combined with a 50+ day intelligence gap on DIB pre-positioning, creates an unacceptable blind spot. <ul> <li> Immediate: Review VPN authentication logs for the past 90 days, specifically looking for connections from Iranian IP ranges, Tor exit nodes, or known Fox Kitten/Pioneer Kitten infrastructure. </li> <li> 7-Day: Hunt for Rclone, Wasabi, or Backblaze cloud sync tools on any endpoint with access to controlled unclassified information (CUI) or ITAR-controlled data. Search for GitHub-hosted tooling downloads. </li> <li> 30-Day: Engage DC3 (Defense Counterintelligence and Security Agency Cyber Crime Center) and DIB-ISAC for threat sharing on Iranian pre-positioning indicators specific to aerospace supply chains. </li> <li> Monitor for: Anomali ThreatStream Next-Gen campaign reporting on fake resumes hosted on GitHub targeting aerospace companies (active campaign identified in current collection). Any anomalous data staging or exfiltration patterns from engineering workstations. </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> SOC </td> <td> Block all 8 confirmed Iranian-hosted C2 IPs at perimeter firewalls and add to SIEM correlation rules </td> </tr> <tr> <td> 2 </td> <td> IT Ops / Network </td> <td> Initiate firmware integrity verification on ALL Cisco ASA/FTD devices per CISA MAR AR26-113A — patching alone does not remediate FIRESTARTER </td> </tr> <tr> <td> 3 </td> <td> IT Ops </td> <td> If GRASSMARLIN v3.2.1 is deployed, disable XML import functionality and isolate from network until CVE-2026-6807 patch is available </td> </tr> <tr> <td> 4 </td> <td> SOC </td> <td> Deploy detection rules for bulk Intune device wipe commands and anomalous Entra ID Global Administrator role assignments </td> </tr> <tr> <td> 5 </td> <td> Security Awareness </td> <td> Issue flash advisory to all personnel at CENTCOM-affiliated installations regarding WhatsApp-based threatening messages — establish reporting channel </td> </tr> </tbody> </table> <h3> 7-DAY Actions </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 6 </td> <td> IT Ops </td> <td> Upgrade all Samsung MagicINFO 9 Server instances to version ≥21.1050 (CVE-2024-7399, KEV-listed, active Mirai exploitation) </td> </tr> <tr> <td> 7 </td> <td> CISO / Threat Hunt </td> <td> Commission dedicated threat hunt for Fox Kitten/APT33 dormant access in DIB contractor VPN infrastructure — focus on Rclone/Wasabi exfiltration patterns </td> </tr> <tr> <td> 8 </td> <td> SOC </td> <td> Implement enhanced monitoring for AS213790, AS57497, AS44208, AS215930 — alert on any beaconing to these Iranian ASNs </td> </tr> <tr> <td> 9 </td> <td> IR Team </td> <td> Pre-stage incident response retainers and playbooks for firmware-level compromise scenarios (Cisco ASA/FTD reimaging at scale) </td> </tr> <tr> <td> 10 </td> <td> Executive / Legal </td> <td> Brief board and legal counsel on Handala personnel data exposure — assess notification obligations if employee PII is among leaked data </td> </tr> </tbody> </table> <h3> 30-DAY Actions </h3> <table> <thead> <tr> <th> Priority </th> <th> Owner </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 11 </td> <td> CISO / Business Continuity </td> <td> Develop contingency plan for Gulf undersea cable disruption — identify backup connectivity for operations dependent on FLAG, FALCON, or Gulf Bridge International cables </td> </tr> <tr> <td> 12 </td> <td> IT Ops / OT </td> <td> Adopt CISA/DoD/DOE Zero Trust OT guidance — implement network segmentation, unidirectional gateways, and OT-specific EDR on Historian servers </td> </tr> <tr> <td> 13 </td> <td> CISO </td> <td> Engage DC3 and DIB-ISAC for enhanced threat sharing on Iranian pre-positioning in aerospace supply chains </td> </tr> <tr> <td> 14 </td> <td> Executive </td> <td> Conduct tabletop exercise: “Iranian dormant access activates in DIB network during escalation” — test detection, containment, and communication procedures </td> </tr> <tr> <td> 15 </td> <td> Telecom / Infrastructure </td> <td> Engage submarine cable operators to understand route diversity and pre-position satellite/terrestrial failover for critical communications </td> </tr> </tbody> </table> <h2> The Bottom Line </h2> Sixty-one days into this conflict, we are watching Iranian cyber operations evolve in real time. The pattern is clear and accelerating: Phase 1 (March): Destructive attacks on military systems (Stryker wipe) and intelligence collection (FBI Director compromise). Phase 2 (April): Psychological operations targeting individual service members by name, firmware-level persistence on federal network infrastructure, and explicit signaling of intent to attack telecommunications backbone. Phase 3 (May — anticipated): Activation of dormant access in critical infrastructure and defense industrial base networks, potential physical disruption of undersea cables, and re-emergence of IRGC hacktivist brands with OT/ICS targeting. The diplomatic failure of April 28 removed the last constraint on Iranian escalation. The 50+ day silence on Defense Industrial Base pre-positioning is not reassurance — it is the most dangerous signal in the current intelligence picture. Dormant access exists. The question is not if it will be used, but when and against whom . Every day without a proactive hunt for that access is a day closer to discovering it through incident response rather than threat intelligence. Act now. The adversary already has.

FEATURED RESOURCES

April 30, 2026

Anomali Cyber Watch