<p><strong>Threat Assessment Level: ELEVATED</strong></p>
<p><em>Maintained from the prior cycle. The state government threat environment remains under compounding pressure from active exploitation of enterprise mobile device management infrastructure, sustained software supply chain attacks, a structurally weakened federal cyber support posture, and an escalating Iranian cyber campaign generating thousands of operations against U.S. targets. No single event this cycle warranted escalation to HIGH, but the convergence of these vectors demands sustained vigilance.</em></p>
<h2><strong>Introduction</strong></h2>
<p>State government CISOs and CIOs face a threat environment in early April 2026 that is defined not by a single dramatic breach, but by the simultaneous erosion of multiple defensive layers. Attackers are actively exploiting Ivanti mobile device management platforms used across government agencies. The npm developer ecosystem — the backbone of modern web application development — is under sustained supply chain attack. And the federal agency most responsible for supporting state-level cyber defense, CISA, has absorbed a 34% workforce reduction and a 20% budget cut that will directly diminish the surge capacity, threat intelligence sharing, and election security support that state IT organizations depend on.</p>
<p>Meanwhile, Iranian state-affiliated cyber groups have conducted nearly 5,800 tracked attacks against U.S. and allied interests, and the ransomware groups most focused on government targets — Qilin, Akira, DragonForce, Everest, and Interlock — remain active as tax season approaches.</p>
<p>This is not a future scenario. These are concurrent, active threats. This post breaks down what changed, what it means for your agencies, and what your teams should do this week.</p>
<h2><strong>What Changed</strong></h2>
<p><strong>Ivanti EPMM Under Active Exploitation — Again.</strong> A new campaign exploiting <strong>CVE-2026-1281</strong> and <strong>CVE-2026-1340</strong> in Ivanti Endpoint Manager Mobile (EPMM) was identified targeting government, financial services, transportation, and manufacturing organizations across six countries. Ivanti EPMM has been a serial target: CVE-2023-35078 (CVSS 9.8), CVE-2023-35082 (CVSS 9.8), and CVE-2023-35081 (CVSS 7.2) were all previously added to CISA’s Known Exploited Vulnerabilities catalog. Any state agency using Ivanti for mobile device management should treat this as an active threat to their environment.</p>
<p><strong>CISA Budget Cuts Quantified.</strong> Detailed analysis published on April 1 confirms CISA’s FY2026 budget request of $2.4 billion — down from $3.0 billion in FY2025, a 20% reduction. Staffing drops from 4,021 to 2,649 positions. Specific cuts include 14 positions and $40 million from election security, $45 million from cyber defense education and training, and 35 positions plus $70 million from the National Risk Management Center. By January 2026, 998 departures, layoffs, and transfers had already been confirmed.</p>
<p><strong>Claude Code Source Map Leak Expands Supply Chain Risk.</strong> Community researchers discovered that Anthropic’s Claude Code CLI v2.1.88 shipped with a source map file (cli.js.map) that exposes internal logic, feature flags, and configuration surfaces. While not a breach, this dramatically lowers the cost of building convincing trojanized imitations — directly relevant as the npm ecosystem remains under sustained attack following the Axios supply chain compromise discovered on March 31.</p>
<p><strong>ICS/OT Advisories Continue to Accumulate.</strong> CISA published advisories for WAGO Industrial Managed Switches (unauthenticated remote attacker can achieve full system compromise via hidden CLI function escape) and Anritsu Remote Spectrum Monitors (network-accessible attackers can alter operational settings). State facilities using these devices in building management or operational technology environments are directly exposed.</p>
<p><strong>Living-off-the-Land Dominates the Threat Landscape.</strong> Analysis of 700,000+ high-severity incidents confirms that 84% now abuse legitimate system tools — PowerShell, WMIC, Certutil — rather than deploying custom malware. Up to 95% of access to these risky tools is unnecessary across typical enterprise environments.</p>
<p><strong>Iranian Cyber Operations Escalating.</strong> Intelligence tracking identifies nearly 5,800 cyberattacks from approximately 50 Iran-linked groups targeting U.S. and Israeli interests. The March 19 DOJ seizure of Iranian cyber infrastructure triggered retaliatory operations, including Handala/Void Manticore’s claimed breach of the FBI Director’s personal email on March 27. MuddyWater (MOIS-affiliated) continues parallel espionage operations, and UNC5203 is conducting OT pre-positioning in critical infrastructure.</p>
<p><strong>Ransomware Groups Remain Government-Focused.</strong> Qilin, Akira, DragonForce, Everest, and Interlock all show continued targeting of government and public services. The public release of a proof-of-concept for Citrix NetScaler CVE-2026-3055 (CVSS 9.3) on March 24 provides these groups with a new initial access vector; ransomware weaponization is assessed at 85% probability.</p>
<h2><strong>Threat Timeline</strong></h2>
<table>
<thead>
<tr>
<th>
<p>Date</p>
</th>
<th>
<p>Event</p>
</th>
<th>
<p>Impact</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>Mar 4, 2026</p>
</td>
<td>
<p>Tycoon2FA MFA-bypass phishing platform taken down</p>
</td>
<td>
<p>Platform has since fully reconstituted; actively targeting Microsoft 365 environments</p>
</td>
</tr>
<tr>
<td>
<p>Mar 10, 2026</p>
</td>
<td>
<p>Last observed Volt Typhoon activity update</p>
</td>
<td>
<p>22-day silence from a China-nexus actor known for pre-positioning in U.S. critical infrastructure</p>
</td>
</tr>
<tr>
<td>
<p>Mar 19, 2026</p>
</td>
<td>
<p>DOJ seizes Iranian cyber infrastructure</p>
</td>
<td>
<p>Triggered retaliatory operations from IRGC-affiliated groups</p>
</td>
</tr>
<tr>
<td>
<p>Mar 24, 2026</p>
</td>
<td>
<p>Public PoC released for CVE-2026-3055 (Citrix NetScaler, CVSS 9.3)</p>
</td>
<td>
<p>Ransomware weaponization by Qilin, Play, and Akira assessed at 85% probability within 7–14 days</p>
</td>
</tr>
<tr>
<td>
<p>Mar 27, 2026</p>
</td>
<td>
<p>Handala/Void Manticore claims breach of FBI Director’s personal email</p>
</td>
<td>
<p>Escalation in Iranian retaliatory cyber operations</p>
</td>
</tr>
<tr>
<td>
<p>Mar 29, 2026</p>
</td>
<td>
<p>DragonForce ransomware group activity update — government targeting confirmed</p>
</td>
<td>
<p>Continued focus on government and public services sector</p>
</td>
</tr>
<tr>
<td>
<p>Mar 31, 2026</p>
</td>
<td>
<p>Axios npm supply chain compromise discovered (trojanized v1.14.1, v0.30.4)</p>
</td>
<td>
<p>Cross-platform RATs deployed; estimated 80% of cloud environments use Axios</p>
</td>
</tr>
<tr>
<td>
<p>Mar 31, 2026</p>
</td>
<td>
<p>Ivanti EPMM campaign intelligence updated — CVE-2026-1281 & CVE-2026-1340</p>
</td>
<td>
<p>Active exploitation against government targets across six countries</p>
</td>
</tr>
<tr>
<td>
<p>Mar 31, 2026</p>
</td>
<td>
<p>Claude Code CLI v2.1.88 source map leak discovered</p>
</td>
<td>
<p>Lowers barrier to building convincing trojanized AI developer tools</p>
</td>
</tr>
<tr>
<td>
<p>Apr 1, 2026</p>
</td>
<td>
<p>CISA FY2026 budget analysis published: −20% funding, −34% staff</p>
</td>
<td>
<p>Reduced federal surge support, threat intelligence sharing, and election security assistance for states</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>Key Threat Analysis</strong></h2>
<h3><strong>1. Ivanti EPMM: The Vulnerability That Keeps Giving</strong></h3>
<p>Ivanti’s Endpoint Manager Mobile has become one of the most persistently exploited products in government IT. The new campaign exploiting <strong>CVE-2026-1281</strong> and <strong>CVE-2026-1340</strong> follows a pattern established by CVE-2023-35078, CVE-2023-35082, CVE-2023-35081, and CVE-2024-7612 — all of which were exploited in the wild against government targets. The threat actor behind the current campaign remains unattributed, but the targeting profile (government, financial services, transportation) and exploitation pattern (unauthenticated API access for initial access, followed by credential harvesting) are consistent with both nation-state and sophisticated criminal operations.</p>
<p>State agencies running Ivanti EPMM for mobile device management should assume they are in the targeting aperture and verify patch status immediately.</p>
<h3><strong>2. The npm Ecosystem Is a Battlefield</strong></h3>
<p>Two events this cycle reinforce that the npm package ecosystem — used by virtually every modern web development team — is under coordinated attack. The <strong>Axios supply chain compromise</strong> (March 31) injected cross-platform remote access trojans into trojanized versions of one of the most widely used HTTP client libraries. The <strong>Claude Code source map leak</strong> (March 31) exposed internal logic that could be used to build convincing trojanized imitations of AI coding assistants.</p>
<p>These are not isolated incidents. They represent a sustained campaign against developer infrastructure. State IT modernization initiatives, citizen portal development teams, and any agency using JavaScript-based applications are exposed.</p>
<h3><strong>3. CISA’s Structural Degradation Changes the Math</strong></h3>
<p>The 34% workforce reduction and 20% budget cut at CISA is not a future risk — it is a present reality. The specific cuts to election security (−$40M), cyber defense training (−$45M), and the National Risk Management Center (−$70M, −35 positions) directly reduce the federal government’s ability to support state defenders during incidents, share threat intelligence, and coordinate sector-wide responses.</p>
<p>For state CISOs, this means:</p>
<ul>
<li><strong>Fewer federal resources</strong> available during incident response surge events</li>
<li><strong>Reduced threat intelligence products</strong> from federal sources</li>
<li><strong>Diminished election security support</strong> heading into the 2026 election cycle</li>
<li><strong>Greater reliance on peer networks</strong> (MS-ISAC, state CISO councils) and commercial intelligence</li>
</ul>
<h3><strong>4. Iranian Cyber Operations: Scale and Escalation</strong></h3>
<p>Intelligence tracking identifies nearly <strong>5,800 cyberattacks from approximately 50 Iran-linked groups</strong> targeting U.S. and Israeli interests. Key actors include:</p>
<ul>
<li><strong>Handala Hack Team / Void Manticore</strong> (IRGC-affiliated): Claimed breach of FBI Director’s personal email in March 2026 in retaliation for DOJ infrastructure seizure. Known for wiper operations and disruptive attacks.</li>
<li><strong>MuddyWater</strong> (MOIS-affiliated): Continues parallel espionage operations focused on government credential harvesting, including exploitation of FortiOS to collect LDAP connection passwords.</li>
<li><strong>UNC5203</strong>: Pre-positioning operations targeting operational technology in critical infrastructure.</li>
</ul>
<p>The convergence of Iranian wiper capability, OT pre-positioning, and reduced federal response capacity represents the highest-consequence scenario for state government networks.</p>
<h3><strong>5. Ransomware Groups Remain Government-Focused</strong></h3>
<p><strong>Qilin</strong>, <strong>Akira</strong>, <strong>DragonForce</strong>, <strong>Everest</strong>, and <strong>Interlock</strong> all show continued targeting of government and public services in their most recent activity updates. No new state or local government victim was confirmed this cycle, but the absence of a new incident during tax season preparation — historically a high-activity period — should not be mistaken for safety. The <strong>Citrix NetScaler CVE-2026-3055</strong> (CVSS 9.3) public proof-of-concept released on March 24 provides these groups with a new initial access vector; ransomware weaponization remains assessed at <strong>85% probability</strong>.</p>
<h3><strong>6. Living-off-the-Land: The Detection Paradigm Shift</strong></h3>
<p>When 84% of high-severity incidents abuse legitimate tools like PowerShell, WMIC, and Certutil, signature-based detection is insufficient. This is not a theoretical concern — the ClickFix social engineering campaigns and Storm-2561 trojanized VPN campaigns actively targeting government networks both leverage living-off-the-land (LOTL) techniques. The finding that 95% of access to these risky tools is unnecessary across typical enterprises suggests that access restriction — not just detection — is the most effective countermeasure.</p>
<h2><strong>Predictive Analysis</strong></h2>
<table>
<thead>
<tr>
<th>
<p>Scenario</p>
</th>
<th>
<p>Probability</p>
</th>
<th>
<p>Timeframe</p>
</th>
<th>
<p>Basis</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>CISA adds Ivanti EPMM CVE-2026-1281/1340 to Known Exploited Vulnerabilities catalog</p>
</td>
<td>
<p><strong>70%</strong></p>
</td>
<td>
<p>7 days</p>
</td>
<td>
<p>Active exploitation against government confirmed; follows pattern of prior Ivanti EPMM KEV additions</p>
</td>
</tr>
<tr>
<td>
<p>Tax-season phishing campaigns intensify with ScreenConnect and AiTM lure variants</p>
</td>
<td>
<p><strong>60%</strong></p>
</td>
<td>
<p>7–14 days</p>
</td>
<td>
<p>April 15 deadline approaching; Tycoon2FA platform reconstituted; historical pattern</p>
</td>
</tr>
<tr>
<td>
<p>Ransomware groups weaponize Citrix NetScaler CVE-2026-3055 for initial access</p>
</td>
<td>
<p><strong>85%</strong></p>
</td>
<td>
<p>By mid-April</p>
</td>
<td>
<p>Public PoC available since March 24; Qilin, Play, and Akira have demonstrated rapid CVE adoption</p>
</td>
</tr>
<tr>
<td>
<p>Iran-linked groups shift from intelligence collection to disruptive operations against U.S. targets</p>
</td>
<td>
<p><strong>50%</strong></p>
</td>
<td>
<p>14–30 days</p>
</td>
<td>
<p>Escalatory pattern following DOJ seizure and Handala retaliation; IRGC wiper capability confirmed</p>
</td>
</tr>
<tr>
<td>
<p>Additional malicious npm packages discovered in Axios/Claude Code ecosystem</p>
</td>
<td>
<p><strong>40%</strong></p>
</td>
<td>
<p>7 days</p>
</td>
<td>
<p>Sustained campaign pattern; source map leak lowers barrier to trojanization</p>
</td>
</tr>
<tr>
<td>
<p>Volt Typhoon activity resurfaces targeting network edge devices</p>
</td>
<td>
<p><strong>45%</strong></p>
</td>
<td>
<p>14–30 days</p>
</td>
<td>
<p>22-day silence from a known pre-positioning actor during period of geopolitical distraction</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>SOC Operational Guidance</strong></h2>
<h3><strong>Detection Priorities</strong></h3>
<p><strong>Ivanti EPMM Exploitation (CVE-2026-1281, CVE-2026-1340)</strong></p>
<ul>
<li><strong>ATT&CK:</strong> T1190 (Exploit Public-Facing Application), T1078 (Valid Accounts), T1071.001 (Web Protocols)</li>
<li><strong>Hunt hypothesis:</strong> If an attacker exploits Ivanti EPMM for initial access, then we should observe anomalous API calls to EPMM management endpoints from non-administrative source IPs, followed by credential harvesting activity.</li>
<li><strong>Detection:</strong> Monitor Ivanti EPMM access logs for unauthenticated API requests, unexpected administrative account creation, and HTTPS C2 callbacks from MDM server segments. Correlate with Active Directory logs for new service accounts or privilege escalation events originating from MDM infrastructure.</li>
<li><strong>Block:</strong> If patching cannot be completed within 48 hours, restrict EPMM management interface access to approved administrative IP ranges via firewall rules.</li>
</ul>
<p><strong>Living-off-the-Land Abuse</strong></p>
<ul>
<li><strong>ATT&CK:</strong> T1059.001 (PowerShell), T1218 (System Binary Proxy Execution — certutil, mshta, regsvr32), T1047 (Windows Management Instrumentation)</li>
<li><strong>Hunt hypothesis:</strong> If an attacker uses LOTL techniques for lateral movement, then we should observe PowerShell execution with encoded commands, certutil downloading remote payloads, or WMIC process creation from non-IT-administrative user accounts.</li>
<li><strong>Detection:</strong> Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging. Alert on certutil -urlcache, mshta executing remote content, and wmic process call create from standard user contexts. Baseline legitimate administrative use and alert on deviations.</li>
<li><strong>Defensive guidance:</strong> Deploy PowerShell Constrained Language Mode via Windows Defender Application Control (WDAC) policies. Remove or restrict access to certutil, mshta, regsvr32, and WMIC for non-administrative users. The Bitdefender analysis indicates 95% of access to these tools is unnecessary.</li>
</ul>
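<p>The detection bullets above expressed as rules run over a handful of process-creation events, as an added example that is not code from the original post. The event field names (User, Image, CommandLine) are modelled on Sysmon Event ID 1, the admin baseline and every sample event are constructed, and the account names and URL are placeholders.</p>

```javascript
// Added example (not code from the original post): runs the living-off-the-land
// detection rules described above over constructed process-creation events.
// Events are JSON lines whose field names (User, Image, CommandLine) are
// modelled on Sysmon Event ID 1; the names and all sample data are assumptions.

// Constructed baseline of accounts whose use of these tools is expected. In
// practice this comes from the SOC's baselining of legitimate admin activity.
const ADMIN_BASELINE = new Set(["STATE\\svc-sccm", "STATE\\it-admin01"]);

// Detection rules, each tagged with the ATT&CK technique cited in the text.
// Matching is done on the lower-cased image file name and command line.
const LOTL_RULES = [
  {
    name: "certutil-remote-download",
    technique: "T1218",
    match: (img, cmd) => img === "certutil.exe" && /(^|\s)-urlcache\b/.test(cmd),
  },
  {
    name: "mshta-remote-content",
    technique: "T1218",
    match: (img, cmd) => img === "mshta.exe" && /https?:\/\//.test(cmd),
  },
  {
    name: "wmic-process-call-create",
    technique: "T1047",
    match: (img, cmd) => img === "wmic.exe" && /process\s+call\s+create/.test(cmd),
  },
  {
    // powershell.exe accepts -e, -en, -enc, -encodedcommand; require a
    // base64-looking token of 20+ chars after the switch so that switches
    // such as -ExecutionPolicy followed by a short word do not match.
    name: "powershell-encoded-command",
    technique: "T1059.001",
    match: (img, cmd) =>
      (img === "powershell.exe" || img === "pwsh.exe") &&
      /(^|\s)-e[a-z]*\s+[a-z0-9+\/=]{20,}/.test(cmd),
  },
];

// Parses one JSON line into the fields the rules need.
function parseEvent(line) {
  const e = JSON.parse(line);
  const image = String(e.Image || "").split(/[\\\/]/).pop().toLowerCase();
  const cmd = String(e.CommandLine || "").toLowerCase();
  return { user: String(e.User || ""), image, cmd, raw: e };
}

// Evaluates every rule against every event. Hits from accounts outside the
// admin baseline are the standard-user case the text singles out (high);
// hits from baselined admins are kept at medium as a deviation check.
function evaluateEvents(lines) {
  const alerts = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    const ev = parseEvent(line);
    for (const rule of LOTL_RULES) {
      if (!rule.match(ev.image, ev.cmd)) continue;
      alerts.push({
        rule: rule.name,
        technique: rule.technique,
        user: ev.user,
        severity: ADMIN_BASELINE.has(ev.user) ? "medium" : "high",
        commandLine: ev.raw.CommandLine,
      });
    }
  }
  return alerts;
}

// Constructed sample events. The encoded PowerShell command is a benign
// "Write-Output hello", encoded the way powershell.exe -EncodedCommand expects.
const ENCODED_BENIGN = Buffer.from("Write-Output hello", "utf16le").toString("base64");
const SAMPLE_EVENTS = [
  { User: "STATE\\jdoe", Image: "C:\\Windows\\System32\\certutil.exe",
    CommandLine: "certutil.exe -urlcache -split -f http://files.example.invalid/a.txt C:\\Users\\Public\\a.txt" },
  { User: "STATE\\svc-sccm", Image: "C:\\Windows\\System32\\wbem\\WMIC.exe",
    CommandLine: "wmic.exe process call create \"cmd.exe /c hostname\"" },
  { User: "STATE\\jdoe", Image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    CommandLine: `powershell.exe -enc ${ENCODED_BENIGN}` },
  { User: "STATE\\jdoe", Image: "C:\\Windows\\System32\\mshta.exe",
    CommandLine: "mshta.exe \"C:\\Program Files\\Vendor\\help.hta\"" },        // local HTA: no alert
  { User: "STATE\\jdoe", Image: "C:\\Windows\\System32\\certutil.exe",
    CommandLine: "certutil.exe -hashfile C:\\tmp\\file.bin SHA256" },         // legitimate use: no alert
].map((e) => JSON.stringify({ EventID: 1, ...e }));

// Returns the alerts for the sample so the result can be inspected or tested.
function runSample() {
  return evaluateEvents(SAMPLE_EVENTS);
}

console.log(JSON.stringify(runSample(), null, 2));
```

Three of the five sample events alert (certutil and the encoded PowerShell from a standard user at high, the WMIC call from a baselined service account at medium); the local HTA and the certutil hash check do not.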
<p><strong>npm Supply Chain Compromise (Axios RAT, Claude Code Exposure)</strong></p>
<ul>
<li><strong>ATT&CK:</strong> T1195.002 (Compromise Software Supply Chain), T1204.002 (User Execution: Malicious File)</li>
<li><strong>Hunt hypothesis:</strong> If a developer workstation installed a trojanized npm package, then we should observe unexpected outbound connections from development environments, new scheduled tasks or persistence mechanisms, and anomalous process trees spawned from Node.js processes.</li>
<li><strong>Detection:</strong> Monitor developer workstations and CI/CD build servers for outbound connections to unknown infrastructure. Audit package-lock.json files for Axios versions 1.14.1 or 0.30.4. Search for cli.js.map files in npm cache directories. Alert on Node.js child processes executing system commands (PowerShell, cmd, bash).</li>
<li><strong>Block:</strong> Pin all npm packages to verified versions via lockfiles. Block installation of unvetted packages. Consider using a private npm registry that mirrors only approved packages.</li>
</ul>
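<p>The lockfile audit and private-registry check described above, as an added example that is not code from the original post, npm or the Axios project. It walks both lockfile v1 (dependencies tree) and v2/v3 (packages map) so nested copies of a package are found; the sample lockfiles, the mirror hostname and the integrity strings are constructed.</p>

```javascript
// Added example (not code from the original post, npm or Axios): audits a parsed
// package-lock.json for the trojanized Axios versions named above and for
// entries that do not come from an approved private registry mirror. Handles
// lockfile v1 ("dependencies" tree) and v2/v3 ("packages" map), including
// nested copies. The sample lockfiles and the mirror hostname are constructed.

// Versions the report identifies as trojanized (taken from the text above).
const KNOWN_BAD_VERSIONS = {
  axios: new Set(["1.14.1", "0.30.4"]),
};

// Hostname of the assumed approved mirror; replace with the agency's own.
const DEFAULT_APPROVED_HOSTS = new Set(["npm-mirror.state.example"]);

// Yields {name, path, entry} for a v1 "dependencies" tree, recursing into
// each entry's own "dependencies" so nested copies are not missed.
function* walkV1(deps, prefix = "") {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    yield { name, path, entry };
    if (entry.dependencies) yield* walkV1(entry.dependencies, `${path}/`);
  }
}

// Yields {name, path, entry} for a v2/v3 "packages" map. Keys are install
// paths; the package name is everything after the last "node_modules/",
// which keeps scoped names such as @anthropic-ai/claude-code intact.
function* walkPackages(packages) {
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(packages || {})) {
    if (path === "") continue; // the root project itself
    const idx = path.lastIndexOf(marker);
    const name = idx === -1 ? path : path.slice(idx + marker.length);
    yield { name, path, entry };
  }
}

function* walkLock(lock) {
  if (lock.packages) yield* walkPackages(lock.packages);
  else yield* walkV1(lock.dependencies);
}

// Returns a list of findings; an empty list means the lockfile passed.
function auditLock(lock, approvedHosts = DEFAULT_APPROVED_HOSTS) {
  const findings = [];
  for (const { name, path, entry } of walkLock(lock)) {
    const version = entry.version;
    const bad = KNOWN_BAD_VERSIONS[name];
    if (bad && bad.has(version)) {
      findings.push({ kind: "known-malicious-version", name, version, path });
    }
    if (entry.resolved) {
      let host = null;
      try { host = new URL(entry.resolved).hostname; } catch (_) { /* not a URL */ }
      if (!host || !approvedHosts.has(host)) {
        findings.push({ kind: "unapproved-registry", name, version, path, resolved: entry.resolved });
      }
      // Without an integrity hash npm cannot verify the tarball it fetches.
      if (!entry.integrity) {
        findings.push({ kind: "missing-integrity", name, version, path });
      }
    }
  }
  return findings;
}

// Counts findings per kind, which is what a CI gate would report.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed v3 lockfile: a top-level trojanized Axios, a second trojanized
// copy nested under a dependency and fetched from the public registry, and an
// AI CLI tool pulled from the public registry without an integrity field.
const MIRROR = "https://npm-mirror.state.example";
const SAMPLE_LOCK_V3 = {
  name: "citizen-portal", lockfileVersion: 3,
  packages: {
    "": { name: "citizen-portal", version: "1.0.0" },
    "node_modules/axios": { version: "1.14.1", resolved: `${MIRROR}/axios/-/axios-1.14.1.tgz`, integrity: "sha512-CONSTRUCTED" },
    "node_modules/some-lib": { version: "2.0.0", resolved: `${MIRROR}/some-lib/-/some-lib-2.0.0.tgz`, integrity: "sha512-CONSTRUCTED" },
    "node_modules/some-lib/node_modules/axios": { version: "0.30.4", resolved: "https://registry.npmjs.org/axios/-/axios-0.30.4.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/@anthropic-ai/claude-code": { version: "2.1.88", resolved: "https://registry.npmjs.org/@anthropic-ai/claude-code/-/claude-code-2.1.88.tgz" },
  },
};

// Constructed v1 lockfile with the same kind of nested Axios copy.
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-lib": {
      version: "2.0.0", resolved: `${MIRROR}/some-lib/-/some-lib-2.0.0.tgz`, integrity: "sha512-CONSTRUCTED",
      dependencies: {
        axios: { version: "1.14.1", resolved: `${MIRROR}/axios/-/axios-1.14.1.tgz`, integrity: "sha512-CONSTRUCTED" },
      },
    },
  },
};

console.log(summarize(auditLock(SAMPLE_LOCK_V3)));
```

To run it against a real project, pass the parsed file (JSON.parse of the package-lock.json contents) to auditLock and fail the build if the list is non-empty.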
<p><strong>Iranian Credential Harvesting (MuddyWater / FortiOS Exploitation)</strong></p>
<ul>
<li><strong>ATT&CK:</strong> T1078 (Valid Accounts), T1556 (Modify Authentication Process), T1110 (Brute Force)</li>
<li><strong>Hunt hypothesis:</strong> If MuddyWater is harvesting credentials via FortiOS LDAP exploitation, then we should observe unexpected LDAP bind attempts from firewall management interfaces, changes to FortiOS LDAP connector configurations, and credential reuse from previously unseen source IPs.</li>
<li><strong>Detection:</strong> Audit FortiOS configurations for unauthorized LDAP connector changes. Monitor for LDAP traffic originating from firewall management planes. Alert on VPN authentications from anomalous geolocations or TOR exit nodes. Review FortiCloud logs for unauthorized access.</li>
</ul>
<p><strong>OT/ICS Network Integrity (WAGO Switch Exploitation)</strong></p>
<ul>
<li><strong>ATT&CK:</strong> T1190 (Exploit Public-Facing Application), T0831 (Manipulation of Control), T0855 (Unauthorized Command Message)</li>
<li><strong>Hunt hypothesis:</strong> If an attacker exploits the WAGO CLI escape vulnerability, then we should observe CLI sessions from non-OT network segments, unexpected command execution on switch management interfaces, and configuration changes to industrial managed switches.</li>
<li><strong>Detection:</strong> Monitor network traffic to WAGO switch management interfaces for connections originating outside designated OT management VLANs. Alert on any CLI access from enterprise IT segments. Review switch logs for configuration changes.</li>
</ul>
<h2><strong>Sector-Specific Defensive Priorities</strong></h2>
<h3><strong>Financial Services (State Treasury, Revenue, Pension Systems)</strong></h3>
<p>State treasury, tax revenue, and pension fund systems process high-value financial transactions and hold sensitive taxpayer data. The Ivanti EPMM exploitation campaign explicitly targets financial services alongside government. Tax season (April 15 deadline) elevates phishing risk against revenue-facing systems.</p>
<ul>
<li><strong>Priority:</strong> Verify Ivanti EPMM patch status on any MDM infrastructure managing mobile devices used by treasury or revenue staff. Audit MFA configurations on financial transaction systems — Tycoon2FA’s reconstituted platform specifically bypasses Microsoft 365 MFA.</li>
<li><strong>Hunt:</strong> Search for anomalous API calls to financial application backends originating from MDM-managed devices. Monitor for AiTM phishing indicators targeting tax processing staff.</li>
<li><strong>Policy:</strong> Enforce transaction approval workflows that require out-of-band verification for transfers above threshold amounts, reducing the impact of credential compromise.</li>
</ul>
<h3><strong>Energy (State Energy Regulatory Agencies, Utility Oversight)</strong></h3>
<p>State energy regulators and agencies with oversight of utility infrastructure face the dual threat of Iranian OT pre-positioning (UNC5203) and the 22-day Volt Typhoon activity gap that may indicate masked Chinese pre-positioning on network edge devices.</p>
<ul>
<li><strong>Priority:</strong> Conduct asset inventory of all OT-adjacent network equipment, including WAGO industrial managed switches. Verify that OT networks are segmented from enterprise IT with enforced ACLs, not just VLANs.</li>
<li><strong>Hunt:</strong> Search for living-off-the-land activity on Fortinet, Cisco, and Citrix edge devices — Volt Typhoon’s signature tradecraft. Look for anomalous administrative sessions, configuration exports, and firmware modifications.</li>
<li><strong>Coordination:</strong> Engage with E-ISAC and regional utility partners to share indicators. Reduced CISA National Risk Management Center capacity (−35 positions, −$70M) means sector coordination must increasingly come from state-level and peer networks.</li>
</ul>
<h3><strong>Healthcare (State Medicaid, Public Health, HHS Systems)</strong></h3>
<p>State Medicaid systems, public health databases, and health and human services platforms hold protected health information (PHI) on millions of residents. Ransomware groups Qilin and Akira have demonstrated willingness to target healthcare-adjacent government systems.</p>
<ul>
<li><strong>Priority:</strong> Ensure Citrix NetScaler deployments (commonly used for remote access to health systems) are patched against CVE-2026-3055 (CVSS 9.3). Public PoC has been available since March 24 — ransomware weaponization is assessed at 85% probability.</li>
<li><strong>Hunt:</strong> Monitor for Citrix exploitation indicators: anomalous SAML token generation, unexpected administrative sessions, and lateral movement from NetScaler gateway segments into health data enclaves.</li>
<li><strong>Resilience:</strong> Validate offline backup integrity for Medicaid claims processing and public health reporting systems. Ransomware actors targeting healthcare-adjacent systems know that patient care dependencies create payment pressure.</li>
</ul>
<h3><strong>Government (Executive Branch Agencies, Election Infrastructure)</strong></h3>
<p>All executive branch agencies face the compounding effect of active Ivanti EPMM exploitation, LOTL technique prevalence, and reduced federal support. Election infrastructure faces specific risk from the $40 million cut to CISA election security programs.</p>
<ul>
<li><strong>Priority:</strong> Deploy PowerShell Constrained Language Mode and WDAC policies across agency workstations. The 84% LOTL finding means that restricting access to legitimate tools is now a higher-value defensive action than deploying additional signature-based detection.</li>
<li><strong>Election security:</strong> Identify alternative sources of election security support — MS-ISAC, EAC, and peer state election security teams — to compensate for reduced CISA capacity. Conduct tabletop exercises for election system incident response that do not assume federal surge support availability.</li>
<li><strong>Supply chain:</strong> Audit all npm-based applications deployed in citizen-facing portals. Verify that Axios library versions in production are not trojanized (v1.14.1 and v0.30.4 are confirmed malicious).</li>
</ul>
<h3><strong>Aviation / Logistics (State DOT, Airport Authorities, Port Systems)</strong></h3>
<p>State departments of transportation, airport authorities, and port systems operate OT environments (traffic management, SCADA, baggage handling) alongside enterprise IT. The Ivanti EPMM campaign explicitly targets transportation, and ICS advisories for WAGO switches and Anritsu spectrum monitors are directly relevant.</p>
<ul>
<li><strong>Priority:</strong> Inventory all Ivanti EPMM deployments managing mobile devices used by field transportation staff. Verify that WAGO industrial switches in traffic management or facility systems are not accessible from enterprise networks.</li>
<li><strong>Hunt:</strong> Monitor for anomalous connections to OT management interfaces from enterprise IT segments. Search for indicators of Anritsu spectrum monitor exploitation if RF monitoring equipment is deployed at airports or ports.</li>
<li><strong>Segmentation:</strong> Validate that IT/OT network segmentation enforces deny-by-default policies, not just VLAN separation. The WAGO CLI escape vulnerability allows unauthenticated full system compromise — network segmentation is the primary control.</li>
</ul>
<h2><strong>Prioritized Defense Recommendations</strong></h2>
<h3><strong>Immediate (Within 48 Hours)</strong></h3>
<table>
<thead>
<tr>
<th>
<p>Team</p>
</th>
<th>
<p>Action</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p><strong>IT Ops</strong></p>
</td>
<td>
<p>Verify Ivanti EPMM version across all state MDM deployments. If running versions vulnerable to CVE-2026-1281 or CVE-2026-1340, apply vendor patches within 48 hours. Check for indicators of prior exploitation using Ivanti’s published detection guidance.</p>
</td>
</tr>
<tr>
<td>
<p><strong>SOC</strong></p>
</td>
<td>
<p>Add WAGO Industrial Managed Switch models to OT asset inventory and verify network segmentation isolates them from enterprise IT. If CLI access is exposed to any non-OT network segment, implement emergency ACL restrictions.</p>
</td>
</tr>
<tr>
<td>
<p><strong>SOC</strong></p>
</td>
<td>
<p>Ingest the network IOCs listed above into SIEM correlation rules and EDR block lists. Prioritize the two IPv4 indicators (87.251.79[.]48, 149.50.97[.]174) for immediate perimeter blocking. For file hash indicators, query Anomali ThreatStream Next-Gen for the current set.</p>
</td>
</tr>
<tr>
<td>
<p><strong>IT Ops</strong></p>
</td>
<td>
<p>Verify Citrix NetScaler deployments are patched against CVE-2026-3055 (CVSS 9.3). If unpatched, implement Citrix-recommended mitigations and restrict management interface access. Ransomware weaponization is assessed at 85% probability.</p>
</td>
</tr>
</tbody>
</table>
<h3><strong>7-Day Actions</strong></h3>
<table>
<thead>
<tr>
<th>
<p>Team</p>
</th>
<th>
<p>Action</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p><strong>DevOps</strong></p>
</td>
<td>
<p>Implement npm package pinning policy for all state development environments. Pin @anthropic-ai/claude-code and all AI CLI tools to verified versions via lockfiles. Block installation of unvetted npm packages. Audit for Axios v1.14.1 and v0.30.4 in all production and development environments.</p>
</td>
</tr>
<tr>
<td>
<p><strong>SOC</strong></p>
</td>
<td>
<p>Deploy PowerShell Constrained Language Mode and WDAC policies on Windows workstations to reduce LOTL attack surface. Audit certutil, WMIC, and mshta execution logs for anomalous patterns. Establish behavioral baselines for legitimate administrative use.</p>
</td>
</tr>
<tr>
<td>
<p><strong>CISO</strong></p>
</td>
<td>
<p>Brief agency CIOs on CISA FY2026 budget impact: 34% staff reduction, $600M budget cut, specific reductions to election security, training, and risk management. Identify alternative intelligence-sharing partnerships (MS-ISAC, peer state CISOs, sector ISACs).</p>
</td>
</tr>
<tr>
<td>
<p><strong>SOC</strong></p>
</td>
<td>
<p>Implement enhanced monitoring for tax-season phishing campaigns through April 15. Update email gateway rules for Tycoon2FA indicators. Brief agency staff on ClickFix social engineering techniques and trojanized VPN lures.</p>
</td>
</tr>
</tbody>
</table>
<h3><strong>30-Day Actions</strong></h3>
<table>
<thead>
<tr>
<th>
<p>Team</p>
</th>
<th>
<p>Action</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p><strong>CISO</strong></p>
</td>
<td>
<p>Commission internal assessment of LOTL exposure — map all native Windows binaries accessible to standard users, identify unnecessary access (estimated 95% per industry analysis), and develop a phased restriction plan.</p>
</td>
</tr>
<tr>
<td>
<p><strong>IT Ops</strong></p>
</td>
<td>
<p>Conduct proactive threat hunt for Volt Typhoon TTPs on network edge devices (Fortinet, Cisco, Citrix). The 22-day activity gap from a known pre-positioning actor during a period of geopolitical distraction warrants proactive validation. Focus on firmware integrity, configuration exports, and anomalous administrative sessions.</p>
</td>
</tr>
<tr>
<td>
<p><strong>CISO</strong></p>
</td>
<td>
<p>Develop a state-level cyber mutual aid framework with peer states to compensate for reduced CISA surge capacity. Formalize intelligence-sharing agreements and incident response coordination procedures that do not depend on federal support.</p>
</td>
</tr>
<tr>
<td>
<p><strong>IT Ops</strong></p>
</td>
<td>
<p>Audit all citizen-facing web applications for npm supply chain exposure. Establish a private npm registry or approved package mirror for state development teams. Implement software bill of materials (SBOM) requirements for agency application deployments.</p>
</td>
</tr>
<tr>
<td>
<p><strong>IR Team</strong></p>
</td>
<td>
<p>Update incident response playbooks to account for reduced federal support availability. Conduct a tabletop exercise simulating a ransomware incident affecting tax processing systems during peak filing season, with the constraint that CISA surge support is unavailable.</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>Bottom Line</strong></h2>
<p>State government defenders face a threat environment defined by simultaneous pressure across every major attack surface. Ivanti EPMM is under active exploitation. The npm supply chain is compromised. Iranian groups have conducted nearly 5,800 tracked attacks and are escalating retaliatory operations. Ransomware groups are positioned to weaponize a new Citrix NetScaler vulnerability within days. And the federal agency that has historically backstopped state cyber defense has lost a third of its workforce.</p>
<p>No single threat here is unprecedented. What is unprecedented is their convergence at a moment when federal surge capacity is structurally reduced. The 48-hour actions in this report are not optional — they address active exploitation. The 7-day and 30-day actions build the structural resilience that will determine whether your agencies can absorb the next incident without catastrophic impact.</p>
<p>The federal safety net is thinner than it has ever been. State government must act as its own first responder.</p>
<h2><strong>Closing</strong></h2>
<p>The threat environment facing state government IT in April 2026 is defined by convergence: active exploitation of enterprise infrastructure (Ivanti EPMM), a poisoned software supply chain (npm/Axios), emboldened nation-state adversaries (Iran’s 5,800+ tracked attacks, China’s silent pre-positioning), opportunistic ransomware groups eyeing tax season, and a structural reduction in the federal cyber support that state defenders have relied on for a decade.</p>
<p>None of these threats exist in isolation. An Iranian credential harvesting campaign succeeds more easily when MFA is bypassed by Tycoon2FA. A ransomware group moves faster when Citrix NetScaler provides unauthenticated initial access. A supply chain compromise has wider blast radius when developer environments lack package pinning controls. And all of these threats are harder to detect and respond to when CISA has lost a third of its workforce.</p>
<p>The 48-hour actions in this post — patching Ivanti EPMM, verifying OT segmentation, blocking known threat infrastructure, and confirming Citrix NetScaler patch status — are not optional. The 7-day and 30-day actions build the structural resilience that will determine whether your agencies can absorb the next incident without catastrophic impact.</p>
<p>The federal safety net is thinner than it has ever been. State government must act as its own first responder.</p>