<p><strong>Threat Assessment Level: ELEVATED — Trending HIGH</strong></p>
<p><em>Changed from ELEVATED (prior cycle, April 7). The threat level remains ELEVATED but continues to trend toward HIGH based on new evidence of Iranian APT exploitation of U.S. critical infrastructure PLCs (CISA AA26-097A), a confirmed pro-Iran hacktivist compromise of a U.S. county government, APT28’s global router credential-harvesting campaign, and active exploitation of a CVSS 10.0 vulnerability in an AI development platform. The convergence of state-sponsored, hacktivist, and criminal threats against government infrastructure in a single 24-hour cycle justifies the upward trend.</em></p>
<h2><strong>Introduction</strong></h2>
<p>If you lead IT or cybersecurity for a state agency, the last 48 hours should have your full attention.</p>
<p>On April 7, CISA published an urgent advisory warning that Iranian-affiliated threat actors are <strong>actively manipulating programmable logic controllers (PLCs)</strong> at U.S. government facilities, water systems, and energy sites. The same day, we confirmed that a pro-Iran hacktivist group — one that used to limit itself to website defacements — had spent <strong>months</strong> inside a U.S. county government’s IT infrastructure before exfiltrating two terabytes of data. Meanwhile, Russia’s APT28 is compromising routers across 120 countries to steal credentials and bypass multi-factor authentication, and a critical vulnerability in an AI platform that many organizations have deployed is being actively exploited in the wild.</p>
<p>These are not theoretical risks. They are confirmed, active operations targeting the exact types of systems that state governments operate. This blog provides the intelligence picture, the specific threats, and — most importantly — what your teams should do about them this week.</p>
<h2><strong>What Changed (April 7–8, 2026)</strong></h2>
<table>
<thead>
<tr>
<th>
<p>Date</p>
</th>
<th>
<p>Development</p>
</th>
<th>
<p>Significance</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p><strong>March 19, 2026</strong></p>
</td>
<td>
<p>DOJ seized Iranian cyber infrastructure</p>
</td>
<td>
<p>Triggered confirmed retaliatory pre-positioning in U.S. critical infrastructure by CyberAv3ngers (IRGC-CEC)</p>
</td>
</tr>
<tr>
<td>
<p><strong>April 1, 2026</strong></p>
</td>
<td>
<p>Handala Hack published St. Joseph County, Indiana breach claim</p>
</td>
<td>
<p>2TB exfiltrated from U.S. county government after months of reconnaissance — discovered April 8</p>
</td>
</tr>
<tr>
<td>
<p><strong>April 6, 2026</strong></p>
</td>
<td>
<p>FortiClient EMS CVE-2026-35616 (CVSS 9.8) confirmed under active exploitation</p>
</td>
<td>
<p>EvilTokens PhaaS deploying 1,000+ domains against M365 authentication simultaneously</p>
</td>
</tr>
<tr>
<td>
<p><strong>April 7, 2026</strong></p>
</td>
<td>
<p>CISA Advisory AA26-097A: Iranian APT exploiting Rockwell Automation PLCs</p>
</td>
<td>
<p>Active exploitation at U.S. government facilities, water/wastewater, and energy sites</p>
</td>
</tr>
<tr>
<td>
<p><strong>April 7, 2026</strong></p>
</td>
<td>
<p>ClickFix/AMOS macOS credential-theft campaign discovered</p>
</td>
<td>
<p>Poisoned Google Ads targeting AI tool users for credential harvesting</p>
</td>
</tr>
<tr>
<td>
<p><strong>April 7, 2026</strong></p>
</td>
<td>
<p>OpenSSL CVE-2026-31790 disclosed</p>
</td>
<td>
<p>RSA KEM memory leak affecting OpenSSL 3.0–3.6; moderate severity</p>
</td>
</tr>
<tr>
<td>
<p><strong>April 7, 2026</strong></p>
</td>
<td>
<p>Huntress publishes NightSpire ransomware incident analysis</p>
</td>
<td>
<p>New RaaS family using RDP + legitimate tools for access and exfiltration</p>
</td>
</tr>
<tr>
<td>
<p><strong>April 8, 2026</strong></p>
</td>
<td>
<p>APT28 global router compromise campaign confirmed</p>
</td>
<td>
<p>18,000+ MikroTik/TP-Link devices across ~120 countries; credential theft bypassing 2FA</p>
</td>
</tr>
<tr>
<td>
<p><strong>April 8, 2026</strong></p>
</td>
<td>
<p>Flowise CVE-2025-59528 (CVSS 10.0) confirmed under active exploitation</p>
</td>
<td>
<p>12,000–15,000 internet-exposed AI platform instances at risk</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>Threat 1: Iranian APT Exploitation of Industrial Control Systems</strong></h2>
<p><strong>Actors:</strong> Iranian state-sponsored APT (linked to prior IRGC campaigns against Unitronics PLCs)</p>
<p><strong>Advisory:</strong> CISA AA26-097A</p>
<p>This is the most operationally significant threat in today’s cycle. CISA confirmed that Iranian-affiliated actors are using <strong>Rockwell Automation Studio 5000 Logix Designer</strong> to establish accepted connections to internet-facing Allen-Bradley PLCs at U.S. government facilities, water/wastewater treatment plants, and energy sites. The campaign has been active since at least March 2026.</p>
<p>The attackers are not just gaining access — they are <strong>manipulating HMI/SCADA displays and project files</strong>, meaning operators may not see accurate readings of what physical systems are doing. They deploy <strong>Dropbear SSH</strong> on victim endpoints for persistent remote access.</p>
<p><strong>Why this matters for state government:</strong> Many state agencies operate or oversee water treatment facilities, transportation SCADA systems, and energy grid coordination. If any of these systems use Rockwell Automation PLCs with internet connectivity, they are in the target set right now.</p>
<p><strong>Key ports to monitor:</strong> 44818, 2222, 102, 22, 502</p>
<h2><strong>Threat 2: Handala Hack — When Hacktivists Become APTs</strong></h2>
<p><strong>Actor:</strong> Handala Hack (pro-Iran hacktivist group)</p>
<p><strong>Victim:</strong> St. Joseph County, Indiana (U.S. county government)</p>
<p>This incident represents a disturbing evolution. Handala Hack — previously known for defacement and DDoS operations — conducted a <strong>months-long reconnaissance campaign</strong> against St. Joseph County’s centralized IT infrastructure before achieving full compromise and exfiltrating over 2TB of data. Simultaneously, Handala claimed a separate attack on Israeli defense contractor PSK WIND Technologies.</p>
<p>This is not typical hacktivism. The patience, scope, and sophistication of this operation mirror state-sponsored APT tradecraft. It raises a critical question: <strong>is Handala operating independently, or is it a front for Iranian state-sponsored operations?</strong></p>
<p>Regardless of the answer, the operational impact is the same. A U.S. county government — with infrastructure architecturally identical to many state agencies — was fully compromised by a group that most defenders would have categorized as a low-sophistication nuisance.</p>
<p>Handala joins an expanding pro-Iran hacktivist coalition that includes the <strong>Conquerors Electronic Army</strong> and <strong>313 Team</strong>, which collectively executed 1,583 verified incidents across 14 countries under <strong>Operation Epic Fury</strong>, escalating to destructive and wiper operations in April 2026.</p>
<p><strong>Actor claim site:</strong> handala-hack[.]tw</p>
<h2><strong>Threat 3: APT28 Global Router Compromise</strong></h2>
<p><strong>Actor:</strong> APT28 / Fancy Bear / GRU Unit 26165 (Russia)</p>
<p>APT28 is conducting a global campaign compromising outdated <strong>MikroTik and TP-Link routers</strong> — at least 18,000 devices across approximately 120 countries, including the United States. The attackers modify router configurations to redirect traffic to attacker-controlled infrastructure, enabling them to <strong>intercept credentials and access tokens, effectively bypassing two-factor authentication</strong>.</p>
<p>Microsoft has notified over 200 organizations and 5,000 consumer devices. The FBI is expected to announce domain seizures. Targets explicitly include <strong>government agencies and law enforcement</strong>.</p>
<p><strong>Why this matters for state government:</strong> State networks often include MikroTik or TP-Link devices at field offices, remote facilities, and smaller agency locations where enterprise-grade equipment may not be deployed. A single compromised router can provide APT28 with credential access to the broader state network.</p>
<p>This campaign reinforces a finding from prior cycles: <strong>MFA alone is insufficient</strong> against current session-hijacking and token-replay techniques. APT28 is stealing tokens downstream of the authentication event, rendering the second factor irrelevant.</p>
<h2><strong>Threat 4: NightSpire Ransomware — A New RaaS Entrant</strong></h2>
<p><strong>Actor:</strong> NightSpire (likely operating as Ransomware-as-a-Service)</p>
<p>Huntress published a detailed incident analysis of a NightSpire ransomware deployment observed in late March 2026. NightSpire, first discovered in February 2025, appears to be maturing into a RaaS operation. The affiliate’s playbook is notable for its heavy reliance on <strong>legitimate tools</strong>:</p>
<table>
<thead>
<tr>
<th>
<p>Stage</p>
</th>
<th>
<p>Tool Used</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>Initial Access</p>
</td>
<td>
<p>RDP (T1021.001)</p>
</td>
</tr>
<tr>
<td>
<p>Persistence / Remote Access</p>
</td>
<td>
<p>Chrome Remote Desktop, AnyDesk (T1219)</p>
</td>
</tr>
<tr>
<td>
<p>Discovery</p>
</td>
<td>
<p>Everything / voidtools (T1083)</p>
</td>
</tr>
<tr>
<td>
<p>Staging</p>
</td>
<td>
<p>7-Zip (T1560.001)</p>
</td>
</tr>
<tr>
<td>
<p>Exfiltration</p>
</td>
<td>
<p>MEGASync (T1567.002)</p>
</td>
</tr>
<tr>
<td>
<p>Impact</p>
</td>
<td>
<p>NightSpire ransomware — .nspire extension (T1486)</p>
</td>
</tr>
</tbody>
</table>
<p>The affiliate claimed 2.5TB of data exfiltration. NightSpire’s use of tools already present in many enterprise environments makes detection challenging without specific behavioral analytics.</p>
<p>State and local government remains a <strong>top-3 targeted vertical</strong> for ransomware. Active ransomware groups with confirmed government targeting that were refreshed in intelligence feeds this cycle include: <strong>DragonForce</strong>, <strong>Qilin</strong>, <strong>Akira</strong>, <strong>CHATTY SPIDER</strong>, <strong>MASKED SPIDER</strong>, and <strong>TRAVELING SPIDER</strong>.</p>
<h2><strong>Threat 5: Flowise AI Platform — CVSS 10.0 Under Active Exploitation</strong></h2>
<p><strong>CVE:</strong> CVE-2025-59528 (CVSS 10.0)</p>
<p><strong>Additional CVEs under exploitation:</strong> CVE-2025-8943, CVE-2025-26319</p>
<p>Flowise, an open-source AI agent builder, has a critical remote code execution vulnerability in its CustomMCP node that allows arbitrary JavaScript execution via the Function() constructor with full Node.js privileges. VulnCheck confirmed active exploitation from at least one IP address. Between <strong>12,000 and 15,000 Flowise instances</strong> are internet-exposed.</p>
<p>This is the second AI/LLM orchestration platform with a confirmed critical RCE this cycle (following Langflow earlier). A pattern is emerging: <strong>AI development platforms are being deployed with minimal security hardening and are becoming a significant new attack surface.</strong></p>
<p>State agencies are increasingly adopting AI tools for citizen services, document processing, and internal chatbots. If any agency — or any vendor serving state agencies — has deployed Flowise, this requires immediate action. Patched in version 3.0.6; current version is 3.1.1.</p>
<h2><strong>Threat 6: OpenSSL Memory Leak (CVE-2026-31790)</strong></h2>
<p><strong>CVE:</strong> CVE-2026-31790 (Moderate severity)</p>
<p><strong>Affected versions:</strong> OpenSSL 3.0–3.6 and their FIPS modules</p>
<p><strong>Not affected:</strong> OpenSSL 1.0.2 and 1.1.1</p>
<p>OpenSSL disclosed a flaw in RSA KEM (RSASVE) encapsulation where improper return-value checking in RSA_public_encrypt() causes the system to treat encryption failures as successes. An attacker who supplies an invalid RSA public key can potentially receive <strong>uninitialized memory contents</strong> — which may contain sensitive data from prior cryptographic operations.</p>
<p>While not yet exploited in the wild, this affects a foundational library present across virtually all Linux-based state government web servers and middleware.</p>
<p><strong>Patched versions:</strong> 3.0.20, 3.3.7, 3.4.5, 3.5.6, 3.6.2</p>
<p><strong>Workaround:</strong> Call EVP_PKEY_public_check() or EVP_PKEY_public_check_quick() before EVP_PKEY_encapsulate()</p>
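<p>A fleet-audit helper for this item, added here as an example (it is not from the original report or from the OpenSSL project). It classifies the first line of <code>openssl version</code> output against the affected range and fixed releases stated above. The hostnames and banners in the sample inventory are constructed; the treatment of branches 3.1 and 3.2, which fall inside the affected 3.0–3.6 range but have no fixed release listed, is my inference from the report and is flagged separately rather than guessed at.</p>

```python
"""Classify `openssl version` banners against CVE-2026-31790 (RSA KEM memory leak).

Added example, not from the original report or the OpenSSL project. Affected
range and fixed releases are taken from the report; sample hosts are constructed.
"""
import re

# Fixed release per affected branch, as listed in the report.
FIXED_RELEASE = {
    (3, 0): (3, 0, 20),
    (3, 3): (3, 3, 7),
    (3, 4): (3, 4, 5),
    (3, 5): (3, 5, 6),
    (3, 6): (3, 6, 2),
}
# "Affected versions: OpenSSL 3.0-3.6" -> every 3.x branch from 3.0 through 3.6.
AFFECTED_BRANCHES = {(3, minor) for minor in range(0, 7)}

# Tolerates letter suffixes such as the 'w' in 1.1.1w and ignores the build date.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    """Return (major, minor, patch) from an `openssl version` banner, or None."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(banner):
    """Classify one host's banner.

    status values:
      unknown                  banner could not be parsed; check the host by hand
      not_affected             1.0.2 / 1.1.1 (explicitly unaffected) or outside 3.0-3.6
      fixed                    affected branch, at or above its fixed release
      vulnerable               below the fixed release; 'upgrade_to' names it
      vulnerable_no_fix_listed affected branch (3.1, 3.2) with no fixed release
                               in the report: move to a maintained branch
                               (this category is my inference, not the report's)
    """
    ver = parse_version(banner)
    if ver is None:
        return {"status": "unknown", "version": None}
    branch = ver[:2]
    if branch not in AFFECTED_BRANCHES:
        return {"status": "not_affected", "version": ver}
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return {"status": "vulnerable_no_fix_listed", "version": ver}
    if ver >= fixed:  # tuple comparison: (3, 0, 13) < (3, 0, 20)
        return {"status": "fixed", "version": ver}
    return {"status": "vulnerable", "version": ver, "upgrade_to": fixed}


def audit_fleet(banners):
    """Map host -> assessment for {host: banner} collected from the fleet."""
    return {host: assess(banner) for host, banner in banners.items()}


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_BANNERS = {
    "web-01": "OpenSSL 3.0.13 30 Jan 2024",
    "web-02": "OpenSSL 3.0.20",
    "legacy-app": "OpenSSL 1.1.1w  11 Sep 2023",
    "api-gw": "OpenSSL 3.1.4 24 Oct 2023",
    "unknown-box": "bash: openssl: command not found",
}

if __name__ == "__main__":
    for host, result in audit_fleet(SAMPLE_BANNERS).items():
        target = ".".join(map(str, result["upgrade_to"])) if "upgrade_to" in result else ""
        print(f"{host:12} {result['status']:26} {target}")
```

<p>Feed it the banner collected by your configuration-management tool from each Linux host; anything reported as <code>vulnerable</code> or <code>vulnerable_no_fix_listed</code> goes on the patch list, and <code>unknown</code> hosts need a manual check rather than being assumed safe.</p>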
<h2><strong>Continuing Threats From Prior Cycles</strong></h2>
<p>The following threats from previous reporting periods remain active and relevant:</p>
<ul>
<li><strong>APT42 (IRGC-IO)</strong>, <strong>MuddyWater (MOIS)</strong>, and <strong>CyberAv3ngers (IRGC-CEC)</strong> continue pre-positioning operations in U.S. critical infrastructure following the March 19 DOJ seizure of Iranian cyber infrastructure</li>
<li><strong>TA416 / Mustang Panda (China)</strong> — fresh IOCs for BobbyCar and CoolClient malware families were refreshed in intelligence feeds on April 8</li>
<li><strong>FortiClient EMS CVE-2026-35616</strong> (CVSS 9.8) remains under active exploitation</li>
<li><strong>EvilTokens PhaaS</strong> continues deploying 1,000+ domains against M365 authentication</li>
<li><strong>Volt Typhoon and Salt Typhoon (China)</strong> — notably silent this cycle despite escalating U.S.-China trade tensions. This absence is anomalous and may indicate an operational pause before escalation or a shift to undetected infrastructure</li>
</ul>
<h2><strong>Predictive Analysis: Next 7 Days</strong></h2>
<table>
<thead>
<tr>
<th>
<p>Scenario</p>
</th>
<th>
<p>Probability</p>
</th>
<th>
<p>Basis</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>CISA publishes follow-on IOCs and detection signatures for Iranian PLC campaign (AA26-097A)</p>
</td>
<td>
<p><strong>HIGH (>70%)</strong></p>
</td>
<td>
<p>Standard CISA advisory lifecycle; initial advisory typically followed by detailed IOC release</p>
</td>
</tr>
<tr>
<td>
<p>Handala or affiliated pro-Iran groups claim additional U.S. government victims</p>
</td>
<td>
<p><strong>MODERATE (40–60%)</strong></p>
</td>
<td>
<p>St. Joseph County breach was published April 1 but only discovered April 8 — undisclosed victims likely exist</p>
</td>
</tr>
<tr>
<td>
<p>Flowise exploitation expands as exploit code circulates</p>
</td>
<td>
<p><strong>MODERATE (40–60%)</strong></p>
</td>
<td>
<p>CVSS 10.0 with 12K–15K exposed instances; currently single-source exploitation will likely broaden</p>
</td>
</tr>
<tr>
<td>
<p>Volt Typhoon or Salt Typhoon activity resurfaces amid U.S.-China tensions</p>
</td>
<td>
<p><strong>LOW-MODERATE (25–40%)</strong></p>
</td>
<td>
<p>Current silence is anomalous given geopolitical context; may indicate pre-positioning rather than inactivity</p>
</td>
</tr>
<tr>
<td>
<p>NightSpire ransomware claims a state or local government victim</p>
</td>
<td>
<p><strong>MODERATE (30–50%)</strong></p>
</td>
<td>
<p>RaaS maturation + government as top-3 ransomware target vertical + RDP-based initial access widely available</p>
</td>
</tr>
<tr>
<td>
<p>APT28 router campaign leads to confirmed credential compromise at a U.S. government entity</p>
</td>
<td>
<p><strong>MODERATE (40–60%)</strong></p>
</td>
<td>
<p>18,000+ compromised devices; FBI domain seizures expected, suggesting active investigation of government impact</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>SOC Operational Guidance</strong></h2>
<h3><strong>Immediate Hunting Hypotheses</strong></h3>
<p><strong>Hypothesis 1: Iranian PLC Manipulation</strong></p>
<ul>
<li><strong>Hunt for:</strong> Connections to Rockwell Automation PLCs (port 44818) from external or unexpected internal IPs; Dropbear SSH installations on OT-adjacent endpoints; Studio 5000 Logix Designer sessions initiated from non-engineering workstations</li>
<li><strong>ATT&CK techniques:</strong> T1190, T0831, T0836, T0855, T1021.004, T1133</li>
<li><strong>Data sources:</strong> OT network flow logs, firewall logs for ports 44818/2222/102/22/502, endpoint detection on engineering workstations</li>
</ul>
<p><strong>Hypothesis 2: NightSpire Affiliate Tooling</strong></p>
<ul>
<li><strong>Hunt for:</strong> Unauthorized installations of Chrome Remote Desktop, AnyDesk, Everything (voidtools[.]com), MEGASync, or WPS Office; RDP sessions from unexpected sources followed by RMM tool deployment; files with .nspire extension; Volume Shadow Copy deletion commands</li>
<li><strong>ATT&CK techniques:</strong> T1021.001, T1219, T1083, T1560.001, T1567.002, T1486, T1490</li>
<li><strong>Data sources:</strong> EDR telemetry (process creation, file writes), RDP authentication logs, outbound connection logs to MEGASync infrastructure</li>
</ul>
<p><strong>Hypothesis 3: APT28 Router Compromise</strong></p>
<ul>
<li><strong>Hunt for:</strong> DNS configuration changes on MikroTik/TP-Link routers; unexpected routing table modifications; traffic redirection to unfamiliar external IPs; authentication token replay (sessions appearing from geographically impossible locations)</li>
<li><strong>ATT&CK techniques:</strong> T1557, T1539, T1584.008, T1020, T1556</li>
<li><strong>Data sources:</strong> Router configuration backups (diff against known-good), NetFlow/sFlow data, SIEM correlation of authentication events with impossible travel</li>
</ul>
<p><strong>Hypothesis 4: Flowise/AI Platform Exploitation</strong></p>
<ul>
<li><strong>Hunt for:</strong> Internet-exposed Flowise instances (Shodan/Censys query or internal asset scan); Node.js child process spawning from Flowise application directories; unexpected outbound connections from AI platform servers</li>
<li><strong>ATT&CK techniques:</strong> T1190, T1059.007, T1059</li>
<li><strong>Data sources:</strong> Web application firewall logs, application server process monitoring, network segmentation logs</li>
</ul>
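<p>The impossible-travel correlation named in Hypothesis 3 (and in the HIGH detection rule below), written out as an added example that is not part of the original report. It takes sign-in events as (user, timestamp, source IP), looks each IP up in a geolocation table, and flags consecutive sign-ins whose implied speed exceeds a plausible ceiling. The events, the IP-to-location table and the 900 km/h ceiling are constructed assumptions; in production the coordinates come from a geo-IP database and the events from the identity provider's sign-in log.</p>

```python
"""Impossible-travel check over authentication events.

Added example, not from the original report. Events and the geolocation
table are constructed; MAX_PLAUSIBLE_KMH is an assumed ceiling.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0        # assumption: roughly airliner cruise speed
ZERO_TIME_TOLERANCE_KM = 50.0    # assumption: same-second sign-ins this close are benign

# Constructed geolocation table (documentation-range IPs, illustrative coordinates).
GEO = {
    "198.51.100.10": (39.77, -86.16, "Indianapolis, US"),
    "192.0.2.44": (41.88, -87.63, "Chicago, US"),
    "203.0.113.5": (52.52, 13.41, "Berlin, DE"),
}


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one finding per consecutive sign-in pair whose implied speed is implausible.

    events: iterable of (user, iso8601_timestamp, source_ip).
    IPs missing from GEO are skipped rather than guessed; same-IP pairs are ignored.
    """
    by_user = defaultdict(list)
    for user, ts, ip in events:
        by_user[user].append((datetime.fromisoformat(ts), ip))

    findings = []
    for user, seq in by_user.items():
        seq.sort()  # chronological; ties broken by IP string, which is harmless here
        for (t1, ip1), (t2, ip2) in zip(seq, seq[1:]):
            if ip1 == ip2 or ip1 not in GEO or ip2 not in GEO:
                continue
            dist = haversine_km(GEO[ip1][:2], GEO[ip2][:2])
            hours = (t2 - t1).total_seconds() / 3600.0
            if hours <= 0:
                # Identical timestamps: speed is undefined, so fall back to a distance tolerance.
                speed = float("inf") if dist > 0 else 0.0
                flagged = dist > ZERO_TIME_TOLERANCE_KM
            else:
                speed = dist / hours
                flagged = speed > max_kmh
            if flagged:
                findings.append({
                    "user": user,
                    "from": f"{ip1} ({GEO[ip1][2]})",
                    "to": f"{ip2} ({GEO[ip2][2]})",
                    "km": round(dist, 1),
                    "hours": round(hours, 2),
                    "kmh": round(speed, 1),
                })
    return findings


# Constructed sign-in log: alice appears in Berlin 35 minutes after Indianapolis.
SAMPLE_EVENTS = [
    ("alice", "2026-04-08T08:00:00+00:00", "198.51.100.10"),
    ("alice", "2026-04-08T08:35:00+00:00", "203.0.113.5"),
    ("bob", "2026-04-08T08:00:00+00:00", "198.51.100.10"),
    ("bob", "2026-04-08T12:00:00+00:00", "192.0.2.44"),
    ("bob", "2026-04-08T12:00:00+00:00", "192.0.2.44"),  # duplicate from the same IP: ignored
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_EVENTS):
        print(f"{f['user']}: {f['from']} -> {f['to']} {f['km']} km in {f['hours']} h ({f['kmh']} km/h)")
```

<p>A hit is evidence of a replayed token or session rather than proof of one; VPN egress, CDN fronting and mobile carrier NAT all produce false positives, so tune the tolerance and allowlist known corporate egress IPs before paging on this rule. Note also that this rule fires only after the authentication event, which is exactly why the report pairs it with conditional access requiring managed devices.</p>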
<h3><strong>Detection Priorities</strong></h3>
<table>
<thead>
<tr>
<th>
<p>Priority</p>
</th>
<th>
<p>Detection Rule</p>
</th>
<th>
<p>ATT&CK ID</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>CRITICAL</p>
</td>
<td>
<p>Alert on any external connection to OT/ICS ports (44818, 2222, 102, 502)</p>
</td>
<td>
<p>T1190, T0855</p>
</td>
</tr>
<tr>
<td>
<p>CRITICAL</p>
</td>
<td>
<p>Alert on Dropbear SSH binary presence on non-Linux-server endpoints</p>
</td>
<td>
<p>T1021.004</p>
</td>
</tr>
<tr>
<td>
<p>HIGH</p>
</td>
<td>
<p>Alert on unauthorized RMM tools (AnyDesk, Chrome Remote Desktop) on endpoints</p>
</td>
<td>
<p>T1219</p>
</td>
</tr>
<tr>
<td>
<p>HIGH</p>
</td>
<td>
<p>Alert on MEGASync or similar cloud sync tool outbound connections >1GB</p>
</td>
<td>
<p>T1567.002</p>
</td>
</tr>
<tr>
<td>
<p>HIGH</p>
</td>
<td>
<p>Alert on router configuration changes outside maintenance windows</p>
</td>
<td>
<p>T1584.008</p>
</td>
</tr>
<tr>
<td>
<p>HIGH</p>
</td>
<td>
<p>Alert on authentication events with impossible geographic travel</p>
</td>
<td>
<p>T1539, T1556</p>
</td>
</tr>
<tr>
<td>
<p>MEDIUM</p>
</td>
<td>
<p>Alert on Everything.exe (voidtools) execution on servers</p>
</td>
<td>
<p>T1083</p>
</td>
</tr>
<tr>
<td>
<p>MEDIUM</p>
</td>
<td>
<p>Alert on .nspire file extension creation</p>
</td>
<td>
<p>T1486</p>
</td>
</tr>
</tbody>
</table>
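<p>Three of the rules in the table above implemented over flow records, as an added example that is not from the original report: the CRITICAL alert on external or unexpected access to OT ports, the HIGH alert on cloud-sync egress above 1 GB per host, and, generalised to any byte threshold, the per-segment bulk-egress rule from the 7-day recommendations. The flow-record shape, the sample flows, the internal and OT address ranges, the engineering subnet and the approved-peer allowlist are all constructed placeholders; the port-to-protocol labels are my annotations, and MEGA's service domains are the only real identifiers.</p>

```python
"""Flow-record detection rules for the Detection Priorities table.

Added example, not from the original report. Flow format, sample flows and
all network ranges below are constructed placeholders for a real site.
"""
import ipaddress
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: str
    src_ip: str
    dst_ip: str
    dst_host: str    # proxy-logged or reverse-resolved name, "" if none
    dst_port: int
    bytes_out: int


# Ports from the CRITICAL rule; protocol labels are my annotations, not the report's.
OT_PORTS = {
    44818: "EtherNet/IP (CIP) explicit messaging",
    2222: "EtherNet/IP implicit I/O",
    102: "ISO-TSAP (Siemens S7)",
    502: "Modbus/TCP",
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")           # placeholder: PLC/HMI segment
ENGINEERING_SUBNET = ipaddress.ip_network("10.60.2.0/24")   # placeholder: Studio 5000 workstations
APPROVED_EXTERNAL = {ipaddress.ip_address("192.0.2.200")}   # placeholder: integrator VPN egress
SYNC_DOMAINS = ("mega.nz", "mega.co.nz")                    # MEGA service domains


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def check_ot_access(flow):
    """CRITICAL: external source reaching an OT port; HIGH: internal but non-engineering source."""
    src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
    if flow.dst_port not in OT_PORTS or dst not in OT_SEGMENT:
        return None
    if src in ENGINEERING_SUBNET or src in APPROVED_EXTERNAL:
        return None
    severity = "CRITICAL" if not is_internal(src) else "HIGH"
    return {"severity": severity, "rule": "ot-port-access", "ts": flow.ts, "src": flow.src_ip,
            "dst": f"{flow.dst_ip}:{flow.dst_port}", "service": OT_PORTS[flow.dst_port]}


def _matches_domain(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def sync_volume_alerts(flows, threshold_bytes=1_000_000_000):
    """HIGH: total bytes from one host to cloud-sync domains exceeds the threshold (1 GB by default)."""
    totals = defaultdict(int)
    for f in flows:
        if f.dst_host and _matches_domain(f.dst_host, SYNC_DOMAINS):
            totals[f.src_ip] += f.bytes_out
    return [{"severity": "HIGH", "rule": "cloud-sync-volume", "src": src, "bytes": b}
            for src, b in totals.items() if b > threshold_bytes]


def segment_egress(flows, threshold_bytes):
    """Total internet-bound bytes per internal /24; returns only segments over the threshold."""
    totals = defaultdict(int)
    for f in flows:
        src, dst = ipaddress.ip_address(f.src_ip), ipaddress.ip_address(f.dst_ip)
        if is_internal(src) and not is_internal(dst):
            segment = ipaddress.ip_network(f"{f.src_ip}/24", strict=False)
            totals[str(segment)] += f.bytes_out
    return {seg: b for seg, b in totals.items() if b > threshold_bytes}


# Constructed sample: one internet source and one IT host touch a PLC port,
# an engineering workstation does so legitimately, and one IT host pushes 1.3 GB to MEGA.
SAMPLE_FLOWS = [
    Flow("2026-04-08T02:14:05Z", "203.0.113.77", "10.50.1.10", "", 44818, 18_400),
    Flow("2026-04-08T02:15:11Z", "10.20.5.23", "10.50.1.10", "", 44818, 2_100),
    Flow("2026-04-08T09:00:00Z", "10.60.2.5", "10.50.1.11", "", 44818, 4_000),
    Flow("2026-04-08T10:05:30Z", "10.20.5.23", "198.51.100.20", "api.mega.nz", 443, 700_000_000),
    Flow("2026-04-08T10:45:02Z", "10.20.5.23", "198.51.100.21", "storage.mega.co.nz", 443, 600_000_000),
    Flow("2026-04-08T11:00:00Z", "10.20.5.40", "198.51.100.9", "updates.example.net", 443, 50_000),
]

if __name__ == "__main__":
    for alert in filter(None, (check_ot_access(f) for f in SAMPLE_FLOWS)):
        print(alert)
    for alert in sync_volume_alerts(SAMPLE_FLOWS):
        print(alert)
    print(segment_egress(SAMPLE_FLOWS, threshold_bytes=1_000_000_000))
```

<p>The OT rule deliberately separates "external source" (CRITICAL, the report's case) from "internal but not an engineering workstation" (HIGH), since a Studio 5000 session from a general IT subnet is exactly the architecture flaw the Energy section calls out. The volume rules aggregate per host and per /24 over whatever window of flows you pass in, so run them per day for the 1 GB cloud-sync rule and per week for the 500 GB segment threshold.</p>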
<h3><strong>Blocking Guidance</strong></h3>
<ul>
<li>Block inbound traffic on ports <strong>44818, 2222, 102, 22, 502</strong> from all non-whitelisted external IPs at the perimeter firewall — particularly for any OT/ICS network segments</li>
<li>Block or alert on outbound connections to handala-hack[.]tw</li>
<li>Block unauthorized RMM tools via application control policy (Chrome Remote Desktop, AnyDesk) unless explicitly approved</li>
<li>Block MEGASync at the proxy/firewall level unless business-justified</li>
</ul>
<h2><strong>Sector-Specific Defensive Priorities</strong></h2>
<h3><strong>Financial Services (State Treasury, Revenue, Tax Systems)</strong></h3>
<p>State revenue and tax systems process millions of citizen financial records. The <strong>Kaspersky financial threat report</strong> (referenced in this cycle’s intelligence) confirms a surge in infostealer activity targeting financial platforms. Combined with <strong>EvilTokens PhaaS</strong> deploying 1,000+ domains against M365 authentication:</p>
<ul>
<li><strong>Priority:</strong> Harden M365 authentication with conditional access policies requiring compliant devices — not just MFA, which is being bypassed via token theft (T1539)</li>
<li><strong>Priority:</strong> Monitor for anomalous bulk data access patterns in tax/revenue databases, particularly as the April 15 tax deadline approaches</li>
<li><strong>Priority:</strong> Ensure all FortiClient EMS instances protecting financial system VPN access are patched against CVE-2026-35616</li>
</ul>
<h3><strong>Energy (State-Operated or Overseen Utilities)</strong></h3>
<p>The CISA AA26-097A advisory directly targets energy sites. States that operate or regulate energy infrastructure face the most acute risk in this cycle.</p>
<ul>
<li><strong>Priority:</strong> Conduct emergency audit of all Rockwell Automation/Allen-Bradley PLC internet exposure. Verify physical key switches are in RUN (not REMOTE) position</li>
<li><strong>Priority:</strong> Implement network segmentation between IT and OT — if Studio 5000 Logix Designer sessions can be initiated from IT network segments, the architecture is vulnerable</li>
<li><strong>Priority:</strong> Deploy OT-specific monitoring (e.g., Dragos, Claroty, Nozomi) if not already in place; IT EDR tools do not provide adequate visibility into PLC manipulation</li>
</ul>
<h3><strong>Healthcare (State Health Agencies, Medicaid Systems)</strong></h3>
<p>State health agencies manage Medicaid data, vital records, and public health surveillance systems — high-value targets for both ransomware operators and nation-state actors.</p>
<ul>
<li><strong>Priority:</strong> NightSpire ransomware’s RDP-based initial access vector is particularly relevant to healthcare environments where RDP is commonly used for clinical application access. Restrict RDP to jump servers with MFA; disable direct RDP to endpoints</li>
<li><strong>Priority:</strong> Audit all AI/chatbot deployments in citizen-facing health portals — if any use Flowise or similar platforms, patch or isolate immediately</li>
<li><strong>Priority:</strong> Ensure offline backups of Medicaid enrollment and vital records databases are current and tested</li>
</ul>
<h3><strong>Government (Executive Agencies, Public Safety, Courts)</strong></h3>
<p>The Handala Hack compromise of St. Joseph County demonstrates that <strong>government IT centralization is both a strength and a single point of failure</strong>. When centralized IT is compromised, every agency function is affected.</p>
<ul>
<li><strong>Priority:</strong> Review privileged access to centralized IT management systems (Active Directory, SCCM, Azure AD Connect). Implement tiered administration — Tier 0 (identity), Tier 1 (servers), Tier 2 (workstations) — with separate credentials for each</li>
<li><strong>Priority:</strong> Establish data exfiltration detection thresholds. Handala exfiltrated 2TB — this volume of outbound data transfer should trigger automated alerts</li>
<li><strong>Priority:</strong> Conduct tabletop exercise specifically modeling a hacktivist-to-APT scenario: extended reconnaissance → full infrastructure compromise → data exfiltration → public leak</li>
</ul>
<h3><strong>Aviation / Logistics (State DOT, Airport Authorities, Port Systems)</strong></h3>
<p>State transportation agencies operate SCADA systems for traffic management, bridge controls, and airport infrastructure that share architectural similarities with the water/energy PLCs targeted in CISA AA26-097A.</p>
<ul>
<li><strong>Priority:</strong> Extend the PLC audit (ports 44818, 2222, 102, 502) to transportation SCADA systems — traffic signal controllers, bridge SCADA, tunnel ventilation systems</li>
<li><strong>Priority:</strong> Audit MikroTik/TP-Link routers at remote transportation facilities (weigh stations, rest areas, field offices) for APT28 compromise indicators</li>
<li><strong>Priority:</strong> Review supply chain security for logistics software vendors — Flowise and similar AI tools are increasingly embedded in logistics optimization platforms</li>
</ul>
<h2><strong>Prioritized Defense Recommendations</strong></h2>
<h3><strong>IMMEDIATE (Within 24 Hours)</strong></h3>
<table>
<thead>
<tr>
<th>
<p>Action</p>
</th>
<th>
<p>Responsible Team</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>Audit all Rockwell Automation/Allen-Bradley PLC internet exposure. Block inbound traffic on ports 44818, 2222, 102, 22, 502 from non-whitelisted IPs. Verify physical mode switches are in RUN position. Query logs for overseas IP connections to OT segments.</p>
</td>
<td>
<p>OT Security + Network Ops</p>
</td>
</tr>
<tr>
<td>
<p>Hunt for unauthorized installations of Chrome Remote Desktop, AnyDesk, MEGASync, and Everything (voidtools) across all endpoints. Any unauthorized RMM tool triggers immediate investigation.</p>
</td>
<td>
<p>SOC</p>
</td>
</tr>
<tr>
<td>
<p>Audit all agency-deployed AI/LLM platforms. If Flowise is present anywhere in the environment (including vendor-managed instances), upgrade to ≥3.0.6 immediately or remove from internet exposure.</p>
</td>
<td>
<p>IT Operations + Application Owners</p>
</td>
</tr>
<tr>
<td>
<p>Verify FortiClient EMS instances are patched against CVE-2026-35616 (CVSS 9.8, confirmed active exploitation from prior cycle).</p>
</td>
<td>
<p>IT Operations</p>
</td>
</tr>
</tbody>
</table>
<h3><strong>7-DAY</strong></h3>
<table>
<thead>
<tr>
<th>
<p>Action</p>
</th>
<th>
<p>Responsible Team</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>Inventory all MikroTik and TP-Link routers across state network infrastructure, including field offices and remote sites. Verify firmware is current. Diff router configurations against known-good baselines to detect unauthorized DNS/routing changes.</p>
</td>
<td>
<p>Network Operations</p>
</td>
</tr>
<tr>
<td>
<p>Patch OpenSSL to 3.0.20 / 3.3.7 / 3.4.5 / 3.5.6 / 3.6.2 on all Linux web servers and middleware. If immediate patching is not possible, implement EVP_PKEY_public_check() workaround.</p>
</td>
<td>
<p>IT Operations + DevOps</p>
</td>
</tr>
<tr>
<td>
<p>Develop and deploy detection signatures for bulk data exfiltration patterns (>500GB outbound from government network segments) — directly informed by Handala’s 2TB exfiltration from St. Joseph County.</p>
</td>
<td>
<p>SOC + Detection Engineering</p>
</td>
</tr>
<tr>
<td>
<p>Review and harden M365 conditional access policies. Require compliant/managed devices for all authentication — MFA alone is insufficient against current token-theft techniques used by APT28 and EvilTokens PhaaS.</p>
</td>
<td>
<p>Identity & Access Management</p>
</td>
</tr>
</tbody>
</table>
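<p>A baseline diff for the router-configuration action in the table above, added here as an example that is not from the original report or from either vendor. Both exports are constructed, in a simplified RouterOS-style layout (a <code>/section</code> line followed by <code>set</code> or <code>add</code> lines of <code>key=value</code> pairs, with no quoted values); real exports are richer and a production version would parse the vendor's actual format. The point it demonstrates is that the baseline must be captured from a trusted state and stored off the device, and that changes to DNS, routing and NAT sections deserve a higher severity than the rest.</p>

```python
"""Diff router configuration exports against a known-good baseline.

Added example, not from the original report. Format is a constructed,
simplified RouterOS-style export; both sample exports are constructed.
"""

# Sections where an unexplained change can redirect traffic (per the APT28 description);
# the list is an assumption to be adapted to the vendor's section names.
HIGH_RISK_SECTIONS = {"/ip dns", "/ip route", "/ip firewall nat", "/ip firewall filter", "/system scheduler"}


def parse_export(text):
    """Return {section: [entry, ...]}; each entry is a frozenset of (key, value) pairs
    including the verb ('set' or 'add') under the key '_verb'."""
    sections = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            sections.setdefault(section, [])
            continue
        if section is None:
            raise ValueError(f"entry before any section header: {line!r}")
        verb, *pairs = line.split()
        entry = {"_verb": verb}
        for pair in pairs:
            key, _, value = pair.partition("=")
            entry[key] = value
        sections[section].append(frozenset(entry.items()))
    return sections


def diff_configs(baseline_text, current_text):
    """List entries present in only one of the two exports, tagged by section severity."""
    base, cur = parse_export(baseline_text), parse_export(current_text)
    findings = []
    for section in sorted(set(base) | set(cur)):
        before, after = base.get(section, []), cur.get(section, [])
        severity = "HIGH" if section in HIGH_RISK_SECTIONS else "MEDIUM"
        for entry in after:
            if entry not in before:
                findings.append({"severity": severity, "section": section, "change": "added", "entry": dict(entry)})
        for entry in before:
            if entry not in after:
                findings.append({"severity": severity, "section": section, "change": "removed", "entry": dict(entry)})
    return findings


# Constructed known-good export, captured at deployment and stored off the device.
BASELINE_EXPORT = """
/ip dns
set servers=10.1.0.53,10.1.0.54 allow-remote-requests=no
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
"""

# Constructed current export: resolver changed to an external address and a route added.
CURRENT_EXPORT = """
/ip dns
set servers=203.0.113.53 allow-remote-requests=yes
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1
add dst-address=198.51.100.0/24 gateway=203.0.113.1
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
"""

if __name__ == "__main__":
    for finding in diff_configs(BASELINE_EXPORT, CURRENT_EXPORT):
        print(f"[{finding['severity']}] {finding['section']} {finding['change']}: {finding['entry']}")
```

<p>Run the diff on every scheduled backup and treat any HIGH finding outside a recorded change window as an incident trigger, which is the "router configuration changes outside maintenance windows" rule from the Detection Priorities table. Entries that are reordered but otherwise identical produce no findings, which keeps the rule quiet on cosmetic re-exports.</p>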
<h3><strong>30-DAY</strong></h3>
<table>
<thead>
<tr>
<th>
<p>Action</p>
</th>
<th>
<p>Responsible Team</p>
</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<p>Commission a comprehensive inventory of all AI agent and LLM platform deployments across state agencies, including vendor-managed AI tools embedded in SaaS platforms. Evaluate adoption of Microsoft’s Agent Governance Toolkit for M365 Copilot and Azure AI workloads.</p>
</td>
<td>
<p>CISO + Agency IT Directors</p>
</td>
</tr>
<tr>
<td>
<p>Conduct a tabletop exercise modeling the Handala scenario: extended reconnaissance → centralized IT compromise → multi-terabyte exfiltration → public data leak. Test incident response, communication, and recovery procedures.</p>
</td>
<td>
<p>CISO + Incident Response</p>
</td>
</tr>
<tr>
<td>
<p>Implement or validate OT/IT network segmentation. Ensure engineering workstations with Studio 5000 or equivalent PLC programming tools cannot be reached from general IT network segments.</p>
</td>
<td>
<p>Network Architecture + OT Security</p>
</td>
</tr>
<tr>
<td>
<p>Proactively research current federal and state cybersecurity legislation in progress. Legislative intelligence has been a blind spot for three consecutive collection cycles — this gap needs active remediation.</p>
</td>
<td>
<p>CISO + Legislative Liaison</p>
</td>
</tr>
<tr>
<td>
<p>Evaluate adding dedicated OT/ICS intelligence feeds (ICS-CERT, Dragos WorldView) to the state’s threat intelligence program. Current collection is IT-centric and inadequately covers the OT threat landscape highlighted by CISA AA26-097A.</p>
</td>
<td>
<p>CTI Program Manager</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>The Bottom Line</strong></h2>
<p>The threat environment facing state government networks is defined by convergence. The lines between hacktivism and state-sponsored operations are dissolving — Handala’s months-long compromise of a U.S. county government proves that. Nation-state actors from Iran, Russia, and China are simultaneously active against government infrastructure through different vectors: PLCs, routers, and identity platforms. Criminal ransomware operators continue to view state and local government as a preferred target. And a new attack surface — AI platforms deployed without adequate security — is being actively exploited.</p>
<p>The good news: every threat in this report has specific, actionable defensive steps. The PLC audit, the router inventory, the AI platform review, the RMM tool hunt — these are concrete actions your teams can execute this week.</p>
<p>The question is not whether these threats are real. CISA has confirmed them. The question is whether your agency will act on the intelligence before it becomes an incident.</p>