When Russia Hijacks Your Routers and Iran Owns Your PLCs: The Converging Threats State Government CISOs Must Address This Week

Anomali Threat Research

Published on

April 9, 2026

Table of Contents

Threat Assessment Level: ELEVATED — Trending HIGH Upgraded from ELEVATED in the prior cycle. Justification: The convergence of confirmed APT28 mass router compromise for M365 credential theft, a CVSS 9.8 actively exploited Ivanti EPMM vulnerability now on CISA’s KEV catalog targeting government, and the first confirmed use of AI-generated malware in ransomware operations collectively increase the compound risk to state government networks beyond the baseline ELEVATED posture. A single additional direct incident against a state or local government entity would trigger a move to HIGH. <h2>Introduction                            </h2> State government IT leaders face a threat environment this week that is not merely busy — it is converging. Nation-state actors from Russia, Iran, China, and North Korea are simultaneously executing campaigns that target the exact infrastructure stack most state agencies depend on: Microsoft 365 for identity, Ivanti for mobile device management, consumer routers for teleworker connectivity, and third-party vendor platforms for sensitive legal operations. This is not a theoretical exercise. As of April 8, 2026, Russia’s GRU has compromised tens of thousands of home routers to steal your employees’ M365 credentials. CISA has confirmed Iranian IRGC-affiliated actors are manipulating programmable logic controllers at U.S. water systems and energy facilities. A CVSS 9.8 vulnerability in Ivanti’s endpoint management platform — widely deployed across state government — is being actively exploited in the wild with government explicitly in the target set. And in Los Angeles, 7.7 terabytes of law enforcement data walked out the door through a third-party legal discovery tool — a platform identical to those used by state attorneys general and public defenders nationwide. This blog synthesizes the intelligence state CIOs and CISOs need to act on today, with specific defensive guidance, probability-weighted forecasts, and prioritized recommendations organized by urgency. <h2>What Changed: April 7–9, 2026</h2> The past 72 hours brought five developments that materially alter the risk calculus for state government: <table> <thead> <tr> <th> # </th> <th> Development </th> <th> Why It Matters for State Government </th> </tr> </thead> <tbody> <tr> <td> 1 </td> <td> APT28 (GRU Unit 26165) confirmed to have compromised 18,000–40,000 SOHO routers across 120 countries for DNS hijacking and M365 credential theft (NCSC advisory, April 7–8) </td> <td> Every state teleworker on an unmanaged home MikroTik or TP-Link router is a potential credential harvesting victim. APT28 is specifically targeting Outlook/M365 authentication tokens. </td> </tr> <tr> <td> 2 </td> <td> CVE-2026-1340 (Ivanti EPMM) added to CISA KEV — CVSS 9.8 unauthenticated RCE, actively exploited (April 8) </td> <td> Ivanti EPMM is the mobile device management platform for many state agencies. This is an unauthenticated remote code execution flaw — no credentials needed. Government is explicitly listed in the target set. </td> </tr> <tr> <td> 3 </td> <td> Chrome 147 released patching two CRITICAL WebML RCE flaws — CVE-2026-5858 (heap buffer overflow) and CVE-2026-5859 (integer overflow), plus 55 additional vulnerabilities (April 7–8) </td> <td> Chrome is the dominant browser across state government endpoints. These are drive-by-capable — a user visiting a malicious page is sufficient for code execution. </td> </tr> <tr> <td> 4 </td> <td> LAPD breach via third-party legal discovery platform — 7.7TB / 337,000+ files exfiltrated including witness identities, medical records, and unredacted criminal complaints (confirmed April 9) </td> <td> State AG offices, public defenders, and law enforcement agencies use identical e-discovery and document transfer platforms. This is a supply chain risk with a direct state government parallel. </td> </tr> <tr> <td> 5 </td> <td> AI-generated malware (Slopoly) confirmed in production ransomware operations — IBM X-Force attributes to Hive0163 (March 2026, reported April 8–9) </td> <td> The first verified instance of AI-generated malware deployed in a real ransomware intrusion. This lowers the barrier for custom, polymorphic malware that evades signature-based detection. </td> </tr> </tbody> </table> Continuing from prior cycles (not dropped — these remain active threats): <ul> <li>Iranian IRGC actors (CyberAv3ngers/IRGC-CEC) continue PLC manipulation at U.S. critical infrastructure per CISA Advisory AA26-097A (April 7). Rockwell Automation PLCs at water systems and energy sites are confirmed targets, with Dropbear SSH used for persistence.</li> <li>Handala Hack (pro-Iran hacktivist) breach claim against St. Joseph County, Indiana — 2TB exfiltrated — remains unresolved since discovery on April 8.</li> <li>CVE-2025-59528 (Flowise AI platform, CVSS 10.0) remains under active exploitation across 12,000–15,000 exposed instances.</li> <li>APT42 (IRGC-IO) and MuddyWater (MOIS) continue pre-positioning operations following the March 19 DOJ seizure of Iranian cyber infrastructure.</li> <li>ClickFix social engineering campaigns targeting government are confirmed active this cycle, deploying NETSUPPORT RAT via PowerShell lures; the AMOS stealer variant has evolved to bypass macOS Terminal warnings by pivoting to Script Editor.</li> </ul> <h2>Threat Timeline: March 19 – April 9, 2026</h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Actor / Source </th> <th> Impact </th> </tr> </thead> <tbody> <tr> <td> Mar 19 </td> <td> DOJ seizes Iranian cyber infrastructure </td> <td> U.S. DOJ </td> <td> Disrupts IRGC-IO/MOIS operations; triggers retaliatory pre-positioning </td> </tr> <tr> <td> Mar 2026 </td> <td> Hive0163 deploys AI-generated “Slopoly” malware in ransomware operation </td> <td> Hive0163 / IBM X-Force </td> <td> First confirmed AI-generated malware in production ransomware </td> </tr> <tr> <td> Apr 1 </td> <td> Handala Hack claims breach of St. Joseph County, IN (2TB exfiltrated) </td> <td> Handala Hack (pro-Iran) </td> <td> State/local government data exfiltration precedent </td> </tr> <tr> <td> Apr 7 </td> <td> CISA Advisory AA26-097A: Iranian actors exploit PLCs at U.S. critical infrastructure </td> <td> CyberAv3ngers (IRGC-CEC) / CISA </td> <td> Water, energy, government facilities confirmed targets </td> </tr> <tr> <td> Apr 7 </td> <td> CISA ICS Advisory: Mitsubishi GENESIS64 / ICONICS vulnerabilities </td> <td> CISA </td> <td> ICS/SCADA exposure for state-operated facilities </td> </tr> <tr> <td> Apr 7–8 </td> <td> NCSC advisory: APT28 compromises 18,000–40,000 SOHO routers for DNS hijacking </td> <td> APT28 / GRU Unit 26165 </td> <td> M365 credential theft via AiTM across 120 countries </td> </tr> <tr> <td> Apr 7–8 </td> <td> Chrome 147 released: 2 CRITICAL + 15 HIGH severity patches </td> <td> Google </td> <td> Drive-by RCE risk for unpatched browsers </td> </tr> <tr> <td> Apr 7 </td> <td> Firefox ESR 140.9.1 patches CVE-2026-5731 (CVSS 9.8) and CVE-2026-5732 (CVSS 8.8) </td> <td> Mozilla </td> <td> Memory safety and integer overflow in government-deployed browsers </td> </tr> <tr> <td> Apr 8 </td> <td> CISA adds CVE-2026-1340 (Ivanti EPMM) to KEV — actively exploited </td> <td> CISA / Ivanti </td> <td> Unauthenticated RCE in government MDM platform </td> </tr> <tr> <td> Apr 8–9 </td> <td> ClickFix campaigns confirmed targeting government with NETSUPPORT RAT </td> <td> Financial-gain actors </td> <td> Social engineering → remote access tool deployment </td> </tr> <tr> <td> Apr 8–9 </td> <td> AMOS Stealer shifts from Terminal to Script Editor to bypass macOS warnings </td> <td> ClickFix operators </td> <td> macOS security control evasion </td> </tr> <tr> <td> Apr 9 </td> <td> LAPD breach via third-party legal discovery tool confirmed (7.7TB) </td> <td> Unknown actor </td> <td> Government vendor supply chain data exfiltration </td> </tr> <tr> <td> Apr 8–9 </td> <td> Axios npm supply chain attack attributed to UNC1069 (DPRK-linked) </td> <td> UNC1069 / DPRK </td> <td> Developer supply chain compromise </td> </tr> <tr> <td> Ongoing </td> <td> OCEANBUFFALO/Pagoda APT IOCs targeting government (confidence 90) </td> <td> OCEANBUFFALO </td> <td> Government-targeted espionage malware </td> </tr> </tbody> </table> <h2>Key Threat Analysis                       </h2> <h3>1. APT28’s Router Hijacking Campaign: Your Teleworkers Are the Attack Surface</h3> Actor: APT28 (Fancy Bear / GRU Unit 26165 — Russian military intelligence) This is not a theoretical vulnerability — it is an active, confirmed operation at massive scale. APT28 has compromised an estimated 18,000 to 40,000 consumer-grade MikroTik and TP-Link routers across approximately 120 countries. The operation uses DNS hijacking to redirect victims’ web traffic through attacker-controlled infrastructure, enabling adversary-in-the-middle (AiTM) interception of passwords and authentication tokens. The specific targeting of Microsoft Outlook and M365 credentials makes this directly relevant to every state agency running Microsoft 365. Why this matters for state government: State employees working from home — and there are tens of thousands of them — connect through consumer routers that the state IT organization does not manage, cannot patch, and likely cannot even inventory. APT28 is exploiting this exact gap. A compromised home router silently redirects DNS queries, allowing the attacker to present convincing login pages and intercept MFA tokens in real time. The employee sees nothing unusual. The attacker gets a valid session token. Corroboration: Six independent sources (NCSC, TechCrunch, Ars Technica, The Hacker News, Tom’s Hardware, and additional OSINT) confirm the operation’s scope, TTPs, and targeting. This is a high-confidence assessment. <h3>2. CVE-2026-1340: Ivanti EPMM Under Active Exploitation — Government in the Crosshairs</h3> CVSS: 9.8 CRITICAL | Status: CISA Known Exploited Vulnerability (KEV) | Exploitation: Active, in the wild Ivanti Endpoint Manager Mobile (EPMM) is the mobile device management platform that many state agencies rely on to manage smartphones, tablets, and mobile access to state systems. CVE-2026-1340 is an unauthenticated code injection vulnerability — meaning an attacker needs no credentials whatsoever to achieve remote code execution on the EPMM server. Campaign intelligence from threat feeds confirms that actors of unknown motivation are actively exploiting both CVE-2026-1281 and CVE-2026-1340 for initial access, with government explicitly listed among the targeted sectors alongside automotive, commercial, financial services, manufacturing, and transportation across six countries. For state agencies running Ivanti EPMM, this is a patch-now situation. CISA’s Binding Operational Directive 22-01 requires remediation by the specified due date. If patching cannot be completed within 48 hours, isolate the EPMM instance from internet-facing access immediately. <h3>3. Iranian Threat Complex: From PLCs to Hacktivism</h3> Three distinct Iranian threat actors are conducting operations relevant to state government: <table> <thead> <tr> <th> Actor </th> <th> Affiliation </th> <th> Current Activity </th> <th> Target </th> </tr> </thead> <tbody> <tr> <td> CyberAv3ngers </td> <td> IRGC Cyber-Electronic Command (CEC) </td> <td> Active PLC manipulation at U.S. facilities; Dropbear SSH persistence (CISA AA26-097A) </td> <td> Water/wastewater, energy, government SCADA </td> </tr> <tr> <td> APT42 </td> <td> IRGC Intelligence Organization (IO) </td> <td> Pre-positioning operations post-DOJ infrastructure seizure (Mar 19) </td> <td> Government, policy, diplomatic targets </td> </tr> <tr> <td> MuddyWater </td> <td> Ministry of Intelligence and Security (MOIS) </td> <td> Pre-positioning operations post-DOJ infrastructure seizure </td> <td> Government, telecommunications </td> </tr> <tr> <td> Handala Hack </td> <td> Pro-Iran hacktivist </td> <td> Claimed 2TB breach of St. Joseph County, IN (Apr 1, discovered Apr 8) </td> <td> U.S. state/local government </td> </tr> </tbody> </table> The March 19 DOJ seizure of Iranian cyber infrastructure has not degraded these actors — it has accelerated their pre-positioning. CyberAv3ngers’ confirmed manipulation of Rockwell Automation PLCs at water systems is particularly concerning for state agencies that operate water treatment, wastewater, and transportation SCADA systems. <h3>4. Ransomware Landscape: AI-Generated Malware Enters the Arena</h3> The ransomware threat to state and local government remains acute, with five groups actively targeting the sector: <ul> <li>Akira — Hit School Health Corporation (education-adjacent) on April 7</li> <li>DragonForce — Active in threat feeds targeting government</li> <li>Qilin — Active in threat feeds targeting government</li> <li>NightSpire — Active in threat feeds targeting government</li> <li>Hive0163 — Deployed Slopoly, the first confirmed AI-generated malware used in a production ransomware operation</li> </ul> The Slopoly development deserves special attention. IBM X-Force confirmed that Hive0163 used multiple backdoors in sequence during an intrusion before introducing Slopoly late in the kill chain — suggesting the group was testing AI-assisted tooling in a live environment. If AI-generated malware becomes standard practice, it means: <ul> <li>Polymorphic variants generated on demand, defeating signature-based detection</li> <li>Lower skill barriers for ransomware affiliates to produce custom tooling</li> <li>Faster iteration — new variants can be generated in minutes, not days</li> </ul> This is a strategic inflection point, not a one-off curiosity. <h3>5. Supply Chain: Three Vectors, Three Threat Actors</h3> <table> <thead> <tr> <th> Vector </th> <th> Actor </th> <th> Detail </th> </tr> </thead> <tbody> <tr> <td> Third-party legal platform </td> <td> Unknown </td> <td> LAPD breach: 7.7TB exfiltrated via vendor-managed e-discovery tool. State AG offices and law enforcement use identical platforms. </td> </tr> <tr> <td> npm package (Axios) </td> <td> UNC1069 (DPRK-linked) </td> <td> Compromised widely-used npm package for developer supply chain attack. State agencies with custom web applications using Axios are exposed. </td> </tr> <tr> <td> Open source community (Slack) </td> <td> Unknown </td> <td> Linux Foundation leader impersonated in Slack to deliver malware to open source developers. OpenSSF issued high-severity advisory. </td> </tr> </tbody> </table> <h3>6. ClickFix Social Engineering: Now Targeting Government</h3> Two active campaigns confirmed this cycle use the ClickFix social engineering technique to target government and commercial sectors: <ul> <li>One campaign deploys NETSUPPORT remote access tool via ClickFix lures and PowerShell scripts</li> <li>The AMOS (Atomic Stealer) campaign has evolved to bypass Apple’s macOS Terminal security warnings by shifting execution to Script Editor</li> </ul> ClickFix tricks users into copying and pasting malicious commands — a technique that bypasses traditional email security controls because the user initiates the execution themselves. <h2>Predictive Analysis: What Comes Next</h2> Based on current intelligence, actor behavior patterns, and the active threat landscape: <table> <thead> <tr> <th> Probability </th> <th> Prediction (7-day horizon) </th> </tr> </thead> <tbody> <tr> <td> 70% </td> <td> NCSC releases specific IOCs and detection guidance for the APT28 router hijacking campaign, enabling creation of targeted detection rules </td> </tr> <tr> <td> 65% </td> <td> CVE-2026-1340 (Ivanti EPMM) exploitation expands in scope; additional government victims are identified as scanning activity increases </td> </tr> <tr> <td> 60% </td> <td> Additional Chrome zero-day or in-the-wild exploitation of CVE-2026-5858/5859 is reported before enterprise patching reaches saturation </td> </tr> <tr> <td> 55% </td> <td> ClickFix campaigns targeting government intensify — two active campaigns with government targeting confirmed this cycle, and the technique continues to evolve to evade controls </td> </tr> <tr> <td> 50% </td> <td> Iranian threat actors (CyberAv3ngers or affiliated groups) conduct additional ICS/SCADA operations at U.S. critical infrastructure in retaliation for the March 19 DOJ action </td> </tr> <tr> <td> 40% </td> <td> A U.S. state or local government entity is publicly reported as a ransomware victim within 7 days, given the current activity level of Akira, DragonForce, Qilin, NightSpire, and Hive0163 </td> </tr> <tr> <td> 30% </td> <td> AI-generated malware (Slopoly or similar) is identified in a second, independent ransomware operation — confirming the technique is spreading beyond Hive0163 </td> </tr> </tbody> </table> <h2>SOC Operational Guidance               </h2> <h3>Detection Priorities</h3> Priority 1 — APT28 DNS Hijacking / AiTM Credential Theft <table> <thead> <tr> <th> ATT&CK Technique </th> <th> Detection Guidance </th> </tr> </thead> <tbody> <tr> <td> T1584.008 — Compromise Infrastructure: Network Devices </td> <td> Monitor for DNS configuration changes on network edge devices, particularly MikroTik and TP-Link routers. Alert on DNS server changes to non-authorized resolvers. </td> </tr> <tr> <td> T1557.001 — Adversary-in-the-Middle </td> <td> Monitor for TLS certificate anomalies on M365/Outlook login flows. Detect mismatched certificate authorities for login.microsoftonline.com and outlook.office365.com. </td> </tr> <tr> <td> T1539 — Steal Web Session Cookie </td> <td> Hunt for impossible travel or anomalous session token reuse in Azure AD/Entra ID sign-in logs. Look for sessions originating from unexpected geographies within minutes of legitimate logins. </td> </tr> <tr> <td> T1078.004 — Valid Accounts: Cloud Accounts </td> <td> Alert on M365 logins from IP ranges associated with known VPN/proxy services, particularly those geolocated in Eastern Europe or Central Asia. </td> </tr> </tbody> </table> Hunting Hypothesis:If APT28 is intercepting M365 tokens via DNS hijacking on home routers, we should see anomalous Azure AD sign-in events where the same user authenticates from both their normal ISP and an unexpected IP within a short time window, or where conditional access policies are bypassed by replayed session tokens. Priority 2 — Ivanti EPMM Exploitation (CVE-2026-1340) <table> <thead> <tr> <th> ATT&CK Technique </th> <th> Detection Guidance </th> </tr> </thead> <tbody> <tr> <td> T1190 — Exploit Public-Facing Application </td> <td> Monitor Ivanti EPMM server logs for unauthenticated API calls with code injection patterns. Alert on unexpected child processes spawned by the EPMM web service. </td> </tr> <tr> <td> T1059 — Command and Scripting Interpreter </td> <td> Post-exploitation will likely involve command execution. Monitor for cmd.exe, powershell.exe, or bash spawned by the Ivanti EPMM process. </td> </tr> </tbody> </table> Hunting Hypothesis:If CVE-2026-1340 is being exploited against our EPMM instance, we should see unauthenticated HTTP requests to the EPMM API containing injection payloads, followed by anomalous process creation on the EPMM server. Priority 3 — ClickFix Social Engineering → NETSUPPORT / AMOS <table> <thead> <tr> <th> ATT&CK Technique </th> <th> Detection Guidance </th> </tr> </thead> <tbody> <tr> <td> T1059.001 — PowerShell </td> <td> Alert on PowerShell execution initiated from browser processes or clipboard paste operations. Look for encoded commands or download cradles. </td> </tr> <tr> <td> T1059.005 — Visual Basic / Script Editor </td> <td> On macOS endpoints, monitor for osascript or Script Editor launching shell commands. The AMOS campaign has pivoted from Terminal to Script Editor. </td> </tr> <tr> <td> T1219 — Remote Access Software </td> <td> Detect NETSUPPORT RAT installation artifacts: client32.exe, NSM.LIC, connections to NETSUPPORT C2 infrastructure. </td> </tr> <tr> <td> T1566.002 — Spearphishing Link </td> <td> Monitor for users navigating to Cloudflare Pages or Squarespace-hosted domains that serve ClickFix lures. </td> </tr> </tbody> </table> Hunting Hypothesis:If ClickFix is targeting state employees, we should see browser-initiated PowerShell or Script Editor execution, potentially preceded by visits to newly registered domains on Cloudflare Pages or similar hosting platforms. Priority 4 — Iranian ICS/SCADA Operations <table> <thead> <tr> <th> ATT&CK Technique </th> <th> Detection Guidance </th> </tr> </thead> <tbody> <tr> <td> T0839 — Module Firmware (ICS) </td> <td> Monitor for unauthorized firmware changes on Rockwell Automation PLCs at water, wastewater, and energy facilities. </td> </tr> <tr> <td> T0859 — Valid Accounts (ICS) </td> <td> Detect SSH connections (particularly Dropbear SSH) to OT/ICS network segments from unexpected sources. </td> </tr> <tr> <td> T1021.004 — Remote Services: SSH </td> <td> Alert on SSH sessions to PLC management interfaces, especially from internet-facing IP ranges or jump hosts not in the approved access list. </td> </tr> </tbody> </table> <h2>Sector-Specific Defensive Priorities</h2> <h3>Financial Services (State Treasury, Revenue, Tax Systems)</h3> <ul> <li>Primary threat: APT28 AiTM credential theft targeting M365 accounts that access financial systems and taxpayer PII</li> <li>Action: Enforce phishing-resistant MFA (FIDO2/hardware keys) for all accounts with access to treasury, revenue, and tax processing systems. Conditional access policies should require compliant devices and block legacy authentication protocols.</li> <li>Secondary threat: ClickFix → NETSUPPORT campaigns targeting government financial operations</li> <li>Action: Restrict PowerShell execution to constrained language mode on endpoints in financial processing environments. Block NETSUPPORT RAT artifacts at the endpoint and network level.</li> </ul> <h3>Energy (State-Operated Utilities, Grid Coordination)</h3> <ul> <li>Primary threat: CyberAv3ngers (IRGC-CEC) PLC manipulation at energy facilities — confirmed active per CISA AA26-097A</li> <li>Action: Audit all Rockwell Automation PLC firmware versions at state-operated energy facilities. Verify no unauthorized SSH services (particularly Dropbear SSH) are running on OT network segments. Implement network segmentation between IT and OT with unidirectional gateways where feasible.</li> <li>Secondary threat: Mitsubishi GENESIS64 / ICONICS ICS vulnerabilities (CISA ICS advisory, April 7)</li> <li>Action: Inventory all Mitsubishi/ICONICS deployments and apply vendor patches per CISA guidance.</li> </ul> <h3>Healthcare (State Medicaid, Public Health, HHS Systems)</h3> <ul> <li>Primary threat: Ransomware — Akira hit School Health Corporation (April 7); healthcare remains the most targeted sector for ransomware nationally</li> <li>Action: Verify offline backup integrity for Medicaid claims processing, electronic health records, and public health surveillance systems. Test restoration procedures. Ensure incident response retainer is current and covers healthcare-specific regulatory requirements (HIPAA breach notification).</li> <li>Secondary threat: Third-party vendor compromise — the LAPD breach pattern applies to health information exchanges and claims processing vendors</li> <li>Action: Audit third-party data sharing agreements for healthcare vendors. Require SOC 2 Type II attestation and verify MFA enforcement on all vendor access to state health data.</li> </ul> <h3>Government (Executive Agencies, Legislature, Judiciary)</h3> <ul> <li>Primary threat: Ivanti EPMM CVE-2026-1340 — unauthenticated RCE on the MDM platform managing agency mobile devices</li> <li>Action: Patch immediately. If patching is delayed, isolate EPMM from internet-facing access. Audit EPMM logs for indicators of prior exploitation.</li> <li>Secondary threat: APT28 credential theft via home router DNS hijacking — state teleworkers are directly exposed</li> <li>Action: Enforce conditional access policies requiring compliant/managed devices for M365 access. Evaluate SASE/ZTNA solutions to tunnel remote worker traffic through state-controlled infrastructure, bypassing compromised home routers.</li> <li>Tertiary threat: Handala Hack and similar hacktivist groups targeting county/municipal government — St. Joseph County, IN breach is a direct precedent</li> <li>Action: Issue advisory to county and municipal IT partners about hacktivist targeting. Verify that interconnected local government networks are segmented from state systems.</li> </ul> <h3>Aviation / Logistics (State DOT, Airport Authorities, Port Operations)</h3> <ul> <li>Primary threat: Nation-state espionage — China-nexus actors are actively exploiting BeyondTrust (CVE-2026-1731, CVSS 9.8) targeting aerospace and government</li> <li>Action: Inventory all BeyondTrust Remote Support and Privileged Remote Access instances across DOT and transportation agencies. Verify patched against CVE-2026-1731. Restrict remote access tool usage to approved, patched versions only.</li> <li>Secondary threat: Supply chain compromise via npm/developer tools — state agencies with custom logistics or fleet management applications built on Node.js are exposed to the Axios npm attack (UNC1069/DPRK)</li> <li>Action: Audit package-lock.json files for Axios dependencies. Pin all npm packages to specific versions and verify integrity hashes. Implement software composition analysis (SCA) in CI/CD pipelines.</li> </ul> <h2>Prioritized Defense Recommendations</h2> <h3>IMMEDIATE (Within 24 Hours)</h3> <table> <thead> <tr> <th> Priority </th> <th> Responsible Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🔴 </td> <td> IT Operations </td> <td> Patch Ivanti EPMM to remediate CVE-2026-1340 (CVSS 9.8, CISA KEV, actively exploited, government targeted). Verify all EPMM instances across agencies. If patching is delayed beyond 48 hours, isolate EPMM from internet-facing access. </td> </tr> <tr> <td> 🔴 </td> <td> IT Operations </td> <td> Push Chrome 147.0.7727.55+ to all managed endpoints to remediate CVE-2026-5858 and CVE-2026-5859 (Critical WebML RCE). Verify auto-update is functioning across all agencies. </td> </tr> <tr> <td> 🔴 </td> <td> IT Operations </td> <td> Push Firefox ESR 140.9.1+ and Thunderbird 140.9.1+ to remediate CVE-2026-5731 (CVSS 9.8 memory safety) and CVE-2026-5732 (CVSS 8.8 integer overflow). </td> </tr> <tr> <td> 🔴 </td> <td> SOC </td> <td> Create detection rules for DNS configuration changes on MikroTik and TP-Link routers visible in state network telemetry and VPN logs. Alert on DNS redirects to non-authorized resolvers. Monitor Azure AD sign-in logs for impossible travel and session token replay indicative of APT28 AiTM. </td> </tr> </tbody> </table> <h3>7-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Responsible Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🟠 </td> <td> Identity/SOC </td> <td> Audit Azure AD/Entra ID conditional access policies to enforce token binding, require compliant devices, and detect session token replay. APT28’s router DNS hijacking enables AiTM token theft against M365. Evaluate phishing-resistant MFA (FIDO2) for privileged accounts. </td> </tr> <tr> <td> 🟠 </td> <td> IT Operations </td> <td> Inventory and patch all BeyondTrust Remote Support and Privileged Remote Access instances against CVE-2026-1731 (CVSS 9.8). China-nexus actors are actively exploiting this for government and aerospace targeting. </td> </tr> <tr> <td> 🟠 </td> <td> CISO / Legal </td> <td> Audit third-party e-discovery and legal document transfer platforms used by the Attorney General’s office, public defenders, and state law enforcement. The LAPD breach (7.7TB via vendor tool) is a direct precedent. Require vendor SOC 2 attestation, enforce MFA on all vendor access, and verify data-at-rest encryption. </td> </tr> <tr> <td> 🟠 </td> <td> IT Operations (macOS) </td> <td> Block Script Editor execution via MDM policy on state-managed macOS devices. The AMOS/ClickFix campaign now bypasses Terminal warnings by pivoting to Script Editor. Also restrict osascript execution to approved processes. </td> </tr> <tr> <td> 🟠 </td> <td> ICS/OT Security </td> <td> Audit Rockwell Automation PLC firmware at state-operated water, wastewater, and energy facilities per CISA Advisory AA26-097A. Verify no unauthorized SSH services (Dropbear SSH) are present on OT segments. Review and tighten IT/OT network segmentation. </td> </tr> </tbody> </table> <h3>30-DAY</h3> <table> <thead> <tr> <th> Priority </th> <th> Responsible Team </th> <th> Action </th> </tr> </thead> <tbody> <tr> <td> 🟡 </td> <td> CISO </td> <td> Commission a SOHO/remote worker router security assessment. APT28’s compromise of 18,000–40,000 consumer routers for credential theft means state teleworkers on unmanaged home networks are exposed at scale. Evaluate SASE/ZTNA architectures to route remote worker traffic through state-controlled infrastructure, eliminating dependence on home router DNS integrity. </td> </tr> <tr> <td> 🟡 </td> <td> CISO </td> <td> Develop an AI-generated malware detection strategy. IBM X-Force’s Slopoly finding confirms ransomware operators are using AI to generate custom malware. Evaluate behavioral EDR rules, sandbox detonation capabilities, and ML-based detection models that do not rely on static signatures. </td> </tr> <tr> <td> 🟡 </td> <td> CISO / Procurement </td> <td> Establish a third-party vendor cybersecurity assessment program for all vendors handling sensitive state data — particularly legal, healthcare, and financial processing vendors. Require SOC 2 Type II, penetration testing results, and incident notification SLAs in all contracts. </td> </tr> <tr> <td> 🟡 </td> <td> CISO / CIO </td> <td> Brief the Governor’s office and agency heads on the converging nation-state threat landscape. The simultaneous pressure from Russia (credential theft), Iran (ICS manipulation), China (remote access tool exploitation), and DPRK (supply chain compromise) represents a compound risk that may require additional budget allocation for identity security, OT segmentation, and remote workforce protection. </td> </tr> <tr> <td> 🟡 </td> <td> IR / CISO </td> <td> Update the state incident response plan to address AI-generated malware scenarios and third-party vendor breach scenarios. Tabletop exercise recommendation: simulate a ransomware incident where the malware evades signature-based detection (Slopoly scenario) combined with a simultaneous vendor data breach (LAPD scenario). </td> </tr> </tbody> </table> <h2>What We’re Watching But Haven’t Seen — And Why That Matters</h2> Intelligence analysis is not only about what appeared this week — it is also about what should have appeared but didn’t: <ul> <li>Volt Typhoon / Salt Typhoon (China): No new reporting on Chinese pre-positioning in U.S. critical infrastructure this cycle, despite the active China-nexus BeyondTrust exploitation campaign. Given heightened U.S.-China tensions, the silence on these actors is notable and may indicate operational security improvements rather than reduced activity. We are actively monitoring.</li> <li>Direct ransomware hit on a state or local government entity: Despite five active ransomware groups targeting government, no new state/local victim was publicly reported this cycle. This may indicate a pre-positioning phase rather than a lull. Do not reduce defensive posture.</li> <li>Cybersecurity legislation: No new state or federal cybersecurity legislation was captured this cycle — the fourth consecutive cycle without legislative intelligence. This is a collection gap, not an absence of legislative activity. State legislatures are in session and cybersecurity bills are moving. State CISOs should independently monitor NCSL cybersecurity policy trackers and their own legislature’s bill tracking systems for compliance-impacting developments.</li> </ul> <h2>Bottom Line                                  </h2> The threat environment facing state government this week is defined by convergence — not any single threat, but the simultaneous pressure across identity infrastructure (APT28 credential theft), endpoint management (Ivanti EPMM exploitation), operational technology (Iranian PLC manipulation), the software supply chain (npm compromise, vendor platform breaches), and the browser attack surface (Chrome and Firefox critical vulnerabilities). No single defensive action addresses this compound risk. The recommendations above are sequenced by urgency because time is the variable state CISOs control. The Ivanti EPMM patch and Chrome/Firefox updates are the highest-leverage actions available today — they close confirmed, actively exploited attack paths against government targets. The 7-day actions (conditional access hardening, BeyondTrust patching, vendor audits) address the next tier of confirmed threats. The 30-day actions (SASE/ZTNA evaluation, AI malware strategy, vendor assessment program) build structural resilience against the threat landscape that is forming. The adversaries are not waiting. Neither should we.

FEATURED RESOURCES

April 9, 2026

Anomali Cyber Watch

Iran’s Cyber War Machine Isn’t Slowing Down — Six Weeks in, Critical Infrastructure Is Under Active Attack

April 9, 2026

Anomali Cyber Watch

Public Sector

When Russia Hijacks Your Routers and Iran Owns Your PLCs: The Converging Threats State Government CISOs Must Address This Week

April 8, 2026

Anomali Cyber Watch

Iran’s Cyber War Didn’t Stop With the Ceasefire — It Just Went Underground

Explore All