When the Ceasefire Holds but the Hackers Don’t: Iran’s Cyber War Enters Its Ninth Week

Anomali Threat Research

Published on

April 28, 2026

Table of Contents

Threat Assessment Level: HIGH Nine weeks into the most significant U.S.–Iran military confrontation since 1979, a kinetic ceasefire declared around April 16 has done nothing to slow Iranian cyber operations. Federal agencies have been compromised. Russian intelligence infrastructure is converging with Iranian hosting. Emergency services, digital signage systems, and tens of thousands of home routers have become the new frontlines. And the most dangerous signal in our intelligence picture isn’t what we’re seeing — it’s what we’re not. <h2> What Changed This Week                  </h2> The period ending April 28, 2026 — Day 59 of the conflict that began with Operation Epic Fury on February 28 — delivered five developments that should be on every CISO’s radar: <ol> <li> CISA confirmed a federal agency was compromised via FIRESTARTER, a firmware-persistent backdoor on Cisco ASA/FTD firewalls that survives device updates . Traditional patching is not sufficient — full memory forensics and reimaging are required. </li> <li> Russian-Iranian infrastructure convergence deepened. APT28 (Russian GRU) Operation Masquerade compromised 18,000+ SOHO routers to steal Microsoft 365 OAuth tokens — and three high-confidence command-and-control IPs sit on Iranian ASN 213790. This is not coincidence; it’s cooperation. </li> <li> Five ICS advisories dropped in a single day , including vulnerabilities in IP camera systems that Iranian actors have used for battlefield damage assessment, and a critical flaw in Intrado 911 Emergency Gateway systems — a new category of critical infrastructure now in the crosshairs. </li> <li> Samsung MagicINFO CVE-2024-7399 added to CISA KEV with active exploitation confirmed. This CVSS 8.8 flaw in digital signage infrastructure present in government buildings, airports, hospitals, and military facilities enables arbitrary file write as system authority — both a network pivot point and an information operations defacement vector. </li> <li> 48 days of silence on defense industrial base pre-positioning — the longest intelligence gap on the single most consequential targeting vector during an active conflict. Absence of evidence is not evidence of absence. </li> </ol> <h2> Conflict & Cyber Timeline                       </h2> <table> <thead> <tr> <th> Date </th> <th> Event </th> <th> Significance </th> </tr> </thead> <tbody> <tr> <td> 28 Feb 2026 </td> <td> Operation Epic Fury begins — U.S.–Iran kinetic conflict starts </td> <td> Triggers full-spectrum Iranian cyber mobilization </td> </tr> <tr> <td> 11 Mar </td> <td> Handala (Void Manticore) wiper attack hits Stryker — 200,000 endpoints </td> <td> Largest destructive cyber operation of the conflict </td> </tr> <tr> <td> 7 Apr </td> <td> CISA Advisory AA26-097A — Iranian actors exploiting PLCs in water/energy </td> <td> Confirms ICS/OT targeting at scale </td> </tr> <tr> <td> 7 Apr </td> <td> FBI Operation Masquerade — court-authorized takedown of APT28 router botnet </td> <td> 18,000+ TP-Link/MikroTik routers compromised for OAuth theft </td> </tr> <tr> <td> ~16 Apr </td> <td> Kinetic ceasefire declared </td> <td> Cyber operations continue unabated per NYT reporting </td> </tr> <tr> <td> 23 Apr </td> <td> CISA publishes FIRESTARTER MAR (AR26-113A) </td> <td> FCEB agency compromise confirmed; persistence survives firmware updates </td> </tr> <tr> <td> 23 Apr </td> <td> Five ICS advisories: IP cameras, 911 gateway, GNSS receivers </td> <td> Expands known Iranian-relevant attack surface </td> </tr> <tr> <td> 24 Apr </td> <td> CVE-2024-7399 added to CISA KEV — Samsung MagicINFO 9 Server </td> <td> Active exploitation confirmed; digital signage in government/military facilities at risk </td> </tr> <tr> <td> 24–26 Apr </td> <td> APT28 expands to three IPs on Iranian ASN 213790 </td> <td> Russian-Iranian cyber infrastructure sharing confirmed at high confidence </td> </tr> <tr> <td> 27 Apr </td> <td> CSIS publishes comprehensive analysis of Iranian cyber threat to U.S. CI </td> <td> Confirms threat picture at most acute level since conflict began </td> </tr> <tr> <td> 28 Apr </td> <td> UNC3890 (Imperial Kitten) and UNC757 (Pioneer Kitten) profiles updated </td> <td> Active operations or infrastructure changes during ceasefire </td> </tr> </tbody> </table> <h2> The Threat Actors: A Full Roster              </h2> The Iranian cyber apparatus operating during this conflict spans both of Iran’s primary intelligence organizations, augmented by hacktivist proxies and an unprecedented Russian partnership. <h3> IRGC-Affiliated Actors </h3> <ul> <li> APT33 (Elfin/Refined Kitten) — Aerospace and energy sector targeting </li> <li> APT35 (Charming Kitten/Phosphorus) — Credential theft and social engineering campaigns </li> <li> APT42 (IRGC-IO) — Surveillance and espionage operations </li> <li> Cyber Av3ngers — ICS/OT destruction, demonstrated Unitronics PLC exploitation (IOCONTROL malware) </li> <li> Fox Kitten — VPN exploitation specialist, known for Citrix/Fortinet/Ivanti access brokering </li> <li> UNC1549/Imperial Kitten — Aerospace and defense industrial base targeting via malicious GitHub repositories (resumed April 22–23) </li> <li> UNC3890 (Imperial Kitten/Yellowliderc) — Chemical, energy, healthcare, and manufacturing targeting; profile updated April 28 </li> <li> Cotton Sandstorm (Emennet Pasargad/BANISHED KITTEN) — Influence operations; profile updated April 27 but no new campaigns detected (notable silence) </li> <li> Handala/Void Manticore — Destructive wiper operations; responsible for the Stryker attack (200K endpoints, March 11) </li> </ul> <h3> MOIS-Directed Actors </h3> <ul> <li> APT34 (OilRig) — Infrastructure expansion confirmed during ceasefire </li> <li> MuddyWater (TEMP.Zagros) — Infrastructure expansion confirmed during ceasefire </li> <li> UNC1860 (Scarred Manticore) — Persistent access operations </li> </ul> <h3> State-Criminal Hybrids </h3> <ul> <li> UNC757/Pioneer Kitten (Lemon Sandstorm/Parisite) — Profile updated April 27; targets 11 countries across financial services, government, healthcare, energy, and education; known for VPN exploitation and ransomware-as-a-service handoffs (Pay2Key) </li> </ul> <h3> Russian Convergence </h3> <ul> <li> APT28 (Fancy Bear/GRU Unit 26165) — Operating from Iranian ASN 213790 with three confirmed IPs; OAuth token theft technique directly transferable to Iranian actors </li> </ul> <h2> Deep Dive: FIRESTARTER — The Backdoor That Survives Your Patches </h2> CISA’s Malware Analysis Report AR26-113A, published April 23, is the most consequential technical disclosure of this conflict cycle. FIRESTARTER is a backdoor targeting Cisco ASA and Cisco FTD firewalls — the perimeter devices that millions of organizations trust as their first line of defense. What makes FIRESTARTER exceptional: <ul> <li> Firmware persistence : The implant survives device updates and reboots. Cisco tracks the actor as UAT-4356 (also Storm-1849) and acknowledges the group “appears to be government-backed” while declining specific nation-state attribution. </li> <li> Confirmed federal compromise : A U.S. Federal Civilian Executive Branch (FCEB) agency was compromised. </li> <li> Remediation requires reimaging : Patching alone is insufficient. Organizations must perform memory forensics using CISA-provided YARA rules, followed by full device reimaging if indicators are found. </li> </ul> Relevant ATT&CK Techniques: - T1190 — Exploit Public-Facing Application - T1542.004 — Pre-OS Boot: ROMMONkit (persistence through updates) - T1556 — Modify Authentication Process - T1071 — Application Layer Protocol (C2) Bottom line for CISOs: If your organization runs Cisco ASA or FTD devices, assume compromise until proven otherwise. Memory analysis — not just patching — is the only way to confirm clean status. <h2> Deep Dive: Operation Masquerade and Russian-Iranian Infrastructure Sharing </h2> On April 7, the FBI executed court-authorized Operation Masquerade against APT28’s compromise of 18,000+ TP-Link and MikroTik SOHO routers . The technique is elegant and devastating: <ol> <li> Exploit SNMP v2 default credentials on SOHO routers </li> <li> Rewrite DNS settings to redirect Microsoft OAuth endpoints to transparent proxies </li> <li> Capture OAuth access and refresh tokens after MFA completion </li> <li> Use stolen tokens (valid 60–90 days on default M365 settings) for persistent cloud access </li> </ol> The Iran-conflict dimension: Three high-confidence APT28-attributed IPs are hosted on Iranian ASN 213790 (“Limited Network”) : <table> <thead> <tr> <th> IOC </th> <th> ASN </th> <th> Confidence </th> <th> Tags </th> </tr> </thead> <tbody> <tr> <td> 185.93.89[.]147 </td> <td> 213790 </td> <td> 91 </td> <td> APT28, mirage </td> </tr> <tr> <td> 192.253.248[.]180 </td> <td> 213790 </td> <td> 90 </td> <td> APT28, retail/telecom targeting </td> </tr> <tr> <td> 185.93.89[.]43 </td> <td> 213790 </td> <td> 93 </td> <td> APT28, command injection </td> </tr> </tbody> </table> An additional IP on a separate Iranian ASN was also identified: <table> <thead> <tr> <th> IOC </th> <th> ASN </th> <th> Confidence </th> <th> Tags </th> </tr> </thead> <tbody> <tr> <td> 176.46.152[.]46 </td> <td> 44208 (Farahoosh Dena) </td> <td> 91 </td> <td> Transparent-Tribe, amadey/obliquerat </td> </tr> </tbody> </table> Why this matters: The OAuth proxy technique requires zero malware and bypasses MFA. It relies only on SNMP access to commodity routers — a capability well within Iranian actor tradecraft. Cyber Av3ngers have already demonstrated IoT/embedded device exploitation. If Iranian actors adopt this technique (and the shared ASN infrastructure suggests they may already be doing so), every M365 tenant accessible via a network with SOHO routers becomes a target. Relevant ATT&CK Techniques: - T1557/T1557.002 — Adversary-in-the-Middle / ARP Cache Poisoning (DNS redirect variant) - T1528 — Steal Application Access Token (OAuth) - T1584.004 — Compromise Infrastructure: Server - T1078.004 — Valid Accounts: Cloud Accounts <h2> Deep Dive: ICS/OT Attack Surface Expansion </h2> Five ICS advisories published on April 23 expand the attack surface relevant to Iranian operations: <table> <thead> <tr> <th> Advisory </th> <th> Product </th> <th> Impact </th> <th> Iran Relevance </th> </tr> </thead> <tbody> <tr> <td> ICSA-26-113-05 </td> <td> Hangzhou Xiongmai XM530 IP Camera </td> <td> Authentication bypass, remote access </td> <td> HIGH — Iranian actors use IP cameras for battlefield damage assessment surveillance </td> </tr> <tr> <td> ICSA-26-113-03 </td> <td> Milesight Cameras </td> <td> Device crash or RCE </td> <td> HIGH — Same BDA surveillance vector </td> </tr> <tr> <td> ICSA-26-113-06 </td> <td> Intrado 911 Emergency Gateway </td> <td> Read/modify/delete files </td> <td> CRITICAL — 911 disruption is a logical escalation target for Iranian proxies </td> </tr> <tr> <td> ICSA-26-113-02 </td> <td> Carlson Software VASCO-B GNSS Receiver </td> <td> Alter critical system functions </td> <td> MODERATE — Positioning/navigation disruption </td> </tr> <tr> <td> ICSA-26-113-01 </td> <td> Yadea T5 Electric Bicycle </td> <td> Remote unlock/start </td> <td> LOW — Limited strategic relevance </td> </tr> </tbody> </table> The Intrado 911 Emergency Gateway vulnerability introduces an entirely new critical infrastructure category into the Iranian threat matrix. Disrupting emergency dispatch during a conflict — or as a coercive signal during ceasefire negotiations — would be a high-impact, low-technical-barrier operation for groups like Cyber Av3ngers or Ababil of Minab. Additionally, CVE-2024-7399 (CVSS 8.8) was added to CISA’s Known Exploited Vulnerabilities catalog on April 24. This Samsung MagicINFO 9 Server vulnerability allows arbitrary file write as system authority. Samsung MagicINFO manages digital signage in government buildings, airports, hospitals, and military facilities — making it both a network pivot point and a defacement vector (ATT&CK T1491.002) for Iranian information operations. <h2> The Silence That Should Keep You Up at Night </h2> Intelligence analysis isn’t just about what you find — it’s about what you don’t find. Four critical absences define this cycle: <ol> <li> No wiper deployments in 48 days. The Handala/Void Manticore wiper campaign that devastated Stryker on March 11 (200,000 endpoints) has produced no confirmed follow-on attacks. This is the longest operational pause since the conflict began. Possible explanations: operational pause matching the kinetic ceasefire, a shift to pre-positioning for the next wave, or a collection gap. None of these should be comforting. </li> <li> No Cyber Av3ngers/IOCONTROL activity in 21 days. The PLC exploitation advisory (AA26-097A) was published April 7 with no follow-on incidents. For a group with demonstrated capability against Unitronics PLCs, silence during a ceasefire may indicate pre-positioning rather than cessation. </li> <li> No defense industrial base pre-positioning detected in 48 days. This is the single most concerning gap. Iranian actors — UNC757/Pioneer Kitten, UNC1549/Imperial Kitten — have documented aerospace and DIB targeting capabilities. A GitHub-based fake resume lure campaign targeting aerospace developers remains active in threat intelligence feeds. The absence of detected pre-positioning during the most acute U.S.–Iran conflict in decades does not mean it isn’t happening. It means we can’t see it. </li> <li> Cotton Sandstorm (Emennet Pasargad) has gone quiet. This IRGC-affiliated influence operations actor was updated in threat intelligence platforms on April 27 but no new campaigns surfaced. Given their role in targeting U.S. elections and infrastructure with disinformation, silence during ceasefire negotiations is notable. </li> </ol> <h2> Predictive Analysis: What Comes Next </h2> Based on the current intelligence picture — sustained cyber operations through a fragile ceasefire, the USS Tripoli seizure signaling escalation risk, and confirmed pre-positioned access in federal networks — we assess the following: <table> <thead> <tr> <th> Scenario </th> <th> Probability </th> <th> Timeframe </th> <th> Trigger </th> </tr> </thead> <tbody> <tr> <td> Iranian cyber operations intensify if ceasefire collapses or USS Tripoli situation escalates; pre-positioned access (FIRESTARTER, dormant web shells, VPN footholds) activated within hours </td> <td> 70% </td> <td> 72 hours of trigger event </td> <td> Kinetic resumption or hostage crisis escalation </td> </tr> <tr> <td> Handala/Void Manticore conducts follow-on destructive wiper operation </td> <td> 50% </td> <td> Within 2 weeks </td> <td> 48-day gap is the longest pause since conflict began; next target likely non-U.S. allied nation or private sector </td> </tr> <tr> <td> Iranian actors adopt APT28’s OAuth proxy technique against U.S. government M365 tenants, leveraging existing SOHO router access or shared Iranian ASN infrastructure </td> <td> 40% </td> <td> 30 days </td> <td> Technique is zero-malware, MFA-bypassing, and within demonstrated Iranian capability </td> </tr> <tr> <td> Cyber Av3ngers or proxy group targets 911/emergency dispatch infrastructure </td> <td> 25% </td> <td> 30–60 days </td> <td> Intrado vulnerability disclosure + demonstrated ICS targeting capability </td> </tr> <tr> <td> Large-scale DIB data exfiltration discovered retroactively </td> <td> 35% </td> <td> Discovery within 60 days </td> <td> 48-day blind spot suggests access may already exist undetected </td> </tr> </tbody> </table> <h2> SOC Operational Guidance                       </h2> <h3> Priority Hunts </h3> Hunt 1: FIRESTARTER Persistence on Cisco ASA/FTD - Hypothesis: Cisco ASA/FTD devices in your environment may harbor FIRESTARTER implants that survived recent firmware updates. - ATT&CK: T1542.004 (Pre-OS Boot: ROMMONkit), T1556 (Modify Authentication Process) - Action: Perform memory analysis via core dumps on all Cisco ASA/FTD appliances using CISA YARA rules from MAR AR26-113A. Prioritize any device that received firmware updates since January 2026 — FIRESTARTER persists through updates, so a “patched” device may still be compromised. - Detection: Monitor for unexpected outbound connections from firewall management interfaces; alert on authentication process modifications or unauthorized ROMMON changes. Hunt 2: OAuth Token Theft via DNS Hijack - Hypothesis: SOHO routers in your network perimeter or remote worker environments have been compromised to redirect Microsoft OAuth endpoints to transparent proxies. - ATT&CK: T1557.002 (ARP Cache Poisoning — DNS redirect variant), T1528 (Steal Application Access Token), T1078.004 (Valid Accounts: Cloud Accounts) - Action: Audit DNS settings on all TP-Link and MikroTik routers. Query Entra ID sign-in logs for OAuth token issuances from unexpected geographic origins — particularly Iranian ASN ranges (213790, 44208). Review M365 Unified Audit Logs for refresh token usage patterns inconsistent with user behavior. - Detection: Alert on login.microsoftonline[.]com or login.live[.]com resolution to non-Microsoft IP ranges. Monitor for OAuth token issuance where the network path includes known-compromised ASNs. Hunt 3: IOCONTROL C2 Beaconing in OT Networks - Hypothesis: Cyber Av3ngers may have pre-positioned IOCONTROL malware on Unitronics or Modicon PLCs in water/energy environments, with C2 channels dormant during the ceasefire. - ATT&CK: T1071 (Application Layer Protocol), T1190 (Exploit Public-Facing Application) - Action: Monitor Modbus/TCP (port 502) and DNP3 (port 20000) traffic from SCADA networks for anomalous outbound connections. Cross-reference with IOCs from CISA AA26-097A. - Detection: Baseline normal PLC communication patterns; alert on any PLC-initiated outbound connection to internet-routable IP addresses. Hunt 4: DIB Pre-Positioning (Highest Priority Gap) - Hypothesis: Iranian actors (UNC757/Pioneer Kitten, UNC1549/Imperial Kitten) have established dormant access in defense industrial base networks via VPN exploitation or developer-targeted social engineering. - ATT&CK: T1190 (Exploit Public-Facing Application), T1133 (External Remote Services), T1078 (Valid Accounts) - Action: Search for Rclone and Wasabi exfiltration patterns in VPN and proxy logs. Scan for dormant web shells on internet-facing Citrix, Fortinet, and Ivanti appliances. Check developer workstations for artifacts from GitHub-hosted fake resume lure campaigns. - Detection: Alert on Rclone process execution, Wasabi S3 endpoint connections, and new SSH keys added to Citrix/Fortinet management interfaces. <h3> Blocking Guidance </h3> Implement blocks for the following verified IOCs at your perimeter, DNS, and SIEM: <table> <thead> <tr> <th> Type </th> <th> Value </th> <th> Context </th> </tr> </thead> <tbody> <tr> <td> IPv4 </td> <td> 185.93.89[.]147 </td> <td> APT28 C2 on Iranian ASN 213790 (confidence 91) </td> </tr> <tr> <td> IPv4 </td> <td> 192.253.248[.]180 </td> <td> APT28 C2 on Iranian ASN 213790 (confidence 90) </td> </tr> <tr> <td> IPv4 </td> <td> 185.93.89[.]43 </td> <td> APT28 C2 on Iranian ASN 213790 (confidence 93) </td> </tr> <tr> <td> IPv4 </td> <td> 176.46.152[.]46 </td> <td> Transparent-Tribe on Iranian ASN 44208 (confidence 91) </td> </tr> </tbody> </table> Additional IOCs for the campaigns discussed in this report — including FIRESTARTER indicators, IOCONTROL C2 infrastructure, and Pioneer Kitten VPN exploitation artifacts — are available through Anomali ThreatStream Next-Gen and partner feeds. CISA MAR AR26-113A contains YARA rules and additional indicators for FIRESTARTER that should be operationalized immediately. <h3> Key Detection Rules to Deploy </h3> <table> <thead> <tr> <th> Rule </th> <th> ATT&CK </th> <th> Data Source </th> </tr> </thead> <tbody> <tr> <td> Cisco ASA/FTD unexpected outbound from mgmt interface </td> <td> T1071, T1542.004 </td> <td> Firewall logs, NetFlow </td> </tr> <tr> <td> SNMP v2 authentication on SOHO routers from non-management IPs </td> <td> T1557.002 </td> <td> Network monitoring </td> </tr> <tr> <td> OAuth token issuance from Iranian ASN ranges </td> <td> T1528, T1078.004 </td> <td> Entra ID sign-in logs </td> </tr> <tr> <td> DNS resolution of Microsoft OAuth endpoints to non-Microsoft IPs </td> <td> T1557.002 </td> <td> DNS logs, Sysmon Event ID 22 </td> </tr> <tr> <td> Rclone process execution or Wasabi S3 endpoint connections </td> <td> T1567.002 </td> <td> EDR, proxy logs </td> </tr> <tr> <td> PLC-initiated outbound internet connections on ports 502/20000 </td> <td> T1071 </td> <td> OT network monitoring </td> </tr> <tr> <td> Samsung MagicINFO arbitrary file write attempts </td> <td> T1190, T1059 </td> <td> Application logs, EDR </td> </tr> <tr> <td> IP camera firmware update or config change from non-management source </td> <td> T1190, T1110.003 </td> <td> Network monitoring, device logs </td> </tr> </tbody> </table> <h2> Sector-Specific Defensive Priorities </h2> <h3> Financial Services </h3> Iranian actor UNC757/Pioneer Kitten explicitly targets financial services across 11 countries and has a documented history of ransomware-as-a-service handoffs (Pay2Key). The APT28 OAuth token theft technique is directly relevant to financial institutions with large M365 deployments and remote workforces using SOHO routers. <ul> <li> Priority: Audit all M365 refresh token lifetimes; reduce to 24-hour maximum for privileged accounts. Deploy Conditional Access policies requiring compliant devices for financial system access. </li> <li> Priority: Hunt for Rclone/Wasabi exfiltration patterns in DLP logs — Pioneer Kitten’s preferred data staging method. </li> <li> Priority: Verify that SWIFT and core banking systems are network-segmented from any environment accessible via VPN or SOHO router paths. </li> </ul> <h3> Energy </h3> Energy is a primary target for both IRGC-affiliated actors (Cyber Av3ngers targeting PLCs, APT33 targeting energy infrastructure) and MOIS actors (APT34/OilRig with deep energy sector expertise, UNC3890 updated April 28 with energy targeting). CISA AA26-097A specifically warns of PLC exploitation in energy environments. <ul> <li> Priority: Immediately audit all Unitronics and Modicon PLCs for default credentials and unauthorized configuration changes. Deploy monitoring on Modbus/TCP (502) and DNP3 (20000) for anomalous traffic. </li> <li> Priority: Segment OT networks from IT with unidirectional gateways where possible. Ensure no SCADA system has a direct internet-routable path. </li> <li> Priority: Inventory all IP cameras (especially Xiongmai XM530 and Milesight models) on facility networks; these are documented Iranian BDA collection vectors. Isolate on dedicated VLANs. </li> </ul> <h3> Healthcare </h3> UNC3890 (updated April 28) and UNC757/Pioneer Kitten both explicitly target healthcare. The Stryker wiper attack (March 11, 200K endpoints) demonstrated that Iranian actors will conduct destructive operations against healthcare-adjacent targets without hesitation. <ul> <li> Priority: Ensure offline, immutable backups of electronic health record systems and medical device management platforms. Test restoration procedures. </li> <li> Priority: Audit all Citrix, Fortinet, and Ivanti VPN appliances for Pioneer Kitten exploitation indicators — this actor brokers initial access to ransomware operators. </li> <li> Priority: Review Samsung MagicINFO deployments in hospital digital signage systems; patch to version 21.1050+ immediately (CVE-2024-7399). </li> </ul> <h3> Government (Federal, State, Local) </h3> The FIRESTARTER FCEB compromise is a direct hit on this sector. CISA’s MAR confirms that a federal agency’s Cisco ASA device was backdoored with firmware-persistent malware. The Intrado 911 Emergency Gateway vulnerability (ICSA-26-113-06) threatens state and local emergency services. <ul> <li> Priority: Execute CISA YARA-based memory analysis on every Cisco ASA/FTD device in the environment. Do not rely on firmware updates alone — FIRESTARTER survives them. </li> <li> Priority: Coordinate with 911/PSAP operators on Intrado EGW vulnerability remediation. Assess whether emergency dispatch systems are accessible from internet-facing networks. </li> <li> Priority: Disable SNMP v2 on all network equipment. The APT28 OAuth technique exploits default SNMP credentials on commodity routers — government telework environments with SOHO routers are directly exposed. </li> <li> Priority: Revoke and reissue all M365 OAuth refresh tokens for government tenants; implement 24-hour token lifetime policies. </li> </ul> <h3> Aviation & Logistics </h3> UNC1549/Imperial Kitten resumed aerospace and defense industrial base targeting via malicious GitHub repositories on April 22–23. UNC757/Pioneer Kitten targets 11 countries with known aerospace interest. The 48-day intelligence gap on DIB pre-positioning is most consequential for this sector. <ul> <li> Priority: Brief all software developers and engineers on the GitHub fake resume lure campaign — verify all coding challenge repositories before execution on any corporate or development system. </li> <li> Priority: Conduct targeted threat hunt for dormant web shells on internet-facing Citrix/Fortinet/Ivanti appliances. Pioneer Kitten’s primary initial access method is VPN exploitation. </li> <li> Priority: Audit all GitHub repository access from corporate networks; alert on cloning of repositories from unknown or recently created accounts. </li> <li> Priority: Review supply chain access — Iranian actors have demonstrated MSP/supply-chain targeting (ConnectWise campaigns, April 20–25). Verify that third-party remote access tools are inventoried and monitored. </li> </ul> <h2> Prioritized Defense Recommendations </h2> <h3> IMMEDIATE (Within 24 Hours) </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Block APT28 C2 IPs at perimeter: 185.93.89[.]147, 192.253.248[.]180, 185.93.89[.]43, 176.46.152[.]46. Hunt for historical connections in firewall logs since January 2026. </td> <td> SOC </td> <td> Russian-Iranian infrastructure convergence; OAuth token theft campaign </td> </tr> <tr> <td> Perform memory analysis on ALL Cisco ASA/FTD devices using CISA YARA rules from AR26-113A. Prioritize devices updated since January 2026. </td> <td> SOC / Network Ops </td> <td> FIRESTARTER persists through firmware updates; FCEB agency confirmed compromised </td> </tr> <tr> <td> Disable SNMP v2 on all TP-Link and MikroTik SOHO routers. Verify DHCP DNS settings point to known-good resolvers. Upgrade to SNMP v3 with authentication if monitoring is required. </td> <td> IT Ops </td> <td> APT28 OAuth proxy technique exploits default SNMP credentials; technique transferable to Iranian actors </td> </tr> <tr> <td> Brief executive leadership and IR team on ceasefire fragility: the USS Tripoli seizure signals potential kinetic resumption, which would trigger activation of pre-positioned cyber access within hours. </td> <td> CISO </td> <td> 70% probability of cyber intensification if ceasefire collapses </td> </tr> </tbody> </table> <h3> 7-DAY </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Deploy Entra ID Conditional Access policy requiring re-authentication every 24 hours for sensitive access. Revoke all M365 refresh tokens for tenants accessible via SOHO router networks. Audit OAuth token issuance logs for anomalous geographic origins since January 2026. </td> <td> SOC / Identity Team </td> <td> OAuth tokens valid 60–90 days on default settings; APT28 technique bypasses MFA </td> </tr> <tr> <td> Patch Samsung MagicINFO 9 Server to version 21.1050+ on all digital signage systems. Inventory all MagicINFO deployments in government, military, airport, and hospital facilities. </td> <td> IT Ops </td> <td> CVE-2024-7399 (CVSS 8.8) actively exploited; digital signage is both pivot point and defacement vector </td> </tr> <tr> <td> Inventory all Xiongmai XM530 and Milesight IP cameras. Apply firmware updates per ICSA-26-113-05 and ICSA-26-113-03. Segment camera VLANs from corporate networks with ACLs blocking lateral movement. </td> <td> IT Ops / Physical Security </td> <td> Iranian actors use IP cameras for BDA surveillance collection </td> </tr> <tr> <td> Create detection rules for IOCONTROL C2 beaconing on Modbus/TCP (port 502) and DNP3 (port 20000) from water/energy SCADA networks. Cross-reference with CISA AA26-097A indicators. </td> <td> SOC / OT Security </td> <td> Cyber Av3ngers PLC exploitation capability; 21-day silence may indicate pre-positioning </td> </tr> <tr> <td> Tabletop exercise: simulate ceasefire collapse scenario with cyber activation of pre-positioned access across edge devices, cloud tenants, and OT networks simultaneously. </td> <td> CISO / IR Team </td> <td> Validate IR playbooks against the specific threat picture; identify coordination gaps </td> </tr> </tbody> </table> <h3> 30-DAY </h3> <table> <thead> <tr> <th> Action </th> <th> Owner </th> <th> Rationale </th> </tr> </thead> <tbody> <tr> <td> Commission dedicated threat hunt for DIB pre-positioning: (a) Rclone/Wasabi exfiltration patterns, (b) dormant web shells on internet-facing servers, (c) GitHub fake resume lure artifacts on developer workstations, (d) UNC757/Pioneer Kitten VPN exploitation indicators on Citrix/Fortinet/Ivanti appliances. </td> <td> CISO / Threat Hunt Team </td> <td> 48-day blind spot on DIB pre-positioning during active conflict is the highest-risk intelligence gap </td> </tr> <tr> <td> Evaluate adding 911/PSAP and emergency dispatch infrastructure to critical asset inventory. Coordinate with emergency services partners on Intrado EGW vulnerability remediation (ICSA-26-113-06). </td> <td> CISO / GRC </td> <td> New critical infrastructure category in Iranian threat matrix; logical escalation target </td> </tr> <tr> <td> Conduct full edge device audit: every Cisco ASA/FTD, Citrix ADC, Fortinet FortiGate, and Ivanti Connect Secure appliance should undergo memory forensics — not just patch verification. Establish quarterly memory analysis cadence. </td> <td> IT Ops / Security Engineering </td> <td> FIRESTARTER’s persistence-through-update capability invalidates patch-and-forget remediation for the entire edge device fleet </td> </tr> <tr> <td> Review and harden all MSP/supply-chain remote access: inventory ConnectWise, TeamViewer, AnyDesk, and similar tools; enforce MFA and session recording; restrict to named IP ranges where possible. </td> <td> IT Ops / Vendor Management </td> <td> Iranian-backed supply-chain targeting activity observed against MSP infrastructure (ConnectWise) in late April </td> </tr> </tbody> </table> <h2> The Bottom Line                               </h2> We are in Quadrant 2 of this conflict: kinetic pause, cyber active. Every major intelligence source confirms that Iranian cyber operations have not stood down despite the ceasefire. The seizure of USS Tripoli and U.S. Marines signals that the kinetic pause itself is fragile. The Iranian attack model during this conflict has been consistent: stolen credentials and legitimate tooling abuse over custom malware . This makes identity security — OAuth token management, MFA enforcement, credential hygiene, and Conditional Access policies — the single most important defensive investment you can make right now. But the technical threat is only half the picture. The 48-day silence on defense industrial base pre-positioning is not reassuring — it is alarming. Iranian pre-positioning is designed to be invisible until activation. If the ceasefire collapses, the access is already there. The question is whether you’ll find it before it’s used. Don’t wait for the next Stryker. Hunt now.

FEATURED RESOURCES

April 28, 2026

Anomali Cyber Watch