<p> <strong> Threat Assessment Level: HIGH </strong>
</p>
<p> <em> Elevated from ELEVATED (prior assessment, 28 April 2026). Justification: Two new CISA Known Exploited Vulnerabilities (KEV) entries directly targeting state government infrastructure; confirmed APT28 exploitation of a zero-click Windows credential theft vulnerability; Qilin ransomware's EDR-killing capability promoted to high confidence with multi-source validation; and new Sandworm persistence tradecraft specifically designed to evade standard government network defenses. </em>
</p>
<h2> <strong> Introduction </strong>
</h2>
<p> State government IT leaders face a convergence of threats this week that demands immediate executive attention. Russia's APT28 is actively exploiting a Windows vulnerability that steals credentials without any user interaction. China-linked operators are weaponizing a remote management tool — ConnectWise ScreenConnect — that many state agencies and their managed service providers rely on daily. Russia's Sandworm group has unveiled a new persistence technique that tunnels through Tor to maintain hidden access to government networks. And the Qilin ransomware operation has deployed a capability that can disable more than 300 endpoint security products.
</p>
<p> This is not a theoretical risk briefing. These are active campaigns, confirmed by CISA, Microsoft, Cisco Talos, and Europol — all converging in the same operational window. If your agency has unpatched Windows systems, ConnectWise ScreenConnect deployments, or relies solely on endpoint detection and response (EDR) as your last line of defense, you are exposed right now.
</p>
<h2> <strong> What Changed </strong>
</h2>
<p> The past 72 hours brought a sharp escalation in both the volume and severity of threats relevant to state government networks:
</p>
<ul> <li> <strong> 27–28 April: </strong> Microsoft confirmed active exploitation of <strong> CVE-2026-32202 </strong> , a Windows Shell vulnerability enabling zero-click NTLM credential theft. CISA added it to the KEV catalog on 28 April. <strong> APT28 (Fancy Bear) </strong> , Russia's GRU-affiliated threat actor, is the confirmed operator. </li> <li> <strong> 28 April: </strong> CISA simultaneously added <strong> CVE-2024-1708 </strong> , a ConnectWise ScreenConnect path traversal flaw, to the KEV catalog. Microsoft attributed exploitation to <strong> Storm-1175 </strong> (China-linked), which is deploying <strong> Medusa ransomware </strong> through compromised MSP infrastructure. The federal patch deadline is <strong> 12 May 2026 </strong> . </li> <li> <strong> 28 April: </strong> CISA published ICS Advisory ICSA-26-118-01 for <strong> CVE-2026-6807 </strong> , an XML External Entity (XXE) vulnerability in <strong> NSA GRASSMARLIN v3.2.1 </strong> , an open-source ICS/OT network mapping tool used by some state agencies for critical infrastructure visibility. </li> <li> <strong> Late April: </strong> 360 Advanced Threat Research Institute published analysis of <strong> Sandworm (APT44) </strong> deploying dual-layer SSH-over-Tor tunnels for persistent hidden access to government and energy networks — a significant evolution in Russian persistence tradecraft. </li> <li> <strong> April 2026: </strong> Cisco Talos published detailed analysis of <strong> Qilin ransomware's </strong> EDR killer module — a trojanized DLL using Bring Your Own Vulnerable Driver (BYOVD) techniques to terminate <strong> 300+ endpoint security products </strong> before encrypting systems. </li> <li> <strong> Ongoing: </strong> An active phishing campaign spoofing IRS taxpayer alerts is delivering <strong> ConnectWise ScreenConnect RAT </strong> to U.S. targets, creating a second distinct attack vector through the same remote access tool. 
</li> <li> <strong> Ongoing: </strong> <strong> CVE-2026-42208 </strong> (CVSS 9.3), a pre-authentication SQL injection in <strong> LiteLLM </strong> AI proxy software, was weaponized within 36 hours of disclosure. State agencies piloting AI tools using LiteLLM-style proxies face credential exposure across multiple cloud AI providers. </li> <li> <strong> 23 April: </strong> CISA confirmed <strong> Volt Typhoon </strong> and <strong> Flax Typhoon </strong> (China/PLA-MSS and Integrity Technology Group/MSS) pre-positioning in U.S. critical infrastructure remains active and unresolved — Chinese actors may already hold persistent access to state network infrastructure. </li>
</ul>
<h2> <strong> Threat Timeline </strong>
</h2>
<table> <thead> <tr> <th> <p> Date </p> </th> <th> <p> Event </p> </th> <th> <p> Actor / Source </p> </th> <th> <p> Impact to State Government </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Dec 2025 – Present </p> </td> <td> <p> APT28 campaign exploiting NTLM credential theft via LNK files </p> </td> <td> <p> APT28 / Fancy Bear (Russia/GRU) </p> </td> <td> <p> Zero-click credential theft on all unpatched Windows systems </p> </td> </tr> <tr> <td> <p> Feb 2026 </p> </td> <td> <p> Microsoft patches CVE-2026-21510 (incomplete fix) </p> </td> <td> <p> Microsoft </p> </td> <td> <p> Patch proved insufficient; residual vulnerability remained </p> </td> </tr> <tr> <td> <p> 2 Apr 2026 </p> </td> <td> <p> Cisco Talos publishes Qilin EDR killer analysis </p> </td> <td> <p> Qilin / WARLOCK SPIDER </p> </td> <td> <p> EDR products across state agencies can be disabled pre-encryption </p> </td> </tr> <tr> <td> <p> 6 Apr 2026 </p> </td> <td> <p> Security Arsenal confirms Qilin BYOVD technique </p> </td> <td> <p> Independent corroboration </p> </td> <td> <p> High-confidence threat to endpoint protection </p> </td> </tr> <tr> <td> <p> 7 Apr 2026 </p> </td> <td> <p> CISA Iranian PLC advisory (aa26-097a) issued </p> </td> <td> <p> CISA </p> </td> <td> <p> State-managed water/wastewater SCADA systems at risk </p> </td> </tr> <tr> <td> <p> 23 Apr 2026 </p> </td> <td> <p> CISA joint advisory: Volt Typhoon & Flax Typhoon pre-positioning </p> </td> <td> <p> China / PLA-MSS </p> </td> <td> <p> Confirmed Chinese pre-positioning in U.S. 
critical infrastructure </p> </td> </tr> <tr> <td> <p> 24 Apr 2026 </p> </td> <td> <p> CISA adds CVE-2024-7399 (Samsung MagicINFO) to KEV </p> </td> <td> <p> CISA </p> </td> <td> <p> Digital signage and display systems in government facilities </p> </td> </tr> <tr> <td> <p> 24 Apr 2026 </p> </td> <td> <p> Mandiant publishes UNC6692 SNOW malware framework analysis </p> </td> <td> <p> UNC6692 </p> </td> <td> <p> Senior employees targeted via Microsoft Teams impersonation </p> </td> </tr> <tr> <td> <p> 27 Apr 2026 </p> </td> <td> <p> Microsoft confirms active exploitation of CVE-2026-32202 </p> </td> <td> <p> APT28 (Russia/GRU) </p> </td> <td> <p> All unpatched Windows endpoints exposed </p> </td> </tr> <tr> <td> <p> 28 Apr 2026 </p> </td> <td> <p> CISA adds CVE-2026-32202 and CVE-2024-1708 to KEV </p> </td> <td> <p> CISA </p> </td> <td> <p> Emergency patching required; federal deadline 12 May </p> </td> </tr> <tr> <td> <p> 28 Apr 2026 </p> </td> <td> <p> CISA ICS Advisory for GRASSMARLIN CVE-2026-6807 </p> </td> <td> <p> CISA </p> </td> <td> <p> OT network mapping tool compromised </p> </td> </tr> <tr> <td> <p> Late Apr 2026 </p> </td> <td> <p> Sandworm SSH-over-Tor persistence campaign published </p> </td> <td> <p> Sandworm / APT44 (Russia/GRU) </p> </td> <td> <p> New evasion technique targeting government networks </p> </td> </tr> <tr> <td> <p> Apr 2026 </p> </td> <td> <p> Europol IOCTA 2026: 22% increase in ransomware leak-site posts </p> </td> <td> <p> Europol </p> </td> <td> <p> 2,638 victims posted in Q1 2026; government in target set </p> </td> </tr> <tr> <td> <p> Apr 2026 </p> </td> <td> <p> LiteLLM CVE-2026-42208 exploited within 36 hours </p> </td> <td> <p> Unknown </p> </td> <td> <p> AI proxy infrastructure exposing cloud API keys </p> </td> </tr> <tr> <td> <p> Ongoing </p> </td> <td> <p> IRS-spoofing ConnectWise RAT phishing campaign </p> </td> <td> <p> Unknown (criminal) </p> </td> <td> <p> State employees targeted with tax-themed lures </p> </td> </tr> 
</tbody>
</table>
<h2> <strong> Key Threat Analysis </strong>
</h2>
<h3> <strong> 1. APT28 Zero-Click NTLM Credential Theft (CVE-2026-32202) </strong>
</h3>
<p> <strong> Actor: </strong> APT28 / Fancy Bear / Forest Blizzard — Russia's GRU Unit 26165
</p>
<p> This is the most immediately dangerous threat in today's landscape. CVE-2026-32202 is an incomplete patch for CVE-2026-21510 (February 2026). The attack is devastatingly simple: a malicious .LNK shortcut file containing a UNC path is delivered via spearphishing. When a user merely <em> browses to the folder </em> containing the file — no click required — Windows automatically attempts NTLM authentication to the attacker-controlled server, transmitting the user's credential hash.
</p>
<p> For state government environments, this is particularly dangerous because:
</p>
<ul> <li> <strong> NTLM remains widely deployed </strong> in legacy state applications, inter-agency authentication, and older Active Directory configurations </li> <li> <strong> Domain-joined Windows endpoints </strong> are the standard across state agencies </li> <li> <strong> The attack requires zero user interaction </strong> beyond navigating to a folder — no macro, no executable, no "Enable Content" prompt </li>
</ul>
<p> APT28 has been running this campaign against government targets since December 2025, initially focused on Ukraine and EU governments. The technique is trivial to replicate once understood, meaning secondary actors will adopt it rapidly.
</p>
<p> <strong> Key CVEs: </strong> CVE-2026-32202, CVE-2026-21510, CVE-2026-21513
</p>
<h3> <strong> 2. ConnectWise ScreenConnect: Two Attack Vectors, One Tool </strong>
</h3>
<p> <strong> Actors: </strong> Storm-1175 (China-linked) deploying Medusa ransomware; unknown criminal operators running IRS phishing
</p>
<p> ConnectWise ScreenConnect appeared in <strong> two separate threat streams </strong> on the same day — a rare and concerning convergence:
</p>
<p> <strong> Vector 1 — Nation-State Ransomware: </strong> CISA added CVE-2024-1708 (path traversal, CVSS 8.4) to the KEV catalog. This vulnerability chains with CVE-2024-1709 (authentication bypass, CVSS 10.0). Microsoft attributed exploitation to Storm-1175, a China-based group deploying Medusa ransomware through compromised ScreenConnect instances. For state agencies that rely on MSPs using ConnectWise, this is a direct supply chain threat.
</p>
<p> <strong> Vector 2 — Phishing RAT Delivery: </strong> A separate campaign uses IRS taxpayer alert lures ("IRS Taxpayer Alert: alert notice," "IRS Taxpayer Alert: submission notice") to deliver ScreenConnect client MSI installers. Because ScreenConnect is a legitimate remote management tool, it may be whitelisted in many state environments — creating a critical detection blind spot.
</p>
<p> <strong> Key CVEs: </strong> CVE-2024-1708, CVE-2024-1709
</p>
<h3> <strong> 3. Sandworm's SSH-over-Tor Persistence — A New Evasion Paradigm </strong>
</h3>
<p> <strong> Actor: </strong> Sandworm / APT44 / FROZENBARENTS — Russia's GRU Unit 74455
</p>
<p> Sandworm has deployed a sophisticated persistence mechanism that chains SSH tunneling with Tor onion routing and obfs4 traffic shaping. The attack begins with a spearphishing ZIP containing a malicious LNK file. Once executed, the malware:
</p>
<ul> <li> Installs persistence via <strong> scheduled tasks masquerading as legitimate applications </strong> (OperaGX, Dropbox, Safari, OBS Studio) </li> <li> Maps critical internal ports — <strong> SMB (445) and RDP (3389) </strong> — to .onion addresses </li> <li> Uses <strong> obfs4 pluggable transports </strong> to make Tor traffic appear as normal HTTPS </li>
</ul>
<p> This technique defeats signature-based detection, protocol-based detection, and most standard firewall configurations. The targets documented so far are government agencies, energy companies, and diplomatic departments.
</p>
<h3> <strong> 4. Qilin Ransomware EDR Killer — Your Endpoint Protection May Not Protect You </strong>
</h3>
<p> <strong> Actor: </strong> Qilin / WARLOCK SPIDER (Ransomware-as-a-Service)
</p>
<p> Cisco Talos and Security Arsenal independently confirmed that Qilin ransomware deploys a trojanized msimg32.dll that uses BYOVD (Bring Your Own Vulnerable Driver) techniques to <strong> terminate more than 300 EDR and antivirus products </strong> before beginning encryption. This includes major vendors that state agencies commonly deploy.
</p>
<p> Combined with Europol's IOCTA 2026 report documenting a <strong> 22% increase in ransomware leak-site postings </strong> (2,638 victims in Q1 2026 alone) and government explicitly listed in Qilin's target set, this represents a material escalation in ransomware capability against state networks.
</p>
<p> Additional ransomware groups actively targeting government: <strong> Nightspire, Rhysida, Play, APT73, Medusa, LockBit5. </strong>
</p>
<h3> <strong> 5. AI Infrastructure as a New Attack Surface (CVE-2026-42208) </strong>
</h3>
<p> State agencies are increasingly deploying AI proxy tools like LiteLLM to centralize access to large language model APIs. CVE-2026-42208 (CVSS 9.3) is a <strong> pre-authentication SQL injection </strong> that was exploited in the wild within 36 hours of disclosure. Attacker IPs 65.111.27[.]132 and 65.111.25[.]67 were observed conducting exploitation.
</p>
<p> The critical risk: LiteLLM-style proxies aggregate API keys for multiple cloud AI providers (OpenAI, Anthropic, AWS Bedrock) in a single database. A single SQL injection exposes credentials across all connected services simultaneously — a credential concentration risk that most state agencies have not yet accounted for in their security architectures.
</p>
<h3> <strong> 6. Persistent Nation-State Pre-Positioning </strong>
</h3>
<p> The CISA joint advisory of 23 April confirmed that <strong> Volt Typhoon </strong> and <strong> Flax Typhoon </strong> (China/PLA-MSS and Integrity Technology Group/MSS) pre-positioning in U.S. critical infrastructure remains active and unresolved. An <strong> Iranian espionage campaign </strong> with escalation risk to U.S. state targets (CISA advisory aa26-097a, 7 April) continues, particularly threatening state-managed water and wastewater systems.
</p>
<p> <strong> Notable absence: </strong> Salt Typhoon activity was expected following the 23 April advisory on China-nexus compromised device networks but has not been observed. This silence should not be interpreted as safety — it may indicate operational security improvements by the actor or gaps in current collection.
</p>
<h2> <strong> Predictive Analysis </strong>
</h2>
<table> <thead> <tr> <th> <p> Scenario </p> </th> <th> <p> Probability </p> </th> <th> <p> Timeframe </p> </th> <th> <p> Basis </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional actors beyond APT28 exploit CVE-2026-32202 for NTLM credential theft </p> </td> <td> <p> <strong> HIGH (>70%) </strong> </p> </td> <td> <p> 7–14 days </p> </td> <td> <p> Technique is trivial (LNK + UNC path); PoC is effectively public through the advisory details </p> </td> </tr> <tr> <td> <p> Qilin or affiliated ransomware operators target a U.S. state/local government entity using the EDR killer chain </p> </td> <td> <p> <strong> MODERATE (40–60%) </strong> </p> </td> <td> <p> 14–30 days </p> </td> <td> <p> 22% increase in leak-site activity; government in target set; EDR killer removes primary defensive barrier </p> </td> </tr> <tr> <td> <p> SLSH alliance (Scattered Spider + ShinyHunters + LAPSUS$) attempts social engineering against a government IT helpdesk </p> </td> <td> <p> <strong> MODERATE (40–60%) </strong> </p> </td> <td> <p> 30 days </p> </td> <td> <p> Europol-documented alliance formation (Aug 2025); SIM swapping and insider recruitment TTPs align with helpdesk targeting </p> </td> </tr> <tr> <td> <p> Secondary actors weaponize ConnectWise ScreenConnect CVE chain for ransomware delivery via MSPs </p> </td> <td> <p> <strong> MODERATE-HIGH (50–70%) </strong> </p> </td> <td> <p> 7–21 days </p> </td> <td> <p> KEV listing confirms active exploitation; MSP supply chain is a proven ransomware delivery mechanism </p> </td> </tr> <tr> <td> <p> Sandworm SSH-over-Tor technique observed targeting U.S. state government specifically </p> </td> <td> <p> <strong> LOW (<30%) </strong> </p> </td> <td> <p> 30–60 days </p> </td> <td> <p> Current targeting focused on Eastern European/diplomatic targets; U.S. state government not yet in observed victimology </p> </td> </tr> </tbody>
</table>
<h2> <strong> SOC Operational Guidance </strong>
</h2>
<h3> <strong> Priority Detection Rules </strong>
</h3>
<ol> <li> <strong> NTLM Credential Exfiltration (CVE-2026-32202) </strong> </li>
</ol>
<ul> <li> <strong> Hunt Hypothesis: </strong> Attackers are delivering LNK files with embedded UNC paths to coerce NTLM authentication to external servers. </li> <li> <strong> ATT&CK Techniques: </strong> T1187 (Forced Authentication), T1003.001 (LSASS Memory), T1557.001 (LLMNR/NBT-NS Poisoning), T1566.001 (Spearphishing Attachment), T1204.002 (Malicious File) </li> <li> <strong> Detection: </strong> Monitor for outbound SMB (TCP 445) and NTLM authentication attempts to external IP addresses. Alert on any .LNK file creation in email attachment directories or user Downloads folders containing UNC paths (\\&lt;external-IP&gt;\). Monitor Windows Security Event ID 4648 (logon with explicit credentials) for anomalous target servers. </li> <li> <strong> Block: </strong> Outbound SMB (TCP 445) at the perimeter firewall immediately. Enable SMB signing on all domain controllers. </li>
</ul>
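<p> As an added example (not part of the original briefing), the following Python triage helper applies the LNK hunt above to a quarantined shortcut's bytes: it extracts UNC hosts from both the ANSI and UTF-16LE string areas of the Shell Link format and flags IPv4 literals that fall outside the internal ranges listed in the code. The sample shortcuts, the internal-range list and the minimal header check are constructed assumptions. </p>

```python
"""Triage .LNK attachments for UNC paths that point at external hosts, the
delivery pattern behind the CVE-2026-32202 hunt above.

Added example, not from the original briefing. A shortcut can carry the path
in the ANSI LinkInfo area or in UTF-16LE string data, so the raw bytes are
scanned in both decodings (and both UTF-16 alignments). Hosts that are IPv4
literals outside the agency's internal ranges are flagged; DNS names are
reported but not classified, since resolution cannot be judged offline.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Ranges treated as internal. Add your agency's own public prefixes here.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "100.64.0.0/10",                                   # carrier-grade NAT
)]

# \\host\ ... : host is an IPv4 literal or a DNS label sequence.
_UNC_RE = re.compile(r"\\\\([A-Za-z0-9][A-Za-z0-9.\-]{0,252})\\")


@dataclass(frozen=True)
class UncHit:
    host: str
    encoding: str   # "ansi" or "utf-16le"
    external: bool  # True only for IPv4 literals outside INTERNAL_RANGES


def _decodings(blob: bytes):
    # Latin-1 maps every byte 1:1, so ANSI strings survive unchanged.
    yield "ansi", blob.decode("latin-1")
    # UTF-16LE strings may begin at an odd offset; try both alignments.
    for shift in (0, 1):
        chunk = blob[shift:]
        if len(chunk) % 2:
            chunk = chunk[:-1]
        yield "utf-16le", chunk.decode("utf-16le", errors="ignore")


def _is_external_ip(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # DNS name, not an IP literal
    return ip.version == 4 and not any(ip in net for net in INTERNAL_RANGES)


def find_unc_targets(blob: bytes) -> list[UncHit]:
    """Return de-duplicated UNC hosts found anywhere in the shortcut bytes."""
    seen, hits = set(), []
    for enc, text in _decodings(blob):
        for m in _UNC_RE.finditer(text):
            host = m.group(1)
            if (host.lower(), enc) in seen:
                continue
            seen.add((host.lower(), enc))
            hits.append(UncHit(host, enc, _is_external_ip(host)))
    return hits


def is_suspicious_lnk(blob: bytes) -> bool:
    """Shell Link header present and at least one UNC target is external."""
    is_lnk = blob[:4] == b"L\x00\x00\x00"  # HeaderSize 0x4C
    return is_lnk and any(h.external for h in find_unc_targets(blob))


def _fake_lnk(*paths: str) -> bytes:
    """Constructed sample: Shell Link header, odd-length filler (to force an
    odd UTF-16 alignment), then the UNC strings as UTF-16LE. Not a complete
    .LNK; enough to exercise the scanner."""
    body = b"\x00" * 0x49
    for p in paths:
        body += p.encode("utf-16le") + b"\x00\x00"
    return b"L\x00\x00\x00" + b"\x01\x14\x02\x00" + body


# Constructed samples: a shortcut to an internal file server, and one whose
# icon resource lives on an external host (TEST-NET-3 stands in for it).
BENIGN_LNK = _fake_lnk(r"\\10.20.30.40\share\Report.docx")
MALICIOUS_LNK = _fake_lnk(r"\\203.0.113.7\c$\icon.ico")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("malicious", MALICIOUS_LNK)):
        print(name, is_suspicious_lnk(blob), find_unc_targets(blob))
```

<p> Run it over shortcuts pulled from mail quarantine or user Downloads folders; a hit on an external IP is the trigger for the Event ID 4648 and outbound-445 review described above. </p>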
<ol start="2"> <li> <strong> Unauthorized ConnectWise ScreenConnect Installations </strong> </li>
</ol>
<ul> <li> <strong> Hunt Hypothesis: </strong> Attackers are delivering ScreenConnect MSI installers via phishing or exploiting unpatched ScreenConnect servers to deploy ransomware. </li> <li> <strong> ATT&CK Techniques: </strong> T1219 (Remote Access Software), T1190 (Exploit Public-Facing Application), T1566.002 (Spearphishing Link), T1105 (Ingress Tool Transfer) </li> <li> <strong> Detection: </strong> Alert on any ScreenConnect.ClientSetup.msi installation where the relay hostname does not match your authorized ConnectWise instance list. Specifically, flag connections to instance-udzn2c-relay[.]screenconnect[.]com — this is a confirmed malicious relay. Monitor for msiexec.exe spawning ScreenConnect processes outside of approved change windows. </li> <li> <strong> Block: </strong> Domains certifysubmited[.]com and onlinepaperfile[.]com at web proxy and email gateway. </li>
</ul>
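<p> The relay allowlist check above, written out as an added Python example (not from the briefing, ConnectWise or any MSP): it reads the relay host from the client's launch argument, compares it against the agency's authorized instances and the confirmed malicious relay, and flags installer runs outside approved change windows. The Sysmon-style records, the authorized relay and the assumption that the client receives its relay as an h= parameter in a query-style argument are all constructed. </p>

```python
"""Flag ScreenConnect client activity whose relay host is not one the
agency operates, and installer runs outside approved change windows
(the hunt described above).

Added example, not from the original briefing. Input is a list of
process-creation records in Sysmon Event ID 1 style (constructed inline).
The client is assumed to be launched with a query-style argument such as
"?e=Access&y=Guest&h=<relay>&p=443..." and the relay is read from its `h=`
parameter; confirm that format against your own telemetry before deploying.
"""
from __future__ import annotations

import re
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Relay hosts your ConnectWise instances legitimately use (constructed value).
AUTHORIZED_RELAYS = {"instance-example01-relay.screenconnect.com"}
# Confirmed malicious relay named in the briefing (defanging brackets removed).
KNOWN_BAD_RELAYS = {"instance-udzn2c-relay.screenconnect.com"}
# Approved MSP deployment windows, UTC (constructed).
APPROVED_CHANGE_WINDOWS = [
    (datetime(2026, 4, 29, 2, 0, tzinfo=timezone.utc),
     datetime(2026, 4, 29, 4, 0, tzinfo=timezone.utc)),
]


def relay_from_launch_string(cmdline: str) -> str | None:
    """Extract the relay host from the client's '?e=...&h=...' argument."""
    m = re.search(r'\?([^\s"]+)', cmdline)
    if not m:
        return None
    host = parse_qs(m.group(1)).get("h", [None])[0]
    return host.lower() if host else None


def _in_change_window(ts: datetime) -> bool:
    return any(start <= ts <= end for start, end in APPROVED_CHANGE_WINDOWS)


def classify_event(evt: dict) -> dict | None:
    """Return a finding for a suspicious record, or None when it looks benign."""
    image = evt["Image"].lower()
    cmd = evt.get("CommandLine", "")
    ts = datetime.fromisoformat(evt["UtcTime"])
    if image.endswith("\\screenconnect.clientservice.exe"):
        relay = relay_from_launch_string(cmd)
        if relay in KNOWN_BAD_RELAYS:
            return {"severity": "critical", "relay": relay,
                    "reason": "known malicious relay"}
        if relay is None:
            return {"severity": "review", "relay": None,
                    "reason": "relay host could not be parsed"}
        if relay not in AUTHORIZED_RELAYS:
            return {"severity": "high", "relay": relay,
                    "reason": "relay not on authorized instance list"}
        return None
    if image.endswith("\\msiexec.exe") and "screenconnect.clientsetup.msi" in cmd.lower():
        if not _in_change_window(ts):
            return {"severity": "medium", "relay": None,
                    "reason": "client installer run outside approved change window"}
    return None


def scan(events: list[dict]) -> list[dict]:
    findings = []
    for evt in events:
        finding = classify_event(evt)
        if finding:
            findings.append({"host": evt["Computer"], "time": evt["UtcTime"], **finding})
    return findings


# Constructed telemetry: an unscheduled install on a revenue-agency workstation
# that connects to the malicious relay, and a legitimate MSP deployment.
SAMPLE_EVENTS = [
    {"Computer": "REV-WS-0142", "UtcTime": "2026-04-29T14:07:11+00:00",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "C:\Users\jdoe\Downloads\ScreenConnect.ClientSetup.msi" /qn'},
    {"Computer": "REV-WS-0142", "UtcTime": "2026-04-29T14:07:40+00:00",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe",
     "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4)\ScreenConnect.ClientService.exe" '
                    r'"?e=Access&y=Guest&h=instance-udzn2c-relay.screenconnect.com&p=443&k=REDACTED"'},
    {"Computer": "HELPDESK-07", "UtcTime": "2026-04-29T03:09:30+00:00",
     "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'msiexec.exe /i "D:\deploy\ScreenConnect.ClientSetup.msi" /qn'},
    {"Computer": "HELPDESK-07", "UtcTime": "2026-04-29T03:10:05+00:00",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (e5f6a7b8)\ScreenConnect.ClientService.exe",
     "CommandLine": r'"C:\Program Files (x86)\ScreenConnect Client (e5f6a7b8)\ScreenConnect.ClientService.exe" '
                    r'"?e=Access&y=Guest&h=instance-example01-relay.screenconnect.com&p=443"'},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f)
```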
<ol start="3"> <li> <strong> Sandworm SSH-over-Tor Persistence </strong> </li>
</ol>
<ul> <li> <strong> Hunt Hypothesis: </strong> Attackers are establishing persistent SSH tunnels through Tor, masquerading as legitimate applications, to maintain covert access to government networks. </li> <li> <strong> ATT&CK Techniques: </strong> T1053.005 (Scheduled Task), T1036.005 (Masquerading), T1572 (Protocol Tunneling), T1090.003 (Multi-hop Proxy), T1021.001 (Remote Services: RDP), T1021.002 (Remote Services: SMB) </li> <li> <strong> Detection: </strong> Search for scheduled tasks named OperagxRepairTask or DropboxRepairTask. Hunt for executables named operagx.exe, dropbox.exe, safari.exe, or obsstudio.exe running from AppData directories. Monitor for SSH processes listening on non-standard ports (e.g., localhost:20321). Detect Tor bootstrap DNS queries and connections to known Tor directory authorities. </li> <li> <strong> Investigate: </strong> Any outbound connections on port 443 from servers that do not normally make HTTPS connections — obfs4 traffic shaping makes Tor look like HTTPS. </li>
</ul>
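<p> The three host-level indicators above (the named scheduled tasks, masquerading binaries under AppData, and SSH listening on a non-standard loopback port) as one added Python hunt over inventory records. This is an added example, not from the briefing or the cited research; the record field names and the sample inventory are constructed. </p>

```python
"""Hunt for the Sandworm persistence indicators listed above: the two named
scheduled tasks, masquerading binaries running from AppData, and SSH listening
on a non-standard loopback port.

Added example, not from the original briefing. Inputs are simple inventory
records (constructed inline) of the kind an EDR or a scheduled-task export
would yield; field names are assumptions, not a specific product's schema.
"""
from __future__ import annotations

import re

SANDWORM_TASK_NAMES = {"operagxrepairtask", "dropboxrepairtask"}
MASQUERADE_BINARIES = {"operagx.exe", "dropbox.exe", "safari.exe", "obsstudio.exe"}
_APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def check_scheduled_tasks(tasks: list[dict]) -> list[dict]:
    findings = []
    for t in tasks:
        leaf = t["TaskName"].rsplit("\\", 1)[-1].lower()
        if leaf in SANDWORM_TASK_NAMES:
            findings.append({"type": "scheduled_task", "severity": "high",
                             "detail": f"{t['TaskName']} -> {t.get('Action', '')}"})
    return findings


def check_processes(procs: list[dict]) -> list[dict]:
    findings = []
    for p in procs:
        image = p["Image"]
        if image.rsplit("\\", 1)[-1].lower() in MASQUERADE_BINARIES and _APPDATA_RE.search(image):
            # Caveat: the genuine Dropbox and Opera GX clients also install
            # under AppData, so this is a triage lead. Confirm the binary's
            # Authenticode signature and install directory before escalating.
            findings.append({"type": "masquerade_binary", "severity": "medium", "detail": image})
    return findings


def check_listeners(sockets: list[dict]) -> list[dict]:
    findings = []
    for s in sockets:
        loopback = s["LocalAddress"] in ("127.0.0.1", "::1")
        if "ssh" in s["ProcessName"].lower() and loopback and s["LocalPort"] != 22:
            findings.append({"type": "ssh_listener", "severity": "medium",
                             "detail": f"{s['ProcessName']} on {s['LocalAddress']}:{s['LocalPort']}"})
    return findings


def hunt(tasks, procs, sockets) -> list[dict]:
    return check_scheduled_tasks(tasks) + check_processes(procs) + check_listeners(sockets)


# Constructed inventory from one host: one benign entry per category beside one indicator.
SAMPLE_TASKS = [
    {"TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "Action": r"%windir%\system32\defrag.exe -c -h -o -$"},
    {"TaskName": r"\OperagxRepairTask",
     "Action": r"C:\Users\jdoe\AppData\Roaming\OperaGX\operagx.exe"},
]
SAMPLE_PROCESSES = [
    {"Image": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Program Files\Dropbox\Client\Dropbox.exe"},        # not under AppData
    {"Image": r"C:\Users\jdoe\AppData\Roaming\OperaGX\operagx.exe"},
]
SAMPLE_SOCKETS = [
    {"ProcessName": "sshd.exe", "LocalAddress": "0.0.0.0", "LocalPort": 22},
    {"ProcessName": "ssh.exe", "LocalAddress": "127.0.0.1", "LocalPort": 20321},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS, SAMPLE_PROCESSES, SAMPLE_SOCKETS):
        print(f)
```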
<ol start="4"> <li> <strong> Qilin EDR Killer (BYOVD) </strong> </li>
</ol>
<ul> <li> <strong> Hunt Hypothesis: </strong> Ransomware operators are loading vulnerable kernel drivers to terminate endpoint security products before encrypting systems. </li> <li> <strong> ATT&CK Techniques: </strong> T1562.001 (Disable or Modify Tools), T1574.001 (DLL Search Order Hijacking), T1068 (Exploitation for Privilege Escalation), T1486 (Data Encrypted for Impact) </li> <li> <strong> Detection: </strong> Monitor for loading of known vulnerable drivers (cross-reference with the LOLDrivers project). Alert on msimg32.dll loaded from non-standard paths. Detect mass termination of security service processes. Implement tamper protection and monitor for EDR agent heartbeat failures — a sudden loss of EDR telemetry from multiple endpoints is itself an indicator. </li> <li> <strong> Resilience: </strong> Ensure logging flows to a cloud-based or network-isolated SIEM that cannot be disabled by endpoint-level attacks. </li>
</ul>
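<p> Two of the detections above, the EDR heartbeat failure check and the msimg32.dll search-order hijack check, as an added Python example (not from the briefing or Cisco Talos). It treats a cluster of endpoints going silent together as the fleet-level signature of an EDR killer rather than scattered outages; the 15-minute silence threshold is the briefing's, while the cluster thresholds, sample heartbeats and image-load records are constructed. </p>

```python
"""Two detections for the Qilin EDR-killer chain described above: fleet-wide
EDR heartbeat loss (the 15-minute threshold from the 7-day actions) and
msimg32.dll being loaded from outside the Windows system directories.

Added example, not from the original briefing. Heartbeats are (host, time)
pairs and image loads are Sysmon Event ID 7 style dicts, both constructed
inline; the mass-failure thresholds are assumptions to tune per fleet.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

SILENCE_THRESHOLD = timedelta(minutes=15)    # briefing: alert after 15 minutes of silence
MASS_FAILURE_HOSTS = 3                       # assumed: this many hosts silent together
MASS_FAILURE_WINDOW = timedelta(minutes=10)  # assumed: their last heartbeats this close

# Only these directories should ever supply msimg32.dll (search-order hijack check).
LEGIT_MSIMG32_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def silent_hosts(heartbeats, now: datetime) -> dict[str, datetime]:
    """Map each host whose latest heartbeat is older than SILENCE_THRESHOLD
    to that last-seen time."""
    last_seen: dict[str, datetime] = {}
    for host, ts in heartbeats:
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return {h: ts for h, ts in last_seen.items() if now - ts > SILENCE_THRESHOLD}


def mass_failure(silent: dict[str, datetime]) -> bool:
    """True when MASS_FAILURE_HOSTS or more hosts went quiet within
    MASS_FAILURE_WINDOW of each other: the fleet-level signature of an EDR
    killer rather than scattered outages."""
    times = sorted(silent.values())
    for i, start in enumerate(times):
        count = sum(1 for t in times[i:] if t - start <= MASS_FAILURE_WINDOW)
        if count >= MASS_FAILURE_HOSTS:
            return True
    return False


def suspicious_msimg32_loads(image_loads: list[dict]) -> list[dict]:
    """Image-load records where msimg32.dll came from a non-system path."""
    hits = []
    for ev in image_loads:
        path = ev["ImageLoaded"].lower()
        if path.endswith("\\msimg32.dll") and not path.startswith(LEGIT_MSIMG32_DIRS):
            hits.append(ev)
    return hits


def _t(h: int, m: int) -> datetime:
    return datetime(2026, 4, 29, h, m, tzinfo=timezone.utc)


# Constructed heartbeats: WS-02/03/04 stop reporting within minutes of each
# other, SRV-09 has been down since morning (isolated), WS-01 is healthy.
SAMPLE_HEARTBEATS = [
    ("HLTH-WS-01", _t(10, 0)), ("HLTH-WS-01", _t(10, 28)),
    ("HLTH-WS-02", _t(9, 55)), ("HLTH-WS-02", _t(10, 2)),
    ("HLTH-WS-03", _t(9, 58)), ("HLTH-WS-03", _t(10, 4)),
    ("HLTH-WS-04", _t(10, 1)), ("HLTH-WS-04", _t(10, 6)),
    ("HLTH-SRV-09", _t(9, 0)),
]
NOW = _t(10, 30)

# Constructed image loads: the system DLL, and a copy dropped beside an executable.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Windows\System32\mspaint.exe", "ImageLoaded": r"C:\Windows\System32\msimg32.dll"},
    {"Image": r"C:\ProgramData\Update\upd.exe", "ImageLoaded": r"C:\ProgramData\Update\msimg32.dll"},
]

if __name__ == "__main__":
    quiet = silent_hosts(SAMPLE_HEARTBEATS, NOW)
    print("silent:", sorted(quiet), "mass failure:", mass_failure(quiet))
    print("msimg32 hijack candidates:", suspicious_msimg32_loads(SAMPLE_IMAGE_LOADS))
```

<p> Because the telemetry the EDR killer removes is the endpoint's own, this check only works when heartbeat records are evaluated on a SIEM the endpoint cannot reach to tamper with, as the Resilience item above requires. </p>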
<ol start="5"> <li> <strong> LiteLLM SQL Injection (CVE-2026-42208) </strong> </li>
</ol>
<ul> <li> <strong> Hunt Hypothesis: </strong> Attackers are exploiting pre-authentication SQL injection in AI proxy tools to extract cloud provider API keys. </li> <li> <strong> Detection: </strong> Monitor for connections from 65.111.27[.]132 and 65.111.25[.]67. Review web application logs for LiteLLM instances for SQL injection patterns. Audit API key usage across cloud AI providers for anomalous consumption or access from unexpected IP ranges. </li>
</ul>
<h2> <strong> Sector-Specific Defensive Priorities </strong>
</h2>
<h3> <strong> Financial Services (State Treasury, Revenue, Benefits Systems) </strong>
</h3>
<p> State treasury and revenue systems process millions of financial transactions and hold taxpayer PII — making them prime targets for both ransomware (data extortion) and credential theft (fraud).
</p>
<ul> <li> <strong> Priority 1: </strong> The IRS-themed ConnectWise RAT phishing campaign directly targets tax-related workflows. Revenue and benefits agency staff should receive immediate targeted awareness alerts about IRS-spoofing emails with subject lines containing "IRS Taxpayer Alert." </li> <li> <strong> Priority 2: </strong> CVE-2026-32202 NTLM credential theft is especially dangerous for financial systems that still use NTLM for inter-application authentication. Audit NTLM dependencies in treasury and ERP systems and enforce SMB signing immediately. </li> <li> <strong> Priority 3: </strong> Qilin and Medusa ransomware both target financial data for double extortion. Verify that financial system backups are immutable, offline, and tested for restoration within your RTO. </li>
</ul>
<h3> <strong> Energy (State-Managed Utilities, Grid Coordination) </strong>
</h3>
<p> State energy agencies coordinating with utilities and managing grid infrastructure face threats from both Sandworm (Russia) and Iranian actors.
</p>
<ul> <li> <strong> Priority 1: </strong> Sandworm's SSH-over-Tor persistence campaign explicitly targets energy companies. Implement outbound connection allowlisting on OT network segments — no server in an energy control environment should initiate arbitrary outbound connections. </li> <li> <strong> Priority 2: </strong> If your OT team uses GRASSMARLIN v3.2.1 for ICS network mapping, restrict network access to the tool immediately and monitor for XXE exploitation attempts (CVE-2026-6807). Consider isolating GRASSMARLIN to an air-gapped analysis workstation. </li> <li> <strong> Priority 3: </strong> The CISA Iranian PLC advisory (aa26-097a, 7 April) remains active. Verify that all programmable logic controllers in state-managed water treatment and power distribution systems have default credentials changed and are not exposed to the internet. </li>
</ul>
<h3> <strong> Healthcare (State Health Agencies, Medicaid Systems) </strong>
</h3>
<p> State health agencies managing Medicaid, public health surveillance, and hospital coordination are high-value ransomware targets due to the sensitivity of health data and operational urgency.
</p>
<ul> <li> <strong> Priority 1: </strong> Qilin's EDR killer capability is particularly threatening to healthcare environments where endpoint protection is often the primary security control. Implement network-level detection (NDR) as a backup detection layer and ensure SIEM logging is isolated from endpoint compromise. </li> <li> <strong> Priority 2: </strong> The SLSH alliance (Scattered Spider + ShinyHunters + LAPSUS$) has documented healthcare targeting. Brief IT helpdesk staff on social engineering tactics including SIM swapping, callback phishing, and insider recruitment attempts. </li> <li> <strong> Priority 3: </strong> Medusa ransomware (deployed via ConnectWise by Storm-1175) has historically targeted healthcare. Verify that any MSP providing services to health agencies has patched ConnectWise ScreenConnect to version 23.9.8 or later. </li>
</ul>
<h3> <strong> Government (Executive Agencies, Legislative Systems, Elections) </strong>
</h3>
<p> Core state government systems — identity management, email, Active Directory, legislative platforms — are the primary targets for nation-state espionage and the backbone that all other sectors depend on.
</p>
<ul> <li> <strong> Priority 1: </strong> CVE-2026-32202 emergency patching is non-negotiable. Every unpatched Windows endpoint in the state enterprise is a zero-click credential theft target for APT28. Prioritize domain controllers, privileged access workstations, and systems with access to sensitive data stores. </li> <li> <strong> Priority 2: </strong> Begin a 30-day NTLM deprecation assessment. CVE-2026-32202 is the third NTLM-related credential theft vector in 12 months. Identify all services and applications still requiring NTLM and develop a migration roadmap to Kerberos or certificate-based authentication. </li> <li> <strong> Priority 3: </strong> Volt Typhoon and Flax Typhoon pre-positioning (confirmed 23 April) means Chinese actors may already have persistent access to state network infrastructure. Conduct a focused hunt for anomalous network tunneling, living-off-the-land binaries (LOLBins), and dormant scheduled tasks on network appliances and edge devices. </li>
</ul>
<h3> <strong> Aviation / Logistics (State DOT, Airports, Port Authorities) </strong>
</h3>
<p> State departments of transportation, airport authorities, and port operations manage both IT and OT systems critical to public safety and commerce.
</p>
<ul> <li> <strong> Priority 1: </strong> ConnectWise ScreenConnect is widely used by MSPs supporting transportation and logistics IT. Verify all MSP-managed ScreenConnect instances are patched against CVE-2024-1708/CVE-2024-1709 — this is a direct supply chain entry point for Medusa ransomware. </li> <li> <strong> Priority 2: </strong> OT systems in transportation (traffic management, bridge controls, port SCADA) should be assessed against the Sandworm SSH-over-Tor persistence technique. Implement network segmentation that prevents any OT system from initiating outbound connections to the internet. </li> <li> <strong> Priority 3: </strong> GitHub Enterprise is increasingly used for transportation system DevOps. CVE-2026-3854 (RCE via push option injection) should be patched on any GitHub Enterprise Server instance supporting transportation or logistics applications. </li>
</ul>
<h2> <strong> Prioritized Defense Recommendations </strong>
</h2>
<h3> <strong> Immediate (Within 24 Hours) </strong>
</h3>
<table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Responsible Team </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> IMMEDIATE </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Apply April 2026 Patch Tuesday update to ALL Windows endpoints </strong> to remediate CVE-2026-32202 zero-click NTLM credential theft. APT28 is actively exploiting this vulnerability against government targets. Prioritize domain controllers and privileged access workstations. </p> </td> </tr> <tr> <td> <p> <strong> IMMEDIATE </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Verify all ConnectWise ScreenConnect instances are updated to version 23.9.8 or later </strong> to remediate CVE-2024-1708 and CVE-2024-1709. Contact all MSPs providing services to state agencies to confirm their patch status. CISA KEV deadline: 12 May 2026. </p> </td> </tr> <tr> <td> <p> <strong> IMMEDIATE </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Block domains certifysubmited[.]com, onlinepaperfile[.]com, and instance-udzn2c-relay[.]screenconnect[.]com </strong> at web proxy, DNS sinkhole, and email gateway. These are confirmed malicious infrastructure for the IRS-themed ConnectWise RAT campaign. </p> </td> </tr> <tr> <td> <p> <strong> IMMEDIATE </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Block outbound SMB (TCP 445) at the perimeter firewall </strong> to prevent NTLM hash exfiltration via CVE-2026-32202. This should be a permanent rule — there is no legitimate reason for outbound SMB to the internet. </p> </td> </tr> <tr> <td> <p> <strong> IMMEDIATE </strong> </p> </td> <td> <p> IT Operations </p> </td> <td> <p> <strong> Inventory all LiteLLM proxy instances. 
</strong> If running versions 1.81.16 through 1.83.6, update to 1.83.7 immediately and rotate ALL stored LLM provider API keys (OpenAI, Anthropic, AWS Bedrock, Azure OpenAI). </p> </td> </tr> </tbody>
</table>
<h3> <strong> 7-Day Actions </strong>
</h3>
<table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Responsible Team </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 7-DAY </strong> </p> </td> <td> <p> SOC / Identity </p> </td> <td> <p> <strong> Audit NTLM usage across the enterprise. </strong> Enable SMB signing on all domain controllers. Identify services still requiring NTLMv1 and begin migration planning. </p> </td> </tr> <tr> <td> <p> <strong> 7-DAY </strong> </p> </td> <td> <p> DevOps </p> </td> <td> <p> <strong> Update GitHub Enterprise Server </strong> to version 3.14.25, 3.15.20, 3.16.16, 3.17.13, 3.18.7, or 3.19.4+ to remediate CVE-2026-3854 (RCE via push option injection). </p> </td> </tr> <tr> <td> <p> <strong> 7-DAY </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Deploy detection rules for Sandworm persistence indicators: </strong> scheduled tasks named OperagxRepairTask or DropboxRepairTask; SSH processes running from AppData directories; executables named operagx.exe, dropbox.exe, safari.exe, or obsstudio.exe in non-standard paths. </p> </td> </tr> <tr> <td> <p> <strong> 7-DAY </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Implement EDR heartbeat monitoring. </strong> Configure alerts for any endpoint that stops reporting EDR telemetry for more than 15 minutes. Mass EDR agent failure is a primary indicator of Qilin's BYOVD EDR killer. </p> </td> </tr> <tr> <td> <p> <strong> 7-DAY </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> <strong> Deploy Sigma detection rule for unauthorized ScreenConnect MSI installations. </strong> Alert on any ScreenConnect.ClientSetup.msi execution where the relay hostname does not match the agency's authorized ConnectWise instance list. </p> </td> </tr> <tr> <td> <p> <strong> 7-DAY </strong> </p> </td> <td> <p> IT Operations / OT </p> </td> <td> <p> <strong> Assess GRASSMARLIN deployment. 
</strong> If v3.2.1 is in use, restrict network access to the tool and move to an air-gapped analysis workstation until a patched version is available (CVE-2026-6807). </p> </td> </tr> </tbody>
</table>
<h3> <strong> 30-Day Actions </strong>
</h3>
<table>
<thead>
<tr> <th> <p> Priority </p> </th> <th> <p> Responsible Team </p> </th> <th> <p> Action </p> </th> </tr>
</thead>
<tbody>
<tr> <td> <p> <strong> 30-DAY </strong> </p> </td> <td> <p> CISO / Identity </p> </td> <td> <p> <strong> Develop an NTLM deprecation roadmap. </strong> CVE-2026-32202 is the third NTLM credential theft vector in 12 months. Plan migration of remaining NTLM-dependent services to Kerberos or certificate-based authentication. Present timeline and resource requirements to CIO. </p> </td> </tr>
<tr> <td> <p> <strong> 30-DAY </strong> </p> </td> <td> <p> CISO / SOC </p> </td> <td> <p> <strong> Implement defense-in-depth beyond EDR. </strong> Qilin's ability to disable 300+ EDR products means endpoint detection alone is insufficient. Deploy or enhance network detection and response (NDR), ensure SIEM logging flows to a cloud-based or network-isolated platform that cannot be disabled by endpoint compromise, and implement identity-based anomaly detection. </p> </td> </tr>
<tr> <td> <p> <strong> 30-DAY </strong> </p> </td> <td> <p> CISO / IT Operations </p> </td> <td> <p> <strong> Conduct MSP security assessment. </strong> ConnectWise ScreenConnect appearing in both a nation-state ransomware campaign and a phishing campaign on the same day demonstrates that MSP remote access tools are simultaneously defensive assets and attack surfaces. Require all MSPs to demonstrate patch compliance, MFA enforcement, and session logging for remote access tools. </p> </td> </tr>
<tr> <td> <p> <strong> 30-DAY </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Establish AI infrastructure security standards. </strong> As state agencies pilot AI tools, require that all LLM API keys be stored in dedicated secrets management platforms (HashiCorp Vault, AWS Secrets Manager) rather than in proxy application databases. Include AI gateway/proxy tools in vulnerability management scope. </p> </td> </tr>
<tr> <td> <p> <strong> 30-DAY </strong> </p> </td> <td> <p> CISO / IR </p> </td> <td> <p> <strong> Update incident response playbooks </strong> to account for EDR-blind scenarios (Qilin BYOVD), SSH-over-Tor persistence (Sandworm), and MSP supply chain compromise (ConnectWise/Medusa). Conduct a tabletop exercise simulating a ransomware attack that begins with EDR termination. </p> </td> </tr>
<tr> <td> <p> <strong> 30-DAY </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> <strong> Commission a focused threat hunt </strong> for Volt Typhoon and Flax Typhoon pre-positioning indicators across state network infrastructure. Focus on network edge devices (firewalls, VPN concentrators, routers), dormant scheduled tasks, and anomalous living-off-the-land binary usage. </p> </td> </tr>
</tbody>
</table>
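<p> Two of the 30-day actions above, the NTLM deprecation roadmap and the SIEM logging that must survive an EDR kill, both depend on analysis that runs on the network-isolated logging platform rather than on the endpoint. The script below is an added illustration written for this brief; it is not code from CISA, Microsoft, or any vendor named here. It works on constructed sample records: normalised Windows Security event 4624 logon records (the <code> auth_pkg </code> field stands in for AuthenticationPackageName) and per-host "last seen" timestamps from the EDR agent versus every other telemetry source. Host names, account names, addresses and times are all invented. </p>

```python
"""SIEM-side checks supporting two 30-day actions (constructed sample data):
1. An NTLM dependency inventory, which is the first step of an NTLM
   deprecation roadmap (you cannot migrate what you have not enumerated).
2. An EDR telemetry-gap alert for the EDR-blind scenario: a host that keeps
   talking on the network while its EDR agent goes silent."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security 4624 records after SIEM normalisation.
# auth_pkg mirrors AuthenticationPackageName; logon_type 3 = network logon.
SAMPLE_LOGONS = [
    {"host": "FS01", "user": "svc_backup", "auth_pkg": "NTLM", "logon_type": 3, "src_ip": "10.1.5.20"},
    {"host": "FS01", "user": "jdoe", "auth_pkg": "Kerberos", "logon_type": 3, "src_ip": "10.1.7.41"},
    {"host": "FS01", "user": "svc_backup", "auth_pkg": "NTLM", "logon_type": 3, "src_ip": "10.1.5.20"},
    {"host": "APP02", "user": "svc_legacyapp", "auth_pkg": "NTLM", "logon_type": 3, "src_ip": "10.1.9.3"},
    {"host": "APP02", "user": "asmith", "auth_pkg": "Kerberos", "logon_type": 2, "src_ip": "-"},
    {"host": "DC01", "user": "jdoe", "auth_pkg": "Kerberos", "logon_type": 3, "src_ip": "10.1.7.41"},
]


def ntlm_inventory(events):
    """Map each host to the accounts that still authenticate to it with NTLM.
    Returns {host: {account: logon_count}}; hosts with no NTLM logons are absent.
    Service accounts that show up here are the roadmap's migration backlog."""
    inv = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["auth_pkg"].upper() == "NTLM":
            inv[e["host"]][e["user"]] += 1
    return {host: dict(accounts) for host, accounts in inv.items()}


def ntlm_share(events):
    """Fraction of all logons that used NTLM: a single progress metric to report
    to the CIO as the roadmap is executed."""
    total = len(events)
    ntlm = sum(1 for e in events if e["auth_pkg"].upper() == "NTLM")
    return ntlm / total if total else 0.0


NOW = datetime(2026, 4, 29, 9, 0, 0)  # constructed reference time

# Constructed per-host timestamps: last EDR agent heartbeat versus the last
# event from any other source (DHCP, DNS, NetFlow, event forwarding). A host
# still active on the network whose EDR agent went quiet is the EDR-blind case;
# a host silent on every source is more likely simply powered off.
SAMPLE_TELEMETRY = {
    "WS-044": {"edr_last": NOW - timedelta(minutes=2), "other_last": NOW - timedelta(minutes=1)},
    "WS-117": {"edr_last": NOW - timedelta(minutes=47), "other_last": NOW - timedelta(minutes=1)},
    "WS-201": {"edr_last": NOW - timedelta(hours=5), "other_last": NOW - timedelta(hours=5)},
    "SRV-07": {"edr_last": NOW - timedelta(minutes=15), "other_last": NOW - timedelta(minutes=3)},
}


def edr_gaps(telemetry, now, max_silence=timedelta(minutes=10), liveness=timedelta(minutes=5)):
    """Return sorted (host, minutes_silent) pairs for hosts whose EDR heartbeat is
    older than max_silence while other telemetry shows them alive within
    `liveness`. The liveness check keeps ordinary offline hosts out of the alert."""
    gaps = []
    for host, t in telemetry.items():
        edr_age = now - t["edr_last"]
        alive = (now - t["other_last"]) <= liveness
        if edr_age > max_silence and alive:
            gaps.append((host, int(edr_age.total_seconds() // 60)))
    return sorted(gaps)


if __name__ == "__main__":
    print(f"NTLM share of logons: {ntlm_share(SAMPLE_LOGONS):.0%}")
    for host, accounts in ntlm_inventory(SAMPLE_LOGONS).items():
        print(f"  {host}: {accounts}")
    for host, minutes in edr_gaps(SAMPLE_TELEMETRY, NOW):
        print(f"ALERT: {host} alive on network but EDR silent for {minutes} min")
```

<p> On the constructed data the inventory isolates two service accounts (<code> svc_backup </code> on FS01 and <code> svc_legacyapp </code> on APP02) as the NTLM backlog, and the gap check flags WS-117 and SRV-07 while ignoring WS-201, which is silent on every source. The thresholds are assumptions to tune against each agent's real heartbeat interval; the point is that the comparison runs on the isolated platform, so an endpoint-side kill of the agent cannot also suppress the alert about it. </p>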
<h2> <strong> Bottom Line </strong>
</h2>
<p> The threat level for state government networks has been raised to <strong> HIGH </strong> . This is not a drill and not a forecast — these are active campaigns by confirmed nation-state actors and sophisticated ransomware operators targeting the exact technologies and architectures that state agencies depend on.
</p>
<p> Three things make this week different:
</p>
<p> <strong> First </strong> , the convergence. Russia (APT28, Sandworm), China (Storm-1175, Volt Typhoon, Flax Typhoon), Iran, and multiple ransomware operations are all active simultaneously against government targets. This is not coordinated, but the cumulative effect is the same — defenders must respond on multiple fronts at once.
</p>
<p> <strong> Second </strong> , the erosion of defensive assumptions. Qilin can kill your EDR. Sandworm can tunnel through your firewall. APT28 can steal credentials without a click. ConnectWise — a tool you trust — is being weaponized by both nation-states and criminals. Each of these individually challenges a layer of defense that many state agencies treat as reliable.
</p>
<p> <strong> Third </strong> , the speed. CVE-2026-42208 was weaponized within 36 hours. CVE-2026-32202 went from patch to KEV in days. The window between disclosure and exploitation is collapsing, and state government patch cycles must accelerate to match.
</p>
<p> The recommendations in this brief are specific, prioritized, and actionable. The immediate items — patching CVE-2026-32202, securing ConnectWise ScreenConnect, blocking confirmed malicious infrastructure, and stopping outbound SMB — should be authorized today. The 30-day items — NTLM deprecation, defense-in-depth beyond EDR, MSP security assessments — are the structural changes that will determine whether your agency is resilient against the next wave.
</p>
<p> The adversaries are not waiting. Neither should we.
</p>