Anomali Cyber Watch
Public Sector

When Trust Becomes the Attack Surface: What State Government CISOs Need to Know This Week

Published on April 14, 2026
<p><strong>Threat Assessment Level: ELEVATED &mdash; Trending HIGH</strong></p>
<p><em>Elevated from baseline ELEVATED due to a convergence of actively exploited zero-days with imminent federal patching deadlines, confirmed nation-state operations against U.S. government infrastructure, and a new class of phishing that bypasses multi-factor authentication at scale.</em></p>
<h2><strong>Executive Summary</strong></h2>
<p>This week marks a turning point in the threat landscape facing state government IT. Three developments demand immediate leadership attention: a critical vulnerability in Fortinet&rsquo;s endpoint management platform carries a <strong>federal patching deadline of April 16</strong> &mdash; two days from now. The FBI and NSA publicly confirmed they disrupted a <strong>Russian military intelligence (GRU) operation</strong> that hijacked home routers to steal government Microsoft 365 credentials. And Microsoft&rsquo;s own security team confirmed that a <strong>phishing-as-a-service kit called EvilTokens</strong> is compromising organizational M365 accounts at scale &mdash; completely bypassing MFA.</p>
<p>These are not theoretical risks. They are confirmed, active operations targeting the exact technology stack most state agencies rely on: Microsoft 365, Fortinet endpoint management, and consumer-grade routers used by remote workers.</p>
<p>Meanwhile, Iranian intelligence operatives are pioneering a new operational model &mdash; renting Russian criminal infrastructure and using blockchain technology to hide their command-and-control servers.
And a fake AI tool installer impersonating Anthropic&rsquo;s Claude is delivering Chinese-linked espionage malware to anyone who downloads it.</p>
<p>The common thread: <strong>attackers are exploiting trusted infrastructure</strong> &mdash; legitimate cloud services, signed software binaries, and standard authentication flows. Reputation-based defenses alone are no longer sufficient.</p>
<h2><strong>What Changed This Week</strong></h2>
<table>
<thead>
<tr> <th> <p>Date</p> </th> <th> <p>Event</p> </th> <th> <p>Why It Matters for State Government</p> </th> </tr>
</thead>
<tbody>
<tr> <td> <p><strong>Apr 7</strong></p> </td> <td> <p>CISA Advisory AA26-097A confirms <strong>CyberAv3ngers (IRGC-CEC)</strong> actively manipulating PLCs at U.S. water and energy facilities</p> </td> <td> <p>State agencies overseeing water treatment and utilities are directly in scope</p> </td> </tr>
<tr> <td> <p><strong>Apr 7</strong></p> </td> <td> <p>NSA/FBI announce <strong>Operation Masquerade</strong> &mdash; disruption of GRU SOHO router DNS hijack network</p> </td> <td> <p>Confirms Russian military intelligence was intercepting M365 credentials via compromised home routers; any state teleworker with an unpatched consumer router was in the blast radius</p> </td> </tr>
<tr> <td> <p><strong>Apr 6&ndash;8</strong></p> </td> <td> <p>Microsoft confirms <strong>EvilTokens</strong> device-code phishing campaign is &ldquo;widespread&rdquo;</p> </td> <td> <p>Bypasses MFA entirely; targets M365 organizational accounts &mdash; the primary productivity platform for most state agencies</p> </td> </tr>
<tr> <td> <p><strong>Apr 10</strong></p> </td> <td> <p>JUMPSEC reveals <strong>MuddyWater (Iranian MOIS)</strong> deployed <strong>ChainShell</strong> &mdash; blockchain-based C2 via Russian criminal infrastructure</p> </td> <td> <p>First confirmed nation-state use of blockchain C2; signals Iran-Russia cyber convergence that complicates
attribution</p> </td> </tr>
<tr> <td> <p><strong>Apr 13</strong></p> </td> <td> <p>CISA adds <strong>7 vulnerabilities</strong> to Known Exploited Vulnerabilities catalog, including <strong>CVE-2026-21643</strong> (FortiClientEMS, CVSS 9.1)</p> </td> <td> <p><strong>Patch deadline: April 16.</strong> Unauthenticated SQL injection leading to remote code execution. If your agency uses FortiClientEMS, this is a compliance and security emergency</p> </td> </tr>
<tr> <td> <p><strong>Apr 13</strong></p> </td> <td> <p>Emsisoft publishes 2025 ransomware statistics: <strong>8,835 claimed victims (+46% YoY)</strong>, 141 active groups</p> </td> <td> <p><strong>Qilin</strong> (#1, 1,029 victims), <strong>Akira</strong> (#2, 640 victims), <strong>DragonForce</strong>, <strong>Medusa</strong>, and <strong>BianLian</strong> all actively targeting government</p> </td> </tr>
<tr> <td> <p><strong>Apr 14</strong></p> </td> <td> <p>Malwarebytes discovers fake <strong>Claude AI installer</strong> delivering <strong>PlugX</strong> espionage RAT via DLL sideloading</p> </td> <td> <p>Exploits organizational demand for AI tools; C2 to Alibaba Cloud infrastructure &mdash; historically associated with Chinese state-sponsored espionage</p> </td> </tr>
</tbody>
</table>
<h2><strong>Threat Analysis</strong></h2>
<h3><strong>1. The 48-Hour Clock: FortiClientEMS CVE-2026-21643</strong></h3>
<p><strong>CVE-2026-21643</strong> is an unauthenticated SQL injection vulnerability in Fortinet&rsquo;s FortiClientEMS &mdash; the centralized management console for FortiClient endpoint agents. It carries a CVSS score of <strong>9.1</strong> and allows remote code execution over HTTP without any credentials.</p>
<p>CISA added this to the Known Exploited Vulnerabilities (KEV) catalog on April 13 with a <strong>remediation deadline of April 16, 2026</strong>.
This is not a theoretical risk &mdash; it is being actively exploited in the wild, and CISA has tagged government as a target sector.</p>
<p>For state agencies using FortiClientEMS for endpoint management, this vulnerability gives an attacker unauthenticated access to the system that manages every endpoint in your environment. Exploitation is trivial &mdash; SQL injection over HTTP &mdash; and the consequences are catastrophic: full remote code execution on the management server, with potential lateral movement to every managed endpoint.</p>
<p><strong>ATT&amp;CK Technique:</strong> T1190 (Exploit Public-Facing Application)</p>
<p>Also added to the KEV catalog in the same batch:</p>
<ul>
<li><strong>CVE-2026-34621</strong> &mdash; Adobe Acrobat/Reader Prototype Pollution &rarr; arbitrary code execution (CVSS 8.6, deadline April 27)</li>
<li><strong>CVE-2023-21529</strong> &mdash; Microsoft Exchange Server Deserialization</li>
<li><strong>CVE-2023-36424</strong> &mdash; Microsoft Windows Out-of-Bounds Read privilege escalation</li>
<li><strong>CVE-2025-60710</strong> &mdash; Microsoft Windows Link Following privilege escalation</li>
<li><strong>CVE-2012-1854</strong> &mdash; Microsoft VBA DLL Hijacking</li>
<li><strong>CVE-2020-9715</strong> &mdash; Adobe Acrobat Use-After-Free</li>
</ul>
<h3><strong>2. EvilTokens: The MFA Bypass That&rsquo;s Already Inside Your Tenant</strong></h3>
<p>Microsoft&rsquo;s Defender Security Research team confirmed on April 6 that a &ldquo;widespread phishing campaign leveraging the device code authentication flow&rdquo; is actively compromising M365 organizational accounts. Independent analysis from Sekoia and reporting from BleepingComputer corroborate that the <strong>EvilTokens</strong> phishing-as-a-service kit is being sold in underground forums and is in active use.</p>
<p><strong>Why this is different from normal phishing:</strong> Device-code phishing doesn&rsquo;t steal passwords.
It abuses Microsoft&rsquo;s legitimate device-code authentication flow &mdash; the same flow used when you sign into a smart TV or IoT device. The victim enters a code on a legitimate Microsoft login page, and the attacker captures the resulting OAuth token. <strong>MFA is completed by the victim on the real Microsoft site.</strong> The attacker never needs the password or the second factor.</p> <p>This means your conditional access policies, your MFA deployment, and your anti-phishing training are all structurally bypassed. The only effective countermeasure is to <strong>block the device-code authentication flow</strong> in Azure AD/Entra ID conditional access policies for all accounts except explicitly approved service principals.</p> <p><strong>ATT&amp;CK Techniques:</strong> T1528 (Steal Application Access Token), T1078.004 (Valid Accounts: Cloud Accounts), T1114.002 (Remote Email Collection)</p> <h3><strong>3. Operation Masquerade: GRU Was Hijacking Home Routers to Steal Government Credentials</strong></h3> <p>On April 7&ndash;8, the DOJ, FBI, and NSA jointly announced a court-authorized operation to neutralize a <strong>GRU (Russian military intelligence, APT28)</strong> network of compromised SOHO routers. The operation &mdash; dubbed &ldquo;Operation Masquerade&rdquo; &mdash; revealed that GRU operators had compromised consumer-grade routers (Ubiquiti, ASUS, and similar brands) used by government employees working from home, then manipulated DNS settings to redirect Microsoft 365 authentication traffic through attacker-controlled infrastructure.</p> <p>The FBI sent commands to compromised routers to collect forensic data and reset DNS configurations. 
While the disruption is positive, the disclosure confirms a worst-case scenario: <strong>a foreign military intelligence service was actively intercepting government M365 credentials by compromising the home network equipment of remote workers.</strong></p> <p>State agencies with telework programs should assume that any employee using an unpatched consumer router may have been in the blast radius. DNS settings on all SOHO routers in remote/telework environments should be verified immediately.</p> <p><strong>ATT&amp;CK Techniques:</strong> T1584.008 (Compromise Infrastructure: Network Devices), T1557.002 (Adversary-in-the-Middle: DNS), T1078 (Valid Accounts)</p> <h3><strong>4. MuddyWater&rsquo;s ChainShell: Iran Rents Russian Criminal Infrastructure, Hides C2 on the Blockchain</strong></h3> <p>JUMPSEC published research on April 10 revealing that <strong>MuddyWater</strong> &mdash; an Iranian group linked to the Ministry of Intelligence and Security (MOIS) &mdash; has adopted a Russian malware-as-a-service platform to deploy a Node.js-based agent called <strong>ChainShell</strong>. The agent uses Ethereum smart contracts to store and retrieve its command-and-control address, making takedowns extremely difficult.</p> <p>Five independent sources confirmed this within four days. The campaign currently targets Israel, but MuddyWater has historically targeted U.S. government entities, and the operational model is scalable.</p> <p><strong>Why this matters strategically:</strong> This is the first confirmed case of a nation-state actor renting criminal infrastructure and using blockchain for C2 resilience. It represents a convergence of the nation-state and cybercriminal ecosystems that fundamentally complicates attribution and defense. 
If this model proliferates &mdash; and there is every reason to expect it will &mdash; defenders will face blended threats that don&rsquo;t fit clean &ldquo;nation-state&rdquo; or &ldquo;criminal&rdquo; categories.</p> <p><strong>ATT&amp;CK Techniques:</strong> T1102.002 (Web Service: Bidirectional Communication), T1583.006 (Acquire Infrastructure: Web Services), T1059.007 (JavaScript)</p> <h3><strong>5. Fake Claude AI Installer Delivers PlugX Espionage Malware</strong></h3> <p>Malwarebytes discovered a fake website impersonating Anthropic&rsquo;s Claude AI service that distributes the <strong>PlugX</strong> remote access trojan &mdash; a malware family historically associated with Chinese state-sponsored espionage. The attack uses a ZIP archive containing an MSI installer that deploys a classic DLL sideloading chain: a signed G DATA updater binary (NOVUpdate.exe) loads a malicious DLL (avk.dll), which decrypts an encrypted payload. C2 communication is established to <strong>8.217.190.58</strong> (Alibaba Cloud) over HTTPS within 22 seconds of execution.</p> <p>As state agencies evaluate and adopt AI tools, employees searching for AI software become targets. This attack doesn&rsquo;t exploit a software vulnerability &mdash; it exploits <strong>organizational demand for AI tools</strong> combined with the absence of an approved software policy.</p> <p><strong>ATT&amp;CK Techniques:</strong> T1574.002 (DLL Side-Loading), T1036.005 (Masquerading), T1547.001 (Registry Run Keys / Startup Folder)</p> <h3><strong>6. Ransomware Landscape: 46% Growth, Government Remains a Top Target</strong></h3> <p>Emsisoft&rsquo;s 2025 annual report documents <strong>8,835 claimed ransomware victims</strong> &mdash; a 46% increase year-over-year &mdash; across <strong>141 active ransomware groups</strong>. 
The top groups actively targeting government:</p> <table> <thead> <tr> <th> <p>Group</p> </th> <th> <p>2025 Claimed Victims</p> </th> <th> <p>Government Targeting</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>Qilin</strong></p> </td> <td> <p>1,029</p> </td> <td> <p>Active &mdash; confirmed state/local government victims</p> </td> </tr> <tr> <td> <p><strong>Akira</strong></p> </td> <td> <p>640</p> </td> <td> <p>Active &mdash; government and education sectors</p> </td> </tr> <tr> <td> <p><strong>DragonForce</strong></p> </td> <td> <p>Active</p> </td> <td> <p>Confirmed government targeting</p> </td> </tr> <tr> <td> <p><strong>Medusa</strong></p> </td> <td> <p>Active</p> </td> <td> <p>Confirmed government targeting</p> </td> </tr> <tr> <td> <p><strong>BianLian</strong></p> </td> <td> <p>Active</p> </td> <td> <p>Data exfiltration focus; government sector</p> </td> </tr> <tr> <td> <p><strong>Hellcat</strong></p> </td> <td> <p>Active</p> </td> <td> <p>Emerging; government sector observed</p> </td> </tr> </tbody> </table> <p>No new state or local government ransomware incident was reported in the past 24 hours, but given the statistical trajectory (+46% YoY with government as a priority target), this is a matter of when, not if.</p> <h3><strong>7. CyberAv3ngers: Iranian IRGC-CEC Actively Manipulating U.S. Water and Energy PLCs</strong></h3> <p>CISA Advisory AA26-097A (April 7) confirmed that <strong>CyberAv3ngers</strong> &mdash; attributed to Iran&rsquo;s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC) &mdash; are actively manipulating Rockwell Automation programmable logic controllers (PLCs) at U.S. water treatment and energy facilities. 
The group uses Dropbear SSH for persistence on compromised OT devices.</p> <p>State agencies with oversight of water utilities, energy infrastructure, or transportation SCADA systems should treat this as a confirmed, active threat to the systems they regulate or operate.</p> <h2><strong>Predictive Analysis: What Comes Next</strong></h2> <table> <thead> <tr> <th> <p>Scenario</p> </th> <th> <p>Probability</p> </th> <th> <p>Timeframe</p> </th> <th> <p>Basis</p> </th> </tr> </thead> <tbody> <tr> <td> <p>Accelerated exploitation of CVE-2026-21643 (FortiClientEMS) before April 16 deadline</p> </td> <td> <p><strong>HIGH (&gt;70%)</strong></p> </td> <td> <p>48 hours</p> </td> <td> <p>Threat actors historically accelerate exploitation after CISA KEV addition; SQLi exploitation is trivial</p> </td> </tr> <tr> <td> <p>EvilTokens-based business email compromise attempts against state finance and procurement staff</p> </td> <td> <p><strong>MODERATE (40&ndash;60%)</strong></p> </td> <td> <p>7 days</p> </td> <td> <p>PhaaS model lowers barrier for less-sophisticated actors; state finance offices are high-value BEC targets</p> </td> </tr> <tr> <td> <p>Additional AI-themed social engineering campaigns using ChatGPT, Copilot, or Gemini branding</p> </td> <td> <p><strong>MODERATE (40&ndash;60%)</strong></p> </td> <td> <p>14 days</p> </td> <td> <p>The Claude/PlugX template is easily replicated; AI tool adoption is accelerating across government</p> </td> </tr> <tr> <td> <p>MuddyWater ChainShell campaign expanding beyond Israel to U.S. targets</p> </td> <td> <p><strong>LOW-MODERATE (20&ndash;40%)</strong></p> </td> <td> <p>30 days</p> </td> <td> <p>Blockchain C2 infrastructure is resilient and the Russian MaaS model is scalable; MuddyWater has historical U.S. 
targeting</p> </td> </tr>
<tr> <td> <p>Volt Typhoon / Salt Typhoon pre-positioning activity surfacing in state government networks</p> </td> <td> <p><strong>LOW-MODERATE (20&ndash;40%)</strong></p> </td> <td> <p>30 days</p> </td> <td> <p>BeyondTrust CVE-2026-1731 China-nexus campaign is active; absence of Volt/Salt Typhoon reporting is notable given geopolitical tensions</p> </td> </tr>
<tr> <td> <p>Ransomware incident affecting a U.S. state or local government entity</p> </td> <td> <p><strong>HIGH (&gt;70%)</strong></p> </td> <td> <p>30 days</p> </td> <td> <p>46% YoY growth, 141 active groups, government is a confirmed priority target sector</p> </td> </tr>
</tbody>
</table>
<h2><strong>SOC Operational Guidance</strong></h2>
<h3><strong>Detection Priorities</strong></h3>
<ol>
<li><strong>Device-Code Phishing (EvilTokens)</strong>
<ul>
<li><strong>Hunt Hypothesis:</strong> Adversaries are using device-code phishing to obtain OAuth tokens for M365 accounts, bypassing MFA. Look for anomalous device-code authentication events followed by mail forwarding rule creation or unusual mailbox access patterns.</li>
<li><strong>What to Monitor:</strong>
<ul>
<li>Azure AD sign-in logs: filter for authenticationProtocol = deviceCode &mdash; any device-code authentication from a user account (not a service principal) should be investigated</li>
<li>Token refresh events from geolocations inconsistent with the user&rsquo;s normal pattern (T1528)</li>
<li>New inbox rules or mail forwarding rules created within 24 hours of a device-code authentication event (T1114.002)</li>
<li>OAuth application consent grants from unfamiliar applications (T1550.001)</li>
</ul>
</li>
<li><strong>Detection Logic:</strong> Alert on DeviceCodeAuthentication events in Azure AD where the requesting application is not in your approved service principal list. Correlate with New-InboxRule or Set-Mailbox PowerShell commands within a 4-hour window.</li>
</ul>
</li>
<li><strong>PlugX DLL Sideloading via Fake AI Installers</strong>
<ul>
<li><strong>Hunt Hypothesis:</strong> Users downloading AI tools from unofficial sources may execute trojanized installers that deploy PlugX via DLL sideloading. Look for signed binaries loading unexpected DLLs from user-writable directories.</li>
<li><strong>What to Monitor:</strong>
<ul>
<li>wscript.exe spawning NOVUpdate.exe or any process loading avk.dll (T1574.002)</li>
<li>Any executable running from %APPDATA%\WindowsUpdate\ &mdash; this is not a legitimate Windows Update path (T1547.001)</li>
<li>Outbound HTTPS connections to <strong>8.217.190[.]58</strong> (Alibaba Cloud) (T1071.001)</li>
<li>MSI installer execution from user Downloads folders followed by DLL loads from non-standard paths (T1036.005)</li>
<li>VBScript execution followed by self-deletion (~del.vbs.bat pattern) (T1070.004)</li>
</ul>
</li>
<li><strong>Blocking Action:</strong> Block C2 IP <strong>8.217.190[.]58</strong> at the firewall and proxy. Add the NOVUpdate.exe + avk.dll combination to endpoint detection rules.</li>
</ul>
</li>
<li><strong>SOHO Router DNS Manipulation (APT28/GRU)</strong>
<ul>
<li><strong>Hunt Hypothesis:</strong> Compromised home routers are redirecting DNS queries for Microsoft authentication endpoints to attacker-controlled infrastructure. Look for M365 authentication anomalies from remote workers.</li>
<li><strong>What to Monitor:</strong>
<ul>
<li>Azure AD sign-in logs showing authentication from IP addresses that don&rsquo;t match the user&rsquo;s known ISP or VPN exit point (T1557.002)</li>
<li>Certificate warnings or TLS errors on Microsoft authentication endpoints reported by users (T1557)</li>
<li>DNS resolution for login.microsoftonline.com and login.windows.net returning unexpected IP addresses (T1584.008)</li>
</ul>
</li>
<li><strong>Investigation Guidance:</strong> For any suspicious remote authentication, ask the user to run nslookup login.microsoftonline.com from their home network and compare results against known Microsoft IP ranges. Discrepancies indicate DNS manipulation.</li>
</ul>
</li>
<li><strong>FortiClientEMS Exploitation</strong>
<ul>
<li><strong>Hunt Hypothesis:</strong> Unauthenticated attackers are exploiting SQL injection in FortiClientEMS to achieve remote code execution on the management server.</li>
<li><strong>What to Monitor:</strong>
<ul>
<li>FortiClientEMS server logs for unusual SQL error messages or unexpected database queries (T1190)</li>
<li>New processes spawned by the FortiClientEMS service account (T1059)</li>
<li>Outbound connections from the FortiClientEMS server to unfamiliar IP addresses</li>
<li>Any lateral movement originating from the FortiClientEMS server to managed endpoints</li>
</ul>
</li>
<li><strong>Immediate Action:</strong> If patching cannot be completed before April 16, restrict network access to the FortiClientEMS management interface to authorized administrator IP addresses only.</li>
</ul>
</li>
<li><strong>AWS Federation Persistence</strong>
<ul>
<li><strong>Hunt Hypothesis:</strong> Adversaries with compromised AWS IAM credentials are using sts:GetFederationToken to create federated sessions that survive credential deactivation.</li>
<li><strong>What to Monitor:</strong>
<ul>
<li>CloudTrail events for sts:GetFederationToken API calls &mdash; these should be rare in most environments (T1078.004)</li>
<li>Federated session activity continuing after the parent IAM user&rsquo;s access keys have been deactivated</li>
<li>Unusual AssumeRole or GetSessionToken calls from unfamiliar source IPs</li>
</ul>
</li>
<li><strong>IR Playbook Update:</strong> Standard containment (deactivating API keys) is <strong>insufficient</strong>. Attach an explicit deny-all IAM policy to compromised users to invalidate all active sessions, including federated ones.</li>
</ul>
</li>
</ol>
<h2><strong>Sector-Specific Defensive Priorities</strong></h2>
<h3><strong>Financial Services (State Revenue, Treasury, Procurement)</strong></h3>
<p>State revenue agencies, treasury offices, and procurement divisions handle high-value financial transactions that make them prime targets for business email compromise following EvilTokens credential theft.</p>
<ul>
<li><strong>Priority Threat:</strong> EvilTokens device-code phishing &rarr; M365 account takeover &rarr; BEC targeting payment workflows</li>
<li><strong>Action:</strong> Implement conditional access policies requiring compliant/managed devices for all financial system access. Enable &ldquo;risky sign-in&rdquo; alerts in Azure AD Identity Protection. Review and harden approval workflows for wire transfers and vendor payment changes &mdash; require out-of-band confirmation for any payment modification initiated via email.</li>
<li><strong>Detection Focus:</strong> Monitor for new inbox rules, mail forwarding, and delegate access changes on finance staff mailboxes (T1114.002, T1098.002).</li>
</ul>
<h3><strong>Energy (State Utility Oversight, Public Power Authorities)</strong></h3>
<p>CISA Advisory AA26-097A confirms CyberAv3ngers (IRGC-CEC) are actively manipulating PLCs at U.S. water and energy facilities.
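</p>
<p>The device-code hunt set out under Detection Priorities above (unapproved deviceCode sign-ins, correlated with New-InboxRule or Set-Mailbox activity by the same user inside a 4-hour window), carried out in Python over constructed sample records. This is an added example, not code from the brief or from Anomali; the allowlisted appId, the user names, IP addresses and timestamps are constructed placeholders, and the field names follow the Microsoft Graph signIn resource and the Exchange Online unified audit log.</p>

```python
from datetime import datetime, timedelta, timezone

# Constructed allowlist of appIds (placeholder GUIDs) for service principals that
# are approved to use the device-code flow; any other deviceCode sign-in is suspect.
APPROVED_DEVICE_CODE_APPS = {"aaaaaaaa-0000-0000-0000-000000000001"}

# Mailbox operations the brief says to correlate with device-code sign-ins.
MAILBOX_CHANGE_OPS = {"New-InboxRule", "Set-Mailbox"}

# Correlation window from the brief's Detection Logic.
CORRELATION_WINDOW = timedelta(hours=4)

# Constructed Entra ID sign-in records (Microsoft Graph signIn-style field names).
SIGN_INS = [
    {"createdDateTime": "2026-04-13T09:02:11Z", "userPrincipalName": "svc-lobby-display@agency.example",
     "appId": "aaaaaaaa-0000-0000-0000-000000000001", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.10"},   # approved service principal: expected, not alerted
    {"createdDateTime": "2026-04-13T10:15:42Z", "userPrincipalName": "j.doe@agency.example",
     "appId": "bbbbbbbb-0000-0000-0000-000000000002", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.77"},    # user account, unapproved app: anomaly
    {"createdDateTime": "2026-04-13T11:30:05Z", "userPrincipalName": "m.lee@agency.example",
     "appId": "bbbbbbbb-0000-0000-0000-000000000002", "authenticationProtocol": "oAuth2",
     "ipAddress": "198.51.100.22"},   # ordinary interactive sign-in: ignored
    {"createdDateTime": "2026-04-13T14:00:00Z", "userPrincipalName": "a.smith@agency.example",
     "appId": "cccccccc-0000-0000-0000-000000000003", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.90"},    # anomaly, but no mailbox change inside the window
]

# Constructed Exchange Online unified-audit-log records.
AUDIT_EVENTS = [
    {"CreationTime": "2026-04-13T12:40:19Z", "UserId": "j.doe@agency.example",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.77"},   # 2h25m after the sign-in
    {"CreationTime": "2026-04-13T20:30:00Z", "UserId": "a.smith@agency.example",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.90"},   # 6h30m after: outside window
    {"CreationTime": "2026-04-13T11:45:00Z", "UserId": "m.lee@agency.example",
     "Operation": "Set-Mailbox", "ClientIP": "198.51.100.22"},    # no device-code sign-in to pair with
]


def parse_ts(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' UTC timestamps used by both log sources."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def device_code_anomalies(sign_ins, approved_apps=APPROVED_DEVICE_CODE_APPS):
    """Step 1: device-code sign-ins whose requesting app is not on the approved list."""
    return [
        s for s in sign_ins
        if s["authenticationProtocol"] == "deviceCode" and s["appId"] not in approved_apps
    ]


def mailbox_change_after(sign_in, audit_events, window=CORRELATION_WINDOW):
    """Step 2: earliest New-InboxRule / Set-Mailbox by the same user within `window`
    after the sign-in, or None when there is none."""
    start = parse_ts(sign_in["createdDateTime"])
    candidates = [
        e for e in audit_events
        if e["UserId"].lower() == sign_in["userPrincipalName"].lower()
        and e["Operation"] in MAILBOX_CHANGE_OPS
        and start <= parse_ts(e["CreationTime"]) <= start + window
    ]
    return min(candidates, key=lambda e: e["CreationTime"]) if candidates else None


def hunt(sign_ins, audit_events, approved_apps=APPROVED_DEVICE_CODE_APPS):
    """Run both steps and return one alert per anomalous device-code sign-in.

    Severity is 'high' when a mailbox change follows inside the window (the token
    theft -> mail collection chain, T1528 -> T1114.002) and 'medium' when only the
    unapproved device-code authentication is present.
    """
    alerts = []
    for s in device_code_anomalies(sign_ins, approved_apps):
        change = mailbox_change_after(s, audit_events)
        alerts.append({
            "user": s["userPrincipalName"],
            "sign_in_time": s["createdDateTime"],
            "sign_in_ip": s["ipAddress"],
            "app_id": s["appId"],
            "mailbox_operation": change["Operation"] if change else None,
            "mailbox_change_time": change["CreationTime"] if change else None,
            "severity": "high" if change else "medium",
        })
    return sorted(alerts, key=lambda a: a["sign_in_time"])


if __name__ == "__main__":
    for alert in hunt(SIGN_INS, AUDIT_EVENTS):
        print(alert)
```

<p>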
State agencies regulating or operating energy infrastructure face direct risk.</p> <ul> <li><strong>Priority Threat:</strong> CyberAv3ngers PLC manipulation via Dropbear SSH; ICS advisories for Siemens Industrial Edge and Contemporary Controls BASC 20T</li> <li><strong>Action:</strong> Audit all internet-facing OT/ICS management interfaces. Verify that Rockwell Automation PLCs are segmented from IT networks with monitored jump servers. Ensure Dropbear SSH is not running on any OT devices &mdash; if found, treat as a confirmed compromise indicator. Apply Siemens and Contemporary Controls ICS patches per CISA advisories.</li> <li><strong>Detection Focus:</strong> Monitor for SSH connections to PLC management interfaces from non-authorized IP addresses. Alert on any firmware changes to PLCs outside scheduled maintenance windows.</li> </ul> <h3><strong>Healthcare (Medicaid, State Health Agencies, Public Health Labs)</strong></h3> <p>Healthcare IT vendors are a confirmed supply chain risk vector, and ransomware groups (Qilin, Akira) actively target healthcare. State Medicaid systems and public health infrastructure contain protected health information (PHI) that carries both regulatory and operational risk.</p> <ul> <li><strong>Priority Threat:</strong> Ransomware (Qilin, Akira) targeting healthcare; supply chain compromise via healthcare IT vendors; credential theft via EvilTokens</li> <li><strong>Action:</strong> Verify that Medicaid claims processing systems and EHR platforms have offline backup and recovery procedures tested within the last 90 days. Audit third-party healthcare IT vendor access &mdash; ensure vendor VPN accounts use MFA and are scoped to minimum necessary access. Review BAA (Business Associate Agreement) breach notification requirements.</li> <li><strong>Detection Focus:</strong> Monitor for unusual data exfiltration patterns from Medicaid databases (T1041). 
Alert on bulk record access outside normal business hours.</li> </ul> <h3><strong>Government (Executive Agencies, Legislature, Courts, Elections)</strong></h3> <p>State government agencies are the primary target for every threat in this report &mdash; from nation-state espionage (APT28, MuddyWater, PlugX) to ransomware (Qilin, Akira, DragonForce) to credential theft (EvilTokens).</p> <ul> <li><strong>Priority Threat:</strong> EvilTokens M365 credential theft; FortiClientEMS CVE-2026-21643 exploitation; APT28 SOHO router DNS hijacking; ransomware</li> <li><strong>Action:</strong> Enforce conditional access policies blocking device-code authentication in Azure AD. Patch FortiClientEMS before April 16. Issue guidance to all remote workers to update home router firmware and verify DNS settings. Ensure all agencies &mdash; including small boards and commissions with limited IT resources &mdash; are covered by centralized endpoint detection.</li> <li><strong>Detection Focus:</strong> Prioritize Azure AD sign-in anomalies, FortiClientEMS server integrity monitoring, and ransomware precursor activity (T1486 precursors: mass file enumeration, shadow copy deletion, credential dumping).</li> </ul> <h3><strong>Aviation / Logistics (State DOT, Port Authorities, Airport Operations)</strong></h3> <p>State departments of transportation, port authorities, and airport operations manage SCADA and operational technology systems that intersect with the same ICS threat landscape as energy and water.</p> <ul> <li><strong>Priority Threat:</strong> CyberAv3ngers ICS targeting (transferable TTPs to transportation SCADA); ransomware disrupting logistics operations; supply chain compromise</li> <li><strong>Action:</strong> Audit all SCADA and traffic management systems for internet-facing management interfaces. Segment OT networks from IT networks with monitored boundary controls. Ensure transportation management systems have manual fallback procedures for ransomware scenarios. 
Review vendor remote access to traffic control and port management systems.</li> <li><strong>Detection Focus:</strong> Monitor for unauthorized access to SCADA HMI (Human-Machine Interface) systems. Alert on any configuration changes to traffic management or port operations systems outside change windows.</li> </ul> <h2><strong>Prioritized Defense Recommendations</strong></h2> <h3><strong>IMMEDIATE (Within 48 Hours)</strong></h3> <table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Responsible Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>CRITICAL</strong></p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Patch FortiClientEMS</strong> to the latest version addressing CVE-2026-21643 (CVSS 9.1) before the CISA deadline of <strong>April 16, 2026</strong>. This is an unauthenticated SQL injection leading to remote code execution. If patching is not possible within 48 hours, restrict network access to the FortiClientEMS management interface to authorized administrator IPs only.</p> </td> </tr> <tr> <td> <p><strong>CRITICAL</strong></p> </td> <td> <p>Identity / Cloud Ops</p> </td> <td> <p><strong>Block device-code authentication flow</strong> in Azure AD / Entra ID conditional access policies for all user accounts. Exempt only explicitly approved service principals. EvilTokens PhaaS is actively compromising M365 accounts at scale and bypasses MFA entirely. This is a configuration change &mdash; no patching required &mdash; and can be deployed same-day.</p> </td> </tr> <tr> <td> <p><strong>CRITICAL</strong></p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Issue emergency guidance to all remote/telework employees</strong>: update home router firmware, change default admin credentials, and verify DNS settings (should point to agency-approved DNS servers, not unknown addresses). 
This addresses the confirmed GRU SOHO router DNS hijack operation (Operation Masquerade).</p> </td> </tr> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Block C2 IP 8.217.190[.]58</strong> at all firewalls, proxies, and EDR platforms. Block execution of Bid-Packet-INV-Document.js via application control policies. These are confirmed indicators from the fake Claude AI / PlugX espionage campaign.</p> </td> </tr> </tbody> </table> <h3><strong>7-DAY</strong></h3> <table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Responsible Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Patch Adobe Acrobat/Reader</strong> for CVE-2026-34621 (Prototype Pollution, CVSS 8.6) and CVE-2020-9715 (Use-After-Free). CISA KEV deadline: April 27.</p> </td> </tr> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Audit all NGINX deployments</strong> for WebDAV module (ngx_http_dav_module) with COPY/MOVE methods combined with alias directives. If present, upgrade to NGINX 1.28.3+ or 1.29.7+ to address CVE-2026-27654 (buffer overflow).</p> </td> </tr> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>IT Operations</p> </td> <td> <p><strong>Patch Microsoft Exchange Server</strong> for CVE-2023-21529 (deserialization) and <strong>Microsoft Windows</strong> for CVE-2023-36424 and CVE-2025-60710. All added to CISA KEV on April 13.</p> </td> </tr> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Create detection rules</strong> for PlugX DLL sideloading: alert on any process loading avk.dll from %APPDATA%\WindowsUpdate\, and on wscript.exe spawning NOVUpdate.exe. 
Deploy across all endpoint detection platforms.</p> </td> </tr> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>SOC + Cloud Ops</p> </td> <td> <p><strong>Audit AWS IAM policies</strong> for sts:GetFederationToken permissions. Update incident response playbooks: when containing a compromised AWS IAM user, attach an explicit deny-all policy rather than only deactivating API keys. Federated sessions survive key deactivation.</p> </td> </tr> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>SOC</p> </td> <td> <p><strong>Build EvilTokens detection playbook</strong>: monitor Azure AD sign-in logs for deviceCode authentication protocol events from user accounts; correlate with inbox rule changes and mail forwarding within a 4-hour window; alert on OAuth consent grants from unfamiliar applications.</p> </td> </tr> </tbody> </table> <h3><strong>30-DAY</strong></h3> <table> <thead> <tr> <th> <p>Priority</p> </th> <th> <p>Responsible Team</p> </th> <th> <p>Action</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>CISO / Policy</p> </td> <td> <p><strong>Publish an internal policy</strong> prohibiting download of AI tools from unofficial sources. Establish an approved AI tool list with verified download URLs distributed to all agencies. Brief all staff on the fake Claude AI / PlugX campaign as a concrete example.</p> </td> </tr> <tr> <td> <p><strong>HIGH</strong></p> </td> <td> <p>CISO / IT Operations</p> </td> <td> <p><strong>Conduct a zero-trust architecture assessment</strong> focused on the &ldquo;trust surface&rdquo; &mdash; legitimate cloud services, signed binaries, and standard authentication flows being abused by attackers. Three of this week&rsquo;s five major events exploited trusted infrastructure. 
Reputation-based defenses are structurally inadequate.</p> </td> </tr> <tr> <td> <p><strong>MODERATE</strong></p> </td> <td> <p>CISO / OT Security</p> </td> <td> <p><strong>Commission an OT/ICS security assessment</strong> for all state-operated or state-regulated water treatment, energy, and transportation SCADA systems. Verify network segmentation, audit remote access, and confirm that Rockwell Automation PLCs are not internet-accessible. Reference CISA Advisory AA26-097A.</p> </td> </tr> <tr> <td> <p><strong>MODERATE</strong></p> </td> <td> <p>HR / Recruiting</p> </td> <td> <p><strong>Brief recruiting and hiring teams</strong> on North Korean (DPRK) fake interview tactics. DPRK operatives use fake coding challenges and interview repositories to deliver malware (INVISIBLEFERRET). All coding challenge repositories should be verified before execution on state devices.</p> </td> </tr> <tr> <td> <p><strong>MODERATE</strong></p> </td> <td> <p>CISO / Governance</p> </td> <td> <p><strong>Review cybersecurity legislative tracking processes.</strong> Active state legislative sessions are underway, but intelligence collection on new cybersecurity legislation has produced no results for three consecutive weeks &mdash; likely a monitoring gap, not an absence of legislative activity. 
Manually check the NCSL Cybersecurity Legislation Tracker and ensure automated monitoring is functioning.</p> </td> </tr> </tbody> </table> <h3><strong>Executive / IR Preparedness</strong></h3> <table> <thead> <tr> <th> <p>Action</p> </th> <th> <p>Owner</p> </th> <th> <p>Timeframe</p> </th> </tr> </thead> <tbody> <tr> <td> <p><strong>Approve emergency patching window</strong> for FortiClientEMS before April 16 CISA deadline</p> </td> <td> <p>CIO / CISO</p> </td> <td> <p>Immediate</p> </td> </tr> <tr> <td> <p><strong>Approve Azure AD conditional access policy change</strong> to block device-code authentication</p> </td> <td> <p>CISO / Identity Team</p> </td> <td> <p>Immediate</p> </td> </tr> <tr> <td> <p><strong>Tabletop exercise</strong>: Ransomware scenario targeting a mid-size state agency with limited IT staff</p> </td> <td> <p>CISO / IR Team</p> </td> <td> <p>30 days</p> </td> </tr> <tr> <td> <p><strong>Review cyber insurance policy</strong> for coverage of nation-state attacks and supply chain compromise</p> </td> <td> <p>CISO / Legal / Risk</p> </td> <td> <p>30 days</p> </td> </tr> <tr> <td> <p><strong>Brief the Governor&rsquo;s office / legislative leadership</strong> on the GRU router operation and its implications for state telework security</p> </td> <td> <p>CISO / CIO</p> </td> <td> <p>7 days</p> </td> </tr> </tbody> </table> <h2><strong>The Bigger Picture: Three Structural Shifts</strong></h2> <ol> <li><strong>Trust is the new attack surface.</strong> Three of this week&rsquo;s five major events exploit trusted infrastructure: Microsoft&rsquo;s own device-code authentication flow (EvilTokens), signed G DATA software binaries (PlugX), and legitimate home networking equipment (GRU router hijacking). Attackers are not breaking through your defenses &mdash; they are walking through your front door using your own keys. 
This demands a fundamental shift from reputation-based security (&ldquo;is this IP/domain/binary known-bad?&rdquo;) to behavior-based security (&ldquo;is this action consistent with what this user/system normally does?&rdquo;).</li> <li><strong>Nation-state and criminal ecosystems are converging.</strong> MuddyWater &mdash; an Iranian MOIS intelligence service &mdash; is now renting infrastructure from Russian cybercriminals and using blockchain to hide its operations. This is not an isolated case; it is the future of the threat landscape. The clean categories of &ldquo;nation-state threat&rdquo; and &ldquo;criminal threat&rdquo; that inform our risk frameworks and budget justifications are dissolving. Defense strategies must account for adversaries that combine state-level sophistication with criminal-level infrastructure resilience.</li> <li><strong>AI adoption creates a new social engineering vector.</strong> The fake Claude AI installer delivering PlugX is a harbinger. As state agencies race to adopt AI tools &mdash; often without formal procurement processes or approved software lists &mdash; every employee searching for &ldquo;download Claude&rdquo; or &ldquo;install Copilot&rdquo; becomes a potential entry point for espionage malware. This is not a technology problem; it is a policy and governance problem that requires an immediate organizational response.</li> </ol> <h2><strong>Bottom Line</strong></h2> <p>The threat environment facing state government IT is defined by speed and convergence. A critical Fortinet vulnerability has a 48-hour patching deadline. A phishing kit that bypasses MFA is confirmed active at scale against the exact platform your agencies use every day. A foreign military intelligence service was caught hijacking the home routers of government workers. 
And the lines between nation-state espionage, criminal ransomware, and supply chain social engineering are blurring beyond recognition.</p> <p>The actions outlined in this report are specific, prioritized, and time-bound. The FortiClientEMS patch and the Azure AD conditional access change are the two highest-leverage actions available right now &mdash; both can be executed today, and both materially reduce your exposure to confirmed, active threats.</p> <p>The adversaries are not waiting. Neither should we.</p>
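<p>The 7-day SOC action above asks for detection rules covering two PlugX sideloading behaviours: a process loading avk.dll from %APPDATA%\WindowsUpdate\, and wscript.exe spawning NOVUpdate.exe. The following is an added example (not code from the report or from Anomali) of that logic run over constructed Sysmon-style events. Field names follow Sysmon's image-load (Event ID 7) and process-create (Event ID 1) schema; the user name and every path other than the two indicators named in the report are invented for the sample.</p>

```python
import re
from typing import Dict, Iterable, List, Tuple

# %APPDATA% expands to C:\Users\<user>\AppData\Roaming, so the rule has to match
# the expanded form of %APPDATA%\WindowsUpdate\avk.dll. Windows paths are
# case-insensitive, so the regex is too.
SIDELOAD_DLL = re.compile(r"\\AppData\\Roaming\\WindowsUpdate\\avk\.dll$", re.IGNORECASE)

# Constructed sample events (hypothetical host "jdoe"; only avk.dll, NOVUpdate.exe
# and the %APPDATA%\WindowsUpdate\ directory come from the report).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Users\jdoe\AppData\Roaming\WindowsUpdate\NOVUpdate.exe"},
    {"EventID": "7", "Image": r"C:\Users\jdoe\AppData\Roaming\WindowsUpdate\NOVUpdate.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Roaming\WindowsUpdate\avk.dll"},
    {"EventID": "7", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe"},
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
]


def _basename(path: str) -> str:
    """Last path component, lower-cased, so C:\\...\\WSCRIPT.EXE still matches."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_plugx(events: Iterable[Dict[str, str]]) -> List[Tuple[str, Dict[str, str]]]:
    """Return (rule_name, event) for every event matching one of the two
    sideloading indicators from the report. Events are checked independently,
    so either behaviour alone raises an alert."""
    hits: List[Tuple[str, Dict[str, str]]] = []
    for ev in events:
        eid = ev.get("EventID")
        # Rule 1: any process (Image is deliberately not constrained) loading
        # avk.dll out of %APPDATA%\WindowsUpdate\.
        if eid == "7" and SIDELOAD_DLL.search(ev.get("ImageLoaded", "")):
            hits.append(("plugx_avk_dll_sideload", ev))
        # Rule 2: wscript.exe as the parent of NOVUpdate.exe.
        elif (eid == "1"
              and _basename(ev.get("ParentImage", "")) == "wscript.exe"
              and _basename(ev.get("Image", "")) == "novupdate.exe"):
            hits.append(("plugx_wscript_spawns_novupdate", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in detect_plugx(SAMPLE_EVENTS):
        print(rule, "->", ev.get("ImageLoaded") or ev.get("Image"))
```

<p>Rule 1 keys on the directory rather than on the loading process on purpose: the report's indicator is the DLL's location, and a legitimate copy of avk.dll under System32 or Program Files (the third sample event) does not fire. The same two conditions translate directly into a Sigma rule or an EDR custom detection.</p>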
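<p>The EvilTokens playbook row above calls for correlating device-code sign-ins with inbox rule and forwarding changes in a 4-hour window. The block below is an added example of that correlation, not code from the report, run over constructed sample records. The sign-in field names follow the Microsoft Graph signIn resource (authenticationProtocol of deviceCode); the mailbox operation names are the Exchange Online unified-audit-log operations as the author of this example understands them, and the users and timestamps are invented. The OAuth consent-grant alert from the same row is not shown.</p>

```python
from datetime import datetime
from typing import Any, Dict, List

# Audit-log operations that create, change or redirect mail flow. Verify these
# names against your own tenant's export; they are an assumption here.
MAILBOX_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}

# Constructed sample sign-ins (hypothetical agency tenant).
SIGN_INS: List[Dict[str, str]] = [
    {"userPrincipalName": "alice@agency.example.gov", "createdDateTime": "2026-04-13T08:02:00Z", "authenticationProtocol": "deviceCode"},
    {"userPrincipalName": "bob@agency.example.gov",   "createdDateTime": "2026-04-13T08:10:00Z", "authenticationProtocol": "oAuth2"},
    {"userPrincipalName": "carol@agency.example.gov", "createdDateTime": "2026-04-13T09:00:00Z", "authenticationProtocol": "deviceCode"},
]
# Constructed sample mailbox audit events.
MAILBOX_EVENTS: List[Dict[str, str]] = [
    {"UserId": "alice@agency.example.gov", "CreationTime": "2026-04-13T09:30:00Z", "Operation": "New-InboxRule"},
    {"UserId": "alice@agency.example.gov", "CreationTime": "2026-04-13T09:31:00Z", "Operation": "Set-Mailbox"},
    {"UserId": "bob@agency.example.gov",   "CreationTime": "2026-04-13T08:20:00Z", "Operation": "New-InboxRule"},
    {"UserId": "carol@agency.example.gov", "CreationTime": "2026-04-13T15:00:00Z", "Operation": "New-InboxRule"},
]


def _ts(value: str) -> datetime:
    # Timestamps are UTC with a trailing Z; strptime keeps this portable.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate_device_code(sign_ins: List[Dict[str, str]],
                          mailbox_events: List[Dict[str, str]],
                          window_hours: float = 4.0) -> List[Dict[str, Any]]:
    """One alert per device-code sign-in from a user account. Severity is
    'high' when the same user changed inbox rules or mailbox settings within
    window_hours after the sign-in (the post-compromise pattern the report
    describes), otherwise 'medium' so the sign-in itself is still reviewed."""
    alerts: List[Dict[str, Any]] = []
    for si in sign_ins:
        if si.get("authenticationProtocol") != "deviceCode":
            continue
        user = si["userPrincipalName"].lower()
        start = _ts(si["createdDateTime"])
        ops = [
            ev["Operation"]
            for ev in mailbox_events
            if ev["UserId"].lower() == user
            and ev["Operation"] in MAILBOX_OPS
            and 0 <= (_ts(ev["CreationTime"]) - start).total_seconds() <= window_hours * 3600
        ]
        alerts.append({
            "user": user,
            "sign_in_time": si["createdDateTime"],
            "severity": "high" if ops else "medium",
            "mailbox_ops": ops,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_device_code(SIGN_INS, MAILBOX_EVENTS):
        print(alert)
```

<p>With the sample data, alice's device-code sign-in is followed by a new inbox rule and a mailbox change 88 minutes later and is rated high; carol's is rated medium because her rule change lands 6 hours later, outside the 4-hour window; bob's rule change never surfaces because his sign-in used the normal OAuth flow. The conditional access change in the Executive table removes the device-code path entirely; this detection is for the interval before that policy is in place and for break-glass exceptions to it.</p>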
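<p>The SOC + Cloud Ops row above asks for an audit of IAM policies that grant sts:GetFederationToken and for a containment step that attaches an explicit deny-all policy instead of only deactivating keys. As an added example that is not the report's own code, the block below does both offline: it evaluates constructed policy documents the way IAM matches actions (case-insensitive, * and ? wildcards, explicit Deny wins, NotAction honoured) and emits the deny-all document. The policy names and statements are invented; Resource and Condition scoping are ignored on purpose so the audit over-reports rather than under-reports.</p>

```python
import json
from fnmatch import fnmatchcase
from typing import Any, Dict, List

# Constructed sample policy documents (names and contents invented for this example).
SAMPLE_POLICIES: Dict[str, Dict[str, Any]] = {
    "ReadOnlyAudit": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]},
    "DeployUser": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:GetFederationToken"], "Resource": "*"}]},
    "AdminWildcard": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "StsButNoFederation": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "sts:GetFederationToken", "Resource": "*"}]},
}


def _as_list(value: Any) -> List[Any]:
    # IAM allows a single string or a list for Statement, Action and NotAction.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively with * and ? wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt: Dict[str, Any], action: str) -> bool:
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        # NotAction covers everything that is not listed.
        return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def policy_allows(policy: Dict[str, Any], action: str) -> bool:
    """True if the document allows `action` on at least some resource.
    An explicit Deny that covers the action overrides any Allow, as in IAM."""
    stmts = _as_list(policy.get("Statement", []))
    if any(s.get("Effect") == "Deny" and _statement_covers(s, action) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and _statement_covers(s, action) for s in stmts)


def audit_federation_token(policies: Dict[str, Dict[str, Any]]) -> List[str]:
    """Names of the policies that grant sts:GetFederationToken."""
    return [name for name, doc in policies.items()
            if policy_allows(doc, "sts:GetFederationToken")]


def containment_policy() -> Dict[str, Any]:
    """Inline policy to attach to a compromised IAM user during containment.
    Requests made with credentials from GetFederationToken are evaluated
    against the user's current policies, so this Deny stops sessions that
    deactivating the user's access keys leaves alive."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*"}]}


if __name__ == "__main__":
    print("Policies granting sts:GetFederationToken:", audit_federation_token(SAMPLE_POLICIES))
    print(json.dumps(containment_policy(), indent=2))
```

<p>Feed the audit the output of your own policy inventory (for example, the documents returned by the IAM get-user-policy and get-policy-version calls) rather than the samples. During an incident the containment document can be written to a file and pushed with <code>aws iam put-user-policy --user-name &lt;compromised-user&gt; --policy-name &lt;ir-deny-all&gt; --policy-document file://deny.json</code> (placeholders in angle brackets), after which the key rotation proceeds as usual.</p>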