<table>
<tbody>
<tr>
<td>
<p><strong>Threat Assessment Level: HIGH</strong></p>
<p><em>(Raised from ELEVATED in the prior cycle, dated March 21, 2026. The escalation is driven by the convergence of Iranian cyber retaliation risk following the expiration of a U.S. ultimatum, confirmed Russian intelligence operations against government officials' messaging apps, and an expanding supply chain attack surface, all during a period of reduced federal cybersecurity support to state and local governments.)</em></p>
</td>
</tr>
</tbody>
</table>
<h2><strong>Introduction</strong></h2>
<p>State government IT leaders face a threat environment this week that is qualitatively different from anything in recent memory. For the first time in years, two major nation-state adversaries - Iran and Russia - are simultaneously conducting active cyber operations against U.S. government targets, while the federal agencies that state governments depend on for support are themselves under strain.</p>
<p>This is not a theoretical warning. The FBI and CISA have confirmed that thousands of government officials' Signal and WhatsApp accounts have already been compromised by Russian intelligence. Iran's MOIS-affiliated Handala group has already wiped approximately 80,000 endpoints at a U.S. corporation. And a supply-chain attack affecting the widely used Trivy vulnerability scanner has metastasized from GitHub to Docker Hub to npm - potentially poisoning CI/CD pipelines across the public sector.</p>
<p>State CIOs and CISOs cannot wait for federal guidance that may arrive late or not at all. This blog distills the intelligence your teams need to act - today.</p>
<h2><strong>What Changed</strong></h2>
<p>Since our last assessment on March 21, six developments have shifted the threat landscape:</p>
<ol>
<li><strong>Iran ultimatum expired (March 22).</strong> President Trump's 48-hour ultimatum threatening strikes on Iranian power plants expired without resolution. The U.S.-Israel military campaign against Iran, ongoing since February 28, has already provoked destructive cyber retaliation. The FBI seized Handala's leak infrastructure on March 21, but the underlying MOIS capability is intact. Iran has explicitly threatened retaliatory attacks on U.S. energy and water infrastructure.</li>
<li><strong>DarkSword iOS exploit chain disclosed (March 22).</strong> Google's Threat Intelligence Group revealed a full-chain JavaScript-based iOS exploit kit - dubbed DarkSword - that chains six vulnerabilities (including three zero-days) to achieve kernel-level access on iPhones running iOS 26.0 through 26.3. Critically, one of the actors using DarkSword is <strong>PARS Defense</strong>, an Iranian commercial surveillance vendor. Apple released an emergency patch (iOS 26.3.1).</li>
<li><strong>Trivy supply chain compromise expanded.</strong> What began as a GitHub Actions compromise has now spread to Docker Hub (compromised images 0.69.4-0.69.6) and npm (47 packages infected by a self-propagating malware called CanisterWorm that uses blockchain-based command-and-control). Any state agency DevOps team that runs Trivy in CI/CD pipelines may be affected, above all those that pull the action by tag or branch rather than by commit SHA, or the image by tag or by the latest tag rather than by digest.</li>
<li><strong>CISA issued eight ICS advisories</strong> affecting Schneider Electric and Automated Logic systems - the same building management and power monitoring platforms widely deployed in state government facilities across the country.</li>
<li><strong>Russian intelligence confirmed compromising Signal and WhatsApp at scale (March 20).</strong> An FBI/CISA joint advisory confirmed that Russian Intelligence Services have compromised thousands of accounts belonging to current and former U.S. government officials, military personnel, and political figures. The techniques abuse the "linked devices" feature to silently mirror communications. End-to-end encryption is not broken; the attacker's device is simply enrolled as one more legitimate endpoint and receives every message in plaintext.</li>
<li><strong>Ransomware pressure intensifies: Cisco FMC zero-day and Foster City emergency (March 20).</strong> The Interlock ransomware group has been exploiting CVE-2026-20131 (Cisco FMC, CVSS 10.0) as a zero-day since January 26. CISA issued an emergency patch directive on March 20. Separately, Foster City, California declared a state of emergency on March 20 after a ransomware attack paralyzed municipal systems. No group has yet claimed responsibility, which raises the possibility of a wiper operation disguised as ransomware.</li>
</ol>
<h2><strong>Conflict and Threat Timeline</strong></h2>
<table>
<tbody>
<tr>
<td>
<p><strong>Date</strong></p>
</td>
<td>
<p><strong>Event</strong></p>
</td>
<td>
<p><strong>Impact to State Government</strong></p>
</td>
</tr>
<tr>
<td>
<p><strong>Feb 28</strong></p>
</td>
<td>
<p>U.S.-Israel military campaign against Iran begins</p>
</td>
<td>
<p>Initiates retaliatory cyber risk cycle against all U.S. government entities</p>
</td>
</tr>
<tr>
<td>
<p><strong>Mar 6</strong></p>
</td>
<td>
<p>Last observed MuddyWater/Dindoor espionage activity</p>
</td>
<td>
<p>MOIS espionage actor goes silent - 16+ days of anomalous quiet</p>
</td>
</tr>
<tr>
<td>
<p><strong>Mar 11</strong></p>
</td>
<td>
<p>Handala (Void Manticore) wipes ~80,000 Stryker endpoints via Microsoft Intune</p>
</td>
<td>
<p>Demonstrates MOIS capability to weaponize endpoint management platforms</p>
</td>
</tr>
<tr>
<td>
<p><strong>Mar 19</strong></p>
</td>
<td>
<p>CISA warns on endpoint management security</p>
</td>
<td>
<p>Direct response to Intune abuse; relevant to any state agency using SCCM/Intune</p>
</td>
</tr>
<tr>
<td>
<p><strong>Mar 19-20</strong></p>
</td>
<td>
<p>CISA publishes 8 ICS advisories (Schneider, Automated Logic)</p>
</td>
<td>
<p>Affects building management and power monitoring in state facilities</p>
</td>
</tr>
<tr>
<td>
<p><strong>Mar 20</strong></p>
</td>
<td>
<p>CISA emergency directive: patch CVE-2026-20131 (Cisco FMC, CVSS 10.0) within 3 days</p>
</td>
<td>
<p>Interlock ransomware exploited this as a zero-day since Jan 26</p>
</td>
</tr>
<tr>
<td>
<p><strong>Mar 20</strong></p>
</td>
<td>
<p>FBI/CISA joint advisory: Russian intelligence compromising Signal/WhatsApp</p>
</td>
<td>
<p>Thousands of government officials' accounts already breached</p>
</td>
</tr>
<tr>
<td>
<p><strong>Mar 20</strong></p>
</td>
<td>
<p>Foster City, CA declares state of emergency after ransomware attack</p>
</td>
<td>
<p>Municipal government paralyzed; no group has claimed responsibility</p>
</td>
</tr>
<tr>
<td>
<p><strong>Mar 21</strong></p>
</td>
<td>
<p>FBI seizes Handala leak site infrastructure</p>
</td>
<td>
<p>Disrupts but does not eliminate MOIS destructive capability</p>
</td>
</tr>
<tr>
<td>
<p><strong>Mar 22</strong></p>
</td>
<td>
<p>Trump's 48-hour Iran ultimatum expires</p>
</td>
<td>
<p>Cyber retaliation risk reaches maximum</p>
</td>
</tr>
<tr>
<td>
<p><strong>Mar 22</strong></p>
</td>
<td>
<p>Google GTIG discloses DarkSword iOS exploit chain; Apple patches iOS 26.3.1</p>
</td>
<td>
<p>Iranian-linked actors (PARS Defense) have full iPhone compromise capability</p>
</td>
</tr>
<tr>
<td>
<p><strong>Mar 22</strong></p>
</td>
<td>
<p>Trivy compromise expands to Docker Hub and npm (CanisterWorm)</p>
</td>
<td>
<p>Supply chain blast radius widens significantly</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>Key Threat Analysis</strong></h2>
<p><strong>Iranian Destructive Operations: Handala, MuddyWater, and DarkSword</strong></p>
<p>Three distinct Iranian threat actors - Handala and MuddyWater, both linked to Iran's Ministry of Intelligence and Security (MOIS), and PARS Defense, an Iranian commercial surveillance vendor - present simultaneous risks to state government:</p>
<p><strong>Handala (also tracked as UNC5203 / Void Manticore)</strong> conducted the most consequential destructive cyber operation against a U.S. target in years when it weaponized Microsoft Intune's legitimate remote wipe capability to destroy approximately 80,000 endpoints at Stryker Corporation on March 11. No traditional malware was deployed - the attack abused valid administrative credentials and a trusted management platform. The FBI seized Handala's infrastructure on March 21, but the group's operators and TTPs remain active.</p>
<p><strong>MuddyWater (TEMP.Zagros)</strong> is a separate MOIS-affiliated espionage group that was last observed deploying the Dindoor backdoor against U.S. networks on March 6. Their 16-day silence during an active military conflict is anomalous and concerning. When espionage actors go quiet during escalation, it often signals preparation for coordinated operations rather than cessation of activity.</p>
<p><strong>PARS Defense</strong> is an Iranian commercial surveillance vendor newly identified as a user of the DarkSword iOS exploit chain. DarkSword delivers three post-exploitation payloads - GHOSTBLADE (data mining), GHOSTKNIFE (modular backdoor), and GHOSTSABER (persistent backdoor with binary module support). While current targeting has been observed in Saudi Arabia, Turkey, Malaysia, and Ukraine, the availability of full iPhone compromise capability to Iranian-linked actors during active U.S.-Iran hostilities creates a direct surveillance risk for state governors, attorneys general, legislative leaders, and senior IT officials who carry iPhones.</p>
<p><strong>Key CVEs:</strong> CVE-2025-31277, CVE-2025-43529, CVE-2025-43520 (DarkSword chain - patched in iOS 26.3.1)</p>
<p><strong>Russian Intelligence: Messaging App Compromise at Scale</strong></p>
<p>The FBI/CISA joint advisory (PSA260320) issued March 20 confirms that Russian Intelligence Services have compromised thousands of Signal and WhatsApp accounts belonging to current and former U.S. government officials, military personnel, political figures, and journalists. Dutch intelligence services independently corroborated the campaign.</p>
<p>The techniques are deceptively simple:</p>
<ul>
<li>Fake "Signal Security Support Bot" messages requesting verification codes</li>
<li>Malicious QR codes that exploit the "linked devices" feature to silently pair an attacker's device to the victim's account</li>
<li>Group invitation links that actually authorize new device pairing</li>
</ul>
<p>Once a device is linked, the attacker receives a real-time copy of every message sent and received, without triggering any notification to the victim; the only visible trace is the new entry in the account's linked-devices list. End-to-end encryption is not broken. The attacker's device is one more legitimate endpoint, so it receives plaintext like every other device on the account, which is why a linked-devices audit, not a password change alone, is the remediation.</p>
<p><strong>State government relevance is direct.</strong> Senior officials routinely use Signal and WhatsApp for informal policy discussions, legislative coordination, and crisis communications. Any state employee who has received an unusual message requesting a code, asking them to scan a QR code, or inviting them to a new group should be treated as potentially compromised.</p>
<p><strong>Ransomware: Interlock, Foster City, and the Cisco FMC Gateway</strong></p>
<p>The <strong>Interlock</strong> ransomware group has been exploiting CVE-2026-20131 - a CVSS 10.0 unauthenticated remote code execution vulnerability in Cisco Firepower Management Center - as a zero-day since January 26, 2026. That is 53 days of exploitation before a patch existed. CISA issued an emergency directive on March 20 requiring federal agencies to patch within three days. State agencies running Cisco FMC that have not yet patched are operating with an unacceptable level of risk.</p>
<p>Meanwhile, <strong>Foster City, California</strong> declared a state of emergency on March 20 after a ransomware attack paralyzed municipal systems. Notably, no ransomware group has claimed responsibility - unusual given that most groups claim victims within 48-72 hours. This absence raises the possibility that the attack may be a wiper operation disguised as ransomware, which would be consistent with documented Iranian wiper-as-ransomware tradecraft and with the destructive intent shown in the Handala/Stryker incident.</p>
<p>Additional ransomware groups actively targeting government in March 2026 include <strong>Qilin</strong> (updated March 22), <strong>Akira</strong>, <strong>Play</strong>, and <strong>Medusa</strong>.</p>
<p><strong>Key CVEs:</strong></p>
<ul>
<li>CVE-2026-20131 (Cisco FMC, CVSS 10.0 - actively exploited by Interlock)</li>
<li>CVE-2026-20127 (Cisco SD-WAN Manager, CVSS 10.0 - actively exploited)</li>
</ul>
<p><strong>Supply Chain: Trivy, ConnectWise, and the Expanding Blast Radius</strong></p>
<p>The compromise of the <strong>Trivy</strong> open-source vulnerability scanner - maintained by Aqua Security - has expanded from its initial GitHub Actions footprint into Docker Hub and npm:</p>
<ul>
<li><strong>Docker Hub:</strong> Compromised images tagged 0.69.4, 0.69.5, and 0.69.6 were pushed without corresponding GitHub releases. The latest tag currently points to the compromised 0.69.6 image.</li>
<li><strong>GitHub Actions:</strong> 75 tags were force-pushed, exposing CI/CD secrets of every downstream workflow that referenced the action by a mutable tag (a version tag or branch name) rather than by a full commit SHA.</li>
<li><strong>npm:</strong> A self-propagating malware called <strong>CanisterWorm</strong> has infected 47 npm packages using a novel Internet Computer Protocol (ICP) blockchain-based command-and-control mechanism that resists traditional domain seizure or IP blocking.</li>
</ul>
<p>Separately, <strong>ConnectWise ScreenConnect</strong> - the remote support tool used by many managed service providers (MSPs) serving state agencies - disclosed CVE-2026-3564 (CVSS 9.0), its second critical vulnerability in under a year. Given that MSPs are a primary IT delivery mechanism for many state agencies, this represents a direct supply chain risk.</p>
<p><strong>Key CVEs:</strong></p>
<ul>
<li>CVE-2026-3564 (ConnectWise ScreenConnect, CVSS 9.0)</li>
<li>CVE-2026-20963 (Microsoft SharePoint, CVSS 8.8 - actively exploited deserialization RCE, added to CISA KEV)</li>
</ul>
<p><strong>Critical Infrastructure: ICS/OT Advisories Hitting State Facilities</strong></p>
<p>CISA published eight ICS advisories on March 19-20 affecting systems commonly deployed in state government buildings and infrastructure:</p>
<table>
<tbody>
<tr>
<td>
<p><strong>System</strong></p>
</td>
<td>
<p><strong>Vendor</strong></p>
</td>
<td>
<p><strong>Risk</strong></p>
</td>
<td>
<p><strong>State Government Exposure</strong></p>
</td>
</tr>
<tr>
<td>
<p><strong>WebCTRL Premium Server</strong></p>
</td>
<td>
<p>Automated Logic</p>
</td>
<td>
<p>Communication interception/modification</p>
</td>
<td>
<p>HIGH - manages HVAC and building management in state facilities</p>
</td>
</tr>
<tr>
<td>
<p><strong>EcoStruxure PME/EPO</strong></p>
</td>
<td>
<p>Schneider Electric</p>
</td>
<td>
<p>Power monitoring compromise</p>
</td>
<td>
<p>HIGH - monitors power in state data centers</p>
</td>
</tr>
<tr>
<td>
<p><strong>EcoStruxure Automation Expert</strong></p>
</td>
<td>
<p>Schneider Electric</p>
</td>
<td>
<p>Industrial automation vulnerability</p>
</td>
<td>
<p>MODERATE</p>
</td>
</tr>
<tr>
<td>
<p><strong>Modicon M241/M251/M262</strong></p>
</td>
<td>
<p>Schneider Electric</p>
</td>
<td>
<p>Denial of service</p>
</td>
<td>
<p>MODERATE - PLCs in water/wastewater systems</p>
</td>
</tr>
<tr>
<td>
<p><strong>Modicon M241/M251/M258/LMC058</strong></p>
</td>
<td>
<p>Schneider Electric</p>
</td>
<td>
<p>XSS/open redirect - account compromise</p>
</td>
<td>
<p>MODERATE - PLCs in water/wastewater systems</p>
</td>
</tr>
</tbody>
</table>
<p>These advisories take on heightened significance given Iran's explicit threats against U.S. energy and water infrastructure and the documented MOIS pre-positioning against OT/SCADA systems.</p>
<h2><strong>Predictive Analysis: What Comes Next</strong></h2>
<table>
<tbody>
<tr>
<td>
<p><strong>Scenario</strong></p>
</td>
<td>
<p><strong>Probability</strong></p>
</td>
<td>
<p><strong>Timeframe</strong></p>
</td>
<td>
<p><strong>Basis</strong></p>
</td>
</tr>
<tr>
<td>
<p>Iranian cyber retaliatory operations against U.S. critical infrastructure (water, energy, government endpoints)</p>
</td>
<td>
<p><strong>>70%</strong></p>
</td>
<td>
<p>7-14 days</p>
</td>
<td>
<p>Military escalation, ultimatum expiration, demonstrated MOIS capability (Stryker), explicit Iranian threats</p>
</td>
</tr>
<tr>
<td>
<p>Additional Trivy/CanisterWorm supply chain fallout as npm propagation continues</p>
</td>
<td>
<p><strong>>70%</strong></p>
</td>
<td>
<p>7-14 days</p>
</td>
<td>
<p>Self-propagating mechanism confirmed; 47 packages already infected; blockchain C2 resists takedown</p>
</td>
</tr>
<tr>
<td>
<p>Foster City ransomware attribution emerges - potentially revealing Iranian wiper-as-ransomware</p>
</td>
<td>
<p><strong>40-60%</strong></p>
</td>
<td>
<p>7-14 days</p>
</td>
<td>
<p>Unusual absence of claim; timing aligns with Iran escalation; wiper-as-ransomware is documented Iranian TTP</p>
</td>
</tr>
<tr>
<td>
<p>DarkSword iOS targeting expands to U.S./NATO government officials</p>
</td>
<td>
<p><strong>40-60%</strong></p>
</td>
<td>
<p>14-30 days</p>
</td>
<td>
<p>Iranian-linked actors already using the kit; U.S. officials are high-value intelligence targets during military operations</p>
</td>
</tr>
<tr>
<td>
<p>Chinese APT (Volt Typhoon / Salt Typhoon) exploitation of U.S. distraction with Iran to advance infrastructure pre-positioning</p>
</td>
<td>
<p><strong>20-40%</strong></p>
</td>
<td>
<p>30-60 days</p>
</td>
<td>
<p>Historical pattern of opportunistic Chinese operations during U.S. crises; current absence of reporting may indicate improved OPSEC</p>
</td>
</tr>
<tr>
<td>
<p>MuddyWater resurfaces with coordinated MOIS operation alongside Handala</p>
</td>
<td>
<p><strong>40-60%</strong></p>
</td>
<td>
<p>7-21 days</p>
</td>
<td>
<p>16+ day silence during escalation is anomalous; MOIS coordinates across affiliated groups</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>SOC Operational Guidance</strong></h2>
<p><strong>Priority Detection and Blocking</strong></p>
<p><strong>Block immediately at DNS and firewall layers</strong> (for the IP indicators, check for shared hosting before a hard block and prefer alert-then-block where the business impact is unknown; indicator lists like this one age quickly, so log every hit for retrospective hunting):</p>
<table>
<tbody>
<tr>
<td>
<p><strong>IOC Type</strong></p>
</td>
<td>
<p><strong>Value</strong></p>
</td>
<td>
<p><strong>Context</strong></p>
</td>
</tr>
<tr>
<td>
<p>Domain</p>
</td>
<td>
<p>snapshare[.]chat</p>
</td>
<td>
<p>DarkSword iOS exploit delivery</p>
</td>
</tr>
<tr>
<td>
<p>Domain</p>
</td>
<td>
<p>static.cdncounter[.]net</p>
</td>
<td>
<p>DarkSword C2 infrastructure</p>
</td>
</tr>
<tr>
<td>
<p>Domain</p>
</td>
<td>
<p>sahibndn[.]io</p>
</td>
<td>
<p>DarkSword C2 infrastructure</p>
</td>
</tr>
<tr>
<td>
<p>Domain</p>
</td>
<td>
<p>e5.malaymoil[.]com</p>
</td>
<td>
<p>DarkSword C2 infrastructure</p>
</td>
</tr>
<tr>
<td>
<p>Domain</p>
</td>
<td>
<p>sqwas.shapelie[.]com</p>
</td>
<td>
<p>DarkSword C2 infrastructure</p>
</td>
</tr>
<tr>
<td>
<p>Domain</p>
</td>
<td>
<p>scan.aquasecurtiy[.]org</p>
</td>
<td>
<p>Trivy supply chain typosquatted C2</p>
</td>
</tr>
<tr>
<td>
<p>IPv4</p>
</td>
<td>
<p>62.72.21[.]10</p>
</td>
<td>
<p>DarkSword C2</p>
</td>
</tr>
<tr>
<td>
<p>IPv4</p>
</td>
<td>
<p>72.60.98[.]48</p>
</td>
<td>
<p>DarkSword C2</p>
</td>
</tr>
</tbody>
</table>
<p><strong>Hunting Hypotheses</strong></p>
<p><strong>Hunt 1 - Signal/WhatsApp Device Linking Abuse (ATT&CK: T1566.003, T1539)</strong></p>
<ul>
<li>Search email and messaging logs for messages containing "Signal Security Support," "verify your account," or QR code image attachments from unknown senders.</li>
<li>Audit Signal linked devices on executive and senior leadership phones. Any device linked after February 1, 2026 that the user does not recognize should be treated as a compromise indicator.</li>
<li>Monitor for anomalous authentication patterns to messaging web clients from state network IP ranges.</li>
</ul>
<p><strong>Hunt 2 - Endpoint Management Weaponization (ATT&CK: T1078, T1485)</strong></p>
<ul>
<li>If your agency uses Microsoft Intune, SCCM, or any endpoint management platform: audit all remote wipe commands issued in the past 30 days. Any mass wipe command not correlated to a documented IT ticket is a critical finding.</li>
<li>Review administrative account access to endpoint management consoles for anomalous login times, locations, or MFA bypass.</li>
<li>Alert on any new Global Administrator or Intune Administrator role assignments in Microsoft Entra ID (formerly Azure AD), and on changes to Intune RBAC roles or scope tags that grant wipe or retire rights.</li>
</ul>
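<p>Hunt 2 asks for a review of wipe commands against documented tickets. The script below is an added example written for this briefing, not code from Microsoft, CISA or any vendor cited on the page. It works offline on an exported list of Intune audit events in the Microsoft Graph auditEvent shape (activity, activityDateTime, actor.userPrincipalName, resources[].displayName) and reports any actor who wiped ten or more distinct devices within thirty minutes without a covering change ticket. The activity names "Wipe ManagedDevice" and "Retire ManagedDevice", the ticket record layout and the sample events are assumptions constructed for the example; confirm the activity strings against a known wipe in your own tenant before relying on them.</p>

```python
"""Flag mass remote-wipe bursts in Microsoft Intune audit events.

Added example for this briefing, not Microsoft or vendor code. Records are
expected in the Microsoft Graph auditEvent shape (activity, activityDateTime,
actor.userPrincipalName, resources[].displayName). The activity strings below
and the change-ticket layout are assumptions: verify them against your export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DESTRUCTIVE_ACTIVITIES = {"Wipe ManagedDevice", "Retire ManagedDevice"}  # assumed
WINDOW = timedelta(minutes=30)   # sliding window for counting distinct devices
THRESHOLD = 10                   # distinct devices by one actor inside WINDOW


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2026-03-11T02:13:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def covered_by_ticket(actor, when, tickets):
    """True if a documented change ticket authorises this actor at this time."""
    return any(t["actor"] == actor and t["start"] <= when <= t["end"] for t in tickets)


def wipe_bursts(events, tickets=(), window=WINDOW, threshold=THRESHOLD):
    """One finding per actor who wiped >= threshold distinct devices within
    `window` with no covering ticket: {actor, window_start, device_count}."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev.get("activity") not in DESTRUCTIVE_ACTIVITIES:
            continue
        actor = ev["actor"]["userPrincipalName"]
        when = parse_ts(ev["activityDateTime"])
        if covered_by_ticket(actor, when, tickets):
            continue
        per_actor[actor].append((when, {r["displayName"] for r in ev.get("resources", [])}))

    findings = []
    for actor, items in per_actor.items():
        items.sort(key=lambda item: item[0])
        start = 0
        for end in range(len(items)):
            # Slide the left edge until the span fits inside `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            touched = set().union(*(d for _, d in items[start:end + 1]))
            if len(touched) >= threshold:
                # Report everything inside the full window from the first hit.
                limit = items[start][0] + window
                full = set().union(*(d for t, d in items if items[start][0] <= t <= limit))
                findings.append({"actor": actor, "window_start": items[start][0],
                                 "device_count": len(full)})
                break  # one finding per actor is enough to open a case
    return findings


def _event(actor, ts, device):
    """One constructed audit record in the assumed Graph shape."""
    return {"activity": "Wipe ManagedDevice", "activityDateTime": ts,
            "actor": {"userPrincipalName": actor},
            "resources": [{"displayName": device}]}


# Constructed sample data, not real telemetry. The help desk wipes two lost
# laptops inside a documented ticket window; a break-glass account wipes twelve
# workstations in under three minutes at 02:13 with no ticket at all.
SAMPLE_TICKETS = [{"ticket": "CHG-20260311-017", "actor": "helpdesk.admin@example.gov",
                   "start": parse_ts("2026-03-11T09:00:00Z"),
                   "end": parse_ts("2026-03-11T10:00:00Z")}]
SAMPLE_EVENTS = [
    _event("helpdesk.admin@example.gov", "2026-03-11T09:12:00Z", "LAPTOP-1044"),
    _event("helpdesk.admin@example.gov", "2026-03-11T09:31:00Z", "LAPTOP-1071"),
] + [
    _event("svc.breakglass@example.gov",
           f"2026-03-11T02:{13 + i // 4:02d}:{(i % 4) * 15:02d}Z", f"WS-{2000 + i}")
    for i in range(12)
]

if __name__ == "__main__":
    for f in wipe_bursts(SAMPLE_EVENTS, SAMPLE_TICKETS):
        print(f"CRITICAL {f['actor']} wiped {f['device_count']} devices from "
              f"{f['window_start'].isoformat()} with no change ticket")
```

<p>Run it as a script to print findings, or import wipe_bursts and feed it your own export and ticket list. The threshold and window are deliberately conservative: an incident on the scale described above would produce hundreds of events per actor inside a window this size, so the check is tuned to catch the first minutes, not the aftermath.</p>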
<p><strong>Hunt 3 - Trivy/Supply Chain Compromise (ATT&CK: T1195.002, T1552.001)</strong></p>
<ul>
<li>Search container registries and CI logs for any pull of aquasec/trivy:0.69.4, aquasec/trivy:0.69.5, or aquasec/trivy:0.69.6, and for pulls of aquasec/trivy:latest or an untagged reference during the window in which the latest tag pointed to 0.69.6. If found, treat all CI/CD secrets in those pipelines as compromised and rotate them.</li>
<li>Search DNS logs for resolution of scan.aquasecurtiy[.]org (note the typo - "securtiy" not "security").</li>
<li>Audit npm dependency trees for unexpected new packages added after March 18.</li>
</ul>
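<p>The following added example, written for this briefing and not code from Aqua Security or any source the page cites, turns Hunt 3 into a check a DevOps team can run offline. It scans workflow and Dockerfile text line by line, so it needs no YAML library, and reports trivy-action references not pinned to a full commit SHA, image references that are untagged, tagged latest or tagged 0.69.4-0.69.6, and tagged images that lack an @sha256 digest. It goes beyond the single domain on the page: any queried host whose second-level label is within edit distance 2 of "aquasecurity" is reported, which catches scan.aquasecurtiy[.]org and look-alikes built the same way. The sample workflow, DNS lines, commit SHA and digest are all constructed placeholders.</p>

```python
"""Audit CI text for risky Trivy references and DNS logs for look-alike domains.

Added example for this briefing, not Aqua Security or vendor code. It scans
workflow/Dockerfile text line by line (no YAML library needed) and reports any
registrable domain label within edit distance 2 of "aquasecurity". The sample
workflow, DNS lines, commit SHA and digest are constructed placeholders.
"""
import re

COMPROMISED_TAGS = {"0.69.4", "0.69.5", "0.69.6"}   # image tags named in the briefing
LEGIT_LABEL = "aquasecurity"                           # label the typosquat imitates
SHA40 = re.compile(r"^[0-9a-f]{40}$")
ACTION = re.compile(r"uses:\s*aquasecurity/trivy-action@(\S+)")
IMAGE = re.compile(
    r"(?:ghcr\.io/)?(?:aquasec|aquasecurity)/trivy(?![\w-])"  # the image, not trivy-action
    r"(?::([A-Za-z0-9_.\-]+))?"                                 # optional tag
    r"(?:@sha256:([0-9a-f]{64}))?"                              # optional digest
)


def audit_ci_text(text):
    """Return (line_no, severity, message) for each risky Trivy reference."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACTION.search(line)
        if m and not SHA40.match(m.group(1)):
            findings.append((n, "CRITICAL", f"trivy-action pinned to mutable ref "
                             f"'{m.group(1)}'; tags were force-pushed, pin a full commit SHA"))
        for m in IMAGE.finditer(line):
            tag, digest = m.group(1), m.group(2)
            if digest:
                continue  # immutable pin: nothing to flag
            if tag is None or tag == "latest":
                findings.append((n, "CRITICAL",
                                 "untagged/latest Trivy image resolved to compromised 0.69.6"))
            elif tag in COMPROMISED_TAGS:
                findings.append((n, "CRITICAL",
                                 f"compromised Trivy tag {tag}; rotate every secret this job saw"))
            else:
                findings.append((n, "WARN", f"Trivy tag {tag} is mutable; add an @sha256 digest"))
    return findings


def levenshtein(a, b):
    """Plain edit distance; inputs are short labels, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_hits(dns_lines, legit=LEGIT_LABEL, max_distance=2):
    """Return queried hostnames whose second-level label imitates `legit`."""
    hits = []
    for line in dns_lines:
        for host in re.findall(r"[a-z0-9][a-z0-9.-]*\.[a-z]{2,}", line.lower()):
            labels = host.split(".")
            if len(labels) >= 2 and labels[-2] != legit \
                    and levenshtein(labels[-2], legit) <= max_distance:
                hits.append(host)
    return hits


# Constructed inputs; the 40-hex SHA and 64-hex digest are placeholders, not real.
FAKE_SHA = "ab" * 20
FAKE_DIGEST = "c" * 64
SAMPLE_WORKFLOW = f"""\
jobs:
  scan:
    steps:
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0.28.0
      - uses: aquasecurity/trivy-action@{FAKE_SHA}
      - run: docker run --rm aquasec/trivy:0.69.6 image registry.example.gov/app:ci
      - run: docker run --rm aquasec/trivy image registry.example.gov/app:ci
      - run: docker run --rm ghcr.io/aquasecurity/trivy:0.69.3@sha256:{FAKE_DIGEST} image app:ci
"""
SAMPLE_DNS = [
    "2026-03-22T04:11:09Z client 10.20.1.7 query A scan.aquasecurtiy.org",
    "2026-03-22T04:11:10Z client 10.20.1.7 query A ghcr.io",
    "2026-03-22T04:12:42Z client 10.20.3.9 query A aquasecurity.github.io",
]

if __name__ == "__main__":
    for n, sev, msg in audit_ci_text(SAMPLE_WORKFLOW):
        print(f"line {n}: {sev}: {msg}")
    for host in typosquat_hits(SAMPLE_DNS):
        print(f"DNS: look-alike domain queried: {host}")
```

<p>Point audit_ci_text at every workflow, Dockerfile and compose file in the repositories you own; the digest-pinned reference on the last sample line is the only form that is immune to a re-pushed tag, and it is the form the 7-day DevOps action should leave behind.</p>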
<p><strong>Hunt 4 - MuddyWater/Dindoor Backdoor (ATT&CK: T1071.001, T1105)</strong></p>
<ul>
<li>Proactively search for Dindoor backdoor indicators across state network telemetry. Cross-reference known MuddyWater infrastructure with Handala/Void Manticore IOCs - both are MOIS-affiliated and may share infrastructure.</li>
<li>Monitor for anomalous PowerShell execution patterns consistent with MuddyWater's documented use of living-off-the-land techniques.</li>
</ul>
<p><strong>Hunt 5 - Cisco FMC/SD-WAN Exploitation (ATT&CK: T1190)</strong></p>
<ul>
<li>If Cisco FMC or SD-WAN Manager is deployed, review logs for unauthenticated access attempts or anomalous API calls predating the March 20 patch. Interlock exploited CVE-2026-20131 as a zero-day since January 26 - compromise may predate patching.</li>
<li>Search for indicators of Interlock ransomware staging: unusual scheduled tasks, lateral movement via RDP, or data staging in temporary directories.</li>
</ul>
<p><strong>MFA Bypass Awareness (ATT&CK: T1557, T1539)</strong></p>
<p>Multiple independent sources this cycle confirm that adversary-in-the-middle (AiTM) session token theft is now routinely bypassing push-notification and SMS-based MFA. The Tycoon2FA phishing-as-a-service platform was recently disrupted, but the technique is commoditized across multiple platforms. SOC teams should:</p>
<ul>
<li>Monitor for impossible-travel alerts on M365 accounts even when MFA was successfully completed.</li>
<li>Alert on new inbox rules or mail forwarding rules created shortly after authentication events.</li>
<li>Treat any session token replay from a new IP/device as a high-priority investigation.</li>
</ul>
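<p>The three SOC bullets above are three checks over the same two log sources, and the added example below (written for this briefing, not Microsoft's code or any vendor's) implements them over normalised sign-in and mailbox-audit records: impossible travel between consecutive sign-ins regardless of MFA result, one session identifier presented from more than one IP, and a mailbox rule or forwarding change within an hour of a sign-in from an IP absent from the user's baseline. The flat field names (user, time, ip, lat, lon, session_id, mfa, operation, parameters) and the baseline-IP map are assumptions about how you normalise Entra ID sign-in logs and Exchange Online unified audit records; the sample events are constructed.</p>

```python
"""Correlate sign-in and mailbox-audit records to surface AiTM session theft.

Added example for this briefing, not Microsoft or vendor code. The flat field
names used here (user, time, ip, lat, lon, session_id, mfa; operation,
parameters) are an assumed normalisation of Entra ID sign-in logs and Exchange
Online unified audit records. Sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900              # faster than an airliner: impossible travel
MIN_DISTANCE_KM = 50             # ignore geo-IP jitter inside one metro area
RULE_WINDOW = timedelta(minutes=60)
MAILBOX_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def km_between(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def aitm_findings(signins, audits, known_ips):
    """Return (user, kind, detail) tuples; kind is impossible_travel,
    session_reuse or post_auth_mailbox_rule. known_ips maps user -> IPs seen
    in the 30-day baseline (an assumed input you build from history)."""
    findings = []
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)
    for user, events in by_user.items():
        events.sort(key=lambda e: ts(e["time"]))
        # 1) Impossible travel, flagged even when MFA was satisfied both times.
        for prev, cur in zip(events, events[1:]):
            hours = (ts(cur["time"]) - ts(prev["time"])).total_seconds() / 3600
            dist = km_between((prev["lat"], prev["lon"]), (cur["lat"], cur["lon"]))
            if dist > MIN_DISTANCE_KM and dist / max(hours, 1 / 60) > MAX_SPEED_KMH:
                findings.append((user, "impossible_travel",
                                 f"{prev['ip']} -> {cur['ip']}: {dist:.0f} km in "
                                 f"{hours * 60:.0f} min, mfa={cur['mfa']}"))
        # 2) One session token presented from several IPs: a replayed stolen token.
        ips_per_session = defaultdict(set)
        for e in events:
            ips_per_session[e["session_id"]].add(e["ip"])
        for sid, ips in ips_per_session.items():
            if len(ips) > 1:
                findings.append((user, "session_reuse", f"{sid} used from {sorted(ips)}"))
    # 3) Mailbox rule or forwarding set shortly after a sign-in from an unknown IP.
    for a in audits:
        if a["operation"] not in MAILBOX_OPS:
            continue
        for s in by_user.get(a["user"], []):
            delta = ts(a["time"]) - ts(s["time"])
            if timedelta(0) <= delta <= RULE_WINDOW and s["ip"] not in known_ips.get(a["user"], set()):
                findings.append((a["user"], "post_auth_mailbox_rule",
                                 f"{a['operation']} {a['parameters']} {delta.seconds // 60} min "
                                 f"after sign-in from new IP {s['ip']}"))
    return findings


# Constructed telemetry. The victim satisfies push MFA from Sacramento at 08:02;
# eleven minutes later the same session is presented from a hosting IP geolocated
# to Amsterdam and a forwarding address is set. dev.ops is a clean control case.
SIGNINS = [
    {"user": "ag.chief@example.gov", "time": "2026-03-21T08:02:00Z", "ip": "198.51.100.23",
     "lat": 38.58, "lon": -121.49, "session_id": "sess-7f31", "mfa": "satisfied"},
    {"user": "ag.chief@example.gov", "time": "2026-03-21T08:13:00Z", "ip": "203.0.113.77",
     "lat": 52.37, "lon": 4.90, "session_id": "sess-7f31", "mfa": "satisfied"},
    {"user": "dev.ops@example.gov", "time": "2026-03-21T08:00:00Z", "ip": "198.51.100.40",
     "lat": 38.58, "lon": -121.49, "session_id": "sess-0a11", "mfa": "satisfied"},
    {"user": "dev.ops@example.gov", "time": "2026-03-21T12:30:00Z", "ip": "198.51.100.41",
     "lat": 38.58, "lon": -121.49, "session_id": "sess-0a12", "mfa": "satisfied"},
]
AUDITS = [
    {"user": "ag.chief@example.gov", "time": "2026-03-21T08:20:00Z", "operation": "Set-Mailbox",
     "parameters": "ForwardingSmtpAddress=archive@example.net"},
    {"user": "dev.ops@example.gov", "time": "2026-03-21T12:35:00Z", "operation": "New-InboxRule",
     "parameters": "Name=Vendor invoices"},
]
KNOWN_IPS = {"ag.chief@example.gov": {"198.51.100.23"},
             "dev.ops@example.gov": {"198.51.100.40", "198.51.100.41"}}

if __name__ == "__main__":
    for user, kind, detail in aitm_findings(SIGNINS, AUDITS, KNOWN_IPS):
        print(f"HIGH {kind} {user}: {detail}")
```

<p>The point of running the three checks together is the second one: a single session identifier appearing from two networks is the signature of a reverse-proxy phishing kit replaying a captured token, and it fires even when the impossible-travel rule is defeated by a proxy hosted in the victim's own region. Treat any hit as a token revocation and linked-session review, not just a password reset.</p>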
<h2><strong>Sector-Specific Defensive Priorities</strong></h2>
<p><strong>State and Local Government (Primary Audience)</strong></p>
<ul>
<li><strong>Patch CVE-2026-20131 (Cisco FMC) and CVE-2026-20127 (Cisco SD-WAN) immediately.</strong> CISA's March 23 deadline has passed. The directive binds federal agencies, not states, but leaving a CVSS 10.0 flaw that has been exploited as a zero-day since January unpatched is not a risk acceptance decision - it is an exposure.</li>
<li><strong>Issue a statewide advisory on Signal/WhatsApp phishing</strong> to all elected officials, agency heads, and senior staff. Provide step-by-step instructions for auditing linked devices.</li>
<li><strong>Mandate iOS 26.3.1 update</strong> for all state-issued and BYOD iPhones used by senior officials. Enable Lockdown Mode for the Governor's office, Attorney General, and legislative leadership.</li>
<li><strong>Audit endpoint management platforms</strong> (Intune, SCCM) for unauthorized administrative actions. The Handala/Stryker attack demonstrated that these platforms can be weaponized without deploying any malware.</li>
<li><strong>Assess CISA service degradation impact.</strong> Identify which federal services your state relies on - vulnerability scanning, Albert network sensors, incident response surge capacity, election security support - and develop compensating controls before the 2026 midterm cycle intensifies.</li>
</ul>
<p><strong>Financial Services</strong></p>
<ul>
<li><strong>Prioritize SharePoint patching</strong> (CVE-2026-20963, CVSS 8.8). Financial institutions with SharePoint-based document management for regulatory filings and client data are directly exposed to this actively exploited deserialization RCE.</li>
<li><strong>Audit MSP/ScreenConnect access.</strong> Financial services firms using ConnectWise ScreenConnect for vendor remote support should upgrade to version 26.1+ immediately (CVE-2026-3564, CVSS 9.0) and audit session logs for unauthorized access.</li>
<li><strong>Monitor for AiTM phishing targeting treasury and wire transfer functions.</strong> MFA bypass techniques are being used to compromise financial accounts and initiate fraudulent transactions.</li>
</ul>
<p><strong>Energy</strong></p>
<ul>
<li><strong>Treat Iran OT threats as imminent.</strong> Energy utilities - particularly those with Schneider Electric EcoStruxure PME/EPO or Modicon PLCs - should verify ICS advisory patches (ICSA-26-078-01 through -04) and review OT network segmentation.</li>
<li><strong>Pre-position OT isolation procedures.</strong> If a destructive attack is detected, the ability to rapidly isolate SCADA/OT networks from IT networks is the difference between a cybersecurity incident and a safety incident.</li>
<li><strong>Monitor for pre-positioning indicators</strong> on network edge devices (routers, firewalls, VPN concentrators) consistent with both Iranian and Chinese (Volt Typhoon) TTPs.</li>
</ul>
<p><strong>Healthcare</strong></p>
<ul>
<li><strong>Ransomware preparedness is paramount.</strong> Healthcare remains a top ransomware target for Qilin, Akira, and Medusa. Ensure offline backups of electronic health records and clinical systems are current and tested.</li>
<li><strong>Audit Intune/SCCM configurations.</strong> Healthcare organizations that use Microsoft Intune for mobile device management should implement the same hardening controls recommended after the Stryker incident - restrict remote wipe permissions, require multi-person approval for mass actions, and monitor for anomalous administrative commands.</li>
<li><strong>Patch ConnectWise ScreenConnect</strong> if used by biomedical engineering or IT support vendors for remote maintenance of clinical systems.</li>
</ul>
<p><strong>Aviation and Logistics</strong></p>
<ul>
<li><strong>Supply chain integrity is the priority.</strong> Aviation and logistics organizations with CI/CD pipelines should audit for Trivy usage and pin to version 0.69.3 or earlier by image digest or full commit SHA rather than by tag, since the compromise itself was delivered through force-pushed tags. Any pipeline that executed versions 0.69.4-0.69.6 should have all secrets rotated.</li>
<li><strong>Monitor for GOOTLOADER SEO poisoning</strong> targeting procurement and logistics search terms. GOOTLOADER campaigns have re-emerged targeting government and are known to deliver Cobalt Strike and ransomware payloads via poisoned search results for shipping documents, customs forms, and logistics contracts.</li>
<li><strong>Review OT security for airport and port facility management systems</strong>, particularly Automated Logic WebCTRL (ICSA-26-078-08) used in building management.</li>
</ul>
<h2><strong>Prioritized Defense Recommendations</strong></h2>
<p><strong>Immediate (Within 24 Hours)</strong></p>
<table>
<tbody>
<tr>
<td>
<p><strong>Priority</strong></p>
</td>
<td>
<p><strong>Responsible Team</strong></p>
</td>
<td>
<p><strong>Action</strong></p>
</td>
</tr>
<tr>
<td>
<p>IMMEDIATE</p>
</td>
<td>
<p>SOC</p>
</td>
<td>
<p>Block DarkSword domains (snapshare[.]chat, static.cdncounter[.]net, sahibndn[.]io, e5.malaymoil[.]com, sqwas.shapelie[.]com), C2 IPs (62.72.21[.]10, 72.60.98[.]48), and Trivy C2 (scan.aquasecurtiy[.]org) at DNS and firewall layers.</p>
</td>
</tr>
<tr>
<td>
<p>IMMEDIATE</p>
</td>
<td>
<p>IT Operations</p>
</td>
<td>
<p>Confirm Cisco FMC is patched against CVE-2026-20131 (CVSS 10.0). CISA deadline was March 23. If unpatched, escalate to CISO as a critical finding.</p>
</td>
</tr>
<tr>
<td>
<p>IMMEDIATE</p>
</td>
<td>
<p>IT Operations</p>
</td>
<td>
<p>Confirm Cisco SD-WAN Manager patched against CVE-2026-20127 (CVSS 10.0) and related actively exploited SD-WAN flaws.</p>
</td>
</tr>
<tr>
<td>
<p>IMMEDIATE</p>
</td>
<td>
<p>IT Operations</p>
</td>
<td>
<p>Confirm SharePoint Server patched against CVE-2026-20963 (CVSS 8.8, actively exploited deserialization RCE).</p>
</td>
</tr>
<tr>
<td>
<p>IMMEDIATE</p>
</td>
<td>
<p>CISO / Executive Office</p>
</td>
<td>
<p>Issue advisory to all senior leadership and elected officials: update personal and state-issued iPhones to iOS 26.3.1 immediately. Enable Lockdown Mode for highest-risk individuals (Governor, AG, legislative leadership).</p>
</td>
</tr>
<tr>
<td>
<p>IMMEDIATE</p>
</td>
<td>
<p>CISO / Communications</p>
</td>
<td>
<p>Issue statewide advisory: Signal and WhatsApp support will never request verification codes via in-app messages. Do not scan QR codes or click links from unknown contacts. All employees should review Signal linked devices and remove any unrecognized entries.</p>
</td>
</tr>
</tbody>
</table>
<p><strong>7-Day Actions</strong></p>
<table>
<tbody>
<tr>
<td>
<p><strong>Priority</strong></p>
</td>
<td>
<p><strong>Responsible Team</strong></p>
</td>
<td>
<p><strong>Action</strong></p>
</td>
</tr>
<tr>
<td>
<p>7-DAY</p>
</td>
<td>
<p>DevOps</p>
</td>
<td>
<p>Audit all CI/CD pipelines for Trivy usage. Pin to version 0.69.3 or earlier by image digest or full commit SHA; a tag alone is mutable and was the vector here. If versions 0.69.4-0.69.6 were executed, treat all pipeline secrets as compromised and rotate immediately. Audit npm dependencies for CanisterWorm indicators.</p>
</td>
</tr>
<tr>
<td>
<p>7-DAY</p>
</td>
<td>
<p>IT Operations</p>
</td>
<td>
<p>Upgrade ConnectWise ScreenConnect to version 26.1+ to remediate CVE-2026-3564 (CVSS 9.0). Audit ScreenConnect server logs for unauthorized access.</p>
</td>
</tr>
<tr>
<td>
<p>7-DAY</p>
</td>
<td>
<p>IT Operations (Facilities/OT)</p>
</td>
<td>
<p>Verify Automated Logic WebCTRL Premium Server patched per ICSA-26-078-08. Audit Schneider Electric EcoStruxure PME/EPO installations per ICSA-26-078-04. These systems manage HVAC and power monitoring in state buildings.</p>
</td>
</tr>
<tr>
<td>
<p>7-DAY</p>
</td>
<td>
<p>SOC</p>
</td>
<td>
<p>Conduct proactive threat hunt for MuddyWater/Dindoor backdoor indicators. Cross-reference with Handala/Void Manticore infrastructure. Sixteen days of silence from an MOIS-affiliated actor during military escalation warrants active investigation.</p>
</td>
</tr>
<tr>
<td>
<p>7-DAY</p>
</td>
<td>
<p>SOC</p>
</td>
<td>
<p>Implement detection for Azure Monitor alert callback phishing - monitor for emails from Azure Monitor containing phone numbers or callback requests impersonating Microsoft Security Team.</p>
</td>
</tr>
</tbody>
</table>
<p><strong>30-Day Actions</strong></p>
<table>
<tbody>
<tr>
<td>
<p><strong>Priority</strong></p>
</td>
<td>
<p><strong>Responsible Team</strong></p>
</td>
<td>
<p><strong>Action</strong></p>
</td>
</tr>
<tr>
<td>
<p>30-DAY</p>
</td>
<td>
<p>CISO</p>
</td>
<td>
<p>Commission assessment of state election infrastructure security posture given CISA workforce reductions. Identify which CISA services are degraded and develop compensating controls before the 2026 midterm cycle.</p>
</td>
</tr>
<tr>
<td>
<p>30-DAY</p>
</td>
<td>
<p>CISO / IR Team</p>
</td>
<td>
<p>Develop an Iran cyber retaliation response playbook covering: (1) wiper incident response for endpoint management abuse (Intune/SCCM), (2) OT/SCADA isolation procedures for water and power systems, (3) crisis communication plan for a destructive attack scenario. Conduct a tabletop exercise within 30 days.</p>
</td>
</tr>
<tr>
<td>
<p>30-DAY</p>
</td>
<td>
<p>IT Operations / IAM</p>
</td>
<td>
<p>Evaluate FIDO2/passkey deployment for state employee Microsoft 365 accounts. Push-notification and SMS-based MFA is being routinely bypassed by adversary-in-the-middle attacks. Phishing-resistant authentication is no longer optional - it is an operational necessity.</p>
</td>
</tr>
<tr>
<td>
<p>30-DAY</p>
</td>
<td>
<p>CISO</p>
</td>
<td>
<p>Review and update MSP/vendor access controls. The ConnectWise ScreenConnect vulnerability (second critical CVE in under a year) and the Trivy supply chain compromise demonstrate that vendor trust must be continuously verified, not assumed.</p>
</td>
</tr>
</tbody>
</table>
<h2><strong>The Structural Challenge: States Are Increasingly on Their Own</strong></h2>
<p>One factor that makes this threat convergence particularly dangerous is the degradation of federal cybersecurity support. CISA workforce reductions, the lapse of key information-sharing authorities, and the hollowing out of election security programs mean that state governments cannot rely on the same level of federal incident response surge capacity, vulnerability scanning, or threat intelligence sharing that existed even six months ago.</p>
<p>This is not a political observation - it is an operational reality that must inform resource allocation decisions. State CISOs should be having direct conversations with their governors and legislative leadership about:</p>
<ul>
<li><strong>Funding for compensating controls</strong> to replace degraded federal services</li>
<li><strong>Interstate information-sharing agreements</strong> to fill intelligence gaps</li>
<li><strong>Incident response retainer contracts</strong> with private-sector firms to ensure surge capacity exists when - not if - a significant incident occurs</li>
<li><strong>Election security readiness</strong> independent of federal support, given the approaching 2026 midterm cycle</li>
</ul>
<h2><strong>Bottom Line</strong></h2>
<p>The intelligence picture is unambiguous. Iranian MOIS-affiliated actors have demonstrated the capability and intent to conduct destructive operations against U.S. targets. Russian intelligence is actively harvesting government officials' private communications. Supply chain attacks are expanding faster than most organizations can audit their dependencies. And the federal safety net that state governments have historically relied upon is thinner than it has been in a decade.</p>
<p>The actions outlined in this report are not aspirational - they are the minimum defensive posture for the current threat environment. The Cisco FMC patch deadline has passed. The iOS emergency update is available now. The Signal linked-device audit takes five minutes per phone.</p>
<p>Every day of delay is a day your adversaries are already using.</p>