Anomali Cyber Watch
Public Sector

When Your Mobile Device Manager Becomes the Attacker's Backdoor: Urgent Threats Facing State Government Networks

Published on
May 22, 2026
<p> <strong> Threat Assessment Level: ELEVATED </strong> <em> (trending toward HIGH) </em> </p> <p> The convergence of actively exploited mobile device management vulnerabilities, fresh Russian state-sponsored malware with destructive capabilities, and a sustained acceleration in CISA's Known Exploited Vulnerabilities catalog demands immediate attention from state government IT leadership. This briefing covers what changed in the last 48 hours and what your teams need to do today. </p> <h2> <strong> What Changed </strong> </h2> <p> The past 72 hours have delivered a cluster of developments that collectively raise the risk profile for state government networks: </p> <ul> <li> <strong> Ivanti EPMM under active exploitation </strong> &mdash; Two new vulnerabilities (CVE-2026-1281 and CVE-2026-1340) in Ivanti Endpoint Manager Mobile are being actively exploited against government targets. For agencies using Ivanti EPMM to manage state employee mobile devices, this is a same-day patching priority. </li> <li> <strong> APT28 (Fancy Bear/GRU) deploys fresh backdoor with destructive capability </strong> &mdash; A new malware sample attributed to Russia's GRU Unit 26165 now includes data destruction functionality (MITRE ATT&amp;CK <strong> T1485 </strong> ), a departure from their traditional espionage-only mission. Government and financial services are confirmed targets. </li> <li> <strong> Nine CISA KEVs in 48 hours </strong> &mdash; CISA added nine vulnerabilities to the Known Exploited Vulnerabilities catalog between May 20&ndash;21, signaling an acceleration in real-world exploitation activity. </li> <li> <strong> Five ICS/SCADA advisories </strong> &mdash; ABB B&amp;R Automation (three advisories), Hitachi Energy GMS600, and ABB Terra AC Wallbox all received critical advisories on May 21, relevant to building automation and energy grid management in state facilities. 
</li> <li> <strong> GOOTLOADER re-emerges targeting government </strong> &mdash; The SEO-poisoning malware loader, which tricks users into downloading malicious JavaScript files disguised as legal documents, confirmed renewed operations against government entities. </li> <li> <strong> APT43 credential harvesting campaign updated </strong> &mdash; North Korean operators continue rapport-building social engineering campaigns aimed at stealing credentials from government personnel. </li> <li> <strong> OAuth device-code-flow abuse documented </strong> &mdash; Phishing attacks exploiting OAuth authorization flows to bypass traditional email security controls and steal persistent access tokens represent an active and growing threat to government M365 tenants. </li> </ul> <h2> <strong> Threat Timeline </strong> </h2> <table> <thead> <tr> <th> <p> Date </p> </th> <th> <p> Event </p> </th> <th> <p> Relevance to State Government </p> </th> </tr> </thead> <tbody> <tr> <td> <p> 2026-05-15 (est.) </p> </td> <td> <p> Ivanti EPMM exploitation campaign begins </p> </td> <td> <p> MDM servers managing state employee devices at risk </p> </td> </tr> <tr> <td> <p> 2026-05-17 </p> </td> <td> <p> APT28 registers government-targeted phishing domain </p> </td> <td> <p> Credential theft infrastructure targeting .gov </p> </td> </tr> <tr> <td> <p> 2026-05-19 </p> </td> <td> <p> Five ICS/OT advisories published (ScadaBR, Kieback &amp; Peter DDC) </p> </td> <td> <p> Building automation and SCADA systems in state facilities </p> </td> </tr> <tr> <td> <p> 2026-05-19 </p> </td> <td> <p> APT28 fresh backdoor sample created </p> </td> <td> <p> New destructive capability added to government-targeting toolkit </p> </td> </tr> <tr> <td> <p> 2026-05-20 </p> </td> <td> <p> CISA adds 7 vulnerabilities to KEV catalog </p> </td> <td> <p> Accelerating exploitation tempo </p> </td> </tr> <tr> <td> <p> 2026-05-20 </p> </td> <td> <p> APT29 (Midnight Blizzard) refreshes ATI-Agent indicators </p> </td> <td> <p> 
SVR operations remain active against government </p> </td> </tr> <tr> <td> <p> 2026-05-21 </p> </td> <td> <p> Ivanti EPMM campaign confirmed actively exploiting government </p> </td> <td> <p> Direct threat to state MDM infrastructure </p> </td> </tr> <tr> <td> <p> 2026-05-21 </p> </td> <td> <p> GOOTLOADER operations re-emerge targeting government </p> </td> <td> <p> SEO poisoning delivering malicious JavaScript to gov users </p> </td> </tr> <tr> <td> <p> 2026-05-21 </p> </td> <td> <p> CISA adds 2 additional KEVs (9 total in 48h) </p> </td> <td> <p> Patch backlog pressure increasing </p> </td> </tr> <tr> <td> <p> 2026-05-21 </p> </td> <td> <p> ABB B&amp;R triple advisory + Hitachi Energy GMS600 </p> </td> <td> <p> Industrial control systems in state-adjacent facilities </p> </td> </tr> <tr> <td> <p> 2026-05-21 </p> </td> <td> <p> APT28 backdoor sample updated in threat feeds </p> </td> <td> <p> Active campaign refinement underway </p> </td> </tr> </tbody> </table> <h2> <strong> Key Threat Analysis </strong> </h2> <h3> <strong> 1. Ivanti EPMM: Your MDM Is a Domain Controller for Mobile Devices </strong> </h3> <p> <strong> CVE-2026-1281 </strong> and <strong> CVE-2026-1340 </strong> are being actively exploited against government organizations across multiple countries. The campaign, tracked since May 21, targets automotive, commercial, financial services, government, manufacturing, and transportation sectors. </p> <p> <strong> Why this matters for state government: </strong> Ivanti EPMM (formerly MobileIron) manages mobile device policies, application deployment, and security configurations for enrolled devices. 
An attacker who compromises the EPMM server gains the ability to: </p> <ul> <li> Deploy malicious configuration profiles to every enrolled state employee phone </li> <li> Intercept or suppress multi-factor authentication push notifications </li> <li> Track the physical location of state officials in real time </li> <li> Execute a mass device wipe as a destructive action </li> </ul> <p> This is not a theoretical risk. Norway's government was compromised through Ivanti vulnerabilities (CVE-2023-35078) in 2023. The pattern is recurring with new CVEs. </p> <p> <strong> ATT&amp;CK Techniques: </strong> <strong> T1190 </strong> (Exploit Public-Facing Application), <strong> T1078 </strong> (Valid Accounts), <strong> T1071.001 </strong> (Web Protocols for C2) </p> <h3> <strong> 2. APT28's Destructive Evolution </strong> </h3> <p> A fresh APT28 malware sample surfaced on May 21 with behavioral signatures indicating: </p> <ul> <li> Process injection ( <strong> T1055.002 </strong> ) </li> <li> Keylogging ( <strong> T1056.001 </strong> ) </li> <li> Registry modification ( <strong> T1112 </strong> ) </li> <li> Security tool disabling ( <strong> T1562.001 </strong> ) </li> <li> Sandbox/debugger evasion ( <strong> T1497.002 </strong> , <strong> T1622 </strong> ) </li> <li> <strong> Data destruction (T1485) </strong> &mdash; <em> This is new for APT28 </em> </li> </ul> <p> Historically, destructive operations against government networks were the domain of GRU's Sandworm unit (APT44), responsible for NotPetya and Ukrainian grid attacks. APT28 (GRU Unit 26165) traditionally focused on espionage and credential theft. The inclusion of data destruction capability suggests either convergence between GRU units' tooling or pre-positioning for contingency destructive operations against Western government infrastructure. </p> <p> Associated network indicators and file hashes for this sample are available through Anomali ThreatStream Next-Gen and partner feeds. 
</p> <p> <strong> Confidence: MODERATE-HIGH </strong> &mdash; Attribution confirmed via TTP overlap and victimology matching APT28's known profile. </p> <h3> <strong> 3. GOOTLOADER: SEO Poisoning Targeting Government Searches </strong> </h3> <p> GOOTLOADER operations confirmed active as of May 21, specifically targeting government entities. This malware family poisons search engine results for terms commonly searched by government employees &mdash; legal templates, policy documents, contract language, compliance forms &mdash; and delivers malicious JavaScript payloads. </p> <p> <strong> Kill chain: </strong> Compromised WordPress sites &rarr; SEO-poisoned search results &rarr; user downloads .zip containing .js file &rarr; wscript.exe executes JavaScript &rarr; GOOTLOADER establishes persistence &rarr; secondary payload delivery (historically: Cobalt Strike, REvil ransomware, or banking trojans) </p> <p> <strong> ATT&amp;CK Techniques: </strong> <strong> T1189 </strong> (Drive-by Compromise), <strong> T1059.007 </strong> (JavaScript Execution), <strong> T1027 </strong> (Obfuscated Files), <strong> T1105 </strong> (Ingress Tool Transfer) </p> <h3> <strong> 4. 
ICS/SCADA Advisory Surge </strong> </h3> <p> Five industrial control system advisories in a single cycle affect systems commonly deployed in state government facilities: </p> <table> <thead> <tr> <th> <p> Advisory </p> </th> <th> <p> Product </p> </th> <th> <p> Risk </p> </th> </tr> </thead> <tbody> <tr> <td> <p> ICSA-26-141-02 </p> </td> <td> <p> ABB B&amp;R PCs </p> </td> <td> <p> Industrial workstation compromise </p> </td> </tr> <tr> <td> <p> ICSA-26-141-03 </p> </td> <td> <p> ABB B&amp;R Automation Studio </p> </td> <td> <p> Engineering environment compromise </p> </td> </tr> <tr> <td> <p> ICSA-26-141-04 </p> </td> <td> <p> ABB B&amp;R Automation Runtime </p> </td> <td> <p> Runtime manipulation of control logic </p> </td> </tr> <tr> <td> <p> ICSA-26-141-01 </p> </td> <td> <p> Hitachi Energy GMS600 </p> </td> <td> <p> Grid management system (CVE-2022-4304, OpenSSL) </p> </td> </tr> <tr> <td> <p> (May 21) </p> </td> <td> <p> ABB Terra AC Wallbox </p> </td> <td> <p> EV charging infrastructure </p> </td> </tr> </tbody> </table> <p> State agencies overseeing water/wastewater, transportation management, building automation, and energy utilities should verify whether these products are deployed in their environments. </p> <h3> <strong> 5. OAuth Abuse and Credential Harvesting </strong> </h3> <p> Research published this cycle details phishing attacks exploiting OAuth authorization flows &mdash; specifically device code flow abuse &mdash; to bypass traditional email security controls and steal persistent access tokens. Combined with APT43's ongoing credential harvesting campaigns targeting government personnel through rapport-building social engineering, identity-based attacks remain the #1 initial access vector for state networks. 
</p> <h2> <strong> Predictive Analysis </strong> </h2> <table> <thead> <tr> <th> <p> Scenario </p> </th> <th> <p> Probability </p> </th> <th> <p> Timeframe </p> </th> <th> <p> Basis </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Additional Ivanti EPMM exploitation attempts against government MDM infrastructure </p> </td> <td> <p> <strong> 70% </strong> </p> </td> <td> <p> Next 72 hours </p> </td> <td> <p> Active campaign maturing; government confirmed as target </p> </td> </tr> <tr> <td> <p> OAuth/device-code-flow attack targeting state M365 tenants </p> </td> <td> <p> <strong> 55% </strong> </p> </td> <td> <p> Next 14 days </p> </td> <td> <p> Technique publicly documented; APT43 and APT29 both known to use OAuth abuse </p> </td> </tr> <tr> <td> <p> Ransomware group claims a state/local government victim </p> </td> <td> <p> <strong> 50% </strong> </p> </td> <td> <p> Next 7 days </p> </td> <td> <p> Current 72+ hour silence is anomalous vs. historical cadence of 2&ndash;3 incidents/week; may indicate pre-positioning </p> </td> </tr> <tr> <td> <p> APT28 campaign escalation with expanded destructive operations </p> </td> <td> <p> <strong> 40% </strong> </p> </td> <td> <p> Next 14 days </p> </td> <td> <p> Fresh tooling deployment with new <strong> T1485 </strong> capability; expanded TTP set </p> </td> </tr> <tr> <td> <p> ICS/OT exploitation attempt against state-adjacent utility infrastructure </p> </td> <td> <p> <strong> 20% </strong> </p> </td> <td> <p> Next 30&ndash;90 days </p> </td> <td> <p> Typical lag from advisory publication to weaponization </p> </td> </tr> </tbody> </table> <h2> <strong> SOC Operational Guidance </strong> </h2> <h3> <strong> Hunt Hypotheses </strong> </h3> <table> <thead> <tr> <th> <p> Hypothesis </p> </th> <th> <p> What to Look For </p> </th> <th> <p> ATT&amp;CK ID </p> </th> <th> <p> Data Source </p> </th> </tr> </thead> <tbody> <tr> <td> <p> Ivanti EPMM compromise </p> </td> <td> <p> Anomalous admin authentication to EPMM console since 
May 15; unexpected device profile deployments; new admin accounts </p> </td> <td> <p> <strong> T1190 </strong> , <strong> T1078 </strong> </p> </td> <td> <p> EPMM admin logs, network flow to EPMM server </p> </td> </tr> <tr> <td> <p> APT28 backdoor execution </p> </td> <td> <p> Process injection from unknown executables; registry modifications in HKLM\SOFTWARE; security tool service stops </p> </td> <td> <p> <strong> T1055.002 </strong> , <strong> T1112 </strong> , <strong> T1562.001 </strong> </p> </td> <td> <p> EDR telemetry, Windows Event Logs (Sysmon 8, 13) </p> </td> </tr> <tr> <td> <p> GOOTLOADER delivery </p> </td> <td> <p> wscript.exe spawning from browser-downloaded .js files in %USERPROFILE%\Downloads; outbound HTTPS to compromised WordPress sites </p> </td> <td> <p> <strong> T1059.007 </strong> , <strong> T1189 </strong> </p> </td> <td> <p> EDR process tree, proxy logs </p> </td> </tr> <tr> <td> <p> Volt Typhoon LOTL pre-positioning </p> </td> <td> <p> Unusual use of certutil, ntdsutil, netsh, or wmic by service accounts; scheduled tasks created via command line on infrastructure servers </p> </td> <td> <p> <strong> T1218 </strong> , <strong> T1059.001 </strong> </p> </td> <td> <p> Windows Event Log 4688, Sysmon 1 </p> </td> </tr> <tr> <td> <p> OAuth token abuse </p> </td> <td> <p> Device code flow authentications from unexpected geographies; refresh tokens with anomalous lifetimes; consent grants to unrecognized applications </p> </td> <td> <p> <strong> T1550.001 </strong> </p> </td> <td> <p> Azure AD sign-in logs, audit logs </p> </td> </tr> <tr> <td> <p> Data destruction preparation </p> </td> <td> <p> Unusual volume shadow copy deletions (vssadmin delete shadows); bcdedit modifications; mass file enumeration on file servers </p> </td> <td> <p> <strong> T1485 </strong> , <strong> T1490 </strong> </p> </td> <td> <p> Windows Event Log, EDR </p> </td> </tr> </tbody> </table>
<h3> <strong> Detection Priorities </strong> </h3> <ul> <li> <strong> Block immediately: </strong> APT28 backdoor file and network indicators &mdash; retrieve current hashes and C2 infrastructure from Anomali ThreatStream Next-Gen (search: APT28, May 2026 campaign) </li> <li> <strong> Alert on: </strong> wscript.exe executing .js files from Downloads folders (GOOTLOADER indicator) </li> <li> <strong> Monitor: </strong> All Ivanti EPMM administrative actions &mdash; new device profiles, admin account creation, bulk policy changes </li> <li> <strong> Baseline: </strong> OAuth application consent grants in Azure AD/Entra ID &mdash; alert on new grants to unrecognized application IDs </li> <li> <strong> Hunt: </strong> Living-off-the-land binary usage (certutil, wmic, ntdsutil) by non-administrative accounts on critical infrastructure servers </li> </ul>
<h2> <strong> Sector-Specific Defensive Priorities </strong> </h2> <h3> <strong> Financial Services (Revenue/Taxation Agencies) </strong> </h3> <ul> <li> APT28's fresh sample explicitly targets financial services alongside government </li> <li> Prioritize EDR coverage on systems processing tax returns and payment data </li> <li> Monitor for <strong> T1056.001 </strong> (keylogging) on financial transaction workstations </li> <li> Ensure PCI-scoped systems are segmented from general government network </li> </ul> <h3> <strong> Energy (Utility Oversight / State Energy Office) </strong> </h3> <ul> <li> Hitachi Energy GMS600 advisory (CVE-2022-4304) directly affects grid management </li> <li> ABB B&amp;R advisories affect industrial automation in power generation/distribution </li> <li> Verify OT asset inventory against advisory product lists within 7 days </li> <li> Ensure IT/OT network segmentation prevents lateral movement from compromised IT systems to SCADA networks </li> </ul> <h3> <strong> Healthcare (Health &amp; Human Services) </strong> </h3> <ul> <li> German hospital breach via third-party billing provider (Unimed) demonstrates
supply chain risk pattern directly applicable to state Medicaid/HHS systems </li> <li> Audit third-party vendor access to health data systems </li> <li> GOOTLOADER historically delivers ransomware &mdash; healthcare data systems are high-value targets </li> <li> Ensure HIPAA breach notification procedures are current </li> </ul> <h3> <strong> Government (All Executive Branch Agencies) </strong> </h3> <ul> <li> Ivanti EPMM patching is the #1 priority &mdash; every enrolled mobile device is at risk </li> <li> APT28, APT29, and APT43 all confirmed targeting government this cycle </li> <li> GOOTLOADER SEO poisoning specifically targets government employee search behavior </li> <li> Brief staff on risks of downloading document templates from search results </li> </ul> <h3> <strong> Aviation/Logistics (Transportation / DMV) </strong> </h3> <ul> <li> Ivanti EPMM campaign explicitly targets transportation sector </li> <li> ABB B&amp;R automation products may be deployed in traffic management systems </li> <li> Ensure transportation management system (TMS) networks are segmented </li> <li> Monitor for anomalous access to vehicle registration and driver's license databases </li> </ul> <h2> <strong> Prioritized Defense Recommendations </strong> </h2> <h3> <strong> IMMEDIATE (Within 24 Hours) </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🔴 CRITICAL </strong> </p> </td> <td> <p> IT Ops / MDM Team </p> </td> <td> <p> Verify Ivanti EPMM is patched against CVE-2026-1281 and CVE-2026-1340. If unpatched, apply emergency maintenance window TODAY. If patching is not immediately possible, restrict EPMM admin interface to management VLAN only. 
</p> </td> </tr> <tr> <td> <p> <strong> 🔴 CRITICAL </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Retrieve current APT28 backdoor indicators (hashes, C2 IPs, domains) from ThreatStream Next-Gen and block across all EDR, email gateway, and web proxy platforms. </p> </td> </tr> <tr> <td> <p> <strong> 🔴 CRITICAL </strong> </p> </td> <td> <p> SOC / MDM Team </p> </td> <td> <p> Audit Ivanti EPMM admin access logs from May 15 onward. Look for: new admin accounts, authentication from unexpected IPs, bulk device profile changes, API calls outside business hours. </p> </td> </tr> <tr> <td> <p> <strong> 🟠 HIGH </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Brief executive leadership on APT28 destructive capability development. Recommend tabletop exercise for data destruction scenario within 30 days. </p> </td> </tr> </tbody> </table> <h3> <strong> 7-DAY </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🟠 HIGH </strong> </p> </td> <td> <p> IT Ops / Facilities </p> </td> <td> <p> Apply ABB B&amp;R patches per ICSA-26-141-02, -03, -04 for any building automation or industrial systems in state facilities. </p> </td> </tr> <tr> <td> <p> <strong> 🟠 HIGH </strong> </p> </td> <td> <p> SOC </p> </td> <td> <p> Deploy GOOTLOADER detection: alert on wscript.exe spawning from browser-downloaded .js files in user Download directories. </p> </td> </tr> <tr> <td> <p> <strong> 🟠 HIGH </strong> </p> </td> <td> <p> IT Ops / Energy </p> </td> <td> <p> Verify Hitachi Energy GMS600 firmware version in any energy/utility oversight systems; apply OpenSSL patch for CVE-2022-4304. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> SOC / Identity Team </p> </td> <td> <p> Implement OAuth token anomaly detection in Azure AD/Entra ID &mdash; alert on device code flow from unexpected locations and consent grants to unrecognized applications. 
</p> </td> </tr> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> Security Awareness </p> </td> <td> <p> Issue targeted advisory to staff: do not download document templates, legal forms, or policy documents from search engine results without verifying the source domain. </p> </td> </tr> </tbody> </table> <h3> <strong> 30-DAY </strong> </h3> <table> <thead> <tr> <th> <p> Priority </p> </th> <th> <p> Owner </p> </th> <th> <p> Action </p> </th> </tr> </thead> <tbody> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> CISO / Procurement </p> </td> <td> <p> Evaluate and procure backup OSINT intelligence feed to eliminate single-provider dependency. Budget estimate: $15&ndash;40K/year. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> IT Ops / Network </p> </td> <td> <p> Reclassify Ivanti EPMM servers to Tier 0 asset status (equivalent to domain controllers). Implement: network segmentation, privileged access workstations for admin, continuous log monitoring. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> OT Security </p> </td> <td> <p> Build and maintain a living inventory of deployed ICS/OT vendors across all state facilities to enable rapid triage when advisories are published. </p> </td> </tr> <tr> <td> <p> <strong> 🟡 MODERATE </strong> </p> </td> <td> <p> IR Team </p> </td> <td> <p> Conduct tabletop exercise simulating APT28 data destruction scenario &mdash; test backup integrity, recovery time objectives, and communication procedures. </p> </td> </tr> <tr> <td> <p> <strong> 📋 PLANNING </strong> </p> </td> <td> <p> CISO </p> </td> <td> <p> Review AWS federation and cloud identity persistence mechanisms. Ensure incident response playbooks account for adversary persistence that survives credential rotation (reference: CrowdStrike federation persistence technique, published May 21). 
</p> </td> </tr> </tbody> </table> <h2> <strong> IOC Blocking Table </strong> </h2> <p> <strong> Note: </strong> Verified, production-ready IOCs for all campaigns discussed in this report &mdash; including APT28 backdoor hashes and C2 infrastructure, GOOTLOADER network indicators, and Ivanti EPMM exploitation artifacts &mdash; are available through <strong> ThreatStream </strong> Next-Gen and partner feeds. SOC teams should query ThreatStream Next-Gen directly for the latest defanged indicators prior to blocking. Contact your Anomali representative for access or to request a curated indicator export for these campaigns. </p>
<h2> <strong> The Bottom Line </strong> </h2> <p> State government networks face a compounding threat picture this week. The Ivanti EPMM exploitation campaign is not theoretical &mdash; it is actively targeting government MDM infrastructure right now. Russia's APT28 is evolving from pure espionage toward destructive capability, a shift that changes the consequence calculus from "data theft" to "operational disruption." And the sustained volume of CISA KEV additions (nine in 48 hours) means your patch backlog is growing faster than most teams can remediate. </p> <p> The anomalous silence in ransomware activity against state and local government &mdash; typically 2&ndash;3 incidents per week &mdash; should not be interpreted as safety. It may reflect pre-positioning before coordinated attacks, or simply a reporting lag. </p> <p> <strong> Three decisions needed from leadership this week: </strong> </p> <ul> <li> <strong> Confirm Ivanti EPMM is patched today. </strong> Not next sprint. Today. </li> <li> <strong> Approve backup intelligence collection capability. </strong> Nine days of degraded visibility is unacceptable for an organization managing millions of residents' data. </li> <li> <strong> Acknowledge the APT28 destructive shift. </strong> Schedule the tabletop. Test your backups.
Verify your recovery time objectives assume a wiper, not just ransomware. </li> </ul> <p> The threat actors are not waiting. Neither should we. </p> <p> <em> Published 2026-05-22 by the Anomali CTI Desk. For questions or to request additional indicators, contact your Anomali representative. </em> </p> <p> <em> This report is TLP:GREEN &mdash; share freely within the state government community and with peer organizations in the public sector. </em> </p>
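<p> The Hunt Hypotheses table and Detection Priorities above say what to look for in process-creation telemetry; the following is an added example (not Anomali's code or part of the report) that encodes three of those rows as checks over Sysmon Event ID 1 / Security 4688 style events. The field names, the <code>svc_</code> naming convention used to recognise service accounts, and every sample event are constructed assumptions to be mapped onto your own telemetry. </p>

```python
"""Hunt-hypothesis checks over Windows process-creation events (added example).

Encodes three rows of the briefing's Hunt Hypotheses table -- GOOTLOADER delivery,
living-off-the-land binary use by service accounts, and data-destruction
preparation -- as checks over Sysmon Event ID 1 / Security 4688 style fields
(Image, CommandLine, User). Field names, the svc_ naming convention for service
accounts and every sample event are constructed assumptions, not Anomali data.
"""
import re
from pathlib import PureWindowsPath

LOLBINS = {"certutil.exe", "ntdsutil.exe", "netsh.exe", "wmic.exe"}
# Assumed (constructed) local convention: service accounts are named svc_<role>.
SERVICE_ACCOUNT_RE = re.compile(r"(^|\\)svc_[a-z0-9_]+$", re.IGNORECASE)
# A .js script located under any user's Downloads folder, quoted or unquoted.
DOWNLOADED_JS_RE = re.compile(r"\\downloads\\[^\"]*?\.js\b", re.IGNORECASE)


def _image_name(ev):
    """Lower-cased executable name, tolerant of full Windows paths."""
    return PureWindowsPath(ev.get("Image", "")).name.lower()

def _finding(hypothesis, attack_ids, ev):
    return {"hypothesis": hypothesis, "attack": attack_ids,
            "user": ev.get("User", ""), "command": ev.get("CommandLine", "")}

def gootloader_delivery(ev):
    """wscript.exe executing a .js that sits in a Downloads folder (table row 3)."""
    if _image_name(ev) == "wscript.exe" and DOWNLOADED_JS_RE.search(ev.get("CommandLine", "")):
        return _finding("GOOTLOADER delivery", ["T1059.007", "T1189"], ev)
    return None

def lolbin_by_service_account(ev):
    """certutil/ntdsutil/netsh/wmic, or schtasks /create, run by a service account."""
    name, cmd = _image_name(ev), ev.get("CommandLine", "").lower()
    lotl = name in LOLBINS or (name == "schtasks.exe" and "/create" in cmd)
    if lotl and SERVICE_ACCOUNT_RE.search(ev.get("User", "")):
        return _finding("Volt Typhoon LOTL pre-positioning", ["T1218", "T1059.001"], ev)
    return None

def destruction_preparation(ev):
    """Shadow-copy deletion or boot-configuration changes that often precede a wiper."""
    name, cmd = _image_name(ev), " ".join(ev.get("CommandLine", "").lower().split())
    if (name == "vssadmin.exe" and "delete shadows" in cmd) or (
            name == "bcdedit.exe" and ("/set" in cmd or "/delete" in cmd)):
        return _finding("Data destruction preparation", ["T1485", "T1490"], ev)
    return None

RULES = (gootloader_delivery, lolbin_by_service_account, destruction_preparation)

def hunt(events):
    """Apply every rule to every event; findings come back in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


# Constructed sample telemetry: three events should fire, two should not.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe", "User": r"STATE\jdoe",
     "CommandLine": r'"C:\Windows\System32\WScript.exe" '
                    r'"C:\Users\jdoe\Downloads\Employment Agreement Template.js"'},
    {"Image": r"C:\Windows\System32\wscript.exe", "User": r"STATE\jdoe",
     "CommandLine": r"wscript.exe C:\Scripts\logon.vbs"},  # benign logon script
    {"Image": r"C:\Windows\System32\certutil.exe", "User": r"STATE\svc_backup",
     "CommandLine": r"certutil.exe -hashfile C:\Temp\update.bin SHA256"},
    {"Image": r"C:\Windows\System32\certutil.exe", "User": r"STATE\adm.jdoe",
     "CommandLine": r"certutil.exe -hashfile C:\Temp\update.bin SHA256"},  # human admin
    {"Image": r"C:\Windows\System32\vssadmin.exe", "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"vssadmin.exe delete shadows /all /quiet"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['hypothesis']:<36} {', '.join(f['attack']):<20} {f['user']}")
```

<p> The OAuth and EPMM rows of the table are not covered here because they live in Entra ID sign-in logs and EPMM admin logs rather than in process-creation events. </p>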
