TLP:GREEN  ·  States / Public Sector
What State CISOs Must Do This Week:

Russian Intelligence Services Actively Scanning Government Networks

ELEVATED. Today marks a watershed moment in the attribution of Russian state-sponsored cyber operations. The EU and UK jointly sanctioned 24+ individuals and entities tied to Russia's FSB Center 16 — the unit behind Turla — while a 12-nation coalition confirmed active, global scanning of government routers for exploitation. Simultaneously, Adobe ColdFusion is under active exploitation via a CVSS 10.0 vulnerability, APT28 has produced fresh government-targeting malware, and four ransomware groups continue their drumbeat against public sector targets.

I am a
My sector

DevelopmentDateWhy It Matters
EU/UK sanction FSB Center 16 (Turla/Berserk Bear) for December 2025 Poland energy grid attack2026-07-13Formal attribution confirms this unit actively targets government networks and critical infrastructure globally
12-nation joint advisory: FSB Center 16 scanning for routers with weak SNMP community strings2026-07-13State government network devices are explicitly in the target set — CVE-2018-0171 (Cisco Smart Install) being exploited
UK sanctions Lumma Stealer operators2026-07-132,100+ UK victims in 6 months; credential theft at industrial scale
APT28 (GRU Unit 26165) — 4 new government-targeting malware samples ingested2026-07-12/13Sustained Russian espionage pressure against government sector
TA505 activates new government-targeting C2 infrastructure2026-07-12Fresh IP (confidence 95) signals imminent phishing/ransomware campaign against government
CVE-2026-48282 (Adobe ColdFusion, CVSS 10.0) — confirmed active exploitation2026-07-07 (KEV)Exploited within 2 hours of disclosure; any unpatched ColdFusion portal is compromised or will be
CVE-2026-48939 (iCagenda for Joomla, CVSS 9.8) — added to KEV2026-07-10Second Joomla extension on KEV in three weeks; systematic exploitation of Joomla ecosystem
Schneider Electric Easergy MiCOM Px40 advisory (substation protection relays)2026-07-09Direct relevance to state-managed electrical infrastructure
Deadlock, Akira, BITWISE SPIDER, WARLOCK SPIDER — all updated with government targeting2026-07-10–13Four ransomware operations simultaneously active against government sector

DateEventActor / CVEImpact
2025-12Poland energy grid attack (could have cut power to ~500K people)FSB Center 16 / DynoWiperDestructive — formally attributed Jul 13
2026-06-12California water utility destructive breachVOID MANTICORE (Iran/IRGC)Confirmed destructive attack on U.S. critical infrastructure
2026-07-07ColdFusion CVE-2026-48282 added to CISA KEV; exploitation within 2 hoursUnknown actorsRCE on citizen-facing portals
2026-07-09Schneider Electric ICS advisories (PowerChute, Easergy MiCOM Px40, OpenPLC)N/A (vendor disclosure)Substation relay and UPS vulnerabilities
2026-07-10iCagenda CVE-2026-48939 added to CISA KEVUnknown actorsUnauthenticated RCE via Joomla extension
2026-07-10Akira ransomware actor model updated — government targetingAkiraActive ransomware threat
2026-07-12TA505 new C2 IP activated (government-targeting, confidence 95)TA505 / WARLOCK SPIDERPhishing infrastructure staged for campaign
2026-07-12APT28 — 4 fresh MD5 samples tagged government/public-servicesAPT28 (GRU Unit 26165)Espionage tooling refresh
2026-07-12Deadlock ransomware updated; BITWISE SPIDER updated Jul 13Deadlock, BITWISE SPIDERGovernment-targeting ransomware
2026-07-13EU/UK sanctions + 12-nation advisory on FSB Center 16 router scanningFSB Center 16 (Turla)Active scanning of government routers worldwide

What they are: Russia's FSB 16th Centre, now formally linked to the Turla hacking group (also known as Berserk Bear, Energetic Bear, Crouching Yeti, DragonFly, Ghost Blizzard). This unit has targeted government networks across Europe since 2010 and was responsible for the December 2025 destructive attack on Poland's energy grid using DynoWiper malware.

What they're doing now: actively scanning globally for network devices with weak SNMP community strings and exploiting CVE-2018-0171 (Cisco Smart Install, CVSS 9.8). Once inside a router, they exfiltrate configurations via TFTP and establish persistent access for espionage or pre-positioning for destructive operations.

Why state government is at risk: state agencies operate extensive Cisco networking infrastructure. Many legacy devices still run SNMPv1/v2 with default or weak community strings. Smart Install may remain enabled on switches that were deployed years ago and never hardened.

T1078T1557T1048T1485

Four new malware samples explicitly tagged for government and public services targeting were ingested this cycle. The samples use Expiro file infector techniques combined with PowerShell-based loaders — a combination that enables persistence and lateral movement while evading signature-based detection.

T1059T1105T1195.002T1203T1204.002T1553.002

TA505 is a financially motivated, Russia-nexus cybercriminal group historically associated with Clop ransomware, FlawedAmmyy RAT, and ServHelper. A new command-and-control IP was activated on July 12 with explicit government sector targeting at confidence level 95. This group's operational pattern — infrastructure staging followed by mass phishing campaigns — suggests an imminent campaign within days.

T1071T1571

This CVSS 10.0 path traversal to arbitrary code execution vulnerability was exploited in the wild within 2 hours of public disclosure. It affects ColdFusion 2025.9, 2023.20, and all earlier versions. State government agencies are known to operate legacy ColdFusion applications for citizen-facing portals (benefits applications, permit systems, public records). Any unpatched instance should be presumed compromised.

T1190T1059T1083

Two Joomla extensions are now on CISA's Known Exploited Vulnerabilities catalog: CVE-2026-48939 (iCagenda, CVSS 9.8) — unauthenticated file upload → RCE — and CVE-2026-48908 (SP Page Builder, CVSS 9.8) — unauthenticated file upload → RCE.

State agencies commonly use Joomla for public-facing websites. The pattern of systematic Joomla extension exploitation suggests attackers are specifically targeting this CMS ecosystem.

T1190

Four distinct ransomware operations showed fresh activity against the government sector between July 10–13: Deadlock (updated Jul 12), Akira (updated Jul 10), BITWISE SPIDER (updated Jul 13), and WARLOCK SPIDER / TA505 (updated Jul 13).

This convergence, combined with TA505's fresh C2 infrastructure, represents the highest ransomware pressure on state/local government observed in recent cycles.

The Schneider Electric Easergy MiCOM Px40 advisory affects protection relays used in electrical substations. Combined with the formal attribution of FSB Center 16's destructive attack on Poland's energy grid, state agencies managing electrical infrastructure face a dual threat: known vulnerabilities in deployed equipment and a confirmed adversary with destructive intent.

ScenarioProbabilityBasis
Additional exploitation attempts against ColdFusion and Joomla KEV vulnerabilities on state-hosted web applicationsHIGH (>75%)Active exploitation confirmed; state agencies known to run these platforms; automated scanning is trivial
FSB Center 16 router scanning yields compromised devices in U.S. government networksMODERATE (40–60%)12-nation advisory is a leading indicator; scanning is confirmed active; many state devices likely have weak SNMP
Ransomware group (Akira or Deadlock) claims a U.S. state/local government victimMODERATE (40–60%)Four groups simultaneously active against government; TA505 C2 infrastructure freshly staged; historical tempo supports this
TA505 launches phishing campaign against government targets using 80.87.206[.]239 infrastructureMODERATE (40–60%)Infrastructure staging pattern historically precedes campaign launch by 3–7 days
Direct APT28 intrusion attempt against state government infrastructureLOW (<25%)APT28 primarily targets federal/defense; spillover possible but not primary targeting
Destructive attack on U.S. water/energy infrastructure (VOID MANTICORE or FSB Center 16 pattern)LOW (<25%)Capability confirmed (California water utility Jun 12, Poland grid Dec 2025); but escalation threshold remains high absent geopolitical trigger

FSB Center 16 Router Compromise:

Query all Cisco device logs for Smart Install protocol activity (TCP/4786). Alert on any TFTP configuration exfiltration from network devices. Hunt for SNMP authentication failures followed by successful authentication (brute-force pattern). Baseline SNMP community strings — any device still on SNMPv1/v2 with "public" or "private" strings is presumed targeted. Monitor for unexpected configuration changes on routers/switches.

APT28 Expiro/PowerShell Loaders:

Deploy hash-based detection for the four MD5s below. Hunt for PowerShell execution with encoded commands spawned from Office applications or PDF readers. Alert on powershell.exe with -enc or -encodedcommand flags launched by non-admin users. Monitor for file infector behavior: unexpected modification of legitimate executables (Expiro signature).

TA505 C2 Infrastructure:

Block 80.87.206[.]239 at all perimeter firewalls, proxy servers, and DNS sinkholes. Hunt historical netflow for any prior connections to this IP. Monitor for connections to OVHcloud (ASN 16276) IP ranges from internal systems — while OVHcloud is legitimate, unusual outbound connections to Russian-geolocated OVHcloud IPs warrant investigation.

ColdFusion Exploitation:

If ColdFusion is deployed: review web server logs for path traversal patterns (../, ..%2f, %252e%252e). Alert on new file creation in ColdFusion web roots (webshell deployment). Monitor for cmd.exe or powershell.exe spawned by ColdFusion service processes. Check for unexpected outbound connections from ColdFusion servers.

Joomla Extension Exploitation:

Review web logs for POST requests to iCagenda or SP Page Builder upload endpoints. Alert on new PHP/JSP files created in Joomla upload directories. Monitor for web shells: unusual HTTP response sizes from upload directories.

ThreatATT&CK
FSB Center 16 Router CompromiseT1557 T1048 T1078 T1601.001
APT28 Expiro/PowerShell LoadersT1059.001 T1105 T1204.002
TA505 C2 InfrastructureT1071 T1571
ColdFusion ExploitationT1190 T1059 T1083
Joomla Extension ExploitationT1190
IOC Blocking Table:
80.87.206[.]239

80.87.206[.]239 — TA505 government-targeting C2, confidence 95. Block at all perimeter firewalls, proxies, and DNS. APT28 malware hashes (MD5): 89618515b9522c0ae1914dd8b4147ac5 (Expiro loader), 5e8bf20650411220c6514dff67f2e2b6 (PowerShell loader), c2b3338ee82496f8c6154f2f560e59b7 (PowerShell loader), 176b0e6caed3ee017e138d5f6454aab7 (PowerShell loader) — alert and investigate on any match. Additional IOCs available via Anomali ThreatStream and partner feeds.

Hunting Hypotheses:
HUNT 01 · T1557
Router compromised via weak SNMP, exfiltrating configs?
Search for TFTP transfers from network devices to unknown destinations; SNMP SET operations from non-management IPs; router configuration files appearing in unexpected locations.
HUNT 02 · T1190
ColdFusion portal backdoored for initial access?
Search for new files in ColdFusion directories created after July 7; ColdFusion processes spawning shells; outbound connections from ColdFusion servers to non-standard ports.
HUNT 03 · T1071
TA505 phishing already delivered access, beacon calling home?
Search for DNS queries or connections to 80.87.206[.]239; new scheduled tasks or services created in the last 72 hours; unusual PowerShell or WMI activity on workstations.
HUNT 04 · T1195.002
Developer workstation infected via poisoned Visual Studio project (Siggen)?
Search for unexpected pre-build commands in .vcxproj or .csproj files; Visual Studio processes making network connections to Steam or GitHub for C2 resolution; modifications to Windows SDK header files.

Financial Services
State Treasury, Revenue, Tax Systems
Primary threat
TA505 phishing → Clop ransomware targeting financial data; Lumma Stealer credential harvesting
Actions
  • Enforce phishing-resistant MFA on all treasury and revenue system access
  • Block 80.87.206[.]239; hunt for Lumma Stealer artifacts (browser credential store access, exfiltration to Telegram/Discord)
  • Monitor for unusual bulk data access patterns in tax/revenue databases; credential stuffing against citizen-facing tax portals
Energy
State-Managed Utilities, Grid Interconnects
Primary threat
FSB Center 16 destructive capability (DynoWiper precedent); Schneider Electric Easergy MiCOM Px40 vulnerability in substation relays
Actions
  • Audit all Schneider Electric protection relays for firmware currency; segment OT networks from IT
  • Validate SNMP hardening on all SCADA-adjacent network devices
  • Monitor for unexpected commands to protection relays; TFTP transfers from OT network segments; any IT-to-OT lateral movement
Healthcare
Health & Human Services, Medicaid Systems
Primary threat
Ransomware (Akira, Deadlock) targeting healthcare data for double extortion; ColdFusion exploitation of benefits portals
Actions
  • Confirm ColdFusion patch status on all HHS portals
  • Validate offline backup integrity for Medicaid/benefits databases
  • Ensure incident response playbook covers PHI breach notification timelines; monitor bulk PII/PHI exfiltration patterns and lateral movement from DMZ web servers to backend databases
Government
Courts, Elections, Public Safety, DMV
Primary threat
APT28 espionage targeting government PII; ransomware disruption of public services; FSB Center 16 router compromise for persistent access
Actions
  • Deploy APT28 IOC hashes across all endpoints
  • Audit Cisco Smart Install on all network devices; ensure elections infrastructure is segmented and monitored independently
  • Monitor unusual access to voter registration databases; PowerShell execution on domain controllers; configuration changes on network devices outside maintenance windows
Aviation / Logistics
State DOT, Port Authorities, Transit
Primary threat
Supply chain compromise via developer tooling (Siggen backdoor); ICS vulnerabilities in transit SCADA systems
Actions
  • Brief development teams on the Siggen Visual Studio infection vector
  • Audit OpenPLC deployments in transit control systems
  • Validate network segmentation between corporate IT and operational transit systems; monitor for unexpected modifications to source code repositories and lateral movement from corporate to OT segments
No sector cards match the selected filters.

Audit ALL Cisco devices for Smart Install feature (TCP/4786) — disable Smart Install or confirm CVE-2018-0171 patch applied. FSB Center 16 is actively scanning for this globally.
Incident Responder
Confirm Adobe ColdFusion instances patched beyond versions 2025.9/2023.20. CVE-2026-48282 (CVSS 10.0) is actively exploited. Any unpatched portal should be taken offline pending patching.
Incident Responder
Block IP 80.87.206[.]239 at all perimeter firewalls, proxies, and DNS. TA505 government-targeting C2, confidence 95.
SOC Analyst
Deploy hash-based detection for APT28 samples: 89618515b9522c0ae1914dd8b4147ac5, 5e8bf20650411220c6514dff67f2e2b6, c2b3338ee82496f8c6154f2f560e59b7, 176b0e6caed3ee017e138d5f6454aab7
SOC Analyst
Brief executive leadership: Russian cyber operations under international sanctions today — elevated risk of retaliatory or accelerated operations against Western government targets in the near term.
CISO / Exec
No immediate actions for the selected roles.
Migrate ALL network devices from SNMPv1/v2 to SNMPv3 with authentication and encryption. Any device with plaintext community strings is a confirmed FSB Center 16 target.
Incident ResponderIAM Analyst
Inventory all Joomla instances — identify and patch or decommission any running iCagenda (CVE-2026-48939) or SP Page Builder (CVE-2026-48908). Both are CVSS 9.8, both on KEV, both allow unauthenticated RCE.
Incident Responder
Brief development teams on the Siggen backdoor infection vector — inspect Visual Studio .vcxproj/.csproj files for unexpected pre-build commands; scan externally-sourced code projects before opening.
Threat Hunter
Conduct a threat hunt for historical connections to 80.87.206[.]239 and for Smart Install protocol activity (TCP/4786) in netflow data from the past 90 days.
SOC Analyst
Update the ransomware incident response playbook to account for four simultaneously active government-targeting groups (Deadlock, Akira, BITWISE SPIDER, WARLOCK SPIDER). Validate backup restoration procedures.
Incident Responder
No 7-day actions for the selected roles.
Commission assessment of all Schneider Electric Easergy MiCOM Px40 protection relays in state-managed electrical infrastructure — confirm firmware patched per ICSA-26-190-03.
ICS / OTCISO / Exec
Conduct a comprehensive Joomla extension audit across all state web properties — the pattern of systematic Joomla extension exploitation (3 extensions in 3 weeks) indicates broader ecosystem risk beyond the two current KEVs.
Incident Responder
Evaluate network architecture for router compromise resilience — implement out-of-band management for critical network devices; deploy configuration integrity monitoring to detect unauthorized changes.
CISO / Exec
Conduct a tabletop exercise simulating simultaneous ransomware attack on citizen services AND router compromise discovery — test coordination between SOC, IT Ops, and executive leadership under dual-incident pressure.
Incident ResponderCISO / Exec
Review and update cyber insurance policy coverage in light of nation-state attribution (FSB Center 16, APT28) — confirm war exclusion clauses do not create coverage gaps for state-sponsored criminal operations.
CISO / Exec
No 30-day actions for the selected roles.
The Bottom Line

Today's EU/UK sanctions and 12-nation advisory are not just diplomatic signals — they are intelligence confirmations. FSB Center 16 is actively scanning your routers. APT28 is actively producing malware targeting your sector. TA505 has staged infrastructure for an imminent campaign against government. And four ransomware groups are simultaneously hunting in your space. The sanctions may provoke acceleration, not deterrence — when threat actors are publicly exposed, the historical pattern is intensified operations in the short term, either to demonstrate capability or to exploit access before it's burned.

1
Disable Cisco Smart Install and patch ColdFusion within 24 hours.
2
Block the TA505 C2 IP and hunt for APT28 hashes today.
3
Harden SNMP across your entire network device fleet within 7 days — everything else flows from whether those routers are already compromised.
No items found.