Iran-Linked Hackers Disrupt U.S. Critical Infrastructure via PLC Attacks as FBI Dismantles Russian APT28 Espionage Network

1. Executive Summary

This week's intelligence landscape is dominated by significant nation-state threat activity targeting U.S. critical infrastructure, with Iranian-affiliated actors causing operational disruptions through attacks on internet-exposed programmable logic controllers (PLCs) and SCADA systems. Simultaneously, U.S. federal authorities successfully disrupted a widespread Russian espionage operation leveraging compromised routers across 18,000 devices.

Key Developments:

  • Iranian OT Attacks: CISA and federal partners issued an urgent advisory warning that Iran-linked cyber actors are actively targeting internet-facing operational technology devices across multiple U.S. critical infrastructure sectors, with confirmed operational disruptions reported.
  • Russian APT28 Disruption: The FBI dismantled a Forest Blizzard (APT28) espionage network that exploited vulnerable TP-Link and MikroTik routers to conduct adversary-in-the-middle attacks and DNS hijacking operations targeting Ukraine and NATO allies.
  • Healthcare Sector Impact: Signature Healthcare in Massachusetts diverted ambulances and canceled services following a cyberattack, highlighting continued targeting of healthcare facilities.
  • FBI Cybercrime Report: The FBI's annual Internet Crime Report reveals cybercrime losses approached $21 billion in 2025, with investment fraud, business email compromise, and tech support scams causing the highest financial impact.
  • Critical Vulnerabilities: CISA issued an emergency directive requiring federal agencies to patch an actively exploited Ivanti EPMM vulnerability by April 13, 2026. Additionally, a 13-year-old RCE vulnerability was discovered in Apache ActiveMQ Classic.
  • AI-Driven Vulnerability Discovery: Anthropic announced Project Glasswing, utilizing its Claude Mythos AI model to autonomously discover thousands of zero-day vulnerabilities across major systems, signaling a paradigm shift in vulnerability research.

2. Threat Landscape

Nation-State Threat Actor Activities

Iran-Linked Critical Infrastructure Targeting

Federal agencies including CISA have issued urgent warnings regarding Iranian-affiliated cyber actors actively targeting U.S. critical infrastructure through attacks on internet-exposed operational technology (OT) devices. The campaign specifically targets programmable logic controllers (PLCs) and SCADA systems across multiple sectors, with confirmed reports of operational disruptions and financial losses at affected facilities.

Key Observations:

  • Attackers are exploiting default credentials and known vulnerabilities in internet-facing PLCs
  • Multiple critical infrastructure sectors have reported real-world operational impacts
  • The campaign demonstrates Iran's continued focus on OT/ICS environments
  • Despite a shaky ceasefire, Iran-linked hackers have vowed to revive efforts against America "when the time is right", according to security researchers' assessments

Sources: SecurityWeek, The Hacker News, CISA, Homeland Security Today

Russian APT28 (Forest Blizzard) Operations

U.S. authorities successfully disrupted a sophisticated Russian espionage operation attributed to APT28 (also known as Forest Blizzard and Pawn Storm), a threat group linked to Russia's GRU military intelligence agency. The operation compromised approximately 18,000 devices globally.

Technical Details:

  • Exploited vulnerable TP-Link and MikroTik routers to build a malicious network
  • Conducted adversary-in-the-middle (AitM) attacks to intercept network traffic
  • Performed DNS hijacking to redirect victims to credential-harvesting infrastructure
  • Targeted Microsoft account credentials and session tokens
  • Deployed previously undocumented PRISMEX malware in spear-phishing campaigns targeting Ukraine and NATO allies

Sources: SecurityWeek, CyberScoop, Infosecurity Magazine

North Korean Supply Chain Attacks

The Contagious Interview campaign, attributed to North Korean threat actors, has expanded its malicious package distribution across multiple software ecosystems. Researchers identified approximately 1,700 malicious packages targeting npm, PyPI, Go, and Rust package repositories, representing a significant expansion of supply chain attack capabilities.

Source: The Hacker News

Ransomware and Cybercriminal Developments

FBI Internet Crime Report 2025

The FBI received over 1 million complaints of malicious cyber activity in 2025, with total losses approaching $21 billion. Key findings include:

  • Investment Scams: Highest financial losses, often involving cryptocurrency
  • Business Email Compromise (BEC): Continues to cause significant enterprise losses
  • Tech Support Scams: Remain a persistent threat, particularly targeting elderly victims

Source: SecurityWeek

Hack-for-Hire Operations

A coordinated spyware campaign targeting journalists in the Middle East and North Africa has been attributed to the suspected Indian government-connected group known as Bitter. The campaign deployed ProSpy spyware and other surveillance tools against media professionals.

Source: CyberScoop

Emerging Botnets and DDoS Threats

Masjesu Botnet

Security researchers have identified a new DDoS-for-hire botnet called Masjesu, advertised via Telegram and targeting IoT devices globally. Notable characteristics include:

  • Focuses on persistence rather than widespread infection
  • Deliberately avoids blacklisted IPs and critical infrastructure entities
  • Operates as a commercial DDoS-for-hire service

Sources: SecurityWeek, The Hacker News

Chaos Malware Variant

A new variant of the Chaos malware has been observed targeting misconfigured cloud deployments, adding SOCKS proxy capabilities. This expansion indicates threat actors are increasingly targeting cloud infrastructure misconfigurations.

Source: The Hacker News

Russia's Shadow War in Europe

A new report warns that Russia's "shadow war" is expanding across Europe, encompassing hybrid warfare tactics including cyber operations, sabotage, and influence campaigns targeting critical infrastructure and democratic institutions.

Source: Homeland Security Today

3. Sector-Specific Analysis

Energy Sector

Threat Level: ELEVATED

The energy sector remains a primary target of Iranian-linked cyber actors exploiting internet-exposed PLCs and SCADA systems. Organizations should immediately audit all internet-facing OT assets and implement network segmentation.

Key Concerns:

  • Direct targeting of industrial control systems by nation-state actors
  • Potential for cascading impacts across interconnected grid systems
  • Supply chain vulnerabilities in the Strait of Hormuz affecting energy logistics

Recommended Actions:

  • Conduct immediate inventory of all internet-exposed OT/ICS devices
  • Implement network segmentation between IT and OT environments
  • Review and rotate default credentials on all PLC and SCADA systems
  • Enable enhanced logging and monitoring for OT network traffic

Water and Wastewater Systems

Threat Level: ELEVATED

Water utilities are explicitly included in the Iranian PLC targeting campaign. The sector's historically limited cybersecurity resources make it particularly vulnerable to these attacks.

Recommended Actions:

  • Immediately disconnect PLCs from direct internet access where operationally feasible
  • Implement VPN or jump server requirements for remote access
  • Review CISA's water sector-specific guidance and implement recommended controls
  • Establish manual override procedures for critical treatment processes

Healthcare and Public Health

Threat Level: HIGH

Active Incident: Signature Healthcare Cyberattack

Signature Healthcare in Massachusetts experienced a significant cyberattack forcing the diversion of ambulances and cancellation of services. Pharmacies affiliated with the healthcare system are unable to fill prescriptions, directly impacting patient care.

Impact Assessment:

  • Emergency services disrupted with ambulance diversions
  • Pharmacy operations halted, affecting medication access
  • Scheduled services and appointments canceled
  • Potential patient data exposure under investigation

Sector-Wide Recommendations:

  • Review and test incident response plans for ransomware scenarios
  • Ensure offline backup systems for critical patient care functions
  • Establish mutual aid agreements with neighboring healthcare facilities
  • Conduct tabletop exercises focused on operational continuity during cyber incidents

Source: SecurityWeek

Communications and Information Technology

Threat Level: ELEVATED

Supply Chain Compromise Concerns

Multiple supply chain threats emerged this week:

  • Python/LiteLLM Compromise: A supply chain compromise was identified in the LiteLLM Python package, highlighting ongoing risks in open-source software dependencies
  • North Korean Package Campaigns: 1,700 malicious packages distributed across npm, PyPI, Go, and Rust ecosystems
  • WordPress Vulnerabilities: Critical Ninja Forms vulnerability enabling site takeover is being actively exploited

LEO Satellite Communications Risk

Analysis indicates that supply chain disruptions in the Strait of Hormuz could threaten Low Earth Orbit (LEO) satellite communications resilience, with potential implications for communications infrastructure globally.

Source: Homeland Security Today

Transportation Systems

Threat Level: MODERATE

Maritime Security Update

Iran continues to tighten control over the Strait of Hormuz, with shipping forced into controlled routes under Islamic Revolutionary Guard Corps oversight. While traffic volume remains steady, the geopolitical situation presents ongoing risks to maritime supply chains.

Aviation Sector:

ASRC Federal was selected for the FAA Second Level Engineering Services Contract, supporting continued modernization of aviation infrastructure systems.

Source: Homeland Security Today

Financial Services

Threat Level: MODERATE

The sector faces continued threats from BEC schemes and investment fraud, as highlighted in the FBI's 2025 Internet Crime Report. Additionally, the UNC6783 threat actor is compromising business process outsourcing (BPO) providers to gain access to high-value financial sector targets.

Cryptocurrency Concerns:

MEMRI's Cyber & Jihad Lab continues to monitor an uptick in ISIS-K use of cryptocurrency for financing operations, presenting potential compliance and security implications for financial institutions.

Sources: SecurityWeek, Homeland Security Today

Government Facilities

Threat Level: ELEVATED

LAPD Data Breach

A data breach has resulted in the exposure of sensitive Los Angeles Police Department records. The incident underscores the continued targeting of law enforcement and government databases by threat actors.

Source: Security Magazine

4. Vulnerability and Mitigation Updates

Critical Vulnerabilities Requiring Immediate Attention

CISA Emergency Directive: Ivanti EPMM (CVE-2026-XXXX)

Severity: CRITICAL | Deadline: April 13, 2026

CISA has issued an emergency directive requiring federal agencies to patch an actively exploited vulnerability in Ivanti Endpoint Manager Mobile (EPMM) within four days. The vulnerability has been exploited in attacks since January 2026.

Required Actions:

  • Apply vendor patches immediately
  • If patching is not possible, implement network isolation
  • Review logs for indicators of compromise
  • Report any suspected compromises to CISA

Source: Bleeping Computer

Apache ActiveMQ Classic RCE (13-Year-Old Vulnerability)

Severity: HIGH

Security researchers, assisted by Anthropic's Claude AI, discovered a remote code execution vulnerability in Apache ActiveMQ Classic that has existed undetected for 13 years. While the primary vulnerability requires authentication, a secondary flaw exposes the Jolokia API without authentication.

Affected Systems: Apache ActiveMQ Classic installations

Recommended Action: Apply patches immediately; audit systems for potential historical compromise

Sources: SecurityWeek, Bleeping Computer, Infosecurity Magazine

OpenSSL Data Leakage Vulnerability

Severity: MODERATE to HIGH

Seven vulnerabilities have been patched in OpenSSL, including a data leakage vulnerability. Most can be exploited for denial-of-service attacks.

Recommended Action: Update OpenSSL to the latest patched version

Source: SecurityWeek

Ninja Forms WordPress Plugin (CVE-2026-XXXX)

Severity: CRITICAL | Status: Actively Exploited

A critical vulnerability in the Ninja Forms WordPress plugin allows unauthenticated arbitrary file uploads, enabling remote code execution and complete site takeover.

Recommended Action: Update to version 3.3.27 immediately

Sources: SecurityWeek, Infosecurity Magazine

Flowise AI Workflow Vulnerability

Severity: CRITICAL | Status: Actively Exploited

Hackers are exploiting a critical flaw in Flowise affecting thousands of AI workflow deployments.

Recommended Action: Review Flowise deployments and apply available patches

Source: CSO Online

Google API Key Vulnerability

A flaw in Google API key handling exposes mobile applications to unauthorized Gemini AI access, private file exposure, and billing risks on Android devices.

Source: Infosecurity Magazine

Notable Security Tools and Frameworks

Microsoft Agent Governance Toolkit

Microsoft released a new Agent Governance Toolkit designed to address top OWASP risks for AI agents, providing organizations with tools to secure AI deployments.

Source: CSO Online

Anthropic Project Glasswing

Anthropic announced Project Glasswing, utilizing its Claude Mythos Preview AI model to autonomously identify and fix undiscovered vulnerabilities in critical software. The initiative has already discovered thousands of zero-day flaws across major systems, representing a significant advancement in AI-assisted vulnerability research.

Implications for Defenders:

  • Accelerated vulnerability discovery may compress patch timelines
  • Organizations should prepare for increased vulnerability disclosure volume
  • AI-assisted security tools may become essential for keeping pace with threats

Sources: The Hacker News, Infosecurity Magazine, CSO Online

Defensive Recommendations

For OT/ICS Environments (Iranian Threat Response)

  • Immediately audit all internet-exposed PLCs and SCADA systems
  • Implement network segmentation between IT and OT networks
  • Deploy monitoring solutions capable of detecting anomalous OT traffic
  • Review and change default credentials on all industrial control systems
  • Establish out-of-band communication channels for incident response
  • Document manual override procedures for critical processes
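
The inventory audit, credential review and remote-access points above can be turned into a repeatable check against an asset-management export. The following script is an added example written for this briefing; it is not from CISA or any of the cited sources. The inventory columns, the industrial protocol port list and the sample hosts are assumptions, and the documentation address ranges (203.0.113.0/24, 198.51.100.0/24) stand in for public addresses in the constructed sample.

```python
"""Flag the OT assets that need attention first.

Added example (not from the briefing or from CISA): it reads a constructed
asset inventory and reports PLC/SCADA devices that are reachable on a public
address over an industrial protocol port, still use vendor default
credentials, or allow direct remote access instead of a VPN or jump host.
The inventory columns and the protocol-port list are assumptions.
"""
import csv
import io
import ipaddress

# Illustrative industrial protocol ports (assumption: extend for your site).
OT_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Address space treated as internal. Anything else counts as publicly routed,
# so the documentation ranges (203.0.113.0/24, 198.51.100.0/24) used in the
# constructed sample stand in for public addresses.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample export from an asset-management system; no real hosts.
SAMPLE_INVENTORY = """\
asset,site,ip,listening_ports,default_credentials,remote_access
plc-boiler-01,plant-a,203.0.113.10,"502,80",yes,direct
plc-pump-02,plant-a,10.20.1.15,502,no,vpn
hmi-water-01,plant-b,198.51.100.7,"4840,443",no,direct
rtu-sub-03,plant-b,192.168.4.2,20000,yes,jump-host
plc-line-04,plant-c,203.0.113.22,"22,443",no,vpn
"""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def is_public(ip):
    """True unless the address falls in one of the internal ranges."""
    return not any(ip in net for net in INTERNAL_NETWORKS)


def parse_inventory(text):
    """Parse the CSV export into typed rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "asset": row["asset"].strip(),
            "ip": ipaddress.ip_address(row["ip"].strip()),
            "listening_ports": {int(p) for p in row["listening_ports"].split(",") if p.strip()},
            "default_credentials": row["default_credentials"].strip().lower() == "yes",
            "remote_access": row["remote_access"].strip().lower(),
        })
    return rows


def severity(public, exposed_ot, default_creds):
    """Rank: public + OT port is high, critical if defaults are also in use."""
    if public and exposed_ot:
        return "critical" if default_creds else "high"
    if public or default_creds:
        return "medium"
    return None


def audit(rows):
    """Return {asset: (severity, [issues])}, worst assets first."""
    findings = {}
    for r in rows:
        public = is_public(r["ip"])
        exposed_ot = sorted(p for p in r["listening_ports"] if p in OT_PORTS)
        issues = []
        if public and exposed_ot:
            issues.append("internet-exposed OT protocol: "
                          + ", ".join(f"{p}/{OT_PORTS[p]}" for p in exposed_ot))
        elif public:
            issues.append("OT asset on a public address (no OT port observed)")
        if r["default_credentials"]:
            issues.append("vendor default credentials still in use")
        if public and r["remote_access"] == "direct":
            issues.append("direct remote access; route through VPN or jump host")
        sev = severity(public, bool(exposed_ot), r["default_credentials"])
        if sev:
            findings[r["asset"]] = (sev, issues)
    return dict(sorted(findings.items(), key=lambda kv: SEVERITY_RANK[kv[1][0]]))


if __name__ == "__main__":
    for asset, (sev, issues) in audit(parse_inventory(SAMPLE_INVENTORY)).items():
        print(f"[{sev.upper():8}] {asset}")
        for issue in issues:
            print(f"           - {issue}")
```

The ranking deliberately puts a publicly reachable OT port ahead of default credentials on an internal device: the former is what the advisory describes as being exploited, and it is also the finding that network segmentation or a jump host removes outright. Replace the constructed CSV with your own export and extend OT_PORTS for the protocols actually present on site.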

For Network Infrastructure (APT28 Response)

  • Audit TP-Link and MikroTik router configurations
  • Update router firmware to latest versions
  • Implement DNS security monitoring
  • Review authentication logs for suspicious Microsoft account activity
  • Consider implementing DNSSEC where feasible
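
The DNS monitoring and router configuration review above amount to two checks on the same data: is each router still pointed at an approved resolver, and do the answers users receive for sensitive names match what the authoritative zone publishes. The script below is an added example for this briefing, not from the FBI, Microsoft or any cited source. The log format, the approved resolver set, the baseline records and the example.com names are all assumptions; build the baseline from your own authoritative zone or a trusted out-of-band resolver.

```python
"""Detect DNS hijacking and rogue resolver settings from router DNS logs.

Added example (not from the briefing or from the FBI/Microsoft reporting): it
replays constructed DNS query logs exported from edge routers and raises an
alert when a router is using a resolver outside the approved set, or when a
monitored name resolves to an address outside its known-good baseline. The
log format, resolver list, baseline and domains are assumptions.
"""
from collections import Counter, namedtuple

# Resolvers the routers are supposed to be configured with (assumption).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Known-good answers for the names worth watching, e.g. the identity provider
# and mail endpoints users sign in to. Constructed values; build yours from
# the authoritative zone or a trusted out-of-band resolver.
BASELINE = {
    "login.example.com": {"198.51.100.10", "198.51.100.11"},
    "mail.example.com": {"198.51.100.20"},
}

# Constructed router DNS log: one query per line, key=value fields.
SAMPLE_LOG = """\
2026-04-10T12:00:01Z router=rtr-hq-01 resolver=10.0.0.53 qname=login.example.com answer=198.51.100.10
2026-04-10T12:00:05Z router=rtr-branch-07 resolver=203.0.113.66 qname=login.example.com answer=203.0.113.77
2026-04-10T12:00:09Z router=rtr-branch-03 resolver=10.0.1.53 qname=mail.example.com answer=198.51.100.20
2026-04-10T12:00:12Z router=rtr-branch-03 resolver=10.0.1.53 qname=login.example.com answer=203.0.113.77
2026-04-10T12:00:15Z router=rtr-hq-01 resolver=10.0.0.53 qname=cdn.example.net answer=198.51.100.99
"""

Alert = namedtuple("Alert", "timestamp router kind detail")


def parse_line(line):
    """Turn '<ts> k=v k=v ...' into a dict; unknown keys are kept as-is."""
    timestamp, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["timestamp"] = timestamp
    return record


def analyze(log_text, baseline=BASELINE, approved=APPROVED_RESOLVERS):
    """Return the list of alerts raised by the log, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # A router whose DNS setting was changed to an attacker-controlled
        # resolver shows up here even before any answer is wrong.
        if rec["resolver"] not in approved:
            alerts.append(Alert(rec["timestamp"], rec["router"],
                                "unapproved_resolver", rec["resolver"]))
        # A wrong answer from an approved resolver points at tampering
        # further upstream (or a poisoned cache) and gets the same treatment.
        expected = baseline.get(rec["qname"].lower().rstrip("."))
        if expected is not None and rec["answer"] not in expected:
            alerts.append(Alert(rec["timestamp"], rec["router"],
                                "unexpected_answer", f"{rec['qname']} -> {rec['answer']}"))
    return alerts


def routers_to_check(alerts):
    """Routers ranked by how many alerts they produced."""
    return [router for router, _ in Counter(a.router for a in alerts).most_common()]


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.router:15} {a.kind:20} {a.detail}")
    print("check first:", ", ".join(routers_to_check(found)))
```

Names that are not in the baseline (the CDN entry in the sample) are ignored rather than alerted on, since round-robin and CDN records change too often to baseline by hand; keep the watch list to the handful of sign-in and mail endpoints where a wrong answer means credential theft. A router that appears under both alert kinds is the one to pull the configuration from and reflash first.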

5. Resilience and Continuity Planning

Lessons Learned: Healthcare Sector Incident Response

The Signature Healthcare cyberattack provides several lessons for healthcare organizations and other critical infrastructure operators:

  • Ambulance Diversion Protocols: Pre-established mutual aid agreements enabled patient care continuity despite system outages
  • Pharmacy Operations: Dependency on digital systems for prescription fulfillment created patient care gaps; manual backup procedures should be documented and tested
  • Communication Plans: Clear public communication about service disruptions helps manage patient expectations and safety

Ransomware Response Best Practices

Security Magazine published guidance on ransomware response, emphasizing that while organizations cannot control when attacks occur, they can control their response. Key recommendations include:

  • Maintain offline, tested backups of critical systems and data
  • Establish clear decision-making authority for incident response
  • Pre-negotiate relationships with incident response firms and legal counsel
  • Document and regularly test recovery procedures
  • Conduct tabletop exercises that include executive leadership

Source: Security Magazine

Tabletop Exercise Evolution

CSO Online reports on the evolution of tabletop exercises, noting that modern exercises are becoming more sophisticated and realistic. Organizations should consider:

  • Incorporating real-world threat intelligence into scenarios
  • Including cross-functional teams beyond IT security
  • Testing communication and decision-making under pressure
  • Evaluating third-party and supply chain dependencies

Source: CSO Online

Supply Chain Security Developments

Strait of Hormuz Implications

Iran's tightened control over the Strait of Hormuz presents supply chain risks extending beyond energy to include:

  • Components for LEO satellite communications systems
  • Industrial equipment and spare parts
  • Technology hardware supply chains

Recommended Actions:

  • Assess supply chain dependencies on Hormuz transit routes
  • Identify alternative suppliers and logistics pathways
  • Increase inventory buffers for critical components
  • Monitor geopolitical developments affecting maritime shipping

Software Supply Chain

The Python/LiteLLM compromise and North Korean package campaigns highlight ongoing software supply chain risks:

  • Implement software composition analysis (SCA) tools
  • Establish approved package repositories
  • Monitor for dependency confusion attacks
  • Review third-party code before integration
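
The approved-repository and dependency-confusion items above can be enforced mechanically over the packages a build actually resolved. The following script is an added example written for this briefing; it is not from LiteLLM, from the researchers who reported the North Korean package campaign, or from any cited source. The internal package names, index URLs, known-package allowlist and the resolution report it reads are all assumptions.

```python
"""Check resolved Python dependencies for supply-chain red flags.

Added example (not from the briefing or from any of the projects it names):
it walks a constructed list of resolved packages (name, version, index URL)
and flags three patterns: an internal package name that was fetched from a
public index (dependency confusion), a package served by an index that is
not on the approved list, and a name one edit away from a well-known package
(typosquatting). Package names, index URLs and the known-package list are
assumptions.
"""
import re

# Names that only exist in the private index (assumption).
INTERNAL_PACKAGES = {"acme-auth", "acme-billing"}
PRIVATE_INDEX = "https://pypi.internal.example/simple"
APPROVED_INDEXES = {PRIVATE_INDEX, "https://pypi.org/simple"}

# A short allowlist of popular names to compare against; a real deployment
# would load the top-N names from its approved index (assumption).
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "boto3", "litellm"}

# Constructed resolution report: (name, version, index the wheel came from).
RESOLVED = [
    ("acme-auth", "2.3.1", PRIVATE_INDEX),
    ("acme_billing", "1.0.4", "https://pypi.org/simple"),
    ("requests", "2.32.3", "https://pypi.org/simple"),
    ("reqeusts", "2.32.3", "https://pypi.org/simple"),
    ("litellm", "1.40.0", "https://mirror.example.net/simple"),
]


def normalize(name):
    """PEP 503 normalisation so acme_billing and Acme.Billing compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute cost 1,
    and a swap of two adjacent characters also costs 1, which is the
    typo pattern typosquatters rely on most."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check(resolved, internal=INTERNAL_PACKAGES, approved=APPROVED_INDEXES,
          known=KNOWN_PACKAGES):
    """Return a list of (package, finding, detail) tuples in input order."""
    findings = []
    internal = {normalize(n) for n in internal}
    known = {normalize(n) for n in known}
    for raw_name, version, index in resolved:
        name = normalize(raw_name)
        # Internal names must only ever come from the private index; the
        # public copy is the dependency-confusion payload.
        if name in internal and index != PRIVATE_INDEX:
            findings.append((raw_name, "dependency_confusion", f"internal name served by {index}"))
        elif index not in approved:
            findings.append((raw_name, "unapproved_index", index))
        # Typosquat check only for names we do not already recognise; the
        # length floor avoids noise on very short names.
        if name not in internal and name not in known and len(name) >= 5:
            close = [k for k in known if osa_distance(name, k) == 1]
            if close:
                findings.append((raw_name, "possible_typosquat",
                                 f"looks like {', '.join(sorted(close))}"))
    return findings


if __name__ == "__main__":
    for pkg, kind, detail in check(RESOLVED):
        print(f"{kind:20} {pkg:15} {detail}")
```

Run this against the resolution report of a build (for pip, the `--report` output of `pip install`, or the contents of a lockfile that records index URLs) rather than against the requirements file, because the attack is in where the name was resolved from, not in what was asked for. Pinning internal names to the private index in the installer configuration removes the first finding class entirely; the typosquat and index checks still catch the packages a developer added by hand.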

Cross-Sector Dependencies

This week's Iranian OT attacks underscore the interconnected nature of critical infrastructure:

  • Energy → Water: Power disruptions affect water treatment and distribution
  • Communications → All Sectors: Network compromises can cascade across dependent systems
  • Healthcare → Public Safety: Hospital disruptions affect emergency response capabilities

Organizations should map their dependencies on other critical infrastructure sectors and develop contingency plans for upstream disruptions.

6. Regulatory and Policy Developments

Federal Cybersecurity Initiatives

CISA Emergency Directive on Ivanti EPMM

CISA's emergency directive requiring federal agencies to patch Ivanti EPMM vulnerabilities by April 13, 2026, reflects the urgency of addressing actively exploited vulnerabilities. While binding only on federal agencies, private sector organizations should treat this as a strong signal to prioritize similar patching efforts.

FBI Cybercrime Statistics

The FBI's 2025 Internet Crime Report documenting nearly $21 billion in losses provides data supporting continued investment in cybersecurity programs and may influence future regulatory requirements.

International Developments

Russia's Shadow War

Reports of Russia's expanding "shadow war" across Europe may influence transatlantic cybersecurity cooperation and information sharing arrangements. Organizations with European operations should monitor for potential regulatory responses.

Iran Ceasefire Implications

Despite a reported ceasefire, Iranian-linked hackers have indicated intentions to resume operations against U.S. targets. This suggests that current threat levels should be maintained regardless of diplomatic developments.

Privacy and Data Protection

LinkedIn Data Practices

Questions have been raised about how LinkedIn uses the petabytes of data it collects, potentially signaling increased regulatory scrutiny of large-scale data collection practices.

Source: CSO Online

Compliance Considerations

Immediate Deadlines:

  • April 13, 2026: Federal agencies must complete Ivanti EPMM patching per CISA emergency directive

Ongoing Requirements:

  • Organizations in critical infrastructure sectors should review sector-specific cybersecurity requirements
  • Healthcare entities should ensure HIPAA security rule compliance in light of continued sector targeting
  • Financial institutions should review BSA/AML compliance regarding cryptocurrency-related threats

7. Training and Resource Spotlight

Upcoming Training and Events

NIST Workshop: Blockchain and Distributed Ledger Technologies

Date: April 16, 2026

NIST will host a workshop examining blockchain and DLT potential for supporting new forms of digital infrastructure and recordkeeping. Relevant for organizations exploring blockchain applications in critical infrastructure.

Source: NIST

Improving the Nation's Cybersecurity - Open Forum

Date: April 30, 2026

Red Hat, NIST, and the Office of Space Commerce are co-hosting the fifth annual Cybersecurity Open Forum. This event provides opportunities for public-private dialogue on national cybersecurity priorities.

Source: NIST

NICE Webinar: Beyond Technical Skills - The Human Element of a Cyber Career

Date: May 13, 2026

This NIST NICE webinar will address non-technical aspects of cybersecurity careers, moderated by Daniel Eliot, Lead for Small Business Engagement at NIST.

Source: NIST

MLXN: Machine Learning for X-ray and Neutron Scattering

Date: April 13, 2026

Building on previous workshops, this event continues exploration of machine learning applications in scientific research.

Source: NIST

Artificial Intelligence for Manufacturing Workshop

Date: May 27, 2026

NIST workshop addressing AI integration in manufacturing, including security considerations for AI-enabled production systems.

Source: NIST

Iris Experts Group Annual Meeting

Date: June 25, 2026

Forum for discussion of technical questions related to iris recognition for government agency missions.

Source: NIST

2026 Time and Frequency Seminar

Date: July 21, 2026

NIST Time and Frequency Division's annual seminar covering precision timing technologies relevant to critical infrastructure synchronization.

Source: NIST

New Tools and Frameworks

Microsoft Agent Governance Toolkit

Microsoft's new toolkit addresses OWASP top risks for AI agents, providing governance frameworks for organizations deploying AI systems.

Anthropic Project Glasswing

While primarily a research initiative, Project Glasswing's approach to AI-assisted vulnerability discovery may inform future defensive tools and methodologies.

Best Practices and Guidance

Post-Incident Review

CSO Online published guidance on conducting effective post-incident reviews, emphasizing the importance of learning from security events to improve future response capabilities.

Source: CSO Online

Zero-Day Response

Analysis from CSO Online addresses the collapsing zero-day timeline and provides guidance for security leaders on adapting response strategies to accelerated vulnerability disclosure cycles.

Source: CSO Online

Radiological Emergency Preparedness

Domestic Preparedness published guidance on integrating radiological emergency preparedness into all-hazards planning, advocating for broader application of REP training beyond fixed-facility scenarios.

Source: Domestic Preparedness

Hurricane Season Lessons

Pasco County Fire Rescue shared lessons learned from the 2024 hurricane season, providing insights applicable to emergency preparedness across critical infrastructure sectors.

Source: Domestic Preparedness

DDoS Protection Resources

Multiple reports this

Disclaimer

This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.