(00:00)
Welcome to Absolutely Critical by Fortress, where leaders across government and industry
(00:11)
share how they protect mission-critical systems in environments where disruption,
(00:15)
compromise, or failure simply isn't an option.
(00:18)
Welcome to the Absolutely Critical podcast. I am your host, Lee Mangold.
(00:23)
Today we're doing something a little bit different. No external guests, no single topic.
(00:28)
Instead, we're bringing you directly into the Fortress Q1 2026 Threat Intel Brief.
(00:35)
So every quarter, our Threat Intel team puts together a deep dive, a deep look into what's
(00:40)
actually happening inside U.S. critical infrastructure supply chains.
(00:44)
And today we're going to walk through the highlights with two of the people that are kind of closest
(00:50)
to this. So joining me today, we have Dave Gordon, Senior Threat Intelligence Specialist here at
(00:56)
Fortress. Dave, why don't you give us a quick 30-second version of your day-to-day?
(01:00)
Sure. So we have a number of clients. These clients have asked us to monitor a lot of their vendors.
(01:07)
So we have a list of the vendors that are directly supplying like the U.S. energy infrastructure.
(01:13)
We also have some government clients. So going through the vendor list, we'll determine if there
(01:18)
are breaches, threats, or vulnerabilities that are impacting the critical infrastructure for the U.S.
(01:23)
Those events that occur turn into alerts or reports that go to the clients for their awareness.
(01:30)
We also do research reports. And that's pretty much it.
(01:35)
All right. Well, Dave, welcome to the podcast.
(01:39)
So joining us from the federal defense side of the house, Andrea Shaman Phillips, our Director
(01:45)
of Federal Engagement. Andrea, tell us a little bit about your role and your vantage on Threat
(01:50)
Intel data.
(01:50)
Yeah. So I work directly with our federal clients. And I work through the full lifecycle of our support
(01:57)
with them. So from the pre-engagement discussions to really understanding how we can best provide
(02:01)
mission support through delivery. And then when we start talking about that next iterative phase
(02:07)
in the scaling up across their program. So these threat intelligence reports are so important to
(02:11)
them because they have such a huge ecosystem that they're trying to manage. And we're often the only
(02:17)
source of this near real-time threat intelligence. So that's something that we can provide with them
(02:21)
throughout their program, whether they're just starting to scope their effort or it's fully
(02:25)
implemented and we're really well executed in their environment.
(02:28)
Yeah. Well, thank you. And welcome to the podcast.
(02:32)
Thanks.
(02:33)
Yeah. So we wanted to have both sides here kind of represented. We do a lot of work, obviously,
(02:39)
for critical infrastructure on the commercial side, but also for the federal defense side.
(02:43)
And both have very, very similar overlapping requirements and needs just in different areas.
(02:50)
So it's very interesting to hear the different vantage points from both sides.
(02:54)
So let's get started here. I'm going to kind of start with the headline numbers from the report
(03:01)
because they are worth talking about. So in the Q1 2026 report, Fortress identified 157
(03:10)
critical cybersecurity incidents directly affecting the U.S. critical infrastructure supply chain.
(03:17)
32 of those were data breaches, everything from ransomware to data exposures.
(03:23)
And zooming out a little bit across all industries, we saw about 5,216 cybersecurity incidents in a single quarter.
(03:34)
That seems like a lot.
(03:37)
Dave, what do you make of those numbers? What story is that telling us?
(03:41)
So when we talk about cybersecurity incidents, most people picture a direct attack, an attacker breaking into a company's network.
(03:47)
But supply chain incidents are fundamentally different, and understanding that distinction matters a lot for critical infrastructure.
(03:53)
A direct or broader incident is when an attacker targets your organization specifically, your system, your credentials, your data.
(03:59)
Example is a ransomware hitting a corporate environment or a nation state probing your perimeter.
(04:05)
The attacker is targeting you.
(04:06)
A supply chain incident is when the attacker gets to you through someone you trust.
(04:10)
So either a vendor, software provider, managed service provider, whomever.
(04:13)
You didn't have to be the target, you just had to be a customer.
(04:16)
And that's what makes it so dangerous and scalable.
(04:18)
Our Q1 report shows 157 incidents affecting the U.S. critical infrastructure supply chain.
(04:23)
And of those, 12 were specifically tied to roll-up updates and critical vulnerabilities propagating through supply chains.
(04:29)
The Team PCP attack is a perfect example.
(04:32)
Attackers compromised CI/CD pipelines and tools like Trivy and Checkmarx.
(04:36)
And in doing so, pulled cloud credentials, SSH keys, Kubernetes tokens across Cisco, AWS, Azure, and thousands of other software-as-a-service environments.
(04:45)
So one breach impacted thousands of victims.
(04:47)
Now, what does the threat activity on the first slide tell us about attacker behavior?
(04:51)
So a few things stand out.
(04:53)
First, persistence over noise is key.
(04:55)
So the Notepad++ breach went undetected from June to September 2025, with some persistence surviving until December.
(05:04)
That was after detection.
(05:05)
Attackers aren't always smashing and grabbing.
(05:07)
They're quietly sitting in your environment watching.
(05:09)
Second, credential harvesting as a precursor.
(05:12)
The Team PCP and Axios npm attacks weren't just about data theft.
(05:15)
They were about collecting keys to the kingdom.
(05:17)
Tokens, credentials, access paths, the kind of material that enables a follow-on destructive attack.
(05:23)
And third, wiper deployment as a signal of intent.
(05:26)
So Iranian group Handala hit Stryker with a wiper, causing mass business outages.
(05:31)
That's not espionage.
(05:32)
That's a threat actor intentionally causing visible operational damage.
(05:35)
So when you put it all together, what you're seeing is a pattern.
(05:38)
Attackers are using supply chain footholds to pre-position themselves for destructive operations, particularly Iranian-aligned actors.
(05:45)
And Q2 looks like the risk is only escalating.
(05:47)
Yeah, interesting.
(05:48)
And I guess it's important to mention there that we're not talking about the normal routine kind of scanning, right?
(05:56)
Anyone who's done this or looked at the security ops side of, you know, watching logs, which some of us have had the, we'll call it the privilege of doing.
(06:05)
For a good portion of our careers, you know, there's those constant logs and constant scanning going on all the time.
(06:12)
And, you know, the random exploitation attempts, like the, you know, it doesn't matter what, if you host a website, somebody's trying to use WordPress exploits on your website.
(06:22)
It doesn't matter if it's WordPress or not.
(06:24)
But, yeah, that's correct, right, Dave?
(06:26)
So it's really going to be more about the targeted, you know, what we can confirm, obviously, attacks, right?
(06:32)
Not just the, a lot of the noise.
(06:35)
Yeah.
(06:36)
So, all right.
(06:39)
So, Dave, one of the things I wanted to highlight for our listeners, you know, we sent out vendor breach outreach surveys this quarter.
(06:47)
So what does that, what does that process look like?
(06:50)
Why does it matter to our, to the organizations that we support?
(06:53)
Sure.
(06:54)
So let's say a vendor that we're monitoring has a breach.
(06:57)
That may be state reported breach.
(06:59)
That may be SEC reported breach.
(07:01)
That may be a breach we saw on a ransomware site and the vendor doesn't necessarily know.
(07:05)
It'd be a lot of different things.
(07:07)
So when we detect these, we inform the clients, like, hey, your vendor was breached.
(07:11)
Here are the details that we have.
(07:12)
And if they're concerned, which they typically are, they can request an outreach.
(07:16)
An outreach consists of a number of questions, such as: are you aware the breach was reported?
(07:20)
Can you confirm if the breach actually occurred?
(07:22)
Because sometimes threat actors will just make stuff up.
(07:25)
They will pull data from a different breach and they'll just say, oh, well, we actually hit this big company and they did not.
(07:30)
Can you confirm if the breach occurred?
(07:32)
How did it occur?
(07:33)
Was client data exposed?
(07:34)
That's probably the biggest one.
(07:36)
These responses can help clients dictate their incident response and avoid potential follow-on attacks.
(07:40)
Yeah, interesting.
(07:43)
And what I think I, you know, what I, what I like about that is, you know, we become, in a way, you start looking at being sort of a trusted partner.
(07:51)
We do work between our, our vendors and our customers, right?
(07:56)
And the news isn't always right, right?
(08:00)
Sometimes it's a little bit exaggerated.
(08:01)
And, you know, sometimes the reports will come out and it looks like everything's impacted,
(08:06)
but actually for your client, it's, it may not be impacting.
(08:09)
They obviously want to know about it, but, you know, context, context matters, right?
(08:14)
So I think there's, you know, we, we've kind of want to pivot a little bit here.
(08:20)
There's a, obviously at the time of recording, a big international incident, I guess you can say.
(08:30)
We are, for lack of a better term, engaged in, in combat with, with Iran.
(08:37)
And that's obviously going to have some widespread impacts in, in the cybersecurity world too.
(08:46)
Not just cybersecurity, obviously, the kinetic side as well.
(08:49)
So, you know, that's, I think that's one of the things that we should kind of be thinking about.
(08:55)
And, and we're going to start here with the, some of the Iranian threat attack, threat actors, right?
(09:00)
So first we'll start with Handala, an Iranian-aligned threat actor, which breached medical technology company Stryker and deployed wiperware across the entire company.
(09:12)
And, and separately, Lockheed Martin, one of the biggest defense contractors in the country, was also breached.
(09:20)
Dave, let's start with kind of the mechanics.
(09:22)
Let's start basic: what does a wiper deployed across the company actually mean?
(09:27)
Sure.
(09:28)
So this is a textbook case of how wipers are fundamentally different than ransomware attacks.
(09:33)
So when ransomware hits, the attacker's goal is money.
(09:36)
That's all financially interested.
(09:38)
They want to get paid.
(09:39)
They want to encrypt your data, lock you out and wait for payment.
(09:42)
That's a form of extortion.
(09:43)
So theoretically, theoretically, if you pay, or if you have clean backups, you can recover.
(09:49)
Wiperware has a completely different intent, and that is strictly destruction.
(09:51)
So the goal is not your wallet.
(09:53)
It's your operational capability.
(09:54)
So unlike typical financially driven incursions, the Stryker attack is a fundamentally destructive wiper campaign.
(10:01)
Stryker confirmed across multiple customer updates that there was no indication of ransomware, pointing investigators toward deliberate data destruction rather than extortion.
(10:10)
You can't negotiate your way out of a wipe.
(10:12)
That data is gone.
(10:13)
So how did Handala pull this off at scale?
(10:16)
This is where the trade craft gets interesting.
(10:18)
Rather than deploying sophisticated malware or exploiting zero-day vulnerabilities, the attackers compromised the credentials of a Microsoft Intune administrator.
(10:25)
Intune is a platform large enterprises use to remotely manage corporate laptops and phones.
(10:31)
It's a legitimate IT tool built for convenience.
(10:33)
I discussed this attack with a Stryker employee.
(10:36)
He said that the attack impacted all phones and workstations that had the Intune app installed and running.
(10:41)
So it's important to note that employees were paid a stipend to keep Intune on their personal phones.
(10:45)
So Handala was able to gain access to the Intune admin console and send remote wipe commands, which effectively wiped out every device that had the Intune app running on it.
(10:54)
So it was one admin console, one command, and a simultaneous wipe across the entire fleet.
(10:59)
So this was simple and effective.
(11:01)
There was no novel malware required.
(11:04)
When I say mass business outage, what's that look like on the ground?
(11:07)
So in Ireland, which is Stryker's largest hub outside of the U.S., there were 5,500 employees who were sent home as internal networks went offline.
(11:14)
This incident disrupted order processing, manufacturing, and shipping.
(11:18)
Employees couldn't log in.
(11:20)
Their phones were bricked.
(11:21)
And two-factor authentication was knocked out because the phones they used for it were wiped.
(11:25)
In Stryker's SEC 8-K disclosure filing, they confirmed they had no timeline for full system restoration.
(11:31)
That's a Fortune 500 company with $25 billion in annual revenue telling its investors it doesn't know when it will be back online.
(11:37)
Stryker's public statements actually reveal the blast radius more than they contain it.
(11:41)
So the company acknowledged a global network disruption to its Microsoft environment, stating it had no indication of ransomware or malware, and believed the incident was contained.
(11:50)
But reading between the lines, Handala claimed offices in 79 countries were forced offline after data was erased from more than 200,000 systems, servers, and mobile devices.
(11:58)
That gap between "contained to our Microsoft environment" and 200,000 devices across 79 countries tells you everything.
(12:05)
Also, Handala published claims of access to Rubrik Secure Vault backups and vSphere control panels, meaning they may have targeted the recovery infrastructure too.
(12:14)
A big takeaway is that whenever someone gets admin access to your endpoint management layer, they don't need to be sophisticated.
(12:20)
They just need to push that button.
(12:21)
Yeah, you say that.
(12:24)
And, you know, everyone who's, we'll say most people who are deploying a Microsoft cloud environment are connected with Intune at some level, right?
(12:33)
And I will tell you, you're right.
(12:34)
You log in to the Intune admin console, and you can wipe, you can deploy, you can do pretty much anything.
(12:41)
And you don't have to really know how Intune works.
(12:43)
In fact, the easiest way to destroy your Intune deployment is to not know how it works.
(12:47)
But, yeah.
(12:48)
You know, I think we see this a lot as like an operational problem, right?
(12:53)
Something goes offline, we lose revenue, and we kind of know that, right?
(12:56)
But, you know, in critical infrastructure and critical infrastructure companies, this isn't just a data problem.
(13:04)
It's not just an operational, you know, continuity problem.
(13:06)
This could be a real, you know, safety and security problem, right?
(13:11)
So, you know, I want to make sure that listeners understand that, you know, this isn't theoretical, right?
(13:17)
If your supply chain includes vendors, which your supply chain includes vendors, right, this is a, you need to understand how their resilience affects your own.
(13:28)
And, you know, I think you kind of touched on it a little bit, you know, are there, you know, what are some of those, those really quick, that the high level tips that we need to, that, you know, critical infrastructure orgs need to take into account, you know, the takeaway from Striker?
(13:43)
You know, it's, you know, it's a way that they're, they're getting in, and it's a lot more strategy than we previously thought before, and the fact that they're weaponizing the enterprise controls that we use to protect the environment, right?
(13:55)
So if, if they get in, and they disrupt the supply chain for the gates that you're using, the gate is no longer useful, you know, and so it's these tools that are implemented, like Dave mentioned, that they were required to be on the devices in order to support, you know, multi-factor authentication and other security operating procedures.
(14:11)
So they weaponize the security operating procedures.
(14:14)
I mean, it's terrifying, but it's also brilliant, because, you know, we, you talk about a criminal isn't going to go through the door, they'll go through the drywall.
(14:22)
I mean, they're using these tools in a way that doesn't align with the rules, it doesn't align with the specs, it doesn't align with the way you're supposed to use them, which is why they're the perfect attack vector.
(14:31)
Yeah. And, you know, I think they're going to have, you know, you have the same, sort of the same risk that every company will have there, right, is, you know, understanding that the basics really do matter.
(14:43)
You know, I don't know the, the exact, you know, mechanism and how they got in, but things, the little things like multi-factor authentication matters.
(14:52)
You know, you know, zero-trust architectures matter, they really do.
(14:57)
You know, making sure, you know, to Dave's point about, you know, there was evidence that they were looking at some of the backup infrastructure, right, having your backups, not just fully segmented, but also offline backups, it's really, really important.
(15:12)
You know, and I think that's something that, you know, everyone listening kind of take a moment and think, if I came in tomorrow, and all of my data's gone, everything's gone, what do I do, right?
(15:26)
Do I have a backup somewhere that I can get back online, right?
(15:30)
What do I do?
(15:31)
It's a very scary question, but companies find themselves in those positions, and this isn't new, right?
(15:37)
So, you know, Andrea, you know, from the, you know, defense perspective, like Lockheed Martin, this one kind of hits different, right, from defense industrial base perspective.
(15:49)
You know, several U.S. government-affiliated vendors were breached this quarter, and Lockheed was among them.
(15:56)
You know, what's the significance on the federal side?
(15:58)
So, I mean, the defense industrial base, the supply chain is massive, it is dynamic, it is widespread, and you have so many organizations with varying levels of maturity, and the way that they're approaching their systems of redundancies, their ability to, you know, protect themselves at scale is all over the place.
(16:20)
It's from, you know, tier one defense contractors like Lockheed and mom and pop, you know, suppliers that are veterans, you know, that just have this one small business that is selling this one specific widget, you know, where their, like, grandson has set up their Wi-Fi.
(16:35)
It's a completely different operation, and yet it has the same ability to infiltrate the supply chain and affect everything that it touches.
(16:42)
And so, you know, we've seen in the past, you know, other tier one defense contractors who have had breaches that have led to, you know, contract halts.
(16:52)
They can lead to loss of life.
(16:53)
You know, you can lead to millions and millions of dollars of damage to a program.
(16:58)
Obviously, the reputational damage to the organization itself as the name becomes inextricably linked to a breach.
(17:03)
You know, there's so many challenges that it's more difficult to pinpoint just one or identifying one priority.
(17:12)
So when you think about the downstream cleared subcontractors, those smaller organizations, those impacts are deep and they're rippling, and a programmatic pause for a few months or even a couple of years on a multimillion or even billion dollar project to Lockheed isn't going to have the same devastating impacts as it's going to have downstream.
(17:29)
You know, I mean, just a program that's on pause could shutter a business.
(17:33)
You also have attestation only programs where these downstream suppliers are operating on good faith or they've tried their best to provide an attestation to show that their environment is secure.
(17:45)
And that rolls up.
(17:46)
You know, the primes are responsible for all of the actions and attestations of their downstream suppliers.
(17:51)
So it again shows where the subcontractors in the downstream supply chain environments can impact the larger environment.
(17:59)
And then there's also CMMC implications and who's operating at what level and who has which controls in place and the growing importance of continuous monitoring versus a single point assessment to pass a regulatory checkmark, right?
(18:12)
So, you know, you may be completely safe, you know, today, but then if there's a breach or something tomorrow, your security posture has changed not only for you, but it's got a tremendous rippling impact across the entire environment.
(18:25)
Right.
(18:27)
Yeah.
(18:27)
And, you know, the E-ISAC reporting on Iranian reconnaissance from their IP addresses, you know, Dave, does that reconnaissance activity look like it's connected to what we saw with Stryker, Lockheed?
(18:40)
For sure.
(18:42)
So Iran runs its cyber operations primarily through the IRGC and MOIS, Ministry of Intelligence Service, I believe, linked groups, making state-directed attacks kind of their baseline.
(18:53)
These groups focus on long-term credential harvesting and embedded backdoors before any conflict begins.
(18:58)
So when the tensions escalate, the same pre-positioned access gets activated for disruption.
(19:03)
Stryker fits the pattern precisely.
(19:05)
That's reconnaissance, credential harvesting, and then a wiper timed to a kinetic event.
(19:09)
Underneath that layer sits a second tier.
(19:11)
So Handala's operational pattern is opportunistic and velocity-focused.
(19:15)
They compromise low-security systems through supply chain footholds, exfiltrate data, and time publication for maximum psychological impact.
(19:22)
Iran deliberately maintains both layers, coordinated state operations with plausible deniability through proxy groups.
(19:28)
So even when its core command is degraded, cyber retaliation is swift and infuse.
(19:32)
The reconnaissance in our QBR: Iranian IPs were probing U.S. energy, according to E-ISAC.
(19:37)
That's the coordinated layer doing its job.
(19:39)
The Stryker wiper was the activation.
(19:43)
Yeah, that's, you know, and it's really interesting because we have a reluctance to use IP addresses for correlation, for attribution, right?
(19:57)
But there is still a lot of thread out there to pull, right?
(20:00)
You can still see a lot of those sources.
(20:03)
And, yeah, it is very, very interesting.
(20:06)
So I want to shift a little bit to a different kind of supply chain attack.
(20:12)
And this one is actually, this one is one of those that I'm really interested in.
(20:18)
And this is, I think, one of the things that kind of, I guess you can say, keeps me up at night.
(20:22)
You know, it's less about, you know, ransomware and breaking into buildings, right?
(20:28)
It's more about, you know, poisoning those tools and the tools that developers use to build and secure software.
(20:34)
And two stories this quarter really stood out.
(20:38)
The Team PCP CI/CD attack and the Notepad++ compromise.
(20:45)
So, Dave, I need you to walk us through some of these because some of the technical details do matter here.
(20:52)
So what can you tell us about those?
(20:55)
So let's talk about the Team PCP attack because this one requires a bit of context to understand just how bad it is.
(21:00)
First, what are Trivy and Checkmarx?
(21:02)
These are security scanning tools that organizations embed directly into their software build pipelines.
(21:07)
Every time a developer pushes code, these tools automatically scan for vulnerabilities, misconfigurations, and exposed secrets before anything goes to production.
(21:15)
These are the security checkpoints inside your DevSecOps workflow.
(21:19)
Trivy is among the most widely deployed container vulnerability scanners, embedded by default across a broad range of Kubernetes and CI/CD environments.
(21:27)
Checkmarx KICS performs infrastructure-as-code security analysis in pipelines across thousands of organizations.
(21:34)
They're not fringe tools.
(21:35)
They're trusted gatekeepers inside enterprise build systems everywhere.
(21:39)
So what does a CI/CD supply chain attack actually mean?
(21:42)
It means the attackers don't target your company directly.
(21:45)
They target the tool that runs inside your pipeline.
(21:47)
On March 19th, attackers injected malware into official GitHub Actions workflows and Docker images associated with Trivy.
(21:54)
As a result, every automated pipeline scan triggered malware that stole SSH keys, cloud access tokens, and other valuable data from compromised systems.
(22:02)
The scans look normal.
(22:03)
Your developers saw green check marks, but in the background, your secrets are going out the door.
(22:07)
The type of credentials stolen also matters enormously.
(22:10)
Team PCP's cloud stealer dumped CI runner memory, swept SSH keys, cloud provider credentials, and Kubernetes secrets,
(22:17)
and then encrypted and exfiltrated the data to attacker-controlled servers.
(22:20)
Let's break down why each of these is dangerous.
(22:24)
So cloud credentials such as AWS IAM keys and environment variables give the attacker the ability to spin up infrastructure,
(22:30)
access storage, or move laterally across your cloud environment without ever touching your corporate network.
(22:36)
SSH keys let them log directly in to servers.
(22:38)
Kubernetes tokens give control over your entire container orchestration layer.
(22:43)
And npm publish tokens, those let attackers push malicious code to your own software packages,
(22:47)
turning you into the next supply chain attack.
(22:50)
The downstream blast radius is staggering.
(22:54)
Team PCP stole credentials from more than 10,000 organizations, and the attack compounded upon itself.
(23:00)
So among the credentials harvested from Trivy's environment were GitHub personal access tokens belonging to Checkmarx.
(23:05)
Team PCP used those stolen tokens four days later to push malicious commits to all 35 versions of Checkmarx GitHub Actions.
(23:12)
One breach led to the next.
(23:14)
Cisco, AWS, Azure, and thousands of SaaS environments weren't directly hacked.
(23:19)
They were downstream casualties of trusting a compromised tool that had been running quietly in their own pipelines.
(23:23)
So the lesson here is that security scanning tools occupy privileged positions in CI/CD pipelines where they have simultaneous access to cloud credentials,
(23:32)
code repositories, and container infrastructure.
(23:34)
Compromising a scanner exposes every secret accessible within that pipeline context.
(23:38)
The protector becomes the weapon.
(23:40)
Yeah, and it's really interesting, too.
(23:43)
If you go and you do a search for, you know, CI/CD container security and, like, what tools can I use and what's free,
(23:51)
every response is going to come back and say Trivy, right?
(23:55)
If you don't want to pay for it, it's going to say Trivy.
(23:58)
It's used, it's so ubiquitous, and that's the scary part.
(24:02)
And I think for those who kind of are uninitiated, this whole process happens when you upload your code into, in this case, into GitHub,
(24:11)
and it's running actions that you allow it to run in the back end to do all sorts of scanning or testing before you do a deploy.
(24:19)
And Trivy just happens to be one of the really common ones that you can use.
(24:22)
That was what got compromised and then just used as the top of that downstream effect.
(24:28)
That is scary, and it's definitely something that I don't think we're looking at.
(24:35)
And we're not looking at nearly enough.
(24:37)
Yeah, certainly not enough.
(24:38)
That's what I was going to say.
(24:39)
Yeah.
(24:40)
Yeah, and, you know, it's interesting.
(24:42)
I had just been looking a couple weeks earlier, very seriously, just been looking at Trivy and kind of seeing if there's a way
(24:49)
that we should look at kind of including that in our own pipeline as a, you know, belt and suspenders approach to what we already do.
(24:58)
And obviously, we just, we didn't do that.
(25:01)
But, you know, two weeks later, we see this.
(25:03)
So everyone is subject to this stuff, right?
(25:07)
So, you know, when we say, you know, thousands of, you know, thousands of SaaS enterprise environments are impacted, right?
(25:14)
You know, help me ground that a little bit.
(25:16)
What does that mean, Dave?
(25:17)
What does that mean for, you know, the energy companies or defense contractors who use these tools?
(25:23)
I mean, I think we answered that, right?
(25:25)
It's a lot of downstream impact.
(25:28)
Do we see this getting into, I know you said, you know, into Checkmarx.
(25:34)
Do we see this in any other tools or any other infections that have happened that we know of?
(25:41)
Still, kind of bring us back to ground a little bit for any organization running Trivy in their pipeline between March 19th and 23rd.
(25:47)
When the malicious Trivy binary executed, it ran the legitimate scanner in parallel while simultaneously sweeping the system for credentials stored in the file system, gathering environment variables, enumerating the network interfaces, then compressing, encrypting, and exfiltrating your data.
(26:02)
There is so much to this that it is so foundational, right?
(26:07)
Is that this is before a customer even gets the code, which is, or in a SaaS product, it's before the customer even, you know, sees the product that you've produced, right?
(26:19)
You know, Andrea from, you know, well, let me back up.
(26:23)
I think because we didn't really talk through Notepad++, which is another extremely popular application, been around forever.
(26:31)
You know, this was kind of a little bit of a different attack.
(26:36)
Can you walk us through that, Dave?
(26:37)
Sure.
(26:39)
So the Notepad++ incident in the Q1 report, that was a very instructive attack over the past year.
(26:46)
It was quiet, surgical, and very difficult to detect.
(26:48)
So in June 2025, a Chinese state-sponsored group gained access to the third-party hosting provider serving Notepad++ update infrastructure.
(26:57)
Between June and September, the attacker quietly and very selectively redirected traffic from the Notepad++ WinGUp updater to attacker-controlled servers that downloaded malicious executables.
(27:09)
They didn't touch the source code.
(27:10)
They didn't break a signature.
(27:11)
They compromised the pipeline between software and its users.
(27:14)
This is a long-dwell problem in its purest form.
(27:17)
So the server wasn't compromised until September when scheduled maintenance included kernel and firmware updates, which was not a detection, which was kind of a coincidence.
(27:27)
Even after losing direct server access, attackers maintained stolen credentials to internal services until December 2nd, which allowed continued traffic interception for three additional months.
(27:37)
So six months total.
(27:38)
The only reason it surfaced at all is because a security researcher noticed anomalous Notepad++ processes at a handful of targeted organizations in December, three months after the attacker had already been forced to adapt their access method.
(27:50)
Think about what that dwell time means operationally.
(27:53)
So that's six months of hands-on-keyboard recon inside telecom and financial targets, delivered through a routine software update that every endpoint trusted.
(28:00)
The target logic tells you everything you know about the attacker's intent.
(28:03)
So they filtered update requests by IP range and hand-delivered trojanized installers specifically to East Asian telecom and financial targets, while millions of others pulled clean copies.
(28:12)
That's not spray-and-pray.
(28:14)
That's a surgical espionage attack using the update mechanism as a precision delivery vehicle.
(28:19)
So what that means for software supply chain integrity is fundamental.
(28:21)
Auto updaters are remote code execution pipelines.
(28:25)
The lesson is to stop treating updates as trusted just because they arrive from legitimate domains.
(28:29)
A legitimate domain, a legitimate process name, clean-looking network requests all mean nothing if the hosting layer between the vendor and the user has been compromised.
(28:37)
So your endpoint didn't get attacked, your trust model did.
(28:41)
And for developers, IT administrators, and analysts running ubiquitous utilities like Notepad++ on privileged workstations, the trust model is the attack surface.
(28:49)
Right.
(28:50)
And, you know, I think you hit a piece there, too, that I think is worth emphasizing.
(28:55)
When you're running applications in privileged modes, it's probably a problem to begin with, right?
(29:03)
Kind of back to a lot of that, you know, the basics of, you know, the stuff we're still trying to fight all these years later of implement those security essentials, right?
(29:11)
And we're seeing it everywhere, right?
(29:13)
It's not, this is in every sector, even across defense and everything, everywhere.
(29:17)
It's sometimes hard to implement that little thing that I think is really easy.
(29:22)
It's really hard to implement across, you know, 80,000 endpoints.
(29:27)
So, but yeah, I think, you know, we talk, we're talking a lot about those elements inside of, inside of the software, and it's not stuff that we usually, you know, talk about.
(29:38)
And Andrea, you know, from a, you know, federal compliance supply chain standpoint, you know, these two stories, you know, Team PCP, Notepad++, they're kind of the argument for why SBOM requirements exist and secure software attestation exists.
(29:53)
What's your, what's your read on how the federal sector is absorbing these kinds of risks?
(29:58)
One bite at a time, right?
(30:00)
So they're doing their best.
(30:01)
They're doing it with the best intent.
(30:03)
And I think that this, the executive order, like executive order 14028, it's, it's been needed for a very long time.
(30:10)
I think organizations within the Department of Defense and the defense industrial base, they've known the vulnerabilities that these software packages or these vendor deployments that they can introduce into an environment for a very long time.
(30:23)
I mean, I was, I don't want to date myself, but I oversaw an onsite control assessment over a decade ago that included strict scrutiny of the software that was deployed in the environment.
(30:33)
So this is not a new conversation, but the challenge is that this has been an unfunded requirement for so long.
(30:39)
So it was up to the programs to do it because they knew it was important, because it was a value add for their own program, or because they had found a way to negotiate the contract in a way that it included areas of responsibility on both the government procurement side and the, say the commercial vendor side.
(30:55)
Now, the challenges have always been to get the vendor to cooperate, right?
(30:59)
They don't want to provide the full SBOM.
(31:02)
They don't want to provide what they call business proprietary info, you know, the secret ingredients.
(31:07)
In the case that the government is going to become really industrious and try to replicate everything that Microsoft or Adobe or, you know, these software companies are creating and suddenly switch their model.
(31:18)
But the reality is the SBOMs are necessary in order to evaluate those lines of code, the hashes, the signatures, the certifications, to ensure that what was deployed from the vendor is what's being installed into the environment.
(31:30)
That's all they want, right?
(31:31)
They're not trying to steal anybody's business or negatively impact anybody's revenue.
(31:34)
They just want to deliver on their own mission, which is not software development or often not software development.
(31:39)
So, you know, these incidents, the software incidents occur with the government and with the DIB at all sorts of different levels and different ages of programs, right?
(31:51)
So you have brand new programs that are thinking about cybersecurity considerations now.
(31:56)
They're getting the software, they're adhering to Executive Order 14028, which, if you're not familiar, requires secure software development practices.
(32:06)
You know, so they're able to really get a hold of that.
(32:08)
They're on the bleeding edge of that.
(32:09)
But then you have a much larger swath of the government that is legacy programs.
(32:15)
So they're using older software systems.
(32:18)
They bootstrapped software programs to run together because they're often no longer supported by the vendor.
(32:24)
They're sandboxing it in their own environment because they're trying their best to kluge together this old technology and these new software programs that are available to them.
(32:32)
You've also got open source software that has completely different requirements and isn't even considered under Executive Order 14028.
(32:41)
So it's only software that's deployed from vendors.
(32:44)
So what does that mean, right?
(32:45)
What are we incentivizing there with the government where you have this strict level of scrutiny and regulatory control for software that's purchased from a vendor in a secure environment?
(32:54)
But if they switch to open source, it means something different.
(32:57)
And then, you know, the legacy software is a particular concern because that also can mean that the vulnerabilities are no longer being announced.
(33:05)
They're no longer being patched.
(33:07)
There's no support for vendors through updates and things like that to continue to shore up any sort of vulns that may exist in the software that might have been developed before cyber supply chain risk management or cybersecurity practices were even a consideration.
(33:22)
It's easy to solve it, super easy.
(33:24)
It's just, it's an easy problem.
(33:26)
Yeah.
(33:27)
Yeah.
(33:27)
You know, it's, I guess what a lot of folks don't realize is that, you know, when you get a piece of software, there's obviously a lot of, a lot of dependencies in that software, right?
(33:36)
And those, those first party dependencies are, are significant, right?
(33:42)
And a lot of them in every application, you've got open source dependencies in there somewhere, right?
(33:48)
Linking dependencies that have a domino effect across the environment.
(33:52)
Yes.
(33:52)
So I, I think it's really interesting, your point there, you know, about the aging infrastructure and the aging, you know, software in that infrastructure, because there are third party, fourth, fifth, there's nth party dependencies that, you know, if your software requires a certain, you know, a certain library, that library probably also has dependencies.
(34:14)
And those dependencies could also have dependencies.
(34:17)
And you find yourself in that situation where you, you might not be able to upgrade your software because the dependency six layers deep breaks something.
(34:28)
So it breaks everything all the way back up.
(34:30)
Yep.
(34:31)
Um, and with so much of this software, especially in the open source world, a lot of the stuff we rely on, a lot of the stuff we really rely on is still maintained, but it's not, um, it's not actively maintained like you would hope it is.
(34:44)
Right.
(34:44)
Or with the same level of scrutiny or, or it's abandoned at some point, right?
(34:48)
The version skip number.
(34:49)
Yeah.
(34:50)
Right.
(34:50)
And, and, and it's, and we find, you know, all the time, uh, there's CVEs that have existed.
(34:55)
You know, we just find them today as the vulnerability that's been in, you know, the, the, you know, Linux is the first example for me and Linux kernel, I think it was a couple of years ago.
(35:05)
They found a vulnerability of, you know, a level 10 CVE or CVSS vulnerability, um, that apparently had existed in the kernel for something like 10 years, something like that.
(35:15)
Right.
(35:15)
Those things happen.
(35:17)
Right.
(35:17)
So if you have that situation, what is your upgrade path on aging infrastructure?
(35:21)
Um, that is a, that is a significant problem.
(35:24)
Um, but yeah, I, I think, and, you know, kind of to Andrea's point about SBOMs, you know, we, we will collect and analyze SBOMs too.
(35:31)
Nobody here, you know, at the Fortress side, we don't, we don't want your software.
(35:36)
We're trying to figure out, do you have those kinds of dependencies that would raise a red flag?
(35:41)
Which makes everybody.
(35:43)
And you may not know them.
(35:44)
Yeah.
(35:45)
And it makes everybody safer.
(35:46)
It's not just the customer that's purchased and deployed the software, but it also, it's important for the vendor to really understand what has been deployed, right?
(35:53)
If they've unintentionally had, um, you know, someone that got in and was able to manipulate the code at some stage of the implementation or, or through a vault or through an update or something along those lines.
(36:04)
I mean, it's beneficial to every side of the, of the equation.
(36:09)
It's just a matter of really getting those vendors on board with understanding like, no, this is actually important for everyone because it does make everybody safer.
(36:16)
Right.
(36:17)
So we're going to move a little bit here.
(36:19)
I'm going to, I'm going to continue our trip around the globe because, uh, you know, Q1 was, was active on every continent.
(36:26)
Um, you know, so, you know, Dave, I want you to kind of, uh, walk me through the key events region by region.
(36:32)
And, and Andrea, I'll, I'll put you on the defense, uh, federal angle where it's, where it's relevant.
(36:37)
Yeah, yeah, Dave, we're going to, we're going to start, we're going to start with Russia.
(36:40)
So, um, you know, we saw a Midwest electric, uh, cooperative hit by Russian ransomware as a service group, um, and, and Poland's renewable energy plants targeted by, again, uh, Russian, but again, wiperware, um, that disabled RTUs and HMIs.
(36:56)
You know, Dave, the, the Poland attack is significant because of what was targeted.
(37:00)
Can you, can you walk us through and kind of explain it, explain that a little bit?
(37:04)
Sure.
(37:05)
Uh, so in Poland, we have a number of renewable energy plants, um, and these plants, you have RTUs, which are remote, uh, terminal units.
(37:12)
They're devices that are physically monitoring and controlling field equipment, such as wind turbines, solar inverters, circuit breakers.
(37:19)
Um, then you have HMI, which is a human machine interface, and that's the operator screen, uh, the dashboard that lets a human see and command all that in real time.
(37:26)
Uh, they're not IT systems, they're the physical control layer of the grid.
(37:30)
Uh, this malicious cyber activity caused a loss of view and control between facilities and distribution system operators, uh, destroyed data on HMIs and corrupted system firmware on the OT devices.
(37:42)
While the affected renewable energy systems continue production, the system operator cannot control or monitor them according to their intended design.
(37:49)
So the turbines were still spinning, but nobody was at the wheel. Uh, Poland's digital affairs minister said that the incident came very close to causing a blackout and showed signs of a coordinated sabotage campaign.
(37:59)
Uh, this was timed notably during cold temperatures and snow storms.
(38:02)
Uh, this is why wiperware on OT-adjacent systems is categorically different than an IT breach.
(38:07)
You're not losing files, you're losing situational awareness and control over physical infrastructure.
(38:12)
That's a step toward a kinetic level disruption through purely digital means.
(38:16)
Slovakia, I'm sorry, Slovakia's ESET attributed the attack with medium confidence to Sandworm, uh, it's a unit within Russia's military intelligence agency GRU, which is the same group linked to the actual blackouts in Ukraine.
(38:27)
So we see a very similar tie there, um, that brings us to the RaaS question in the Russian context.
(38:32)
So ransomware as a service means criminal groups operate like franchises where they sell attack toolkits and infrastructure to affiliates.
(38:39)
Russia's relationship with these groups isn't coincidental.
(38:41)
Uh, the Kremlin tolerates and in some cases directs RaaS operators as long as they avoid Russian targets, which gives Moscow plausible deniability while maintaining a standing offensive cyber capability.
(38:51)
Sandworm, uh, is GRU.
(38:54)
The RaaS groups hitting U.S. and European energy cooperatives are in the gray zone beneath that, uh, which is criminal in appearance, but they're strategic in effect.
(39:01)
Andrea, do you have thoughts on that?
(39:03)
Yeah.
(39:04)
I mean, uh, you know, like Dave mentioned, the, the Poland incident was notable because it was disruptive, obviously, but also because of what was targeted inside the environment.
(39:12)
So this went directly to impact the system operators, and, and the tools that they use to monitor and control the physical processes were weaponized.
(39:22)
So this isn't like a traditional cyber breach.
(39:25)
They were weaponizing their own tools against them.
(39:27)
So this is a lot more closely aligned to operational impact than what we think of as ransomware.
(39:32)
So even if the intent wasn't full physical damage, going after those interfaces shows familiarity with how energy systems run and where disruptions would matter most.
(39:42)
I mean, like Dave said, think about the time of year that this occurred, right?
(39:45)
So this is much more broad impact than a traditional cyber incident.
(39:49)
So when you connect that with what we've seen with Russian linked ransomware hitting small utilities, the implication is less about one-off incidents and more about creating patterns, you know, and in the United States, smaller co-ops, co-ops have much smaller budgets, right?
(40:07)
So they're, they're having then leaner security teams.
(40:10)
They have less to invest in, in an overall maturity posture against these types of attacks.
(40:15)
So they might have more legacy systems, more vendor managed environments.
(40:20)
So they have less control or less visibility.
(40:22)
You know, we talked a little bit about vendors who may or may not cooperate when we're, when we're thinking about these types of assessments.
(40:28)
So all of that combined means less visibility, slower patching, heavier and over, maybe over-reliance on third parties.
(40:36)
And that all creates opportunities for bad actors.
(40:40)
That all creates opportunities for threats, right?
(40:42)
So the takeaway here isn't that we're guaranteed to see identical attacks happening over and over,
(40:49)
but that they're, the pathways are going to continue to be execute, executed and exercised and exploited.
(40:54)
And the, they're finding more and more pathways through non-traditional attack vectors.
(41:00)
And so the challenges that we're always planning based on the last attack, we're, we're trying to, you know, close the gate behind the horse every single time and not the potential for what might be exploited in the future.
(41:11)
We're not getting creative and what we don't want.
(41:14)
And what's been happening is we have all these bad actors teaching us the art of the possible.
(41:19)
So, you know, for smaller providers, especially, the risk is that disruption doesn't have to be sophisticated to have a high mission impact.
(41:26)
It just, instead it can create a limited outage at the distribution level and still have very real downstream effects for communities and civilians.
(41:34)
The government, of course, the defense industrial base, any military bases, anybody that depends on that power.
(41:41)
Yeah, no, that's definitely a, a interesting and scary, uh, it's something, it's a scary attack, but it's also something that we've talked about for years as a hypothetical, right?
(41:53)
And, and to see it actually happening is, is, is, we'll say, we'll say extremely concerning.
(41:58)
Yeah, it's something to add to your cyber tabletop for sure.
(42:01)
You know, you got to get really creative.
(42:03)
Right.
(42:04)
What do you do when, what do you do when the HMI is offline?
(42:06)
Yep.
(42:07)
Right.
(42:07)
And the, and the turbine's still spinning.
(42:09)
Yeah.
(42:10)
Yeah.
(42:10)
You know, so continuing our, our world tour, uh, China.
(42:14)
So, uh, Volt Typhoon breaching Midwest utilities and Taiwan's, uh, national security bureau reporting high escalation against their energy sector.
(42:23)
Dave, Volt, Volt Typhoon has been in the news for, for quite a while.
(42:28)
What's, uh, what's new about what we saw in, in Q1?
(42:31)
So, Volt Typhoon is definitely the most strategic, significant threat in our Q1 report.
(42:36)
And it's one that looks least like an attack while it's happening.
(42:39)
Uh, their signature technique is called living off the land.
(42:42)
So, rather than dropping malware, Volt Typhoon leverages legitimate pre-installed tools native to the operating system.
(42:47)
PowerShell, scheduled tasks, built-in admin utilities, um, these all blend malicious activity into normal network operations in ways that evade traditional detection.
(42:56)
They're not loud, they're not stealing data for immediate use.
(42:59)
Uh, according to the joint advisory from CISA, NSA, and FBI, the group is seeking to pre-position themselves on IT networks for disruptive and destructive cyber attacks against U.S. critical infrastructure in the event of a major crisis or conflict.
(43:14)
The U.S. government has observed Volt Typhoon maintaining access in some victim environments for years.
(43:18)
So, they're holding a loaded capability in reserve and waiting for the right geopolitical moment.
(43:22)
Um, that moment is Taiwan.
(43:24)
So, Taiwan's National Security Bureau reported that China's cyber operations against the island's critical infrastructure increased to 113% from 2023 levels.
(43:33)
So, energy, emergency services, and hospitals are seeing the sharpest increases.
(43:37)
Uh, the pattern is clear.
(43:39)
As Taiwan tension escalates, Chinese cyber activity against U.S. infrastructure intensifies in parallel because disrupting the U.S. domestic grid during a Taiwan conflict would degrade America's ability to mobilize and respond.
(43:50)
Um, kind of explains the Midwest targeting specifically.
(43:54)
The U.S. Midwest is home to dense concentrations of electric cooperatives and regional transformation, transmission infrastructure.
(44:00)
Uh, that's the unglamorous backbone of the national grid, historically under-resourced on cybersecurity.
(44:05)
Volt Typhoon represents a quiet but strategic threat characterized by long-term access and persistence rather than immediate disruption.
(44:12)
So, they're not creating prestige assets.
(44:14)
They're targeting nodes that, if taken offline simultaneously, can create a cascading failure.
(44:19)
And that's not crime.
(44:20)
That's war planning.
(44:21)
Yeah, and I think that's the, you know, the scary thing.
(44:25)
And, Dave, you and I have talked, you know, at other times about, you know, this is very common, you know, a TTP for the Chinese threat actors is, you know,
(44:35)
they're all about the long game, right?
(44:37)
They're going to get in the house and stay in the house as long as they can and then just wait until they need to execute.
(44:43)
Andrea, what is, what's your take on this?
(44:47)
Well, I mean, speaking of the house, right?
(44:49)
You know the old adage, the calls are coming from inside the house.
(44:52)
So, I mean, these attacks are proving that attackers are thinking about pre-positioning as a strategy while they're evading detection, right?
(45:00)
So, they're getting in place, they're embedding themselves within this environment, and then they're waiting.
(45:05)
They're ready for the long game, right?
(45:07)
They are already inside the house, like you said.
(45:10)
And so, they're using things like botnets and living off the land in order to hide in plain sight.
(45:15)
And that makes them so much more dangerous because they're harder to detect and they're harder to fully understand the level of the infiltration.
(45:22)
So, the joint CISA and NSA and FBI advisories matter because they're the government saying, in effect, this is real.
(45:30)
These are already inside of some critical networks.
(45:33)
And defenders should assume the objective may include future disruption, right?
(45:37)
Not just espionage, not just data leak, but it may include future disruption.
(45:43)
So, for cleared contractors and federal sites, the lesson is simple.
(45:48)
Even if you're not a utility, you may already, I mean, certainly depend on the commercial grid, right?
(45:52)
So, telecoms, water, any other outside infrastructure that you need to keep your mission running.
(45:57)
So, cyber risk in the infrastructure around you becomes mission risk for you.
(46:02)
It's shared risk and it's shared responsibility.
(46:04)
And then the Five Eyes angle is important because this is not just one country who's freelancing a theory.
(46:10)
It's the United States, UK, Australia, Canada, and New Zealand sharing intelligence in order to put out a common warning.
(46:18)
And so, then we can have a joint response or the potential for, you know, a joint response.
(46:22)
Right.
(46:24)
And, you know, I love that kind of piece there you alluded to a little bit of, you know, if you do rely on that commercial energy infrastructure, right?
(46:35)
It doesn't matter what industry you're in.
(46:36)
It doesn't matter if you're a government agency.
(46:37)
You're still relying on that commercial infrastructure.
(46:39)
So, these are relevant to everyone at every company.
(46:43)
Yeah, for sure.
(46:44)
Every organization, right?
(46:45)
So, let's continue our tour.
(46:48)
We're going to hit kind of two-in-one here in North Korea and South America.
(46:51)
So, North Korea's Lazarus Group pulled off an NPM supply chain attack on Axios.
(46:58)
So, it's one of the most widely used JavaScript libraries on the Internet.
(47:03)
We're kind of going back to another attack pattern we just talked about.
(47:08)
But, Dave, quickly, how does that work?
(47:10)
What's the exposure?
(47:11)
Here's a quick but important one.
(47:13)
So, Axios is a JavaScript HTTP library that simplifies making HTTP requests.
(47:19)
It has 70 million weekly downloads.
(47:21)
It's a foundational plumbing inside thousands of enterprise applications.
(47:24)
npm is the package registry where JavaScript developers pull dependencies.
(47:28)
When your pipeline runs npm install, it trusts what comes down as clean.
(47:33)
On March 31st, Lazarus Group, which is a North Korean-nexus actor, conducted a multi-week social engineering campaign against an Axios maintainer, hijacking their account and publishing two malicious versions that deployed a cross-platform remote access Trojan across Windows, macOS, and Linux.
(47:49)
No user interaction was required.
(47:51)
If you install the package, you got the RAT, which is a remote access tool.
(47:54)
This is distinctly Lazarus, and their motivation matters.
(47:57)
So, unlike Volt Typhoon's patient pre-positioning, Lazarus is financially motivated.
(48:02)
Their stolen secrets are expected to enable crypto heists, ransomware, and SaaS environment compromises over the following months.
(48:08)
North Korea funds its weapons program through cyber theft.
(48:11)
That is their revenue generation.
(48:14)
For organizations, check your pipelines for Axios versions 1.14.1 or 0.30.4.
(48:21)
Audit for callbacks to sfrclack.com.
(48:24)
And review any GitHub Actions workflows using floating tags rather than pinned commit hashes.
(48:29)
If Axios ran in your build environment on March 31st, I would treat your secrets as compromised.
(48:34)
Yeah, and that's kind of terrifying.
(48:38)
You know, on two fronts, like to your point, Axios has used so many.
(48:43)
Not just in the end users that know that they're using it.
(48:46)
It's part of so many frameworks that are out there that developers are using these frameworks, and they may not know that they're including a lot of these libraries.
(48:54)
And npm, you know, it's, again, it's that remote update issue, right?
(49:01)
Of, you know, if you're downloading software, especially, you know, developers really take note, right?
(49:06)
If you're downloading software, it's web-based software, and it's got JavaScript dependencies, and you just do an npm install, right?
(49:13)
You're downloading whatever the package maintainer said to download.
(49:16)
You might be downloading the latest version.
(49:18)
You don't really know what you're pulling.
(49:21)
It is a significant and scary issue.
(49:25)
So let's pivot a little bit to, you know, South America.
(49:28)
Chile's energy company plus Peru's energy hit by, what is that, Vect, right?
(49:38)
Somewhere?
(49:38)
Yes, sir.
(49:39)
Yeah, it's a pattern that's worth naming.
(49:42)
So what's happening in South American energy?
(49:45)
Sure.
(49:45)
So Chile's energy company was hit by Nubis RaaS with a follow-on attack against COPEC directly resulting from that breach.
(49:52)
Peru's Berlat Energy was hit by Vect RaaS. That pattern is deliberate.
(49:58)
Just a side note, Team PCP, which did the big large supply chain attack mentioned earlier, has partnered with Vect Ransomware for their infrastructure.
(50:05)
Emerging market-critical infrastructure is being targeted specifically because it's less hardened.
(50:10)
Smaller teams, aging OT infrastructure, fewer regulatory mandates, and the same Internet-exposed edge devices that got Poland hit.
(50:17)
RaaS operators are running on a return on investment calculation, and Latin American energy utilities check every box.
(50:23)
The cascading dynamic is what should concern U.S. operators the most.
(50:28)
So the Nubis to COPEC follow-on attack wasn't a coincidence, it was a feature.
(50:32)
Breach of supplier, pivot to the customer.
(50:35)
And energy is always the target because it's the one sector where disruption has immediate physical consequences.
(50:40)
No power means no water treatment, no hospitals, no fuel distribution.
(50:43)
It's not the most profitable sector to ransomware, but it is the most coercive.
(50:47)
Well, so continuing our tour, going to the Middle East, obviously a big topic right now, but, you know, the Middle East reads like a sustained multi-vector campaign, right?
(51:01)
Qatar energy targeted by cyber and drone activity, Kuwait power and desalinization plants hit.
(51:10)
Al-Sarif oil targeted by Iranian alleged groups.
(51:13)
Andrea, what's the significance of Iran attacking its regional neighbors' energy infrastructure?
(51:19)
Yeah, and what you just described, it's a combination of cyber and kinetic attacks, right?
(51:25)
So what's been shown over time is a preference for these pressure campaigns that are both painful and calibrated.
(51:31)
And it's pressure that's sharp enough to hurt, but it's still blurry enough that it makes retaliation really complicated.
(51:38)
And it can mean cyber disruption, proxy attacks, harassment of shipping, or like I said, kinetic strikes, right, that are attacking energy and infrastructure targets.
(51:48)
So when people talk about the threat to the Gulf states in the regional area, the key isn't just that they can be attacked.
(51:54)
It's that there's always an attempt to create additional leverage, you know, without necessarily crossing straight into all-out war.
(52:01)
And so that's what makes the attacks in this region so confusing and hard to pinpoint.
(52:06)
We just kind of are following the aftermath and trying to better understand what's happened and not necessarily able to really firmly grasp how to prevent it.
(52:14)
So the cyber piece matters, particularly because it leaves options that are just below the threshold of conventional escalation.
(52:21)
And the kinetic piece, of course, it matters because the region has also seen real-world attacks on areas like shipping and energy infrastructure, military-linked targets, like you mentioned, the different targets that were hit with drone activity.
(52:31)
It's pressure from two different directions, with one hitting the network, but the other one is hitting in the real world.
(52:38)
I mean, it's visible to everybody around them.
(52:40)
You have civilians who are watching their infrastructure crumble in real time.
(52:44)
And so this combo move, it creates so much confusion and raises the stakes and raises the fear, right?
(52:51)
It's keeping the fear at an escalated and heightened level at all times.
(52:55)
So for our allies and our forward deployed forces, it means that they have to be resilient more than they can be adaptive.
(53:05)
So physically hardened bases, like your traditional gates, guards, and guns, redundant communications, we talked about redundancy at the top of the pod, air and missile defenses, contingency planning for commercial infrastructure outages.
(53:18)
This is your true defense in depth, but it's going way beyond your cyber environment and into your physical environment as well.
(53:24)
And for energy companies, the lesson is that regional risk is no longer just about oil prices.
(53:29)
I mean, it's about operational continuity and OT security, shipping exposures, partner risk, and whether disruption at a local utility or joint venture site can cascade into business interruption.
(53:40)
We talked about reliance on critical infrastructure.
(53:42)
Who's going to be impacted by these attacks?
(53:45)
And so the Gulf's infrastructure isn't a backdrop into geopolitics.
(53:49)
It's one of the main instruments, and it's something that is either already or in very short time going to impact all of us in our day-to-day, no matter how far we live from the region.
(54:02)
Yeah, and you know, one of the big areas that the Threat Intel report hits on is looking at, you know, the Iranian prepositioning of, we'll say, assets, right?
(54:17)
Yeah.
(54:18)
And this is really a key piece that I think is worth really diving into.
(54:24)
You know, we have Iranian alleged actors prepositioning for destructive operations against U.S. critical infrastructure.
(54:33)
Dave, let's try to be a little precise here.
(54:37)
What does prepositioning mean, and why is now the time to be worried?
(54:42)
So prepositioning starts all before any destructive action.
(54:46)
The team PCP and Axios supply chain attacks didn't just compromise SaaS environments, they generated a massive harvest of cloud credentials, SSH keys, and authentication tokens across a zillion organizations, including energy sector vendors.
(54:59)
Iranian actors are positioned to target energy, water, and transportation sectors, exploiting legacy ICS and weak segmentation with operations designed not only for immediate disruption, but for prepositioning access for future escalation.
(55:13)
That's creating lateral risk inside networks that may only surface during moments of geopolitical crisis.
(55:18)
The credential pull from March's supply chain attack is precisely the kind of material that funds that access.
(55:23)
The entry points are well documented.
(55:25)
Iranian operations will likely leverage phishing campaigns for credential theft and account takeover, exploitation of unpatched edge devices, such as VPNs or firewalls, and lateral movement through third-party vendors and managed service providers with privileged access to OT environments.
(55:40)
Third-party compromise is particularly dangerous in energy.
(55:43)
IT integrators and remote monitoring vendors routinely have persistent access to OT networks, and their security postures are rarely scrutinized at the same level as the operator itself.
(55:52)
Once they're inside the IT environment, they can pivot toward the OT, which is the critical escalation step.
(55:59)
Iranian actors have been teleported from exploiting default credentials on PLCs to deploying custom ICS malware platforms, and most recently to actively exploiting a critical authentication bypass in Rockwell Automation controllers across U.S. energy, water, and government facilities.
(56:16)
A six-agency joint advisory confirmed operational disruption and financial loss at multiple U.S. organizations already.
(56:23)
They're not mapping networks anymore.
(56:25)
They're manipulating physical processes.
(56:27)
That's where the STRIKER blueprint becomes the energy sector's nightmare scenario.
(56:31)
Iran demonstrated with STRIKER that gaining administrative access to a corporate endpoint management platform, which was one legitimate tool, is sufficient to simultaneously destroy operations across an entire global enterprise.
(56:42)
Unit 42 assessed that Iranian-affiliated actors installed Rockwell Automation's FactoryTalk software on their own infrastructure to enable exploitation efforts against ICS targets, which means that they are rehearsing.
(56:53)
They're learning the tools that energy operators use to manage physical equipment the same way they learned Microsoft Intune before STRIKER.
(57:00)
So this scenario kind of writes itself.
(57:02)
Credentials harvested from a supply chain breach give initial IT access to an energy operator.
(57:08)
Phishing establishes persistence.
(57:09)
Attack surface mapping identifies the OT management layer.
(57:12)
And then with one admin console and one command, the equivalent of a remote wipe, but for turbines, substations, and grid control systems.
(57:19)
That's not hypothetical.
(57:20)
That's the logical extension of a capability Iran already demonstrated.
(57:23)
Right.
(57:25)
And, you know, I think it's worth pointing out there is a certain amount of irony here.
(57:29)
You know, one of the easiest, one of the very common vectors has been, you know, hitting unpatched edge network devices and VPNs, right?
(57:40)
Well, those patches come from somewhere, and are you going to auto-update them?
(57:44)
And what are you doing to assess those patches, right?
(57:48)
There's a lot of interesting downstream problems for sure.
(57:52)
Yeah.
(57:53)
But let's, you know, let's kind of dig on this a little bit more.
(57:58)
The report specifically calls out the kinetic strikes against Iranian critical infrastructure, including the energy sector, as driving reciprocal cyber threats or cyber intent.
(58:14)
So, you know, the escalation loop, you know, Iran gets hit physically, they hit back digitally.
(58:20)
And how can we talk, we touched on this a little bit earlier, right?
(58:24)
How confident are we in the attribution and that intent assessment?
(58:29)
So, kind of a quick and important and a close note, because attribution language matters, and "Iran did this" and "Iran could do this" are different statements.
(58:38)
What we have confirmed is demonstrated capability. Tracing the history of Iranian cyber retaliation against perceived geopolitical slights, there's a clear escalating pattern of capability and intent over the last decade.
(58:51)
That's from Shamoon in 2012, to ZeroCleare against energy and industrial sectors, to the shift to custom wiper malware, to native administrative tool abuse at STRIKER.
(59:00)
The progression is not inference, it's a documented capability ladder.
(59:04)
Demonstrated intent against U.S. energy specifically is assessed, not confirmed.
(59:08)
It rests on three pillars.
(59:10)
First is TTP overlap between observed Iranian tooling and energy sector reconnaissance activity.
(59:15)
The second is E-ISAC warnings in our QBR.
(59:19)
And the third is historical patterns.
(59:21)
So, Iran's approach is no longer episodic or symbolic, reflecting a sustained strategic posture that treats cyberspace as an extension of state power,
(59:29)
with operations designed to create latent risk inside networks that surfaces during moments of geopolitical crisis.
(59:35)
So, Andrea, from where you sit with, you know, federal defense customers, how are they receiving this forecast?
(59:43)
And what does Shields Up actually look like operationally for a defense contractor or a federal agency that depends on that commercial grid infrastructure?
(59:53)
Well, those are good questions.
(59:55)
And, I mean, I've been part of this discussion as part of the National Cyber Summit and other cyber defense conferences for the past several years.
(01:00:03)
And so, you know, they are readily receiving this forecast.
(01:00:07)
They're very aware that this was possible.
(01:00:09)
They've talked about the possibilities.
(01:00:11)
They've fortunately been wargaming these for a very long time.
(01:00:14)
I mean, of course, it's very scary to see it come to life.
(01:00:17)
And, you know, when you previously thought, like, this is the most outrageous thing we can possibly imagine happening, and then now we're seeing it play out in real time.
(01:00:25)
But, you know, CISA's Shields Up is actually really great.
(01:00:29)
It's proactive, and it's shifted everyone's mindset from compliance to are we ready to operate through an attack, right?
(01:00:35)
So it's no longer a case of if, but when.
(01:00:38)
And it's not assigning blame to any organization that gets attacked.
(01:00:41)
It's not assigning blame to programs that have vulnerabilities or have been exploited.
(01:00:45)
What it's saying is let's just assume everyone is going to be exploited or attacked at some point.
(01:00:50)
How quickly can you recover and continue to deliver on your mission with minimum impact, right?
(01:00:55)
So what we want to see is minimum downtime, certainly no loss of life, minimize the loss of our assets, you know, of our, well, anything that's central to the mission of that specific government unit.
(01:01:06)
So it's recognizing the reality of the world that we live in today versus thinking about it either that we've overhardened or overprotected our environments or that we're overconfident about how protected we really are.
(01:01:18)
And it's telling all federal agencies to assume elevated threat conditions at all times, right?
(01:01:24)
So instead what they're doing is they're focusing on fundamentals like patching and identity security and monitoring and incident response readiness.
(01:01:31)
And you're seeing more and more emphasis on cyber tabletop exercises, more wargaming, more creativity in how to respond and coming up with, again, that defense in depth approach where, you know, they have systems of redundancies and complexities that maybe they didn't have before because they were a little bit either overrelying on their systems or overconfident in their ability to protect them.
(01:01:53)
So now the supply chain angle, of course, is where things get really interesting and really messy.
(01:01:58)
So a cleared contractor may have strong internal controls, but if one of their vendors, like we talked about before, or an equipment supplier or a managed service provider that they use is compromised, that becomes an entry point into their system as well.
(01:02:11)
So the risk doesn't live anymore within their own networks, but it's in the entire ecosystem, the entire supply chain.
(01:02:18)
And previously, all of those controls relied solely on attestation, again, that best practice and assumption that they were doing what they were supposed to do in order to be a government contractor.
(01:02:31)
And sector-specific ISACs are playing a key role here now in translating government warnings into actionable intelligence that is sector-relevant.
(01:02:40)
So operationalized, actionable intelligence, which is the key.
(01:02:45)
And the broader trend is towards a more public-private partnership model with the government sharing their threat intelligence with the public sector, right, the commercial sector, and other data that they have access to exclusively because they're the government.
(01:03:01)
And then industry has the ability to move at the speed of business.
(01:03:04)
So they can move much faster.
(01:03:05)
They can contribute best practices.
(01:03:07)
They can contribute policies and tool sets and platforms and, you know, all of these things in order to enable the policies and practices and needs of these government programs.
(01:03:18)
All right.
(01:03:20)
So I think we're going to wind down here and wrap up.
(01:03:25)
I wanted to kind of cap this off with the recommendations, right?
(01:03:29)
We've talked a lot about the threats and a lot of things going on.
(01:03:33)
We'll talk about some of those.
(01:03:35)
Now the good news.
(01:03:35)
Yeah, right.
(01:03:36)
Yeah, here's all the good news.
(01:03:37)
You get to do all this work.
(01:03:38)
So, you know, the recommendations, right?
(01:03:41)
And there's some recommendations from the report.
(01:03:42)
And I think we've kind of talked about them throughout, right?
(01:03:45)
So let me run you guys through a couple of the report, the recommendations, and then I'll hand it back to you guys for some commentary, right?
(01:03:54)
So the Fortress recommendations.
(01:03:56)
So harden identity and access paths, doing things like enforcing MFA, eliminating shared vendor credentials, locking down VPN and edge devices, and applying zero trust controls, as one big category.
(01:04:12)
So I call those the security basics, right?
(01:04:14)
Those security basics that are easy for me to implement, and I'm not everyone.
(01:04:18)
And isolating and protecting OT and ICS: segmenting IT from OT networks, governing all remote access strictly, deploying ICS-aware monitoring, and maintaining offline backups of control logic and configurations.
(01:04:36)
And then finally, following CISA's Shields Up guidance for organizations, and really more to the point, treating it as a baseline and not just an aspirational guide, right?
(01:04:49)
So Dave, you know, there's this, this is always one of those fun questions, right?
(01:04:54)
So the team comes in Monday, right?
(01:04:57)
What could they do based on this report to kind of actively move the needle in terms of the threat intelligence results here?
(01:05:05)
Sure.
(01:05:06)
So your DevSecOps pipeline.
(01:05:08)
Audit your GitHub action workflows from March 19th to March 23rd.
(01:05:12)
You're looking for any references to tpcp.tar.gz, AquaSecurity, or checkmarks.zone in runner logs.
(01:05:19)
Then search your GitHub organization for any repository named tpcp-docs.
(01:05:24)
Its presence is a clear sign data was successfully exfiltrated.
(01:05:28)
If organizations use Trivy, Checkmarx GitHub Actions, or LiteLLM, assume compromise and rotate every credential on affected systems.
(01:05:35)
Cloud keys, SSH keys, Kubernetes tokens, all of it.
(01:05:38)
Secondly, your perimeter.
(01:05:40)
So pull up your VPN and edge device inventory and ask one question.
(01:05:44)
Are any vendor accounts still using shared or default credentials?
(01:05:47)
The pull-in grid attack and the Iranian E-ISAC reconnaissance activity in our QBR both started exactly there.
(01:05:53)
The three highest impact actions don't require large budgets.
(01:05:57)
Take ICS interfaces off the Internet, change default passwords, and block industrial protocol ports at the perimeter.
(01:06:03)
None of these actions requires budget approval, and all of them can close doors that are open right now.
(01:06:08)
Okay.
(01:06:09)
Thank you.
(01:06:10)
Yeah, and so, Andrea, a final word from the federal and DIB side?
(01:06:14)
How about a few final words?
(01:06:17)
Okay, a few final words.
(01:06:18)
What I'd leave people with is that what we're talking about isn't theoretical, right?
(01:06:23)
So, obviously, here at Fortress, we're seeing it professionally.
(01:06:26)
But, I mean, just as normal people out in the world, we're seeing it in the news every day on a global scale.
(01:06:31)
It's impacting the DIB, for sure, and our Department of Defense customers and partners.
(01:06:36)
But it's also impacting all other industries and the people who rely on these systems.
(01:06:41)
We talked about the people who are reliant on critical infrastructure.
(01:06:44)
So, it's not a question of whether your professional organization or someone in your supply chain has been targeted or will be targeted.
(01:06:51)
Just assume that they have, right?
(01:06:54)
And then focus on whether or not you have clear visibility to know that when it does happen, you will have the ability to respond before it becomes a full-blown crisis for you, right?
(01:07:06)
That's the key.
(01:07:07)
Assume that it's all vulnerable.
(01:07:09)
Now what?
(01:07:10)
So, that's why continuous monitoring matters so much.
(01:07:13)
It gets away from a security snapshot in time, you know, that regulatory checkbox.
(01:07:18)
And instead, it allows you to catch a change in real time before it can scale across your environment, you know?
(01:07:23)
Nobody wants to read about their vendor or themselves being breached in a threat intelligence brief at the end of next quarter when it's already too late.
(01:07:31)
And for federal and DIB customers especially, we help to understand and contextualize the third-party risk in near real time so that when that event happens, you're not starting from zero or forever tied to a headline about a disastrous breach.
(01:07:47)
It's absolutely the worst time to find out that you have a blind spot when someone's already in it.
(01:07:53)
And we've seen what happens over and over again when organizations find out through the breach.
(01:07:59)
So, you don't have the luxury of building the visibility while you're managing an incident.
(01:08:04)
You can't do both at the same time, right?
(01:08:06)
So, by the time you're responding, it's too late to wish that you had been paying attention.
(01:08:11)
Yeah, for sure.
(01:08:13)
And I think that's sort of the lament of everyone who's done incident response.
(01:08:19)
Yeah.
(01:08:20)
Could have, should have been.
(01:08:21)
We're here now, right?
(01:08:22)
We're here now.
(01:08:23)
You've got to do something.
(01:08:24)
So, wish we had done something earlier, right?
(01:08:26)
Yeah.
(01:08:27)
So, well, that is it for the Q1 2026 podcast for the Fortress Threat Intelligence Summary.
(01:08:36)
Dave, Andrea, thank you both for being here.
(01:08:39)
If you want to go any deeper on this, please reach out to us at Fortress.
(01:08:43)
The link's in the show notes.
(01:08:44)
And if you found this useful, subscribe, share it with your security team, and we'll see you next time.
(01:08:49)
Take care.
(01:08:50)
Bye-bye.