Subscriber Use Only
TLP: AMBER · Not for Public Release
Distribution: Defense Sector Subscribers
Defense Sector Intelligence Brief
Correlated · Sector-Specific · Plain Language
Week of March 27, 2026
Sources: CISA · NSA · FBI · Dragos · Palo Alto Unit 42 · FARA · OSINT
National Threat Level: Elevated
Three active nation-state campaigns targeting U.S. defense contractors this week. Iranian APT activity elevated following Operation Epic Fury. Chinese pre-positioning via Volt Typhoon continues. Russian CDC targeting persistent. Physical indicators in two regions warrant attention.
What You Need To Know This Week
For Decision Makers — Plain Language

This week's threat picture for U.S. defense contractors is dominated by three converging campaigns. Iranian cyber actors have significantly elevated activity following the U.S.-Israel Operation Epic Fury strikes, retaliating against defense industrial base targets with opportunistic exploitation of known vulnerabilities. Simultaneously, Chinese state-sponsored actor Volt Typhoon continues embedding inside critical infrastructure networks — not attacking yet, but positioning. Russian actors remain persistent against cleared defense contractors, using credential theft and spearphishing to access weapons development and communications data.

On the physical layer, two FARA-flagged entities have been identified operating in proximity to defense facilities in the Ohio corridor — relevant to organizations in the Columbus and Dayton regions. This aligns with the known pattern of physical pre-positioning preceding cyber escalation.

The bottom line: your organization faces elevated risk on both digital and physical fronts this week. Immediate priority actions are listed under each threat item below.

Active Campaigns Targeting Defense Sector (Sources: CISA · NSA · FBI · Dragos · Unit 42)
Iranian APT Retaliation — Elevated Post-Epic Fury
Critical
Sources: CISA CVIE March 2026 · Qualys Threat Dashboard · Joint FBI/CISA Advisory
Following the U.S.-Israel Operation Epic Fury strikes on Iran beginning February 28, 2026, CISA issued a Cyber Vulnerability Insights Estimate identifying 136 CVEs that Iranian government-sponsored actors have shown active interest in, targeted, or successfully exploited. Defense contractors are priority targets. Iranian-affiliated actors exploit unpatched software, default passwords, and internet-connected industrial control systems. Their tactics are of lower sophistication but highly scalable — they don't need a zero-day when your VPN hasn't been patched in six months. Dragos additionally identified a new Iranian-linked group, Pyroxene (overlapping with IRGC's Imperial Kitten/APT35), conducting supply chain attacks targeting defense and critical infrastructure sectors, now expanding into North America from the Middle East.
Action Required: Audit all internet-facing systems against CISA's CVIE catalog immediately. Priority patch: any unpatched Fortinet, Ivanti, Cisco, or Palo Alto edge devices. Enable MFA on all remote access. Report anomalous authentication attempts to ic3.gov.
Volt Typhoon — Active Pre-Positioning in Defense Industrial Base
Critical
Sources: CISA AA24-038A · Dragos 2026 Annual Report · Palo Alto Unit 42 · DefenseScoop
Volt Typhoon (PRC state-sponsored, also tracked as Voltzite by Dragos) continued embedding inside U.S. critical infrastructure throughout 2025 and into 2026. Critically, Dragos CEO Robert Lee confirmed in February 2026 that Voltzite was getting "inside the control loop" of utility systems — not just maintaining access, but positioning for future disruption. The Air Force publicly warned this week that Volt Typhoon's persistent access to critical infrastructure and key resources (CIKR) could enable China to wage "total war" against the U.S. by targeting base utilities. Defense contractors dependent on public utilities are directly in the blast radius. Tactics: living-off-the-land using legitimate Windows tools (wmic, netsh, PowerShell), SOHO router compromise for C2 traffic masking, and credential harvesting via NTDS.dit extraction.
Action Required: Hunt for LOLBin abuse in your environment. Review SOHO/edge device logs for unusual outbound connections. Audit Active Directory for unauthorized NTDS.dit access. Implement CISA CPG 2.0 OT-specific controls if any OT systems are present. Do not assume prior FBI disruption of KV Botnet eliminated the threat — it has been rebuilt.
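The LOLBin and NTDS.dit hunt called for above, as an added worked example (not code from the brief, CISA or Dragos). It runs three checks over process-creation records in the shape of Sysmon event 1 / Windows 4688 fields: a tool named in the brief (wmic, netsh, PowerShell) launched by a parent that should never spawn a shell, any execution of ntdsutil.exe or any command line naming ntds.dit, and a burst of distinct living-off-the-land tools by one user on one host. The events are constructed; the suspicious-parent list, the five-minute window and the three-tool threshold are assumptions to tune against your own baseline.

```python
"""Hunt for living-off-the-land tool use and NTDS.dit access in process-creation logs.

Added example, not from the brief or its sources. EVENTS are constructed
records (Sysmon event 1 / Windows 4688 style); SUSPICIOUS_PARENTS,
BURST_WINDOW and BURST_MIN_DISTINCT are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOLBINS = {"wmic.exe", "netsh.exe", "powershell.exe"}      # tools named in the brief
NTDS_TOOLS = {"ntdsutil.exe"}                              # legitimate AD tool able to export NTDS.dit
SUSPICIOUS_PARENTS = {"w3wp.exe", "winword.exe", "excel.exe", "outlook.exe"}  # assumption
BURST_WINDOW = timedelta(minutes=5)                        # assumption
BURST_MIN_DISTINCT = 3                                     # assumption


def basename(path: str) -> str:
    """'C:\\Windows\\System32\\WMIC.EXE' -> 'wmic.exe' (case-folded, slash-agnostic)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ev(ts, host, user, parent, image, cmd):
    return {"ts": ts, "host": host, "user": user, "parent_image": parent,
            "image": image, "command_line": cmd}


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
T0 = datetime(2026, 3, 27, 8, 0)
EVENTS = [  # constructed sample events
    ev(T0 + timedelta(minutes=1), "WS01", "CORP\\alice", "C:\\Windows\\explorer.exe",
       PS, "powershell.exe -File C:\\Reports\\weekly.ps1"),        # benign interactive use
    ev(T0 + timedelta(minutes=2), "SRV-WEB", "IIS APPPOOL\\site",
       "C:\\Windows\\System32\\inetsrv\\w3wp.exe", PS, "powershell.exe -NoProfile"),  # web worker -> shell
    ev(T0 + timedelta(minutes=3), "DC01", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
       "C:\\Windows\\System32\\ntdsutil.exe", "ntdsutil.exe"),     # NTDS tooling on a DC
    ev(T0 + timedelta(minutes=5), "WS07", "CORP\\bob", "C:\\Windows\\System32\\cmd.exe",
       "C:\\Windows\\System32\\wbem\\wmic.exe", "wmic.exe"),
    ev(T0 + timedelta(minutes=6), "WS07", "CORP\\bob", "C:\\Windows\\System32\\cmd.exe",
       "C:\\Windows\\System32\\netsh.exe", "netsh.exe"),
    ev(T0 + timedelta(minutes=7), "WS07", "CORP\\bob", "C:\\Windows\\System32\\cmd.exe",
       PS, "powershell.exe"),                                       # three LOLBins in 2 minutes
]


def hunt(events):
    """Return (rule, host, user, detail) tuples for each suspicious observation."""
    findings = []
    lolbin_runs = defaultdict(list)          # (host, user) -> [(ts, image), ...] in time order
    for e in sorted(events, key=lambda e: e["ts"]):
        img, parent = basename(e["image"]), basename(e["parent_image"])
        cmd = e["command_line"].lower()
        if img in LOLBINS and parent in SUSPICIOUS_PARENTS:
            findings.append(("lolbin-from-suspicious-parent", e["host"], e["user"], img))
        if img in NTDS_TOOLS or "ntds.dit" in cmd:
            findings.append(("ntds-access", e["host"], e["user"], img))
        if img in LOLBINS:
            lolbin_runs[(e["host"], e["user"])].append((e["ts"], img))
    # Burst check: BURST_MIN_DISTINCT different LOLBins by one actor inside BURST_WINDOW.
    for (host, user), runs in lolbin_runs.items():
        for i, (t0, _) in enumerate(runs):
            window = {img for t, img in runs[i:] if t - t0 <= BURST_WINDOW}
            if len(window) >= BURST_MIN_DISTINCT:
                findings.append(("lolbin-burst", host, user, ",".join(sorted(window))))
                break                          # one finding per actor is enough for triage
    return findings


if __name__ == "__main__":
    for rule, host, user, detail in hunt(EVENTS):
        print(f"{rule:32} host={host:8} user={user:20} {detail}")
```

Feed it the output of your EDR or Sysmon pipeline in the same field shape; the burst rule is the one most worth tuning, since admin scripting on jump hosts will trip it until you allowlist those hosts.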
Russian State-Sponsored — Cleared Defense Contractor Targeting
High
Sources: CISA/FBI/NSA Joint Advisory AA22-047A (ongoing) · CISA Emergency Directive 26-03
Russian state-sponsored actors continue persistent targeting of U.S. cleared defense contractors (CDCs) supporting Army, Air Force, Navy, Space Force, and Intelligence Community programs. Primary objectives: weapons platform development timelines, communications infrastructure plans, export-controlled technology. TTPs include brute force credential attacks against M365 accounts, spearphishing with malicious domain links, harvested credentials combined with known CVEs for privilege escalation, and Active Directory mapping. In several documented instances, actors maintained persistent access for over six months using legitimate credentials. Additionally, CISA Emergency Directive 26-03 this week calls on federal agencies to inventory SD-WAN systems and apply mitigations for CVE-2026-20127 and CVE-2022-20775 — relevant for any contractor with federal network adjacency.
Action Required: Enforce MFA on all M365 and cloud accounts immediately. Review authentication logs for impossible logins and VPS-originated access. Audit SD-WAN infrastructure against CVE-2026-20127 and CVE-2022-20775. Implement centralized SIEM logging if not already in place.
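The authentication-log review in the action item above (impossible logins, VPS-originated access, and the brute-force pattern described for these actors), as an added worked example that is not from the brief, CISA, the FBI or NSA. It groups sign-in records per user, flags consecutive successful logins whose implied travel speed exceeds what airline travel allows, flags successes from ASNs you classify as hosting providers, and flags a run of failures inside a short window. The records are constructed (documentation IP ranges, ASNs from the AS64496-AS64511 documentation block standing in for a real ASN/geo enrichment), and every threshold is an assumption to tune per tenant.

```python
"""Authentication-log review: impossible travel, hosting-provider (VPS) origins,
and brute-force bursts.

Added example, not from the brief or its sources. RECORDS are constructed
sign-in events; lat/lon and ASN would normally come from a geo/ASN lookup.
HOSTING_ASNS, MAX_PLAUSIBLE_KMH, FAIL_THRESHOLD and FAIL_WINDOW are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

HOSTING_ASNS = {64500, 64501}          # assumption: ASNs treated as VPS/hosting origins
MAX_PLAUSIBLE_KMH = 900.0              # assumption: faster than any airline itinerary
FAIL_THRESHOLD = 10                    # assumption
FAIL_WINDOW = timedelta(minutes=10)    # assumption


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def rec(user, ts, ip, lat, lon, asn, result):
    return {"user": user, "ts": ts, "ip": ip, "lat": lat, "lon": lon, "asn": asn, "result": result}


D = datetime(2026, 3, 27)
COLUMBUS, DAYTON, FRANKFURT = (39.96, -82.99), (39.76, -84.19), (50.11, 8.68)
RECORDS = (  # constructed sample sign-ins
    [rec("alice", D + timedelta(hours=9), "198.51.100.10", *COLUMBUS, 64496, "success"),
     rec("alice", D + timedelta(hours=9, minutes=30), "203.0.113.50", *FRANKFURT, 64500, "success"),
     rec("carol", D + timedelta(hours=11), "198.51.100.11", *COLUMBUS, 64496, "success"),
     rec("carol", D + timedelta(hours=14), "198.51.100.12", *DAYTON, 64496, "success")]
    + [rec("bob", D + timedelta(hours=10, seconds=20 * i), "203.0.113.7", *COLUMBUS, 64497, "failure")
       for i in range(12)]
    + [rec("bob", D + timedelta(hours=10, minutes=5), "203.0.113.7", *COLUMBUS, 64497, "success")]
)


def analyze(records):
    """Return (rule, user, detail) tuples; at most one finding per rule per user."""
    findings = []
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    for user, rs in by_user.items():
        successes = [r for r in rs if r["result"] == "success"]
        # Rule 1: successful sign-in from an ASN classified as hosting / VPS.
        vps = [r["ip"] for r in successes if r["asn"] in HOSTING_ASNS]
        if vps:
            findings.append(("vps-origin", user, f"success from hosting ASN, ip={vps[0]}"))
        # Rule 2: consecutive successes that would require implausible travel speed.
        for prev, cur in zip(successes, successes[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = max((cur["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 3600)  # floor: 1 s
            if km / hours > MAX_PLAUSIBLE_KMH:
                findings.append(("impossible-travel", user, f"{km:.0f} km in {hours:.2f} h"))
                break
        # Rule 3: FAIL_THRESHOLD or more failures inside FAIL_WINDOW.
        fails = [r["ts"] for r in rs if r["result"] == "failure"]
        for i, t0 in enumerate(fails):
            n = sum(1 for t in fails[i:] if t - t0 <= FAIL_WINDOW)
            if n >= FAIL_THRESHOLD:
                later_success = any(r["result"] == "success" and r["ts"] > t0 for r in rs)
                findings.append(("brute-force", user, f"{n} failures; later success={later_success}"))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in analyze(RECORDS):
        print(f"{rule:18} {user:8} {detail}")
```

A brute-force finding followed by a success is the one to escalate first: with legitimate credentials in hand these actors have stayed resident for months, so treat it as a compromised-account response rather than a lockout event.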
ICS/OT Vulnerabilities — Defense Industrial Base Exposure
High
Sources: CISA ICS Advisories · Industrial Cyber · CISA CPG 2.0 December 2025
CISA recently flagged critical vulnerabilities in industrial control systems deployed across the defense industrial base, critical manufacturing, and transportation sectors. Affected vendors include Siemens, Schneider Electric, Rockwell, and National Instruments LabVIEW — common in defense manufacturing environments. CVSS scores range from 7.8 to 8.2. Successful exploitation allows arbitrary code execution and information disclosure. Separately, Claroty reports that 82% of CPS attacks in 2025 used remote access protocols, with hacktivists actively targeting HMIs and SCADA systems at scale. CISA CPG 2.0, released December 2025, now addresses IT and OT holistically with new zero-trust requirements for lateral movement prevention.
Action Required: Inventory all ICS/OT systems against CISA's recent advisories. Patch or isolate affected Siemens, Schneider, Rockwell, and LabVIEW systems. Restrict remote access protocols to OT environments. Review CPG 2.0 zero-trust goals for OT applicability.
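Both the CVIE audit of internet-facing systems (Iranian APT item above) and the ICS/OT inventory check in this item reduce to the same job: join an asset inventory against an advisory catalog on vendor, product and affected version range, then rank by exposure. The following is an added worked example of that join, not code from the brief or CISA. The catalog entries, CVE identifiers (CVE-0000-000x) and hostnames are constructed placeholders; a real run loads the CVIE and ICS advisory data into CATALOG and your CMDB export into INVENTORY.

```python
"""Cross-reference an asset inventory against an advisory CVE catalog.

Added example, not from the brief or its sources. CATALOG and INVENTORY are
constructed; the CVE ids are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """'7.0.12' -> (7, 0, 12); a non-numeric suffix ('22.4-patch1') is dropped."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as a <, ==, > b; shorter tuples are zero-padded so 7.0 == 7.0.0."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(version: str, introduced: Optional[str], fixed: str) -> bool:
    """Affected when introduced <= version < fixed (introduced=None: all earlier builds)."""
    if introduced is not None and compare_versions(version, introduced) < 0:
        return False
    return compare_versions(version, fixed) < 0


@dataclass(frozen=True)
class CatalogEntry:
    cve: str                    # placeholder id, constructed for this example
    vendor: str                 # lower-case for matching
    product: str
    introduced: Optional[str]   # first affected version, None = every earlier version
    fixed: str                  # first fixed version (exclusive upper bound)
    source: str                 # which advisory list it came from


@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str
    version: str
    internet_facing: bool


CATALOG = [  # constructed placeholders, not real advisories
    CatalogEntry("CVE-0000-0001", "fortinet", "fortios", None, "7.0.12", "CVIE"),
    CatalogEntry("CVE-0000-0002", "ivanti", "connect secure", "22.0", "22.6", "CVIE"),
    CatalogEntry("CVE-0000-0003", "siemens", "simatic", "2.0", "2.1", "ICS advisory"),
    CatalogEntry("CVE-0000-0004", "rockwell", "factorytalk", None, "13.0", "ICS advisory"),
]

INVENTORY = [  # constructed CMDB export
    Asset("fw-edge-01", "Fortinet", "FortiOS", "7.0.9", True),
    Asset("fw-edge-02", "Fortinet", "FortiOS", "7.0.12", True),    # already at the fixed build
    Asset("vpn-01", "Ivanti", "Connect Secure", "22.4", True),
    Asset("plc-line3", "Siemens", "SIMATIC", "2.0.1", False),
    Asset("hmi-line3", "Rockwell", "FactoryTalk", "13.1", False),  # above the fixed build
]


def find_exposures(inventory, catalog):
    """Return (priority, host, cve, source) tuples, internet-facing matches first."""
    findings = []
    for a in inventory:
        for c in catalog:
            if (a.vendor.lower(), a.product.lower()) != (c.vendor, c.product):
                continue
            if is_affected(a.version, c.introduced, c.fixed):
                priority = "CRITICAL" if a.internet_facing else "HIGH"
                findings.append((priority, a.host, c.cve, c.source))
    findings.sort(key=lambda f: (f[0] != "CRITICAL", f[1]))
    return findings


if __name__ == "__main__":
    for priority, host, cve, source in find_exposures(INVENTORY, CATALOG):
        print(f"{priority:8} {host:12} {cve:14} ({source})")
```

The inventory field that matters most is `internet_facing`: the same Fortinet finding is a patch-this-week item on an edge device and a scheduled-maintenance item behind a firewall, which is why the join ranks on exposure rather than on CVSS alone.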

Pre-Positioning & Proximity Indicators (Sources: FARA Filings · OSINT · Open Corporate Records)
Ohio Corridor — FARA-Flagged Entities Near Defense Facilities
Monitor
Sources: FARA Registration Database · OSINT Corporate Filings · DOJ Public Records
Two entities with foreign principal registrations under FARA have been identified operating within proximity of defense facilities in the Ohio corridor — relevant to organizations in Columbus and the Dayton/Wright-Patterson AFB region. One entity, registered as a consulting firm, lists a principal office within 4 miles of a known defense contractor cluster. A second entity, registered under a separate foreign principal, has incorporated a subsidiary in the Columbus metro area within the past 18 months. Neither registration alone constitutes illegal activity. The aggregate pattern — proximity to defense infrastructure, recent incorporation timing, and foreign principal connections — is consistent with documented pre-positioning behavior. This is a watch item, not a confirmed threat. Organizations in this region should be aware.
Action Required: No immediate action required. Heighten physical security awareness at facilities in the Columbus/Dayton corridor. Report any unusual physical surveillance or unexpected vendor/visitor activity to your security officer. Cross-reference any new vendor relationships against the FARA registration database.
Supply Chain Physical Access — Contractor Vetting Gap
Elevated
Sources: Flashpoint 2026 GTIR · FBI Counterintelligence · OSINT
Flashpoint's 2026 Global Threat Intelligence Report documented 91,321 instances of insider recruiting activity in 2025, averaging 1,162 insider-related posts per month — with extortionist groups specifically targeting employees at defense and critical infrastructure organizations to financially motivate insider access. Physical access through contractors and vendors represents the fastest growing non-cyber threat vector. The IRGC-linked group Pyroxene has been documented using recruitment-themed social engineering via fake social media profiles before delivering targeted spearphishing. The insider threat is not purely digital — it begins with physical and social access.
Action Required: Review contractor vetting procedures. Ensure all third-party physical access is logged and badged. Brief employees on recruitment-themed social engineering — especially those with public LinkedIn profiles listing cleared positions. Establish a clear insider threat reporting mechanism.

Active Threat Actor Profiles — Defense Sector (Sources: MITRE ATT&CK · Unit 42 · CISA · Dragos)
Volt Typhoon (Voltzite)
Also known as: Bronze Silhouette · Vanguard Panda · Insidious Taurus · Dev-0391
PRC State-Sponsored
Active since mid-2021. Primary mission: pre-position inside U.S. critical infrastructure for future disruption during geopolitical conflict — particularly a potential Taiwan scenario. FBI Director Wray called this group "the defining threat of our generation." As of February 2026, confirmed embedded inside U.S. utility control loops. Defense contractors dependent on public utilities are directly exposed. Does not need to attack your network to affect your operations.
Primary TTPs: LOLBins, SOHO Router C2, Credential Theft
Target Sectors: Defense, Energy, Telecom, Transportation
Activity Level: Active · Elevated
Pyroxene (IRGC-linked)
Overlaps with: Imperial Kitten · APT35 · Parisite (initial access provider)
Iranian State-Sponsored
Newly identified by Dragos in 2025. Conducts supply chain-leveraged attacks targeting defense, critical infrastructure, and industrial sectors. Expanding operations from Middle East into North America and Western Europe. Uses recruitment-themed social engineering via fake social media profiles before delivering spearphishing. Works with Parisite as an initial access broker into target networks. Elevated activity following Operation Epic Fury.
Primary TTPs: Supply Chain, Social Engineering, Spearphishing
Target Sectors: Defense, Critical Infrastructure, Industrial
Activity Level: Active · Expanding
Russian GRU / SVR — CDC Targeting Units
Associated with: Cozy Bear · Fancy Bear · historical CDC intrusion campaigns
Russian State-Sponsored
Long-running persistent campaign against U.S. cleared defense contractors. Primary objective is acquisition of weapons platform data, communications infrastructure plans, and export-controlled technology. Documented targeting of Army, Air Force, Navy, Space Force, and Intelligence Community contractors. Maintained access for 6+ months in multiple documented incidents using legitimate credentials. Pattern: brute force → credential theft → lateral movement → persistent access → long-term exfiltration.
Primary TTPs: Credential Theft, Spearphishing, M365 Compromise
Target Sectors: Cleared Defense Contractors (CDCs)
Activity Level: Persistent · Ongoing

This Week's Non-Negotiables
Immediate — This Week
1. Audit all internet-facing systems against CISA CVIE catalog
2. Patch Fortinet, Ivanti, Cisco edge devices
3. Enforce MFA on all M365 and cloud accounts
4. Inventory SD-WAN systems — patch CVE-2026-20127
5. Hunt for LOLBin abuse in Windows environments
Near-Term — 30 Days
1. Implement CISA CPG 2.0 zero-trust OT controls
2. Review contractor vetting and physical access logs
3. Brief employees on recruitment-themed social engineering
4. Establish centralized SIEM if not in place
5. Cross-reference vendors against the FARA registration database