Lazarus Group Deploys Medusa Ransomware Against U.S. Healthcare; Russian Hackers Exploit 600 Fortinet Firewalls Using AI; Critical SolarWinds Flaws Enable Root Access
Executive Summary
This week's intelligence reveals a significant escalation in nation-state cyber operations targeting critical infrastructure, with particular concern for healthcare and telecommunications sectors. Key developments requiring immediate attention:
- Healthcare Sector Under Attack: North Korea's Lazarus Group has expanded operations to deploy Medusa ransomware against U.S. healthcare organizations, representing a dangerous convergence of state-sponsored actors and ransomware operations targeting life-safety systems.
- AI-Enabled Attacks Accelerating: Multiple reports confirm threat actors are using artificial intelligence to increase attack speed and scale. A Russian threat actor exploited over 600 Fortinet firewalls in a single month using AI-assisted techniques, and CrowdStrike reports that the average breakout time has dropped to 29 minutes, with ReliaQuest observing AI-assisted attacks that achieved lateral movement in as little as four minutes.
- Critical Vulnerabilities in OT/ICS Systems: CISA issued three ICS advisories this week affecting building automation (Schneider Electric EcoStruxure) and SCADA systems (InSAT MasterSCADA). SolarWinds disclosed four critical Serv-U vulnerabilities enabling root-level server access.
- Supply Chain Threats Evolving: A sophisticated NPM supply chain attack dubbed "Sandworm_Mode" demonstrates worm-like propagation capabilities, targets CI/CD pipelines and AI coding assistants, and includes a destructive dead switch—representing an evolution in software supply chain attack methodology.
- DHS Partial Shutdown: The Department of Homeland Security remains in partial shutdown following a failed Senate funding vote, potentially impacting coordination capabilities for critical infrastructure protection activities.
Threat Landscape
Nation-State Threat Actor Activities
North Korea – Lazarus Group (Diamond Sleet/Pompilus)
- Lazarus Group has been confirmed deploying Medusa ransomware against healthcare targets in the Middle East and United States, according to The Hacker News and Bleeping Computer.
- This marks a significant tactical shift, as Lazarus traditionally focused on cryptocurrency theft and espionage rather than ransomware-as-a-service operations.
- Assessment: The targeting of healthcare organizations suggests either revenue generation priorities or potential preparation for disruptive operations. Healthcare sector organizations should treat this as an elevated threat requiring immediate defensive posture review.
Russia – AI-Enhanced Firewall Exploitation
- Amazon security researchers report a Russian threat actor exploited over 600 weakly protected Fortinet firewalls within a single month using AI-assisted attack techniques, per CSO Online.
- The campaign targeted organizations with inadequate patch management and default configurations.
- Assessment: This demonstrates how AI is enabling threat actors to scale exploitation of known vulnerabilities at unprecedented rates; the weaknesses being exploited are themselves ordinary. Organizations running Fortinet products should immediately verify patch status, ensure management interfaces are not exposed to the internet, replace default credentials, and review configuration hardening.
Russia – UAC-0050 Financial Sector Targeting
- The Russia-aligned threat cluster UAC-0050 has been observed targeting a European financial institution using spoofed domains and RMS (Remote Manipulator System) malware, per The Hacker News.
- The campaign employs social engineering tactics likely aimed at intelligence gathering or financial theft.
Russia – Hybrid Warfare Escalation
- Recorded Future released analysis warning that Russia is escalating hybrid warfare against NATO into a "coordinated, full-scale campaign blending cyber attacks, sabotage, and influence operations."
- European critical infrastructure operators should anticipate increased targeting across multiple threat vectors.
China – APT Exploitation of Security Tools
- Taiwan-based security firm TeamT5 confirmed a vulnerability in its ThreatSonar Anti-Ransomware product (recently added to CISA's Known Exploited Vulnerabilities catalog) is likely being exploited by Chinese APT groups, per SecurityWeek.
- Assessment: This represents a concerning trend of threat actors targeting security tools themselves, potentially to disable defenses or gain privileged access to protected environments.
China – UnsolicitedBooker Telecommunications Targeting
- The threat cluster UnsolicitedBooker has shifted targeting from Saudi Arabian entities to telecommunications companies in Kyrgyzstan and Tajikistan, deploying LuciDoor and MarsSnake backdoors, per The Hacker News.
- Central Asian telecommunications infrastructure may serve as strategic collection points for regional intelligence.
Ransomware and Cybercriminal Developments
ShinyHunters Extortion Campaign
- The ShinyHunters extortion group has claimed multiple high-profile breaches this week:
  - Wynn Resorts: Employee data stolen; company confirmed breach after appearing on ShinyHunters' leak site (Bleeping Computer)
  - CarGurus: 12.4 million account records allegedly stolen from the U.S. automotive platform
  - Odido: Dutch telecommunications provider breach affecting millions of users
- Assessment: ShinyHunters continues aggressive data theft and extortion operations across multiple sectors. Organizations should monitor for credential exposure and prepare incident response procedures.
Diesel Vortex Logistics Targeting
- A financially motivated group dubbed "Diesel Vortex" is conducting credential theft campaigns against freight and logistics operators in the U.S. and Europe using 52 malicious domains, per Bleeping Computer.
- Transportation and logistics sector organizations should implement enhanced email security and user awareness training.
Anonymous Fénix Arrests
- Spanish authorities arrested two additional members of the Anonymous Fénix cybercriminal group this month, following the arrest of the group's administrator and moderator last year, per SecurityWeek.
Attack Speed and AI-Enabled Threats
Dramatically Reduced Breakout Times
- CyberScoop reports that CrowdStrike's 2026 Global Threat Report puts the average time from initial intrusion to lateral movement at 29 minutes, which the report characterizes as a 65% increase in attacker speed over the prior year.
- Infosecurity Magazine reports ReliaQuest observed AI-powered attacks achieving breakout and exfiltration in under 10 minutes, with some cases as fast as four minutes.
- Assessment: These findings underscore the critical importance of automated detection and response capabilities. Manual incident response processes are increasingly inadequate against AI-accelerated attacks.
Insider Threat Developments
- DTEX research indicates the cost of insider incidents surged 20% to nearly $20 million in 2025, with employee negligence representing the most expensive category, per Infosecurity Magazine.
Sector-Specific Analysis
Healthcare & Public Health
ELEVATED THREAT LEVEL
- Lazarus Group Ransomware Operations: The confirmed deployment of Medusa ransomware by North Korean state actors against U.S. healthcare organizations represents a critical threat requiring immediate attention. Healthcare organizations should:
  - Review and test incident response and business continuity plans
  - Ensure offline backups of critical patient care systems
  - Implement network segmentation between IT and clinical systems
  - Verify endpoint detection and response coverage across all systems
- GAO Report on HHS Preparedness: The Government Accountability Office released findings indicating improved coordination is needed for HHS emergency preparedness programs, per Homeland Security Today. This finding takes on added urgency given the current threat environment.
Energy Sector
Building Automation Vulnerabilities
- CISA issued an advisory for Schneider Electric EcoStruxure Building Operation Workstation (ICSA-26-055-02). While primarily affecting building automation, these systems are deployed across energy sector facilities for environmental controls.
- Energy sector organizations should inventory EcoStruxure deployments and apply vendor mitigations.
Water & Wastewater Systems
SCADA System Vulnerabilities
- CISA advisory for InSAT MasterSCADA BUK-TS (ICSA-26-055-01) affects SCADA systems potentially deployed in water/wastewater environments.
- Water utilities should verify whether MasterSCADA products are in use and implement recommended mitigations.
Communications & Information Technology
Telecommunications Targeting
- UnsolicitedBooker targeting of Central Asian telecommunications providers (Kyrgyzstan, Tajikistan) demonstrates continued nation-state interest in communications infrastructure.
- Odido breach (Netherlands) by ShinyHunters affects millions of telecommunications customers, highlighting data protection challenges in the sector.
AI Development Security Concerns
- Anthropic disclosed that Chinese AI firms DeepSeek, Moonshot AI, and MiniMax conducted "industrial-scale campaigns" using 16 million queries to extract capabilities from Claude, per The Hacker News and Infosecurity Magazine.
- This "model distillation" attack represents intellectual property theft at scale and raises concerns about AI supply chain integrity.
Transportation Systems
Freight and Logistics Under Attack
- The Diesel Vortex credential theft campaign specifically targets freight and logistics operators across the U.S. and Europe.
- Transportation sector organizations should alert personnel to phishing risks and implement domain-based email authentication (SPF, DKIM and an enforcing DMARC policy of quarantine or reject). Note that these controls only stop forgery of the organization's own domains; the 52 attacker-controlled domains used in this campaign sit outside the organization's DNS and must be addressed through domain monitoring, blocklisting and user awareness.
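As an added illustration of what "implement DMARC, DKIM, SPF" means in practice, the following Python example (not from the briefing or any of the cited outlets) evaluates SPF and DMARC records for enforcement strength. The domains and TXT records are constructed for the example; `lookup_txt` returns them from an in-memory table so the check runs offline, and a real resolver can be substituted for live use.

```python
import re

# Constructed sample TXT records standing in for DNS answers (assumption:
# these are not real domains and the record data is invented for the example).
SAMPLE_TXT = {
    "freight-example.com": [
        "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
    ],
    "_dmarc.freight-example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@freight-example.com",
    ],
    "logistics-example.org": [
        "v=spf1 ip4:203.0.113.0/24 -all",
    ],
    "_dmarc.logistics-example.org": [
        "v=DMARC1; p=reject; sp=reject; pct=100; "
        "rua=mailto:dmarc@logistics-example.org",
    ],
}


def lookup_txt(name, zone=SAMPLE_TXT):
    """Return TXT strings for a name. Swap in a real resolver to query live DNS."""
    return zone.get(name, [])


def parse_spf(records):
    """Check an SPF record set: one record, a terminating 'all', <= 10 DNS lookups."""
    findings = []
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append("expected exactly one SPF record, found %d" % len(spf))
        return {"all": None, "findings": findings}
    qualifier = None
    lookups = 0
    for term in spf[0].split()[1:]:
        q = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        if body == "all":
            qualifier = q
        elif re.match(r"^(include:|a$|a:|mx$|mx:|exists:|redirect=)", body):
            lookups += 1  # mechanisms that cost a DNS lookup (RFC 7208 4.6.4)
    if lookups > 10:
        findings.append("%d lookup mechanisms; receivers permerror above 10" % lookups)
    if qualifier is None:
        findings.append("no 'all' term: unlisted senders evaluate to neutral")
    elif qualifier == "+":
        findings.append("'+all' authorizes any sender to use the domain")
    elif qualifier == "~":
        findings.append("'~all' softfail: forged mail is tagged, not rejected, unless DMARC enforces")
    return {"all": qualifier, "findings": findings}


def parse_dmarc(records):
    """Parse DMARC tags and report whether the published policy actually enforces."""
    findings = []
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append("expected exactly one DMARC record, found %d" % len(dmarc))
        return {"p": None, "enforcing": False, "findings": findings}
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))        # pct defaults to 100
    except ValueError:
        pct = 0
        findings.append("pct is not numeric")
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s: receivers take no action on failures" % (policy or "missing"))
    if sub_policy not in ("quarantine", "reject"):
        findings.append("sp=%s: subdomains remain spoofable" % (sub_policy or "missing"))
    if pct < 100:
        findings.append("pct=%d: only that share of failing mail is policed" % pct)
    if "rua" not in tags:
        findings.append("no rua: aggregate reports needed to spot abuse are not collected")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"p": policy, "sp": sub_policy, "pct": pct, "enforcing": enforcing, "findings": findings}


def assess_domain(domain, zone=SAMPLE_TXT):
    """Combine the SPF and DMARC checks for one sending domain."""
    spf = parse_spf(lookup_txt(domain, zone))
    dmarc = parse_dmarc(lookup_txt("_dmarc." + domain, zone))
    # Caveat: DMARC protects only this exact domain (and subdomains via sp).
    # Attacker-registered domains need separate monitoring and blocklisting.
    return {
        "domain": domain,
        "spf_all": spf["all"],
        "dmarc_policy": dmarc["p"],
        "enforcing": dmarc["enforcing"],
        "findings": spf["findings"] + dmarc["findings"],
    }


if __name__ == "__main__":
    for d in ("freight-example.com", "logistics-example.org"):
        result = assess_domain(d)
        print(d, "ENFORCING" if result["enforcing"] else "NOT ENFORCING")
        for finding in result["findings"]:
            print("  -", finding)
```

The first constructed domain publishes SPF and DMARC but with `~all` and `p=none`, so forged mail is only reported, never rejected; the second enforces. Run this against your own sending domains before assuming "we have DMARC" means spoofing is blocked.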
Maritime Security
- The U.S. Coast Guard highlighted port protection mission and joint force support capabilities in an Indo-Pacific wartime scenario exercise, per Homeland Security Today.
Financial Services
European Institution Targeting
- UAC-0050's social engineering campaign against a European financial institution using spoofed domains and RMS malware warrants sector-wide awareness.
- Financial institutions should review domain monitoring and implement enhanced verification procedures for external communications.
Government Facilities
DHS Partial Shutdown
- The Department of Homeland Security remains in partial shutdown after a funding bill failed in the Senate, per Homeland Security Today.
- Assessment: Extended shutdown could impact CISA coordination activities, information sharing programs, and critical infrastructure protection initiatives. Private sector organizations should maintain heightened vigilance and leverage sector-specific ISACs for threat intelligence.
Vulnerability & Mitigation Updates
Critical Vulnerabilities Requiring Immediate Attention
| Product | Severity | Impact | Action Required |
|---|---|---|---|
| SolarWinds Serv-U | CRITICAL | Remote code execution with root access | Patch immediately; four critical vulnerabilities disclosed |
| VMware Aria Operations | HIGH | Command injection, potential RCE | Apply Broadcom patches; review access controls |
| TeamT5 ThreatSonar Anti-Ransomware | HIGH (KEV) | Likely exploited by Chinese APTs | Added to CISA KEV; patch per vendor guidance |
| Schneider Electric EcoStruxure Building Operation | HIGH | Building automation compromise | Review CISA ICS Advisory ICSA-26-055-02 |
| InSAT MasterSCADA BUK-TS | HIGH | SCADA system compromise | Review CISA ICS Advisory ICSA-26-055-01 |
| Fortinet Firewalls | VARIES | Mass exploitation via AI-assisted attacks | Verify all patches applied; harden configurations |
CISA ICS Advisories (February 24, 2026)
- ICSA-26-055-01: InSAT MasterSCADA BUK-TS – Multiple vulnerabilities enabling system compromise
- ICSA-26-055-02: Schneider Electric EcoStruxure Building Operation Workstation – Vulnerability disclosure
- ICSA-26-055-03: Gardyn Home Kit – Consumer IoT vulnerabilities (lower priority for CI operators)
Supply Chain Attack Mitigation
Sandworm_Mode NPM Attack
- A sophisticated supply chain attack targeting NPM packages demonstrates worm-like propagation, CI/CD pipeline targeting, AI coding assistant poisoning, and includes a destructive dead switch, per SecurityWeek and CSO Online.
- Recommended Mitigations:
  - Implement software composition analysis (SCA) in CI/CD pipelines
  - Review and restrict AI coding assistant permissions
  - Monitor for unexpected package dependencies (new transitive packages, changed registry URLs, missing lockfile integrity hashes)
  - Verify package integrity against the lockfile and install with lifecycle scripts disabled (for example `npm ci --ignore-scripts`) unless a package's install script has been reviewed
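The dependency-monitoring and integrity items above can be checked mechanically in CI. The following Python example is added here and is not code from the briefing, from the cited reporting or from npm; it audits a `package-lock.json` (lockfile version 3) for packages outside a reviewed set, tarballs resolved from a non-registry host, entries without an `integrity` hash, and packages that declare install scripts (npm records these as `hasInstallScript`). The lockfile excerpt, package names, URLs and hashes are invented for the example.

```python
import json
from urllib.parse import urlparse

# Constructed package-lock.json (lockfileVersion 3) excerpt. Package names,
# versions, URLs and the placeholder integrity hashes are invented.
SAMPLE_LOCK = json.loads("""
{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app",
         "dependencies": {"left-padder": "^1.0.0", "colorz": "^2.1.0"}},
    "node_modules/left-padder": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/left-padder/-/left-padder-1.0.3.tgz",
      "integrity": "sha512-PLACEHOLDERHASHFORLEFTPADDER000000000000000000000000000000000000000000000000000000=="
    },
    "node_modules/colorz": {
      "version": "2.1.1",
      "resolved": "https://registry.npmjs.org/colorz/-/colorz-2.1.1.tgz",
      "integrity": "sha512-PLACEHOLDERHASHFORCOLORZ00000000000000000000000000000000000000000000000000000000000==",
      "hasInstallScript": true,
      "dependencies": {"buildhelper": "^0.0.9"}
    },
    "node_modules/colorz/node_modules/buildhelper": {
      "version": "0.0.9",
      "resolved": "https://cdn.example-mirror.net/buildhelper-0.0.9.tgz"
    }
  }
}
""")

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}


def package_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (handles nested and scoped)."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock, approved, trusted_hosts=TRUSTED_REGISTRY_HOSTS):
    """Return (package, finding) pairs for anything to review before running npm ci."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = package_name(path)
        if name not in approved:
            findings.append((name, "not in the reviewed dependency set"))
        resolved = meta.get("resolved")
        if not resolved:
            findings.append((name, "no resolved URL recorded"))
        elif urlparse(resolved).hostname not in trusted_hosts:
            findings.append((name, "resolved from untrusted host %s"
                             % urlparse(resolved).hostname))
        if "integrity" not in meta:
            findings.append((name, "no integrity hash: npm ci cannot verify the tarball"))
        if meta.get("hasInstallScript"):
            findings.append((name, "declares a lifecycle script; install with "
                                   "--ignore-scripts until it has been reviewed"))
    return findings


def findings_for(findings, name):
    """Messages for one package from an audit_lockfile result."""
    return [msg for pkg, msg in findings if pkg == name]


if __name__ == "__main__":
    for pkg, msg in audit_lockfile(SAMPLE_LOCK, approved={"left-padder", "colorz"}):
        print("%-12s %s" % (pkg, msg))
```

Wire it to fail the pipeline when the returned list is non-empty and review the findings as part of the dependency-update PR; a new transitive package pulled from an unexpected host with no integrity hash is exactly the pattern a worm-style NPM compromise produces.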
GitHub Copilot Vulnerability
- A vulnerability dubbed "RoguePilot" allows attackers to inject malicious instructions via GitHub Issues that are automatically processed by Copilot when launching Codespaces, potentially leading to repository takeover and GITHUB_TOKEN leakage, per SecurityWeek and The Hacker News.
- Recommended Mitigations:
  - Review Copilot permissions and access controls
  - Implement code review requirements for AI-generated code
  - Monitor for suspicious repository activity
Emerging Threat Vectors
Fake Zoom Meeting Surveillance Campaign
- Malwarebytes reports a campaign using fake Zoom meeting invitations to silently install surveillance software, per CSO Online.
- Organizations should alert users to verify meeting invitations and download software only from official sources.
1Campaign Malvertising Service
- A new cybercrime service called "1Campaign" enables threat actors to run malicious Google Ads that evade security researcher detection for extended periods, per Bleeping Computer.
Resilience & Continuity Planning
Lessons Learned: Attack Speed Implications
This week's reporting on dramatically reduced attacker breakout times (29 minutes on average, and as fast as four minutes in AI-assisted attacks) has significant implications for incident response planning:
- Detection Windows Are Shrinking: Traditional detection and response timelines measured in hours or days are no longer viable. Organizations must invest in automated detection and response capabilities.
- Containment Must Be Automated: Pre-authorized automated containment actions (network isolation, account suspension, system quarantine) should be implemented for high-confidence detections, with explicit carve-outs for clinical and other life-safety systems that route to a human decision instead of automatic isolation.
- Tabletop Exercises Need Updating: Incident response exercises should incorporate realistic timelines reflecting current threat actor capabilities.
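To make the breakout-time and pre-authorized-containment points concrete, the following Python example is added here (it is not from the briefing or from CrowdStrike or ReliaQuest). It measures breakout time from a constructed sequence of EDR-style events and maps each high-confidence detection to a pre-authorized action by asset tier, with life-safety systems routed to an on-call page rather than automatic isolation. The hostnames, user, timestamps, confidence scores and tier table are all invented for the example.

```python
from datetime import datetime, timedelta

# Breakout figure reported this week, used here as the response-time budget.
BREAKOUT_BUDGET = timedelta(minutes=29)
MIN_CONFIDENCE = 0.9  # detections below this only alert; they never auto-contain

# Pre-authorized action per asset tier. Life-safety (clinical) systems are never
# auto-isolated: paging the on-call engineer is the only automated step.
AUTO_ACTION = {
    "workstation": "isolate_host",
    "server": "isolate_host",
    "life_safety": "page_oncall",
}

# Constructed asset inventory and events for one intrusion (invented data).
ASSET_TIER = {"ws-fin-07": "workstation", "fs-hr-02": "server", "mon-icu-01": "life_safety"}
EVENTS = [
    {"ts": "2026-02-24T09:00:00Z", "type": "initial_access", "host": "ws-fin-07",
     "user": "a.smith", "confidence": 0.95},
    {"ts": "2026-02-24T09:03:40Z", "type": "lateral_movement", "host": "ws-fin-07",
     "dst_host": "mon-icu-01", "user": "a.smith", "confidence": 0.93},
    {"ts": "2026-02-24T09:05:10Z", "type": "lateral_movement", "host": "ws-fin-07",
     "dst_host": "fs-hr-02", "user": "a.smith", "confidence": 0.6},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def breakout_time(events):
    """Seconds from the first initial-access event to the first lateral move, or None."""
    first_access = min((parse_ts(e["ts"]) for e in events
                        if e["type"] == "initial_access"), default=None)
    first_lateral = min((parse_ts(e["ts"]) for e in events
                         if e["type"] == "lateral_movement"), default=None)
    if first_access is None or first_lateral is None:
        return None
    return (first_lateral - first_access).total_seconds()


def within_budget(events):
    """True when the attacker moved laterally faster than the response budget."""
    seconds = breakout_time(events)
    return seconds is not None and timedelta(seconds=seconds) < BREAKOUT_BUDGET


def plan_containment(events, tiers):
    """Map detections to pre-authorized actions; returns {target: action}."""
    plan = {}
    for e in events:
        targets = [("host", e["host"]), ("user", e["user"])]
        if e["type"] == "lateral_movement":
            targets.append(("host", e["dst_host"]))
        for kind, target in targets:
            if e["confidence"] < MIN_CONFIDENCE:
                plan.setdefault(target, "alert_only")  # low confidence: humans decide
                continue
            if kind == "user":
                action = "disable_account"
            else:
                # Unknown assets are treated like life-safety: page, don't isolate.
                action = AUTO_ACTION.get(tiers.get(target, "unknown"), "page_oncall")
            if plan.get(target) in (None, "alert_only"):
                plan[target] = action  # a real action replaces an alert-only entry
    return plan


if __name__ == "__main__":
    print("breakout seconds:", breakout_time(EVENTS), "faster than budget:", within_budget(EVENTS))
    for target, action in plan_containment(EVENTS, ASSET_TIER).items():
        print("%-12s -> %s" % (target, action))
```

In the constructed case the attacker reaches a clinical monitoring host 220 seconds after initial access, well inside the 29-minute budget, so only the actions already approved for each tier can keep up: the workstation is isolated and the account disabled automatically, the clinical host pages a human, and the low-confidence third hop is surfaced as an alert. The tier table and thresholds are the part an organization must agree on before an incident, which is what "pre-authorized" means.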
Supply Chain Security Developments
NIST Supply Chain Workshop
- NIST has announced a workshop on "Building the Strategic Supply Chain Network" scheduled for March 9, 2026, addressing vulnerabilities exposed by recent disruptions including pandemics, infrastructure failures, and changing trade policies.
- Registration details available at NIST.gov.
Cross-Sector Dependencies
AI Tool Dependencies: The GitHub Copilot and NPM supply chain attacks highlight growing dependencies on AI-assisted development tools. Organizations should:
- Inventory AI tools with access to code repositories and CI/CD systems
- Implement least-privilege access for AI assistants
- Establish code review requirements for AI-generated content
Public-Private Coordination
- The Center for Critical Infrastructure Security was awarded a Maryland Cyber & AI Clinic Grant, per Homeland Security Today. This initiative may provide resources for critical infrastructure organizations in the Maryland region.
- During the DHS partial shutdown, sector-specific ISACs remain operational and should serve as primary coordination points for threat intelligence sharing.
Regulatory & Policy Developments
Enforcement Actions
UK ICO Fines Reddit $19.5 Million
- The UK Information Commissioner's Office fined Reddit £14.47 million (over $19.5 million) for collecting and using personal information of children under 13 without adequate safeguards, per Bleeping Computer.
- Implication: Organizations operating platforms accessible to minors should review data collection practices and age verification mechanisms.
Zero-Day Broker Prosecution
- Former L3Harris executive Peter Williams was sentenced to 87 months in prison for selling zero-day exploits to a Russian broker. The U.S. Treasury simultaneously sanctioned the Russian zero-day brokerage, per CyberScoop.
- Implication: This case demonstrates increased enforcement focus on individuals facilitating offensive cyber capabilities to adversary nations.
Federal Developments
DHS Shutdown Impact
- The ongoing DHS partial shutdown may affect regulatory guidance, compliance assistance, and coordination activities. Organizations should:
  - Document any compliance activities that cannot be completed due to agency unavailability
  - Maintain records of good-faith compliance efforts
  - Monitor for resumption of normal operations
State Department IT Modernization
- The State Department announced winners of the EVOLVE IT acquisition contract, signaling continued federal investment in IT modernization, per Homeland Security Today.
CISO Governance Considerations
- CSO Online published analysis arguing it is "time to rethink CISO reporting lines," suggesting security leadership should have more direct access to boards and executive leadership given the current threat environment.
Training & Resource Spotlight
New Tools and Frameworks
Microsoft Copilot Data Controls
- Microsoft is expanding data loss prevention (DLP) controls to block Microsoft 365 Copilot from processing confidential Word, Excel, and PowerPoint documents across all storage locations, per Bleeping Computer.
- Organizations using Microsoft 365 Copilot should review and implement these new controls to prevent sensitive data exposure through AI assistants.
Anthropic Claude Code Security
- Anthropic's Claude Code Security rollout is described as an "industry wakeup call" for AI security practices, per CSO Online.
- Organizations deploying AI coding assistants should review security configurations and access controls.
Best Practices Highlighted
Business Email Compromise Prevention
- CSO Online published a series on BEC including:
  - What does business email compromise look like?
  - How to prevent business email compromise
  - Red flags and warning signs to identify BEC attempts
- These resources are valuable for security awareness training programs.
Identity-First Security
- The Hacker News published analysis on identity prioritization as a "risk math problem," emphasizing the need to treat AI agents as identities requiring governance.
- Bleeping Computer featured Token Security guidance on why CISOs must add intent to identity-first AI security strategies.
Proactive Cyber Defense
- CSO Online published guidance on transitioning from reactive to proactive cyber defense postures, relevant given current threat actor speed and sophistication.
Funding Opportunities
- Maryland Cyber & AI Clinic Grant: The Center for Critical Infrastructure Security received funding through this program. Similar state-level programs may be available in other jurisdictions.
Looking Ahead: Upcoming Events
Workshops and Conferences
| Date | Event | Focus Area |
|---|---|---|
| March 9, 2026 | NIST: Building the Strategic Supply Chain Network | Supply chain resilience, coordinated response to disruptions |
| March 19, 2026 | NIST: Technologies and Use Cases for Smart Standards | AI, blockchain, IoT standards development |
| March 31, 2026 | NIST: Cybersecurity for IoT Workshop – Future Directions | Emerging IoT trends, cybersecurity implications |
| June 25, 2026 | NIST: Iris Experts Group Annual Meeting | Biometric recognition for government applications |
Threat Periods Requiring Heightened Awareness
- DHS Shutdown Duration: Monitor for resolution; extended shutdown may create coordination gaps during potential incidents.
- Healthcare Sector: Given confirmed Lazarus Group ransomware targeting, healthcare organizations should maintain elevated defensive postures.
- AI-Assisted Attack Acceleration: The documented reduction in attacker breakout times suggests all sectors should anticipate faster-moving intrusions requiring automated response capabilities.
Anticipated Developments
- Recorded Future Russia Analysis: The newly released report on Russia's "New Generation Warfare" in Europe warrants review by organizations with European operations or dependencies.
- AI Security Standards: Anthropic's disclosure of model distillation attacks and security rollouts may drive industry-wide AI security standard development.
- Supply Chain Regulations: NIST's March workshops may preview upcoming guidance on supply chain security requirements.
This intelligence briefing is derived from open-source reporting and is intended to support critical infrastructure protection decision-making. Recipients are encouraged to verify information through primary sources and sector-specific ISACs. For time-sensitive threat information, contact your sector ISAC or CISA.
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.