US-Israel Strikes on Iran Spark Global Cyber Retaliation Fears; North Korean APT Targets Air-Gapped Systems; CISA Leadership Change Amid DHS Shutdown
1. EXECUTIVE SUMMARY
The critical infrastructure threat landscape has intensified significantly this week as military operations against Iran trigger concerns about retaliatory cyber campaigns targeting Western infrastructure. Concurrently, nation-state actors continue sophisticated operations against high-value targets, while organizational changes at CISA occur during an ongoing DHS partial shutdown.
Major Developments
- Iran Conflict Escalation: Following US-Israeli military strikes (Operation Epic Fury), security agencies worldwide are warning of imminent Iranian cyber retaliation targeting critical infrastructure, with Google's Threat Intelligence head predicting "aggressive" attacks against US and Gulf allies.
- Nation-State Activity Surge: North Korean APT groups have launched campaigns targeting air-gapped systems using novel malware delivery techniques, while APT28 (Russia) has been linked to exploitation of a Microsoft MSHTML zero-day (CVE-2026-21513) prior to patching.
- CISA Leadership Transition: Nick Andersen has been appointed Acting Director of CISA as Madhu Gottumukkala moves to a new DHS role, occurring as the DHS partial shutdown enters its third week without Senate resolution.
- AI Security Concerns: Multiple vulnerabilities in AI systems were disclosed, including Chrome's Gemini Live assistant hijacking and OpenClaw AI agent takeover capabilities, highlighting emerging attack surfaces.
- Major Data Breach Confirmed: Madison Square Garden confirmed a data breach stemming from the 2025 Oracle E-Business Suite hacking campaign, underscoring ongoing supply chain security concerns.
2. THREAT LANDSCAPE
Nation-State Threat Actor Activities
Iranian Threat Actors – ELEVATED THREAT
Following Operation Epic Fury, multiple intelligence sources indicate Iranian threat actors are preparing retaliatory cyber operations. Google's Head of Threat Intelligence John Hultquist warns that Iran will likely deploy:
- Plausibly deniable ransomware attacks against critical infrastructure
- Hacktivist-style campaigns for disruption and propaganda
- Wiper malware targeting US and Gulf state organizations
- DDoS attacks against financial and government services
The UK's National Cyber Security Centre (NCSC) has issued alerts to British organizations regarding heightened Iranian cyber attack risks. Water ISAC has released a TLP:AMBER+STRICT situation report on potential retaliation by Iranian threat actors specifically targeting water sector infrastructure.
North Korean APT Activity
A North Korean APT has been observed targeting air-gapped systems using Windows shortcut files to deploy:
- A new implant designed for isolated network environments
- Custom loader and propagation tools
- Two previously undocumented backdoors
Additionally, North Korean actors have published 26 malicious npm packages as part of the ongoing Contagious Interview campaign, using Pastebin for command-and-control communications to deliver cross-platform RAT malware.
Russian APT28 (Fancy Bear)
Akamai researchers have linked APT28 to exploitation of CVE-2026-21513, a Microsoft MSHTML zero-day vulnerability that was actively exploited before the February 2026 Patch Tuesday release. Organizations should verify patches are applied and conduct threat hunting for indicators of compromise.
Ransomware and Cybercriminal Developments
According to Chainalysis analysis, ransomware payments declined 8% overall in 2025, despite a 50% surge in attack volume. However, median payment sizes have increased significantly, indicating threat actors are becoming more selective in targeting organizations with greater ability to pay.
Emerging Attack Vectors
AI-Powered Attack Tools
Researchers have identified CyberStrikeAI, an open-source AI security testing platform that has been adopted by threat actors for AI-powered attacks. The same threat actor behind recent Fortinet FortiGate breaches has been observed using this tool.
Silent Probing Technique
A new technique called "silent probing" uses AI to measure security team response patterns over time, building behavioral profiles that make follow-on attacks harder to detect and easier to time. Security teams should vary response procedures and implement deception technologies.
Deepfake and Injection Attacks
Identity verification systems are increasingly targeted by deepfakes and injection attacks during onboarding and account recovery processes. Organizations should implement full session validation including media and device integrity checks.
Physical Security Threats
The ongoing Middle East conflict has triggered regional disruptions affecting supply chains and physical security postures. Companies are reassessing security measures as Iran responds with a layered military, cyber, and proxy strategy while managing escalation constraints.
3. SECTOR-SPECIFIC ANALYSIS
Energy Sector
Threat Level: ELEVATED
Energy infrastructure faces heightened risk from Iranian retaliation. Historical Iranian targeting of energy systems (including the 2012 Saudi Aramco attack) suggests this sector remains a priority target. Operators should:
- Review and test incident response procedures
- Increase monitoring of OT/ICS networks for anomalous activity
- Verify segmentation between IT and OT environments
- Coordinate with sector ISACs for threat intelligence updates
Water & Wastewater Systems
Threat Level: ELEVATED
Water ISAC has issued a TLP:AMBER+STRICT situation report specifically addressing potential Iranian threat actor retaliation against water sector infrastructure. Given documented Iranian interest in water systems (including the 2020 Israeli water facility targeting), utilities should:
- Implement enhanced monitoring of remote access systems
- Review and restrict HMI access permissions
- Ensure manual override capabilities are tested and documented
- Contact Water ISAC for the full situation report if not yet received
Communications & Information Technology
Key Developments:
- AWS has expanded Security Hub into a cross-domain security platform, correlating findings across multiple security domains to reduce tool sprawl
- Google is developing Merkle Tree Certificates (MTCs) for quantum-resistant HTTPS in Chrome, preparing for post-quantum cryptographic threats
- Anthropic's Claude AI experienced a major worldwide outage, highlighting dependencies on AI services
Transportation Systems
Threat Level: MODERATE-ELEVATED
Regional disruptions from Middle East conflict are affecting global supply chains and transportation logistics. Organizations should:
- Monitor for disruptions to shipping routes, particularly through the Strait of Hormuz
- Review contingency plans for supply chain disruptions
- Assess cybersecurity posture of transportation management systems
Healthcare & Public Health
Threat Level: ELEVATED
Healthcare organizations remain high-value ransomware targets. The increase in median ransomware payment sizes suggests threat actors are specifically targeting organizations with critical operational needs and resources to pay. Healthcare entities should:
- Ensure offline backups of critical systems and patient data
- Test business continuity procedures for extended system outages
- Review third-party vendor security, particularly for Oracle E-Business Suite users given the ongoing campaign
Financial Services
Threat Level: ELEVATED
Financial institutions face dual threats from Iranian retaliation (historically targeting banking systems with DDoS) and ongoing credential theft campaigns. A phishing campaign using fake Google security pages is deploying web-based apps capable of stealing MFA codes and cryptocurrency wallet addresses.
Government Facilities
Key Development:
The DHS partial shutdown continues into its third week as the Senate adjourned without action on funding. This creates operational challenges for federal cybersecurity coordination during a period of elevated threat activity. A new vulnerability monitoring service has been deployed to help secure public-sector websites more rapidly.
4. VULNERABILITY & MITIGATION UPDATES
Critical Vulnerabilities Requiring Immediate Attention
| CVE/Vulnerability | Affected System | Severity | Status |
|---|---|---|---|
| CVE-2026-21513 | Microsoft MSHTML | Critical | Patched Feb 2026; APT28 exploitation confirmed pre-patch |
| Qualcomm Zero-Day | Android Devices | Critical | Actively exploited; patched in March Android update |
| Chrome Gemini Live Flaw | Google Chrome | High | Patched; allowed extension privilege escalation |
| ClawJacked (OpenClaw) | OpenClaw AI Gateway | High | Disclosed; patch status pending |
Notable Patches and Updates
Google Android Security Update (March 2026)
Google has released patches for 129 Android vulnerabilities, the highest number patched in a single month since April 2018. This includes an actively exploited Qualcomm zero-day. Organizations managing Android device fleets should prioritize deployment.
Microsoft February 2026 Patch Tuesday
The CVE-2026-21513 MSHTML vulnerability patched in February was exploited by APT28 prior to patch release. Organizations should:
- Verify patch deployment across all Windows systems
- Conduct threat hunting for indicators of compromise
- Review logs for suspicious MSHTML-related activity
AI System Vulnerabilities
Chrome Gemini Live Vulnerability
A vulnerability in Chrome's Gemini Live AI assistant allowed malicious extensions to hijack the feature, spy on users, and steal files. The flaw has been patched, but organizations should:
- Review and audit installed Chrome extensions
- Implement extension allowlisting policies
- Update Chrome to the latest version
OpenClaw AI Agent Vulnerability (ClawJacked)
Oasis Security disclosed the ClawJacked vulnerability affecting OpenClaw AI agents. Malicious websites could open WebSocket connections to localhost, brute-force passwords, and take control of AI agents. Organizations using OpenClaw should contact the vendor for mitigation guidance.
Recommended Defensive Measures
- Immediate: Verify all February 2026 Microsoft patches are deployed, particularly CVE-2026-21513
- Immediate: Update Android devices to March 2026 security patch level
- High Priority: Audit npm package dependencies for the 26 malicious packages identified in the Contagious Interview campaign
- High Priority: Review Chrome extension policies and update browsers
- Ongoing: Implement enhanced monitoring for Iranian threat actor TTPs
5. RESILIENCE & CONTINUITY PLANNING
Lessons from Recent Incidents
Oracle E-Business Suite Campaign Impact
The Madison Square Garden breach confirmation, stemming from the 2025 Oracle E-Business Suite hacking campaign, underscores the extended timeline of supply chain compromises. Organizations should:
- Conduct retrospective analysis of Oracle EBS environments
- Review vendor security assessments for enterprise software
- Implement enhanced monitoring for lateral movement from compromised applications
AI Service Dependencies
The Anthropic Claude worldwide outage highlights growing organizational dependencies on AI services. Business continuity plans should address:
- Fallback procedures when AI-assisted tools are unavailable
- Documentation of AI service dependencies across operations
- Alternative providers or manual processes for critical functions
Supply Chain Security Developments
NIST has announced a workshop on "Building the Strategic Supply Chain Network" (March 9, 2026) addressing vulnerabilities exposed by recent disruptions including pandemics, infrastructure failures, and changing trade policies. This event will focus on coordinated approaches to supply chain resilience.
Cross-Sector Dependencies
The current geopolitical situation highlights cascading risks:
- Energy → All Sectors: Potential disruptions to oil/gas supplies from Middle East conflict
- IT → All Sectors: AI service outages affecting operations across industries
- Government → All Sectors: DHS shutdown impacting federal cybersecurity coordination during elevated threat period
Workforce Resilience
CSO Online provides guidance on building resilient security workforces, emphasizing the importance of cross-training, documentation, and succession planning during periods of elevated threat activity.
6. REGULATORY & POLICY DEVELOPMENTS
Federal Developments
CISA Leadership Transition
Nick Andersen has been appointed Acting Director of CISA as Madhu Gottumukkala transitions to a new role within DHS. This leadership change occurs during a critical period with elevated nation-state threats and ongoing DHS funding challenges.
DHS Partial Shutdown
The DHS partial shutdown continues into its third week after the Senate adjourned without action on funding. Critical infrastructure stakeholders should be aware of potential delays in federal coordination and support during this period.
FBI Winter SHIELD Initiative
FBI Cyber Division is running the Winter SHIELD campaign, the bureau's most public cyber initiative to date. The program focuses on:
- Basic security hygiene promotion
- Accelerated threat intelligence sharing
- Preparation for stepped-up Chinese cyber threats
International Developments
UK NCSC Alert
The UK's National Cyber Security Centre has issued formal alerts to British organizations regarding heightened Iranian cyber attack risks. This represents coordinated allied messaging on the threat environment.
Emerging Technology Standards
NIST has scheduled a workshop on "Technologies and Use Cases for Smart Standards" (March 19, 2026) addressing the need for standards that can keep pace with AI, blockchain, and IoT deployment.
7. TRAINING & RESOURCE SPOTLIGHT
Upcoming Training Opportunities
NIST Supply Chain Workshop – March 9, 2026
"Building the Strategic Supply Chain Network" will address critical vulnerabilities in US supply chains and coordinated response strategies.
NIST Smart Standards Workshop – March 19, 2026
"Technologies and Use Cases for Smart Standards" will cover emerging technology standards for AI, blockchain, and IoT.
NIST IoT Cybersecurity Workshop – March 31, 2026
"Cybersecurity for IoT Workshop: Future Directions" will discuss emerging trends and implications for IoT cybersecurity as systems become more sophisticated and automated.
Security Frameworks and Resources
Secure-by-Design Framework
CSO Online has published a CISO framework for achieving business outcomes through secure-by-design principles, balancing innovation with exposure management.
Cyber and Risk Culture Scorecard
A new scorecard methodology for assessing organizational cyber and risk culture has been released, providing metrics for measuring security awareness and behavior.
SaaS Bot Protection
Guidance on protecting SaaS applications from bot attacks using Web Application Firewalls has been published, addressing the growing challenge of automated attacks against cloud services.
Tools and Best Practices
- Recruitment Fraud Prevention: Security Magazine guidance on addressing recruitment fraud at the intersection of brand, identity, and enterprise security
- LLM Deanonymization Awareness: Research indicates LLMs can effectively deanonymize users, with implications for privacy and security operations
8. LOOKING AHEAD: UPCOMING EVENTS
Key Dates and Events
| Date | Event | Relevance |
|---|---|---|
| March 9, 2026 | NIST Supply Chain Network Workshop | Supply chain resilience strategies |
| March 19, 2026 | NIST Smart Standards Workshop | AI, blockchain, IoT standards development |
| March 31, 2026 | NIST IoT Cybersecurity Workshop | Future IoT security directions |
| June 25, 2026 | NIST Iris Experts Group Annual Meeting | Biometric security for government agencies |
Threat Periods Requiring Heightened Awareness
Immediate – Iranian Retaliation Window
The period following Operation Epic Fury represents elevated risk for Iranian cyber retaliation. Historical patterns suggest attacks may occur within days to weeks of kinetic operations. Organizations should maintain heightened monitoring postures.
Ongoing – DHS Shutdown Impact
Until DHS funding is resolved, federal cybersecurity coordination may be impacted. Organizations should ensure direct communication channels with sector ISACs and state/local partners.
Anticipated Developments
- Android Patch Deployment: Organizations should plan for March 2026 Android security update deployment given the 129 vulnerabilities addressed
- Quantum-Safe Certificate Evolution: Google's Merkle Tree Certificate development signals coming changes to HTTPS certificate infrastructure
- AI Security Standards: Expect continued vulnerability disclosures in AI systems as security researchers focus on this emerging attack surface
Seasonal Considerations
Spring 2026 brings typical increases in:
- Phishing campaigns leveraging tax season themes
- Ransomware activity as threat actors target organizations before fiscal year-end
- Supply chain attacks targeting software update cycles
This intelligence briefing is based on open-source reporting and analysis current as of March 3, 2026. Organizations should verify information through official channels and adapt recommendations to their specific operational environments. For sector-specific threat intelligence, contact your relevant Information Sharing and Analysis Center (ISAC).
This briefing is generated using AI analysis of public news sources. Always verify critical information through authoritative sources before taking action.