In-depth daily coverage of state-sponsored cyber operations, critical infrastructure attacks, space militarization, and emerging technology threats.
On Thursday, March 26, Day 27 of Operation Epic Fury, CISA added CVE-2026-33634, the supply-chain compromise embedded in Aqua Security's Trivy vulnerability scanner, to its Known Exploited Vulnerabilities Catalog and released three Industrial Control System advisories, including a CVSS 10.0 critical flaw in WAGO industrial managed switches. Stryker Corporation reported that manufacturing operations were "mostly restored" following the March 11 Handala wiper attack, while Resecurity published new intelligence on the pro-Iranian group NasirSecurity conducting supply-chain attacks against Gulf energy infrastructure contractors. The pro-Ukraine hacktivist group Bearlyfy escalated its campaign against Russian companies by deploying a custom Windows ransomware strain called GenieLocker. Law enforcement advanced two significant cybercrime cases: an Armenian national linked to the RedLine infostealer was extradited to the United States, and Russian authorities arrested the suspected administrator of the LeakBase cybercrime marketplace. At least 12 new organizations appeared on ransomware leak sites across six operations. The Pentagon successfully tested its Dark Eagle Long Range Hypersonic Weapon from Cape Canaveral Space Force Station. Lt. Gen. Douglas Schiess told Congress that the grounding of ULA's Vulcan Centaur rocket threatens multiple national security satellite missions. CNBC published comprehensive documentation of GPS interference in the Persian Gulf since February 28, including 1,735 interference events affecting 655 vessels. The U.S. Army announced acceleration of AI-enabled targeting while troops are engaged in active combat, citing Operation Ivy Sting results at Fort Carson. Researchers confirmed that Volt Typhoon and Salt Typhoon remain active, and Norway disclosed it was a Salt Typhoon victim. RSAC 2026 concluded its final day at Moscone Center without participation by CISA, the FBI, or NSA.
CISA added CVE-2026-33634 to its Known Exploited Vulnerabilities Catalog on March 26, formally acknowledging that the supply-chain compromise embedded in Aqua Security's Trivy container-scanning tool (versions 0.45.0 through 0.48.2) is under active exploitation. The flaw, classified as CWE-506 (embedded malicious code) with a CVSS score of 9.4, allows attackers to steal tokens, SSH keys, cloud credentials, and database secrets from any CI/CD pipeline in which a compromised Trivy build runs; because the scanner itself is the exfiltration channel, any secret reachable from such a pipeline should be treated as exposed and rotated, not merely the scanner upgraded. Federal agencies under Binding Operational Directive 22-01 face a remediation deadline of April 9. The addition formalized what had been widely known since TeamPCP's CanisterWorm campaign began spreading through the compromised scanner on or around March 19. By March 26, the campaign had spread through 141 or more malicious npm packages, using an Internet Computer Protocol blockchain canister as command-and-control infrastructure, a design that resists conventional domain seizure. Systems matching Iran's Asia/Tehran timezone or Farsi locale are wiped; all others receive a persistent backdoor.
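The first question a CI owner has to answer here is which runners ever executed a build in the affected range. The script below is an added example written for this page, not code from Aqua Security, CISA, or the Trivy project. It assumes you have already collected `trivy --version` output (whose first line reads `Version: X.Y.Z`) from each runner out of band; the inventory and runner names are constructed, and the affected range is the 0.45.0 through 0.48.2 window stated above.

```python
"""Flag CI runners whose Trivy build falls inside the affected version range.

Added example for this page; not Trivy or CISA code. The inventory below is
constructed, and the version range mirrors the advisory summary above.
"""
import re

# Inclusive bounds of the affected range, as stated in the advisory summary.
AFFECTED_MIN = (0, 45, 0)
AFFECTED_MAX = (0, 48, 2)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str):
    """Extract (major, minor, patch) from a bare version or `trivy --version` output.

    Returns None when no MAJOR.MINOR.PATCH triple is present.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_affected(version_text: str) -> bool:
    """True when the version lies in [AFFECTED_MIN, AFFECTED_MAX] inclusive.

    Tuple comparison handles two-digit patch levels correctly, so 0.48.10
    is (rightly) outside a range that ends at 0.48.2.
    """
    v = parse_version(version_text)
    if v is None:
        raise ValueError(f"unparseable Trivy version: {version_text!r}")
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def audit(inventory):
    """Return the sorted names of runners that need secret rotation and an upgrade.

    `inventory` is an iterable of (runner_name, version_text) pairs.
    """
    return sorted(name for name, text in inventory if is_affected(text))


# Constructed sample inventory: runner name -> first line of `trivy --version`.
SAMPLE_INVENTORY = [
    ("build-01", "Version: 0.44.1"),
    ("build-02", "Version: 0.45.0"),   # lower bound, affected
    ("build-03", "Version: 0.48.2"),   # upper bound, affected
    ("build-04", "v0.48.3"),           # first clean release after the range
    ("build-05", "Version: 0.50.0"),
]

if __name__ == "__main__":
    for runner in audit(SAMPLE_INVENTORY):
        print(f"{runner}: affected Trivy build; rotate every secret this pipeline could read")
```

Run it against a real inventory and treat every flagged runner as a secret-exposure event, since the page's point is that the scanner itself exfiltrates whatever the pipeline can reach. Pinning the scanner by release checksum or image digest rather than by tag keeps a future tag substitution from reintroducing the problem.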
CISA separately released three Industrial Control System advisories on March 26. The highest-priority advisory was ICSA-26-085-01, covering WAGO GmbH and Co. KG industrial managed switches. A hidden command-line interface function in affected devices allows unauthenticated remote attackers to escape the restricted management shell and achieve full device compromise. CISA assigned this flaw a CVSS score of 10.0. Affected sectors include energy, critical manufacturing, and transportation across multiple countries. A second advisory covered PTC Windchill Product Lifecycle Management software, describing a code injection path enabling remote code execution against engineering document management systems. The Langflow AI workflow automation vulnerability CVE-2026-33017, added to the KEV Catalog on March 25, continued to dominate defender attention on March 26: BleepingComputer reported that attackers began exploitation approximately 20 hours after the advisory was published, having reverse-engineered the patch without access to a public proof-of-concept. Federal agencies face an April 8 deadline for that remediation.
KFGO and Reuters reported on March 26 that Stryker Corporation stated its manufacturing operations were "mostly restored" and "steadily improving toward full capacity" following the March 11 wiper attack attributed to Handala. The company's stock rose approximately 2 percent on the news. The attack, executed through compromised Microsoft Intune administrator accounts that issued mass remote-wipe commands to approximately 200,000 devices across offices in 79 countries, was the most destructive corporate cyberattack attributed to Iran-linked actors. The DOJ had previously seized four domains tied to Handala's psychological operations infrastructure, including the site used to claim credit for the Stryker attack.
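The Stryker mechanism, legitimate admin accounts issuing legitimate wipe commands at an illegitimate rate, is detectable by rate alone, since no helpdesk workflow wipes hundreds of devices a minute. The detector below is an added example written for this page, not Stryker's, Microsoft's, or any vendor's code. It assumes you have already exported device-management audit events to a flat tab-separated file with timestamp, actor, action, and device columns (a constructed schema; map it to your own export), and the sample lines are constructed.

```python
"""Sliding-window detector for mass remote-wipe activity by a single admin account.

Added example for this page; not Microsoft or Stryker code. The log format and
the sample events are constructed; adapt parse_events() to your real export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Action names counted as destructive. Assumed labels; match them to your schema.
WIPE_ACTIONS = {"wipe", "remoteWipe"}


def parse_events(lines):
    """Parse 'ISO8601<TAB>actor<TAB>action<TAB>device' lines, sorted by time."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        ts, actor, action, device = line.split("\t")
        events.append((datetime.fromisoformat(ts), actor, action, device))
    events.sort(key=lambda e: e[0])
    return events


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return {actor: peak_wipes_in_window} for actors reaching `threshold`.

    Keeps one deque of recent wipe timestamps per actor and drops entries
    older than `window` as time advances, so memory stays bounded by the
    burst size rather than the log size.
    """
    recent = defaultdict(deque)
    peak = {}
    for ts, actor, action, _device in events:
        if action not in WIPE_ACTIONS:
            continue
        q = recent[actor]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak[actor] = max(peak.get(actor, 0), len(q))
    return peak


# Constructed sample: one service account bursts six wipes in six seconds,
# one helpdesk user performs two ordinary wipes hours apart.
SAMPLE_AUDIT_LINES = ["\t".join(row) for row in [
    ("2026-03-11T02:14:03+00:00", "svc-intune-admin", "wipe", "LAPTOP-00117"),
    ("2026-03-11T02:14:05+00:00", "svc-intune-admin", "wipe", "LAPTOP-00118"),
    ("2026-03-11T02:14:05+00:00", "svc-intune-admin", "wipe", "LAPTOP-00119"),
    ("2026-03-11T02:14:06+00:00", "svc-intune-admin", "wipe", "LAPTOP-00120"),
    ("2026-03-11T02:14:08+00:00", "svc-intune-admin", "wipe", "LAPTOP-00121"),
    ("2026-03-11T02:14:09+00:00", "svc-intune-admin", "wipe", "LAPTOP-00122"),
    ("2026-03-11T09:30:00+00:00", "alice.helpdesk", "wipe", "LAPTOP-00045"),
    ("2026-03-11T09:31:00+00:00", "alice.helpdesk", "retire", "LAPTOP-00046"),
    ("2026-03-11T16:02:00+00:00", "alice.helpdesk", "wipe", "LAPTOP-00051"),
]]

if __name__ == "__main__":
    for actor, count in detect_mass_wipe(parse_events(SAMPLE_AUDIT_LINES)).items():
        print(f"ALERT {actor}: {count} wipe commands inside a 10-minute window")
```

Tune `threshold` and `window` to your own baseline of legitimate wipe volume; the point is that a detection on command rate fires before the fleet is gone, whereas a detection on the wipe itself fires after. Pair it with a preventive control (privileged roles that must be activated just in time rather than standing) so the account that trips the alert cannot also finish the job.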
Separately, Resecurity published intelligence on March 26 documenting that NasirSecurity, a pro-Iranian hacktivist group, had been conducting supply-chain attacks against energy sector contractors operating in the UAE, Oman, Iraq, and Saudi Arabia. The group claimed breaches of Dubai Petroleum, CC Energy Development, and Al-Safi Oil Company, though Dark Reading cautioned that the group "vastly overstated its achievements," with confirmed access limited to third-party contractors rather than the major firms claimed. Stolen materials included engineering documents and schematics from energy infrastructure contractors. NasirSecurity also posted UAE Customs as a ransomware leak site victim on March 26. Palo Alto Networks Unit 42 updated its Iran threat brief at 2:00 PM Pacific time on March 26, adding data on 7,381 conflict-themed phishing URLs spanning 1,881 unique hostnames, with threat actors impersonating telecommunications providers and national airlines for credential harvesting. Iran's near-total internet blackout, which had reduced civilian connectivity to between 1 and 4 percent, entered its 27th consecutive day. Former White House CIO Teresa Payton warned on March 26 that Iran may escalate to targeting communication satellites as the five-day pause in hostilities was expected to end.
The Record reported on March 26 that the pro-Ukraine hacktivist group Bearlyfy had deployed a custom-built Windows ransomware strain called GenieLocker since early March, escalating from its prior use of modified LockBit 3 Black and Babuk tooling. The group has conducted over 70 cyberattacks against Russian companies over the past year. GenieLocker is purpose-built ransomware with no reliance on publicly available source code. Russian cybersecurity firm F6 estimated that approximately one in five Russian victims of Bearlyfy attacks pays the ransom demanded, with ransom amounts scaling from thousands to hundreds of thousands of dollars depending on target size. Bearlyfy collaborates with other pro-Ukrainian hacktivist collectives including Head Mare. The transition from modified commodity ransomware to custom-built tooling marks a significant capability maturation for a group that began as a low-sophistication hacktivist operation in 2024.
The Record reported on March 26 that Armenian national Hambardzum Minasyan appeared in federal court in Austin, Texas following extradition on charges of being a lead developer of RedLine, a credential-stealing infostealer that has been deployed in attacks across more than 150 countries since March 2020. Minasyan faces up to 30 years on charges including conspiracy to commit access device fraud, Computer Fraud and Abuse Act violations, and money laundering. The case stems from the October 2024 joint DOJ, Dutch, and Belgian takedown of RedLine infrastructure.
Separately, The Record reported on March 26 that Russian law enforcement detained the suspected administrator of LeakBase in the city of Taganrog, in southern Russia. LeakBase was a cybercrime marketplace with over 147,000 registered users that hosted hundreds of millions of stolen credentials, credit card numbers, and personal records. The arrest followed Operation Leak, an international crackdown by the FBI and European law enforcement that had already taken down the site itself and involved over 100 enforcement actions against 45 individuals across 12 or more countries in early March. Russian domestic action against cybercriminals is rare during the current geopolitical period, and the arrest was assessed as a notable departure from the tolerance extended to cybercriminals who avoid targeting Russian entities. In a separate sentencing covered by The Record on March 26, Ilya Angelov, a 40-year-old Russian national, received 81 months in federal prison and a $100,000 fine for co-managing the TA551/Shathak botnet, which distributed BitPaymer ransomware against 72 U.S. companies causing over $9 million in damages.
BreachSense documented at least 12 new victim claims posted to ransomware leak sites on March 26 across six distinct operations. Medusa claimed Cape May County, New Jersey (a county government serving approximately 95,000 residents), Lorain County Community College in Ohio, and a third entity, LiveCH. NightSpire claimed three victims: Anbogen, Eastex Labs, and HLF Goslar in Germany. INC Ransom claimed Glenmark Pharmaceuticals and Pulpdent, a dental product manufacturer. Qilin claimed LP Kolding in Denmark and Noi Hotels. ALP-001 claimed Esprinet, a major European IT and electronics distributor. NasirSecurity claimed UAE Customs. The government targets, Cape May County and UAE Customs, are notable given the geopolitical environment. The healthcare and pharma targets, Glenmark Pharmaceuticals and Pulpdent, continue INC Ransom's documented pattern of targeting medical organizations. No ransom amounts were disclosed in any of the postings.
The Pentagon successfully tested the Dark Eagle Long Range Hypersonic Weapon from Cape Canaveral Space Force Station on March 26, according to Space Coast Daily. The Dark Eagle system pairs a common hypersonic glide body with a road-mobile launcher, giving the Army a strike capability against time-sensitive targets at ranges exceeding 1,700 miles at speeds above Mach 5. The test comes amid active U.S. military operations against Iran, where hypersonic strike capability represents a distinct asymmetric advantage over conventional ballistic weapons.
In congressional testimony on March 26, Lt. Gen. Douglas Schiess, Space Force deputy chief of operations, told the House Armed Services Committee that the grounding of United Launch Alliance's Vulcan Centaur rocket, imposed after a Northrop Grumman GEM 63XL solid rocket motor anomaly on February 12, could delay or require reassignment of several national security launches. Missions at risk include WGS-11 (Wideband Global SATCOM), the first Next-Generation OPIR GEO missile warning satellite (already delayed from September 2025), and the SILENTBARKER space domain awareness satellite developed jointly by the Space Force and the National Reconnaissance Office. The GPS III SV-10 satellite had already been shifted from Vulcan to a SpaceX Falcon 9 on March 20. In orbital activity on March 26, SpaceX launched Starlink 17-17 from Vandenberg Space Force Base at 4:03 PM Pacific time, deploying 25 Starlink V2 Mini Optimized satellites, the 20th liftoff from Vandenberg in 2026. A Chinese Long March 2C rocket deployed an undisclosed payload from Jiuquan Satellite Launch Center at 22:50 UTC.
CNBC published a comprehensive report on March 26 documenting the scale of GPS interference across the Persian Gulf since Operation Epic Fury began on February 28. Within 24 hours of the conflict's start, maritime analytics firm Windward logged over 1,100 vessels experiencing AIS interference. By mid-March, Lloyd's List Intelligence had documented 1,735 GPS interference events affecting 655 distinct vessels. Affected ships appeared in navigation systems to jump to positions at airports, at a nuclear power plant, and on Iranian land, signatures consistent with GPS spoofing designed to confuse drone and missile guidance systems. The GPS Innovation Alliance called on the White House to prioritize deployment of next-generation GPS satellites incorporating anti-jamming and anti-spoofing technology. The Space Force's 4th Electromagnetic Warfare Squadron at Peterson Space Force Base operates the Counter Communications System used for jamming and spoofing adversary satellite communications, a capability assessed as actively supporting current operations.
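The "teleporting" signature CNBC describes is easy to test for in AIS data: a hull that reports a position it could not physically have reached since its previous fix is being fed (or is broadcasting) a spoofed location. The detector below is an added example written for this page, not Windward's or Lloyd's List Intelligence's method. It assumes AIS position reports reduced to (MMSI, ISO timestamp, latitude, longitude) tuples; the vessel identifiers and coordinates are constructed, and the 60-knot ceiling is an assumption (no merchant hull sustains it, so any faster implied speed is a spoof or a decoding error).

```python
"""Flag AIS position jumps whose implied speed is physically impossible.

Added example for this page, not Windward or Lloyd's List code. The fixes
below are constructed; the speed ceiling is an assumed sanity threshold.
"""
import math
from datetime import datetime

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance in nautical miles between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def flag_teleports(fixes, max_speed_kn=60.0):
    """Return [(mmsi, iso_ts, implied_knots)] for fixes that imply > max_speed_kn.

    `fixes` is an iterable of (mmsi, iso_timestamp, lat, lon). Each vessel's
    track is sorted by time and every consecutive pair is checked, so a
    single spoofed fix produces an alert at the fix where the jump appears.
    """
    tracks = {}
    for mmsi, ts, lat, lon in fixes:
        tracks.setdefault(mmsi, []).append((datetime.fromisoformat(ts), lat, lon))
    alerts = []
    for mmsi, track in tracks.items():
        track.sort()
        for (t0, la0, lo0), (t1, la1, lo1) in zip(track, track[1:]):
            hours = (t1 - t0).total_seconds() / 3600.0
            if hours <= 0:
                continue  # duplicate timestamp: no speed can be inferred
            knots = haversine_nm(la0, lo0, la1, lo1) / hours
            if knots > max_speed_kn:
                alerts.append((mmsi, t1.isoformat(), round(knots, 1)))
    return alerts


# Constructed sample: vessel 211000001 steams normally for ten minutes, then
# its next fix lands hundreds of miles inland; vessel 211000002 is a control.
SAMPLE_FIXES = [
    ("211000001", "2026-03-10T10:00:00+00:00", 26.00, 56.00),
    ("211000001", "2026-03-10T10:10:00+00:00", 26.05, 56.05),  # ~4 nm, ~24 kn
    ("211000001", "2026-03-10T10:20:00+00:00", 35.70, 51.40),  # inland jump
    ("211000002", "2026-03-10T10:00:00+00:00", 25.50, 56.30),
    ("211000002", "2026-03-10T10:12:00+00:00", 25.52, 56.33),  # ~2 nm, ~10 kn
]

if __name__ == "__main__":
    for mmsi, ts, kn in flag_teleports(SAMPLE_FIXES):
        print(f"SPOOF? {mmsi} at {ts}: implied {kn} kn")
```

Implied-speed checks catch the gross jumps the report describes but not slow "meaconing" style drift, where a spoofer walks a receiver off course at plausible speeds; for that, compare the GNSS-derived position against dead reckoning from heading and log speed, which the AIS message also carries.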
Also on March 26, the United Kingdom and Belgium announced the establishment of a Joint Electronic Warfare Centre, designated JEWC 2.0, with a $176 million budget covering 2026 through 2030. The centre will focus on cyberwarfare integration, weapon system data reprogramming, ISR support, and counter-UAS electronic warfare capabilities. March 26 was also the final day of the Electronic Warfare Association Conference at Robins Air Force Base, Georgia, which ran classified and unclassified sessions on electromagnetic warfare developments. Armada International's March Spectrum SitRep documented that GPS interference clusters active in the Persian Gulf had expanded from 21 identified clusters in early March to a wider pattern of overlapping zones by late March.
At the AUSA Global Force Symposium in Huntsville, Alabama on March 26, Under Secretary of the Army Michael Obadal announced that the Army is accelerating AI-enabled targeting while soldiers are engaged in active combat during Operation Epic Fury. Obadal cited results from Operation Ivy Sting at Fort Carson, where the 4th Infantry Division used AI-enabled tools integrating intelligence, surveillance, and reconnaissance data with fire mission planning to execute 15 targeting actions in one hour. Military.com reported the announcement on March 26. The Palantir Maven Smart System, formalized as a Pentagon program of record on March 20, now has over 20,000 active users generating approximately 1,000 targeting recommendations per hour. The system processed 1,000 targets within the first 24 hours of Operation Epic Fury. Pentagon investment in Maven has grown from $480 million in 2024 to approximately $13 billion.
DefenseScoop published an op-ed on March 26 warning that the Trump administration's designation of Anthropic as a supply-chain risk had exposed a critical policy vacuum governing military AI, with the Pentagon relying only on general guidance requiring "appropriate levels of human judgment" without specifying accountability mechanisms. Defense One reported separately that French Admiral Pierre Vandier, NATO's Supreme Allied Commander for Transformation, had warned that increased reliance on AI changes how military decision-makers use their own cognitive processes, with Princeton research cited indicating that AI tools can instill false confidence in human operators.
The Record reported on March 26 that Volt Typhoon, the China-linked pre-positioning operation targeting U.S. critical infrastructure, remains actively embedded. Dragos CEO Rob Lee assessed the group as "still very active" and "still absolutely mapping out and getting into" U.S. infrastructure. Some utility breaches from Volt Typhoon intrusions may never be detected or fully remediated. The FCC's National Security Determination issued in late March, banning all foreign-manufactured consumer routers, was a direct response to the documented exploitation of edge devices in both Volt Typhoon and Salt Typhoon operations.
CyberScoop reported on March 26 that the FBI confirmed Salt Typhoon's threats are "still very much ongoing," with the campaign having affected over 200 targets across more than 80 countries. Norway's intelligence service disclosed on March 26 that the country had been hit by the Salt Typhoon telecommunications espionage campaign. AT&T and Verizon continued to withhold Mandiant security assessments from Congress despite requests from Senate Commerce Committee Ranking Member Maria Cantwell. Separately, Security Affairs reported on March 26 that the China-linked Red Menshen APT had deployed BPFDoor implants in telecommunications networks across the Middle East and Asia. BPFDoor is a Linux backdoor that attaches a Berkeley Packet Filter to a raw socket and activates only when a specially crafted "magic" packet arrives; while dormant it opens no listening port and generates no outbound traffic, so port scans, netstat-style listening-port checks, and egress monitoring all miss it, making it extremely difficult to identify during standard security audits.
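Because BPFDoor hides from port-centric checks, the host-side check that does work is to enumerate packet sockets that have a BPF filter attached and ask which process owns each one; on Linux, `ss -0pb` lists packet sockets (`-0`), their owning processes (`-p`), and any attached BPF filter (`-b`). The parser below is an added example written for this page, not code from Security Affairs or any vendor. It assumes the `ss -0pb` layout in which each socket occupies one line and an attached filter appears on an indented continuation line beginning with `bpf filter`; the sample output and the allowlist of processes expected to own filtered packet sockets are constructed, so tune both to your fleet.

```python
"""Find packet sockets with BPF filters owned by processes that should not have them.

Added example for this page; not vendor code. Parses constructed `ss -0pb`
output. The continuation-line layout and the allowlist are assumptions.
"""
import re

# Processes that legitimately attach BPF filters to packet sockets on a typical
# host (DHCP clients, capture tools, network managers). Assumed allowlist.
EXPECTED_BPF_OWNERS = {
    "dhclient", "dhcpcd", "NetworkManager", "systemd-networkd", "tcpdump",
}

_PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+),fd=\d+\)')


def parse_ss(text):
    """Turn `ss -0pb` output into a list of socket dicts.

    A non-indented line is a socket; an indented line mentioning
    'bpf filter' marks the preceding socket as filtered.
    """
    sockets = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Netid"):
            continue
        if line[0] in " \t":
            if sockets and "bpf filter" in line:
                sockets[-1]["bpf"] = True
            continue
        m = _PROC_RE.search(line)
        sockets.append({
            "netid": line.split()[0],
            "proc": m.group(1) if m else None,
            "pid": int(m.group(2)) if m else None,
            "bpf": False,
        })
    return sockets


def suspicious_bpf_sockets(text, allowlist=EXPECTED_BPF_OWNERS):
    """Filtered packet sockets whose owner is unknown or not on the allowlist."""
    return [s for s in parse_ss(text) if s["bpf"] and s["proc"] not in allowlist]


# Constructed sample: a DHCP client (expected), a syslog daemon with an
# unfiltered packet socket, and a process with a filtered raw socket that
# has no business sniffing traffic.
SAMPLE_SS_OUTPUT = """\
Netid  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
p_raw  0      0      *:eth0               *                  users:(("dhclient",pid=812,fd=5))
    bpf filter (13): 0x28 0 0 12, 0x15 0 11 2048, ...
p_dgr  0      0      *:eth0               *                  users:(("rsyslogd",pid=400,fd=9))
p_raw  0      0      *:eth0               *                  users:(("kworker/u8:2",pid=4123,fd=3))
    bpf filter (24): 0x28 0 0 12, 0x15 0 22 2048, ...
"""

if __name__ == "__main__":
    for s in suspicious_bpf_sockets(SAMPLE_SS_OUTPUT):
        print(f"INVESTIGATE pid {s['pid']} ({s['proc']}): BPF filter on {s['netid']} socket")
```

Treat a hit as a lead rather than a verdict: follow it with `ls -l /proc/<pid>/exe` (a binary that has deleted itself from disk is a strong signal) and dump the filter program the socket carries. Run the check from a known-good tool set, since an implant that can rename its own process can also shadow `ss`.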
NK News reported on March 26 that a high-profile North Korean hacker group had reorganized into three distinct operational units. Bloomberg had reported on March 19 that North Korea now earns over $1 billion annually from cyber operations, supported in part by arms sales to Russia. The Lazarus Group had deployed Medusa ransomware-as-a-service in attacks targeting healthcare organizations and nonprofits in the Middle East and the United States, and had breached cryptocurrency platform Bitrefill on March 1, exposing 18,500 purchase records. The reorganization of North Korea's cyber structure, combined with the group's demonstrated willingness to deploy both espionage and ransomware tooling against overlapping target sets, reflects a maturation of North Korea's cyber enterprise into multiple specialized operational tracks.
Sandworm's December 2025 DynoWiper attack against Poland's power sector remained under investigation on March 26. ESET had attributed the attack to GRU Unit 74455, with DynoWiper uploading corrupt firmware to remote terminal units causing continuous reboot loops across grid management systems. The attack marked the third confirmed Russian wiper deployment against European power infrastructure since 2016. Russia's COSMOS 2553 satellite continued to generate concern among Western defense analysts as a potential nuclear anti-satellite weapon platform operating in medium-Earth orbit.
March 26 was the final day of RSAC 2026 at Moscone Center in San Francisco. In an unprecedented development, CISA, the FBI, and the NSA did not send speakers to the conference after withdrawing in January, following former CISA Director Jen Easterly's appointment as CEO of RSA Conference. The absence of federal cybersecurity leadership drew significant commentary. At the conference, the European Union's cybersecurity agency ENISA formally offered to help fund and modernize the CVE vulnerability database program, citing concerns raised by the April 2025 MITRE funding disruption. Four former NSA and Cyber Command leaders who did attend warned that Americans are becoming "numb" to cyber threats and that the United States has not achieved deterrence. Taiwan's Ministry of Digital Affairs disclosed that the island faces 2.6 million daily cyberattacks and launched its first cybersecurity pavilion at the conference. Among new threat disclosures on March 26: Kaspersky researchers linked the Coruna iOS exploit kit to the 2023 Operation Triangulation campaign, suggesting the framework has evolved into active cyberespionage and cryptocurrency theft operations.