Issue #002 · April 22, 2026
Cyber Threat Brief — Issue #002
What's active. What matters. What to do about it.
Active Campaigns
Following the February 28 joint US-Israeli military strikes designated Operation Epic Fury, Iran-aligned threat actors launched a sustained multi-vector cyber campaign targeting US and Israeli infrastructure. Observed activity includes DDoS attacks on cloud hosting providers, destructive wiper deployments, and data exfiltration operations. Iranian actors, whose operations were disrupted by a domestic internet blackout that lasted 47 days before partial restoration on April 17, shifted operational infrastructure to VSAT services including Starlink to maintain tempo. Approximately 60 hacktivist groups have been observed active in support of Iranian objectives, with Handala Hack, linked to Iran's Ministry of Intelligence and Security, leading the most significant claimed operations, including attacks on Israeli energy and Jordanian fuel systems.
Salt Typhoon's breach of US telecommunications infrastructure, first confirmed in late 2024, continues to generate active oversight pressure in 2026 with the group's full eviction from carrier networks still unconfirmed. Senator Cantwell's February 2026 letter to the Senate Commerce Committee requested hearings with AT&T and Verizon CEOs to verify remediation claims — a signal that government confidence in carrier-reported containment remains low. The group's confirmed January 2026 targeting of House Committee staff focused on personnel with national security oversight responsibilities, consistent with Salt Typhoon's established counterintelligence mandate. With over 200 confirmed targets across 80 countries, the campaign remains one of the most significant telecommunications espionage operations on record.
CISA added three critical vulnerabilities in Cisco Catalyst SD-WAN Manager to the Known Exploited Vulnerabilities catalog on April 20, 2026, and issued Emergency Directive 26-03 requiring federal agencies to remediate by April 23. The flaws allow attackers to overwrite arbitrary files, recover stored credentials from the filesystem, and expose sensitive configuration data — a chain that, combined, provides a path from initial access to full network management control. SD-WAN infrastructure is a high-value target because compromising the manager provides visibility and control over the entire software-defined network it administers. Non-federal organizations running affected versions should treat CISA's emergency directive timeline as their own.
CVE Watch
PRODUCT: Apache ActiveMQ
WHAT IT MEANS:
An improper input validation vulnerability in Apache ActiveMQ allows authenticated users to achieve remote code execution via the administrative interface used to monitor and manage broker instances. ActiveMQ is widely deployed as a message broker in enterprise middleware, CI/CD pipelines, and financial services infrastructure, making it an attractive target for actors seeking lateral movement from integration layers into core systems. CISA added this to the Known Exploited Vulnerabilities catalog on April 16, confirming active exploitation. ActiveMQ has a documented history of rapid weaponization — a prior flaw in the same product became a ransomware vector within days of disclosure.
ACTION: Patch Apache ActiveMQ immediately and restrict public exposure of management interfaces — they should never be internet-facing.
PRODUCT: Cisco Catalyst SD-WAN Manager
WHAT IT MEANS:
One of three Cisco SD-WAN Manager flaws added to the Known Exploited Vulnerabilities catalog, this vulnerability exposes sensitive configuration information to unauthorized actors through the API interface. Combined with companion flaws that allow file overwrite and credential recovery, the three vulnerabilities together create a complete attack chain from initial reconnaissance to privileged network management access. CISA issued Emergency Directive 26-03 with a remediation deadline of April 23, 2026 — the shortest federal patch window issued in 2026 to date.
ACTION: Apply Cisco patches immediately. Assess for existing compromise before patching — if the manager has been internet-facing, assume it has been probed.
PRODUCT: Fortinet — multiple products
WHAT IT MEANS:
A SQL injection vulnerability in Fortinet products was confirmed in active exploitation as of April 13, 2026. Fortinet vulnerabilities are consistently among the most rapidly exploited by both nation-state and ransomware actors because of the products' prevalence at network perimeters. At this severity level, attackers can extract credentials, manipulate authentication logic, and establish persistent access before defenders detect the intrusion. Fortinet has a documented pattern of vulnerabilities being weaponized within 48 hours of disclosure.
ACTION: Apply Fortinet patches immediately, audit authentication logs for anomalous access, and verify no unauthorized admin accounts have been created.
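As an added illustration of the audit step above (example code, not from the brief or from Fortinet), the script below runs two checks over constructed log lines written in the key=value layout that FortiGate event logs use: admin logins from outside an approved management network, and any creation of, or change to, an admin account that is not in the configuration baseline. The field names, the management network and the admin baseline are assumptions to adjust to your own export.

```python
import ipaddress
import re

# Constructed sample lines. Assumption: field names approximate FortiGate's
# key=value event log format; verify against a real export before relying on them.
SAMPLE_LOGS = """\
date=2026-04-14 time=02:13:07 type="event" subtype="system" level="notice" logdesc="Admin login successful" user="admin" ui="https(203.0.113.9)" action="login" status="success"
date=2026-04-14 time=02:13:41 type="event" subtype="system" level="information" logdesc="Object configured" user="admin" ui="https(203.0.113.9)" action="Add" cfgpath="system.admin" cfgobj="svc_backup" msg="Add system.admin svc_backup"
date=2026-04-14 time=09:02:11 type="event" subtype="system" level="notice" logdesc="Admin login successful" user="netops" ui="https(10.0.0.12)" action="login" status="success"
date=2026-04-14 time=09:05:00 type="event" subtype="system" level="information" logdesc="Object configured" user="netops" ui="https(10.0.0.12)" action="Edit" cfgpath="firewall.policy" cfgobj="42" msg="Edit firewall.policy 42"
"""

# Assumptions: approved sources for admin access, and the admin accounts in the baseline config.
MGMT_NETS = [ipaddress.ip_network("10.0.0.0/8")]
KNOWN_ADMINS = {"admin", "netops"}

KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')   # key="quoted value" or key=bare
UI_RE = re.compile(r"\(([\d.]+)\)")               # source address inside ui="https(a.b.c.d)"


def parse_line(line):
    """Turn one key=value log line into a dict; quoted and bare values both handled."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def source_ip(event):
    m = UI_RE.search(event.get("ui", ""))
    return ipaddress.ip_address(m.group(1)) if m else None


def audit(log_text):
    """Return (timestamp, finding, acting user, detail) tuples worth a human's review."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        when = f'{ev.get("date")} {ev.get("time")}'
        ip = source_ip(ev)
        # Check 1: successful admin login from a source outside the management network.
        if ev.get("action") == "login" and ip and not any(ip in net for net in MGMT_NETS):
            findings.append((when, "login_from_unapproved_source", ev.get("user"), str(ip)))
        # Check 2: any new admin account, or any change to an account not in the baseline.
        if ev.get("cfgpath") == "system.admin":
            obj = ev.get("cfgobj")
            if ev.get("action") == "Add" or obj not in KNOWN_ADMINS:
                findings.append((when, "admin_account_change", ev.get("user"), f'{ev.get("action")} {obj}'))
    return findings
```

On the constructed sample, the two findings point at the same session: a login from 203.0.113.9 followed by creation of an admin account named svc_backup, which is the pattern the action item asks you to rule out.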
Threat Actor Activity
| Actor | Status | Activity |
|---|---|---|
| Iran-aligned (Handala, MuddyWater, Cyber Av3ngers) | [ ESCALATING ] | Sustained retaliatory campaign following Operation Epic Fury. Handala leads claimed operations against Israeli and regional infrastructure. MuddyWater is running a structured offensive targeting the Middle East, Turkey, and Africa. Cyber Av3ngers has shifted focus to Rockwell Automation industrial control systems. |
| Salt Typhoon | [ ACTIVE ] | Congressional scrutiny over unverified carrier remediation intensifies. Full eviction from US telecommunications infrastructure remains unconfirmed. Targeting of national security committee staff in January 2026 represents a direct escalation of the group's counterintelligence mandate. |
| Volt Typhoon | [ MONITORING ] | No new confirmed activity. Pre-positioning within US critical infrastructure from prior periods remains unresolved. Operational silence is consistent with the group's established pattern of long-dwell access over visible action. |
| LockBit | [ MONITORING ] | Affiliate activity continues at reduced volume following 2025 law enforcement disruptions. No major confirmed incidents. Infrastructure and affiliate relationships remain sufficient to resume operations at scale. |
Key Takeaway
The biggest story in this issue is not a vulnerability — it is a war. Following military strikes against Iran in late February, Iranian-aligned cyber actors launched a sustained retaliatory campaign that is still escalating as of this publication. For organizations in energy, cloud infrastructure, government contracting, or any sector with ties to US or Israeli operations, the threat posture has materially shifted. Simultaneously, Cisco SD-WAN Manager — the software that controls how entire enterprise networks route traffic — has three actively exploited vulnerabilities with a federal remediation deadline that has already passed for most readers. If your organization runs SD-WAN infrastructure and has not patched, the window to do so before becoming a statistic is closing fast. The throughline across every item in this issue is the same one that defined Issue #001: attackers move faster than patch cycles, and the organizations that treat critical advisories as scheduled maintenance will learn that lesson the hard way.
Sources
- CISA Known Exploited Vulnerabilities Catalog
- CISA Emergency Directive 26-03
- Unit 42 — Palo Alto Networks
- Halcyon Ransomware Research Center
- Trend Micro Research
- The Hacker News