Jennifer Kleman

Jack Voltaic® Tampa Strengthens Regional Cyber Readiness

Aligned Realistic Cyberattack Simulation Range

Successful Multi-Sector Cyber Exercise Strengthens Tampa Bay Preparedness

From May 18–20, 2026, Cyber Florida, in partnership with the Army Cyber Institute and a broad coalition of federal, state, local, military, academic, and private-sector partners, successfully completed the Jack Voltaic® Tampa Cyber Incident Exercise at the University of South Florida Marshall Student Center.

The three-day, immersive exercise simulated a coordinated cyberattack targeting Tampa Bay’s critical water infrastructure, creating cascading impacts across essential services and adjacent military operations. The event brought together decision-makers and technical responders to test coordination, improve readiness, and strengthen cyber resilience across the region.

About Jack Voltaic®

Jack Voltaic® is an initiative led by the Army Cyber Institute designed to evaluate and enhance the resilience of communities surrounding U.S. military installations.

Because modern infrastructure systems are deeply interconnected, disruptions in cyber-physical systems, such as water, energy, transportation, and communications, can quickly ripple across both civilian and defense environments.

Since its launch in 2016, the Jack Voltaic® series has focused on:

  • Strengthening civil-military cyber coordination
  • Testing multi-sector incident response capabilities
  • Identifying infrastructure interdependencies and vulnerabilities
  • Improving regional resilience through realistic scenario-based training

The 2026 Tampa exercise built on this foundation with an expanded focus on operational execution and cross-sector integration.

Exercise Scenario: Coordinated Cyberattack on Water Infrastructure

Participants worked through a realistic, escalating cyber incident affecting water treatment and distribution systems in the Tampa Bay region. The scenario was designed to reflect the complexity of modern cyberattacks against operational technology (OT) and critical infrastructure environments.

Scenario Progression Included:

  • Corruption of vendor-managed PLC systems
  • Altered chemical setpoints impacting water treatment processes
  • Theft of sensitive utility operational data
  • Loss of SCADA control and degraded system visibility

These events created cascading operational challenges for utilities, emergency managers, and defense-supporting infrastructure, requiring coordinated response across multiple jurisdictions.

Exercise Objectives and Outcomes

The exercise successfully met its core objectives:

  1. Strengthening Regional Response Capabilities

Participants tested and refined the ability of the City of Tampa and Hillsborough County to respond to a sophisticated, multi-sector cyberattack under realistic operational pressure.

  2. Evaluating Emergency Management Under Stress

State and local agencies examined response coordination in an environment reflecting concurrent emergency demands and infrastructure disruption.

  3. Demonstrating Regional Leadership

The Tampa Bay region further established itself as a national leader in cyber incident preparedness and cross-sector collaboration.

  4. Assessing Defense Operational Impacts

The exercise highlighted potential implications for nearby defense installations, including MacDill Air Force Base, as well as U.S. Central Command and U.S. Special Operations Command.

A Dual-Track Training Environment: Tabletop and Live-Fire Integration

A defining feature of the 2026 exercise was the integration of two complementary training environments: a facilitated tabletop exercise (TTX) and a live-fire cyber range exercise (LFX).

Tabletop Exercise (TTX): Strategic Decision-Making in Action

Led in partnership with Norwich University Applied Research Institutes, the tabletop exercise brought together leadership from across sectors to:

  • Evaluate response plans and procedures
  • Coordinate crisis communications strategies
  • Identify gaps in interagency coordination
  • Discuss policy, governance, and resource alignment

Facilitated discussions enabled participants to test assumptions and refine decision-making frameworks under evolving scenario conditions.

Live-Fire Exercise (LFX): Operational Execution at Scale

The live-fire exercise, powered by SimSpace, provided participants with a realistic cyber range environment where technical teams:

  • Analyzed live telemetry, logs, and simulated alerts
  • Identified indicators of compromise across IT and OT systems
  • Implemented containment and mitigation strategies
  • Coordinated across SOC, engineering, and leadership roles
  • Delivered operational briefings to executive stakeholders

The LFX environment enabled participants to directly translate tabletop decisions into technical execution, reinforcing real-world readiness.

Broad Cross-Sector Participation

The exercise brought together an extensive coalition of partners, including:

Federal and Military Partners

  • U.S. Cyber Command, U.S. Central Command, U.S. Special Operations Command, U.S. Coast Guard, Florida Army National Guard, the FBI, and the Cybersecurity and Infrastructure Security Agency.

State and Local Government

  • City of Tampa, Hillsborough County, Pinellas County, Pasco County, along with multiple municipal and state agencies.

Critical Infrastructure and Industry

Key infrastructure partners included:

  • TECO Energy
  • Tampa Bay Water
  • Tampa General Hospital
  • BayCare Health System
  • AdventHealth
  • US Water Services Corporation

Academic and Research Partners

Idaho National Laboratory and the University of South Florida played key roles in supporting scenario design, technical integration, and research-informed facilitation.

Key Outcomes and Takeaways

Across all three days, participants identified several critical outcomes:

Stronger Cross-Sector Coordination

The exercise reinforced the importance of pre-established relationships between government, industry, and military stakeholders in responding to cyber incidents affecting shared infrastructure.

Improved Operational Awareness

Participants demonstrated improved ability to maintain shared situational awareness across IT and OT environments during rapidly evolving incidents.

Identification of Infrastructure Interdependencies

The scenario highlighted how disruptions in water systems can cascade into healthcare, energy, and defense operations.

Enhanced Crisis Communication Practices

Leadership teams refined strategies for communicating risk, coordinating messaging, and maintaining public trust during cyber disruptions.

After-Action Review and Next Steps

Following the exercise, participants contributed to a comprehensive after-action review capturing:

  • Key strengths in coordination and response
  • Gaps in technical and organizational capabilities
  • Opportunities to improve communication and decision-making workflows
  • Recommendations for future regional cyber preparedness efforts

These findings will inform ongoing efforts to strengthen cyber resilience across Florida’s critical infrastructure ecosystem.

Advancing Cyber Resilience for the Future

The successful completion of the Jack Voltaic® Tampa Cyber Incident Exercise underscored the value of sustained, cross-sector collaboration in addressing today’s evolving cyber threats.

By bringing together civilian leadership, military commands, infrastructure operators, and cybersecurity practitioners in a shared training environment, the exercise strengthened both relationships and operational readiness across the Tampa Bay region.

Cyber Florida and its partners remain committed to advancing this collaborative model, ensuring Florida continues to lead in building resilient, secure, and well-coordinated cyber defense capabilities.

Cyber Florida’s services and resources are available at no charge. To arrange for access to the ARCS Range, visit https://cyberflorida.org/arcs-range/. To explore no-cost cybersecurity training and educational opportunities for all levels of public sector employees, including certification preparation, visit our FirstLine page at https://cyberflorida.org/firstline/. Critical infrastructure organizations interested in completing the Florida Cyber Risk Assessment to access free resources and expert help should visit https://cyberflorida.org/cip/.

Jack Voltaic® Tampa Strengthens Regional Cyber Readiness (2026-05-21T14:05:04-04:00)

CI Bulletin Vol 2, Issue 7 May 19, 2026

Florida Critical Infrastructure Cybersecurity Intelligence

This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.

Situational Awareness Bulletin #09-2026
Cyber Threat Outlook

Over the next six to nine months, Florida’s critical infrastructure operators face a rapidly deteriorating threat environment shaped by three converging forces: (1) machine-speed exploitation driven by AI-assisted automation, (2) the deliberate targeting of IT/OT convergence points by nation-state actors, and (3) an expanding supply chain attack surface that includes managed service providers, code repositories, and certificate authorities. Threat actors are using generative AI and agentic workflows to discover vulnerabilities, fabricate phishing lures at scale, and automate credential exfiltration through poisoned development pipelines. Simultaneously, state-sponsored actors—particularly Iranian and Chinese-affiliated groups—are refining destructive and persistent techniques against internet-exposed operational technology, including programmable logic controllers and energy management gateways. These trends are compressing the window between vulnerability disclosure and active exploitation to hours or days. Organizations relying solely on periodic patching and signature-based detection are no longer adequately protected. CI owners and operators must treat operational resilience—including tested manual fallback procedures and isolated OT network architectures—as a baseline operational requirement, not a contingency plan. CISA’s new CI Fortify initiative, structured around proactive isolation and systematic recovery, provides a practical starting framework for this transition.

Confidence – High

Executive Summary
  • All Sectors: GenAI and automated tools are lowering the barrier for cyber threat actors to execute high-fidelity phishing and machine-speed exploitation, necessitating a strategic shift toward operational resilience and manual fallback capabilities.
  • Commercial Facilities: Large hospitality venues and building automation systems face data extortion and BAS hijacking risk. The Carnival Corporation incident, in which ShinyHunters claims to have stolen 8.7 million records via phishing, demonstrates that pure data-extortion operations without encryption are increasingly common and may bypass traditional ransomware detection.
  • Communications: Telecommunications carriers and managed service providers (MSPs) face elevated ransomware targeting as adversaries seek to launch cascading attacks against downstream municipal utilities.
  • Critical Manufacturing: Financially motivated actors continue to target the aerospace supply chain with ransomware, highlighting the critical need to harden remote access gateways and segment manufacturing operations.
  • Defense Industrial Base: The sector faces persistent targeting of third-party application programming interfaces (APIs) and supply chain vulnerabilities.
  • Energy: Energy providers face multi-vector threats from Iranian-affiliated actors actively probing internet-facing OT systems, a new destructive wiper (Lotus) with no financial motive—indicating state-sponsored intent—and a supply chain breach at smart-meter provider Itron that underscores vendor access risk.
  • Financial Services: The financial sector remains a top target for ransomware and phishing campaigns abusing legitimate management platforms, requiring robust vendor management and anti-money laundering (AML) controls.
  • Government Facilities: Municipal and educational institutions face ransomware, third-party vendor breaches, and identity fraud involving the fabrication of official government credentials.
  • Healthcare and Public Health: Hospitals remain a primary target for sophisticated double-extortion ransomware and medical device targeting, necessitating the adoption of manual-first downtime procedures to sustain patient care.
  • Information Technology: Developer environments and automated build pipelines are experiencing a surge in supply-chain attacks utilizing poisoned open-source packages, agentic AI backdoors, and compromised administrative portals.
  • Transportation Systems: Commercial maritime traffic networks face emerging operational risks from advanced electronic warfare tactics, including localized spoofing and the targeted interception of vessel communication systems.
  • Water and Wastewater Systems: Water utilities must defend against AI-assisted exploitation of PLCs and persistent living-off-the-land (LOTL) administrative access.

All Sectors

Cybersecurity and Infrastructure Security Agency Tells Critical Organizations to Prepare for Cyber Outages
The Cybersecurity and Infrastructure Security Agency (CISA) has launched the CI Fortify initiative, a formal CI emergency planning framework to enhance preparation for significant cyber outages. The initiative centers on two operational objectives: (1) isolation—proactively severing connections from third-party and business networks to protect OT environments, and (2) recovery—documenting system configurations, backing up critical files offline, and practicing restoration or transition to manual operations. CISA emphasizes that in the current geopolitical context, as adversaries refine their disruptive capabilities (e.g., Volt Typhoon-style prepositioning), the focus must shift from pure prevention to operational resilience and the ability to maintain essential services during a sustained technical failure. This development is relevant to Florida because the state’s reliance on integrated digital systems for power and water management means that an outage in one sector can quickly cascade into others, requiring tested manual fallback procedures to protect public safety.

Europol IOCTA 2026 Report Highlights Evolving Threat Landscape and the Proliferation of Artificial Intelligence
Europol released its 2026 Internet Organised Crime Threat Assessment (IOCTA), detailing a strategic shift toward multi-staged cyber operations. The report emphasizes how generative artificial intelligence (GenAI) lowers the barrier for entry by facilitating high-fidelity phishing and basic malware creation. Additionally, it identifies the expansion of “as-a-service” models into initial access brokerage and distributed denial-of-service (DDoS). This development is significant for Florida’s critical infrastructure (CI) as it signals an increased volume of non-state threats targeting essential services through automated exploitation.

BlueKit Phishing Kit Targets Multiple Platforms with Sophisticated MFA Bypass Attacks
The emergence of the “BlueKit” phishing kit marks a significant escalation in credential-harvesting tactics, bypassing multi-factor authentication (MFA) through adversary-in-the-middle (AitM) techniques. BlueKit operates as a Phishing-as-a-Service (PhaaS) platform, consolidating all attack functions—domain purchase, phishing page deployment, victim session monitoring, and credential exfiltration via Telegram—into a single commercial dashboard. The kit targets over 40 platforms, including Gmail, Outlook, iCloud, GitHub, ProtonMail, and cryptocurrency services, to capture session cookies and bypass traditional authentication guardrails. Because BlueKit steals authenticated session cookies rather than just credentials, standard one-time-password (OTP) and push-notification MFA are not effective defenses. Only FIDO2-compliant hardware security keys fully mitigate this threat class. This development is relevant to Florida as state agencies and municipal utilities increasingly rely on these cloud platforms for administrative operations.
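
Why FIDO2 holds up where OTP and push MFA do not: the browser writes the page's origin into the signed assertion, and the relying party rejects any assertion minted at a look-alike domain. The following is an added example, not code from the bulletin or any vendor; the host names, `RP_ID`, `EXPECTED_ORIGIN` and the helper functions are hypothetical, and the signature check that makes these fields tamper-proof is noted in a comment but not implemented.

```python
import base64
import hashlib
import json

# Hypothetical relying-party settings for this example (not from the bulletin).
RP_ID = "portal.utility.example"
EXPECTED_ORIGIN = "https://portal.utility.example"
FLAG_USER_PRESENT = 0x01  # bit 0 of the authenticatorData flags byte


def b64url(data):
    """Unpadded base64url, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def check_assertion_binding(client_data_json, authenticator_data, issued_challenge):
    """Return the names of the failed binding checks (empty list: all passed).

    These are the WebAuthn checks that tie a login assertion to one origin.
    A real relying party also verifies the signature over
    authenticator_data || SHA-256(client_data_json) with the stored credential
    public key; that step is what stops a proxy from rewriting these fields
    and is out of scope for this example.
    """
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return ["clientDataJSON"]
    if not isinstance(client_data, dict):
        return ["clientDataJSON"]

    failures = []
    if client_data.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge proves freshness; a relayed challenge still passes here.
    if client_data.get("challenge") != b64url(issued_challenge):
        failures.append("challenge")
    # The origin is written by the browser, not by the page or the user.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")

    # authenticatorData: rpIdHash (32 bytes) | flags (1) | signCount (4) | ...
    if len(authenticator_data) < 37:
        failures.append("authenticatorData")
        return failures
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        failures.append("rpIdHash")
    if not authenticator_data[32] & FLAG_USER_PRESENT:
        failures.append("userPresence")
    return failures


def build_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what a browser and authenticator emit at `origin`."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode("utf-8")
    auth_data = (
        hashlib.sha256(rp_id.encode()).digest()
        + bytes([FLAG_USER_PRESENT])
        + (1).to_bytes(4, "big")
    )
    return client_data, auth_data


if __name__ == "__main__":
    challenge = hashlib.sha256(b"constructed challenge").digest()

    # User signs in on the genuine site.
    genuine = build_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    print("genuine site:", check_assertion_binding(*genuine, challenge))

    # User is on a look-alike domain that relays the genuine challenge.
    # The browser records the look-alike origin and scopes the request to it.
    relayed = build_assertion(
        "https://portal-utility.example.net", "portal-utility.example.net", challenge
    )
    print("relayed via look-alike:", check_assertion_binding(*relayed, challenge))
```

An OTP or push approval carries no such origin field, which is why a relay can pass it through unchanged.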

Pro-Russian Hacker Group Gamifies Cyberattacks on Europe with Cryptocurrency Rewards
An investigation revealed that a pro-Russian hacktivist collective is utilizing a gamified platform to coordinate cyberattacks against European infrastructure. Participants earn cryptocurrency rewards for successfully carrying out DDoS attacks or defacing government websites. While currently focused on European targets, the industrialized scale and crowdsourced nature of this campaign represent a transferable risk to United States infrastructure. This news is relevant to Florida as it highlights how ideological adversaries can incentivize widespread disruption of municipal or utility networks through decentralized financial incentives and automated attack platforms.

Hundreds of Internet-Facing VNC Servers Expose Industrial Control Systems and Operational Technology
A global scan by security researchers has identified hundreds of internet-facing virtual network computing (VNC) servers that provide direct access to industrial control systems (ICS) and operational technology (OT) environments. These servers are often configured without authentication or with weak credentials, allowing unauthorized actors to manipulate human-machine interface (HMI) screens and control logic. This exposure is highly relevant to Florida as many municipal water and energy utilities utilize VNC for remote monitoring.

Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia
The Chinese-affiliated advanced persistent threat (APT) group Silver Fox is targeting organizations across the industrial, consulting, retail, and transportation sectors using a new Python-based backdoor dubbed ABCDoor alongside the ValleyRAT malware. The campaign sent over 1,600 malicious emails between early January and early February 2026. The attack chain begins with tax-themed phishing emails containing PDF files with malicious links to ZIP or RAR archives hosted on abc.haijing88[.]com. The archives contain a modified RustSL loader that unpacks the payload and employs phantom persistence to hijack system reboot sequences for survival. While current targeting focuses heavily on Russia and India, Florida’s critical infrastructure operators should monitor for these tactics, techniques, and procedures.

Fortinet Flags Industrial-Scale Cybercrime Driven by Continuous Machine-Speed Attacks
A recent report from Fortinet highlights a strategic shift toward industrial-scale cybercrime where attackers utilize automated tools to conduct machine-speed exploitation of vulnerabilities. These campaigns do not rely on manual interaction; instead, they use scripts to identify and compromise thousands of targets simultaneously. This trend is significant for Florida as the state’s large footprint of small and medium-sized municipal utilities may lack the automated defensive tools necessary to counter these high-velocity attacks, making them susceptible to rapid, widespread compromise of their administrative and OT networks.

Security Professionals Identify Identity Management as a Growing Challenge
A recent industry survey indicates that the vast majority of cybersecurity professionals now view identity and access management (IAM) as their primary operational hurdle. The rise of GenAI-powered social engineering has made traditional authentication methods less effective, leading to increased unauthorized access. Florida organizations must recognize that identity is the new perimeter and prioritize phishing-resistant MFA to protect sensitive administrative credentials.

Mirai-Based XLabsV1 Botnet Exploits Android Debugging Interfaces
Security researchers have identified a new Mirai-based botnet variant, XLabsV1, which is actively exploiting exposed Android Debug Bridge (ADB) interfaces to enlist devices into a DDoS network. The botnet targets Internet of Things (IoT) devices and industrial sensors that have remained insecurely connected to the public internet. This trend is relevant to Florida’s critical infrastructure because of the high density of connected sensors used in smart-city and environmental-monitoring applications across the state.
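
A self-audit for the VNC and ADB exposure described in the two items above, given as an added example that is not part of the bulletin: it reads nmap grepable (`-oG`) output from a scan of an operator's own external address ranges and lists every open VNC or ADB listener with the matching action from this bulletin. The port ranges, function names and sample scan lines are assumptions made for the example; the addresses are documentation ranges.

```python
import re

# Assumed port coverage for this example: VNC displays :0-:9 (TCP 5900-5909),
# VNC-over-HTTP (TCP 5800-5809) and ADB over TCP (5555).
VNC_PORTS = set(range(5900, 5910)) | set(range(5800, 5810))
ADB_PORTS = {5555}

# Actions taken from the bulletin's All Sectors recommendations.
ACTIONS = {
    "VNC": "move behind a VPN with multi-factor authentication",
    "ADB": "disable the exposed ADB interface",
}

HOST_RE = re.compile(r"Host: (\S+) \((.*?)\)")


def parse_grepable(text):
    """Yield (ip, hostname, port, proto, service) for each open port."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment or summary line
        fields = line.split("\t")
        match = HOST_RE.match(fields[0])
        if not match:
            continue
        ip, hostname = match.groups()
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                # port/state/protocol/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                if parts[1] != "open":
                    continue  # closed and filtered ports are not exposure
                yield ip, hostname, int(parts[0]), parts[2], parts[4]


def classify(port, proto, service):
    """Return "VNC", "ADB" or None for one open port."""
    if proto != "tcp":
        return None
    svc = service.lower()
    # Without version detection nmap names a port from its static table
    # (5555/tcp shows up as "freeciv"), so the port number is checked as
    # well as the service name.
    if port in VNC_PORTS or svc.startswith("vnc"):
        return "VNC"
    if port in ADB_PORTS or svc == "adb":
        return "ADB"
    return None


def audit(text):
    """Return one finding per exposed VNC/ADB listener, in scan order."""
    findings = []
    for ip, hostname, port, proto, service in parse_grepable(text):
        kind = classify(port, proto, service)
        if kind:
            findings.append({
                "ip": ip, "hostname": hostname, "port": port,
                "kind": kind, "action": ACTIONS[kind],
            })
    return findings


# Constructed sample scan output (documentation addresses, not real hosts).
SAMPLE = (
    "# Nmap scan of own external ranges (constructed sample)\n"
    "Host: 203.0.113.10 (hmi1.utility.example)\tStatus: Up\n"
    "Host: 203.0.113.10 (hmi1.utility.example)\t"
    "Ports: 443/open/tcp//https///, 5900/open/tcp//vnc///\t"
    "Ignored State: closed (998)\n"
    "Host: 203.0.113.22 ()\t"
    "Ports: 5555/open/tcp//freeciv///, 8080/closed/tcp//http-proxy///\n"
    "Host: 203.0.113.30 ()\t"
    "Ports: 5901/filtered/tcp//vnc-1///, 22/open/tcp//ssh///\n"
)

if __name__ == "__main__":
    for f in audit(SAMPLE):
        name = f["hostname"] or "no reverse DNS"
        print(f'{f["ip"]} ({name}) tcp/{f["port"]} {f["kind"]}: {f["action"]}')
```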

United States Lists Offensive Cyberattacks in Counterterrorism Strategy
The White House has released the 2026 United States Counterterrorism Strategy, which for the first time explicitly integrates offensive cyber operations to proactively disrupt the digital infrastructure of threat actors. This strategy aims to dismantle command and control (C2) nodes before they can be utilized for coordinated physical or cyber strikes. This development is significant for Florida as it signals a shift toward federal pre-emptive actions that may decrease the volume of sophisticated external threats targeting state municipal networks.

Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access
The Google Threat Intelligence Group (GTIG) has identified the first known instance of a zero-day exploit developed with the assistance of a large language model (LLM). A prominent cybercrime group utilized AI to create a Python script designed to bypass two-factor authentication (2FA) on a popular open-source system administration tool. Additionally, Chinese threat groups (UNC2814) and North Korean actors (APT45) are increasingly using “agentic” workflows to recursively analyze technical documentation and automate vulnerability discovery in embedded devices. This development is highly relevant to Florida as state agencies and municipal utilities rely on these ubiquitous administration tools and connected hardware for public service delivery. Relevant forensic data are being exfiltrated via AI-assisted reconnaissance to facilitate mass exploitation. Organizations must shift toward automated vulnerability management and reduce exposure windows as AI-assisted weaponization compresses the time between disclosure and exploitation.

New Ghostlock Tool Abuses Windows API to Block File Access and Facilitate Extortion
The “Ghostlock” tool has emerged as a novel extortion mechanism that abuses legitimate Windows APIs to lock file access without performing traditional encryption. By manipulating system permissions and handles, the tool renders data inaccessible to users, allowing threat actors to demand payment for restoration. These tactics, techniques, and procedures (TTPs) are relevant to Florida CI because they bypass many signature-based ransomware detection tools that monitor specifically for intermittent file encryption patterns or mass file renaming.

Critical Infrastructure Coalition ACI Government Partners with Federal Agencies to Bolster Defense
A new coalition of critical infrastructure providers has partnered with federal agencies to streamline threat intelligence sharing and incident response coordination. This partnership is highly relevant to Florida, where the decentralized nature of municipal utilities requires a unified reporting structure.

Mini Shai-Hulud Worm Compromises Development Pipelines via Malicious npm Packages
Security researchers have identified a successor to the Bitwarden CLI worm, dubbed “Mini Shai-Hulud,” that uses poisoned npm packages to automate credential exfiltration from continuous integration and continuous delivery (CI/CD) pipelines. The worm targets cloud provider tokens and exfiltrates them to public repositories, mimicking legitimate developer activity. This trend is significant for Florida’s IT and administrative sectors, as automated deployment pipelines are increasingly utilized for municipal web services and infrastructure management.

All Sectors Recommendations:

  • Implement phishing-resistant multi-factor authentication, such as FIDO2-compliant security keys, to mitigate session hijacking via automated adversary-in-the-middle attacks.
  • Identify all internet-facing VNC instances and secure them behind a virtual private network with multi-factor authentication to prevent unauthorized manipulation of industrial controls.
  • Develop and test manual fallback procedures for all life-safety services to ensure operational resilience during a sustained cyber outage.
  • Disable exposed ADB interfaces on internet-connected sensors and internet-of-things devices to prevent enrollment in distributed denial-of-service botnets.
  • Shift toward automated vulnerability management to reduce exposure windows as artificial intelligence-assisted exploitation compresses the time between disclosure and weaponization.

Chemical Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Commercial Facilities Sector

Carnival Corporation Targeted in Ransomware Attack
ShinyHunters, a group known for data extortion, claimed responsibility for the theft of approximately 8.7 million Carnival Corporation records, including names, dates of birth, and loyalty program data, after gaining access through a phishing attack on a single employee account. Carnival confirmed the unauthorized access and activated its incident response plan but has not confirmed whether customer data was compromised. This incident highlights the ongoing exposure of large hospitality and entertainment venues within the commercial facilities infrastructure. Florida serves as the global epicenter for the cruise industry, with major hubs in Miami and Fort Lauderdale, making this breach directly relevant to the state’s economic and maritime safety. Relevant data are often exfiltrated to pressure operators during peak travel seasons. Organizations must prioritize segmenting guest services from core vessel navigation and administrative systems.

EnOcean SmartServer Flaws Expose Building Automation Systems to Remote Hijacking
Security researchers disclosed multiple critical vulnerabilities in the EnOcean SmartServer IoT gateway, which is widely used in building automation systems (BAS). The flaws allow unauthenticated remote code execution (RCE) on the device, potentially giving attackers control over physical building systems, including lighting, climate control, and electronic locks. This discovery is relevant to Florida as many large-scale commercial facilities, such as stadiums and convention centers, rely on these gateways for facility management. Compromised systems could be used to disrupt operations or facilitate unauthorized physical access during high-traffic public events.

Commercial Facilities Sector Recommendations:

  • Segment guest services and public-facing networks from core vessel navigation and administrative systems to prevent lateral movement during a ransomware intrusion.
  • Patch EnOcean SmartServer IoT gateways immediately and restrict external network access to building automation systems to block unauthenticated remote code execution attempts.
  • Monitor network environments for unauthorized data exfiltration activities that frequently precede ransomware deployment and extortion demands during peak operational seasons.

Communications Sector

VECTR-CAST: Elevated Telecom and MSP Targeting in Next 14 Days
A private threat-forecast report released on May 4, 2026, highlights a heightened risk of ransomware and data-theft operations against United States telecommunications carriers and managed service providers (MSPs) over the next two weeks. The report notes that several ransomware groups have expanded affiliate recruiting and are prioritizing service providers with downstream critical infrastructure (CI) customers. This development is highly relevant to Florida, as the state’s extensive network of MSPs provides foundational support for municipal utilities and local government services, making these providers prime targets for “cascading” attacks designed to disrupt multiple downstream entities simultaneously.

Communications Sector Recommendations:

  • Enforce strict multi-factor authentication and the principle of least privilege on all managed service provider remote access connections to prevent adversaries from pivoting into downstream municipal utility networks.
  • Monitor telecommunications and managed service provider environments continuously for unauthorized affiliate activity or staging of data exfiltration tools that typically precede ransomware deployment.
  • Prepare contingency plans to immediately sever or isolate administrative access from managed service providers if anomalous activity or cascading ransomware attempts are detected.
  • Back up all critical configuration files and operational data to secure, offline storage to ensure rapid recovery capabilities for downstream local government services during a data-theft or encryption event.

Critical Manufacturing Sector

Stelia Aerospace Targeted in Apparent Ransomware Attack Impacting Industrial Operations
Stelia North America, a major Airbus Atlantic subsidiary specializing in aerostructures, reportedly experienced a ransomware attack that disrupted its internal information technology (IT) systems. While the company stated that the incident was strictly contained to the Stelia North America IT environment and does not impact the broader Airbus Atlantic network, the breach highlights the persistent targeting of the aerospace supply chain by financially motivated actors. Rhysida, the ransomware group responsible, issued a $2.07 million ransom demand and claimed to possess 10 TB of data, including records associated with defense contractors such as Lockheed Martin, Northrop Grumman, Sikorsky, and Boeing. This incident is highly relevant to Florida’s extensive aerospace and defense technology clusters, particularly in the Space Coast and Northwest Florida regions. Relevant production data are often exfiltrated during these intrusions to pressure victims into payment. Manufacturers must prioritize hardening remote access gateways and implement immutable, offline backups of all critical engineering workstations and design files.

Critical Manufacturing Sector Recommendations:

  • Harden remote access gateways to prevent initial unauthorized access by financially motivated threat actors targeting the aerospace supply chain.
  • Implement immutable, offline backups for all critical engineering workstations and design files to ensure resilience against ransomware encryption and data extortion.
  • Monitor internal information technology systems for unauthorized data exfiltration activities that frequently precede ransomware deployment and operational disruption.
  • Segment critical manufacturing operations from internal information technology networks to prevent lateral movement and maintain operational resilience during a breach.

Dams Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Defense Industrial Base Sector (Updated)

Critical API Flaw In Defense Contractor Platform Exposes Military Data
A high-severity vulnerability was identified in an application programming interface (API) used by a DoD contractor, which could have allowed unauthorized access to sensitive military logistics data. The flaw involved improper authentication handling, which allowed unprivileged users to query restricted records. This incident is highly relevant to Florida’s extensive defense industrial base, as many regional contractors utilize similar third-party APIs for automated data exchange, necessitating immediate audits of all external-facing service points.

Pentagon Changing Cybersecurity Training Requirement to Focus on Continuous Assessment
The Pentagon is transitioning its cybersecurity training requirements from periodic annual certifications to a model of continuous, hands-on technical assessment. This change is designed to ensure the defense workforce remains proficient against rapidly evolving threats like AI-assisted exploitation. Florida-based defense contractors should anticipate updated compliance mandates that prioritize active defense skills and verified technical competency over traditional awareness training.

Army Integrates Defense Industry Hackathon To Identify Supply Chain Flaws The United States Army has launched a new initiative to integrate defense industry partners into collaborative “hackathons” designed to identify vulnerabilities in the military supply chain. These events allow security researchers to probe contractor systems for weaknesses in a controlled environment. This development is significant for Florida contractors as it provides a proactive avenue to identify and remediate flaws before they can be exploited by advanced persistent threats (APTs).

Defense Industrial Base Sector Recommendations:

  • Audit all external-facing APIs and service points to identify and remediate improper authentication handling.
  • Transition internal training models to prioritize continuous technical assessments and hands-on skills over traditional annual awareness certifications.
  • Incorporate high-speed data processing and AI-driven trajectory prediction into defense-related software to align with future command-and-control procurement standards.

Emergency Services Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Energy Sector

Operational Technology Information Sharing and Analysis Center Flags Rising Cyber Risk to Energy Environments The Operational Technology Cybersecurity Information Sharing and Analysis Center (OT-ISAC) issued an advisory regarding escalating risks to energy-sector operational technology. This warning cites recent destructive attacks abroad and the ongoing exploitation of internet-facing programmable logic controllers (PLCs) by Iranian-affiliated actors. Groups such as CyberAv3ngers are specifically refining attacks against Rockwell Automation and Allen-Bradley devices used in power generation. This development is relevant to Florida, where municipal power utilities rely on these specific controller types. Relevant telemetry data are often targeted to cause localized disruptions. Operators should verify that all OT assets are removed from the public internet.

Destructive Lotus Wiper Malware Targets Regional Energy Providers and Utilities Security researchers identified a new destructive malware variant, dubbed “Lotus,” utilized in targeted attacks against energy providers and utilities in Venezuela. The wiper is specifically engineered to permanently delete critical system files and master boot records (MBR), rendering affected systems permanently inoperable and unrecoverable. While this specific campaign is regional, the tradecraft used to bypass industrial security controls represents a significant “transferable risk” to United States energy infrastructure. Unlike ransomware, Lotus Wiper contains no payment demand or extortion mechanism. The sole objective is permanent, irreversible system destruction—indicating state-sponsored targeting rather than financial motivation. Standard ransomware response protocols do not apply. This news is relevant to Florida because state utility operators use similar industrial control systems (ICS) that could be targeted by malicious actors during periods of geopolitical escalation. Relevant telemetry data are essential for identifying unauthorized changes to system logic files. Energy providers should ensure that all critical configurations and backups for operational technology (OT) are stored in an immutable, offline format to ensure rapid recovery.

Itron Hackers Accessed Critical Infrastructure Operators Hackers breached Itron, a major provider of smart meters and grid management systems, though the breach was confined to Itron’s own corporate IT network; no unauthorized activity was observed in the customer-hosted portion of its systems, and operations continued without material disruption. The full scope of the breach, including what data may have been accessed, remains under investigation. Given Itron’s role as a foundational supplier to energy and water utilities, this incident represents a significant third-party supply chain risk for Florida operators who rely on Itron’s platforms. While operational disruption to the grid has not been confirmed, the access granted to attackers potentially provided control over energy distribution endpoints. This is highly relevant to Florida’s Energy and Water sectors, which rely on similar advanced metering infrastructure (AMI) deployments. Florida operators should audit all third-party service account permissions and monitor for anomalous remote access activity originating from vendor-managed gateways.

Iranian-Linked Actors Continue OT Targeting Of U.S. Energy Sector A May 3, 2026, legal-sector brief reiterates that Iranian-linked cyber actors are actively probing and exploiting internet-facing OT used in United States energy facilities. These actors focus on insecure remote access, misconfigurations, and limited OT visibility to enable disruptive physical effects rather than pure data theft. This activity remains highly relevant to Florida as state energy providers rely heavily on internet-connected industrial hardware, making them susceptible to targeted efforts designed to cause operational downtime during periods of geopolitical escalation.

DOE’s Skyfall Testbed Highlights U.S. Preparation for Power-Grid Cyberattacks Lawrence Livermore National Laboratory (LLNL) publicized its Skyfall facility, a platform for modeling malware-driven attacks on power-grid ICS. The testbed is designed to evaluate defenses against Ukraine-style grid intrusions that could be replicated against United States utilities. This project is significant for Florida energy providers, as it provides a validated framework for testing the resilience of the state’s electric grid against sophisticated, state-sponsored, disruptive malware.

Nuclear Power Reaches Record 41 Percent Of Tennessee Valley Authority Generation Nuclear generation has reached a record high of 41 percent of the total power supply for the Tennessee Valley Authority (TVA), highlighting the growing reliance on nuclear energy for regional grid stability. This trend emphasizes the critical need to secure nuclear infrastructure against cyber-physical disruption. Florida’s energy providers must recognize that as nuclear generation becomes more foundational to the grid, the OT managing these facilities becomes a primary target for state-sponsored adversaries.

EPA Plan Allows Work on Data Centers and Power Plants Before Air Permits are Finalized A new Environmental Protection Agency (EPA) proposal would allow developers to begin preliminary work on data centers and power plants before final air quality permits are issued. The move aims to accelerate infrastructure growth to meet the energy demands of artificial intelligence. This development is significant for Florida’s energy sector, as it may lead to faster deployment of regional generation facilities but also necessitates a proactive approach to securing these new construction sites against physical and cyber intrusions.

PPL Corporation and Blackstone Announce Major Data Center Pipeline for Grid Stability PPL Corporation and Blackstone have announced a massive new pipeline for data center construction, highlighting the immense load growth currently challenging grid operators. The expansion focuses on facilities optimized for AI workloads, which require significantly higher power density than traditional data centers. This trend is highly relevant to Florida as the state’s own data center boom places increased strain on municipal power generation and requires coordinated load-shedding agreements with industrial consumers.

Energy Sector Recommendations:

  • Verify all OT assets, particularly Rockwell Automation and Allen-Bradley programmable logic controllers, are removed from the public internet.
  • Store all critical OT system configurations and industrial control system backups in an immutable, offline format to enable rapid recovery from destructive wiper attacks.
  • Audit third-party service account permissions and monitor vendor-managed gateways for anomalous remote access activity impacting smart meter management systems.

Financial Services Sector

Federal Bureau of Investigation Identifies Financial Services as Second-Most Targeted Critical Infrastructure Sector (Source also cited under Healthcare and Public Health) Newly released Federal Bureau of Investigation (FBI) statistics show that the financial services sector experienced 447 combined ransomware and data-breach incidents in 2025. This makes it the second-most targeted critical infrastructure sector, just behind healthcare. The sustained pressure on banks, insurers, and payment processors underscores the high value that criminal actors place on financial records. Florida has a significant financial hub in Miami, making this trend relevant to the state’s economic stability. Relevant data are frequently targeted for financial fraud or high-stakes extortion. Organizations should prioritize real-time monitoring of external data flows and more rigorous vendor management protocols.

Threat Actors Abuse Google Ads for GoDaddy and ManageWP Phishing Campaigns Hackers are utilizing malicious Google Ads to impersonate legitimate GoDaddy and ManageWP login pages, targeting website administrators with sophisticated phishing campaigns. These ads lead to “poisoned” landing pages that harvest credentials to gain access to financial and administrative portals. This development is relevant to Florida, as many small businesses and financial service providers rely on these platforms for web management, making them susceptible to account takeovers that could facilitate further financial fraud.

Financial Services Sector Recommendations:

  • Prioritize real-time monitoring of external data flows to identify and block unauthorized exfiltration of sensitive financial records.
  • Enforce phishing-resistant multi-factor authentication on all web management and administrative portals to prevent account takeovers via poisoned landing pages.
  • Implement robust anti-money laundering (AML) controls and formal incident response protocols to mitigate the legal and operational risks associated with ransomware interactions.
  • Perform rigorous vendor management assessments to identify and secure vulnerabilities within the supply chain that could facilitate financial fraud.

Food and Agriculture Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Government Services and Facilities Sector

Federal Shutdown Ends as Cybersecurity and Infrastructure Security Agency Faces Long Recovery Window Following the end of a record 75-day partial government shutdown, the Cybersecurity and Infrastructure Security Agency (CISA) is facing a significant backlog in vulnerability assessments and incident response support. The shutdown disrupted critical monitoring of state and local government networks, potentially allowing adversaries to establish persistent footholds. This development is significant for Florida as municipal agencies often rely on CISA for specialized technical support. Government facilities should conduct comprehensive audits of their perimeter hardware to identify any indicators of compromise (IOCs) that may have occurred during the reduced-oversight period.

Cyberattack Continues to Disrupt County Tax Operations In Mississippi As of May 3, 2026, a cyberattack continues to disrupt county tax operations in Adams County, Mississippi, specifically impacting the “car tag” processing system. The incident has forced officials to rely on manual workarounds, causing significant delays for residents as restoration efforts continue. While the specific attack type or actor has not been confirmed, this event serves as a tactical analog for Florida municipal government facilities, highlighting the immediate operational impact and public service strain caused by disruptions to specialized administrative tax and registration databases.

Hawaii AG Claims Someone is Impersonating the State’s CTO, a Role that Doesn’t Exist The Hawaii Department of the Attorney General issued a public warning in April 2026 that an individual named Iqbal Khowaja was fraudulently presenting himself as the ‘CTO of the State of Hawaii’ at national conferences, including the Bitcoin 2026 conference in Las Vegas, and on social media platforms. Hawaii has no state CTO position; the relevant leadership role is held by Chief Information Officer Christine Sakuda. This incident is relevant to Florida as a reminder that government officials and vendors should verify the credentials of individuals claiming to represent state technology agencies before sharing operational or organizational information.

Instructure Data Breach Highlights Risks Of School District Vendor Dependence A data breach at Instructure, the provider of the Canvas learning management system, has exposed sensitive information from multiple school districts. The breach resulted from unauthorized access to a third-party vendor environment where administrative data were stored. This incident underscores the systemic risk to Florida’s educational institutions, which rely heavily on centralized vendors for student and faculty data management, necessitating more rigorous third-party risk assessments.

Russia Operates Top-Secret Spy School For Hacking And Western Electoral Interference A joint investigation has revealed the existence of a specialized Russian intelligence facility dedicated to training operatives in advanced hacking and social engineering for Western electoral interference. The school focuses on bypass techniques for modern security software and the industrialization of “fake news” campaigns. This development is significant for Florida as the state’s political and government infrastructure remains a priority target for foreign influence and disruptive cyber operations.

San Diego Colleges Hit by Sophisticated Cyberattack Disrupting Campus Operations Several colleges in the San Diego area have experienced a major cyberattack that has disrupted campus networks, administrative systems, and student services. The incident forced the institutions to take many systems offline, impacting registration and financial aid processing. This event is a critical reminder to Florida’s higher education institutions that educational facilities are prime targets for ransomware and other disruptive attacks, necessitating robust network segmentation and off-site backups of essential academic and financial records.

Government Services and Facilities Sector Recommendations:

  • Perform comprehensive audits of perimeter hardware to identify indicators of compromise that may have occurred during periods of reduced oversight.
  • Verify mobile device management policies and ensure all government-issued hardware is strictly inventoried and secured with updated software.
  • Implement rigorous third-party risk assessments for all administrative and educational vendors to mitigate systemic supply chain vulnerabilities.
  • Conduct employee training on emerging social engineering tactics, including deepfake audio impersonation, to prevent unauthorized disclosure of network configurations.

Healthcare and Public Health Sector

Global Medical Device Manufacturer Medtronic Discloses Cyberattack on Internal Information Technology Network Medtronic, one of the world’s largest medical device manufacturers, disclosed that its internal information technology (IT) network was targeted in a sophisticated cyberattack on April 27, 2026. The company reported that while corporate systems were accessed, the intrusion did not disrupt manufacturing operations or impact the safety of patient devices. This incident highlights the persistent targeting of the medical technology supply chain by advanced persistent threat (APT) actors. This event is relevant to Florida healthcare networks because Medtronic products, including pacemakers and insulin pumps, are ubiquitous in clinical settings and widely used by the state’s large retiree population. Compromised corporate data are often utilized to identify vulnerabilities in product firmware or to facilitate social engineering against healthcare providers. Florida hospitals must prioritize vendor risk management and ensure that all medical devices are isolated on dedicated, non-routed network segments to prevent lateral movement.

FBI Urges Hospitals to Elevate Cybersecurity as a Patient Safety Priority A recent Federal Bureau of Investigation (FBI) briefing reports that the healthcare sector was the most targeted critical infrastructure sector in 2025, with 460 ransomware attacks and 182 data breaches. Organized cybercrime groups are deliberately prioritizing hospitals due to the life-or-death pressure to restore systems, prompting policy experts to call for terrorism designations for these attacks. This development is relevant to Florida’s extensive healthcare network and large retiree population, where disruptions to care can have immediate consequences. Relevant data are often exfiltrated to maximize extortion leverage. Hospitals should integrate cybersecurity into their broader clinical safety protocols and maintain redundant communication protocols for emergencies.

Sandhills Medical Foundation Discloses Ransomware Breach Affecting 170,000 Individuals Sandhills Medical Foundation confirmed a significant data breach following a ransomware attack that impacted the records of approximately 170,000 individuals. The compromised information included patient names, Social Security numbers, and clinical data. While the medical facility maintained clinical continuity, the large-scale exposure of sensitive records highlights the persistent threat to municipal healthcare systems. This incident is relevant to Florida as state medical networks and community health centers are primary targets for double-extortion campaigns. Relevant patient data are often exfiltrated before encryption to maximize extortion leverage. Healthcare providers should implement robust network segmentation and prioritize protecting diagnostic imaging and patient record systems.

Ransomware and Data-Theft Campaigns Persistent Threat to Healthcare Infrastructure Aggregated April 2026 incident reporting highlights that ransomware and data-theft campaigns against healthcare providers and medical technology firms continue to disrupt clinical operations. These attacks, which have included hospital IT outages that forced ambulance diversions and major breaches at global medical device manufacturers, expose large volumes of patient records. Ransomware remains a dominant threat to healthcare infrastructure, frequently using double-extortion tactics to pressure victims into paying. This development is relevant to Florida because the state’s large healthcare sector and major trauma centers are primary targets for sophisticated threat actors seeking high-leverage data. Relevant patient data are often exfiltrated before the encryption phase, necessitating a shift toward hardware-enforced protections. Organizations must prioritize developing clinical downtime procedures and isolating legacy medical devices to maintain life-safety services during a sustained technical outage.

U.S. Hospital Sector Launches New Cybersecurity Readiness Initiative After FBI Notes Healthcare as Top Ransomware Target In 2025 The American Hospital Association (AHA) and The Joint Commission announced a joint cybersecurity readiness effort to strengthen hospital defenses and incident response. This initiative follows the FBI’s report identifying healthcare as the leading sector for ransomware and cyber threats in 2025. Florida health systems are urged to participate in these voluntary readiness programs to align with national standards and mitigate the risks associated with high-volume ransomware attacks.

Data Breaches At Four Healthcare Providers Expose Sensitive Records In May 2026 Four major healthcare providers reported significant data breaches in early May 2026, resulting in the unauthorized exposure of patient medical records and personally identifiable information (PII). These incidents involved a mix of direct credential-stuffing attacks and the exploitation of vulnerabilities in third-party billing platforms. This trend is relevant to Florida, as the state’s large healthcare sector remains a primary target for ransomware groups seeking high-leverage data for double-extortion tactics.

Artificial Intelligence Finds Thirty-Eight Security Flaws In OpenEMR Healthcare Software Security researchers utilizing an AI-assisted software scanner identified thirty-eight previously unknown security vulnerabilities in OpenEMR, a widely used open-source electronic health record (EHR) platform. These flaws include critical remote code execution (RCE) and Structured Query Language (SQL) injection vulnerabilities that could allow unauthorized access to patients’ medical records. This development is significant for Florida, as many municipal health departments and smaller clinics utilize open-source EHR solutions for patient management. Relevant diagnostic data are at risk if APTs exploit these vulnerabilities. Organizations are urged to verify their OpenEMR versions and apply the latest security patches immediately.

Ransomware Group ‘The Gentlemen’ Claims Attack On Puerto Rico Community Hospital Caribbean Medical Center in Fajardo, Puerto Rico, disclosed a February ransomware attack claimed by “The Gentlemen,” an emerging double-extortion group. The intrusion led to the theft of data affecting approximately 92,000 patients, which was subsequently posted to the group’s leak site. This incident underscores the growing threat to regional healthcare providers and is relevant to Florida, given the close medical and social ties between the state and Puerto Rico.

The Gentlemen Ransomware Group Suffers Data Breach Exposing Internal Negotiator Communications In a significant turn, “The Gentlemen” ransomware group, known for targeting healthcare providers, has reportedly suffered a data breach. The leak includes internal chat logs and negotiator communications, providing researchers with rare insight into the group’s operational structure and double-extortion tactics, techniques, and procedures (TTPs). This development is relevant to Florida healthcare networks as the exfiltrated data are being used to refine defensive strategies and better prepare hospital negotiators for future interactions with this specific threat cluster.

Healthcare and Public Health Sector Recommendations:

  • Isolate all medical devices, such as pacemakers and insulin pumps, on dedicated, non-routed network segments to prevent lateral movement.
  • Verify OpenEMR versions immediately and apply security patches to remediate remote code execution and SQL injection vulnerabilities.
  • Integrate cybersecurity into clinical safety protocols and develop “manual-first” downtime procedures to sustain patient care during sustained technical outages.
  • Participate in national readiness initiatives and implement phishing-resistant multi-factor authentication to protect sensitive patient records from credential-stuffing attacks.

Information Technology Sector

Malicious SAP npm Packages Compromised in Supply Chain Attack Targeting Developer Pipelines Security researchers identified several malicious packages on the npm registry that impersonate legitimate SAP (Systems, Applications, and Products) libraries to facilitate supply chain compromises. These “poisoned” packages are designed to exfiltrate environment variables, cloud provider credentials, and Secure Shell (SSH) keys from developer workstations during installation. This incident is significant for Florida because many large-scale enterprises and municipal utilities use SAP for enterprise resource planning (ERP) and supply chain management. Relevant credential data are often stolen to facilitate further lateral movement into production environments. Florida development and operations (DevOps) teams must implement strict package verification and audit all package.json files for unauthorized dependencies.
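
One way to carry out the package.json audit recommended above, as an added example that is not part of the original bulletin: it checks dependency names against an allowlist, flags lookalike names and non-registry sources, and reads package-lock.json for packages that run install-time scripts. The allowlist, the package names, and the sample manifest and lockfile are constructed and hypothetical.

```javascript
// Constructed allowlist of reviewed packages; every name here is hypothetical.
const APPROVED = ["@example-erp/core", "@example-erp/auth", "example-http"];
const TRUSTED_REGISTRY = "https://registry.npmjs.org/";

// Collapse scope and separators so "@example-erp/core" and "example-erp-core" compare equal.
function normalize(name) {
  return name.toLowerCase().replace(/[@\/._-]/g, "");
}

// Levenshtein distance, used to catch near-miss spellings of approved names.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Return the approved package that an unapproved name imitates, or null.
function lookalikeOf(name, approved) {
  const n = normalize(name);
  return approved.find((good) => editDistance(n, normalize(good)) <= 2) || null;
}

// Audit package.json text: unapproved names, lookalikes, and non-registry sources.
function auditManifest(manifestText, approved = APPROVED) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  for (const section of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!approved.includes(name)) {
        const target = lookalikeOf(name, approved);
        findings.push(target
          ? { rule: "lookalike", name, detail: `imitates ${target}` }
          : { rule: "unapproved", name, detail: `not on allowlist (${section})` });
      }
      // Git, URL and file specs pull code from outside the registry.
      if (/^(git(\+\w+)?:|https?:|file:|github:)/i.test(spec)) {
        findings.push({ rule: "non-registry-source", name, detail: spec });
      }
    }
  }
  return findings;
}

// Audit package-lock.json (lockfileVersion 2 or 3) text: packages that run
// install-time scripts and tarballs resolved from an unexpected host.
function auditLockfile(lockText, approved = APPROVED) {
  const lock = JSON.parse(lockText);
  const findings = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const at = path.lastIndexOf(marker);
    if (at === -1) continue; // root project or workspace folder, not an installed package
    const name = path.slice(at + marker.length);
    if (entry.hasInstallScript && !approved.includes(name)) {
      findings.push({ rule: "install-script", name, detail: "runs code during npm install" });
    }
    if (entry.resolved && !entry.resolved.startsWith(TRUSTED_REGISTRY)) {
      findings.push({ rule: "untrusted-source", name, detail: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from any real project or incident).
const SAMPLE_MANIFEST = JSON.stringify({
  name: "constructed-sample-app",
  dependencies: {
    "@example-erp/core": "^7.0.0",
    "example-erp-core": "^1.0.0",
    "@example-erp/auht": "1.0.1",
    "example-http": "^4.18.2",
    "left-helper": "github:example-user/left-helper",
  },
});
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-sample-app" },
    "node_modules/@example-erp/core": {
      resolved: "https://registry.npmjs.org/@example-erp/core/-/core-7.0.0.tgz" },
    "node_modules/example-erp-core": { hasInstallScript: true,
      resolved: "https://registry.npmjs.org/example-erp-core/-/example-erp-core-1.0.0.tgz" },
    "node_modules/left-helper": {
      resolved: "https://mirror.example.invalid/left-helper-0.1.0.tgz" },
  },
});

for (const f of [...auditManifest(SAMPLE_MANIFEST), ...auditLockfile(SAMPLE_LOCK)]) {
  console.log(`${f.rule.padEnd(20)} ${f.name.padEnd(20)} ${f.detail}`);
}
```

Running the install step in CI with `npm ci --ignore-scripts` keeps a flagged package from executing its install hooks before the findings are reviewed.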

New MOVEit Vulnerabilities Prompt Urgent Patch Warning Progress Software has issued an urgent advisory for two newly discovered vulnerabilities in its MOVEit Automation file transfer tool: CVE-2026-4670, a critical authentication bypass, and CVE-2026-5174, an improper input validation vulnerability that allows a high-severity privilege escalation. Exploitation of these flaws allows unauthorized access, administrative control, and data exposure. Scans indicate that over 1,440 internet-connected devices are running vulnerable versions, including those in state and local government agencies. To remediate these vulnerabilities, organizations must upgrade to a patched release using the full software installer, a process that requires temporarily taking the MOVEit Automation service offline. As of this bulletin’s publication, no confirmed in-the-wild exploitation has been reported. However, given the 2023 Cl0p campaign that weaponized a prior MOVEit flaw within hours of public disclosure, treating this as an imminent exploitation risk is prudent. Florida critical infrastructure entities relying on MOVEit Automation should immediately apply updates to prevent unauthorized data access.

Palo Alto PAN-OS Flaw Under Active Exploitation Leads to Remote Code Execution A critical vulnerability in Palo Alto Networks PAN-OS (CVE-2026-0300) is being actively exploited in the wild, allowing unauthenticated attackers to achieve root RCE. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog on May 6, 2026. The flaw exists in the User-ID Authentication Portal (Captive Portal) and has been used to deploy backdoors and harvest internal credentials. As of May 14, 2026, a patch has been available. This development is highly relevant to Florida’s public and private sectors, where Palo Alto firewalls are widely deployed as perimeter defenses; failure to patch immediately could result in a complete network compromise.

PyTorch Lightning Compromised in Supply Chain Attack via Python Package Index Security researchers identified a malicious version of the PyTorch Lightning library uploaded to the Python Package Index (PyPI). The compromised version contained a backdoor designed to exfiltrate developer secrets and establish persistent access to cloud environments. This supply chain attack targets the automated build pipelines of artificial intelligence (AI) developers. This news is significant for Florida’s information technology (IT) sector as local technology firms increasingly utilize these libraries for AI development. Relevant data are often exfiltrated through malicious environment variables, necessitating strict verification of all third-party libraries used in the software development life cycle (SDLC).

Google Remediates High-Severity Remote Code Execution Vulnerability in Gemini CLI Tool Google has issued a critical security patch to remediate a high-severity remote code execution (RCE) vulnerability in its Gemini Command-Line Interface (CLI) tool. The flaw, which received a Common Vulnerability Scoring System (CVSS) score of 10.0, allowed unauthenticated attackers to execute arbitrary commands within continuous integration and continuous delivery (CI/CD) pipelines. This vulnerability is highly relevant to Florida as state agency developers and municipal IT teams increasingly adopt AI-assisted automation for infrastructure management. Relevant build data may be exposed if the CLI tool remains unpatched. Organizations should immediately update all developer workstations and automated build environments to the latest version of the Gemini CLI.

Ransomware Groups Pivot to Abusing Remote-Access Pathways and SaaS Administrative Portals Ransomware intelligence reporting from the first quarter of 2026 shows that encryption-focused groups such as Inc, Akira, and Qilin are increasingly abusing remote-access pathways rather than using legacy virtual private networks (VPNs). Threat actors utilize compromised Single Sign-On (SSO), OAuth tokens, and Software-as-a-Service (SaaS) administrative access to infiltrate enterprise information technology (IT) environments. Once access is established, adversaries use extensive lateral movement to stage extortion operations against organizations that support critical infrastructure. This trend is significant for Florida because many state agencies and municipal utilities are migrating to cloud-based SaaS solutions, expanding the digital attack surface. Relevant credential data are often harvested through sophisticated phishing or by exploiting unpatched vulnerabilities in remote-access utilities. Organizations are urged to enforce phishing-resistant multi-factor authentication (MFA) and implement strict monitoring of administrative logs to detect unauthorized access to cloud-based management platforms.

National Security Agency Testing Anthropic Mythos AI Model to Identify Microsoft Software Flaws The National Security Agency (NSA) is reportedly testing Anthropic’s high-capability “Mythos” AI model to identify previously unknown vulnerabilities in Microsoft software. The model’s agentic capabilities allow it to perform complex, multi-step exploitation simulations. This development highlights a shift where AI is used to accelerate vulnerability discovery. This is relevant to Florida as the use of AI to find flaws could significantly collapse the patching window for state agencies and municipal utilities. Relevant data are being used to automate exploit discovery, necessitating that organizations move toward more rapid, automated responses to security patches.

Analysis Warns of Converging Cyber-Physical Threats to Critical Infrastructure and Agentic-AI-Driven OT Attacks An industry analysis outlined how cyber-physical threats are escalating as adversaries increasingly utilize operational technology (OT), artificial intelligence (AI)-assisted tooling, and living-off-the-land (LOTL) techniques. These threats target the convergence points between OT and IT, particularly in the energy, water, and manufacturing sectors. Florida IT providers supporting critical infrastructure must prioritize hardening these gateway systems and auditing AI-assisted automation for potential prompt injection or unauthorized code execution.

OpenClaw Supply Chain Scanner Detects Backdoor in AI Agent Repositories The discovery of the “OpenClaw” backdoor in several open-source AI agent repositories highlights a significant supply-chain risk for DevOps teams. The malicious code allows for unauthorized RCE on systems where the AI agent is deployed. This is highly relevant to Florida IT providers that utilize AI-assisted automation, as failure to scan repositories could result in a complete compromise of sensitive administrative environments.

Researchers Spot Significant Uptick in Malicious Activity Targeting Vercel Infrastructure Cybersecurity researchers have identified a significant uptick in targeted attacks against Vercel infrastructure, focusing on the theft of environment variables and API keys. Attackers are leveraging “nested” supply-chain tactics to reach large-scale platform providers through smaller analytics firms. Florida IT organizations utilizing Vercel or similar CI/CD platforms should immediately rotate all production secrets and audit access logs for unauthorized activity.

Critical Security Flaws in Redis Expose Thousands of Servers to Unauthorized Access Multiple critical vulnerabilities have been disclosed in Redis, an open-source in-memory data structure store, that allow remote code execution and unauthorized data access. These flaws are being actively probed by botnets seeking to enlist servers into distributed-denial-of-service (DDoS) networks. This news is significant for Florida as Redis is widely used in the backend architectures of many state and municipal web applications, necessitating immediate patching to prevent system takeover.

Malicious NuGet Packages Distribution Campaign Targets Developer Workstations A new campaign is distributing “poisoned” NuGet packages designed to exfiltrate sensitive developer data, including SSH keys and cloud provider credentials. The packages impersonate legitimate libraries used for encryption and data processing. This attack targets the automated build pipelines of software developers, potentially allowing malware to propagate into enterprise applications. DevOps teams should implement strict verification procedures for all third-party libraries.

DigiCert Revokes Certificates after Support Portal Hack In early April 2026, an unknown threat actor breached DigiCert’s internal support portal by infecting an analyst’s endpoint via a malicious payload disguised as a screenshot in a customer chat channel. The attackers proxy-accessed customer accounts to fraudulently obtain EV Code Signing certificates, allowing signed malware to bypass standard endpoint security controls. The campaign has been linked to GoldenEyeDog (APT-Q-27), a Chinese e-crime group associated with cryptocurrency theft. DigiCert subsequently revoked 60 certificates, including 27 explicitly linked to the attackers, that were used to sign the Zhong Stealer malware family. As a critical infrastructure-enabling vector, this breach presents supply chain risks for Florida critical infrastructure organizations that utilize DigiCert services or encounter newly signed malicious binaries.

Researchers Report Amazon SES Abused in Phishing to Evade Detection Cybersecurity researchers at Kaspersky report a significant increase in threat actors abusing the Amazon Simple Email Service (SES) to distribute convincing phishing emails that bypass standard reputation-based blocks and authentication checks. Attackers are leveraging automated bots like TruffleHog to harvest exposed Amazon Web Services (AWS) identity and access management (IAM) keys from GitHub repositories, .env files, and S3 buckets. Campaigns deliver fake document-signing notifications that imitate DocuSign and business email compromise attacks. Florida critical infrastructure organizations that utilize AWS should enforce least-privilege principles, enable multi-factor authentication, and regularly rotate IAM keys to mitigate exposure.

Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities Security researchers have disclosed two critical vulnerabilities, CVE-2026-2005 and CVE-2026-2006, affecting the pgcrypto extension in PostgreSQL databases, which are present in numerous enterprise environments. CVE-2026-2005 involves a buffer overflow in pgp_parse_pubenc_sesskey during public key decryption, while CVE-2026-2006 causes out-of-bounds reads and writes via malformed UTF-8 in symmetric decryption. Exploitation permits logged-in users with basic create privileges to execute code as the database owner. Florida critical infrastructure administrators should immediately apply patches released for branches 14.21 through 18.2, restrict extension creation, and audit logs for anomalous Pretty Good Privacy (PGP) or JavaScript Object Notation (JSON) activity.

Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited Via Debug API Threat actors are actively exploiting CVE-2026-22679, a critical unauthenticated RCE vulnerability in the Weaver E-cology enterprise office automation platform. The flaw affects versions before 20260312 and is triggered via the /papi/esearch/data/devops/dubboApi/debug/method endpoint. Attackers craft POST requests with manipulated interfaceName and methodName parameters to achieve arbitrary command execution. Observed campaigns involved dropping an MSI installer named fanwei0324.msi and executing discovery commands like whoami and ipconfig. Florida critical infrastructure networks running Weaver E-cology should immediately apply the vendor patches and restrict exposure of application programming interfaces for debugging.
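A defender-side check for the indicators named in this item, as an added example that is not part of the original bulletin: it scans web access logs for requests that reach the debug endpoint and ties served POSTs to host events carrying the reported MSI name or discovery commands. The Combined Log Format, the host-event line format, the ten-minute window, case-insensitive path matching, and every sample line are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from posixpath import normpath
from urllib.parse import unquote

# Indicators taken from the bulletin text (endpoint lower-cased for comparison).
DEBUG_ENDPOINT = "/papi/esearch/data/devops/dubboapi/debug/method"
HOST_INDICATORS = ("fanwei0324.msi", "whoami", "ipconfig")

# Assumption: the front-end web server writes Combined Log Format.
ACCESS_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)


def canonical_path(target):
    """Normalise a request target so encoded or padded variants still match."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):                    # undo single and double URL-encoding
        path = unquote(path)
    path = re.sub(r";[^/]*", "", path)    # drop ;name=value path parameters
    path = re.sub(r"/+", "/", path)       # collapse repeated slashes
    return normpath(path).lower()         # resolve ./ and ../, ignore case


def scan_access_log(lines):
    """Return one finding per request whose path resolves to the debug endpoint."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = ACCESS_RE.match(line)
        if not m or canonical_path(m["target"]) != DEBUG_ENDPOINT:
            continue
        status = int(m["status"])
        if m["method"] == "POST" and 200 <= status < 300:
            severity = "high"      # POST was served by the debug API
        elif m["method"] == "POST":
            severity = "medium"    # POST attempted but rejected or failed
        else:
            severity = "low"       # other methods: likely probing
        findings.append({
            "line": lineno, "ip": m["ip"], "status": status, "severity": severity,
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        })
    return findings


def correlate_host_events(findings, host_events, window_minutes=10):
    """Attach host events with a bulletin indicator that follow a served POST."""
    window = timedelta(minutes=window_minutes)
    incidents = []
    for finding in findings:
        if finding["severity"] != "high":
            continue
        related = []
        for event in host_events:
            stamp, _, command = event.partition(" ")
            when = datetime.fromisoformat(stamp)
            in_window = finding["time"] <= when <= finding["time"] + window
            if in_window and any(i in command.lower() for i in HOST_INDICATORS):
                related.append(command)
        if related:
            incidents.append(
                {"ip": finding["ip"], "time": finding["time"], "commands": related}
            )
    return incidents


# Constructed sample data (documentation address ranges, invented timestamps).
SAMPLE_ACCESS = [
    '198.51.100.7 - - [12/May/2026:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    '203.0.113.44 - - [12/May/2026:10:16:02 +0000] '
    '"GET /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 405 0 "-" "-"',
    '203.0.113.44 - - [12/May/2026:10:16:09 +0000] '
    '"POST /papi//esearch/data/devops/%64ubboApi/debug/method;x=1 HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.90 - - [12/May/2026:11:02:41 +0000] '
    '"POST /papi/esearch/data/devops/dubboApi/debug/method HTTP/1.1" 403 0 "-" "-"',
]
SAMPLE_HOST = [
    "2026-05-12T10:16:20+00:00 cmd.exe /c whoami",
    "2026-05-12T10:16:24+00:00 cmd.exe /c ipconfig /all",
    "2026-05-12T10:17:05+00:00 msiexec.exe /i fanwei0324.msi",
    "2026-05-12T13:40:00+00:00 cmd.exe /c ipconfig /renew",
]

if __name__ == "__main__":
    hits = scan_access_log(SAMPLE_ACCESS)
    for hit in hits:
        print(hit["severity"], hit["ip"], hit["status"], "line", hit["line"])
    for incident in correlate_host_events(hits, SAMPLE_HOST):
        print("correlated:", incident["ip"], incident["commands"])
```

Any request to this path on a production host is worth reviewing, since the vendor guidance in this item is to restrict exposure of debugging interfaces altogether.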

New Stealthy Quasar Linux Malware Targets Software Developers via Supply Chain Attack Security researchers have identified a new variant of the Quasar Remote Access Trojan (RAT) specifically designed to target Linux environments used by software developers. The malware is distributed through compromised open-source repositories and is designed to exfiltrate SSH keys, API tokens, and cloud credentials. This trend is significant for Florida’s growing technology sector, as a compromise of a local developer could facilitate a supply-chain attack on larger enterprise or government platforms.

Argo CD ServerSideDiff Flaw Allows for Unauthorized Access to Kubernetes Environments A high-severity vulnerability in the Argo CD continuous delivery tool (CVE-2026-29014) allows unauthenticated users to gain access to sensitive information within Kubernetes environments. The flaw involves an improper implementation of the ServerSideDiff feature, which can be exploited to exfiltrate cluster configurations. This news is relevant to Florida as many state and municipal IT organizations utilize Argo CD for automated cloud deployments, necessitating immediate updates to version 2.11.0 or higher.

Poisoned Truth: The Quiet Security Threat inside Enterprise Artificial Intelligence Security researchers have disclosed a new class of threat dubbed “Poisoned Truth” attacks, which target the inference pipelines of enterprise AI models. By injecting malicious data into the model’s feedback loop, attackers can manipulate the AI to provide incorrect security guidance or bypass automated guardrails. This development is relevant to Florida’s critical infrastructure because the growing adoption of AI-assisted automation in municipal operations could be compromised, facilitating unauthorized access or operational sabotage.

SailPoint GitHub Repository Targeted in Third-Party Cyberattack Exposing Internal Tooling Identity management firm SailPoint confirmed that its GitHub repository was targeted in a cyberattack after an attacker compromised a third-party contractor’s credentials. The breach exposed internal tooling and configuration files, highlighting the persistent threat of “nested” supply chain attacks. This news is significant for Florida, as many state agencies use SailPoint for identity governance, making the security of its source code critical to regional administrative integrity.

Fake Claude Code Installer Distributes Malware Targeting Developer Credentials A malicious campaign is distributing fake installers for the “Claude Code” AI-assisted programming tool to infect developer workstations with infostealers. The installer appears legitimate but silently exfiltrates SSH keys and cloud provider tokens upon execution. This trend is relevant to Florida IT providers as local developers increasingly adopt AI-assisted coding tools, making them high-value targets for adversaries seeking access to enterprise deployment pipelines.

FCC Slightly Relaxes Foreign Router Ban to Allow Critical Software Updates Through 2029 The Federal Communications Commission (FCC) has slightly relaxed its ban on high-risk foreign routers, allowing for critical security software updates until 2029. The move aims to prevent existing hardware from becoming even more vulnerable while organizations transition to approved alternatives. This is significant for Florida’s IT sector as it provides a limited window for municipal utilities and agencies to maintain legacy perimeter hardware while planning for a comprehensive “rip-and-replace” cycle.

Information Technology Sector Recommendations:

  • Apply critical security patches for Palo Alto PAN-OS, MOVEit Automation, and Redis instances immediately to remediate remote code execution and authentication bypass vulnerabilities.
  • Implement strict package verification and audit all developer manifests for unauthorized npm, PyPI, and NuGet dependencies to prevent the exfiltration of administrative credentials.
  • Enforce phishing-resistant multi-factor authentication on all Software-as-a-Service administrative portals to mitigate the risk of account takeover via session and token theft.
  • Rotate all production secrets, including Amazon Web Services Identity and Access Management keys and Secure Shell keys, if unauthorized activity is detected in build environments.

Nuclear Reactors, Materials, and Waste Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Transportation Systems Sector

Iran Utilizes Cyber Capabilities to Monitor and Threaten Maritime Traffic in Strait of Hormuz New analysis details how Iran is utilizing sophisticated cyber and electronic warfare capabilities to monitor and potentially disrupt maritime traffic through the Strait of Hormuz. These activities include Global Positioning System (GPS) spoofing and the interception of vessel communication systems to interfere with navigation. This development is relevant to Florida as a major maritime state, as the tradecraft used in these regional conflicts could be adapted to target Florida’s commercial ports and logistics networks during periods of geopolitical escalation.

Transportation Systems Sector Recommendations:

  • Monitor maritime traffic networks and commercial port environments for localized GPS spoofing attempts or electronic warfare interference.
  • Encrypt all vessel communication systems to prevent threat actors from intercepting sensitive navigation and logistics data.
  • Implement redundant positioning, navigation, and timing systems to maintain safe maritime operations if primary GPS signals are disrupted.
  • Establish manual navigation fallback protocols and drill operational contingencies for commercial ports facing targeted electronic interference.

Water and Wastewater Systems Sector

Dragos Intelligence Brief Details AI-Assisted Cyberattack on Water Infrastructure A tactical intelligence brief from Dragos detailed a sophisticated cyberattack targeting water infrastructure, in which threat actors used artificial intelligence (AI) to identify and exploit vulnerabilities in programmable logic controllers (PLCs). The attack resulted in the unauthorized manipulation of water pressure and treatment levels. This event provides a tactical analog for Florida water utilities, as the use of AI to automate vulnerability discovery significantly compresses the window for patching and defensive hardening of municipal water supplies.

UK Water Company Fined After Hackers Lurked Undetected for Nearly Two Years A major United Kingdom water utility was fined after the Cl0p ransomware group maintained undetected access to its IT network for nearly two years, exposing the personal data of over 630,000 individuals. The attackers exploited critical unpatched vulnerabilities, legacy operating systems, and excessive domain administrator privileges. This incident serves as a critical tactical analog for Florida water utilities, highlighting the need for comprehensive security operations center coverage, continuous vulnerability scanning, and strict enforcement of least privilege principles.

Water and Wastewater Systems Sector Recommendations:

  • Prioritize the patching and defensive hardening of programmable logic controllers to defend against rapid, automated vulnerability discovery, and strictly monitor for unauthorized manipulations of water pressure or treatment levels.
  • Execute deep behavioral monitoring across operational networks to detect adversaries utilizing living-off-the-land tactics that intentionally blend in with legitimate administrative activity.
  • Remove all stale administrative accounts immediately and continuously audit administrative privileges to prevent state-sponsored actors from establishing and maintaining long-term persistent access.

CI Bulletin Vol 2, Issue 7 May 19, 2026

Teacher Spotlight: Phillip Lynch

Teacher: Phillip Lynch

District: Palm Beach County

For more than nine years, Phillip Lynch has worked to make learning engaging, relevant, and connected to the world students experience every day. A teacher at Palm Beach Lakes Community High School, Lynch primarily teaches history while integrating technology into the classroom to help students better understand both the past and the rapidly evolving digital future.

Before becoming an educator, Lynch built a strong foundation in the technology industry through his work with Apple and Tesla. Today, he also serves on his school’s AI implementation team, helping guide conversations around emerging technologies and their impact on education.

Although cybersecurity is not his primary subject area, Lynch recognizes its growing importance for students of all backgrounds and career interests. He believes cybersecurity education plays a critical role in helping students protect personal information, navigate the digital landscape safely, and prepare for careers in an increasingly technology-driven world.

“What I enjoy most about being involved in technology education is helping students understand how technology shapes both our world and their futures,” Lynch said. “Whether through AI, historical connections, or digital tools, I strive to make complex concepts accessible, relevant, and engaging for my students.”

Thank you, Mr. Lynch, for all you do!

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

Teacher Spotlight: Phillip Lynch (2026-05-11)

CyberLaunch 2026: Florida’s Future Cyber Defenders Took the Stage

Cyber Florida’s CyberLaunch 2026 brought together students, educators, and industry leaders from across the state for a dynamic, hands-on cybersecurity competition, and this year’s event delivered on every level.

The event opened with welcome remarks from Kevin O’Farrell, Senior Chancellor at the Florida Department of Education, who underscored the importance of building a strong cybersecurity talent pipeline in Florida. From there, the competition, powered by Cyber Florida’s ARCS team in partnership with SimSpace, challenged students to apply their skills in real-world cyber scenarios.

Beyond the competition floor, educators were treated to a dedicated “Cyber Café,” complete with meals, networking opportunities, professional development sessions, giveaways, and a campus tour highlighting academic programs, student life, and USF’s eSports Lab. These experiences created space for teachers to connect, learn, and bring new ideas back to their classrooms.

A major highlight included an announcement from Dr. Sudeep Sarkar of Bellini College introducing the new Cyber/AI Scholars Program, further strengthening Florida’s pathway from education to career. The event also featured a Signing Day celebration, recognizing graduating seniors as they take the next step into higher education.

Cyber Florida proudly recognized the following outstanding educators:

  • Trailblazer Award: John Kux, West Boca Raton Community High School
  • Veteran Cybersecurity Teacher Award: Scott Tumelty, Wendell Krinn Technical High School
  • New Cybersecurity Teacher Award: Michael Marchesano, Angeline Academy of Innovation

The day concluded with an inspiring keynote from Caitlin Sarian, also known as “Cybersecurity Girl,” who encouraged students to pursue their passions in cybersecurity.

A special thank you goes to ThreatLocker, our lead sponsor, whose support helped make CyberLaunch 2026 possible. We were especially pleased to have Collin Ellis, Senior Solutions Engineer at ThreatLocker, join us on stage to help present trophies, prizes, and ThreatLocker T-shirts to the winning teams, an exciting moment that capped off the competition and celebrated students’ hard work and achievements.

Congratulations to this year’s student competition winners:

Advanced Level
1st: Hernando High School (Hernando County)
2nd: Countryside High School (Pinellas County)
3rd: Hialeah Gardens High School (Miami-Dade County)

Intermediate Level
1st: West Boca Raton Community High School (Palm Beach County)
2nd: Middleton High School (Hillsborough County)
3rd: Wendell Krinn Technical High School (Pasco County)

Beginner Level
1st: Kirkland Ranch Academy (Pasco County)
2nd: Kirkland Ranch Academy (Pasco County)
3rd: iPrep Academy North (Miami-Dade County)

The impact of CyberLaunch 2026 is perhaps best reflected in the words of those who experienced it firsthand. One teacher shared, “My students absolutely loved it. I can’t say enough good things about it.” Educators also highlighted the importance of logistical support like transportation and lodging, which made participation possible for many schools.

From first-time participants to returning teams, the feedback was clear: CyberLaunch continues to provide an unforgettable, meaningful experience that inspires the next generation of cybersecurity professionals.

Cyber Florida extends its sincere thanks to every student, teacher, partner, and volunteer who made CyberLaunch 2026 a success!

CyberLaunch 2026: Florida’s Future Cyber Defenders Took the Stage (2026-05-05)

Meet the First McConnell Scholarship Recipient

At Cyber Florida, we believe the future of cybersecurity is built by passionate individuals driven not only by innovation, but by purpose. That’s exactly what makes Ahmed Ghoneim, a doctoral student in computer science & engineering, such a powerful example. He is also the inaugural recipient of the McConnell Scholarship.

Ghoneim’s journey into technology didn’t begin in a classroom. It started with curiosity.

“As a child, I loved playing video games,” he shares. “But every time I picked up a new game, I found myself wondering, how did they build this? I wanted to create something of my own and even had ideas for how I’d do it differently.”

That early curiosity evolved into a clear sense of direction. Rather than pursuing a conventional career path, Ahmed set his sights on something bigger.

“I’ve always wanted to do more than hold a typical 9-to-5 position,” he says. “I want to contribute to society in a meaningful and lasting way. Pursuing a doctorate felt like the path that would allow me to do that through research and innovation.”

Like many graduate students, Ghoneim’s journey hasn’t been without its challenges. When he first began his program, he felt isolated. But over time, he found a welcoming and collaborative community at the Bellini College of Artificial Intelligence, Cybersecurity, and Computing, an environment that helped him grow both academically and personally.

Today, as a graduate research and teaching assistant working within the Interface Research Lab, Ahmed is advancing knowledge while helping shape the next generation of cybersecurity professionals. As part of the USF NSF Research Traineeship Program, he contributes 20 hours each week to a National Science Foundation-supported project focused on building platforms for hands-on cybersecurity education, work that directly supports the development of future talent in the field.

As part of the Interface Research Lab (IRL), led by Dr. Robert Karam, he collaborated with fellow lab members on HaCKSEE, a team-driven startup concept. Together, the group participated in the Democratizing Cybersecurity Challenge at CyberBay Summit 2026, where HaCKSEE was selected as one of three featured pitches.

Receiving the first-ever McConnell Scholarship has been both an honor and a turning point.

“It’s an incredibly meaningful and humbling opportunity,” Ghoneim explains. “Beyond the recognition, it has genuinely relieved a significant amount of financial pressure in both my personal and educational life. That kind of relief allows me to focus more fully on my research and studies. I’m deeply grateful to those who made this scholarship possible.”

That impact is precisely why the McConnell Scholarship exists, and why growing its support is so important.

For doctoral students like Ghoneim, financial barriers can limit the time, energy, and focus they can devote to high-impact research. In addition to his academic and research commitments, Ghoneim also works part-time on weekends, a role that, he notes, has strengthened his time management skills. With the support of the scholarship and a strong foundation at home, including an encouraging spouse, he’s able to balance the many demands of graduate life.

Scholarships like this one don’t just ease that burden; they unlock potential. They create space for innovation. And they empower scholars to pursue work that can strengthen our cybersecurity ecosystem and benefit society.

Ghoneim credits his success not only to discipline, but to balance.

“Time management and mental stability are everything at this level,” he says. “Graduate school is demanding, and protecting your mental well-being is just as important as any academic skill. For me, that means spending quality time with my family.”

When asked how he unwinds, his answer is simple: “Spending time with my daughter and enjoying a good meal together. It’s the best reset there is.”

That sense of balance extends into how he gives back. Since January, Ghoneim has served as a mentor through the Undergraduate Research to PhD (UR2PhD) program, which connects students across academic levels to expand access to research opportunities. Through that experience, he discovered that mentorship is a two-way street.

“I realized I was learning from my mentee, not just the other way around,” he says.

Even his approach to late nights reflects a lesson learned.

“I used to rely heavily on energy drinks, and it took a toll on my health,” he shares. “Now, I stick to coffee for the most part and only reach for an energy drink when it’s truly necessary. Moderation matters.”

As the first McConnell Scholar, Ghoneim represents what’s possible when talented students are given resources to pursue their ambitions. With additional support, this scholarship can grow, expand its reach, increase its impact, and help more students like Ghoneim turn their potential into progress.

If you’re inspired by Ghoneim’s journey, consider contributing to the McConnell Scholarship fund. Your support can help empower the next generation of cybersecurity leaders.

Meet the First McConnell Scholarship Recipient (2026-04-28)

Powering Florida’s Cyber Future: Inside the ARCS Range

Cyber Florida’s Partnership with SimSpace

At Cyber Florida, our mission is to strengthen the state’s cybersecurity ecosystem. A key part of that work is our partnership with SimSpace, which enables us to deliver a comprehensive platform for both offensive and defensive cybersecurity training.

Through this partnership, we power the ARCS (Aligned Realistic Cyberattack Simulation) Range, an advanced cyber range featuring high-fidelity simulations of complex networks and systems. These simulations allow users to engage in hands-on exercises that mirror today’s most pressing cyber threats, bridging the gap between theory and real-world application.

A national first in public-sector cyber training

Cyber Florida is delivering something unmatched: the nation’s only statewide, hands-on, customized cybersecurity training for the public sector.

This is a new level of training realism. Government systems can be fully virtualized, allowing cybersecurity professionals to defend their own environments in a safe, controlled setting. Within this space, teams can practice responding to sophisticated attacks launched by professional-grade adversaries without risking live systems.

The ARCS Range builds on this capability by offering a deeply customizable training environment that replicates entire systems and tests them against a library of real-world cyber threats. Participants are not only refining technical skills but also stress-testing response plans and gaining exposure to the tactics and techniques used by nation-state actors, including those associated with China, Russia, and Iran.

This type of immersive, high-stakes preparation is invaluable and uniquely available at scale across Florida.

Florida is a national leader in cybersecurity

We were honored to be recognized in SimSpace’s recent announcement of the relocation of its headquarters to Florida. The release highlights the state’s leadership in cybersecurity:

“Florida has emerged as the nation’s most sophisticated and unified cybersecurity environment. Through Cyber Florida, cybersecurity strategy, talent development, and operational coordination are aligned statewide. No other state has achieved this level of integration, with cybersecurity leadership anchored directly in the executive branch.”

This recognition reinforces what we see every day: Florida is building a model for how states can align strategy, workforce, and operations to meet evolving cyber challenges.

Read the full release: SimSpace Moves Global Headquarters to Orlando, Florida.

Strategic value across Florida’s ecosystem

The ARCS Range delivers measurable impact across multiple sectors, supporting a wide range of stakeholders:

  • University IT & security teams gain a safe, controlled environment to validate their security posture and rehearse incident response scenarios, reducing risk before real-world threats emerge.
  • Academic faculty and researchers benefit from infrastructure that strengthens competitiveness for major federal grants, including those from NSF and DoD.
  • State and local governments access no-cost, high-quality training to improve resilience and better protect critical public services.
  • K–12 students engage early through gamified cybersecurity competitions, helping build a strong and diverse future workforce pipeline.

Multiple university entities already leverage the ARCS Range at no cost, with additional partners continuing to join.

Operational excellence: training for the real world

The ARCS Range provides Florida’s public sector and university IT teams with a proactive, risk-free environment to test and strengthen their defenses before they are challenged by real-world adversaries.

Key capabilities include:

  • High-fidelity digital twin environments
    Organizations can replicate complex networks, including specific hardware, legacy systems, and hybrid cloud configurations, to safely test patches and configuration changes in a sandbox that mirrors production environments.
  • Tailored training for local governments
    Specialized modules address the unique needs and resource constraints of Florida’s counties and municipalities, ensuring that even smaller jurisdictions have access to advanced cybersecurity capabilities.
  • Live-fire readiness and stress testing
    Teams engage in Red vs. Blue exercises against simulated nation-state-level threats, building critical “muscle memory” and improving Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR).
  • Security stack validation
    Agencies can safely test tools such as EDR, SIEM, and firewalls against live malware to identify vulnerabilities and misconfigurations without risking live data.

Driving research and academic innovation

The ARCS Range is also a powerful academic resource, supporting both instruction and cutting-edge research.

As a teaching tool, it enables professors to move beyond theory, introducing students to complex technical concepts while giving them the opportunity to apply that knowledge in realistic, hands-on scenarios within a safe environment.

As a research platform, the range provides a secure, high-fidelity environment for experimentation with complex systems. This capability not only advances innovation but also enhances grant competitiveness, helping faculty secure major federal research funding.

Additional research applications include:

  • Critical infrastructure and OT security
    Simulation of industrial control systems (ICS) to support research into protecting power grids, water systems, and election infrastructure.
  • High-fidelity data generation
    Creation of datasets used to train machine learning models to detect evolving threats and ransomware patterns.
  • Human-centric AI research
    Exploration of how AI-assisted tools impact analyst decision-making, cognitive load, and performance during high-pressure cyber events.

Building Florida’s cyber workforce

The ARCS Range is not just a training platform; it is a catalyst for workforce development across the state.

  • CyberLaunch and K–12 capture the flag competitions
    Students engage in hands-on challenges that gamify cybersecurity while introducing them to real-world tools and career pathways.
  • Experiential learning for university students
    Learners gain practical, scenario-based experience that prepares them to enter the workforce with confidence and capability.

A platform for what’s next

The combination of Cyber Florida’s statewide mission and SimSpace’s cutting-edge platform is helping define the future of cybersecurity training, research, and workforce development.

By providing a shared, high-impact resource like the ARCS Range, Cyber Florida is not only strengthening defenses today, it is building a more resilient, innovative, and prepared Florida for tomorrow.

Learn more about the ARCS Range and how to get started.

Powering Florida’s Cyber Future: Inside the ARCS Range (2026-04-17)

ThreatLocker named lead sponsor for 3rd annual CyberLaunch

CyberLaunch, presented by ThreatLocker, expands access to Florida students for the nation’s largest state-sponsored cybersecurity competition

Orlando, FL, April 01, 2026 (GLOBE NEWSWIRE) — Cyber Florida at USF and ThreatLocker, a global leader in Zero Trust cybersecurity, today announced that ThreatLocker will serve as the lead sponsor of CyberLaunch, Cyber Florida’s annual cybersecurity competition for Florida middle and high school students. The financial support will help cover travel and lodging costs for participating teams, thereby expanding access to the nation’s largest state-sponsored in-person cybersecurity competition.

“Cybercriminals and nation-state actors aren’t slowing down, and we need more people ready to stop them,” ThreatLocker CEO & Co-Founder Danny Jenkins said. “Building that workforce starts with getting students interested early and giving them opportunities like CyberLaunch to develop real skills. My own interest in cybersecurity began in grade school, and we’re proud to support a program that helps foster that same interest in the next generation of cybersecurity professionals.”

Cyber Florida, a state-funded organization housed at the University of South Florida, works to position Florida as a national leader in cybersecurity. Programs like CyberLaunch directly support this mission by strengthening education, advancing research, and building the state’s cybersecurity workforce pipeline.

This year, 500 students representing 63 Florida high schools will compete in CyberLaunch. To qualify, students first participated in a statewide virtual qualifier held last fall, which was free and open to all middle and high school students across Florida. Of the 1,300 students who participated in the virtual qualifier, 500 of the top performers earned invitations to the in-person 2026 CyberLaunch State Championship to take place on April 24 at the University of South Florida’s Tampa campus. The competition features beginner, intermediate, and advanced tracks to accommodate students of all experience levels.

“Florida is becoming the epicenter of forward-thinking cybersecurity companies, driven in part by the growth of organizations like ThreatLocker,” said Cyber Florida Senior Director Ernie Ferraresso. “To sustain that momentum, we must invest in the next generation by creating opportunities for students interested in cybersecurity careers. CyberLaunch plays a key role in expanding access to cybersecurity education across the state.”

About ThreatLocker
ThreatLocker is a global cybersecurity leader that stops cyberattacks before they happen. The company’s Zero Trust Platform prevents breaches from both known and unknown threats by allowing only explicitly trusted software and activity across endpoints, networks, and cloud systems. Built to deploy quickly and scale across complex environments, the platform reduces operational overhead while keeping business running uninterrupted. Headquartered in Orlando, Florida, with offices in Dublin, Dubai, and Brisbane, ThreatLocker protects over 70,000 organizations worldwide.

About Cyber Florida 
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations.

Contact Data

ThreatLocker Inc
321-515-3813
press@threatlocker.com

Jennifer Kleman
Cyber Florida
863-398-5610
jennifer437@cyberflorida.org
ThreatLocker named lead sponsor for 3rd annual CyberLaunch | 2026-04-01T13:13:12-04:00

Teacher Spotlight: Yoel Mozote

Teacher: Yoel Mozote

District: Miami-Dade County

Yoel Monzote is a cybersecurity and computer science educator at iPrep Academy North in Miami, where he prepares the next generation of digital defenders through real-world instruction in network security, ethical hacking, and IT.

Under his leadership, iPrep Academy North has become a hub for hands-on, competitive learning. His students have earned:

  • 3rd Place (Beginner Level) at CyberLaunch 2025, a statewide competition hosted by Cyber Florida with more than 1,000 participants
  • 1st Place in the Innovate Challenge 2025 district competition, outperforming nine high school programs

Mr. Monzote emphasizes critical thinking, problem-solving under pressure, and technical excellence. He has also secured donated devices so students can practice on real hardware.

He also teaches at Miami Dade College (MDC), where he is known for connecting academic theory with the rigorous demands of today’s cybersecurity industry.

Thanks for all you do, Mr. Monzote!

Would you like to be featured in our Teacher Spotlight? To nominate yourself or another deserving teacher, complete the interest form below!

Teacher Spotlight: Yoel Mozote | 2026-03-30T13:14:36-04:00

CyberBay 2026 Showcases Collaboration, Competition, Innovation

Tampa Bay’s growing cybersecurity ecosystem

CyberBay Summit 2026 brought together leaders from across industry, government, academia, and defense to tackle one of the most pressing challenges of the digital age: protecting our systems, infrastructure, and data while preparing the next generation of cyber defenders.

Held at the JW Marriott Tampa Water Street, the three-day conference welcomed cybersecurity educators, entrepreneurs, policymakers, professionals, researchers, and students from across the region and beyond. They explored emerging technologies, partnerships, and workforce initiatives shaping the future of cybersecurity and helping Tampa Bay become a growing national hub for cyber innovation.

A collaborative approach to cybersecurity

From the opening sessions through the closing events, the Summit emphasized a central theme: cybersecurity is not a challenge any single sector can solve alone.

Across dozens of panels, workshops, and technical sessions, speakers explored topics ranging from artificial intelligence and threat intelligence to critical infrastructure protection and workforce development. The discussions reflected the shared responsibility among businesses, defense partners, public agencies, and universities to strengthen cyber resilience.

Leaders from government, industry, and academia highlighted the need to align training, research, and operational experience to address the growing global cybersecurity workforce gap.

Programs like the Security Operations Center Apprenticeship Program (SOCAP), operated by Cyber Florida at USF (https://cyberflorida.org/), demonstrate how collaborative initiatives can prepare students and early-career professionals to defend real-world systems while supporting public-sector organizations.

That commitment to workforce development was underscored during the summit when Tampa-based cybersecurity company and CyberBay lead sponsor, ConnectSecure, announced a $100,000 investment to expand SOCAP, adding five new student apprentices to the program.

The initiative provides hands-on cybersecurity training while helping protect Florida organizations from real cyber threats, an example of how industry investment can directly support workforce readiness.

Keynote speakers set the tone for cybersecurity’s future

Two dynamic keynote speakers helped anchor CyberBay Summit 2026, offering timely perspectives on the evolving cybersecurity landscape and the shared responsibility required to defend it.

Jen Easterly, former Director of the Cybersecurity and Infrastructure Security Agency, and now CEO of RSAC, delivered a powerful message on national resilience, emphasizing the importance of public-private collaboration in protecting critical infrastructure and strengthening the nation’s cyber defenses.

Rachel Wilson, a seasoned cybersecurity executive and former intelligence leader, brought a global perspective to the stage, highlighting how geopolitical dynamics, emerging technologies, and sophisticated threat actors are reshaping risk for organizations of all sizes.

Together, their insights reinforced a central theme of the summit: that cybersecurity is not just a technical challenge but a strategic imperative that requires coordination across academia, defense, government, and industry.

Showcasing innovation and emerging technologies

CyberBay Summit also spotlighted innovation across the region’s rapidly growing cybersecurity ecosystem through the Democratizing Cybersecurity Innovation Challenge, a competition designed to accelerate practical security solutions for real-world use.

Developed by CyberBay’s Innovation Solutions Working Group and led by Manish Agrawal, professor at the University of South Florida and academic director at Cyber Florida, the challenge focuses on identifying cybersecurity technologies that are not only effective but also usable and affordable for organizations that may lack large security budgets.

During the Summit, three finalist companies pitched their solutions live to a panel of investors and technology leaders from organizations including Tampa Bay Wave, Embarc Collective, and Florida Funders.

The competition’s $70,000 non-dilutive grant, provided by Bellini Capital, was awarded to Actualization.ai for its SquarePact platform, which helps make cybersecurity tools more accessible and cost-effective for small and medium-sized organizations. The company is led by John Licato, USF associate professor, researcher, and entrepreneur focused on advancing practical applications of human and machine reasoning in cybersecurity.

Two additional companies, HACKsee and RedShield, were also recognized as finalists for their innovative approaches to strengthening cybersecurity capabilities.

By bringing together startups, investors, researchers, and industry leaders, the Innovation Challenge demonstrated how collaboration within the CyberBay ecosystem is helping accelerate the development of practical cybersecurity technologies that can be deployed in organizations today.

Hands-on competition and talent development

CyberBay also served as a proving ground for rising cybersecurity talent.

Students and professionals competed in multiple cybersecurity challenges, including capture-the-flag competitions and technical exercises designed to test skills in threat analysis, problem-solving, and system defense.

And the 2nd Annual CyberBay Cup winners are…

1st Place – $20,000
Reigning Champions: Squid Proxy Lovers
• Brayden Borges (BraydenPikachu)
• Andrew Effenhauser (corgo)
• Salah Abbas (outwrest)
2nd Place – $10,000
lamenting llamas
• Beau B (corial)
• Jason Mercier (KA0x)
• Non Dylan (bobdylan)
• turingdot (turingdot)
3rd Place – $5,000
Waka Flocka Flocto – Hard in the plate
• Varun Iyer (Varoon5)
• Vishwa Iyer (vishiswoz)
• Arjun Lalith (flyingpies)
4th Place – $2,500
Kali Pro
• Derek Rook (r00k)
• Jose Rodriguez (joehacksalot)
• Ethan Puchaty (n0decaf)
• Cooper Wiegand (shiloh)
5th Place – $2,500
Five Knights at Bellini’s – University of Central Florida
• Ardian Peach (oatzs)
• Caitlin Whitehead (Knittingirl@UCF)
• Tyler Waddell (brosu)
• Andy Pompura (vv10n)

Memorable moments

Beyond the technical discussions, CyberBay Summit also delivered memorable experiences that brought attendees together, including special presentations, networking receptions, and entertainment that celebrated the energy and innovation driving the region’s cybersecurity community.

A special lunch presentation, Beyond the Imitation Game – From Alan Turing and James Bond to e-Commerce and Quantum Encryption, explored the fascinating history of codebreaking and the enduring impact of the Enigma machine on modern cybersecurity.

The supporters who made it possible

CyberBay Summit would not have been possible without the strong support of its exhibitors and sponsors.

Organizations across the cybersecurity ecosystem contributed their expertise, leadership, and resources to make the Summit a success, sharing new technologies, showcasing solutions, and building connections that will help strengthen cybersecurity resilience across the region.

Their participation helped create an environment where attendees could learn from one another and forge new collaborations.

Luminary Sponsor: ConnectSecure

Visionary Sponsors: CyberFox and SkillBit

Innovator Sponsor – Podcast: ThreatLocker

Connector Sponsor – Enigma Presentation: Rapid7 Women

Exhibitors:

Bellini Center for Talent Development, USF
Bellini College, USF
BlackCloak
Caju AI
CommHIT
Columbia Southern University
Conceal, Inc
ConnectSecure
CyberFox
Devicie
Digicert
EC-Council
Florida Department of Law Enforcement (FDLE)
Florida International University Jack D. Gordon Institute for Public Policy
Fox Pick
Ginger Cybersecurity
Jones & Bartlett Learning
Live Wildly
Maritime Hacking Village
Mayweather Group
MSP Influencer
Netsync
Rapid7
Resecurity
Saint Leo University
SimSpace
SkillBit
Tampa Bay Wave
ThreatLocker
TierPoint
University of South Florida Cybercriminology
USF Muma College of Business
University of South Florida Office of Corporate Training and Professional Education
University of Tampa
University of West Florida
Vilkas Cybersecurity
Wolfeevo

Building the future of cybersecurity in Tampa Bay

Events like CyberBay Summit demonstrate how partnerships between academia, defense, government, and industry can accelerate innovation, develop talent, and strengthen our collective cyber defenses.

By bringing together a diverse audience from across the cybersecurity community, CyberBay plays an important role in shaping the region’s cyber ecosystem and preparing the workforce to defend tomorrow’s digital infrastructure.

Continuing the momentum

While CyberBay Summit serves as the region’s annual gathering for the cybersecurity community, the work continues long after the conference ends. Through CyberBay Working Groups, collaboration takes place year-round to turn ideas into action and advance practical cybersecurity solutions.

Commissioned by Bellini Capital and supported by institutional partners, including Cyber Florida, the working groups were created to address the key challenges identified in the CyberBay 2025 community survey. These groups focus on closing critical gaps in cybersecurity infrastructure, bridging the divide between thought leadership and real-world implementation, and maintaining momentum across the region’s cybersecurity ecosystem between annual summits.

Each working group is led by distinguished experts and focuses on a core pillar of the cybersecurity landscape: strengthening undergraduate cybersecurity education, accelerating innovation in practical security solutions, and advancing workforce development strategies to build a stronger regional talent pipeline. Leaders include USF professors and researchers Sriram Chellappan, Manish Agrawal, and Michelle Angelo-Rocha.

Building on the momentum of the CyberBay Summit 2026 and insights from the CyberBay 2026 survey, a new Cyber Insurance Working Group is being launched to address one of the most influential forces shaping cybersecurity practices today. Survey findings identified cyber insurance as a key driver for improving cyber hygiene across organizations, underscoring its growing role in risk management and resilience.

This new working group will bring together stakeholders from across industry, government, and the broader cybersecurity community to focus on two primary objectives: normalizing insurability criteria and simplifying risk management practices. By aligning standards and reducing complexity, the group aims to make cybersecurity expectations clearer and more attainable for organizations of all sizes.

CyberBay is actively seeking participants to help shape this effort and contribute their expertise. Those interested in joining the Cyber Insurance Working Group can sign up on this form.

Together, these working groups ensure that CyberBay is more than a conference; it is an ongoing collaborative effort to strengthen Florida’s cybersecurity capabilities and build a resilient digital future. Organizations and professionals interested in contributing to these initiatives are encouraged to get involved and help shape the next phase of CyberBay’s impact.

But wait! There’s more! Let’s keep the conversation going…

While CyberBay Summit 2026 may have concluded, the conversations and connections continue year-round, including through the CyberBay Podcast.

Featuring real people and real stories from the heart of Tampa Bay’s cybersecurity community, the podcast offers a more personal look at the individuals shaping the field. Each episode explores the journeys, values, and unexpected paths that brought today’s cyber leaders, innovators, and rising talent into the industry and into the CyberBay ecosystem.

From career insights and emerging tech trends to stories of growth, purpose, and community, the CyberBay Podcast goes beyond job titles to highlight the human side of cybersecurity. Tune in to stay connected, inspired, and engaged with the voices driving CyberBay forward.

Don’t miss a single CyberBay update. Follow the momentum on the CyberBay LinkedIn page and the CyberBay website. See you next March for CyberBay Summit 2027!

CyberBay 2026 Showcases Collaboration, Competition, Innovation | 2026-03-26T10:29:15-04:00

Applications for Summer 2026 CyberWorks Cohort Open

12-week virtual cybersecurity training program accepts Florida’s veterans, first responders, military spouses, government employees

March 19, 2026—Tampa, Fla—Cyber Florida at USF is accepting applications for the Summer 2026 cohort of CyberWorks, its workforce development program designed to prepare Florida’s public-minded professionals for careers in cybersecurity. The new cohort begins in May 2026 and is available at no cost to eligible participants.

CyberWorks is a 12-week, fully virtual training program that guides participants toward earning the CompTIA Security+ certification, one of the most widely recognized credentials for entry-level cybersecurity roles. In addition to technical training, participants gain access to a network of peers and mentors, career-advancement support, and a collaborative learning community.

Cyber Florida welcomes applications from Florida residents who are:

  • Veterans
  • Transitioning military personnel
  • First responders
  • Military spouses
  • Government employees

“Our goal with CyberWorks is to create opportunities for those who serve and support our nation to build new skills, advance their careers, and step confidently into Florida’s growing cybersecurity workforce,” said Cyber Florida’s CyberWorks Assistant Cyber Program Manager Mai Ensmann. “This program is designed to meet learners where they are and help them succeed.”

CyberWorks is funded by the DoW CIO Cyber Academic Engagement Office and the NSA National Centers of Academic Excellence in Cybersecurity Program.

Those interested are encouraged to apply early, as space in the cohort is limited. For more information or to apply, visit the CyberWorks page of the Cyber Florida website.

Media Contact:
Cyber Outreach Manager Jennifer Kleman, APR, CPRC
jennifer437@cyberflorida.org

ABOUT CYBER FLORIDA AT USF
The Florida Center for Cybersecurity at the University of South Florida, commonly referred to as Cyber Florida at USF, was established by the Florida Legislature in 2014. Its mission is to position Florida as a national leader in cybersecurity through comprehensive education, cutting-edge research, and extensive outreach. Cyber Florida leads various initiatives to inspire and educate current and future cybersecurity professionals, advance applied research, and enhance cybersecurity awareness and safety of individuals and organizations.

Applications for Summer 2026 CyberWorks Cohort Open | 2026-03-19T15:24:29-04:00