Florida Critical Infrastructure Cybersecurity Intelligence

This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.

Situational Awareness Bulletin #10-2026

Cyber Threat Outlook

Over the next six to nine months, Florida’s critical infrastructure operators face escalating pressure from three reinforcing threats: Iranian state-sponsored actors targeting energy, water, and transportation OT systems; financially motivated extortion groups exploiting third-party vendors in education, healthcare, and commercial facilities; and automated vulnerability exploitation that is closing the gap between disclosure and weaponization faster than most organizations can patch. The 2026 Verizon Data Breach Investigations Report confirmed that exploitation of unpatched vulnerabilities has surpassed credential theft as the leading breach entry point — a structural shift that favors well-resourced adversaries and penalizes organizations slow to remediate. CISA’s CI Fortify initiative signals that federal planners now treat destructive OT attacks as a near-term contingency, not a theoretical risk. The campaign against LA Metro and ongoing Iranian targeting of gas-station tank gauges and PLCs in water and energy systems demonstrate transferable risk to Florida’s ports, utilities, and transit networks. Critical infrastructure owners should treat supply chain vendors, contractor-managed cloud accounts, and internet-exposed OT devices as the highest-priority attack surface for the foreseeable future.

Confidence – High

Executive Summary

• All Sectors: CISA’s CI Fortify initiative and continued Iranian OT targeting require Florida operators to test manual fallback procedures and close contractor access gaps.
• Commercial Facilities: ShinyHunters breached 7-Eleven, exposing personal data on 185,300 individuals after holding the data for ransom and then leaking it publicly.
• Communications: Major U.S. telecoms launched the C2 ISAC, a new sector-specific threat-sharing body; a Huawei zero-day caused a nationwide telecom outage in Luxembourg.
• Critical Manufacturing: Nitrogen ransomware breached Foxconn’s North American facilities, exfiltrating 8 TB of data and disrupting production; Four-Faith router exploitation continues at scale.
• Defense Industrial Base: Iranian APT Seedworm (MuddyWater) maintains persistent access inside a U.S. defense and aerospace software supplier using the previously undocumented Dindoor backdoor.
• Energy: NEMA and NERC warn of growing data-center grid strain; Iranian actors have breached unprotected automatic tank gauge systems at gas stations across multiple states.
• Government Services and Facilities: ShinyHunters’ Canvas breach directly hit USF and multiple Florida school districts; Chelan County’s full network shutdown illustrates ransomware risk for Florida municipalities; federal cyber grant reauthorization is in jeopardy.
• Healthcare and Public Health: OpenLoop Health breach exposed 716,000 individuals; a ransomware attack at another hospital allegedly caused an infant’s death; NYC Health + Hospitals vendor breach exposed 1.8 million patients.
• Information Technology: Exploited vulnerabilities in Drupal, Gitea, Notepad++, and SonicWall SSL-VPN, combined with GitHub supply chain compromises and novel blockchain-based malware, expand attack surface across developer and CI environments.
• Transportation Systems: Iranian state-linked actors breached LA Metro in a destructive attack that required weeks of recovery — directly transferable risk to Florida ports, transit, and aviation.
• Water and Wastewater Systems: CISA CI Fortify guidance is directly applicable to Florida water utilities, which face continued Iranian PLC targeting and reduced federal support.

All Sectors

CISA Unveils New Initiative to Fortify America’s Critical Infrastructure The Cybersecurity and Infrastructure Security Agency (CISA) launched the CI Fortify initiative on May 5, 2026, urging critical infrastructure operators, particularly in energy, water, and government facilities, to prepare for “weeks to months” of information technology/operational technology (IT/OT) isolation and manual operations in the event of sustained state-sponsored cyber campaigns. The guidance emphasizes proactive network segmentation, offline backups of system configurations, and regular drills of manual fallback procedures. It is important to note that the initiative’s planning assumption is that adversaries may already have a foothold inside OT networks during a conflict scenario, requiring operators to plan for continuity under a ‘communications-degraded’ environment in which external vendors, internet connectivity, and third-party dependencies may be unavailable. This is directly relevant to Florida, whose hurricane-prone utilities, ports, and water systems already face compounded risks from Iranian-linked OT targeting campaigns that continue to probe internet-exposed programmable logic controllers.

CISA Adds Seven Known Exploited Vulnerabilities to Catalog CISA added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on May 21, 2026, based on confirmed active exploitation in the wild. The additions include CVE-2026-41091 (a link-following vulnerability) in the Microsoft Malware Protection Engine that enables local privilege escalation to SYSTEM level) and CVE-2026-45498 (Microsoft Defender denial of service), along with several legacy but still-weaponized flaws. These vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to federal, state, local, and critical infrastructure entities. Florida operators of Microsoft Defender, Windows systems, and related OT environments should apply patches immediately to prevent privilege escalation and service disruption. Organizations that disable automatic Microsoft Defender engine updates, including some OT-adjacent environments, should verify manually that engine version 1.1.26040.8 or later is installed.

Verizon DBIR 2026: Vulnerability Exploitation Overtakes Credential Theft as Top Breach Vector Verizon’s 2026 Data Breach Investigations Report (DBIR) found that vulnerability exploitation surpassed credential theft as the leading initial access vector in confirmed breaches. The DBIR analyzed more than 31,000 security incidents, of which more than 22,000 were confirmed breaches. Approximately 31% of breaches involved exploitation of unpatched vulnerabilities, highlighting the growing impact of internet-facing systems and delayed remediation cycles. Third-party involvement also rose sharply, reaching 48% of confirmed breaches. That represents a 60% year-over-year increase underscoring the growing risk of vendor and contractor access across CI environments. The report emphasized that organizations continue to struggle with patch management timelines and exposure to third-party applications. These findings reinforce concerns that cyber threat actors are increasingly prioritizing automated exploitation of known vulnerabilities across critical infrastructure sectors.

CISA Admin Leaked AWS GovCloud Keys on Github A public GitHub repository managed by a CISA contractor (Nightwing) inadvertently exposed credentials for several highly privileged Amazon Web Services (AWS) GovCloud accounts as well as a large number of internal CISA systems. The leak prompted legislators to request an urgent classified briefing within 24 hours. This incident underscores persistent third-party and supply chain risks, where basic credential hygiene and repository security failures can have cascading effects. Notably, the contractor had disabled GitHub’s built-in secret-scanning protections, underscoring that policy-level controls are insufficient without enforced technical guardrails that prevent circumvention. Florida critical infrastructure owners and operators should apply the same rigorous scrutiny to contractor-managed code repositories and third-party cloud environments that they apply to external vendors.

Security Update for LiteSpeed cPanel Plugin CISA added CVE-2026-48172, a critical privilege-escalation vulnerability in the LiteSpeed user-end cPanel plugin (before version 2.4.5), to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. The flaw allows any authenticated cPanel user, including low-privileged or compromised accounts, to execute arbitrary scripts with root privileges, meaning a single compromised hosting account on a shared server is sufficient for full system takeover. LiteSpeed resolved the issue in version 2.4.5. This development is highly relevant to Florida state agencies, school districts, municipal utilities, and other critical infrastructure entities that use cPanel-hosted web services for public-facing systems.

FBI Warns Extortion Hackers are Visiting US Law Firms to Steal Data The FBI has issued a warning about the Silent Ransom Group (SRG), a cyber extortion gang with roots in the Conti ransomware syndicate that is actively targeting U.S. law firms using an unusually bold mix of phishing, fake IT calls, and in-person office visits. The group’s tactics are exceptionally hard to detect: attackers use legitimate remote management tools and transfer stolen data through trusted platforms such as Google Drive and Microsoft OneDrive, blending in with normal IT activity. Notably, SRG deploys no ransomware encryption — systems remain fully operational throughout the attack with no locked files or ransom screens, making the intrusion effectively invisible until an extortion email arrives. SRG’s reach extends beyond legal services—the FBI notes the group has also hit organizations in healthcare, insurance, and financial sectors. This is pertinent to all Florida critical infrastructure sectors, and law firms frequently hold sensitive legal, financial, and corporate data for CI operators. SRG has been active since at least 2022. They have compromised data from more than 38 law firms, with at least 100 confirmed attacks as of Spring 2026.

All Sectors Recommendations:

• Implement phishing-resistant multi-factor authentication and the principle of least privilege on all managed service provider remote access connections to prevent adversaries from pivoting into downstream municipal utility networks.
• Identify all internet-facing VNC instances and secure them behind a virtual private network with multi-factor authentication to prevent unauthorized manipulation of industrial controls.
• Develop and test manual fallback procedures for all life-safety services to ensure operational resilience during a sustained cyber outage.
• Shift toward automated vulnerability management to reduce exposure windows as artificial intelligence-assisted exploitation compresses the time between disclosure and weaponization.
• Audit all third-party and contractor-managed code repositories, cloud credentials, and privileged service accounts, and the use of cloud collaboration tools (such as Google Drive and Microsoft OneDrive) for exposed secrets or misconfigured access controls.
• Immediately inventory, patch, or isolate systems affected by newly added CISA KEVs to prevent active exploitation.

Chemical Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Commercial Facilities Sector

185,000 Likely Impacted by 7-Eleven Data Breach 7-Eleven has confirmed that it was the victim of a data breach. An April 8, 2026 breach of 7-Eleven systems, via their Salesforce environment, exposed personal information (including names, dates of birth, email addresses, phone numbers, and physical addresses) affecting roughly 185,300 individuals. The ShinyHunters extortion group claimed responsibility, initially demanding ransom and later offering the data for sale on a Russian hacking forum. This incident highlights ongoing risks to commercial facilities from extortion groups like ShinyHunters, which have also targeted education vendors serving Florida school districts and higher-education institutions.

Commercial Facilities Sector Recommendations:

• Conduct regular third-party risk assessments of vendors and service providers that handle customer or employee personally identifiable information (PII).
• Implement robust data encryption, access controls, and data-loss-prevention monitoring on systems containing sensitive personal or financial data.
• Develop and regularly test incident response playbooks specifically for data-extortion campaigns, including protocols for ransom demands and mandatory breach notification.
• Monitor closely for anomalous data exfiltration, especially involving legitimate cloud storage and file-sharing platforms commonly abused by groups like ShinyHunters.
• Provide targeted security awareness training for staff on advanced social engineering, phishing, and impersonation tactics used in these extortion operations.

Communications Sector

Telecom Sector Launches its Own Private ISAC Major U.S. telecommunications providers launched the Communications Cybersecurity Information Sharing and Analysis Center (C2 ISAC) to improve coordination against AI-enabled cyberattacks, espionage, and nation-state threats targeting communications infrastructure. The initiative aims to strengthen collaboration between telecommunications companies and government cybersecurity partners. Officials warned that adversaries continue targeting telecom infrastructure to support surveillance, espionage, and operational disruption campaigns. This development is relevant to Florida as the state’s extensive network of MSPs provides foundational support for municipal utilities and local government services.

Huawei Zero-day Attack Behind Last Year’s Crash of Luxembourg’s Entire Telecoms Network An attack exploiting a previously undisclosed vulnerability in Huawei enterprise router software caused a nationwide telecom outage in Luxembourg, disrupting mobile, landline, and emergency communications for more than three hours. As of this reporting, the vulnerability has not been publicly disclosed or assigned as a CVE identifier. Because no CVE has been assigned, operators cannot rely on standard vulnerability management tools to identify this exposure — network inventory and manual review of Huawei equipment are the only current detection paths. This incident highlights persistent supply-chain risks associated with Chinese-manufactured networking equipment in critical communications infrastructure. Florida’s telecommunications providers, managed service providers, and municipal utilities that rely on similar enterprise routing and OT networking hardware should review Huawei equipment inventories and consider immediate segmentation or replacement strategies where feasible.

Communications Sector Recommendations:

• Enforce strict multi-factor authentication and the principle of least privilege on all managed service provider remote access connections to prevent adversaries from pivoting into downstream municipal utility networks.
• Monitor telecommunications and managed service provider environments continuously for unauthorized affiliate activity or staging of data exfiltration tools that typically precede ransomware deployment.
• Prepare contingency plans to immediately sever or isolate administrative access from managed service providers if anomalous activity or cascading ransomware attempts are detected.
• Inventory all enterprise routers and OT networking hardware for Huawei or other high-risk vendors and implement strict network segmentation or accelerated replacement to mitigate undisclosed zero-day supply-chain risks.

Critical Manufacturing Sector

Ransomware Hackers Claim Breach at Foxconn, Major Electronics Manufacturer for Apple, Google, and Nvidia The Nitrogen ransomware group claimed responsibility for breaching Foxconn’s North American facilities in Mount Pleasant, Wisconsin and Houston, Texas, alleging theft of more than 11 million files totaling 8 terabytes (TB) of data, including confidential instructions, internal project documentation, technical drawings (including circuit board layouts and integrated circuit documentation), financial files, and temperature sensor records — tied to projects for Apple, Intel, Google, Dell, Nvidia, and AMD. The affected plants have resumed normal production, but the incident highlights downstream supply chain risk to U.S. critical manufacturing. This is highly relevant to Florida, where ports in Jacksonville, Tampa, and Miami serve as key logistics hubs for electronics and aerospace components.

CVE-2024-9643: Four-Faith Router Authentication Bypass Fuels Botnet Activity CrowdSec researchers reported a surge in exploitation of Common Vulnerabilities and Exposures (CVE)-2024-9643, a critical authentication-bypass flaw with hard-coded credentials in Four-Faith F3x36 industrial cellular routers. The activity has escalated into large-scale botnet campaigns targeting utilities, warehouses, and critical infrastructure. These routers are commonly deployed in remote monitoring and operational technology (OT) environments. Florida municipal utilities, water systems, and energy providers using similar industrial routers should immediately inventory, patch, or isolate these devices.

CVE-2026-8153: Command Injection in the PolyScope 5 Dashboard Server Universal Robots disclosed and patched a critical command injection vulnerability (CVE-2026-8153) in the Dashboard Server interface of its PolyScope 5 operating system used on collaborative robots deployed across operational technology environments. The flaw allows unauthenticated remote attackers to execute arbitrary commands, potentially compromising system integrity and physical security safety. Collaborative robots are widely used in manufacturing, energy, and logistics facilities. This development is highly relevant to Florida’s aerospace, critical manufacturing, and port logistics clusters that employ Universal Robots systems.

Critical Manufacturing Sector Recommendations:

• Harden remote access gateways and segment manufacturing networks from corporate IT systems to limit lateral movement during supply-chain ransomware incidents.
• Implement immutable offline backups of engineering schematics and design files to ensure rapid recovery without paying ransoms.
• Conduct immediate third-party risk assessments of electronics and component suppliers to identify exposure from large-scale breaches such as the Foxconn incident.
• Inventory all collaborative robots and industrial cellular routers (Universal Robots PolyScope and Four-Faith F3x36) for exposed interfaces and apply available patches or implement strict network segmentation.

Dams Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Defense Industrial Base Sector

Iran-Linked Seedworm Maintains Persistent Access in U.S. Defense Supply Chain Networks Symantec reporting (continuing through recent days) describes Iranian APT Seedworm targeting the Israeli operation of a U.S. software company that supplies defense and aerospace. The campaign, which began in early February 2026, is ongoing, and that the activity correlates with U.S. and Israeli military strikes on Iran. The attack using a new Dindoor backdoor and a second, separate Python-based backdoor called Fakeset on networks of a U.S. airport and nonprofit, to engage in espionage and potential follow-on disruption against defense-related environments in the U.S. and allied countries. This activity underscores persistent supply-chain risks to the Defense Industrial Base from Iranian cyber threat actors. Florida’s aerospace clusters and defense contractors should conduct immediate third-party risk assessments of software suppliers.

Defense Industrial Base Sector Recommendations:

• Conduct rigorous and recurring third-party risk assessments of all software suppliers and service providers supporting defense and aerospace operations, with focused scrutiny on potential Iranian-linked activity.
• Implement continuous monitoring and behavioral analytics to detect persistent access, backdoors (such as Dindoor), and anomalous activity originating from supply-chain compromises.
• Enforce strict network segmentation and least-privilege principles between supplier-managed systems and critical internal networks to limit lateral movement.
• Verify the integrity of all third-party software updates and components prior to deployment in operational environments.
• Develop and regularly test incident response plans tailored to nation-state supply-chain attacks involving long-term espionage and potential disruptive follow-on operations.

Emergency Services Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Energy Sector

US Annual Electricity Consumption to Grow 55% by 2050: NEMA The National Electrical Manufacturers Association (NEMA) forecast shows accelerating electricity demand from data centers, straining U.S. utilities and raising affordability concerns. Florida utilities are already experiencing similar grid pressure from artificial intelligence (AI)-driven data-center growth.

NERC 2026 Summer Reliability Assessment North American Electric Reliability Corporation’s (NERC) 2026 Summer Reliability Assessment warned that accelerated electricity demand, rapid growth of large data-center loads, and extreme heat conditions may strain portions of the North American electric grid. The assessment highlighted increasing operational pressure associated with AI-driven infrastructure expansion, maintenance outages, and periods of reduced renewable energy generation. Several regions may experience elevated reserve shortfalls during sustained peak-demand conditions. Florida utilities may face similar reliability and operational challenges during hurricane season and summer heat events.

Hackers Have Breached Tank Readers at US Gas Stations; Officials Suspect Iran is Responsible U.S. officials suspect Iranian-linked actors are responsible for a series of breaches targeting automatic tank gauge (ATG) systems. Notably, the affected systems were internet-exposed and unprotected by passwords, which represents a basic configuration failure. CI operators should immediately verify that all ATG systems are removed from the public internet or placed behind password-protected access controls. The attacks focus on operational technology used for real-time inventory and distribution management rather than traditional information technology (IT) networks. The attackers capability, however, was limited to manipulating display readings, not actual fuel levels or distribution flows. U.S. officials suspect Iranian-linked actors are responsible, though a lack of forensic evidence means definitive attribution has not been confirmed. If confirmed, the activity would represent continued Iranian interest in disrupting or gathering intelligence on U.S. energy infrastructure. The incidents are highly relevant to Florida’s extensive fuel distribution networks, ports, and municipal energy providers that rely on similar tank-gauge and monitoring systems.

PJM Gets Emergency Approval to Curtail Data Centers, Large Loads During Hot Weather The Department of Energy authorized PJM Interconnection to curtail power usage by large facilities with backup generation capability, including data centers, amid reserve shortages caused by extreme heat and maintenance outages. The emergency authority reflects growing operational stress on energy infrastructure that supports AI-driven data-center growth and increasing electricity demand. Grid operators continue evaluating emergency procedures to maintain system stability during high-load events. The incident also highlights increasing dependence on resilient backup-generation systems across critical infrastructure sectors.

CI Fortify: Strengthening Resilience Across Critical Infrastructure Iranian-linked actors continue to target internet-exposed PLCs and SCADA systems in the water and energy sectors. CISA’s CI Fortify guidance explicitly calls for OT isolation and manual operations readiness—directly applicable to Florida’s energy providers.

Energy Sector Recommendations:

• Verify that all operational technology (OT) assets, particularly Rockwell Automation and Allen-Bradley programmable logic controllers, are removed from the public internet or placed behind strict network segmentation.
• Store critical OT configurations and backups in immutable offline formats to enable manual operations during sustained cyber campaigns.
• Audit third-party vendor accounts and monitor for anomalous remote access to smart-grid and energy-management systems.
• Inventory and segment all operational technology assets used for fuel storage, tank monitoring, and distribution systems, ensuring they are not internet-exposed and are protected by strict network segmentation.

Financial Services Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Food and Agriculture Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Government Services and Facilities Sector

Aurora Lost Nearly $1.1M from City Bank Accounts After Employee Fell for Phone Scam Authorities in Aurora, Illinois are investigating a cyber-enabled fraud incident that resulted in approximately $1.1 million being transferred from municipal accounts after an employee reportedly fell victim to a phone scam. The incident reflects continuing business email compromise and social-engineering threats targeting local governments and public-sector financial operations. Cyber threat actors increasingly use impersonation techniques and financial fraud schemes to exploit municipal payment processes. Florida municipalities and tourism-dependent communities remain vulnerable to similar financially motivated cyber campaigns.

Chelan County WA Government Shuts Down Networks After Cyberattack Chelan County officials shut down all government computers, networks, and telephone systems on Memorial Day after detecting a malware attack that impacted every county department. The county’s information technology (IT) department identified the malware at 10 a.m. and immediately isolated systems as a safety precaution. Emergency services remained operational. This incident serves as a direct tactical analog for Florida’s numerous county and municipal government facilities that routinely handle high-volume administrative and public safety systems.

State IT Officials Make a Case for Cyber Grant Reauthorization Before House Subcommittee Florida’s Chief Information Officer and technology leaders from Tennessee and New York testified before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection regarding the now-unfunded State and Local Cybersecurity Grant Program (SLCGP). The officials highlighted how the grant program has improved state and local network defenses and urged Congress to reauthorize funding amid escalating nation-state threats and reduced federal support. This testimony is directly relevant to Florida’s municipal, county, and educational networks, which rely on these grants to maintain resilience against ransomware, operational technology (OT) targeting, and supply chain risks.

Canvas Hack: Company Pays Criminals to Delete Students’ Stolen Data Instructure (provider of the widely used Canvas learning management system) reached an agreement with the ShinyHunters group after a major breach that exposed student and staff data from 275 million records across approximately 9,000 institutions, including names, email addresses, student ID numbers, and private messages between students and instructors. across thousands of educational institutions. Instructure reportedly paid a ransom to the ShinyHunters group, receiving digital confirmation that exfiltrated data was destroyed, though no certainty exists that the cybercriminals honored the agreement. The FBI’s Internet Crime Complaint Center (IC3) issued a separate advisory on May 15, 2026 warning students and staff that ShinyHunters may directly contact individuals whose data was exposed. The incident directly impacted the University of South Florida (USF) in Tampa as well as Hillsborough County Public Schools, Pinellas County Schools, and other Florida districts, underscoring the systemic risk to Florida’s K-12 and higher-education systems that rely on third-party education vendors.

Hackers Exploited KnowledgeDeliver Zero-Day for Web Shell Deployment Attackers have exploited a zero-day vulnerability in KnowledgeDeliver, a widely used learning management system (LMS). The flaw stemmed from hardcoded ASP.NET machineKey values shared across installations. With these keys, cyber threat actors performed ViewState deserialization attacks to achieve remote code execution and deployed web shells. This incident demonstrates that cyber threat actors continue to pursue LMS platforms used by schools and government entities. The development is highly relevant to Florida’s K-12 and higher-education systems as well as municipal government facilities that rely on similar third-party administrative and education platforms.

Government Services and Facilities Sector Recommendations:

• Train staff to verify all financial requests through out-of-band channels before initiating wire transfers or payments.
• Implement strict multi-factor authentication and least-privilege controls on email and financial systems used by municipal staff.
• Conduct regular phishing simulations and rigorous vendor risk assessments of third-party learning management systems (LMS), education platforms, and administrative software to reduce exposure to supply-chain and zero-day vulnerabilities.
• Inventory, promptly patch (or isolate) all internet-facing third-party LMS and web-based administrative applications, with special attention to hardcoded credentials, shared configuration keys, and web-shell risks.
• Maintain and regularly test offline backups and manual fallback procedures for all county and municipal administrative systems to ensure continuity during ransomware or malware-induced outages.
• Advocate for and prepare contingency plans around reauthorization of the State and Local Cybersecurity Grant Program to sustain network defenses amid reduced federal support.

Healthcare and Public Health Sector

OpenLoop Health Data Breach Affects 716,000 Individuals OpenLoop Health disclosed a breach exposing names, addresses, email addresses, dates of birth, and medical information (but not Social Security Numbers) of approximately 716,000 individuals. The incident aligns with the broader pattern of persistent data-theft and extortion campaigns targeting the U.S. healthcare sector. Florida’s large healthcare network and retiree population make this a continuing high-priority risk.

Data Breach on New York Public Health System Claims 1.8M Victims, Leaking Biometric Data to Hackers NYC Health + Hospitals confirmed that a vendor-related compromise exposed sensitive patient data, including biometric data, affecting approximately 1.8 million individuals after attackers reportedly maintained access to systems for several months. Exposed information included protected health information and personally identifiable information tied to healthcare operations. The incident highlights the ongoing risks associated with third-party vendors and healthcare-sector supply chain exposure.

Hospital Ransomware Attack Led to Infant’s Death, Lawsuit Alleges A hospital ransomware attack allegedly led to an infant’s death, according to a lawsuit. The incident highlights the severe life-safety risks when ransomware disrupts critical healthcare operations and patient care systems. This is directly relevant to Florida’s large healthcare network and retiree population, where ransomware continues to threaten both patient data and care continuity.

Healthcare and Public Health Sector Recommendations:

• Isolate electronic health record systems and medical devices on segmented networks to prevent lateral movement during ransomware incidents.
• Maintain and regularly test manual downtime procedures for all critical patient care and life-safety systems to sustain operations and protect patient safety during IT outages or ransomware events.
• Perform rigorous third-party risk assessments of billing and health-data vendors to limit exposure from supply-chain breaches.
• Prioritize patient safety and life-safety system continuity in all ransomware incident response planning and conduct regular drills focused on rapid transition to manual operations.

Information Technology Sector

CISA Releases 18 New ICS Advisories Cybersecurity and Infrastructure Security Agency (CISA) released 18 new industrial control system advisories on May 14, 2026, detailing remotely exploitable vulnerabilities in products used across manufacturing, emergency communications, and supporting OT environments. Florida operators of these systems should apply patches immediately.

GitHub Confirms Breach of 3,800 Repos via Malicious VSCode Extension GitHub confirmed that approximately 3,800 internal repositories were compromised after an employee installed a malicious Visual Studio Code extension. The incident demonstrates the growing threat posed by software supply chain compromises targeting trusted developer environments and third-party extensions. Additional organizations, including major technology firms and artificial intelligence (AI) companies, were reportedly impacted by related activity. The compromise reinforces concerns about dependency trust, extension security, and vulnerabilities in the software development ecosystem.

CISA Adds One Known Exploited Vulnerability to Catalog CISA has added CVE-2026-9082, a critical SQL injection vulnerability in Drupal Core’s database abstraction API, to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The agency ordered federal agencies to patch by May 27, 2026. Drupal is widely used by government agencies, educational institutions, and critical infrastructure entities for managing large-scale websites and content. Florida state agencies, school districts, and municipal utilities running Drupal instances should apply patches immediately to prevent unauthorized database access and potential lateral movement.

Exposing Fox Tempest: A Malware-signing Service Operation Microsoft identified Fox Tempest as a financially motivated cyber threat actor operating a malware-signing-as-a-service platform used by cybercriminals and ransomware operators. The group abuses Microsoft Artifact Signing to generate fraudulent short-lived certificates that allow malicious software to appear legitimate and evade traditional security controls. The operation demonstrates the increasing sophistication of ransomware enablement services and malware delivery infrastructure. Security researchers warned that signed malware continues posing significant detection and trust challenges for defenders.

Patch Bypass Allows Hackers to Exploit Prior Flaw in SonicWall SSL-VPN Cyber threat actors continue to exploit a SonicWall Secure Sockets Layer virtual private network (SSL-VPN) vulnerability that enables attackers to bypass multifactor authentication protections during automated brute-force attacks. Researchers warned that a patch bypass allowed exploitation activity to continue despite earlier remediation efforts. SSL-VPN appliances remain at frequent targets for ransomware operators and cybercriminal groups seeking remote access into enterprise environments. Organizations relying on internet-facing VPN infrastructure continue facing elevated risks from credential attacks and remote-access exploitation.

ClearFake Abuses BSC Testnet Contracts for Resilient C2 Operations Cyber threat actors behind the ClearFake campaign have adopted a novel and highly resilient command-and-control (C2) architecture by leveraging BNB Smart Chain (BSC) testnet smart contracts. This approach embeds malicious JavaScript and instructions within immutable blockchain storage. That means that standard threat intelligence feeds and domain blocklists are ineffective against this C2 channel, so defenders must instead focus on monitoring anomalous outbound connections and JavaScript injection patterns. That makes the infrastructure effectively immune to traditional takedown efforts. The tactic expands supply-chain and developer-pipeline risks for Florida critical infrastructure entities that rely on third-party IT tools and extensions.

Hackers Host JS Malware GHOSTYNETWORKS and OMEGATECH Hackers are abusing two bulletproof hosting providers, GHOSTYNETWORKS and OMEGATECH, to run a global JavaScript (JS) malware infrastructure that powers large-scale malspam and business email compromise (BEC) activity. In March 2026, multiple malspam waves delivered a JavaScript backdoor via ZIP or RAR attachments to organizations across sectors, including energy companies and finance ministries. The financially motivated operators focus on email account compromise and BEC rather than espionage.

Gitea Vulnerability Exposes Private Container Images Without Authentication Cybersecurity researchers disclosed a security flaw in Gitea (CVE-2026-27771, CVSS 8.2) that allows unauthenticated remote attackers to pull private container images from Gitea deployments without requiring credentials. The vulnerability affects all versions prior to 1.26.2 and likely impacts more than 30,000 deployments worldwide. Florida state agencies, school districts, and critical infrastructure operators running self-hosted Gitea instances should apply the patch immediately.

Critical Notepad++ Flaw Could Enable Remote Code Execution Attacks Notepad++ has released version 8.9.6.1 to address multiple critical vulnerabilities, including CVE-2026-48778, which could allow arbitrary code execution under specific conditions involving improper handling of configuration files. The update patches flaws in versions up to 8.9.6. Developers and administrators across Florida critical infrastructure environments should update immediately to prevent potential supply-chain compromise via developer tools.

Information Technology Sector Recommendations:

• Apply all CISA Known Exploited Vulnerabilities catalog updates and the latest ICS advisories without delay.
• Immediately inventory, patch, or isolate all Drupal installations, Gitea instances, and other internet-facing web applications, prioritizing those used by government, educational, and critical infrastructure systems.
• Enforce strict package verification, code-signing validation, and security checks for all developer tools, extensions (including VSCode), and applications such as Notepad++ to prevent supply-chain and remote code execution attacks.
• Implement strong authentication and access controls on self-hosted code repositories and container registries (such as Gitea) to block unauthenticated access to private container images and source code.
• Monitor for and block malicious JavaScript malware campaigns, abuse of bulletproof hosting providers, and resilient C2 techniques such as blockchain-based infrastructure.
• Scan and restrict internet-facing remote-access services (including SSL-VPN appliances) and apply patches immediately to counter bypass techniques and automated attacks.
• Strengthen supply-chain security practices to defend against malware-signing-as-a-service operations (such as Fox Tempest) and third-party extension compromises.

Nuclear Reactors, Materials, and Waste Sector

No sector-specific incidents, advisories, or operationally relevant reporting were identified during this biweekly reporting period.

Transportation Systems Sector

Iranian Hackers Blamed for Breach of Los Angeles Transit System that Took Weeks to Recover Israeli cybersecurity firm Gambit Security attributed a March 2026 breach of the Los Angeles County Metropolitan Transportation Authority (LA Metro) to Iranian government-linked (MOSI) actors—Black Shadow–operating under a hacktivist cover persona of “Ababil of Minab”. Attackers used a virtual machine to delete critical operating system data, stole at least 700 GB of emails/backups/files, and forced multi-week network isolation and recovery. Gambit Security reported that attackers also reached a real-time rail yard control display system, crossing from administrative IT networks into OT territory — though no manipulation of physical operations has been confirmed. This incident demonstrates state-sponsored destructive capabilities against U.S. transportation OT/IT systems. Florida’s ports, transit authorities, and logistics networks that rely on similar interconnected systems should treat this as a transferable risk.

Iranian APT Targets Aviation, Software Companies with Updated Tools Iranian APT Nimbus Manticore has adopted new tactics and malware variants in campaigns against aviation and software companies. Recent operations used updated tooling that enhances persistence and evasion. This activity demonstrates continued Iranian state-sponsored focus on transportation and related supply-chain targets. Florida’s ports, aviation facilities, and transit networks should treat this as transferable risk and review vendor software supply chains.

Transportation Systems Sector Recommendations:

• Monitor maritime traffic networks and commercial port environments for localized GPS spoofing attempts or electronic warfare interference.
• Encrypt all vessel communication systems to prevent threat actors from intercepting sensitive navigation and logistics data.
• Implement redundant positioning, navigation, and timing systems to maintain safe maritime operations if primary GPS signals are disrupted.
• Audit and segment all virtual machines, remote-access tools, and OT/IT convergence points in transit and port systems to prevent destructive data-wiping attacks by state actors.

Water and Wastewater Systems Sector

CI Fortify: Strengthening Resilience Across Critical Infrastructure Iranian-linked actors continue to target internet-exposed PLCs and SCADA systems in the water and energy sectors. CISA’s CI Fortify guidance explicitly calls for OT isolation and manual operations readiness—directly applicable to Florida’s municipal water utilities.

Water and Wastewater Systems Sector Recommendations:

• Immediately remove or isolate all internet-exposed programmable logic controllers and SCADA interfaces.
• Develop and regularly test manual fallback procedures for water treatment and distribution operations.
• Monitor anomalous changes to PLC project files and HMI configurations that could indicate manipulation attempts.
• Accelerate the adoption of AI-assisted defensive tools and conduct regular third-party risk assessments of OT vendors in light of shrinking federal support for water-sector cybersecurity.

Florida Critical Infrastructure Cybersecurity Intelligence

This bulletin is produced by USF’s Strategic and Cyber Intelligence Program, in collaboration with Cyber Florida, to deliver timely, actionable insights and recommendations to help Critical Infrastructure owners and operators better protect Florida’s Critical Infrastructure.

Situational Awareness Bulletin #09-2026

Cyber Threat Outlook

Over the next six to nine months, Florida’s critical infrastructure operators face a rapidly deteriorating threat environment shaped by three converging forces: (1) machine-speed exploitation driven by AI-assisted automation, (2) the deliberate targeting of IT/OT convergence points by nation-state actors, and (3) an expanding supply chain attack surface that includes managed service providers, code repositories, and certificate authorities. Threat actors are using generative AI and agentic workflows to discover vulnerabilities, fabricate phishing lures at scale, and automate credential exfiltration through poisoned development pipelines. Simultaneously, state-sponsored actors—particularly Iranian and Chinese-affiliated groups—are refining destructive and persistent techniques against internet-exposed operational technology, including programmable logic controllers and energy management gateways. These trends are compressing the window between vulnerability disclosure and active exploitation to hours or days. Organizations relying solely on periodic patching and signature-based detection are no longer adequately protected. CI owners and operators must treat operational resilience—including tested manual fallback procedures and isolated OT network architectures—as a baseline operational requirement, not a contingency plan. CISA’s new CI Fortify initiative, structured around proactive isolation and systematic recovery, provides a practical starting framework for this transition.

Confidence – High

Executive Summary

• All Sectors: GenAI and automated tools are lowering the barrier for cyber threat actors to execute high-fidelity phishing and machine-speed exploitation, necessitating a strategic shift toward operational resilience and manual fallback capabilities.
• Commercial Facilities: Large hospitality venues and building automation systems face data extortion and BAS hijacking risk. The Carnival Corporation incident in which ShinyHunters claims, via phishing, to have stolen 8.7 million records, demonstrates that pure data-extortion operations without encryption are increasingly common and may bypass traditional ransomware detection.
• Communications: Telecommunications carriers and managed service providers (MSPs) face elevated ransomware targeting as adversaries seek to launch cascading attacks against downstream municipal utilities.
• Critical Manufacturing: Financially motivated actors continue to target the aerospace supply chain with ransomware, highlighting the critical need to harden remote access gateways and segment manufacturing operations.
• Defense Industrial Base: Persistent targeting of third-party application programming interfaces (APIs) and supply chain vulnerabilities.
• Energy: Energy providers face multi-vector threats from Iranian-affiliated actors actively probing internet-facing OT systems, a new destructive wiper (Lotus) with no financial motive—indicating state-sponsored intent—and a supply chain breach at smart-meter provider Itron that underscores vendor access risk.
• Financial Services: The financial sector remains a top target for ransomware and phishing campaigns abusing legitimate management platforms, requiring robust vendor management and anti-money laundering (AML) controls.
• Government Facilities: Municipal and educational institutions face ransomware, third-party vendor breaches, and identity fraud involving the fabrication of official government credentials.
• Healthcare and Public Health: Hospitals remain a primary target for sophisticated double-extortion ransomware and medical device targeting, necessitating the adoption of manual-first downtime procedures to sustain patient care.
• Information Technology: Developer environments and automated build pipelines are experiencing a surge in supply-chain attacks utilizing poisoned open-source packages, agentic AI backdoors, and compromised administrative portals.
• Transportation Systems: Commercial maritime traffic networks face emerging operational risks from advanced electronic warfare tactics, including localized spoofing and the targeted interception of vessel communication systems.
• Water and Wastewater Systems: Water utilities must defend against AI-assisted exploitation of PLCs and persistent living-off-the-land (LOTL) administrative access.

All Sectors

Cybersecurity and Infrastructure Security Agency Tells Critical Organizations to Prepare for Cyber Outages The Cybersecurity and Infrastructure Security Agency (CISA) has launched the CI Fortify initiative, a formal CI emergency planning framework to enhance preparation for significant cyber outages. The initiative centers on two operational objectives: (1) isolation—proactively severing connections from third-party and business networks to protect OT environments, and (2) recovery—documenting system configurations, backing up critical files offline, and practicing restoration or transition to manual operations. CISA emphasizes that in the current geopolitical context, as adversaries refine their disruptive capabilities (e.g., Volt Typhoon-style prepositioning), the focus must shift from pure prevention to operational resilience and the ability to maintain essential services during a sustained technical failure. This development is relevant to Florida because the state’s reliance on integrated digital systems for power and water management means that an outage in one sector can quickly cascade into others, requiring tested manual fallback procedures to protect public safety.

Europol IOCTA 2026 Report Highlights Evolving Threat Landscape and the Proliferation of Artificial Intelligence Europol released its 2026 Internet Organised Crime Threat Assessment (IOCTA), detailing a strategic shift toward multi-staged cyber operations. The report emphasizes how generative artificial intelligence (GenAI) lowers the barrier for entry by facilitating high-fidelity phishing and basic malware creation. Additionally, it identifies the expansion of “as-a-service” models into initial access brokerage and distributed denial-of-service (DDoS). This development is significant for Florida’s critical infrastructure (CI) as it signals an increased volume of non-state threats targeting essential services through automated exploitation.

BlueKit Phishing Kit Targets Multiple Platforms with Sophisticated MFA Bypass Attacks The emergence of the “BlueKit” phishing kit marks a significant escalation in credential-harvesting tactics by multi-factor authentication (MFA) bypass through adversary-in-the-middle (AitM) techniques. Bluekit operates as a Phishing-as-a-Service (PhaaS) platform, consolidating all attack functions—domain purchase, phishing page deployment, victim session monitoring, and credential exfiltration via Telegram—into a single commercial dashboard. The kit targets over 40 platforms, including Gmail, Outlook, iCloud, GitHub, ProtonMail, and cryptocurrency services, to capture session cookies and bypass traditional authentication guardrails. Because Bluekit steals authenticated session cookies rather than just credentials, standard one-time-password (OTP) and push-notification MFA are not effective defenses. Only FIDO2-compliant hardware security keys fully mitigate this threat class. This development is relevant to Florida as state agencies and municipal utilities increasingly rely on these cloud platforms for administrative operations.

Pro-Russian Hacker Group Gamifies Cyberattacks on Europe with Cryptocurrency Rewards. An investigation revealed that a pro-Russian hacktivist collective is utilizing a gamified platform to coordinate cyberattacks against European infrastructure. Participants earn cryptocurrency rewards for successfully carrying out DDoS attacks or defacing government websites. While currently focused on European targets, the industrialized scale and crowdsourced nature of this campaign represent a transferable risk to the United States infrastructure. This news is relevant to Florida as it highlights how ideological adversaries can incentivize widespread disruption of municipal or utility networks through decentralized financial incentives and automated attack platforms.

Hundreds of Internet-Facing VNC Servers Expose Industrial Control Systems and Operational Technology A global scan by security researchers has identified hundreds of internet-facing virtual network computing (VNC) servers that provide direct access to industrial control systems (ICS) and operational technology (OT) environments. These servers are often configured without authentication or with weak credentials, allowing unauthorized actors to manipulate human-machine interface (HMI) screens and control logic. This exposure is highly relevant to Florida as many municipal water and energy utilities utilize VNC for remote monitoring.

Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia The Chinese-affiliated advanced persistent threat (APT) group Silver Fox is targeting organizations across the industrial, consulting, retail, and transportation sectors using a new Python-based backdoor dubbed ABCDoor alongside the ValleyRAT malware. The campaign sent over 1,600 malicious emails between early January and early February 2026. The attack chain begins with tax-themed phishing emails containing PDF files with malicious links to ZIP or RAR archives hosted on abc.haijing88[.]com. The archives contain a modified RustSL loader that unpacks the payload and employs phantom persistence to hijack system reboot sequences for survival. While current targeting focuses heavily on Russia and India, Florida’s critical infrastructure operators should monitor for these tactics, techniques, and procedures.

Fortinet Flags Industrial-Scale Cybercrime Driven by Continuous Machine-Speed Attacks A recent report from Fortinet highlights a strategic shift toward industrial-scale cybercrime where attackers utilize automated tools to conduct machine-speed exploitation of vulnerabilities. These campaigns do not rely on manual interaction; instead, they use scripts to identify and compromise thousands of targets simultaneously. This trend is significant for Florida as the state’s large footprint of small and medium-sized municipal utilities may lack the automated defensive tools necessary to counter these high-velocity attacks, making them susceptible to rapid, widespread compromise of their administrative and OT networks.

Security Professionals Identify Identity Management as a Growing Challenge A recent industry survey indicates that the vast majority of cybersecurity professionals now view identity and access management (IAM) as their primary operational hurdle. The rise of GenAI-powered social engineering has made traditional authentication methods less effective, leading to increased unauthorized access. Florida organizations must recognize that identity is the new perimeter and prioritize phishing-resistant MFA to protect sensitive administrative credentials.

Mirai-Based XLabsV1 Botnet Exploits Android Debugging Interfaces Security researchers have identified a new Mirai-based botnet variant, XLabsV1, which is actively exploiting exposed Android Debug Bridge (ADB) interfaces to enlist devices into a DDoS network. The botnet targets Internet of Things (IoT) devices and industrial sensors that have remained insecurely connected to the public internet. This trend is relevant to Florida’s critical infrastructure because of the high density of connected sensors used in smart-city and environmental-monitoring applications across the state.

United States Lists Offensive Cyberattacks in Counterterrorism Strategy The White House has released the 2026 United States Counterterrorism Strategy, which for the first time explicitly integrates offensive cyber operations to proactively disrupt the digital infrastructure of threat actors. This strategy aims to dismantle command and control (C2) nodes before they can be utilized for coordinated physical or cyber strikes. This development is significant for Florida as it signals a shift toward federal pre-emptive actions that may decrease the volume of sophisticated external threats targeting state municipal networks.

Adversaries Leverage AI for Vulnerability Exploitation, Augmented Operations, and Initial Access The Google Threat Intelligence Group (GTIG) has identified the first known instance of a zero-day exploit developed with the assistance of a large language model (LLM). A prominent cybercrime group utilized AI to create a Python script designed to bypass two-factor authentication (2FA) on a popular open-source system administration tool. Additionally, Chinese threat groups (UNC2814) and North Korean actors (APT45) are increasingly using “agentic” workflows to recursively analyze technical documentation and automate vulnerability discovery in embedded devices. This development is highly relevant to Florida as state agencies and municipal utilities rely on these ubiquitous administration tools and connected hardware for public service delivery. Relevant forensic data are being exfiltrated via AI-assisted reconnaissance to facilitate mass exploitation. Organizations must shift toward automated vulnerability management and reduce exposure windows as AI-assisted weaponization compresses the time between disclosure and exploitation.

New Ghostlock Tool Abuses Windows API to Block File Access and Facilitate Extortion The “Ghostlock” tool has emerged as a novel extortion mechanism that abuses legitimate Windows APIs to lock file access without performing traditional encryption. By manipulating system permissions and handles, the tool renders data inaccessible to users, allowing threat actors to demand payment for restoration. These tactics, techniques, and procedures (TTPs) is relevant to Florida CI because it bypasses many signature-based ransomware detection tools that monitor specifically for intermittent file encryption patterns or mass file renaming.

Critical Infrastructure Coalition ACI Government Partners with Federal Agencies to Bolster Defense A new coalition of critical infrastructure providers has partnered with federal agencies to streamline threat intelligence sharing and incident response coordination. This partnership is highly relevant to Florida, where the decentralized nature of municipal utilities requires a unified reporting structure.

Mini Shai-Hulud Worm Compromises Development Pipelines via Malicious npm Packages Security researchers have identified a successor to the Bitwarden CLI worm, dubbed “Mini Shai-Hulud,” that uses poisoned npm packages to automate credential exfiltration from continuous integration and continuous delivery (CI/CD) pipelines. The worm targets cloud provider tokens and exfiltrates them to public repositories, mimicking legitimate developer activity. This trend is significant for Florida’s IT and administrative sectors, as automated deployment pipelines are increasingly utilized for municipal web services and infrastructure management.

All Sectors Recommendations:

• Implement phishing-resistant multi-factor authentication, such as FIDO2-compliant security keys, to mitigate session hijacking via automated adversary-in-the-middle attacks.
• Identify all internet-facing VNC instances and secure them behind a virtual private network with multi-factor authentication to prevent unauthorized manipulation of industrial controls.
• Develop and test manual fallback procedures for all life-safety services to ensure operational resilience during a sustained cyber outage.
• Disable exposed ADB interfaces on internet-connected sensors and internet-of-things devices to prevent enrollment in distributed denial-of-service botnets.
• Shift toward automated vulnerability management to reduce exposure windows as artificial intelligence-assisted exploitation compresses the time between disclosure and weaponization.

Chemical Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Commercial Facilities Sector

Carnival Corporation Targeted in Ransomware Attack
ShinyHunters, a group known for data extortion, claimed responsibility for the theft of approximately 8.7 million Carnival Corporation records, including names, dates of birth, and loyalty program data, after gaining access through a phishing attack on a single employee account. Carnival confirmed the unauthorized access and activated its incident response plan but has not confirmed whether customer data was compromised. This incident highlights the ongoing exposure of large hospitality and entertainment venues within the commercial facilities infrastructure. Florida serves as the global epicenter for the cruise industry, with major hubs in Miami and Fort Lauderdale, making this breach directly relevant to the state’s economic and maritime safety. Relevant data are often exfiltrated to pressure operators during peak travel seasons. Organizations must prioritize segmenting guest services from core vessel navigation and administrative systems.

EnOcean SmartServer Flaws Expose Building Automation Systems to Remote Hijacking Security researchers disclosed multiple critical vulnerabilities in the EnOcean SmartServer IoT gateway, which is widely used in building automation systems (BAS). The flaws allow unauthenticated remote code execution (RCE) on the device, potentially giving attackers control over physical building systems, including lighting, climate control, and electronic locks. This discovery is relevant to Florida as many large-scale commercial facilities, such as stadiums and convention centers, rely on these gateways for facility management. Compromised systems could be used to disrupt operations or facilitate unauthorized physical access during high-traffic public events.

Commercial Facilities Sector Recommendations:

• Segment guest services and public-facing networks from core vessel navigation and administrative systems to prevent lateral movement during a ransomware intrusion.
• Patch EnOcean SmartServer IoT gateways immediately and restrict external network access to building automation systems to block unauthenticated remote code execution attempts.
• Monitor network environments for unauthorized data exfiltration activities that frequently precede ransomware deployment and extortion demands during peak operational seasons.

Communications Sector

VECTR-CAST: Elevated Telecom and MSP Targeting in Next 14 Days A private threat-forecast report released on May 4, 2026, highlights a heightened risk of ransomware and data-theft operations against United States telecommunications carriers and managed service providers (MSPs) over the next two weeks. The report notes that several ransomware groups have expanded affiliate recruiting and are prioritizing service providers with downstream critical infrastructure (CI) customers. This development is highly relevant to Florida, as the state’s extensive network of MSPs provides foundational support for municipal utilities and local government services, making these providers prime targets for “cascading” attacks designed to disrupt multiple downstream entities simultaneously.

Communications Sector Recommendations:

• Enforce strict multi-factor authentication and the principle of least privilege on all managed service provider remote access connections to prevent adversaries from pivoting into downstream municipal utility networks.
• Monitor telecommunications and managed service provider environments continuously for unauthorized affiliate activity or staging of data exfiltration tools that typically precede ransomware deployment.
• Prepare contingency plans to immediately sever or isolate administrative access from managed service providers if anomalous activity or cascading ransomware attempts are detected.
• Back up all critical configuration files and operational data to secure, offline storage to ensure rapid recovery capabilities for downstream local government services during a data-theft or encryption event.

Critical Manufacturing Sector

Stelia Aerospace Targeted in Apparent Ransomware Attack Impacting Industrial Operations Stelia North America, a major Airbus Atlantic subsidiary specializing in aerostructures, reportedly experienced a ransomware attack that disrupted its internal information technology (IT) systems. While the company stated that the incident was strictly contained to the Stelia North America IT environment and does not impact the broader Airbus Atlantic network, the breach highlights the persistent targeting of the aerospace supply chain by financially motivated actors. Rhysida, the ransomware group responsible, issued a $2.07 million ransom demand and claimed to possess 10 TB of data, including records associated with defense contractors such as Lockheed Martin, Northrop Grumman, Sikorsky, and Boeing. This incident is highly relevant to Florida’s extensive aerospace and defense technology clusters, particularly in the Space Coast and Northwest Florida regions. Relevant production data are often exfiltrated during these intrusions to pressure victims into payment. Manufacturers must prioritize hardening remote access gateways and implement immutable, offline backups of all critical engineering workstations and design files.

Critical Manufacturing Sector Recommendations:

• Harden remote access gateways to prevent initial unauthorized access by financially motivated threat actors targeting the aerospace supply chain.
• Implement immutable, offline backups for all critical engineering workstations and design files to ensure resilience against ransomware encryption and data extortion.
• Monitor internal information technology systems for unauthorized data exfiltration activities that frequently precede ransomware deployment and operational disruption.
• Segment critical manufacturing operations from internal information technology networks to prevent lateral movement and maintain operational resilience during a breach.

Dams Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Defense Industrial Base Sector (Updated)

Critical API Flaw In Defense Contractor Platform Exposes Military Data A high-severity vulnerability was identified in an application programming interface (API) used by a DoD contractor, which could have allowed unauthorized access to sensitive military logistics data. The flaw involved improper authentication handling, which allowed unprivileged users to query restricted records. This incident is highly relevant to Florida’s extensive defense industrial base, as many regional contractors utilize similar third-party APIs for automated data exchange, necessitating immediate audits of all external-facing service points.

Pentagon Changing Cybersecurity Training Requirement to Focus on Continuous Assessment The Pentagon is transitioning its cybersecurity training requirements from periodic annual certifications to a model of continuous, hands-on technical assessment. This change is designed to ensure the defense workforce remains proficient against rapidly evolving threats like AI-assisted exploitation. Florida-based defense contractors should anticipate updated compliance mandates that prioritize active defense skills and verified technical competency over traditional awareness training

Army Integrates Defense Industry Hackathon To Identify Supply Chain Flaws The United States Army has launched a new initiative to integrate defense industry partners into collaborative “hackathons” designed to identify vulnerabilities in the military supply chain. These events allow security researchers to probe contractor systems for weaknesses in a controlled environment. This development is significant for Florida contractors as it provides a proactive avenue to identify and remediate flaws before they can be exploited by advanced persistent threats (APTs).

Defense Industrial Base Sector Recommendations:

• Audit all external-facing APIs and service points to identify and remediate improper authentication handling.
• Transition internal training models to prioritize continuous technical assessments and hands-on skills over traditional annual awareness certifications.
• Incorporate high-speed data processing and AI-driven trajectory prediction into defense-related software to align with future command-and-control procurement standards.

Emergency Services Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Energy Sector

Operational Technology Information Sharing and Analysis Center Flags Rising Cyber Risk to Energy Environments The Operational Technology Cybersecurity Information Sharing and Analysis Center (OT-ISAC) issued an advisory regarding escalating risks to energy-sector operational technology. This warning cites recent destructive attacks abroad and the ongoing exploitation of internet-facing programmable logic controllers (PLCs) by Iranian-affiliated actors. Groups such as CyberAv3ngers are specifically refining attacks against Rockwell Automation and Allen-Bradley devices used in power generation. This development is relevant to Florida, where municipal power utilities rely on these specific controller types. Relevant telemetry data are often targeted to cause localized disruptions. Operators should verify that all OT assets are removed from the public internet.

Destructive Lotus Wiper Malware Targets Regional Energy Providers and Utilities Security researchers identified a new destructive malware variant, dubbed “Lotus,” utilized in targeted attacks against energy providers and utilities in Venezuela. The wiper is specifically engineered to permanently delete critical system files and master boot records (MBR), rendering affected systems permanently inoperable and unrecoverable. While this specific campaign is regional, the tradecraft used to bypass industrial security controls represents a significant “transferable risk” to United States energy infrastructure. Unlike ransomware, Lotus Wiper contains no payment demand or extortion mechanism. The sole objective is permanent, irreversible system destruction—indicating state-sponsored targeting rather than financial motivation. Standard ransomware response protocols do not apply. This news is relevant to Florida because state utility operators use similar industrial control systems (ICS) that could be targeted by malicious actors during periods of geopolitical escalation. Relevant telemetry data are essential for identifying unauthorized changes to system logic files. Energy providers should ensure that all critical configurations and backups for operational technology (OT) are stored in an immutable, offline format to ensure rapid recovery.

Itron Hackers Accessed Critical Infrastructure Operators Hackers breached Itron, a major provider of smart meters and grid management systems, though he breach was confined to Itron’s own corporate IT network and no unauthorized activity was observed in the customer-hosted portion of its systems and operations continued without material disruption. The full scope of the breach—including what data may have been accessed—remains under investigation. Given Itron’s role as a foundational supplier to energy and water utilities, this incident represents a significant third-party supply chain risk for Florida operators who rely on Itron’s platforms. While operational disruption to the grid has not been confirmed, the access granted to attackers potentially provided control over energy distribution endpoints. This is highly relevant to Florida’s Energy and Water sectors, which rely on similar AMI deployments. Florida operators should audit all third-party service account permissions and monitor for anomalous remote access activity originating from vendor-managed gateways.

Iranian-Linked Actors Continue OT Targeting Of U.S. Energy Sector A May 3, 2026, legal-sector brief reiterates that Iranian-linked cyber actors are actively probing and exploiting internet-facing OT used in United States energy facilities. These actors focus on insecure remote access, misconfigurations, and limited OT visibility to enable disruptive physical effects rather than pure data theft. This activity remains highly relevant to Florida as state energy providers rely heavily on internet-connected industrial hardware, making them susceptible to targeted efforts designed to cause operational downtime during periods of geopolitical escalation.

DOE’s Skyfall Testbed Highlights U.S. Preparation for Power-Grid Cyberattacks Lawrence Livermore National Laboratory (LLNL) publicized its Skyfall facility, a platform for modeling malware-driven attacks on power-grid ICS. The testbed is designed to evaluate defenses against Ukraine-style grid intrusions that could be replicated against United States utilities. This project is significant for Florida energy providers, as it provides a validated framework for testing the resilience of the state’s electric grid against sophisticated, state-sponsored, disruptive malware.

Nuclear Power Reaches Record 41 Percent Of Tennessee Valley Authority Generation Nuclear generation has reached a record high of 41 percent of the total power supply for the Tennessee Valley Authority (TVA), highlighting the growing reliance on nuclear energy for regional grid stability. This trend emphasizes the critical need to secure nuclear infrastructure against cyber-physical disruption. Florida’s energy providers must recognize that as nuclear generation becomes more foundational to the grid, the OT managing these facilities becomes a primary target for state-sponsored adversaries.

EPA Plan Allows Work on Data Centers and Power Plants Before Air Permits are Finalized A new Environmental Protection Agency (EPA) proposal would allow developers to begin preliminary work on data centers and power plants before final air quality permits are issued. The move aims to accelerate infrastructure growth to meet the energy demands of artificial intelligence. This development is significant for Florida’s energy sector, as it may lead to faster deployment of regional generation facilities but also necessitates a proactive approach to securing these new construction sites against physical and cyber intrusions.

PPL Corporation and Blackstone Announce Major Data Center Pipeline for Grid Stability PPL Corporation and Blackstone have announced a massive new pipeline for data center construction, highlighting the immense load growth currently challenging grid operators. The expansion focuses on facilities optimized for AI workloads, which require significantly higher power density than traditional data centers. This trend is highly relevant to Florida as the state’s own data center boom places increased strain on municipal power generation and requires coordinated load-shedding agreements with industrial consumers.

Energy Sector Recommendations:

• Verify all OT assets, particularly Rockwell Automation and Allen-Bradley programmable logic controllers, are removed from the public internet.
• Store all critical OT system configurations and industrial control system backups in an immutable, offline format to enable rapid recovery from destructive wiper attacks.
• Audit third-party service account permissions and monitor vendor-managed gateways for anomalous remote access activity impacting smart meter management systems.

Financial Services Sector

Federal Bureau of Investigation Identifies Financial Services as Second-Most Targeted Critical Infrastructure Sector (Source also cited under Healthcare and Public Health) Newly released Federal Bureau of Investigation (FBI) statistics show that the financial services sector experienced 447 combined ransomware and data-breach incidents in 2025. This makes it the second-most targeted critical infrastructure sector, just behind healthcare. The sustained pressure on banks, insurers, and payment processors underscores the high value that criminal actors place on financial records. Florida has a significant financial hub in Miami, making this trend relevant to the state’s economic stability. Relevant data are frequently targeted for financial fraud or high-stakes extortion. Organizations should prioritize real-time monitoring of external data flows and more rigorous vendor management protocols.

Threat Actors Abuse Google Ads for GoDaddy and ManageWP Phishing Campaigns Hackers are utilizing malicious Google Ads to impersonate legitimate GoDaddy and ManageWP login pages, targeting website administrators with sophisticated phishing campaigns. These ads lead to “poisoned” landing pages that harvest credentials to gain access to financial and administrative portals. This development is relevant to Florida, as many small businesses and financial service providers rely on these platforms for web management, making them susceptible to account takeovers that could facilitate further financial fraud.

Financial Services Sector Recommendations:

• Prioritize real-time monitoring of external data flows to identify and block unauthorized exfiltration of sensitive financial records.
• Enforce phishing-resistant multi-factor authentication on all web management and administrative portals to prevent account takeovers via poisoned landing pages.
• Implement robust AML controls and formal incident response protocols to mitigate the legal and operational risks associated with ransomware interactions.
• Perform rigorous vendor management assessments to identify and secure vulnerabilities within the supply chain that could facilitate financial fraud.

Food and Agriculture Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Government Services and Facilities Sector

Federal Shutdown Ends as Cybersecurity and Infrastructure Security Agency Faces Long Recovery Window Following the end of a record 75-day partial government shutdown, the Cybersecurity and Infrastructure Security Agency (CISA) is facing a significant backlog in vulnerability assessments and incident response support. The shutdown disrupted critical monitoring of state and local government networks, potentially allowing adversaries to establish persistent footholds. This development is significant for Florida as municipal agencies often rely on CISA for specialized technical support. Government facilities should conduct comprehensive audits of their perimeter hardware to identify any indicators of compromise (IOCs) that may have occurred during the reduced-oversight period.

Cyberattack Continues to Disrupt County Tax Operations In Mississippi As of May 3, 2026, a cyberattack continues to disrupt county tax operations in Adams County, Mississippi, specifically impacting the “car tag” processing system. The incident has forced officials to rely on manual workarounds, causing significant delays for residents as restoration efforts continue. While the specific attack type or actor has not been confirmed, this event serves as a tactical analog for Florida municipal government facilities, highlighting the immediate operational impact and public service strain caused by disruptions to specialized administrative tax and registration databases.

Hawaii AG Claims Someone is Impersonating the State’s CTO, a Role that Doesn’t Exist The Hawaii Department of the Attorney General issued a public warning in April 2026 that an individual named Iqbal Khowaja was fraudulently presenting himself as the ‘CTO of the State of Hawaii’ at national conferences, including the Bitcoin 2026 conference in Las Vegas, and on social media platforms. Hawaii has no state CTO position; the relevant leadership role is held by Chief Information Officer Christine Sakuda. This incident is relevant to Florida as a reminder that government officials and vendors should verify the credentials of individuals claiming to represent state technology agencies before sharing operational or organizational information.

Instructure Data Breach Highlights Risks Of School District Vendor Dependence A data breach at Instructure, the provider of the Canvas learning management system, has exposed sensitive information from multiple school districts. The breach resulted from unauthorized access to a third-party vendor environment where administrative data were stored. This incident underscores the systemic risk to Florida’s educational institutions, which rely heavily on centralized vendors for student and faculty data management, necessitating more rigorous third-party risk assessments.

Russia Operates Top-Secret Spy School For Hacking And Western Electoral Interference A joint investigation has revealed the existence of a specialized Russian intelligence facility dedicated to training operatives in advanced hacking and social engineering for Western electoral interference. The school focuses on bypass techniques for modern security software and the industrialization of “fake news” campaigns. This development is significant for Florida as the state’s political and government infrastructure remains a priority target for foreign influence and disruptive cyber operations.

San Diego Colleges Hit by Sophisticated Cyberattack Disrupting Campus Operations Several colleges in the San Diego area have experienced a major cyberattack that has disrupted campus networks, administrative systems, and student services. The incident forced the institutions to take many systems offline, impacting registration and financial aid processing. This event is a critical reminder to Florida’s higher education institutions that educational facilities are prime targets for ransomware and other disruptive attacks, necessitating robust network segmentation and off-site backups of essential academic and financial records.

Government Services and Facilities Sector Recommendations:

• Perform comprehensive audits of perimeter hardware to identify indicators of compromise that may have occurred during periods of reduced oversight.
• Verify mobile device management policies and ensure all government-issued hardware is strictly inventoried and secured with updated software.
• Implement rigorous third-party risk assessments for all administrative and educational vendors to mitigate systemic supply chain vulnerabilities.
• Conduct employee training on emerging social engineering tactics, including deepfake audio impersonation, to prevent unauthorized disclosure of network configurations.

Healthcare and Public Health Sector

Global Medical Device Manufacturer Medtronic Discloses Cyberattack on Internal Information Technology Network Medtronic, one of the world’s largest medical device manufacturers, disclosed that its internal information technology (IT) network was targeted in a sophisticated cyberattack on April 27, 2026. The company reported that while corporate systems were accessed, the intrusion did not disrupt manufacturing operations or impact the safety of patient devices. This incident highlights the persistent targeting of the medical technology supply chain by advanced persistent threat (APT) actors. This event is relevant to Florida healthcare networks because Medtronic products, including pacemakers and insulin pumps, are ubiquitous in clinical settings and widely used by the state’s large retiree population. Compromised corporate data are often utilized to identify vulnerabilities in product firmware or to facilitate social engineering against healthcare providers. Florida hospitals must prioritize vendor risk management and ensure that all medical devices are isolated on dedicated, non-routed network segments to prevent lateral movement.

FBI Urges Hospitals to Elevate Cybersecurity as a Patient Safety Priority A recent Federal Bureau of Investigation (FBI) briefing reports that the healthcare sector was the most targeted critical infrastructure sector in 2025, with 460 ransomware attacks and 182 data breaches. Organized cybercrime groups are deliberately prioritizing hospitals due to the life-or-death pressure to restore systems, prompting policy experts to call for terrorism designations for these attacks. This development is relevant to Florida’s extensive healthcare network and large retiree population, where disruptions to care can have immediate consequences. Relevant data are often exfiltrated to maximize extortion leverage. Hospitals should integrate cybersecurity into their broader clinical safety protocols and maintain redundant communication protocols for emergencies.

Sandhills Medical Foundation Discloses Ransomware Breach Affecting 170,000 Individuals Sandhills Medical Foundation confirmed a significant data breach following a ransomware attack that impacted the records of approximately 170,000 individuals. The compromised information included patient names, Social Security numbers, and clinical data. While the medical facility maintained clinical continuity, the large-scale exposure of sensitive records highlights the persistent threat to municipal healthcare systems. This incident is relevant to Florida as state medical networks and community health centers are primary targets for double-extortion campaigns. Relevant patient data are often exfiltrated before encryption to maximize extortion leverage. Healthcare providers should implement robust network segmentation and prioritize protecting diagnostic imaging and patient record systems.

Ransomware and Data-Theft Campaigns Persistent Threat to Healthcare Infrastructure Aggregated April 2026 incident reporting highlights that ransomware and data-theft campaigns against healthcare providers and medical technology firms continue to disrupt clinical operations. These attacks, which have included hospital IT outages that forced ambulance diversions and major breaches at global medical device manufacturers, expose large volumes of patient records. Ransomware remains a dominant threat to healthcare infrastructure, frequently using double-extortion tactics to pressure victims into paying. This development is relevant to Florida because the state’s large healthcare sector and major trauma centers are primary targets for sophisticated threat actors seeking high-leverage data. Relevant patient data are often exfiltrated before the encryption phase, necessitating a shift toward hardware-enforced protections. Organizations must prioritize developing clinical downtime procedures and isolating legacy medical devices to maintain life-safety services during a sustained technical outage.

U.S. Hospital Sector Launches New Cybersecurity Readiness Initiative After FBI Notes Healthcare as Top Ransomware Target In 2025 The American Hospital Association (AHA) and The Joint Commission announced a joint cybersecurity readiness effort to strengthen hospital defenses and incident response. This initiative follows the FBI’s report identifying healthcare as the leading sector for ransomware and cyber threats in 2025. Florida health systems are urged to participate in these voluntary readiness programs to align with national standards and mitigate the risks associated with high-volume ransomware attacks.

Data Breaches At Four Healthcare Providers Expose Sensitive Records In May 2026 Four major healthcare providers reported significant data breaches in early May 2026, resulting in the unauthorized exposure of patient medical records and personally identifiable information (PII). These incidents involved a mix of direct credential-stuffing attacks and the exploitation of vulnerabilities in third-party billing platforms. This trend is relevant to Florida, as the state’s large healthcare sector remains a primary target for ransomware groups seeking high-leverage data for double-extortion tactics.

Artificial Intelligence Finds Thirty-Eight Security Flaws In OpenEMR Healthcare Software Security researchers utilizing an AI-assisted software scanner identified thirty-eight previously unknown security vulnerabilities in OpenEMR, a widely used open-source electronic health record (EHR) platform. These flaws include critical remote code execution (RCE) and Structured Query Language (SQL) injection vulnerabilities that could allow unauthorized access to patients’ medical records. This development is significant for Florida, as many municipal health departments and smaller clinics utilize open-source EHR solutions for patient management. Relevant diagnostic data are at risk if APTs exploit these vulnerabilities. Organizations are urged to verify their OpenEMR versions and apply the latest security patches immediately.

Ransomware Group ‘The Gentlemen’ Claims Attack On Puerto Rico Community Hospital Caribbean Medical Center in Fajardo, Puerto Rico, disclosed a February ransomware attack claimed by “The Gentlemen,” an emerging double-extortion group. The intrusion led to the theft of data affecting approximately 92,000 patients, which was subsequently posted to the group’s leak site. This incident underscores the growing threat to regional healthcare providers and is relevant to Florida, given the close medical and social ties between the state and Puerto Rico.

Gentleman Ransomware Group Suffers Data Breach Exposing Internal Negotiator Communications In a significant turn, the “Gentleman” ransomware group, known for targeting healthcare providers, has reportedly suffered a data breach. The leak includes internal chat logs and negotiator communications, providing researchers with rare insight into the group’s operational structure and double-extortion tactics, techniques, and procedures (TTPs). This development is relevant to Florida healthcare networks as the exfiltrated data are being used to refine defensive strategies and better prepare hospital negotiators for future interactions with this specific threat cluster.

Healthcare and Public Health Sector Recommendations:

• Isolate all medical devices, such as pacemakers and insulin pumps, on dedicated, non-routed network segments to prevent lateral movement.
• Verify OpenEMR versions immediately and apply security patches to remediate remote code execution and SQL injection vulnerabilities.
• Integrate cybersecurity into clinical safety protocols and develop “manual-first” downtime procedures to sustain patient care during sustained technical outages.
• Participate in national readiness initiatives and implement phishing-resistant multi-factor authentication to protect sensitive patient records from credential-stuffing attacks.

Information Technology Sector

Malicious SAP npm Packages Compromised in Supply Chain Attack Targeting Developer Pipelines Security researchers identified several malicious packages on the npm registry that impersonate legitimate systems, applications, and product libraries (e.g., SAP) to facilitate supply chain compromises. These “poisoned” packages are designed to exfiltrate environment variables, cloud provider credentials, and Secure Shell (SSH) keys from developer workstations during installation. This incident is significant for Florida because many large-scale enterprises and municipal utilities use SAP for enterprise resource planning (ERP) and supply chain management. Relevant credential data is often stolen to facilitate further lateral movement into production environments. Florida development and operations (DevOps) teams must implement strict package verification and audit all package.json files for unauthorized dependencies.

New MOVEit Vulnerabilities Prompt Urgent Patch Warning Progress Software has issued an urgent advisory for two newly discovered vulnerabilities in its MOVEit Automation file transfer tool: CVE-2026-4670, a critical authentication bypass, and CVE-2026-5174, and improper input validation vulnerability that allows a high-severity privilege escalation. Exploitation of these flaws allows unauthorized access, administrative control, and data exposure. Scans indicate that over 1,440 internet-connected devices are running vulnerable versions, including those in state and local government agencies. o remediate these vulnerabilities, organizations must upgrade to a patched release using the full software installer, a process that requires temporarily taking the MOVEit Automation service offline. Scans indicate over 1,440 internet-connected devices are running vulnerable versions, including those in state and local government agencies. As of this bulletin’s publication, no confirmed in-the-wild exploitation has been reported. However, given the 2023 Cl0p campaign that weaponized a prior MOVEit flaw within hours of public disclosure, treating this as an imminent exploitation risk is prudent. Florida critical infrastructure entities relying on MOVEit Automation should immediately apply updates to prevent unauthorized data access.

Palo Alto PAN-OS Flaw Under Active Exploitation Leads to Remote Code Execution A critical vulnerability in Palo Alto Networks PAN-OS (CVE-2026-0300) is being actively exploited in the wild, allowing unauthenticated attackers to achieve root RCE. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog on May 6, 2026. The flaw exists in the User-ID Authentication Portal (Captive Portal) and has been used to deploy backdoors and harvest internal credentials. As of May 14, 2026, a patch has been available. This development is highly relevant to Florida’s public and private sectors, where Palo Alto firewalls are widely deployed as perimeter defenses; failure to patch immediately could result in a complete network compromise.

PyTorch Lightning Compromised in Supply Chain Attack via Python Package Index Security researchers identified a malicious version of the PyTorch Lightning library uploaded to the Python Package Index (PyPI). The compromised version contained a backdoor designed to exfiltrate developer secrets and establish persistent access to cloud environments. This supply chain attack targets the automated build pipelines of artificial intelligence (AI) developers. This news is significant for Florida’s information technology IT sector as local technology firms increasingly utilize these libraries for AI development. Relevant data are often exfiltrated through malicious environment variables, necessitating strict verification of all third-party libraries used in the software development life cycle (SDLC).

Google Remediates High-Severity Remote Code Execution Vulnerability in Gemini CLI Tool Google has issued a critical security patch to remediate a high-severity remote code execution (RCE) vulnerability in its Gemini Command-Line Interface (CLI) tool. The flaw, which received a Common Vulnerability Scoring System CVSS score of 10.0, allowed unauthenticated attackers to execute arbitrary commands within continuous integration and continuous delivery (CI/CD) pipelines. This vulnerability is highly relevant to Florida as state agency developers and municipal IT teams increasingly adopt AI-assisted automation for infrastructure management. Relevant build data may be exposed if the CLI tool remains unpatched. Organizations should immediately update all developer workstations and automated build environments to the latest version of the Gemini CLI.

Ransomware Groups Pivot to Abusing Remote-Access Pathways and SaaS Administrative Portals Ransomware intelligence reporting from the first quarter of 2026 shows that encryption-focused groups such as Inc, Akira, and Qilin are increasingly abusing remote-access pathways rather than using legacy virtual private networks (VPNs). Threat actors utilize compromised Single Sign-On (SSO), OAuth tokens, and Software-as-a-Service (SaaS) administrative access to infiltrate enterprise information technology (IT) environments. Once access is established, adversaries use extensive lateral movement to stage extortion operations against organizations that support critical infrastructure. This trend is significant for Florida because many state agencies and municipal utilities are migrating to cloud-based SaaS solutions, expanding the digital attack surface. Relevant credential data are often harvested through sophisticated phishing or by exploiting unpatched vulnerabilities in remote-access utilities. Organizations are urged to enforce phishing-resistant multi-factor authentication (MFA) and implement strict monitoring of administrative logs to detect unauthorized access to cloud-based management platforms.

National Security Agency Testing Anthropic Mythos AI Model to Identify Microsoft Software Flaws The National Security Agency (NSA) is reportedly testing Anthropic’s high-capability “Mythos” AI model to identify previously unknown vulnerabilities in Microsoft software. The model’s agentic capabilities allow it to perform complex, multi-step exploitation simulations. This development highlights a shift where AI is used to accelerate vulnerability discovery. This is relevant to Florida as the use of AI to find flaws could significantly collapse the patching window for state agencies and municipal utilities. Relevant data are being used to automate exploit discovery, necessitating that organizations move toward more rapid, automated responses to security patches.

Analysis Warns of Converging Cyber-Physical Threats to Critical Infrastructure and Agentic-AI-Driven OT Attacks An industry analysis outlined how cyber-physical threats are escalating as adversaries increasingly utilize operational technology (OT), artificial intelligence (AI) assisted tooling, and living-off-the-land (LOTL) techniques. These threats target the convergence points between OT and IT, hardening these gateway systems and auditing IT, particularly in the energy, water, and manufacturing sectors. Florida IT providers supporting critical infrastructure must prioritize hardening these gateway systems and auditing AI-assisted automation for potential prompt injection or unauthorized code execution.

OpenClaw Supply Chain Scanner Detects Backdoor in AI Agent Repositories The discovery of the “OpenClaw” backdoor in several open-source AI agent repositories highlights a significant supply-chain risk for DevOps teams. The malicious code allows for unauthorized RCE on systems where the AI agent is deployed. This is highly relevant to Florida IT providers that utilize AI-assisted automation, as failure to scan repositories could result in a complete compromise of sensitive administrative environments.

Researchers Spot Significant Uptick in Malicious Activity Targeting Vercel Infrastructure Cybersecurity researchers have identified a significant uptick in targeted attacks against Vercel infrastructure, focusing on the theft of environment variables and API keys. Attackers are leveraging “nested” supply-chain tactics to reach large-scale platform providers through smaller analytics firms. Florida IT organizations utilizing Vercel or similar CI/CD platforms should immediately rotate all production secrets and audit access logs for unauthorized activity.

Critical Security Flaws in Redis Expose Thousands of Servers to Unauthorized Access Multiple critical vulnerabilities have been disclosed in Redis, an open-source in-memory data structure store, that allow remote code execution and unauthorized data access. These flaws are being actively probed by botnets seeking to enlist servers into distributed-denial-of-service (DDoS) networks. This news is significant for Florida as Redis is widely used in the backend architectures of many state and municipal web applications, necessitating immediate patching to prevent system takeover.

Malicious NuGet Packages Distribution Campaign Targets Developer Workstations A new campaign is distributing “poisoned” NuGet packages designed to exfiltrate sensitive developer data, including SSH keys and cloud provider credentials. The packages impersonate legitimate libraries used for encryption and data processing. This attack targets the automated build pipelines of software developers, potentially allowing malware to propagate into enterprise applications. DevOps is used by software developers, potentially enabling teams to implement strict verification procedures for all third-party libraries.

DigiCert Revokes Certificates after Support Portal Hack In early April 2026, an unknown threat actor breached DigiCert’s internal support portal by infecting an analyst’s endpoint via a malicious payload disguised as a screenshot in a customer chat channel. The attackers proxy-accessed customer accounts to fraudulently obtain EV Code Signing certificates, allowing signed malware to bypass standard endpoint security controls. The campaign has been linked to GoldenEyeDog (APT-Q-27), a Chinese e-crime group associated with cryptocurrency theft. DigiCert subsequently revoked 60 certificates, including 27 explicitly linked to the attackers, that were used to sign the Zhong Stealer malware family. As a critical infrastructure-enabling vector, this breach presents supply chain risks for Florida critical infrastructure organizations that utilize DigiCert services or encounter newly signed malicious binaries.

Researchers Report Amazon SES Abused in Phishing to Evade Detection Cybersecurity researchers at Kaspersky report a significant increase in threat actors abusing the Amazon Simple Email Service (SES) to distribute convincing phishing emails that bypass standard reputation-based blocks and authentication checks. Attackers are leveraging automated bots like TruffleHog to harvest exposed Amazon Web Services (AWS), identity and access management (IAM) keys from GitHub repositories, .env files, and S3 buckets. Campaigns deliver fake document-signing notifications that imitate DocuSign and business email compromise attacks. Florida critical infrastructure organizations that utilize AWS should enforce least-privilege principles, enable multi-factor authentication, and regularly rotate IAM keys to mitigate exposure.

Wiz ZeroDay.Cloud Event Reveals 20-Year-Old PostgreSQL Vulnerabilities Security researchers have disclosed two critical vulnerabilities, CVE-2026-2005 and CVE-2026-2006, affecting the pgcrypto extension in PostgreSQL databases, which are present in numerous enterprise environments. CVE-2026-2005 involves a buffer overflow in pgp_parse_pubenc_sesskey during public key decryption, while CVE-2026-2006 causes out-of-bounds reads and writes via malformed UTF-8 in symmetric decryption. Exploitation permits logged-in users with basic create privileges to execute code as the database owner. Florida critical infrastructure administrators should immediately apply patches released for branches 14.21 through 18.2, restrict extension creation, and audit logs for anomalous Pretty Good Privacy (PGP) or JavaScript Object Notation (JSON) activity.

Weaver E-cology RCE Flaw CVE-2026-22679 Actively Exploited Via Debug API Threat actors are actively exploiting CVE-2026-22679, a critical unauthenticated RCE vulnerability in the Weaver E-cology enterprise office automation platform. The flaw affects versions before 20260312 and is triggered via the /papi/esearch/data/devops/dubboApi/debug/method endpoint. Attackers craft POST requests with manipulated interfaceName and methodName parameters to achieve arbitrary command execution. Observed campaigns involved dropping an MSI installer named fanwei0324.msi and executing discovery commands like whoami and ipconfig. Florida critical infrastructure networks running Weaver E-cology should immediately apply the vendor patches and restrict exposure of application programming interfaces for debugging.

New Stealthy Quasar Linux Malware Targets Software Developers via Supply Chain Attack Security researchers have identified a new variant of the Quasar Remote Access Trojan (RAT) specifically designed to target Linux environments used by software developers. The malware is distributed through compromised open-source repositories and is designed to exfiltrate SSH keys, API tokens, and cloud credentials. This trend is significant for Florida’s growing technology sector, as a compromise of a local developer could facilitate a supply-chain attack on larger enterprise or government platforms.

Argo CD ServerSideDiff Flaw Allows for Unauthorized Access to Kubernetes Environments A high-severity vulnerability in the Argo CD continuous delivery tool (CVE-2026-29014) allows unauthenticated users to gain access to sensitive information within Kubernetes environments. The flaw involves an improper implementation of the ServerSideDiff feature, which can be exploited to exfiltrate cluster configurations. This news is relevant to Florida as many state and municipal IT organizations utilize Argo CD for automated cloud deployments, necessitating immediate updates to version 2.11.0 or higher.

Poisoned Truth: The Quiet Security Threat inside Enterprise Artificial Intelligence Security researchers have disclosed a new class of threat dubbed “Poisoned Truth” attacks, which target the inference pipelines of enterprise AI models. By injecting malicious data into the model’s feedback loop, attackers can manipulate the AI to provide incorrect security guidance or bypass automated guardrails. This development is relevant to Florida’s critical infrastructure because the growing adoption of AI-assisted automation in municipal operations could be compromised, facilitating unauthorized access or operational sabotage.

SailPoint GitHub Repository Targeted in Third-Party Cyberattack Exposing Internal Tooling Identity management firm SailPoint confirmed that its GitHub repository was targeted in a cyberattack after an attacker compromised a third-party contractor’s credentials. The breach exposed internal tooling and configuration files, highlighting the persistent threat of “nested” supply chain attacks. This news is significant for Florida, as many state agencies use SailPoint for identity governance, making the security of its source code critical to regional administrative integrity.

Fake Claude Code Installer Distributes Malware Targeting Developer Credentials A malicious campaign is distributing fake installers for the “Claude Code” AI-assisted programming tool to infect developer workstations with infostealers. The installer appears legitimate but silently exfiltrates SSH keys and cloud provider tokens upon execution. This trend is relevant to Florida IT providers as local developers increasingly adopt AI-assisted coding tools, making them high-value targets for adversaries seeking access to enterprise deployment pipelines.

FCC Slightly Relaxes Foreign Router Ban to Allow Critical Software Updates Through 2029 The Federal Communications Commission (FCC) has slightly relaxed its ban on high-risk foreign routers, allowing for critical security software updates until 2029. The move aims to prevent existing hardware from becoming even more vulnerable while organizations transition to approved alternatives. This is significant for Florida’s IT sector as it provides a limited window for municipal utilities and agencies to maintain legacy perimeter hardware while planning for a comprehensive “rip-and-replace” cycle.

Information Technology Sector Recommendations:

• Apply critical security patches for Palo Alto PAN-OS, MOVEit Automation, and Redis instances immediately to remediate remote code execution and authentication bypass vulnerabilities.
• Implement strict package verification and audit all developer manifests for unauthorized npm, PyPI, and NuGet dependencies to prevent the exfiltration of administrative credentials.
• Enforce phishing-resistant multi-factor authentication on all Software-as-a-Service administrative portals to mitigate the risk of account takeover via session and token theft.
• Rotate all production secrets, including Amazon Web Services Identity and Access Management keys and Secure Shell keys, if unauthorized activity is detected in build environments.

Nuclear Reactors, Materials, and Waste Sector

No sector-specific incidents, advisories, or tactically relevant reporting were identified during this biweekly reporting period.

Transportation Systems Sector

Iran Utilizes Cyber Capabilities to Monitor and Threaten Maritime Traffic in Strait of Hormuz New analysis details how Iran is utilizing sophisticated cyber and electronic warfare capabilities to monitor and potentially disrupt maritime traffic through the Strait of Hormuz. These activities include Global Positioning System (GPS) spoofing and the interception of vessel communication systems to interfere with navigation. This development is relevant to Florida as a major maritime state, as the tradecraft used in these regional conflicts could be adapted to target Florida’s commercial ports and logistics networks during periods of geopolitical escalation.

Transportation Systems Sector Recommendations:

• Monitor maritime traffic networks and commercial port environments for localized GPS spoofing attempts or electronic warfare interference.
• Encrypt all vessel communication systems to prevent threat actors from intercepting sensitive navigation and logistics data.
• Implement redundant positioning, navigation, and timing systems to maintain safe maritime operations if primary GPS signals are disrupted.
• Establish manual navigation fallback protocols and drill operational contingencies for commercial ports facing targeted electronic interference.

Water and Wastewater Systems Sector

Dragos Intelligence Brief Details AI-Assisted Cyberattack on Water Infrastructure A tactical intelligence brief from Dragos detailed a sophisticated cyberattack targeting water infrastructure, in which threat actors used artificial intelligence (AI) to identify and exploit vulnerabilities in programmable logic controllers (PLCs). The attack resulted in the unauthorized manipulation of water pressure and treatment levels. This event provides a tactical analog for Florida water utilities, as the use of AI to automate vulnerability discovery significantly compresses the window for patching and defensive hardening of municipal water supplies.

UK Water Company Fined After Hackers Lurked Undetected for Nearly Two Years A major United Kingdom water utility was fined after the Cl0p ransomware group maintained undetected access to its IT network for nearly two years, exposing the personal data of over 630,000 individuals. The attackers exploited critical unpatched vulnerabilities, legacy operating systems, and excessive domain administrator privileges. This incident serves as a critical tactical analog for Florida water utilities, highlighting the need for comprehensive security operations center coverage, continuous vulnerability scanning, and strict enforcement of least privilege principles.

Water and Wastewater Systems Sector Recommendations:

• Prioritize the patching and defensive hardening of programmable logic controllers to defend against rapid, automated vulnerability discovery, and strictly monitor for unauthorized manipulations of water pressure or treatment levels.
• Execute deep behavioral monitoring across operational networks to detect adversaries utilizing living-off-the-land tactics that intentionally blend in with legitimate administrative activity.
• Remove all stale administrative accounts immediately and continuously audit administrative privileges to prevent state-sponsored actors from establishing and maintaining long-term persistent access.