In-depth daily coverage of state-sponsored cyber operations, critical infrastructure attacks, space militarization, and emerging technology threats.
| Actor | Energy | Gov't | Defense | Finance | Telecom | Health | Transport | Tech | Other |
|---|---|---|---|---|---|---|---|---|---|
On Tuesday, March 17, Day 18 of Operation Epic Fury, the cyber and space domains saw convergence across five simultaneous fronts. Israeli airstrikes killed Ali Larijani, Iran's de facto security chief and the country's most senior surviving leader, triggering the deepest internet blackout of the 18-day conflict as connectivity collapsed to roughly 1 percent of normal levels per NetBlocks. Handala-linked pro-Iranian hackers were confirmed to be expanding their targeting to US defense contractors, power stations, water plants, and hospitals. The European Union issued its largest single-day cyber sanctions package, targeting Chinese and Iranian entities. CISA published four Industrial Control System advisories and confirmed FBI engagement with Stryker Corporation. In space, SpaceX crossed the 10,000 active Starlink satellite threshold with two Falcon 9 launches. NVIDIA announced orbital AI compute hardware with direct military ISR applications. Threat researchers disclosed active campaigns by North Korean Konni, the GlassWorm supply-chain operation, and newly documented LeakNet ransomware tactics.
At 12:00 p.m. UTC on March 17, NetBlocks director Alp Toker reported that Iranian internet connectivity "rapidly collapsed," reaching the most severe disconnection since the conflict began on February 28. Traffic sat at approximately 1 percent of normal levels. Semi-official Iranian news organizations abruptly stopped posting. The Times of Israel confirmed the blackout deepened further as the day progressed, coinciding with Israeli airstrikes that killed Ali Larijani and Basij commander Gholamreza Soleimani during the same operational window.
The blackout is a government-imposed information control measure, not infrastructure damage from strikes. Iran's own communications ministry has estimated the economic cost at $35.7 million per day, and by March 17 Iranians had spent more than a third of 2026 in near-total digital darkness. Despite the domestic blackout, Iran's offensive cyber units continued operating from external infrastructure with pre-positioned access. According to Akamai Technologies, global malicious cyber activity has surged 245 percent since February 28, with Iranian-attributed operations accounting for 14 percent of observed attack traffic.
Iranians attempting to communicate externally relied on satellite internet terminals including Starlink units smuggled across the border, encrypted peer-to-peer applications, and pre-arranged messaging protocols. Iran's leadership, having shut down domestic internet access as an information warfare tool, simultaneously deprived its own civilian population of external reporting on military casualties and strike locations, a pattern consistent with its responses to the 2019 fuel protests and the 2022 Mahsa Amini demonstrations.
Israeli airstrikes on the night of March 16 to 17 killed Ali Larijani, secretary of Iran's Supreme National Security Council and the country's de facto leader following Supreme Leader Khamenei's death on February 28. Also killed in the same operational window were Larijani's son Morteza, his office chief, several bodyguards, Basij commander Gholamreza Soleimani, and Soleimani's deputy. Israeli Defense Minister Israel Katz confirmed the operation, thanking air force pilots, intelligence personnel, and "our American partners." Iran's Supreme National Security Council confirmed the death via Tasnim News Agency and the IRGC launched missile salvos against Israel within hours.
The cyber implications of Larijani's death are significant. He had served as the primary interlocutor with Russia on the Khayyam military satellite and had overseen MOIS and IRGC cyber operations since 2024. The Soufan Center's March 17 IntelBrief assessed that Iran's cyber apparatus was already operating under "maximum authorization" since the conflict began, but that the killing of the SNSC chief removed one of the few remaining actors who could constrain escalation decisions. CSIS separately published analysis warning that US critical infrastructure attack risk was "immediately urgent" and would likely remain elevated for four to five weeks.
An Associated Press investigation published March 17 documented Iranian-linked hackers broadening targeting to US defense contractors, power stations, water treatment facilities, and hospitals, corroborated by Symantec and Carbon Black findings of backdoors installed on US company networks as early as late February. Iran's Tasnim News Agency published a target list naming Amazon, Microsoft, Palantir, and Oracle. Poland's government simultaneously announced it was investigating a cyberattack on a nuclear research facility with indicators pointing to Iran, representing a geographic expansion of retaliatory operations into European critical infrastructure.
The Council of the European Union announced Council Implementing Regulation (EU) 2026/589 on March 17, sanctioning three entities and two individuals in the largest single-day action under the EU's horizontal cyber sanctions regime. The package targeted adversaries across two threat vectors: Chinese commercial front companies providing tools to state-sponsored APT groups, and Iranian operators conducting influence operations against EU infrastructure and elections.
Integrity Technology Group, the Beijing-based firm assessed as providing operational infrastructure to the Flax Typhoon APT, was sanctioned for enabling the compromise of 65,000 devices across six EU member states between 2022 and 2023. The US Treasury had sanctioned the same entity in January 2025. Anxun Information Technology (i-SOON) and its two co-founders were sanctioned for providing hacking-for-hire services used to target government and critical infrastructure in multiple EU member states. Internal i-SOON documents leaked in 2024 exposed the company's contracts with Chinese state intelligence agencies.
Emennet Pasargad, an Iranian company linked to the IRGC, was sanctioned for three documented operations: compromising a French subscriber database to steal 230,000 Charlie Hebdo customer records, hijacking advertising billboards during the 2024 Paris Olympics to broadcast anti-Israel disinformation, and compromising a Swedish SMS distribution service affecting large numbers of EU citizens. The FBI has previously attributed the "Holy Souls" persona to Emennet Pasargad operators. The EU's cyber sanctions list now covers 19 individuals and 7 entities. China's foreign ministry opposed the sanctions, urging Brussels to "correct its erroneous approach."
CISA Acting Director Nick Andersen confirmed at the McCrary Institute on March 17 that both CISA and FBI had engaged directly with Stryker Corporation executives following the March 11 wiper attack attributed to Handala, the hacktivist persona assessed as operated by Iran's Ministry of Intelligence and Security. The attack used Microsoft Intune mobile device management to remotely wipe over 200,000 devices across 79 countries. Stryker CEO Kevin Lobo confirmed restoration efforts were underway, but full operational recovery was not confirmed as of March 17.
Separately, threat researchers at Cyber Security News published findings on March 17 that MuddyWater, an MOIS-subordinate APT, had been maintaining unauthorized access to multiple US organizations across banking, aviation, and defense supply chains since at least February 2026, using the Dindoor backdoor family and a Rust-based variant that relies on Telegram as command-and-control infrastructure. The group was also documented targeting IP cameras across the Middle East to build pattern-of-life intelligence on IRGC commanders and Israeli facilities. The Hacker News separately reported that MuddyWater was deploying a new Dindoor backdoor variant against US networks, with the campaign active as of the date of publication.
CISA published four Industrial Control System advisories on March 17. ICSA-26-076-01 addressed vulnerabilities in the Festo Automation Suite (CODESYS-based, critical manufacturing sector). ICSA-26-076-02 covered Schneider Electric SCADAPack and RemoteConnect affecting energy sector deployments. ICSA-26-076-03 flagged Schneider Electric EcoStruxure Data Center Expert for hard-coded credentials (CWE-798) affecting commercial facilities, energy, food and agriculture, government, and transportation sectors. ICSA-26-076-04 addressed the Siemens SICAM SIAPP SDK, with Siemens recommending that power grid transmission and distribution operators verify their resilient protection measures.
CISA's March 16 addition of CVE-2025-47813 to the Known Exploited Vulnerabilities catalog received widespread reporting on March 17. The vulnerability, an information disclosure flaw in Wing FTP Server that leaks full installation paths via oversized UID cookies, is potentially chainable with CVE-2025-47812, a CVSS 10.0 critical remote code execution flaw. Wing FTP's customer base includes the US Air Force, Sony, Airbus, and Reuters across roughly 10,000 organizations. Federal civilian executive branch agencies face a March 30 remediation deadline under Binding Operational Directive 22-01. SecurityWeek and BleepingComputer both published detailed analyses of the exploitation chain on March 17.
CISA's Office of Cybersecurity, Energy Security, and Emergency Response (CESER) announced at the McCrary Cyber Summit on March 17 that it would release its first-ever formal strategic plan. CESER, which was established in 2018, had operated for six years without a written strategy document, a gap that has drawn criticism from congressional oversight committees during the current conflict period.
SpaceX launched two Falcon 9 missions on March 17, crossing the threshold of 10,000 active Starlink satellites in low Earth orbit. Starlink 17-24 lifted off from Vandenberg Space Force Base at 0519 GMT carrying 25 V2 Mini satellites on booster B1088's 14th flight, a vehicle previously used on NRO classified missions. Starlink 10-46 lifted off from Cape Canaveral Space Force Station at 1327 GMT carrying 29 V2 Mini Optimized satellites. Both first-stage boosters landed successfully. These were SpaceX's 33rd and 34th Falcon 9 missions of 2026 and the 377th and 378th Starlink launches overall.
The military significance of the 10,000-satellite threshold is substantial. Starlink terminals have provided battlefield communications in Ukraine since 2022 and have been covertly distributed into Iran during Operation Epic Fury, enabling civilian internet access despite the government blackout. The constellation's resilience, with no single point of failure and global coverage at low latency, makes it functionally unjammable at scale, a strategic advantage that has shaped US military communications doctrine. Iran has conducted GPS jamming operations affecting over 1,650 vessels in the Persian Gulf since February 28, but Starlink's use of Ka and Ku frequency bands with electronically steered phased array antennas provides substantially greater resistance to jamming than GPS-dependent navigation systems.
NVIDIA announced the Vera Rubin Space-1 Module at its GTC 2026 conference on March 17, a data-center-class AI processing platform designed for orbital operations delivering up to 25 times the AI compute performance of the H100 GPU. Six commercial partners (Aetherflux, Axiom Space, Kepler Communications, Planet Labs, Sophia Space, and Starcloud) were named as early deployment customers. The hardware is radiation-hardened for the space environment and draws from the same Vera Rubin architecture underpinning terrestrial AI data centers.
On the same day, Kepler Communications announced the commissioning of the world's first commercially operational space-based scalable cloud infrastructure with distributed AI edge compute, consisting of 40 NVIDIA Jetson Orin GPU modules across 10 satellites interconnected through real-time optical inter-satellite links. The system is compatible with the US Space Development Agency's Proliferated Warfighter Space Architecture, enabling direct integration with military data relay networks. Military applications for orbital AI compute include real-time change detection in ISR imagery, RF signal classification, automated target recognition, and on-orbit processing of hyperspectral sensor data without downlinking raw data to ground stations, substantially reducing latency for time-sensitive targeting cycles.
BAE Systems announced on March 17 a contract from Robins Air Force Base to sustain the AN/ALQ-221 Advanced Defensive System for the U-2 Dragon Lady reconnaissance aircraft fleet. The AN/ALQ-221 is the U-2's integrated electronic warfare suite, providing radar warning, electronic countermeasures, and threat detection. U-2 assets have been actively employed in support of Operation Epic Fury for ISR collection over Iran. The contract covers system sustainment and modernization under the existing U-2 sustainment vehicle, with no publicly disclosed dollar value or term.
GomSpace announced on March 17 that it had been selected for the European Defence Agency's VLEO-DEF program, a 15.65 million euro initiative to develop Europe's first dedicated Very Low Earth Orbit military satellite operating between 250 and 350 kilometers altitude. VLEO provides higher-resolution ISR imagery and reduced signal latency compared to conventional LEO altitudes of 500 to 600 kilometers, at the cost of increased atmospheric drag requiring continuous propulsion. GomSpace will contribute satellite bus and subsystem technology to the three-year program. MDA Space began its first trading day on the NYSE following a $300 million US IPO on March 17, having previously been selected for the US Missile Defense Agency's SHIELD program.
South Korean cybersecurity firm Genians published a detailed disclosure on March 17 of a multi-stage campaign by Konni, a North Korean APT group whose indicators overlap with those of Kimsuky and APT37, targeting individuals involved in North Korean human rights activities and South Korean government-adjacent organizations. The attack chain began with spear-phishing emails impersonating official government appointment letters, delivering PowerShell-based payloads that ultimately installed EndRAT, RftRAT, and RemcosRAT implants compiled via AutoIt.
The novel element of this campaign was the group's use of compromised victim endpoints to hijack active desktop sessions of KakaoTalk, South Korea's dominant messaging platform, and distribute malicious archive files to trusted contacts. Because the messages originated from legitimate, known accounts rather than attacker-controlled infrastructure, recipients had no automated mechanism to identify them as malicious. Command-and-control infrastructure was distributed across servers in Finland, Japan, and the Netherlands. The Hacker News and Cyber Security News both published detailed technical analyses on March 17. UPI had first reported the campaign on March 16, citing the Genians report.
SecurityWeek and BleepingComputer published updated analysis on March 17 of the GlassWorm supply-chain campaign, active since approximately March 8, documenting a new technique designated ForceMemo. The attack uses stolen GitHub OAuth tokens to force-push malicious commits to Python repositories, npm packages, and Visual Studio Code extensions while rewriting git history and preserving original commit messages, leaving no pull request or conventional commit trail in project notification systems. At the time of March 17 reporting, 433 compromised components had been identified across GitHub, npm, VSCode Marketplace, and OpenVSX.
The malware payload targets cryptocurrency wallet credentials, SSH keys, and browser-stored passwords. Suspected threat actors are assessed as Russian-speaking based on malware code that skips execution on systems with Russian locale settings. Command-and-control infrastructure uses the Solana blockchain for instruction delivery, a technique that exploits the difficulty of blocking legitimate blockchain traffic. SC Media noted the campaign represents an evolution beyond the initial GlassWorm wave, with ForceMemo's git history rewriting technique specifically designed to defeat repository monitoring tools that rely on commit diffs for anomaly detection.
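The detection gap ForceMemo targets is a monitor that only inspects new commit diffs. The following added example (not GlassWorm research or any project's tooling) shows the check that does catch it: a monitor that remembers the last head SHA it saw for each branch and, on the next observation, tests whether that SHA is still reachable from the new head, then looks for commits whose messages were preserved while their tree contents changed. The commit graph, SHAs, messages and tree hashes are constructed so the code runs offline.

```python
"""Detecting a force-push history rewrite that preserves commit messages.

Added example, not GlassWorm research or any project's tooling. The repository
is modelled as plain dicts so it runs offline; every SHA, message and tree hash
below is constructed. A monitor that records the last head it observed for each
branch can, on the next observation, detect a non-fast-forward update (the old
head is no longer an ancestor of the new one) and then pair old and new commits
by message to find the ones whose content was silently replaced.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Commit:
    sha: str
    parent: Optional[str]   # linear history: a single first parent
    message: str
    tree: str               # hash of the file tree snapshot at this commit


def ancestors(graph: Dict[str, Commit], head: str) -> List[Commit]:
    """First-parent walk from head back to the root, head first."""
    out: List[Commit] = []
    cur: Optional[str] = head
    while cur is not None:
        commit = graph[cur]
        out.append(commit)
        cur = commit.parent
    return out


def is_ancestor(graph: Dict[str, Commit], old: str, new: str) -> bool:
    return any(c.sha == old for c in ancestors(graph, new))


def audit_push(graph: Dict[str, Commit], branch: str,
               last_seen_head: Optional[str], new_head: str) -> dict:
    """Classify one observed branch update."""
    finding = {"branch": branch, "force_push": False, "rewritten": []}
    if last_seen_head is None or is_ancestor(graph, last_seen_head, new_head):
        return finding                    # ordinary fast-forward update
    finding["force_push"] = True
    # Index the pre-rewrite history by message; if a message repeats, the
    # first (newest) occurrence wins, which is adequate for this illustration.
    old_by_msg: Dict[str, Commit] = {}
    for c in ancestors(graph, last_seen_head):
        old_by_msg.setdefault(c.message, c)
    for c in ancestors(graph, new_head):
        prior = old_by_msg.get(c.message)
        if prior is not None and prior.tree != c.tree:
            # Same message, different content: the commit was recreated.
            finding["rewritten"].append((prior.sha, c.sha, c.message))
    return finding


# Constructed object store, as a monitor that keeps every SHA it has fetched
# would hold it: the pre-rewrite commits remain after the branch moved.
REPO: Dict[str, Commit] = {c.sha: c for c in [
    Commit("a1", None, "Initial import", "t-a1"),
    Commit("b2", "a1", "Add CI config", "t-b2"),
    Commit("c3", "b2", "Fix typo in README", "t-c3"),
    Commit("d4", "c3", "Bump version", "t-d4"),        # legitimate follow-up
    Commit("b2x", "a1", "Add CI config", "t-b2x"),      # rewritten: new content
    Commit("c3x", "b2x", "Fix typo in README", "t-c3x"),
]}

if __name__ == "__main__":
    print(audit_push(REPO, "main", "c3", "d4"))    # fast-forward, no finding
    print(audit_push(REPO, "main", "c3", "c3x"))   # force-push, two rewrites
```

Against a real repository the same logic runs over `git rev-list --first-parent` output, with the recorded head SHAs stored outside the repository so a history rewrite cannot also erase the baseline.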
ReliaQuest and BleepingComputer published technical analysis on March 17 of LeakNet, a ransomware group that has shifted from purchasing initial access from brokers to using ClickFix social engineering via compromised legitimate websites. The ClickFix technique presents victims with fake browser error messages or CAPTCHA prompts that instruct them to manually execute a PowerShell command, bypassing automated security controls by placing the execution decision in the hands of the user. The Hacker News published a parallel analysis on the same day.
LeakNet's delivery chain incorporates a Deno JavaScript runtime-based in-memory loader that executes Base64-encoded payloads entirely in memory without writing files to disk, producing minimal forensic artifacts for endpoint detection tools. Post-compromise activity involves jli.dll side-loading for defense evasion, PsExec for lateral movement, and staging of exfiltrated data to attacker-controlled S3 buckets before ransomware deployment. LeakNet has averaged approximately three victims per month but is assessed as scaling. No specific attribution to a nation-state has been made; the group is assessed as financially motivated.
Akamai published a detailed exploit analysis on March 17 of CVE-2026-21513, a CVSS 8.8 security feature bypass in Microsoft's MSHTML rendering engine (ieframe.dll), attributing active exploitation to APT28 (Fancy Bear), Russia's GRU-linked cyber espionage group. The flaw stems from weak URL validation in the hyperlink navigation logic of the legacy Internet Explorer engine embedded in Windows, allowing arbitrary code execution when a victim opens a crafted document. A malicious sample with indicators tied to APT28 infrastructure was uploaded to VirusTotal on January 30, 2026, demonstrating that exploitation began at least 12 days before Microsoft's February 2026 Patch Tuesday addressed the flaw. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on February 10.
The Hacker News and Vulert both published analyses on March 17 corroborating the attribution and documenting the exploit mechanics. APT28 has historically targeted European governments, NATO members, political organizations, and defense contractors. The choice of MSHTML as an attack surface reflects the group's pattern of exploiting legacy components that persist in modern Windows builds for backward compatibility. Federal agencies were already under remediation requirements for this vulnerability from the February KEV addition.
BeyondTrust researchers disclosed on March 17 that Amazon Bedrock's AgentCore Code Interpreter, designed to execute code in an isolated sandbox with no external network access, can be exploited to exfiltrate data via DNS queries even when network access is disabled. The technique enables interactive reverse shells and command-and-control channels through DNS tunneling, bypassing the network isolation controls. Amazon was notified and acknowledged the finding; no CVE assignment was confirmed as of March 17.
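When a sandbox advertises "no network access" but still resolves names, the resolver log becomes the control point. The following added example (not BeyondTrust's research or Amazon's code) applies the usual DNS-tunnel heuristics to constructed resolver log lines: many distinct subdomains under one zone, with long, high-entropy label prefixes. The log layout, thresholds and the use of the last two labels as the "registered domain" are all illustrative assumptions.

```python
"""Spotting DNS-tunnel traffic in resolver logs.

Added example, not BeyondTrust's or Amazon's code. The log lines are constructed
in a simple "<epoch> <client> <qname> <qtype>" layout; the heuristics (distinct
subdomains per zone, prefix length, prefix entropy) and thresholds are
illustrative, and "registered domain" is approximated as the last two labels
(no public-suffix handling).
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Set

SAMPLE_LOG = """\
1773720001 10.0.4.17 www.example.com A
1773720002 10.0.4.17 api.example.com A
1773720003 10.0.4.17 mail.example.com MX
1773720004 10.0.4.18 cdn-static.example.com A
1773720005 10.0.4.18 login.example.com A
1773720006 10.0.9.3 k7q3m9x2vz8n4p1wt6ryb5dg0fjh.exfil-example.net TXT
1773720007 10.0.9.3 a2s9d8f7g6h5j4k3l1z0x4c5v6b7.exfil-example.net TXT
1773720008 10.0.9.3 q1w2e3r4t5y6u7i8o9p0zxcvbnml.exfil-example.net TXT
1773720009 10.0.9.3 m4n8b2v6c0x1z3l5k7j9h1g2f4d6.exfil-example.net TXT
1773720010 10.0.9.3 p9o8i7u6y5t4r3e2w1q0asdfghjk.exfil-example.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores well above hostname words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def subdomains_by_zone(log_text: str) -> Dict[str, Set[str]]:
    """Group each query's client-controlled prefix under its zone."""
    zones: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        labels = parts[2].rstrip(".").lower().split(".")
        if len(labels) < 3:
            continue                      # apex query: no prefix to carry data
        zones[".".join(labels[-2:])].add(".".join(labels[:-2]))
    return zones


def flag_tunnel_candidates(log_text: str, min_unique: int = 5,
                           min_len: float = 20.0,
                           min_entropy: float = 3.5) -> List[str]:
    """Zones whose prefixes look like encoded payloads, not hostnames."""
    flagged = []
    for zone, prefixes in subdomains_by_zone(log_text).items():
        payloads = [p.replace(".", "") for p in prefixes]
        mean_len = sum(len(p) for p in payloads) / len(payloads)
        mean_ent = sum(shannon_entropy(p) for p in payloads) / len(payloads)
        if (len(prefixes) >= min_unique and mean_len >= min_len
                and mean_ent >= min_entropy):
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_tunnel_candidates(SAMPLE_LOG))   # ['exfil-example.net']
```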
The same disclosure batch covered CVE-2026-25750 (CVSS 8.5) in LangSmith, a development platform for LLM applications built by LangChain, allowing URL parameter injection to steal user authentication tokens. SGLang, an open-source LLM serving framework, was found to contain two related flaws (CVE-2026-3059 and CVE-2026-3060) involving unsafe pickle deserialization in its runtime API, enabling remote code execution by an unauthenticated attacker with network access to the SGLang server. The Hacker News published full technical details on March 17. These vulnerabilities are particularly significant in the context of the Iran conflict given the named presence of Amazon (AWS) and Microsoft on Iran's published target list.
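The SGLang flaws above are described only as unsafe pickle deserialization in a runtime API, so the following added example (not SGLang code) shows the generic failure mode and two fixes: `pickle.loads()` resolves and calls whatever globals the byte stream names, so a restricted `Unpickler` whose `find_class()` only returns an allow-listed class (the approach the Python pickle documentation recommends) or a data-only format such as JSON removes the client's ability to name code. The request type and both byte blobs are constructed for the example.

```python
"""Unsafe pickle deserialization beside two safer ways to accept the same data.

Added example, not SGLang code. GenerateRequest is a hypothetical request type,
and both blobs are constructed here. The "untrusted" blob names a harmless
callable (len) so the demonstration is safe to run, but any global the client
names would be resolved and invoked the same way by pickle.loads().
"""
import io
import json
import pickle
from dataclasses import dataclass


@dataclass
class GenerateRequest:
    """Hypothetical request the serving API expects."""
    prompt: str
    max_tokens: int


class CallsLenOnLoad:
    """Stand-in for a client-supplied blob that names a callable: unpickling
    it runs len("abc") and yields 3, proving code ran during load."""
    def __reduce__(self):
        return (len, ("abc",))


TRUSTED_BLOB = pickle.dumps(GenerateRequest("hello", 8))
UNTRUSTED_BLOB = pickle.dumps(CallsLenOnLoad())


def load_unsafe(blob: bytes):
    """The vulnerable pattern: trust the client's bytes completely."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only the one class the API legitimately needs."""
    ALLOWED = {(GenerateRequest.__module__, GenerateRequest.__qualname__)}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return GenerateRequest
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def load_restricted(blob: bytes) -> GenerateRequest:
    obj = RestrictedUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, GenerateRequest):
        raise pickle.UnpicklingError("unexpected object type")
    return obj


def restricted_rejects(blob: bytes) -> bool:
    """True when the hardened loader refuses the blob."""
    try:
        load_restricted(blob)
    except pickle.UnpicklingError:
        return True
    return False


def load_json(raw: bytes) -> GenerateRequest:
    """Preferred: a data-only format plus explicit field validation."""
    data = json.loads(raw)
    if not isinstance(data.get("prompt"), str) or \
            not isinstance(data.get("max_tokens"), int):
        raise ValueError("malformed request")
    return GenerateRequest(data["prompt"], data["max_tokens"])
```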
The BreachForums data leak marketplace went offline around March 15 to 17 after the Cyber Counter-Intelligence Threat Investigation Consortium (CCITIC), a private non-profit group, identified upstream infrastructure hosted on DigitalOcean servers in Frankfurt, Germany and filed abuse reports resulting in service termination. Both the clearnet domain and Tor hidden service returned 502 errors. The forum administrator posted a farewell message before the shutdown was complete.
The takedown was not a law enforcement action and did not involve arrests or domain seizures, unlike the FBI-led operations that previously disrupted earlier BreachForums iterations. Security researchers at Cybernews and SOCRadar noted that previous disruptions have consistently been followed by reconstitution under new infrastructure within weeks. The forum had been operating under instability since a January 2026 breach exposed approximately 324,000 user accounts and leaked internal moderation records. Resecurity published an analysis of the data from that breach. The practical near-term effect of the takedown on cybercriminal operations is assessed as limited given the forum's history of rapid relaunch.
Ransomware tracking data published March 17 documented 177 attack victims posted to dark web leak sites in the seven-day period ending March 17. Qilin led all groups with 30 claimed victims, followed by active postings from Akira, LockBit, Lynx, and Play. The United States accounted for 50.8 percent of global activity. Separately, Medusa ransomware publicly claimed responsibility on or around March 17 for an attack on the University of Mississippi Medical Center, the state's only academic medical center, demanding $800,000. The original intrusion date was February 19. Medusa also claimed Passaic County, New Jersey, in the same posting cycle.
The medtech sector continued under elevated pressure following the Stryker wiper attack. Intuitive Surgical, manufacturer of the da Vinci robotic surgery system, disclosed a phishing-based breach of business and customer data approximately March 13, becoming the second major medtech company hit in a single week. MDDIONLINE noted this was the second major medtech incident in seven days. No attribution was made in the Intuitive Surgical case and the attack was not assessed as connected to Iranian operations.