HOMEFRONT Threat Assessment: April 2026
Classification: TLP:CLEAR | Assessment Period: April 2026 | Published: 24 April 2026
Executive Summary
April 2026 brought a convergence of active state-sponsored campaigns against US critical infrastructure: Iranian-affiliated actors are exploiting programmable logic controllers across water, power, and government systems [4], the GRU is targeting vulnerable routers for intelligence collection [5], and a major supply chain compromise of the Axios npm package (100M+ weekly downloads) hit the software ecosystem [8]. FBI reporting confirms US cybercrime losses reached $21 billion while threats to critical infrastructure continue to intensify [7], all against a backdrop of reduced federal election security protections ahead of the 2026 midterms [11].
What Changed Since March 2026
- CISA Adds Eight Known Exploited Vulnerabilities to Catalog | CISA
- CISA Adds One Known Exploited Vulnerability to Catalog | CISA
- Six Federal Agencies Just Issued an Emergency Warning: Iranian Hackers Are Attacking Water, Power, and Government PLCs Right Now | SecureIoT.house
- Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure | CISA
- Internet Crime Complaint Center (IC3) | Russian GRU Exploiting Vulnerable Routers to Steal Sensitive Information
- Pro-Iran hackers appear to increase critical infrastructure cyberattacks - Defense One
- FBI reports cyber threats to critical infrastructure intensify as US cybercrime losses hit $21 billion, exposes risk - Industrial Cyber
- Supply Chain Compromise Impacts Axios Node Package ...
- Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads | Trend Micro (US)
- No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours
- The State of Ransomware in Q1 2026
- Secret US cyber operations shielded 2024 election from foreign trolls, but now the Trump admin has gutted protections | CNN Politics
Iranian State-Affiliated Operations
- Current domestic activity: A joint advisory from six federal agencies confirmed Iranian-affiliated cyber actors are actively exploiting internet-facing programmable logic controllers across US water, power, and government OT systems [4]. Pro-Iran hackers have increased the tempo of critical infrastructure cyberattacks throughout April [6]. TTPs center on direct exploitation of PLCs exposed to the internet, targeting facilities that have not implemented proper network segmentation.
- Change from previous period: Significant escalation. This represents a shift from opportunistic access to active exploitation of OT devices across multiple critical infrastructure sectors. We assess with high confidence that this escalation is linked to the broader kinetic conflict under Operation Epic Fury.
- Cross-reference: The Iran country assessment and CENTCOM theater assessment provide full operational context, including the eightfold surge in Iranian-linked cyber operations across the Middle East and the uncertain ceasefire timeline.
Russian GRU Operations
- Current domestic activity: The FBI issued a public service announcement confirming Russian GRU exploitation of vulnerable routers to steal sensitive information from US government and private sector networks [5]. The campaign targets network infrastructure devices as collection platforms for espionage.
- Change from previous period: Steady state to slight escalation. While GRU router targeting is consistent with baseline pre-positioning activity, the FBI's public attribution indicates the campaign's scale or impact warranted broader warning.
- Cross-reference: The Russia country assessment details the disruption of a GRU-linked global router exploitation and DNS hijacking campaign by US authorities, as well as reporting on AI integration into Russian cyber operations.
PRC-Linked Operations
- Current domestic activity: No new US-specific advisories were issued this period, but the cross-theater context confirms Salt Typhoon intrusions into US telecommunications infrastructure remain active, and Storm-1175 is deploying Medusa ransomware through zero-day exploitation with 24-hour compromise cycles.
- Change from previous period: Sustained high tempo. No de-escalation indicators.
- Cross-reference: The China country assessment and INDOPACOM theater assessment cover PRC cyber operations in depth, including Dutch intelligence's assessment that Chinese cyber capabilities now match those of the United States.
DPRK Operations
- Current domestic activity: North Korean actors were linked to the supply chain attack against the Axios open-source project [8], per the DPRK country assessment. This represents targeting well beyond DPRK's traditional cryptocurrency focus and into broad software supply chain compromise affecting US developers and enterprises.
- Change from previous period: Escalation. The pivot to high-impact supply chain vectors signals expanded operational ambitions.
- Cross-reference: The DPRK country assessment covers the $500M+ cryptocurrency theft campaign and the Axios compromise in detail.
Water and Wastewater
- Current threats: Iranian-affiliated actors are actively exploiting PLCs in US water systems [4][3]. This campaign targets internet-facing OT devices, likely focusing on smaller utilities with limited cybersecurity resources.
- Defensive developments: The multi-agency joint advisory (AA26-097A) provides specific indicators and mitigations [4]. CISA's KEV catalog additions this period may include related vulnerabilities [1][2].
- Risk assessment: HIGH and rising. The combination of active state-sponsored targeting and the sector's well-documented resource constraints makes water infrastructure among the most at-risk sectors this period.
Energy (Grid, Pipeline)
- Current threats: Iranian PLC exploitation explicitly includes power sector targets [4][6]. GRU router exploitation campaigns also create risk for energy sector network infrastructure [5].
- Defensive developments: The joint advisory AA26-097A applies directly to energy sector OT environments [4].
- Risk assessment: HIGH. Dual-threat from Iranian active exploitation and Russian pre-positioning.
Healthcare
- Current threats: FBI reporting confirms healthcare remains a top ransomware target sector [7][10]. The cross-theater context notes Iranian wiper operations have expanded to healthcare targets.
- Risk assessment: ELEVATED. Ransomware pressure is sustained; state-sponsored wiper risk is a newer dimension.
Telecommunications
- Current threats: Salt Typhoon intrusions into US telecom providers remain active per cross-theater reporting. GRU router exploitation creates additional risk to network backbone infrastructure [5].
- Risk assessment: HIGH. Persistent PRC and Russian access to telecom infrastructure has both intelligence and pre-positioning implications.
Domestic Threat Landscape
No new publicly reported DVE incidents with significant cyber dimensions appeared in April 2026 source material. The FBI and DHS baseline assessment that domestic violent extremism remains the most persistent threat to the homeland continues to hold. FBI's IC3 annual reporting, which confirmed $21 billion in US cybercrime losses [7], reflects the broader threat environment but does not disaggregate DVE-specific cyber activity from the total.
The hacktivist dimension is most visible in pro-Iran groups increasing critical infrastructure cyberattacks [6]. These groups blur the line between state-directed and ideologically motivated operations, and defenders should not assume hacktivist-branded attacks lack state sponsorship or sophisticated capabilities.
No significant new insider threat cases or arrests with cyber dimensions were reported in this period's source material.
Election Security and Influence Operations
The most consequential development for 2026 midterm security is structural, not operational. CNN reported that the Trump administration has reduced federal election security protections that previously shielded the 2024 election from foreign interference [11]. The specific capabilities that were curtailed are not fully detailed in open reporting, but the reduction occurs while Russian, Chinese (Spamouflage), and Iranian (IUVM successors) influence operations remain active per baseline assessments.
No new foreign influence operation campaigns specifically targeting the 2026 midterms were publicly attributed in April source material. However, we assess with moderate confidence that the reduced federal posture creates opportunity for adversaries already positioned to conduct election-focused information operations.
Supply Chain and Technology Risks
April 2026 was an exceptionally active month for software supply chain attacks.
- Axios compromise: CISA issued an alert confirming a supply chain compromise of the Axios Node.js package, a JavaScript HTTP client with over 100 million weekly downloads [8]. The blast radius of this compromise is enormous given the package's ubiquity across enterprise and government applications. The DPRK country assessment links this attack to North Korean operators.
- Multi-ecosystem campaign: Within a 48-hour window, separate supply chain campaigns hit npm, PyPI, and Docker Hub simultaneously [9]. The coordination across three major package repositories suggests either a single sophisticated actor or multiple actors exploiting similar attack vectors in parallel.
- Defensive gap: The speed and breadth of these campaigns outpace most organizations' dependency scanning cadence. Teams running weekly or monthly software composition analysis are likely operating with stale data.
Cross-Theater Spillover
Four specific foreign developments create direct domestic cyber implications this month:
- Iran kinetic-to-cyber escalation: The CENTCOM assessment confirms Operation Epic Fury and a fragile ceasefire with no clear durability. The parallel cyber surge, including PLC exploitation of US water and power systems [4], is almost certainly retaliatory. If the ceasefire collapses, we assess with high confidence that Iranian cyber operations against the US homeland will intensify further.
- PRC pre-positioning tied to Taiwan contingency: The INDOPACOM assessment details the largest-ever Balikatan exercise with Japanese combat unit participation, while China conducted concurrent naval drills near Scarborough Shoal. Volt Typhoon pre-positioning in US critical infrastructure, per baseline reporting, is designed to be activated during exactly this type of escalation sequence.
- DPRK operational expansion: The DPRK country assessment confirms over $500 million stolen from cryptocurrency platforms and the Axios supply chain compromise in a single month. DPRK's operational tempo is funding both weapons programs and further cyber capability development, creating a self-reinforcing cycle.
- Russian hybrid retaliation risk: The EUCOM assessment notes the EU's 20th sanctions package targeting cryptocurrency services and energy revenues. The Russia country assessment assesses this almost certainly increases Moscow's motivation to retaliate through cyber means, with US-aligned infrastructure as viable targets.
Key Advisories Since Last Assessment
- AA26-097A: Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure (multi-agency joint advisory) [4]
- PSA260407: FBI/IC3 Public Service Announcement on Russian GRU Exploiting Vulnerable Routers [5]
- CISA KEV Updates: Eight vulnerabilities added April 20, one additional April 22, all confirmed actively exploited [1][2]
- CISA Supply Chain Alert: Supply Chain Compromise Impacts Axios Node Package (April 20)
- FBI IC3 Annual Report: Cybercrime losses reaching $21 billion with intensifying critical infrastructure threats [7]
Operational Implications
- OT/ICS is under active attack now. Iranian PLC exploitation is not theoretical; it's confirmed across water, power, and government sectors [4]. Any internet-facing PLC is a priority for immediate remediation.
- Software supply chain trust is degraded. The Axios compromise and the triple-ecosystem campaign within 48 hours [8][9] mean dependency scanning must shift from periodic to continuous. Pinned versions and hash verification are minimum requirements.
- Router infrastructure requires immediate attention. The GRU campaign targeting routers for espionage [5] means network defenders should audit all edge routing devices for known vulnerabilities, unexpected configurations, and indicators from the FBI PSA.
- Election security gaps are structural. Reduced federal protections [11] mean state and local election officials bear a larger share of the defensive burden ahead of the midterms. CTI teams supporting election infrastructure should plan for less federal top-cover than in 2024.
- Cybercrime financial impact demands executive attention. The $21 billion figure [7] provides quantitative backing for security investment cases. Use it.
Sources: [1][2][4][5][7][8][9][11]
Outlook
The trajectory for May 2026 depends heavily on the Iran ceasefire: its expiration or collapse would almost certainly trigger a second wave of destructive cyber operations against US critical infrastructure [4][6]. Separately, the Axios supply chain compromise's full impact likely has not yet been measured, and secondary exploitation of compromised downstream applications is probable [8]. Defenders should prepare for both an accelerating Iranian threat and cascading supply chain incidents through at least mid-Q2.
Sources: [4][6][8]
Red Sheep Assessment
Assessment (Moderate Confidence): The simultaneous surge in Iranian OT attacks, DPRK supply chain operations, and Russian router exploitation during April 2026 likely reflects more than coincidental timing. Available evidence suggests adversary operational calendars are at least loosely synchronized to exploit a period of reduced US defensive posture, particularly the documented drawdown of federal election security capabilities [11] and the operational distraction created by multiple concurrent crises. The Axios compromise [8] attributed to DPRK operators deserves particular scrutiny: a supply chain attack of this scale provides access that goes far beyond financial theft, and could serve as a platform for intelligence collection or pre-positioned access in government and critical infrastructure software stacks. Organizations that treat the Axios incident as a routine dependency update rather than a potential persistent access event are likely underestimating the risk.
Contrarian view: It's possible these campaigns are simply independent actors pursuing standing collection requirements, and the apparent coordination is an artifact of improved detection and reporting rather than genuine synchronization. But the concentration of multi-vector, multi-actor activity in a single month argues against pure coincidence.
Defender's Checklist
- [ ] Audit all internet-facing PLCs and OT devices immediately. Cross-reference against TTPs in CISA advisory AA26-097A [4]. Prioritize water, power, and government OT environments. Verify network segmentation between IT and OT networks. Disable internet-facing access to any PLC that does not absolutely require it.
- [ ] Scan all environments for compromised Axios package versions. Use npm audit, Snyk, or equivalent SCA tools to identify affected Axios installations. Pin to verified clean versions. Extend scanning to PyPI and Docker Hub dependencies given the multi-ecosystem campaign [9].
- [ ] Audit edge router configurations against FBI PSA260407 indicators. Check for unauthorized configuration changes, unexpected DNS settings, and unpatched firmware on all routing infrastructure [5]. Prioritize devices at network boundaries.
- [ ] Patch all nine KEV catalog additions from April 2026. Federal agencies have mandated deadlines in April-May 2026 [1][2]. Non-federal organizations should treat these as the same priority: confirmed active exploitation means the window for defensive action is narrow.
- [ ] Brief election infrastructure stakeholders on reduced federal support. If your organization supports state or local election systems, conduct a gap analysis against capabilities previously provided at the federal level [11]. Identify compensating controls before midterm preparation cycles begin.
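As an added example (not part of this assessment, CISA's alert, or the Axios project), the following Node.js script shows the "pin and hash-verify" control from the Operational Implications and the Axios checklist item in working form: it enumerates every installed copy of a named package in an npm lockfile, nested copies included, and flags any instance whose version or integrity hash differs from a pinned, verified value. The lockfile contents, version numbers and hashes are constructed placeholders, since this assessment does not list the affected or clean Axios releases.

```javascript
// Added example: audit an npm lockfile for every installed copy of a package
// (top-level and nested) against a pinned version and integrity hash.
// The lockfile, versions and hashes below are constructed placeholders; they are
// NOT the real affected or clean Axios releases, which this assessment does not list.

// Lockfile v2/v3 keeps a flat "packages" map keyed by install path;
// lockfile v1 keeps a nested "dependencies" tree. Both layouts are handled.
function findPackageInstances(lock, name) {
  const hits = [];
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      // Exact path match so that "axios-retry" never matches a query for "axios".
      if (p === `node_modules/${name}` || p.endsWith(`/node_modules/${name}`)) {
        hits.push({ path: p, version: meta.version, integrity: meta.integrity });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [n, meta] of Object.entries(deps)) {
        const where = `${prefix}node_modules/${n}`;
        if (n === name) hits.push({ path: where, version: meta.version, integrity: meta.integrity });
        if (meta.dependencies) walk(meta.dependencies, `${where}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Compare each instance to the pinned policy. A matching version with no integrity
// hash is still a finding: the lockfile then cannot prove which tarball was installed.
function auditInstances(instances, pinned) {
  return instances.map((inst) => {
    let status = "ok";
    if (inst.version !== pinned.version) status = "version-mismatch";
    else if (!inst.integrity) status = "missing-integrity";
    else if (inst.integrity !== pinned.integrity) status = "integrity-mismatch";
    return { ...inst, status };
  });
}

// Constructed sample lockfile (v3 layout) with a nested second copy of axios.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/axios": { version: "1.0.0", integrity: "sha512-PLACEHOLDER_PINNED" },
    "node_modules/some-sdk": { version: "2.0.0" },
    "node_modules/some-sdk/node_modules/axios": { version: "1.0.1", integrity: "sha512-PLACEHOLDER_OTHER" },
    "node_modules/axios-retry": { version: "4.0.0" },
  },
};
// Pinned, verified-clean values (placeholders; substitute the vetted release and its hash).
const PINNED_AXIOS = { version: "1.0.0", integrity: "sha512-PLACEHOLDER_PINNED" };

const findings = auditInstances(findPackageInstances(SAMPLE_LOCK, "axios"), PINNED_AXIOS);
for (const f of findings) console.log(`${f.status.padEnd(19)} ${f.version.padEnd(8)} ${f.path}`);
```

Run it against a real package-lock.json by replacing SAMPLE_LOCK with the parsed file; any status other than "ok" is an instance to remove or re-pin before the next build.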
Sources
- [1] "CISA Adds Eight Known Exploited Vulnerabilities to Catalog" - CISA, https://www.cisa.gov/news-events/alerts/2026/04/20/cisa-adds-eight-known-exploited-vulnerabilities-catalog
- [2] "CISA Adds One Known Exploited Vulnerability to Catalog" - CISA, https://www.cisa.gov/news-events/alerts/2026/04/22/cisa-adds-one-known-exploited-vulnerability-catalog
- [3] "Six Federal Agencies Just Issued an Emergency Warning: Iranian Hackers Are Attacking Water, Power, and Government PLCs Right Now" - SecureIoT.house, https://secureiot.house/iran-apt-plc-ot-joint-advisory-fbi-cisa-april-2026/
- [4] "Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure" - CISA, https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a
- [5] "Russian GRU Exploiting Vulnerable Routers to Steal Sensitive Information" - FBI IC3, https://www.ic3.gov/PSA/2026/PSA260407
- [6] "Pro-Iran hackers appear to increase critical infrastructure cyberattacks" - Defense One, https://www.defenseone.com/threats/2026/04/iran-hackers-infrastructure-cyberattacks/412941/
- [7] "FBI reports cyber threats to critical infrastructure intensify as US cybercrime losses hit $21 billion" - Industrial Cyber, https://industrialcyber.co/reports/fbi-reports-cyber-threats-to-critical-infrastructure-intensify-as-us-cybercrime-losses-hit-21-billion-exposes-risk/
- [8] "Axios NPM Package Compromised: Supply Chain Attack Hits JavaScript HTTP Client with 100M+ Weekly Downloads" - Trend Micro, https://www.trendmicro.com/en_us/research/26/c/axios-npm-package-compromised.html
- [9] "No Off Season: Three Supply Chain Campaigns Hit npm, PyPI, and Docker Hub in 48 Hours" - GitGuardian, https://blog.gitguardian.com/three-supply-chain-campaigns-hit-npm-pypi-and-docker-hub-in-48-hours/
- [10] "The State of Ransomware in Q1 2026" - Emsisoft, https://www.emsisoft.com/en/blog/47562/the-state-of-ransomware-in-q1-2026/
- [11] "Secret US cyber operations shielded 2024 election from foreign trolls, but now the Trump admin has gutted protections" - CNN Politics, https://www.cnn.com/2026/01/28/politics/hacking-disinformation-election-security