HOMEFRONT Threat Assessment: March 2026
Period: 01-31 March 2026 | Classification: TLP:CLEAR | Producer: Red Sheep Security
Executive Summary
March 2026 is assessed to be the highest-risk month for US homeland cyber defense since the start of the Russia-Ukraine war. The ongoing US-Iran armed conflict has likely driven Iranian escalation of cyber operations against US critical infrastructure as kinetic options diminish, while the ODNI's annual threat assessment confirmed escalating cyber risks from all four primary nation-state adversaries [8]. Simultaneously, CISA issued urgent advisories on active exploitation of Microsoft SharePoint (CVE-2026-20963) [1][3][4] and endpoint management systems [2], and the FBI is investigating suspicious cyber activity on a system holding sensitive surveillance information.
Iran (IRGC-CEC and Proxies)
- Current domestic activity: The FBI issued a reminder in early March about potentially malicious Iranian cyber actor activity, disseminated to the healthcare sector via the American Hospital Association [7]. Reporting from the CENTCOM theater assessment confirms MuddyWater pre-positioning in US airport, banking, and software supply chain networks, with over 53 pro-Iranian threat groups active. An Iranian-linked disruptive attack against medical technology firm Stryker has been confirmed (per Iran country assessment, corroborated by open-source reporting attributing the attack to Handala). Iranian-aligned actors are also assessed to be using AI-enhanced capabilities to augment operations against US critical infrastructure [10].
- Change from previous period: Significant escalation. The destruction of IRGC-CEC's physical headquarters in February strikes has not degraded cyber capability (per Iran country assessment). Retaliatory cyber operations have intensified. Iran's new Supreme Leader has publicly stated retaliation is "not complete."
- Cross-reference: See Iran country assessment and CENTCOM theater assessment for full operational picture. The April 6 deadline referenced in CENTCOM reporting on US energy infrastructure strikes makes the next 30 days critical.
China (PRC-Attributed Clusters)
- Current domestic activity: The ODNI report confirmed China as a primary nation-state cyber threat to US critical infrastructure [8]. Salt Typhoon has still not been fully remediated from over 200 global telecom networks (per China country assessment). At least five distinct PRC-attributed intrusion clusters are active against Western infrastructure, including newly disclosed campaigns (UNC2814/GRIDTIDE, UAT-8837, Warp Panda/BRICKSTORM). Leaked "Expedition Cloud" documents reportedly indicate PRC offensive cyber ranges rehearsing attacks on critical infrastructure (per China country assessment).
- Change from previous period: Steady state to slight escalation. The 15th Five-Year Plan codifies minimum 7% annual R&D spending increases (per China country assessment) that will almost certainly fund offensive cyber capabilities [B1]. Pre-positioning campaigns for a Taiwan contingency almost certainly continue [B1].
- Cross-reference: See China country assessment and INDOPACOM theater assessment for pre-positioning details and PLA pressure on Taiwan.
Russia (GRU/FSB/APT28)
- Current domestic activity: The ODNI report identifies Russia as a primary threat to US critical infrastructure [8]. The Russia country assessment confirms APT28 weaponized a Microsoft Office vulnerability within 24 hours of disclosure and is running a global campaign targeting encrypted messaging accounts of government and military personnel (per Russia country assessment). Russian intelligence is actively sharing information with Iran against US military assets (per Russia country assessment and EUCOM theater assessment), creating a force-multiplying dynamic.
- Change from previous period: Escalation. Russian-Iranian operational convergence, including hacktivist coordination, represents a new and compounding threat vector for US defenders.
- Cross-reference: See Russia country assessment and EUCOM theater assessment for energy infrastructure targeting and sanctions dynamics.
North Korea (DPRK)
- Current domestic activity: Treasury sanctioned six individuals and two entities tied to DPRK IT worker fraud generating nearly $800 million annually (per North Korea country assessment). The Contagious Interview campaign expanded with 26 new malicious npm packages compromising enterprise developer environments (per North Korea country assessment). The ODNI report lists DPRK among the top four threats [8].
- Change from previous period: Escalation. The 9th Party Congress formalized AI, electronic warfare, and anti-satellite weapons as five-year priorities (per North Korea country assessment), signaling expansion beyond financial theft.
- Cross-reference: See North Korea country assessment for full scope of IT worker fraud and developer supply chain operations.
Healthcare
- Current threats: The FBI issued a specific reminder about Iranian cyber actor threats, disseminated to healthcare via AHA [7]. The FBI also issued FLASH-20260320-001 warning of Iran MOIS cyber actors using Telegram as C2 to push malware [5], which AHA subsequently disseminated to the healthcare sector [6]. The confirmed Stryker attack (per Iran country assessment) demonstrates that healthcare and medical technology remain primary targets.
- Defensive developments: FBI and AHA are actively pushing warnings to the sector. Defenders should review the FBI FLASH alert (FLASH-20260320-001) for indicators of compromise [5]. Note: The FLASH specifically addresses Iran MOIS targeting of Iranian dissidents, journalists, and opposition groups, but the Telegram C2 TTPs have broader defensive value.
- Risk assessment: HIGH and rising. Healthcare sits at the intersection of Iranian retaliatory targeting, ransomware ecosystem activity [B1], and Telegram-based malware delivery campaigns.
Energy
- Current threats: The ODNI report specifically calls out escalating cyber risks to energy infrastructure [8]. The CENTCOM theater assessment references an April 6 deadline tied to US energy infrastructure strikes. Russian GRU/FSB units maintain persistent access to US energy and water infrastructure [B1], and what is assessed to be the first coordinated ICS attack on distributed renewable energy infrastructure (Poland, per Russia country assessment) provides a potential template for US-directed operations.
- Defensive developments: CISA's endpoint management hardening advisory [2] applies directly to energy sector OT management systems.
- Risk assessment: HIGH. The convergence of Iranian retaliatory motivation, Russian persistent access, and the demonstrated ICS attack on renewables in Europe creates a multi-vector threat environment.
Telecommunications
- Current threats: Salt Typhoon remediation remains incomplete across over 200 global telecom networks (per China country assessment). The ODNI assessment confirms China as a primary threat to this sector [8]. Russian campaigns targeting encrypted messaging accounts further threaten communications security (per Russia country assessment).
- Defensive developments: No new sector-specific advisories this period.
- Risk assessment: HIGH, steady. The unresolved Salt Typhoon compromise is a persistent structural vulnerability.
Government / Federal
- Current threats: The FBI is investigating suspicious cyber activity on a system holding sensitive surveillance information. CISA added at least one actively exploited vulnerability to the KEV catalog [1], and CVE-2026-20963 in Microsoft SharePoint poses immediate risk to government collaboration environments [3][4]. CISA workforce reductions (per open-source reporting) degrade the federal cyber defense posture at a critical time.
- Defensive developments: BOD 22-01 mandates federal agency remediation of KEV-listed vulnerabilities [1]. CISA issued endpoint management hardening guidance [2].
- Risk assessment: HIGH and worsening. The combination of active exploitation campaigns, the FBI system investigation, and reduced CISA capacity creates compounding risk.
Domestic Threat Landscape
No new publicly reported DVE arrests, disrupted plots, or insider threat cases with cyber dimensions appeared in this period's source material. The FBI and DHS standing assessment that DVE remains the most persistent domestic threat to the homeland [B1] has not been updated or contradicted.
The use of Telegram by cyber actors for malware distribution [6] is relevant to the broader technology trend: legitimate messaging platforms are increasingly being repurposed as attack delivery vectors across the threat spectrum. Defenders should note that threat actors across the spectrum (nation-state, criminal, and domestic) are converging on the same platforms.
The FBI investigation into suspicious activity on its own surveillance systems is a significant development. The FBI has stated it "identified and addressed suspicious activities" but has not characterized the scope or impact of the incident.
Election Security and Influence Operations
No new election-specific incidents or advisories appeared in this period's source material. The baseline threat from Russian IRA successors, Chinese Spamouflage, and Iranian IUVM operations remains active [B1]. The convergence of Russian and Iranian hacktivist operations (per CENTCOM and Russia assessments) could plausibly extend to influence operations targeting US political discourse, though no specific reporting confirms this for March 2026.
Supply Chain and Technology Risks
- Developer supply chain: DPRK's Contagious Interview campaign expanded with 26 new malicious npm packages targeting enterprise developer environments (per North Korea country assessment). This is a direct threat to US software supply chains.
- Endpoint management systems: CISA's March 18 alert [2] signals that adversaries are targeting endpoint management infrastructure as a force-multiplier. Compromising these systems gives attackers broad, administratively privileged access across enterprises.
- AI-enhanced threats: Iranian-aligned actors are assessed to be using AI capabilities to enhance cyber operations against US infrastructure [10]. DPRK has formalized AI as a five-year development priority (per North Korea country assessment). These developments indicate that AI-augmented attacks will likely become standard tradecraft rather than a novelty.
- SharePoint exploitation: Active exploitation of CVE-2026-20963 [3][4] represents a direct software vulnerability risk to any organization running unpatched SharePoint, which includes a substantial portion of the federal government and Fortune 500.
Cross-Theater Spillover
CENTCOM to Homeland: The US-Iran conflict is the single largest driver of domestic cyber risk this month. The CENTCOM assessment identifies over 60 active threat groups, confirmed MuddyWater pre-positioning in US banking, aviation, and defense supply chains, and an April 6 deadline on energy infrastructure strikes. This maps directly to the FBI's March 3 reminder about Iranian cyber actors [7] and the elevated threat reporting from Cybersecurity Dive.
EUCOM to Homeland: Russian intelligence sharing with Iran against US military assets (per Russia and EUCOM assessments) could potentially extend to information on US network architecture that would enhance Iranian targeting of domestic systems, though no specific reporting confirms this mechanism. APT28's 24-hour exploit weaponization timeline (per Russia country assessment) means any vulnerability disclosure affecting US government or enterprise systems is a race condition.
INDOPACOM to Homeland: PRC pre-positioning via Volt Typhoon and related clusters continues with the explicit purpose of disruption capability during a Taiwan contingency [B1]. The INDOPACOM assessment notes PLA military pressure on Taiwan is sustained, meaning the pre-positioning campaigns are almost certainly running at high tempo against US domestic infrastructure.
AFRICOM to Homeland: MuddyWater targeting of the META region (per AFRICOM assessment) and African organizations facing above-average cyberattack rates (per Check Point reporting [9]) create conditions where compromised African entities could potentially serve as pivot points into US corporate networks via supply chain relationships. This is an analytical assessment; no specific incidents confirming this pathway have been reported.
Key Advisories Since Last Assessment
- CISA KEV Catalog Addition (2026-03-18): CVE-2026-20963 (Microsoft SharePoint) added, confirmed actively exploited, BOD 22-01 remediation required [1][3][4]
- CISA Endpoint Management Hardening Alert (2026-03-18): Issued following the March 11 cyberattack against Stryker Corporation exploiting endpoint management infrastructure [2]
- CVE-2026-20963 (Microsoft SharePoint): Critical deserialization vulnerability (CVSS 9.8), confirmed active exploitation [3][4]
- FBI FLASH-20260320-001 (2026-03-20): TLP:CLEAR alert on Iran MOIS cyber actors deploying Telegram C2 to push malware targeting Iranian dissidents, journalists, and opposition groups [5]
- FBI Reminder on Iranian Cyber Actors (2026-03-03): Reissued reminder to implement mitigations from a June 2025 fact sheet on Iranian-affiliated cyber actor threats, disseminated via AHA to healthcare [7]
- Telegram Malware Distribution Alert (2026-03-23): AHA dissemination to healthcare sector of FBI FLASH-20260320-001 warning of Telegram abuse for malware delivery [6]
Operational Implications
- Iranian retaliatory cyber operations are the top immediate domestic threat. The combination of confirmed pre-positioning in US networks, an active armed conflict, and stated intent to continue retaliation creates conditions for disruptive attacks against energy, healthcare, financial services, and transportation. Defenders in these sectors should treat this as a wartime footing [7].
- Patch CVE-2026-20963 and harden endpoint management systems immediately. Both are under active exploitation. SharePoint is ubiquitous in federal and enterprise environments, and endpoint management compromise provides adversaries with administrative-level lateral movement capability [1][2][3][4].
- CISA workforce reductions create an intelligence and coordination gap. With reduced staffing, federal civilian cybersecurity coordination is degraded. Private sector and SLTT organizations should not assume the same level of support from CISA and should strengthen direct relationships with sector ISACs and FBI field offices.
- Audit for Telegram traffic in enterprise networks. Its use as a C2 and malware delivery mechanism means permitted Telegram traffic could mask adversary operations. Review firewall rules and endpoint detection logic for Telegram-related indicators [6].
- Screen developer environments for malicious npm packages. DPRK's Contagious Interview expansion with 26 new packages means any organization with JavaScript/Node.js development workflows is at risk of supply chain compromise.
Sources: [1][2][3][4][5][6][7][8][10][B1]
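Added example (not from the assessment or its sources) of the Telegram traffic audit recommended above: a Python sweep of proxy logs that flags any client reaching api.telegram.org or t.me (or a subdomain of either) that is not on an authorized-device list, skipping malformed records rather than aborting. The log format, client IPs and the authorized-device inventory are constructed for illustration.

```python
"""Flag enterprise hosts reaching Telegram infrastructure from proxy logs.

Added example for the Telegram audit item in this assessment; not the
producer's own tooling. Log format, client IPs and the authorized-device
list are constructed for illustration.
"""
import re

# Domains named in the assessment (api.telegram.org, t.me). A host matches if
# it equals one of these or is a subdomain of it; extend from your own intel.
TELEGRAM_DOMAINS = ("telegram.org", "t.me")

# Constructed inventory: devices where Telegram use is explicitly authorized.
AUTHORIZED_TELEGRAM_HOSTS = {"10.0.5.21"}

# Constructed proxy log: epoch_ts client_ip method url status (one per line).
SAMPLE_PROXY_LOG = """\
1711000001.123 10.0.5.21 GET https://api.telegram.org/bot<redacted>/getUpdates 200
1711000002.456 10.0.7.88 POST https://api.telegram.org/bot<redacted>/sendDocument 200
1711000003.789 10.0.9.13 GET https://t.me/joinchat/<redacted> 200
1711000004.000 10.0.9.13 GET https://www.example.com/ 200
1711000005.000 10.0.4.2 GET https://nottelegram.org/ 200
this line is malformed and must be skipped, not crash the sweep
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.IGNORECASE)


def host_of(url):
    """Extract the lowercase hostname from a URL ('' if it has no scheme)."""
    m = HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def is_telegram_host(host):
    """True for the listed domains and their subdomains; 'nottelegram.org' is not a match."""
    return any(host == d or host.endswith("." + d) for d in TELEGRAM_DOMAINS)


def find_unauthorized_telegram(log_text, authorized=AUTHORIZED_TELEGRAM_HOSTS):
    """Return {client_ip: [(method, host), ...]} for clients not on the authorized list."""
    findings = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines so one bad record does not abort the sweep
        client, host = m.group("client"), host_of(m.group("url"))
        if client in authorized or not is_telegram_host(host):
            continue
        findings.setdefault(client, []).append((m.group("method"), host))
    return findings


if __name__ == "__main__":
    for client, hits in find_unauthorized_telegram(SAMPLE_PROXY_LOG).items():
        print(f"{client}: {len(hits)} Telegram connection(s) -> {sorted(set(h for _, h in hits))}")
```

Each flagged client is a host to investigate per the checklist, not a confirmed compromise; a POST to the bot API from a non-authorized device is the pattern most worth prioritizing.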
Outlook
The next 30 days represent the most dangerous window for US domestic cyber defense since early 2022. The CENTCOM assessment's April 6 deadline on energy infrastructure, Iran's stated intent to continue retaliation, and the convergence of Russian-Iranian cyber cooperation all point toward likely escalation. Any further deterioration of CISA's operational capacity or a confirmed compromise of FBI surveillance systems would materially degrade the US ability to detect and respond to what is almost certainly a coming wave of targeted operations.
Red Sheep Assessment
Assessment (Moderate Confidence): The sources collectively indicate that the US homeland cyber defense posture is structurally degraded at the exact moment adversary motivation and capability are peaking. This is not merely about Iranian retaliation or Chinese pre-positioning in isolation. The critical signal is the simultaneous occurrence of: CISA workforce reductions, the FBI investigating suspicious activity on its own surveillance infrastructure, active exploitation of enterprise staples like SharePoint and endpoint management systems [2][3], and four nation-state adversaries all assessed as escalating [8]. The conventional framing treats these as separate problems. We assess they compound into a single systemic vulnerability: the US domestic detection and response apparatus is thinner than at any point since its post-9/11 buildout, and adversaries know it.
A contrarian read: Iran's cyber operations may be deliberately calibrated to appear more threatening than they are, creating a deterrence signal without triggering kinetic escalation. The Stryker attack and pre-positioning disclosures could be intentional exposure, meant to signal capability rather than presage a large-scale destructive campaign. But the risk calculus does not change for defenders. Defenders should prepare for the worst case.
Defender's Checklist
- [ ] Patch CVE-2026-20963 on all SharePoint instances. Confirm patch status via SCCM/Intune. If patching is delayed, apply CISA-recommended mitigations and monitor SharePoint server logs for anomalous authentication and file access patterns [3][4].
- [ ] Audit endpoint management system configurations per CISA's March 18 hardening guidance [2]. Verify administrative credentials are rotated, MFA is enforced on management consoles, and management server network segments are isolated from general user traffic.
- [ ] Review and action FBI FLASH-20260320-001 indicators. Note: This FLASH addresses Iran MOIS use of Telegram C2 to target Iranian dissidents, journalists, and opposition groups. IOCs are most relevant for organizations with employees or contacts matching this target profile, but the Telegram C2 TTPs have broader defensive value. Pull the TLP:CLEAR PDF from IC3 [5], extract IOCs, and sweep SIEM and EDR logs for matches. Ingest into threat intelligence platforms.
- [ ] Block or monitor Telegram-related network traffic. Create detection rules for Telegram API endpoints (api.telegram.org, t.me) at the proxy/firewall layer. Investigate any endpoint communicating with Telegram infrastructure that is not an authorized user device [6].
- [ ] Scan developer environments for malicious npm packages associated with the Contagious Interview campaign. Run npm audit across all repositories and compare installed packages against published IOC lists from DPRK threat reporting. Restrict installation of unvetted packages in CI/CD pipelines.
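Added example (not from the assessment) of the package sweep in the last checklist item: a Python check that walks a package-lock.json, including transitively installed (nested) dependencies in both the v1 and v2/v3 lockfile layouts, and reports every installed package matching an IOC list. The lockfile and the IOC entries are constructed placeholders, not real Contagious Interview indicators.

```python
"""Sweep a package-lock.json for packages on an IOC list (nested deps included).

Added example for the npm checklist item in this assessment; not the
producer's own tooling. The lockfile and IOC entries are constructed
placeholders, not real Contagious Interview indicators; substitute the
published package lists from DPRK threat reporting.
"""
import json

# Constructed placeholders: package name -> set of malicious versions, or None
# when every version published under that name is an indicator.
IOC_PACKAGES = {
    "example-malicious-pkg": None,
    "example-typosquat-utils": {"1.2.3", "1.2.4"},
}

# Constructed lockfileVersion 3 document with one transitively installed hit.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/example-typosquat-utils": {"version": "1.2.3"},
        "node_modules/some-lib": {"version": "2.0.0"},
        "node_modules/some-lib/node_modules/example-malicious-pkg": {"version": "0.0.9"},
        "node_modules/example-typosquat-utils-safe": {"version": "9.9.9"},
    },
})


def package_name(path):
    """Name for a lockfile 'packages' key: the segment after the last 'node_modules/'."""
    # Nested keys look like node_modules/a/node_modules/b; scoped names keep '@scope/'.
    return path.rpartition("node_modules/")[2]


def _v1_entries(deps, prefix=""):
    """Yield (path, meta) from a lockfileVersion 1 'dependencies' tree, recursively."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        yield path, meta
        yield from _v1_entries(meta.get("dependencies", {}), path + "/")


def find_ioc_packages(lockfile_text, iocs=IOC_PACKAGES):
    """Return sorted (path, name, version) for every installed package on the IOC list."""
    lock = json.loads(lockfile_text)
    if lock.get("lockfileVersion", 1) >= 2:
        entries = lock.get("packages", {}).items()  # v2/v3: flat map keyed by install path
    else:
        entries = _v1_entries(lock.get("dependencies", {}))
    hits = []
    for path, meta in entries:
        if not path:
            continue  # "" is the root project itself
        name = package_name(path)
        if name not in iocs:
            continue
        version = meta.get("version", "")
        bad_versions = iocs[name]
        if bad_versions is None or version in bad_versions:
            hits.append((path, name, version))
    return sorted(hits)


if __name__ == "__main__":
    for path, name, version in find_ioc_packages(SAMPLE_LOCKFILE):
        print(f"IOC match: {name}@{version} at {path}")
```

Exact name matching is deliberate: the lookalike "example-typosquat-utils-safe" is not reported, so lookalike detection needs a separate typosquat check rather than a looser match here.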
Visual Intelligence (interactive panels not reproduced here): Timeline (7 events); Entity Graph (25 entities, 102 relationships); Diamond Model.
Sources
- [1] "CISA Adds One Known Exploited Vulnerability to Catalog" - CISA, https://www.cisa.gov/news-events/alerts/2026/03/16/cisa-adds-one-known-exploited-vulnerability-catalog
- [2] "CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization" - CISA, https://www.cisa.gov/news-events/alerts/2026/03/18/cisa-urges-endpoint-management-system-hardening-after-cyberattack-against-us-organization
- [3] "CISA warns of active exploitation of Microsoft SharePoint vulnerability (CVE-2026-20963)" - Help Net Security, https://www.helpnetsecurity.com/2026/03/19/sharepoint-vulnerability-cve-2026-20963-exploited/
- [4] "CISA Warns of Attacks Exploiting Recent SharePoint Vulnerability" - SecurityWeek, https://www.securityweek.com/cisa-warns-of-attacks-exploiting-recent-sharepoint-vulnerability/
- [5] "FBI FLASH-20260320-001: Government of Iran Cyber Actors Deploy Telegram C2 to Push Malware to Identified Targets" - FBI/IC3, https://www.ic3.gov/CSA/2026/260320.pdf
- [6] "Alert warns of cyber actors using Telegram messaging app to push malware" - AHA News, https://www.aha.org/news/headline/2026-03-23-alert-wants-cyber-actors-using-telegram-messaging-app-push-malware
- [7] "FBI reminds of potentially malicious activity by Iranian cyber actors" - AHA News, https://www.aha.org/news/headline/2026-03-03-fbi-reminds-potentially-malicious-activity-iranian-cyber-actors
- [8] "ODNI report: US critical infrastructure faces escalating cyber risks from China, Russia, Iran, and North Korea" - Industrial Cyber, https://industrialcyber.co/reports/odni-report-us-critical-infrastructure-faces-escalating-cyber-risks-from-china-russia-iran-and-north-korea/
- [9] "North America's Cyber Security Threat Reality in 2026" - Check Point Blog, https://blog.checkpoint.com/research/north-americas-cyber-security-threat-reality-in-2026
- [10] "AI, the Iran-US Conflict, and the Threat to US Critical Infrastructure" - CloudSEK, https://www.cloudsek.com/blog/ai-the-iran-us-conflict-and-the-threat-to-us-critical-infrastructure