HOMEFRONT Threat Assessment: May 2026
Classification: TLP:CLEAR | Period: May 2026 | Published: 2026-05-29
Executive Summary
May 2026 brought a convergence of active threats against the US homeland: Iranian cyber operators exploited weak authentication in exposed industrial control systems across critical infrastructure [5], the FBI issued warnings on a large-scale Microsoft 365 credential theft campaign using the Kali365 phishing kit to steal OAuth tokens [4], and CISA directed critical organizations to prepare for cyber outages, a signal that the agency assesses disruption as a near-term possibility [1]. Simultaneously, supply chain compromises hit developer tools including Nx Console and GitHub repositories [9], while FBI reporting put US cybercrime losses at $21 billion, confirming the scale of successful attacks against domestic targets [6].
What Changed Since April 2026
- CISA tells critical organizations to prepare for cyber outages | Federal News Network
- CISA orders all federal agencies to patch exploited bug in Cisco SD-WAN systems by Sunday | The Record from Recorded Future News
- TLP:CLEAR 26 MAY 2026 FLASH Number FLASH-20260526-01
- Cyber attackers are hijacking Microsoft Outlook, Teams and 365 log-ins, FBI says
- FBI warns Kali365 phishing kit is stealing Microsoft OAuth tokens at scale
- Weak authentication, exposed ICS environments heighten concerns over Iranian cyber intrusions into US critical infrastructure
- Major Cyber Attacks in May 2026: Phishing, Agent Tesla & More
- Senator warns CISA election security pullback could leave midterms vulnerable
- Supply Chain Compromises Impact Nx Console and GitHub Repositories | CISA
- CrowdStrike and Google take down botnet used by hackers to target open source software developers | TechCrunch
- Insider Threat Statistics [2026]: 45+ Facts on Cost & Risk
Iran (IRGC-CEC and Affiliated Groups)
- Current domestic activity: Iranian actors are targeting US critical infrastructure through weak authentication in exposed ICS/OT environments [5]. Reporting from the Iran country assessment confirms destructive operations, including the Stryker wiper incident that destroyed 200,000 devices at US healthcare and industrial targets, and sustained targeting of nearly 4,000 exposed Programmable Logic Controllers across US infrastructure. These operations are retaliatory, following US-led military strikes under Operation Epic Fury.
- Change from previous period: Significant escalation. Iran has moved from opportunistic probing to destructive and sustained campaigns against US domestic targets.
- Cross-reference: See Iran country assessment for full operational context, including the trilateral strategic pact with China and Russia and internal regime dynamics driving offensive posture.
China (PRC-Nexus Groups)
- Current domestic activity: The baseline Volt Typhoon pre-positioning campaign in US critical infrastructure remains active. The CISA advisory on China-nexus covert device networks being used for botnet infrastructure (referenced in the Global assessment) confirms continued presence inside US networks. Salt Typhoon telecom targeting also persists.
- Change from previous period: Steady state for domestic pre-positioning. The Trump-Xi state visit in mid-May brought cyber operations to the diplomatic agenda (per the China country assessment), but offensive operations ran in parallel with diplomacy, not instead of it.
- Cross-reference: See China country assessment and INDOPACOM theater assessment for broadening target scope across allied networks and AI/robotics sectors.
DPRK
- Current domestic activity: North Korean operators continue targeting the US defense industrial base and healthcare sector for revenue and intelligence (per baseline). The DPRK country assessment confirms AI-enhanced fake worker schemes to infiltrate foreign companies and supply chain compromises targeting open-source projects and enterprise software [10].
- Change from previous period: Escalation in supply chain and social engineering vectors. DPRK operators are broadening access beyond direct financial targets.
- Cross-reference: See DPRK country assessment for cryptocurrency theft operations and supply chain campaign details.
Russia
- Current domestic activity: Russian GRU/FSB units almost certainly maintain persistent access to US energy and water infrastructure (per baseline). The Russia country assessment confirms Russian APT groups can now weaponize zero-day vulnerabilities within 24 hours of public disclosure and have deployed the first confirmed malware integrating a large language model for dynamic command generation.
- Change from previous period: Escalation in capability, steady state in domestic targeting posture. The Ukraine ceasefire has not slowed hybrid operations.
- Cross-reference: See Russia country assessment and EUCOM theater assessment for operational tempo details.
Industrial Control Systems (Cross-Sector)
- Current threats: Iranian actors are actively exploiting weak authentication in exposed ICS environments [5]. Nearly 4,000 exposed PLCs have been identified as targets (per Iran country assessment). CISA's outage preparation guidance to critical organizations [1] suggests the agency assesses that disruptive attacks on OT systems are plausible in the near term.
- Defensive developments: CISA outage preparation guidance issued [1]. Organizations with internet-facing ICS should treat this as a priority remediation target.
- Risk assessment: HIGH and rising. The combination of Iranian retaliatory motivation, exposed OT assets, and weak authentication creates conditions for destructive impact.
Telecommunications
- Current threats: CISA issued an emergency directive ordering all federal agencies to patch an actively exploited Cisco SD-WAN vulnerability [2]. SD-WAN systems are foundational to network segmentation and traffic routing; compromise enables lateral movement and data exfiltration. Salt Typhoon telecom targeting continues per baseline.
- Defensive developments: Emergency patching directive with Sunday deadline [2].
- Risk assessment: HIGH. Active exploitation of network infrastructure components compounds the existing Salt Typhoon threat to telecom providers.
Healthcare
- Current threats: The Stryker wiper incident (per Iran country assessment) destroyed 200,000 devices at healthcare and industrial targets. Healthcare remains a top target for both nation-state destructive operations and ransomware groups.
- Defensive developments: No new sector-specific guidance identified in current reporting.
- Risk assessment: HIGH. Healthcare faces simultaneous pressure from Iranian destructive operations and ransomware actors.
Energy
- Current threats: Russian persistent access to energy infrastructure continues (per baseline). Iranian ICS targeting [5] likely includes energy sector assets. The CENTCOM assessment notes Iranian retaliatory operations targeting Gulf state energy infrastructure, with potential spillover to US energy networks.
- Risk assessment: HIGH. Multiple nation-state actors maintain access or active campaigns against energy OT systems.
Domestic Threat Landscape
Insider Threats: 2026 data indicates continued growth in insider incidents, with elevated risk levels and costs across all sectors [11]. The combination of geopolitical tension and economic pressure likely contributes to recruitment opportunities for foreign intelligence services. Defenders should note that insider threats are not limited to espionage; negligent insiders and compromised credentials also drive the statistics.
DVE and Hacktivism: FBI and DHS continue to assess domestic violent extremism as the most persistent domestic threat (per baseline). No specific new DVE incidents with cyber dimensions were identified in current reporting for May 2026. However, the broader threat environment (active US military operations against Iran, geopolitical tensions) historically correlates with increased DVE and hacktivist activity targeting government and military-affiliated networks.
Financial Impact: FBI reports US cybercrime losses reached $21 billion [6], a figure that captures the aggregate impact of ransomware, BEC, credential theft, and other cybercrime targeting US organizations across all sectors.
Election Security and Influence Operations
A US senator warned that CISA is scaling back election security support ahead of the 2026 midterms [8]. This reduction in federal assistance to state and local election administrators creates a gap in threat intelligence sharing, vulnerability scanning, and incident response support that those jurisdictions have relied on since 2018. The baseline threat from foreign influence operations (Russian, Chinese, and Iranian campaigns) remains active, and reduced federal support likely increases the risk that lower-resourced jurisdictions won't detect or respond to intrusions or influence campaigns targeting voter registration databases and election night reporting systems. No specific new foreign influence operations targeting 2026 midterms were identified in current reporting.
Supply Chain and Technology Risks
CISA issued an alert on supply chain compromises affecting Nx Console and GitHub repositories [9]. This is a direct attack on developer tooling: compromised build tools or IDE extensions can inject malicious code into downstream software products without developers' knowledge. Separately, CrowdStrike and Google disrupted a botnet specifically designed to target open-source software developers for supply chain attacks [10]. The successful takedown reduces immediate capability, but the existence of purpose-built botnets for developer targeting confirms this is a sustained campaign, not an isolated incident.
The FBI's warning on the Kali365 phishing kit [4] represents a distinct supply chain risk vector: OAuth token theft bypasses MFA and provides persistent access to Microsoft 365 environments. This isn't just credential theft. Stolen OAuth tokens allow attackers to access email, Teams messages, SharePoint documents, and OneDrive files without triggering password-based security controls [4]. For organizations using Microsoft 365 as their primary collaboration platform (most US enterprises and government agencies), this is a critical exposure.
Cross-Theater Spillover
Iran-US conflict driving domestic attacks: The CENTCOM theater assessment documents active US-Iran armed conflict, including military strikes and a naval blockade. The Iran country assessment confirms this has directly triggered retaliatory cyber operations against US domestic targets, including the Stryker wiper destroying 200,000 devices and PLC targeting across US infrastructure [5]. This is not theoretical spillover; it's active.
PRC pre-positioning tied to Taiwan contingency: The INDOPACOM assessment documents widening South China Sea confrontations and deepening China-DPRK alignment. Volt Typhoon pre-positioning in US critical infrastructure is explicitly tied to a Taiwan contingency (per baseline). Continued military integration through Balikatan 2026 and new allied mission networks create both capability and friction that could trigger activation of pre-positioned access.
Russian hybrid warfare: The EUCOM assessment documents Russian electronic warfare reaching 450 kilometers into European territory and over 150 suspected sabotage cases across NATO states. The Russia country assessment notes LLM-integrated malware and 24-hour zero-day weaponization. These capabilities are almost certainly applicable to US targets where Russian access persists.
DPRK supply chain broadening: The DPRK country assessment documents supply chain compromises across open-source projects, enterprise software, and gaming platforms. The CrowdStrike/Google botnet takedown [10] targeted one node of this ecosystem. US organizations relying on open-source dependencies face direct risk from DPRK-linked package compromises.
Key Advisories Since Last Assessment
- CISA outage preparation guidance for critical organizations [1]
- CISA emergency directive: Patch actively exploited Cisco SD-WAN vulnerability, federal agency deadline set [2]
- FBI IC3 FLASH-20260526-01: Flash alert issued May 26, 2026 [3]
- FBI warning on Kali365 phishing kit: OAuth token theft targeting Microsoft 365 at scale [4]
- CISA alert on Nx Console/GitHub supply chain compromise [9]
- FBI IC3 Annual Report: US cybercrime losses at $21 billion [6]
Operational Implications
- OAuth token theft demands immediate attention. The Kali365 phishing kit bypasses MFA by stealing OAuth tokens, not passwords [4]. Organizations relying solely on MFA for Microsoft 365 protection have a gap. Conditional access policies, token lifetime restrictions, and device compliance checks are now required controls.
- ICS/OT exposure is being actively exploited. Iranian operators are targeting weak authentication on internet-facing PLCs [5]. Any organization with externally accessible OT should treat remediation as an emergency, not a project.
- Cisco SD-WAN patching is urgent. Active exploitation of network infrastructure means compromised SD-WAN devices can enable lateral movement across segmented environments [2]. Prioritize patching and monitor for indicators of prior compromise.
- Developer tool supply chain attacks require build pipeline audits. The Nx Console compromise [9] and the developer-targeting botnet [10] both indicate that CI/CD pipelines and developer IDE extensions are active attack vectors. Verify integrity of build dependencies.
- Reduced election security support creates a collection gap. State and local election administrators losing CISA support [8] may not share threat indicators or request assistance at the same rate, reducing community visibility into election infrastructure targeting.
Sources: [1][2][4][5][8][9][10]
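The build pipeline audit recommended above can be started with a simple check of GitHub Actions workflow files: every third-party action a workflow pulls in is a dependency, and a `uses:` reference pinned to a mutable tag or branch can be silently swapped for malicious code, whereas a reference pinned to a full commit SHA (or, for container images, a `sha256:` digest) cannot. The script below is an added example written for this assessment, not code from CISA or any of the projects named in the alerts; the workflow text and the 40-character SHA in it are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample workflow. The commit SHA on the checkout step is a
# placeholder, not a real upstream commit.
SAMPLE_WORKFLOW = """name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: actions/setup-node@v4
      - uses: ./.github/actions/local-thing
      - name: deploy
        uses: some-org/deploy-action@main
      - uses: docker://ghcr.io/example/tool:latest
"""

# Matches "uses: target" on step lines, tolerating a leading "-" and quotes,
# and stopping at whitespace or a trailing "# version" comment.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*["']?([^"'\s#]+)""")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class UsesRef:
    line: int
    action: str
    ref: str
    status: str  # "pinned", "unpinned" or "local"


def classify(target: str) -> UsesRef:
    """Decide whether one uses: target is immutable (pinned) or mutable."""
    if target.startswith("./"):
        # Actions checked into the same repository are reviewed with the repo itself.
        return UsesRef(0, target, "", "local")
    if target.startswith("docker://"):
        # Container actions are immutable only when referenced by image digest.
        image, _, ref = target.partition("@")
        status = "pinned" if ref.startswith("sha256:") else "unpinned"
        return UsesRef(0, image, ref, status)
    action, _, ref = target.partition("@")
    # No ref means the default branch; a tag or branch name is mutable too.
    status = "pinned" if SHA40_RE.match(ref) else "unpinned"
    return UsesRef(0, action, ref, status)


def audit_workflow(text: str) -> list[UsesRef]:
    """Return every uses: reference in the workflow with its pin status."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        r = classify(m.group(1))
        results.append(UsesRef(lineno, r.action, r.ref, r.status))
    return results


def unpinned(text: str) -> list[UsesRef]:
    """Only the references that a tag or branch move could hijack."""
    return [r for r in audit_workflow(text) if r.status == "unpinned"]


if __name__ == "__main__":
    for r in unpinned(SAMPLE_WORKFLOW):
        print(f"line {r.line}: {r.action}@{r.ref or '<default branch>'} is not pinned to a digest")
```

Run it over each file under `.github/workflows/` in a repository; the unpinned list is the set of references to replace with full commit SHAs (keeping the tag as a trailing comment, as the checkout step does, preserves readability). The same regex-based approach misses actions referenced through reusable workflows (`uses:` at the job level), which are matched by the pattern too but may need a separate allowlist for internal repositories.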
Outlook
The June-July period will likely see continued Iranian retaliatory cyber operations against US infrastructure as the CENTCOM conflict persists [5]. The CISA election security pullback [8] creates conditions for adversary probing of midterm election infrastructure during the summer preparation period. An escalation trigger to watch: any disruption to the Ukraine ceasefire or South China Sea confrontation could shift Russian or Chinese cyber operations from intelligence collection and pre-positioning to disruptive or destructive modes against US domestic targets.
Sources: [5][8]
Red Sheep Assessment
Assessment (Moderate Confidence): CISA's guidance telling critical organizations to prepare for cyber outages [1], when read alongside the Cisco SD-WAN emergency directive [2], the Iranian ICS targeting [5], and the FBI's $21 billion loss figure [6], suggests the US government possesses threat intelligence indicating that a disruptive cyber event against domestic infrastructure is assessed as likely, not merely possible. CISA doesn't issue outage preparation guidance as routine practice. The agency is almost certainly seeing specific indicators (pre-positioning activity, adversary tooling, or intelligence reporting) that haven't been made public. Defenders should interpret the outage guidance not as general best practice, but as a warning with classified context behind it. The simultaneous scaling back of election security support [8] while issuing urgent infrastructure warnings creates a concerning resource allocation picture: federal cyber defense capacity may be stretched thin enough that certain mission areas are being deliberately deprioritized.
Defender's Checklist
- ▢[ ] Audit Microsoft 365 OAuth token policies. Review Azure AD conditional access policies for token lifetime limits. Enable continuous access evaluation (CAE). Hunt for anomalous OAuth app registrations and consent grants. Query in Sentinel/Log Analytics: AuditLogs | where OperationName == "Consent to application"
- ▢[ ] Verify Cisco SD-WAN patch status. Confirm all SD-WAN appliances are patched per CISA emergency directive [2]. Search for IOCs associated with active exploitation. Review SD-WAN admin access logs for unauthorized changes.
- ▢[ ] Audit ICS/OT internet exposure. Scan for externally accessible PLCs, HMIs, and SCADA interfaces. Verify authentication on all OT assets. If default credentials exist on any internet-facing ICS device, disconnect it now [5].
- ▢[ ] Validate developer tool and build pipeline integrity. Check Nx Console installations against CISA's compromise indicators [9]. Review GitHub Actions workflows for unauthorized modifications. Pin dependencies to verified hashes.
- ▢[ ] Test cyber outage response plans. Per CISA guidance [1], conduct a tabletop exercise for extended outage scenarios. Validate offline operational procedures, backup restoration timelines, and out-of-band communication channels.
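The Sentinel query in the first checklist item returns every consent event; the triage step is deciding which of those grants look like the Kali365 pattern (a user consenting to an unreviewed app that asks for mailbox, file and offline_access scopes). The script below is an added example written for this assessment, not code from the FBI, Microsoft or the report's authors. It assumes a flattened record shape and a constructed allowlist of approved app IDs; real Entra ID audit records nest the application and the granted permissions under TargetResources and modifiedProperties, so the field lookups need adapting to an export from your tenant.

```python
import json
from dataclasses import dataclass

# Constructed sample records in a flattened shape (assumption: real Entra ID
# "Consent to application" events nest the app and granted permissions under
# TargetResources[].modifiedProperties; adapt the field lookups accordingly).
SAMPLE_AUDIT_LOGS = r'''
{"TimeGenerated": "2026-05-27T14:02:11Z", "OperationName": "Consent to application", "Result": "success", "InitiatedBy": "alice@example.test", "AppDisplayName": "Contoso Expense Sync", "AppId": "11111111-1111-1111-1111-111111111111", "ConsentType": "AllPrincipals", "Permissions": "User.Read"}
{"TimeGenerated": "2026-05-27T14:05:43Z", "OperationName": "Consent to application", "Result": "success", "InitiatedBy": "bob@example.test", "AppDisplayName": "Mail Helper Pro", "AppId": "22222222-2222-2222-2222-222222222222", "ConsentType": "Principal", "Permissions": "Mail.Read offline_access Files.ReadWrite.All"}
{"TimeGenerated": "2026-05-27T14:06:02Z", "OperationName": "Add service principal", "Result": "success", "InitiatedBy": "bob@example.test", "AppDisplayName": "Mail Helper Pro", "AppId": "22222222-2222-2222-2222-222222222222", "ConsentType": "", "Permissions": ""}
{"TimeGenerated": "2026-05-27T14:09:30Z", "OperationName": "Consent to application", "Result": "success", "InitiatedBy": "carol@example.test", "AppDisplayName": "Contoso Expense Sync", "AppId": "11111111-1111-1111-1111-111111111111", "ConsentType": "Principal", "Permissions": "User.Read offline_access"}
{"TimeGenerated": "2026-05-27T14:12:08Z", "OperationName": "Consent to application", "Result": "success", "InitiatedBy": "dave@example.test", "AppDisplayName": "Calendar Widget", "AppId": "33333333-3333-3333-3333-333333333333", "ConsentType": "Principal", "Permissions": "User.Read"}
'''

# Delegated scopes that hand over mailbox or file data, or (offline_access)
# a refresh token that keeps the access alive after the session ends.
HIGH_RISK_SCOPES = {
    "offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.ReadWrite.All",
    "MailboxSettings.ReadWrite", "Directory.ReadWrite.All",
}

# Constructed allowlist: app IDs the organization has already reviewed.
APPROVED_APP_IDS = {"11111111-1111-1111-1111-111111111111"}


@dataclass(frozen=True)
class Finding:
    time: str
    user: str
    app_name: str
    app_id: str
    severity: str
    reasons: tuple


def load_records(text: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hunt_consent_grants(records: list[dict], approved_apps=APPROVED_APP_IDS) -> list[Finding]:
    """Flag successful consent grants to apps outside the allowlist, ranked by scope risk."""
    findings = []
    for rec in records:
        if rec.get("OperationName") != "Consent to application":
            continue
        if rec.get("Result") != "success":
            continue
        app_id = rec.get("AppId", "")
        if app_id in approved_apps:
            continue  # pre-reviewed app; grants to it are expected
        scopes = set(rec.get("Permissions", "").split())
        risky = sorted(scopes & HIGH_RISK_SCOPES)
        reasons = ["app not on approved list"]
        if rec.get("ConsentType") == "Principal":
            # A single user consented; no admin reviewed the permission request.
            reasons.append("user-level consent (no admin review)")
        if risky:
            reasons.append("high-risk scopes: " + ", ".join(risky))
        findings.append(Finding(
            time=rec.get("TimeGenerated", ""),
            user=rec.get("InitiatedBy", ""),
            app_name=rec.get("AppDisplayName", ""),
            app_id=app_id,
            severity="high" if risky else "medium",
            reasons=tuple(reasons),
        ))
    return findings


if __name__ == "__main__":
    for f in hunt_consent_grants(load_records(SAMPLE_AUDIT_LOGS)):
        print(f"[{f.severity}] {f.time} {f.user} -> {f.app_name} ({f.app_id}): {'; '.join(f.reasons)}")
```

Every "high" finding is a candidate for revoking the app's consent and the user's refresh tokens; the "medium" ones are the queue for the app review that conditional access and admin consent workflows should have gated in the first place.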
Sources
- [1] "CISA tells critical organizations to prepare for cyber outages" - Federal News Network, https://federalnewsnetwork.com/cybersecurity/2026/05/cisa-tells-critical-organizations-to-prepare-for-cyber-outages/
- [2] "CISA orders all federal agencies to patch exploited bug in Cisco SD-WAN systems by Sunday" - The Record from Recorded Future News, https://therecord.media/cisa-orders-all-federal-agencies-to-patch-cisco-sd-wan-bug
- [3] "TLP:CLEAR FLASH-20260526-01" - FBI IC3, https://www.ic3.gov/CSA/2026/260526.pdf
- [4] "FBI warns Kali365 phishing kit is stealing Microsoft OAuth tokens at scale" - The Register, https://www.theregister.com/cyber-crime/2026/05/22/fbi-warns-of-kali365-as-device-code-phishing-soars/5245024
- [5] "Weak authentication, exposed ICS environments heighten concerns over Iranian cyber intrusions into US critical infrastructure" - Industrial Cyber, https://industrialcyber.co/industrial-cyber-attacks/weak-authentication-exposed-ics-environments-heighten-concerns-over-iranian-cyber-intrusions-into-us-critical-infrastructure/
- [6] "FBI reports cyber threats to critical infrastructure intensify as US cybercrime losses hit $21 billion" - Industrial Cyber, https://industrialcyber.co/reports/fbi-reports-cyber-threats-to-critical-infrastructure-intensify-as-us-cybercrime-losses-hit-21-billion-exposes-risk/
- [7] "Major Cyber Attacks in May 2026: Phishing, Agent Tesla & More" - ANY.RUN, https://any.run/cybersecurity-blog/major-cyber-attacks-may-2026/
- [8] "Senator warns CISA election security pullback could leave midterms vulnerable" - Nextgov, https://www.nextgov.com/cybersecurity/2026/05/senator-warns-cisa-election-security-pullback-could-leave-midterms-vulnerable/413378/
- [9] "Supply Chain Compromises Impact Nx Console and GitHub Repositories" - CISA, https://www.cisa.gov/news-events/alerts/2026/05/28/supply-chain-compromises-impact-nx-console-and-github-repositories
- [10] "CrowdStrike and Google take down botnet used by hackers to target open source software developers" - TechCrunch, https://techcrunch.com/2026/05/27/crowdstrike-and-google-take-down-botnet-used-by-hackers-to-target-software-developers-in-supply-chain-attacks/
- [11] "Insider Threat Statistics [2026]: 45+ Facts on Cost & Risk" - StationX, https://app.stationx.net/articles/insider-threat-statistics