News Summary week 12, 2026

The U.S. Justice Department formally attributed the Handala hacktivist group to Iran’s MOIS and the FBI seized its domains, while CISA released eight new ICS advisories headlined by critical EV charging and parking infrastructure vulnerabilities, a CVSS 9.8 SCADAPack RTU flaw, and Schneider Electric EcoStruxure code injection—as the Interlock ransomware gang’s exploitation of a Cisco FMC zero-day 36 days before disclosure underscored the accelerating pace of OT-adjacent threats.
Tags: threat-intelligence, ICS, CPS, automotive, medical-devices

Published March 21, 2026

Executive Summary

This week brought a decisive government response to the Stryker wiper attack: the U.S. Justice Department formally attributed the Handala hacktivist persona to Iran’s Ministry of Intelligence and Security, and the FBI seized four of the group’s domains—even as Handala quickly restored operations on new infrastructure. CISA released eight ICS advisories on March 19 covering Schneider Electric Modicon controllers, EcoStruxure Automation Expert, CTEK Chargeportal, IGL-Technologies eParking, and other products, while earlier in the week a critical CVSS 9.8 vulnerability in Schneider Electric’s SCADAPack x70 RTUs was disclosed, enabling arbitrary code execution via Modbus TCP. The Interlock ransomware gang was revealed to have exploited a maximum-severity Cisco Firewall Management Center zero-day (CVE-2026-20131) for 36 days before public disclosure, and CISA ordered federal agencies to patch by March 22. Kaspersky ICS CERT published two Q4 2025 reports documenting Lazarus APT campaigns against aerospace and defense manufacturers and more than 160 publicly confirmed industrial cyberattacks during the quarter.

This report focuses on Cyber-Physical Systems (CPS), Industrial Control Systems (ICS), and critical infrastructure security.


Week of March 13 – March 20, 2026

Critical Alerts & Advisories

CISA released eight ICS advisories on March 19, designated ICSA-26-078-01 through ICSA-26-078-08, covering products from Schneider Electric, CTEK, IGL-Technologies, and other vendors. Earlier in the week, advisories from the March 17 release (ICSA-26-076-02 through ICSA-26-076-04) addressed Schneider Electric SCADAPack, RemoteConnect, and EcoStruxure Data Center Expert.

The most operationally consequential advisory this week addressed Schneider Electric’s SCADAPack x70 series remote terminal units (ICSA-26-076-02). CVE-2026-0667, carrying a CVSS v3.1 score of 9.8 and a CVSS v4.0 score of 9.3, stems from an improper check for unusual or exceptional conditions (CWE-754) in Modbus TCP processing that could enable arbitrary code execution, denial of service, and loss of confidentiality and integrity. SCADAPack 47xi, 47x, and 57x RTUs are widely deployed in oil and gas, water, and electric utility environments for remote monitoring and control. Successful exploitation could give attackers complete control over affected RTUs, allowing them to manipulate sensor readings, override control commands, and establish persistent access to industrial networks. Schneider has released firmware version 7.6 and RemoteConnect version 3.3 to address the flaw.

Schneider Electric’s EcoStruxure Automation Expert received advisory ICSA-26-078-03 for CVE-2026-2273, a code injection vulnerability scored at CVSS 8.8 that affects all versions prior to v25.0. An authenticated attacker can execute arbitrary code on engineering workstations running this industrial automation orchestration platform, potentially achieving full system compromise. Schneider Electric also disclosed CVE-2025-13957 in EcoStruxure IT Data Center Expert (ICSA-26-076-03), a hard-coded credentials vulnerability enabling remote code execution in the context of the service account. The affected product’s SOCKS Proxy feature—disabled by default—must be enabled for exploitation, and Schneider has released version 9.1 with a fix.

Two Modicon controller advisories round out Schneider’s contributions. ICSA-26-078-01 covers the Modicon M241, M251, and M262 with a denial-of-service vulnerability, while ICSA-26-078-02 addresses cross-site scripting and open redirect vulnerabilities in the Modicon M241, M251, M258, and LMC058 controllers that could result in account takeover or code execution in the user’s browser.

Beyond the March 19 batch, a significant development during this reporting period was CISA adding CVE-2026-20131 to its Known Exploited Vulnerabilities catalog on March 19, with a remediation deadline of March 22—an unusually tight three-day window reflecting the severity and confirmed exploitation. This maximum-severity (CVSS 10.0) deserialization vulnerability in Cisco Secure Firewall Management Center and Security Cloud Control allows unauthenticated remote attackers to achieve root-level code execution through the web-based management interface. The Interlock ransomware gang had been exploiting it as a zero-day since January 26, 2026—a full 36 days before Cisco’s March 4 disclosure. Since FMC platforms centrally manage firewall configurations across enterprise and critical infrastructure environments, a compromised FMC provides attackers a staging point for credential harvesting, configuration tampering, and lateral movement into operational networks. On March 20, CISA added five additional KEV entries including Apple product vulnerabilities, a Craft CMS code injection flaw, and a Laravel Livewire vulnerability.

Automotive CPS Security

The coordinated disclosure of systemic EV charging infrastructure vulnerabilities continued this week with two new CISA advisories. The CTEK Chargeportal advisory (ICSA-26-078-06) disclosed CVE-2024-31204 and CVE-2024-31205, the more severe scored at CVSS 9.4: WebSocket endpoints lack proper authentication and use predictable session identifiers, so an unauthenticated attacker can impersonate charging stations, issue OCPP commands, and hijack sessions. CTEK has announced it will sunset the Chargeportal product entirely in April 2026, leaving operators a short window in which to patch before the platform is retired. The IGL-Technologies eParking.fi advisory (ICSA-26-078-07) disclosed nearly identical WebSocket authentication failures in the Finnish parking and charging platform, where unauthenticated attackers can connect using known or discovered charging station identifiers and issue OCPP commands as legitimate chargers. IGL-Technologies has responded with security controls including enforcement of modern OCPP security profiles, device-level whitelisting, and rate limiting.

These two advisories bring the coordinated EV charging infrastructure disclosure to at least eleven vendors across seven countries since it began in late February. The consistent vulnerability pattern (missing authentication, predictable identifiers, insufficient credential protection) points to a fundamental flaw in how the OCPP standard has been implemented across the industry rather than to isolated vendor failings.

Separately, VicOne continued to draw attention to aftermarket peripheral security with ongoing analysis of the five zero-day vulnerabilities researchers discovered in the CarlinKit CPC200-CCPA wireless CarPlay/Android Auto dongle and the 70mai A510 smart dashcam. The vulnerabilities—including CVE-2025-2765 (hard-coded weak Wi-Fi credentials and authentication bypass), CVE-2025-2763 (remote code execution via web upload), and CVE-2025-2764 (arbitrary code execution from USB)—affect devices that sit at the intersection of a driver’s smartphone ecosystem and the vehicle’s infotainment system. With over 85,000 of these devices exposed worldwide and the number growing, the aftermarket accessory category represents a blind spot that traditional automotive cybersecurity programs have not addressed.

Medical Device CPS Security

The Stryker cyberattack aftermath dominated medical device news for the second consecutive week, but this week brought significant government response rather than new technical disclosures. On March 19, the FBI seized four domains operated by Handala—Justicehomeland.org, Handala-Hack.to, Karmabelow80.org, and Handala-Redwanted.to. The following day, the U.S. Justice Department formally attributed Handala to Iran’s Ministry of Intelligence and Security (MOIS), characterizing it as a “fake activist persona” used for cyber-enabled psychological operations including claiming credit for hacking activity and publishing stolen data. SecurityWeek reported that Handala likely gained initial access to Stryker through malware-stolen credentials, which were then used to compromise administrator accounts and weaponize the company’s Microsoft Intune endpoint management platform to remotely wipe over 200,000 devices.

Stryker confirmed that while the attack was contained to its Windows environment, order processing, manufacturing, and shipping operations were significantly disrupted. However, no patient-related services or connected medical products were directly affected—an important distinction for the medical device safety community. Handala responded with defiance to the domain seizures and rapidly restored operations on new infrastructure, demonstrating the resilience of hacktivist operations against law enforcement takedowns.

The FDA’s ongoing regulatory tightening remained a backdrop: the agency’s 2026 cybersecurity guidance now requires premarket submissions to include a Security Risk Management Report, a Software Bill of Materials (SBOM), and detailed architecture views. Industry observers expect the FDA to shift focus in 2026 from reviewing premarket paperwork to actively auditing the real-world effectiveness of post-market security processes—a transition that the Stryker incident may accelerate.

Water & Wastewater Sector

No new water-sector-specific incidents emerged this week, but the threat environment remains elevated from the Iran-aligned cyber campaign. IRGC-affiliated actors continue to target Unitronics PLCs in U.S. water and wastewater systems, and earlier reports of hackers altering pressure levels in a municipal water supply underscore the direct physical safety implications. The sector’s defensive challenges persist: small IT staffs (often with zero dedicated cybersecurity personnel), aging SCADA systems running end-of-life operating systems, and flat networks where a compromised office workstation can reach treatment process controls remain endemic across U.S. water utilities.

Energy & Power Grid

The final expert panel report on the April 2025 Iberian Peninsula blackout was published on March 20, conclusively ruling out a cyberattack while delivering findings with significant implications for grid cybersecurity. The investigation confirmed that “no evidence of cyber-incident or cyber-attack” caused the power loss, attributing it instead to a “perfect storm of multiple factors”—voltage fluctuations triggered cascading disconnections of converter-based renewable energy systems that were too rigid to adapt to sudden voltage surges. Spain’s grid operates at a wider voltage range than other European countries, leaving minimal margins between allowed limits and protective disconnection thresholds.

While the Iberian blackout was not a cyber event, the World Economic Forum used the occasion to warn of growing cyber threats to energy infrastructure, noting that 64% of organizations now factor geopolitically motivated cyberattacks into their risk strategies. The WEF’s 2026 Global Cybersecurity Outlook found that confidence in national cyber preparedness continues to erode, with 31% of respondents reporting low confidence in their country’s ability to respond to major cyber incidents, up from 26% the previous year.

The Schneider Electric SCADAPack x70 advisory (CVE-2026-0667, CVSS 9.8) has direct relevance for energy sector operators, as these RTUs are deployed in oil and gas pipelines, electric substations, and water distribution systems. The vulnerability’s exploitability via Modbus TCP—the foundational protocol for many industrial control deployments—makes this a high-priority patching item for utility environments.

Manufacturing & Industrial

Kaspersky ICS CERT published two significant reports this week covering Q4 2025 industrial cybersecurity activity. The incidents report, released March 19, documented more than 160 companies that publicly confirmed cyberattacks during Q4 2025, with a disproportionate concentration in Japan and Taiwan. Notable incidents included Japanese retailer Muji taking stores offline due to a ransomware-induced logistics outage at delivery partner Askul Corp.

The companion APT report, released March 6 with continued analysis this week, revealed a new Lazarus Comebacker variant delivered through fake aerospace- and defense-themed Word documents. The attack chain uses custom decryption, ChaCha20-protected loaders, and AES-encrypted C2 traffic, representing a clear upgrade from earlier Comebacker versions. Decoys impersonated organizations including Edge Group, IIT Kanpur, and Airbus, and infrastructure research traced the campaign back to at least March 2025—indicating a long-running intelligence-gathering operation targeting sensitive industries.

Manufacturing continues to bear the heaviest ransomware burden: global ransomware attacks rose 32% in 2025, with manufacturing accounting for 26% of all documented incidents and remaining the most targeted industry for the fourth consecutive year. The average total cost of a ransomware incident in manufacturing reached approximately $8.7 million, reflecting both operational disruption and recovery costs in environments where downtime directly halts production.

The Schneider Electric EcoStruxure Automation Expert code injection vulnerability (CVE-2026-2273) is particularly consequential for manufacturing, as this platform orchestrates industrial automation workflows. Combined with the Modicon controller advisories for DoS and XSS vulnerabilities, Schneider’s March advisory batch adds to the cumulative vulnerability management burden facing manufacturing environments already stretched thin by the pace of ICS disclosures.

Threat Intelligence Highlights

The formal U.S. government attribution of Handala to Iran’s MOIS—rather than treating it as a mere hacktivist collective—represents a significant escalation in the public framing of the Iran-aligned cyber campaign. The Justice Department’s language was notably direct, calling Handala a “fake activist persona” and its operations “psychological operations.” The FBI domain seizures, while rapidly circumvented by the group, demonstrate willingness to take offensive action against Iran-linked cyber infrastructure even as the broader conflict continues.

The Interlock ransomware gang’s 36-day pre-disclosure exploitation of CVE-2026-20131 in Cisco FMC illustrates a troubling pattern: ransomware groups with zero-day capabilities targeting network management infrastructure that bridges IT and OT environments. FMC platforms manage firewall configurations for enterprise and critical infrastructure networks, making them high-value targets for establishing persistent, stealthy access. The Interlock group’s operational sophistication—exploiting a deserialization vulnerability for root access on a network management platform—represents the convergence of nation-state-caliber tradecraft with financially motivated ransomware operations.

The broader Iranian APT landscape remains active. APT groups including MuddyWater, OilRig, APT33, and UNC1549 continue to focus on espionage and disruption targeting critical infrastructure. OilRig has been assessed as “operationally silent” since the February 28 strikes, which analysts interpret as deliberate pre-positioning rather than inactivity, given the group’s long-dwell access in energy and finance sectors.

Defensive Recommendations

Schneider Electric SCADAPack x70 operators should upgrade to firmware version 7.6 and RemoteConnect to version 3.3 immediately to address the critical Modbus TCP vulnerability (CVE-2026-0667, CVSS 9.8). Until patching is complete, enable the RTU firewall service to block unauthorized access, disable the logic debug service, and implement network segmentation to restrict Modbus TCP access to trusted hosts only.
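The segmentation advice above is only verifiable if someone is actually looking at the Modbus TCP traffic reaching the RTU. The following is an added example, not Schneider Electric's code and not a reconstruction of CVE-2026-0667 (the advisory publishes no protocol-level detail): it parses the MBAP header and function code of captured requests, refuses frames whose length field disagrees with the bytes on the wire instead of trusting the field, and flags traffic that violates a source-IP allowlist in which HMIs may only read and engineering hosts may write. The host addresses, allowlist and frames are constructed for this example.

```python
"""Modbus TCP request triage: an added example, not Schneider Electric's code and not
a reconstruction of CVE-2026-0667 (the advisory publishes no protocol-level detail).
It parses the MBAP header and function code of captured requests, treats any frame
whose length field disagrees with the bytes on the wire as hostile instead of trusting
it, and flags traffic that breaks a source-IP allowlist. Hosts and frames are constructed.
"""
import struct
from dataclasses import dataclass

MBAP_LEN = 7          # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_ADU = 260         # MBAP header plus the 253-byte maximum PDU
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # coil/register writes, mask write, read/write

# Constructed allowlist: HMIs may only read; engineering hosts may also write.
ALLOWED_READERS = {"10.0.0.5"}
ALLOWED_WRITERS = {"10.0.0.9"}

SAMPLE_REQUESTS = [  # (source IP, raw Modbus TCP ADU) seen in front of the RTU; constructed
    ("10.0.0.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000a")),          # HMI reads 10 registers
    ("10.0.0.9",  bytes.fromhex("0002 0000 0006 01 06 0010 0001")),          # engineering host writes one register
    ("10.0.0.77", bytes.fromhex("0003 0000 0008 01 0f 0000 0008 01 ff")),    # unknown host writes 8 coils
    ("10.0.0.5",  bytes.fromhex("0004 0000 0009 01 10 0010 0001 02 0001")),  # HMI attempts a register write
    ("10.0.0.5",  bytes.fromhex("0005 0000 0100 01 03 0000 000a")),          # length field claims 256 bytes
]

@dataclass
class Finding:
    src: str
    reason: str

def parse_request(frame: bytes):
    """Return (transaction_id, unit_id, function_code, pdu); raise ValueError on any anomaly."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("shorter than MBAP header plus function code")
    if len(frame) > MAX_ADU:
        raise ValueError("exceeds maximum Modbus TCP ADU")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU and must equal what actually arrived.
    # Believing the field without checking it against the buffer is one form of the
    # unchecked exceptional condition that CWE-754 covers.
    actual = len(frame) - 6
    if length != actual:
        raise ValueError(f"length field {length} disagrees with {actual} bytes on the wire")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc == 0 or fc >= 0x80:   # 0 is undefined; 0x80+ only ever appears in exception responses
        raise ValueError(f"function code {fc} is not valid in a request")
    return tid, unit, fc, pdu

def is_well_formed(frame: bytes) -> bool:
    try:
        parse_request(frame)
        return True
    except ValueError:
        return False

def triage(requests, readers, writers):
    """Apply the allowlist to parsed requests and return findings in capture order."""
    findings = []
    for src, frame in requests:
        try:
            _, _, fc, _ = parse_request(frame)
        except ValueError as exc:
            findings.append(Finding(src, f"malformed frame: {exc}"))
            continue
        if src not in readers and src not in writers:
            findings.append(Finding(src, f"unknown host sent function {fc}"))
        elif fc in WRITE_FUNCTIONS and src not in writers:
            findings.append(Finding(src, f"write function {fc} from read-only host"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REQUESTS, ALLOWED_READERS, ALLOWED_WRITERS):
        print(f"{f.src:<10} {f.reason}")
```

Run against the constructed capture, the two legitimate requests pass, the unknown host's coil write and the HMI's register write are flagged, and the frame with the inflated length field is rejected before its function code is ever interpreted. Feeding real traffic means replacing SAMPLE_REQUESTS with TCP payloads from a span port or tap on the RTU's segment.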

Cisco FMC and SCC operators must apply security updates immediately per CISA’s March 22 deadline. No workarounds are available. Given Interlock’s demonstrated 36-day head start exploiting this vulnerability, organizations should conduct forensic review of FMC logs dating back to late January 2026 and hunt for indicators of compromise associated with the Interlock group.

EV charging operators running CTEK Chargeportal should apply available patches before the product’s April 2026 sunset and begin migration to supported platforms. IGL-Technologies eParking operators should verify that updated OCPP server security controls—including device whitelisting, rate limiting, and modern security profiles—have been applied.
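The weak pattern described in the Automotive CPS Security section (a central system that accepts any WebSocket client naming a valid charging station identifier, then hands it a predictable session) and the controls recommended here (security profile enforcement, device whitelisting, rate limiting) are two sides of one handshake decision. The following is an added example, not CTEK's, IGL-Technologies' or any OCPP library's code: weak_accept() shows the vulnerable check, and authorize_handshake() applies what OCPP 1.6 security profiles 1 and 2 expect, HTTP Basic credentials bound to the charge point identity in the path, plus an enrollment allowlist, a per-source rate limit and CSPRNG session tokens. The registry, keys, addresses and headers are constructed.

```python
"""OCPP-J central-system handshake authorization: an added example, not CTEK's,
IGL-Technologies' or any OCPP library's code. weak_accept() shows the pattern the
advisories describe, where naming a valid charge point identity on the WebSocket
path is enough to be accepted; authorize_handshake() applies the checks OCPP 1.6
security profiles 1 and 2 expect (HTTP Basic credentials bound to that identity),
plus a device allowlist, per-source rate limiting and CSPRNG session tokens.
The registry, addresses and headers below are constructed.
"""
import base64
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed registry: charge point identity -> (AuthorizationKey, enrolled at this site?)
REGISTRY = {
    "CP-0001": ("k1-correct-key", True),
    "CP-0002": ("k2-other-key", False),
}
DUMMY_KEY = "no-such-device-constant-time-filler"  # compared against when the id is unknown

def weak_accept(path: str) -> bool:
    """Vulnerable pattern: trust any client that names a registered charge point id."""
    return path.rsplit("/", 1)[-1] in REGISTRY

class RateLimiter:
    """Sliding-window cap on handshake attempts per source address."""
    def __init__(self, limit: int, window_s: float):
        self.limit, self.window = limit, window_s
        self.hits = defaultdict(deque)

    def allow(self, src: str, now: float) -> bool:
        q = self.hits[src]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def basic_header(user: str, password: str) -> dict:
    """Build the lower-cased handshake headers a charge point sends under profile 1/2."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"sec-websocket-protocol": "ocpp1.6", "authorization": f"Basic {token}"}

def _basic_credentials(headers: dict):
    scheme, _, blob = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:          # binascii.Error and UnicodeDecodeError both subclass ValueError
        return None
    return user, pw

def authorize_handshake(src: str, path: str, headers: dict, limiter: RateLimiter, now=None):
    """Return (accepted, reason, session_token); header names are expected lower-cased."""
    now = time.monotonic() if now is None else now
    if not limiter.allow(src, now):
        return False, "rate limited", None
    # Simplification: a production server negotiates from the comma-separated offer list.
    if headers.get("sec-websocket-protocol") != "ocpp1.6":
        return False, "unsupported subprotocol", None
    creds = _basic_credentials(headers)
    if creds is None:
        return False, "missing credentials", None
    user, pw = creds
    cp_id = path.rsplit("/", 1)[-1]
    entry = REGISTRY.get(cp_id)
    expected = entry[0] if entry else DUMMY_KEY   # same code path whether or not the id exists
    key_ok = hmac.compare_digest(pw.encode(), expected.encode())
    if not (key_ok and entry is not None and user == cp_id):
        return False, "bad credentials", None
    if not entry[1]:
        return False, "device not enrolled", None
    # Session token from the CSPRNG, never a counter or a digest of the charge point id.
    return True, "ok", secrets.token_urlsafe(32)

if __name__ == "__main__":
    lim = RateLimiter(limit=5, window_s=60)
    print("weak accept:", weak_accept("/ocpp/CP-0001"))
    print("hardened, no credentials:", authorize_handshake(
        "198.51.100.7", "/ocpp/CP-0001", {"sec-websocket-protocol": "ocpp1.6"}, lim)[1])
    print("hardened, valid key:", authorize_handshake(
        "198.51.100.7", "/ocpp/CP-0001", basic_header("CP-0001", "k1-correct-key"), lim)[1])
```

The unknown-identity path deliberately runs the same constant-time comparison against a filler key so response timing does not tell a scanner which station identifiers exist; combined with the rate limit, that is what turns "known or discovered charging station identifiers" from a working credential into a mere username. Profile 2 and 3 deployments add TLS on top; the handshake logic above is unchanged by that.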

Schneider Electric EcoStruxure Automation Expert users should update to version 25.0 or later to close the code injection vulnerability (CVE-2026-2273). EcoStruxure IT Data Center Expert operators should upgrade to version 9.1, and in the interim ensure the SOCKS Proxy feature remains disabled (the default configuration). Modicon controller operators should review ICSA-26-078-01 and ICSA-26-078-02 and apply firmware updates to address DoS and XSS vulnerabilities.

Healthcare organizations should continue assessing their exposure to the Stryker supply chain disruption and review the security of their own MDM and endpoint management platforms in light of the Handala attack methodology. The reported use of malware-stolen credentials as the likely initial access vector reinforces the importance of credential monitoring, hardware-backed MFA for administrative accounts, conditional access policies for administrative sign-ins, and alerting on anomalous MDM commands such as bulk wipe operations.
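The Stryker account above turns on a single primitive: an administrator account issuing remote-wipe commands at a volume no legitimate operation produces. The following is an added example, not Microsoft's, Stryker's or any vendor's tooling, and it does not reproduce the real Intune audit schema; the event fields (ts, actor, action, device) are an assumption for this example and every event is constructed. It raises one alert per actor when the count of destructive commands inside a sliding window reaches a threshold that routine decommissioning never approaches, which is the kind of "anomalous MDM command" signal the recommendation calls for.

```python
"""Bulk device-wipe detection over MDM audit events: an added example, not Microsoft's,
Stryker's or any vendor's tooling. It does not reproduce the real Intune audit schema;
the event fields (ts, actor, action, device) are an assumption for this example, and
every event below is constructed. One alert is raised per actor when the number of
destructive commands inside a sliding window reaches a threshold that routine
decommissioning never approaches.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

DESTRUCTIVE = {"wipe", "retire", "factoryReset"}   # assumed action names

@dataclass
class Alert:
    actor: str
    ts: int       # epoch seconds of the event that crossed the threshold
    count: int    # destructive commands inside the window at that moment

def detect_bulk_wipes(events, threshold: int = 25, window_s: int = 600):
    """events: iterable of dicts ordered by ts. Returns one Alert per actor per burst."""
    windows = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in events:
        if ev["action"] not in DESTRUCTIVE:
            continue
        q = windows[ev["actor"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window_s:     # evict commands that fell out of the window
            q.popleft()
        if len(q) < threshold:
            alerted.discard(ev["actor"])      # burst subsided; allow a fresh alert later
        elif ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            alerts.append(Alert(ev["actor"], ev["ts"], len(q)))
    return alerts

def constructed_events():
    """Benign: one admin retiring four laptops over an hour, interleaved with ordinary syncs.
    Malicious: a compromised helpdesk account wiping 40 workstations in two minutes."""
    base = 1_700_000_000
    events = [{"ts": base + i * 20, "actor": "svc-helpdesk", "action": "sync", "device": f"WS-{i:04}"}
              for i in range(200)]
    events += [{"ts": base + i * 900, "actor": "ops-admin", "action": "retire", "device": f"LT-{i:04}"}
               for i in range(4)]
    events += [{"ts": base + 3000 + i * 3, "actor": "svc-helpdesk", "action": "wipe", "device": f"WS-{i:04}"}
               for i in range(40)]
    return sorted(events, key=lambda e: e["ts"])

if __name__ == "__main__":
    for a in detect_bulk_wipes(constructed_events()):
        print(f"{a.actor}: {a.count} destructive commands within 10 min, crossed at ts={a.ts}")
```

The detector fires on the 25th wipe, roughly 72 seconds into the burst, while the admin retiring a laptop every 15 minutes never trips it. The response that makes this worth having is automated: suspend the actor's MDM role and revoke its sessions when the alert fires, since at 200,000 devices the difference between minute two and minute twenty is most of the fleet.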

Organizations in critical infrastructure sectors should review the Kaspersky ICS CERT Q4 2025 reports for relevant threat intelligence, particularly the Lazarus Comebacker campaign targeting aerospace and defense.
