SITREP - Independent OSINT Channel
23.9K subscribers
16.1K photos
9.78K videos
6 files
22.2K links
AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.
🔍 Pentagon Deploys Bunkers, Tech for Iran

As of March 31, U.S. Central Command has recorded at least 348 U.S. military personnel wounded in the ongoing Iran war. The casualty figures accompany Pentagon moves to expand hardened shelter capacity and additional force protection technologies under Operation Epic Fury.

The push toward increased bunker infrastructure signals a sustained threat environment requiring passive defense solutions alongside active measures. Prioritizing physical hardening reflects an operational assessment that personnel exposure to indirect fire or aerial attack remains a persistent variable in the theater.

🛰 Open sources - closed narratives
@sitreports
🔍 TSMC Japan 3nm Production 2028

TSMC's second factory in Japan is scheduled to begin equipment installation and mass production of 3-nanometre wafers in 2028, according to a Taiwanese government filing. The facility marks TSMC's continued geographic expansion of advanced-node manufacturing beyond Taiwan.

The 3nm node is currently among the most capable process technologies in volume production. Establishing this capacity in Japan shifts a portion of leading-edge semiconductor output into a second jurisdiction, reducing single-point geographic concentration in TSMC's production network.

☁️ Iran Strike Hits AWS Bahrain

An Iranian strike damaged Amazon's cloud computing infrastructure in Bahrain, according to a Reuters report citing the Financial Times.

The incident marks a direct physical impact on commercial cloud infrastructure from state military action. AWS's Bahrain region serves as a primary node for Gulf-area enterprise and government workloads, making its degradation operationally significant beyond Amazon's commercial exposure.

The targeting — whether deliberate or incidental — establishes a data point on the physical vulnerability of hyperscaler infrastructure to conventional strike activity in contested regions.

🤖 Army Tests AI Strike Drone

The 101st Airborne Division integrated Northrop Grumman's Lumberjack one-way attack drone into a recent training exercise, pairing the system with the Army's Maven Smart System for AI-enabled targeting trials.

The Lumberjack is a loitering munition designed for single-use strike missions. Its integration with Maven — the Army's primary AI targeting platform — indicates a structural push toward machine-assisted engagement decisions at the division level, embedding autonomous strike capacity into conventional airborne formations.

🔍 Handala Claims Israeli Defense Contractor Breach

Iranian hacker group Handala claims to have breached PSK Wind Technologies, a contractor responsible for designing and operating Israeli military command centers and air defense communication systems. The reported breach has not been independently confirmed.

The targeting of a third-party vendor embedded in the IDF supply chain follows an established pattern of perimeter bypass through contractor access. Direct military networks carry hardened defenses; vendors integrated into those networks frequently do not. Handala has previously used this method to reach assets that would otherwise require penetrating military-grade infrastructure.

🔍 UAE Iran Strike Narratives Diverge

A Bellingcat open-source review finds that UAE official statements on Iranian drone and missile strikes do not consistently match physical evidence and imagery available through open-source channels. Discrepancies center on strike outcomes — whether intercepted or successful — and the extent of documented damage.

The pattern fits an established information management model in which regional governments control damage acknowledgment to limit political exposure and maintain deterrence posture. Selective disclosure of intercept claims, without corroborating debris or impact data, functions as a structural feature of official battlefield communication rather than an exception.

📡 Navy Seeks RF Emulation for Drones

The U.S. Navy is pursuing technology capable of producing and managing realistic radio frequency signals on unmanned platforms, with application directed at Pacific Fleet operations. The program targets signal emulation on maritime drones to generate training environments that reflect operational electromagnetic conditions.

The requirement reflects a structural shift in how naval forces approach RF signal training — moving emulation capability onto unmanned systems rather than relying on dedicated shore or vessel-based range infrastructure. This reduces dependency on fixed facilities and embeds signal management directly into deployable drone platforms.

🔍 EU Commission Breach Hits 30 Entities

CERT-EU has attributed a cloud breach of the European Commission to the TeamPCP threat group. The intrusion exposed data belonging to at least 29 additional EU entities beyond the Commission itself.

The incident follows a pattern of adversaries targeting shared cloud infrastructure to achieve lateral data exposure across multiple institutional victims from a single point of compromise. Attribution to a named threat group indicates CERT-EU has sufficient technical indicators to move beyond preliminary assessment.

🔍 Drift Loses $285M, DPRK Linked

On April 1, 2026, decentralized finance platform Drift lost $285 million after attackers used a nonce-based social engineering attack to achieve administrative takeover of the protocol. The vector exploited nonce manipulation to authenticate fraudulent transactions, bypassing standard authorization controls.

The operation fits an established pattern attributed to DPRK-linked threat actors targeting cryptocurrency infrastructure. North Korean units have systematically combined technical exploit development with human-layer manipulation to extract funds from DeFi protocols, with proceeds assessed as financing state programs.

🔍 GitHub Used As North Korea C2

A phishing campaign linked to North Korean operators is targeting South Korean organizations using GitHub as a C2 infrastructure channel. Initial access is delivered via LNK files — Windows shortcut attachments that execute payloads upon interaction.

Routing command-and-control traffic through GitHub allows operators to blend malicious communications with legitimate platform activity, complicating network-level detection. The technique reduces the operational signature of the campaign by avoiding dedicated attacker-controlled domains.
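As an added illustration of the network-level detection problem described above (this is not part of the SITREP post and not code from any vendor tool), the following Python script scores request series to GitHub hosts by how regular their timing is: a developer pulling a repository produces irregular gaps, while a scheduled implant polling a raw-content URL produces near-constant ones. The log format, the 10.1.x.x addresses, the repository paths and the thresholds are all constructed assumptions.

```python
"""Flag hosts that poll GitHub at machine-regular intervals.

Added example, not from the SITREP post or from any vendor product. It
assumes proxy logs in a constructed "timestamp src_ip host path" form;
every line in SAMPLE_LOG is constructed sample data, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: one developer browsing GitHub at irregular
# times, and one workstation fetching the same raw file roughly every 60 s.
SAMPLE_LOG = """\
2026-04-02T09:00:03Z 10.1.4.20 api.github.com /repos/acme/app/pulls
2026-04-02T09:07:41Z 10.1.4.20 api.github.com /repos/acme/app/commits
2026-04-02T09:31:12Z 10.1.4.20 github.com /acme/app
2026-04-02T10:00:00Z 10.1.9.77 raw.githubusercontent.com /u1/r1/main/t.txt
2026-04-02T10:01:01Z 10.1.9.77 raw.githubusercontent.com /u1/r1/main/t.txt
2026-04-02T10:02:00Z 10.1.9.77 raw.githubusercontent.com /u1/r1/main/t.txt
2026-04-02T10:03:02Z 10.1.9.77 raw.githubusercontent.com /u1/r1/main/t.txt
2026-04-02T10:03:59Z 10.1.9.77 raw.githubusercontent.com /u1/r1/main/t.txt
2026-04-02T10:05:00Z 10.1.9.77 raw.githubusercontent.com /u1/r1/main/t.txt
"""

# GitHub-operated hostnames that legitimate traffic also uses; the point of
# the check is timing, not the hostname itself.
GITHUB_HOSTS = {"github.com", "api.github.com", "raw.githubusercontent.com",
                "gist.githubusercontent.com", "objects.githubusercontent.com"}


def parse_log(text):
    """Yield (datetime, src_ip, host, path) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, path = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, path


def find_beacons(text, min_requests=5, max_cv=0.15):
    """Return {(src, host, path): (mean_gap_s, cv)} for GitHub request series
    whose inter-request gaps are suspiciously regular.

    cv is stdev/mean of the gaps: human browsing has a high coefficient of
    variation, a scheduled poller a low one. Both thresholds are assumptions
    to be tuned against the environment's own baseline.
    """
    series = defaultdict(list)
    for ts, src, host, path in parse_log(text):
        if host in GITHUB_HOSTS:
            series[(src, host, path)].append(ts)
    hits = {}
    for key, times in series.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            hits[key] = (round(avg, 1), round(cv, 3))
    return hits


if __name__ == "__main__":
    for key, (avg, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"beacon candidate {key}: every ~{avg}s (cv={cv})")
```

On the constructed data only the 10.1.9.77 series is reported (five gaps averaging 60 s with a coefficient of variation near 0.03); the developer's three requests go to different paths and never reach the minimum count. In production the same scoring would run over proxy or DNS logs keyed by source host, with the minimum request count raised to suppress short bursts.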

🔍 CERT-UA Identity Spoofed, RAT Deployed

Between March 26 and 27, 2025, the Computer Emergency Response Team of Ukraine disrupted a campaign in which threat actors impersonated CERT-UA itself to deliver a Go-based remote access trojan to targets in Ukraine.

Spoofing a national cybersecurity authority to distribute malware inverts the trust model those institutions depend on for incident response coordination. Targets conditioned to act on CERT-UA communications become the attack surface.

📡 Kremlin Pushes State Messenger Adoption

The Kremlin is actively promoting MAX, a state-backed messaging application, as a preferred communications platform for Russian users. According to Reuters reporting, a segment of the population is declining to install the service.

State-promoted messaging infrastructure follows an established pattern in centralized communications strategy: routing civilian traffic through domestically controlled platforms enables metadata retention and content access under national law. Resistance from users indicates the substitution effort has not achieved passive adoption — a marker of incomplete normalization.

🔍 Fortinet Patches FortiClient EMS Flaw

Fortinet has released a patch for CVE-2026-35616, a privilege escalation vulnerability scoring 9.1 on the CVSS scale, affecting FortiClient EMS versions 7.4.5 through 7.4.6. Active exploitation has been recorded since March 31, 2026.

The vulnerability allows local or remote attackers to escalate privileges within affected EMS deployments. FortiClient EMS is commonly used in enterprise environments for endpoint management, making privilege escalation flaws in this component operationally significant for lateral movement scenarios.

🔍 Axios npm Compromised via Social Engineering

A maintainer of the Axios HTTP client library — one of the most widely used npm packages — was targeted through a social engineering operation attributed to North Korean threat actors. The attack used a fabricated Microsoft Teams error fix as a pretext to gain access to the maintainer's account, as detailed in a post-mortem published by the Axios team.

The method follows an established pattern in DPRK-linked intrusion sets: targeting individual developers with elevated repository access rather than attacking package infrastructure directly. Compromising a maintainer account provides write access to published packages, enabling downstream supply chain manipulation at scale across dependent projects.

🔍 150 Aircraft Deployed Over Iran

The U.S. military deployed over 150 aircraft to recover a downed aviator in Iran, according to Gen. Dan Caine. The recovery operation included tactical drones, strike aircraft, and additional assets providing overhead protection for search-and-rescue personnel on the ground.

The scale of the deployment reflects standard force-protection doctrine applied to personnel recovery in denied or contested territory — layered air cover to suppress interdiction of ground teams. Committing that volume of assets indicates the operation was conducted under conditions of active or anticipated threat, not permissive airspace.

✈️ Air Force Requests $1B CCA Drones

The U.S. Air Force has submitted a request for nearly $1 billion in fiscal year 2027 to begin CCA procurement, marking the transition of the Collaborative Combat Aircraft program from development into initial acquisition.

The CCA program is designed to field autonomous drone wingmen capable of operating alongside crewed fighter aircraft. A dedicated FY2027 budget line indicates the Air Force is moving toward operational inventory rather than continued prototype evaluation.

🔍 Marines Award ARV Second Prototype Phase

The U.S. Marine Corps has awarded a second prototyping phase for its Advanced Reconnaissance Vehicle to two major defense contractors. The ARV program targets a next-generation ground platform optimized for reconnaissance and intelligence-gathering in contested environments.

A dual-award structure at the second prototype phase indicates the Marine Corps is sustaining competitive pressure between vendors before committing to a single production contract. This approach distributes technical risk and preserves leverage over final design requirements.

🔍 Storm-1175 Chains Zero-Days to Ransomware

Storm-1175, a China-linked threat actor, has exploited over 16 CVEs since 2023 — including zero-days — to deploy Medusa ransomware within 24 hours of initial access. The operational tempo indicates a pre-staged pipeline: vulnerability exploitation feeds directly into ransomware execution with minimal dwell time, as detailed in this threat analysis.

The use of zero-days alongside known CVEs suggests tiered access to exploit inventory — high-value vulnerabilities deployed selectively, with patched CVEs used against unpatched infrastructure. Sub-24-hour ransomware deployment reduces the defensive detection window to near zero, consistent with actors prioritizing disruption over prolonged access.

🔍 FBI Dismantles Russian DNS Hijacking Network

The FBI executed Operation Masquerade, dismantling a covert router hijacking network attributed to Russian actors. The operation targeted infrastructure used to conduct DNS hijacking attacks against high-value individuals and organizations across thousands of compromised devices.

DNS hijacking at router level allows traffic interception and credential harvesting without detectable presence on endpoint devices. Targeting routers rather than hosts indicates a collection posture optimized for persistence and broad access across networks sharing the same gateway.

🔍 Iran-Linked Actors Hit U.S. PLCs

Iran-linked operators have disrupted U.S. critical infrastructure by targeting internet-exposed programmable logic controllers, deploying Dropbear SSH to establish persistent access across operational technology environments. The PLC campaign affected multiple sectors, indicating broad reconnaissance of exposed industrial control surfaces rather than a single-target operation.

The use of Dropbear — a lightweight SSH implementation common in embedded systems — points to a methodology optimized for low-footprint persistence on resource-constrained OT devices. Internet-exposed PLCs without segmentation or authentication controls represent a structurally persistent attack surface across U.S. industrial infrastructure.
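As an added example of the inventory check an OT defender would run against the exposure described above (not part of the SITREP post and not code from any vendor tool), the Python below takes an export from the organisation's own authorised service scan, groups open ports by host, and reports every host in a designated OT range that carries an SSH listener outside the approved baseline, noting whether the banner is Dropbear and whether the same host also speaks an industrial protocol. The subnets, addresses, banners and export format are constructed assumptions.

```python
"""Report SSH listeners on OT address ranges that nobody approved.

Added example, not from the SITREP post or from any vendor product. It
assumes a constructed scan export of "ip port service banner" lines from
an authorised internal scan, plus a list of which subnets are OT. Every
address, subnet and banner below is constructed sample data.
"""
import ipaddress
from collections import defaultdict

# Assumed OT ranges from the asset register (constructed).
OT_SUBNETS = [ipaddress.ip_network("10.50.0.0/16"),       # plant floor
              ipaddress.ip_network("192.168.200.0/24")]   # remote pump site

# Services whose presence marks a host as a controller or ICS gateway.
ICS_SERVICES = {"modbus", "enip", "s7comm", "dnp3"}

# Constructed scan export: ip, port, service, banner ("-" when none).
SCAN_EXPORT = """\
10.50.1.10 502 modbus -
10.50.1.10 22 ssh SSH-2.0-dropbear_2019.78
10.50.1.11 502 modbus -
10.50.1.12 22 ssh SSH-2.0-OpenSSH_8.4
10.20.3.5 22 ssh SSH-2.0-OpenSSH_9.2
192.168.200.7 44818 enip -
192.168.200.7 22 ssh SSH-2.0-dropbear_2022.83
"""


def parse_scan(text):
    """Yield (ip_address, port, service, banner) from the constructed export."""
    for line in text.splitlines():
        if line.strip():
            ip, port, svc, banner = line.split(maxsplit=3)
            yield ipaddress.ip_address(ip), int(port), svc, banner


def in_ot(ip):
    """True when the address (string or ip_address) sits in an OT subnet."""
    addr = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return any(addr in net for net in OT_SUBNETS)


def unexpected_ssh(text, baseline=frozenset()):
    """Return OT hosts with an SSH listener not in the approved baseline.

    Each finding records the banner, whether it is Dropbear, and whether the
    host also exposes an ICS protocol (a controller rather than a jump box).
    """
    by_host = defaultdict(dict)
    for ip, port, svc, banner in parse_scan(text):
        by_host[ip][svc] = banner
    findings = []
    for ip, svcs in by_host.items():
        if "ssh" not in svcs or not in_ot(ip) or str(ip) in baseline:
            continue
        banner = svcs["ssh"]
        findings.append({
            "ip": str(ip),
            "banner": banner,
            "dropbear": "dropbear" in banner.lower(),
            "ics_host": bool(ICS_SERVICES & set(svcs)),
        })
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for f in unexpected_ssh(SCAN_EXPORT):
        flag = "DROPBEAR" if f["dropbear"] else "ssh"
        kind = "controller" if f["ics_host"] else "host"
        print(f"{f['ip']:16} {flag:8} {kind:10} {f['banner']}")
```

On the constructed export the two Dropbear listeners both sit on hosts that also answer Modbus or EtherNet/IP, which is the combination the post describes; the OpenSSH host at 10.50.1.12 is reported too until it is added to the baseline, and the IT-range host at 10.20.3.5 is ignored. Running the same check on each scan cycle and diffing against the previous run turns a one-off audit into a persistence detector for the OT segment.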

🔴 Centcom Expands Drone Strike Scale

U.S. Central Command announced Tuesday that additional one-way attack drones were launched against Iran as part of Operation Epic Fury. The Centcom commander stated that hundreds of U.S. drones are involved in the operation.

The use of one-way attack drones at this declared scale indicates a sustained attrition-based strike posture rather than a discrete strike package. Mass expendable drone employment reduces reliance on crewed aircraft and complicates adversary air defense prioritization across multiple simultaneous vectors.
