The first quarter of 2026 has reinforced a hard truth: U.S. government agencies and educational institutions are operating in the most hostile cyber threat environment ever recorded. From China-aligned nation-state actors persistently targeting congressional communications to ransomware gangs launching AI-enhanced campaigns against state governments and school districts, the threat landscape has grown measurably more dangerous, more automated, and more targeted.
This post distills the critical threat intelligence emerging from Q1 2026 and provides actionable guidance for public sector security leaders navigating this rapidly evolving terrain.
The Policy Context: A New National Cyber Doctrine
On March 6, 2026, the Trump Administration released "President Trump's Cyber Strategy for America" alongside an Executive Order on Combating Cybercrime, Fraud, and Predatory Schemes Against American Citizens. This landmark policy document sets the tone for the entire year:
- The strategy signals greater latitude for private sector offensive cyber operations, encouraging more aggressive deterrence postures
- It explicitly addresses the contested threat landscape — ransomware gangs, state-aligned criminals, and nation-state actors — as primary concerns
- It promotes increased public-private coordination as a core defense pillar
- It builds on the June 2025 EO that focused critical protections against nation-state cyber operations
For public sector security leaders, this policy shift matters; it signals that the federal government acknowledges we are in an era of active cyber conflict, not merely elevated risk. Defense strategies must match this reality.
Source: White House — President Trump's Cyber Strategy for America | White House EO — Combating Cybercrime
Nation-State Threats: Salt Typhoon Breaches Congress
The most strategically alarming Q1 2026 development confirmed what security researchers have warned for years: China-aligned nation-state actors have achieved deep, persistent access to U.S. government communications.
On January 9, 2026, SC Media and the NJCCIC confirmed that Salt Typhoon, the PRC-linked threat actor that previously breached major U.S. telecommunications carriers, successfully targeted U.S. House Committee staff emails, specifically focusing on congressional personnel working on national security-related committees with oversight over China's foreign policy and U.S. foreign affairs.
- Salt Typhoon's operations are confirmed "still very much ongoing" per FBI leadership as recently as February 2026
- In February, a U.S. Senator revealed that AT&T and Verizon had actively blocked the release of Salt Typhoon security assessment reports — raising serious concerns about transparency and regulatory oversight
- A related China-linked threat group, UAT-7290, was simultaneously targeting U.S. and allied telecommunications providers through exploitation of edge network device vulnerabilities, establishing persistent malware footholds
The combination of telecom infrastructure access and direct congressional email penetration means that Salt Typhoon may have achieved visibility into sensitive U.S. policy deliberations on China, a counterintelligence disaster with long-term implications.
Sources: Salt Typhoon Targets US House Committee Emails — NJCCIC | FBI: Salt Typhoon Still Ongoing — CyberScoop | AT&T/Verizon Block Reports — Nextgov
Education Sector: Record Data Exposure Despite Stabilizing Attack Counts
The education sector entered 2026 carrying the weight of a deeply damaging 2025:
- 251 ransomware attacks hit educational institutions globally in 2025 — a slight year-over-year uptick
- The U.S. accounted for the highest number of education-sector ransomware attacks of any country globally: 130 incidents
- 3.9 million records were exposed in education ransomware attacks in 2025 alone, a 27% increase over the prior year's 3.1 million records
- The education sector's average breach cost rose to $3.80 million per incident in 2025
- Of higher-education institutions that reported ransomware attacks, 59% reported full data exfiltration before encryption
These statistics are the direct legacy of the 2024–2025 school attack wave, and the pipeline of vulnerable institutions remains wide open in 2026. Schools continue to operate aging infrastructure, under-resourced IT teams, and fragmented security controls, making them perennially attractive targets.
Sources: Cybersecurity Dive — Education Ransomware 2025 | GovTech — School Records Exposed | Comparitech — Education Ransomware Roundup
State Government Systems Breached: Illinois & Minnesota DHS
Two major state government data exposure incidents bookended January 2026:
January 3 & 21, 2026 — Illinois and Minnesota Departments of Human Services:
- An Illinois DHS system misconfiguration exposed sensitive public assistance data — including PII for benefits recipients — to unauthorized online access
- A separate Minnesota DHS incident involved excessive internal access permissions leading to improper disclosure of personal and financial information; the two incidents together affected nearly one million people
Both incidents share a common root cause: configuration failures and inadequate access controls, vulnerabilities that proactive Cyber Risk Exposure Management practices can detect and remediate before exploitation occurs.
Source: Illinois/Minnesota DHS Breaches — Cyber Management Alliance
Law Enforcement Hit via Third-Party Attack: Anchorage Police
On January 16, 2026, Anchorage Police Department was forced to take its servers offline after a cyberattack on a third-party service provider disrupted access to critical systems and data. This incident is a textbook example of the third-party/supply chain attack vector now routinely weaponized against public sector organizations.
Law enforcement agencies, which depend on real-time data access for public safety operations, are particularly high-impact targets for supply chain disruption attacks.
Source: Anchorage Police Cyber Attack — Cyber Management Alliance
Critical Infrastructure: AI-Enabled Ransomware Takes Center Stage
TrendAI’s 2026 Security Predictions, The AI-fication of Cyberthreats, are already proving prescient just two months into the year. The defining evolution of Q1 2026 ransomware is the integration of agentic AI into attack chains:
- Ransomware groups are now deploying AI to autonomously handle reconnaissance, vulnerability scanning, victim prioritization, and even ransom negotiation, dramatically reducing the human effort required per attack
- 93% of security leaders expect to face daily AI attacks by 2025 (TrendAI Survey)
- The U.S. sees 62% higher attack frequency than the global average in early 2026
- A new initial access tool, Tsundere Bot, emerged in January 2026 specifically designed to automate credential theft and persistence in ransomware precursor operations
- The first half of 2025 saw a 65% year-over-year increase in ransomware incidents affecting government bodies (208 confirmed attacks), a trajectory that continues in 2026
Sources: Trend Micro Security Predictions 2026 — The AI-fication of Cyberthreats | SentinelOne — Cybersecurity Statistics 2026 | VikingCloud — Ransomware Statistics
Critical Vulnerabilities Actively Exploited Against Public Sector in Q1 2026
The vulnerability exploitation landscape in Q1 2026 is particularly dangerous for government and infrastructure operators:
| CVE | Product | Risk | Status |
|---|---|---|---|
| CVE-2020-12812 | Fortinet Firewalls | 2FA bypass — 10,000+ internet-exposed devices still unpatched | Actively exploited |
| CVE-2026-20274 | Cisco Unified Communications Manager | Remote code execution — critical | Actively exploited |
| CVE-2025-12825 | Fortinet FortiGate | Post-patch persistence — attackers maintain access after patching | Actively exploited |
| CVE-2026-20860 | VMware Aria Suite | Remote code execution — CISA emergency advisory issued | Actively exploited in wild |
| CVE-2025-38067 | Microsoft Office | Zero-day RCE via malicious Office documents | Actively exploited |
Key insight: Government agencies operating unpatched Fortinet, Cisco, or VMware infrastructure are at immediate, verified risk in Q1 2026. The continued exploitation of CVE-2020-12812, a 2020 vulnerability still unpatched on 10,000+ internet-facing firewalls, is a stark indictment of public sector patching cadence.
The TrendAI™ Response: From Reactive to Proactive
As outlined in our flagship research piece, U.S. Public Sector Under Siege, the threats facing government and education organizations in 2026 demand a fundamental shift from reactive incident response to proactive Cyber Risk Exposure Management.
TrendAI Vision One™ enables this transformation across four critical capabilities:
- Discover and Inventory All Assets including shadow IT, shadow AI, unmanaged endpoints, and third-party integrations that create blind spots exploited in the DHS and Anchorage incidents
- Assess Risk in Real-Time by continuously evaluating vulnerabilities like those in Q1's critical CVE list against live threat intelligence before attackers strike
- Predict Threat Exposure by leveraging behavioral analytics and threat actor profiling to anticipate Salt Typhoon-style persistence and AI-enabled ransomware precursor activity
- Automate Mitigation Workflows to reduce mean time to remediation across distributed government and campus environments, closing the patching gaps that are actively being exploited today
Priority Actions for Q1 2026
Based on Q1 2026 threat intelligence, here are the top five actions public sector security leaders should prioritize this quarter:
| Priority | Action | Addresses |
|---|---|---|
| Critical | Audit and patch (or virtually patch via IPS) all internet-facing Fortinet, Cisco, and VMware infrastructure — particularly CVE-2020-12812 and CVE-2026-20274 | Active zero-day exploitation |
| Critical | Enforce MFA across all state/federal employee and contractor access | Salt Typhoon, credential theft campaigns |
| High | Conduct third-party/contractor security assessments | Sedgwick ransomware, Anchorage police supply chain |
| High | Deploy behavioral detection and AI anomaly analysis | Tsundere Bot, LOTL techniques, AI-enabled ransomware |
| Important | Implement full asset visibility and continuous CREM scanning | DHS misconfiguration incidents, shadow IT |
What to Watch for the Rest of 2026
The trajectory of Q1 2026 points to several emerging threats that public sector organizations must monitor:
- Agentic AI in attack chains: threat actors are testing fully autonomous attack pipelines; expect rapid maturation and wider deployment
- Salt Typhoon scope expansion: with telecom and congressional access confirmed, expect targeting to extend to federal contracting databases, classification systems, and critical infrastructure control networks
- Ransomware targeting election systems: with midterm election cycles approaching, FED/SLED organizations connected to voter registration and election infrastructure face elevated risk
- Supply chain cascade attacks: expect government-serving vendors to be targeted, with the impact cascading to the agencies and institutions that depend on them
Final Thought
The 2026 threat landscape is not a continuation of 2025's challenges; it's an acceleration of them. AI is lowering the barrier to sophisticated attacks while simultaneously expanding the attack surface through the rapid adoption of AI-enabled government services. Nation-state actors have demonstrated the ability to penetrate the highest levels of U.S. government communications. Ransomware groups are operating with the efficiency of professional enterprises.
"The time for siloed, reactive security measures has passed. Cyber resilience demands intelligence-driven, integrated security strategies that anticipate threats and reduce exposure before attacks succeed."
U.S. Public Sector Under Siege, Trend Micro Research, Feb. 6, 2026
TrendAI™ Vision One™ is purpose-built for this moment, giving government agencies and educational institutions the visibility, intelligence, and automation they need to stay ahead of the threats reshaping the public sector.