This advisory covers 8–13 April 2026 — Week 6 of the Iran–Israel–US conflict. The defining event of the week is the simultaneous publication of a joint six-agency CISA/FBI/NSA/DOE/EPA/Cyber Command advisory confirming Iranian APT groups have disrupted US critical infrastructure programmable logic controllers (PLCs) — and the announcement of a two-week ceasefire on the same day. The juxtaposition is the central security challenge for Week 6: the ceasefire does not reduce cyber risk. Expert consensus and Handala’s own declaration both indicate that it will expand it.
Five Key Developments
1. Six-agency joint advisory: Iranian APT confirms disruption of US PLCs at water, energy, ports
FBI, CISA, NSA, DOE, EPA, and US Cyber Command’s Cyber National Mission Force jointly published advisory AA26-097A confirming that Iranian-affiliated APT actors have disrupted Rockwell Automation/Allen-Bradley PLCs at US critical infrastructure since at least March 2026. Confirmed affected sectors: water and wastewater, energy, government facilities, and ports. Real-world operational disruption and financial loss have been confirmed. The advisory also warns that port scanning of Siemens S7 PLC protocols indicates potential expansion beyond Rockwell devices.
2. Two-week ceasefire announced; Islamabad talks collapse
A two-week ceasefire between the US, Israel, and Iran was announced on 8 April, mediated by Pakistan. JD Vance described it as a ‘fragile truce.’ Direct talks in Islamabad between Vance/Witkoff/Kushner and Iranian FM Araghchi and Parliament Speaker Ghalibaf failed without agreement on 12 April. Trump subsequently threatened a ‘full naval blockade’ of Iran. Iran’s internet blackout passed 1,000 consecutive hours by 11 April.
3. Handala formally declares ‘Cyber war will not end with any military ceasefire’
Handala published an explicit declaration on its X account following the ceasefire announcement: ‘The cyber war did not begin with the military conflict, and it will not end with any military ceasefire.’ The group stated it would temporarily postpone US-targeted attacks but confirmed it would continue targeting Israel without pause and would ‘revive efforts against America when the time is right.’
4. NERC ‘actively monitoring the grid’; experts warn ceasefire expands cyber-targeting scope
The North American Electric Reliability Corporation (NERC) confirmed it is ‘actively monitoring the grid’ and coordinating with DOE and the Electricity Subsector Coordinating Council following the CISA PLC advisory. Nozomi Networks expert Markus Mueller stated: ‘With a ceasefire, we will likely see an expansion of cyber activity both in scale and scope.’ Expert consensus is that groups will pivot from battlefield-adjacent targets to longer-dwell US infiltration of data centres, tech companies, and defence contractors.
5. Iran internet blackout passes 1,000 hours; no restoration timeline
Iran’s internet blackout passed 1,000 consecutive hours by 11 April 2026 — the longest confirmed nationwide internet shutdown on record globally. An Iranian Ministry of ICT official confirmed on 12 April that there is no timeline for internet restoration. Access remains at approximately 1% of pre-war levels. The continued blackout suppresses coordinated Iranian state APT activity from within Iran but has no effect on the proxy coalition operating externally.
The Ceasefire Cyber Paradox – Analysis
The 8 April ceasefire is the single most strategically consequential event for cyber threat posture this week — but not because it reduces risk. Expert consensus, Handala’s own declaration, and the historical precedent of Iranian cyber operations during diplomatic pauses all point to the same conclusion: a ceasefire is a cyber threat escalation event, not a de-escalation. BFSI organisations that reduce defensive posture based on the ceasefire announcement will face exactly the threat profile that multiple experts have warned is coming.
Why the ceasefire INCREASES cyber risk
- Operational pivot from battlefield to private sector: Groups freed from direct battlefield-adjacent operations can now redirect capacity to longer-dwell US private sector infiltration. Nozomi Networks confirmed this shift is the expected and historical pattern
- Handala explicitly stated US attacks are temporarily paused, not ended: The pause is tactical and time-limited. The group has a documented history of resuming exactly where it left off after operational pauses. The preparation period during the pause is likely being used for pre-positioning
- Ceasefire window is used for access establishment: Pre-positioned access is more valuable than real-time attack capability. A lull allows undetected network access establishment in US financial and defence-adjacent organisations that would be detected during high-alert kinetic conflict periods
- Israeli-linked BFSI operations have zero ceasefire protection: Handala explicitly stated Israel targeting continues without pause. Any BFSI entity with Israeli operations, Israeli technology vendors, or Israeli correspondent banking relationships faces unchanged attack risk throughout the ceasefire
- PLC attacks confirmed BEFORE ceasefire, not paused after: The CISA advisory confirms PLC disruption has been ongoing since at least March 2026. There is no advisory indicating this campaign has paused. Critical infrastructure attacks will continue during the ceasefire window
Ceasefire assumptions that do NOT hold
- ‘The ceasefire eliminates the Iranian cyber threat’: No ceasefire has ever stopped Iranian cyber operations. The 2015 JCPOA nuclear deal was followed by continued Iranian APT activity, and Handala has stated explicitly that the cyber war will not end with a ceasefire
- ‘The internet blackout means APTs are offline’: Pre-positioned access established before the blackout is independent of Iran’s domestic connectivity. MuddyWater’s confirmed access to a US bank and other footholds can be activated through external C2 infrastructure operating over satellite and proxy channels that the blackout does not affect
- ‘The Islamabad talks’ collapse ends the ceasefire immediately’: The ceasefire is a formal two-week pause. Even after the failed talks, the kinetic ceasefire may technically continue while diplomatic channels remain open, and the cyber campaign will not track the kinetic timeline precisely
- ‘BFSI organisations without a Middle East presence are safe’: The PLC advisory covers US domestic infrastructure, but Pay2Key’s 80% affiliate model targets any organisation aligned with the US/Israel coalition globally. Geographic distance from the conflict provides no protection
- ‘The ceasefire removes legal/sanctions risk’: OFAC sanctions on Iranian-designated entities remain in force throughout any ceasefire. Ransom payments to Handala or Pay2Key remain OFAC violations regardless of the diplomatic status of the conflict
Threat Outlook
The Ceasefire Is a Tactical Pause, Not a Strategic Reset
The 8 April ceasefire, the collapsed Islamabad talks (12 April), and Handala’s explicit declaration collectively confirm that the ceasefire is a kinetic pause with no bearing on cyber campaign continuity. Historical precedent is unambiguous: the 2015 JCPOA nuclear deal was followed by continued Iranian APT activity, and the 2020 Nagorno-Karabakh ceasefire saw a 300%+ increase in state-linked cyber incidents (per Mandiant). The Iran-US ceasefire follows the same pattern. BFSI organisations should model the ceasefire period as elevated risk, not reduced risk, for cyber operations specifically targeting US private sector infrastructure.
The PLC Campaign Is a Long-Running Operation, Not a New Escalation
CISA AA26-097A confirms Iranian-affiliated PLC disruption has been ongoing since at least March 2026 — and the IP addresses in the advisory have been active since January 2025. This is not a new campaign triggered by the conflict. It is a pre-existing persistent access operation that accelerated following the February 28 escalation. The implication is that Iranian actors may hold PLC access in US facilities that was established a year ago or more. BFSI organisations should run IOC log queries covering the full January 2025–present period, not just recent months.
Connectivity Restoration Is the Primary APT Recovery Trigger
The 1,000+ hour Iran internet blackout with no restoration timeline confirms that full Iranian state-sponsored APT capability remains suppressed for domestic actors. However, the failed Islamabad talks and Trump’s naval blockade threat mean that any eventual permanent settlement will include connectivity restoration as a deliverable. When domestic Iranian internet connectivity is restored — whether through a peace agreement or unilaterally — MuddyWater, APT34, APT33, and APT35 will resume full operational tempo. BFSI organisations should monitor for connectivity restoration as a cyber escalation trigger equivalent to a new kinetic escalation event.
The Ceasefire Creates the Conditions for a Stryker-Class Financial Sector Attack
Nozomi Networks’ explicit prediction that ceasefire conditions will produce a Stryker-class attack on a US organisation is the most significant expert assessment of Week 6. The logic is sound: groups freed from battlefield-adjacent operations, operating in a kinetically lower-pressure environment with reduced US military counter-pressure, seeking a high-visibility target to signal that ‘the cyber war did not end’ — will select a target with maximum public and economic impact. Major US financial institutions meet every criterion. BFSI organisations should treat the next 14 days — the official ceasefire window — as the highest-risk period for a Stryker-class wiper or identity-weaponization event against the US financial sector since the conflict began.
Revised Defensive Priorities – Week 6 Additions
- Conduct an immediate OT/ICS inventory: Identify all Rockwell Automation/Allen-Bradley and Siemens S7 PLCs in BFSI-operated or BFSI-adjacent facilities
- Query all network logs against the eight IP addresses in CISA advisory AA26-097A; preserve query results for regulatory review
- Brief your Board on the ceasefire cyber paradox: Do NOT reduce security posture or staffing during the ceasefire window
- Launch active threat hunting specifically targeting MuddyWater pre-positioned access during the ceasefire window
- Implement extended power outage continuity planning: Assume 72+ hours of grid unavailability as a scenario
- Activate a ‘ceasefire watch’ protocol: Monitor Handala Telegram and X channels daily for any announcement of US attack resumption
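One way to carry out the AA26-097A log sweep over the full January 2025-to-present window called for above, keeping the results in a hashed record for regulatory review. This is an added example, not tooling from the advisory, CISA or any vendor named here; the log line format, the sample lines and the two RFC 5737 addresses standing in for the advisory's eight IPs are all constructed placeholders.

```python
import hashlib
import json
import re
from datetime import date, datetime

# PLACEHOLDER: substitute the eight IPs from CISA AA26-097A (RFC 5737 test addresses here).
AA26_097A_IOCS = {"192.0.2.10", "198.51.100.7"}
# The advisory's addresses were active since January 2025: sweep that whole window.
WINDOW_START = date(2025, 1, 1)
# Assumed log format: "<ISO timestamp> src=<ip> dst=<ip> ..." (constructed for this example)
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+)")

def parse_line(line):
    """Return (timestamp, src, dst) for a well-formed line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
    except ValueError:  # unparsable timestamp: skip rather than abort the sweep
        return None

def sweep(lines, iocs=AA26_097A_IOCS, start=WINDOW_START):
    """Return every in-window line whose source or destination is an IOC."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[0].date() < start:
            continue
        ts, src, dst = parsed
        matched = {src, dst} & iocs
        if matched:
            hits.append({"timestamp": ts.isoformat(), "src": src, "dst": dst,
                         "ioc": sorted(matched)[0], "raw": line})
    return hits

def serialise(hits):
    """Canonical JSON record plus its SHA-256, so the result can be preserved for review."""
    record = {"advisory": "CISA AA26-097A", "window_start": WINDOW_START.isoformat(), "hits": hits}
    blob = json.dumps(record, indent=2, sort_keys=True).encode()
    return blob, hashlib.sha256(blob).hexdigest()

# Constructed sample lines, not real telemetry: line 3 predates the window, line 4 is junk.
SAMPLE_LOGS = [
    "2026-03-03T04:12:09 src=10.20.5.14 dst=192.0.2.10 proto=tcp dport=44818",
    "2026-03-03T04:13:44 src=10.20.5.14 dst=10.20.5.1 proto=tcp dport=443",
    "2024-11-02T09:00:00 src=198.51.100.7 dst=10.20.5.9 proto=tcp dport=502",
    "malformed line with no fields",
    "2025-06-18T22:47:01 src=198.51.100.7 dst=10.20.7.2 proto=tcp dport=102",
]
```

Write the returned blob to storage alongside its digest; re-hashing the file later shows whether the preserved record was altered.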
Sources & References
- CISA/FBI/NSA/DOE/EPA/US Cyber Command — Joint Advisory AA26-097A (8 April 2026)
- Cybersecurity Dive — NERC actively monitoring grid / CISA PLC advisory analysis (8 April 2026)
- Morphisec — Brad LaPorte PLC legacy OS assessment (8 April 2026)
- Nozomi Networks — Markus Mueller ceasefire cyber escalation assessment (AP/PBS, 8 April 2026)
- Wikipedia — 2026 Iran War Ceasefire article (updated 12–13 April 2026)
- Critical Threats Project/ISW — Iran Update Evening Special Report (6 April 2026)
- The World Now — ‘Ceasefire Catalysts: How US-Iran Truce is Forging New Global Cybersecurity Pacts’ (8 April 2026)
- AP / PBS NewsHour — ‘Shaky ceasefire unlikely to stop cyberattacks from Iran-linked hackers for long’ (8 April 2026)
- news4hackers — ‘Iranian State-Sponsored Cyber Attacks Continue Despite Shaky Ceasefire’ (9 April 2026)