[CDP-development] Fw: [TLP:AMBER+STRICT] Danfoss Devices Targets of Iranian APT Cyber Actors

Galusha, Kevin KGalusha at clackamas.us
Wed Apr 15 09:54:40 PDT 2026


Disruptors,

Please see Leslie's message below.

Keep in mind this is TLP: AMBER.


Thanks,


Kevin Galusha, CISSP

Cybersecurity Architect

Clackamas County Technology Services

(503)723-4960

KGalusha at clackamas.us

www.clackamas.us



________________________________
From: Kainoa, Leslie <leslie.kainoa at cisa.dhs.gov>
Sent: Wednesday, April 15, 2026 9:46 AM
To: Galusha, Kevin <KGalusha at clackamas.us>
Subject: FW: [TLP:AMBER+STRICT] Danfoss Devices Targets of Iranian APT Cyber Actors


Hi Kevin,

This one is marked TLP:Amber+strict, but important for awareness. We have been talking about how “non-IT” network-enabled devices are not monitored as diligently as standard IT and OT devices. I know I have made passing comments such as, “it is a good idea to include non-IT devices such as cameras, badge readers, and HVAC in active monitoring.” Never, a firm “these devices need to be included in regular logging and monitoring activities.”

Well, here we are.  Confirmation that APTs are now actively targeting these devices.  Can you please share with the Cyber Disruption Group?  If activity is detected please report to CISA by emailing me directly or via the reporting portal at IRF Incident Reporting Start - IRF<https://myservices.cisa.gov/irf>.  Thank you very much.



Respectfully,

Leslie Ann Kainoa, CISSP, GICSP, CDPSE

Cybersecurity State Coordinator

Cybersecurity and Infrastructure Security Agency

Region 10 (OR)

(503) 462-5626







From: cyberliaisonsltt at cisa.dhs.gov <cyberliaisonsltt at cisa.dhs.gov>
Sent: Wednesday, April 15, 2026 9:33 AM
To: CISA.IOD.REGION_All <cisa.iod.region_all at cisa.dhs.gov>
Subject: [TLP:AMBER+STRICT] Danfoss Devices Targets of Iranian APT Cyber Actors





TLP:AMBER+STRICT



Greetings SLTT Partners,



CISA is reaching out to share with you the below information:



Iranian APT cyber actors conducted public scans on 1 April 2026 probably seeking U.S.-based devices made by Danish-based HVAC application manufacturer Danfoss. The APT may have already had a list of almost 400 U.S. IP addresses associated with these devices. The APT may also have interest in Danfoss devices located in the UK, France, Germany, and Ukraine.



As always, should you find malicious activity, please report it to CISA immediately.





Sincerely,




CyberLiaison SLTT

Cybersecurity and Infrastructure Security Agency (CISA)

Cybersecurity Division | Joint Cyber Defense Collaboration (JCDC)

SLTT Partnerships | CyberLiaisonSLTT at cisa.dhs.gov



https://www.cisa.gov/tlp



Recipients may share TLP:AMBER+STRICT information only with members of their own organization on a need-to-know basis to protect their organization and prevent further harm.