<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div class="elementToProof" style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Disruptors,</div>
<div class="elementToProof" style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Please see Leslie's message below.</div>
<div class="elementToProof" style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Keep in mind this is TLP: AMBER.</div>
<div class="elementToProof" style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class="elementToProof" style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Thanks,</div>
<div id="Signature" class="elementToProof">
<div class="elementToProof" style="font-family: Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<p class="elementToProof" style="margin: 0in; font-family: Aptos, serif; font-size: 12pt;">
<span style="font-family: Arial, Helvetica, sans-serif;"><b>Kevin Galusha, CISSP</b></span></p>
<p class="elementToProof" style="margin: 0in; font-family: Aptos, serif; font-size: 12pt;">
<span style="font-family: Arial, Helvetica, sans-serif;">Cybersecurity Architect</span></p>
<p class="elementToProof" style="margin: 0in; font-family: Aptos, serif; font-size: 12pt;">
<span style="font-family: Arial, Helvetica, sans-serif;">Clackamas County Technology Services</span></p>
<p class="elementToProof" style="margin: 0in; font-family: Aptos, serif; font-size: 12pt;">
<span style="font-family: Arial, Helvetica, sans-serif;">(503)723-4960</span></p>
<p class="elementToProof" style="margin: 0in; font-family: Aptos, serif; font-size: 12pt;">
<span style="font-family: Arial, Helvetica, sans-serif; color: rgb(5, 99, 193);"><a href="mailto:KGalusha@clackamas.us" style="color: rgb(5, 99, 193); margin-top: 0px; margin-bottom: 0px;"><u>KGalusha@clackamas.us</u></a></span></p>
<p class="elementToProof" style="margin: 0in; font-family: Aptos, serif; font-size: 12pt;">
<span style="font-family: Arial, Helvetica, sans-serif; color: rgb(5, 99, 193);"><a href="http://www.clackamas.us/" style="color: rgb(5, 99, 193); margin-top: 0px; margin-bottom: 0px;"><u>www.clackamas.us</u></a></span></p>
<p class="elementToProof" style="margin: 0in; font-family: Aptos, serif; font-size: 12pt;">
 </p>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Kainoa, Leslie &lt;leslie.kainoa@cisa.dhs.gov&gt;<br>
<b>Sent:</b> Wednesday, April 15, 2026 9:46 AM<br>
<b>To:</b> Galusha, Kevin &lt;KGalusha@clackamas.us&gt;<br>
<b>Subject:</b> FW: [TLP:AMBER+STRICT] Danfoss Devices Targets of Iranian APT Cyber Actors</font>
<div> </div>
</div>
<style>
<!--
@font-face
        {font-family:"Cambria Math"}
@font-face
        {font-family:Calibri}
@font-face
        {font-family:Verdana}
@font-face
        {font-family:Aptos}
@font-face
        {font-family:"Comic Sans MS"}
@font-face
        {font-family:Georgia}
@font-face
        {font-family:Impact}
@font-face
        {font-family:Tahoma}
@font-face
        {font-family:"Trebuchet MS"}
p.x_MsoNormal, li.x_MsoNormal, div.x_MsoNormal
        {margin:0in;
        font-size:12.0pt;
        font-family:"Aptos",sans-serif}
a:link, span.x_MsoHyperlink
        {color:blue;
        text-decoration:underline}
span.x_EmailStyle38
        {font-family:"Aptos",sans-serif;
        color:windowtext}
.x_MsoChpDefault
        {}
@page WordSection1
        {margin:1.0in 1.0in 1.0in 1.0in}
div.x_WordSection1
        {}
-->
</style>
<div lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">

<div class="x_WordSection1">
<p class="x_MsoNormal">Hi Kevin, </p>
<p class="x_MsoNormal">This one is marked TLP:Amber+strict, but important for awareness.  We have been talking about how “non-IT” network-enabled devices are not monitored as diligently as standard IT and OT devices. I know I have made passing comments such
 as, “it is a good idea to include non-IT devices such as cameras, badge readers, and HVAC in active monitoring.”  Never a firm “these devices need to be included in regular logging and monitoring activities.” 
</p>
<p class="x_MsoNormal">Well, here we are.  Confirmation that APTs are now actively targeting these devices.  Can you please share with the Cyber Disruption Group?  If activity is detected, please report to CISA by emailing me directly or via the reporting portal
 at <a href="https://myservices.cisa.gov/irf">
IRF Incident Reporting Start - IRF</a>.  Thank you very much. </p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal" style="background:white"><span style="font-family:'Calibri',sans-serif; color:#242424">Respectfully,</span></p>
<p class="x_MsoNormal" style="background:white"><span style="font-family:'Calibri',sans-serif; color:#242424">Leslie Ann Kainoa, CISSP, GICSP, CDPSE</span></p>
<p class="x_MsoNormal" style="background:white"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif; color:#242424">Cybersecurity State Coordinator</span></p>
<p class="x_MsoNormal" style="background:white"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif; color:#242424">Cybersecurity and Infrastructure Security Agency</span></p>
<p class="x_MsoNormal" style="background:white"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif; color:#242424">Region 10 (OR)</span></p>
<p class="x_MsoNormal" style="background:white"><span style="font-size:11.0pt; font-family:'Calibri',sans-serif; color:#242424">(503) 462-5626</span></p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
<p class="x_MsoNormal"> </p>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p class="x_MsoNormal"><b><span style="font-size:11.0pt; font-family:'Calibri',sans-serif">From:</span></b><span style="font-size:11.0pt; font-family:'Calibri',sans-serif"> cyberliaisonsltt@cisa.dhs.gov &lt;cyberliaisonsltt@cisa.dhs.gov&gt;
<br>
<b>Sent:</b> Wednesday, April 15, 2026 9:33 AM<br>
<b>To:</b> CISA.IOD.REGION_All &lt;cisa.iod.region_all@cisa.dhs.gov&gt;<br>
<b>Subject:</b> [TLP:AMBER+STRICT] Danfoss Devices Targets of Iranian APT Cyber Actors</span></p>
</div>
<p class="x_MsoNormal"> </p>
<p> </p>
<p><strong><span style="font-family:'Aptos',sans-serif; color:#FFC000; background:black">TLP:AMBER+STRICT</span></strong></p>
<p> </p>
<p>Greetings SLTT Partners,</p>
<p> </p>
<p>CISA is reaching out to share with you the below information:</p>
<p> </p>
<p>Iranian APT cyber actors conducted public scans on 1 April 2026 probably seeking U.S.-based devices made by Danish-based HVAC application manufacturer Danfoss. The APT may have already had a list of almost 400 U.S. IP addresses associated with these devices.
 The APT may also have interest in Danfoss devices located in the UK, France, Germany, and Ukraine.</p>
<p> </p>
<p>As always, should you find malicious activity, please report it to CISA immediately.</p>
<p> </p>
<p> </p>
<p><span style="font-family:'Tahoma',sans-serif; color:black"></span><span style="color:black">Sincerely,</span></p>
<p> </p>
<p><strong><span style="font-family:'Aptos',sans-serif; color:#365F91">CyberLiaison SLTT</span></strong></p>
<p><span style="color:black">Cybersecurity and Infrastructure Security Agency (CISA)</span></p>
<p><span style="color:black">Cybersecurity Division | Joint Cyber Defense Collaboration (JCDC)</span></p>
<p><span style="color:black">SLTT Partnerships | </span><a href="mailto:CyberLiaisonSLTT@cisa.dhs.gov" target="_blank"><span style="color:#121BC7">CyberLiaisonSLTT@cisa.dhs.gov</span></a></p>
<p> </p>
<p><a href="https://www.cisa.gov/tlp" target="_blank"><span style="color:#121BC7">https://www.cisa.gov/tlp</span></a></p>
<p> </p>
<p>Recipients may share TLP:AMBER+STRICT information only with members of their own organization on a need-to-know basis to protect their organization and prevent further harm.</p>
</div>
</div>
</body>
</html>