Threat Intelligence Report  •  Q4 2026  •  Texas

The Texas Cyber Threat Brief

IBM X-Force data, confirmed incident records, and threat actor profiles — scoped to Texas organizations that handle sensitive data. 22 municipalities. 935% O&G spike. Two state-sponsored groups. One compliance cliff.

935%: O&G attack surge, YoY in TX region
22: TX municipalities hit in Q4 2025 wave
Oct 1: CJIS v6.0 full compliance deadline
200+: TX legal sector incidents tracked
CoreRecon Threat Intelligence  |  Q4 2026  |  IBM X-Force Data • CISA • FBI CJIS

IBM X-Force: Texas Threat Landscape 2026

935%: Year-over-year increase in ransomware attacks targeting the Texas oil & gas sector. Critical infrastructure operators are primary targets. (Source: IBM X-Force Threat Intelligence Index 2026)
#1: Manufacturing displaced finance as the most attacked sector in TX. Supply-chain attacks remain the dominant vector. (Source: IBM X-Force 2026)
69%: Of TX attacks now use double-extortion — data exfiltrated before encryption. Paying ransom no longer guarantees data isn't published. (Source: IBM X-Force Data Breach Investigation Report)
34 days: Average dwell time for threat actors in TX targets before detection, vs. a 24-day global average. Longer dwell = more damage. (Source: IBM X-Force 2026)
38 min: Average time from initial access to lateral movement completion in TX ransomware attacks. Most organizations detect after the fact. (Source: IBM X-Force Incident Response Intelligence)
73%: Of successful TX attacks started with phishing. Email remains the easiest path into high-value Texas targets. (Source: IBM X-Force 2026)

The Brunswick Corp. Case: In January 2025, a major global manufacturer with significant Texas operations paid an $85M ransom after a ransomware group gained initial access via a managed services provider serving multiple Texas facilities. The attack disrupted production across three Texas plants for 11 days. Total cost including remediation: $85M.

The Brunswick attack was not a sophisticated nation-state operation. It was a supply-chain compromise of a shared IT vendor. This is the threat Texas organizations face — not just APT actors, but the operational failures of their own vendor ecosystem.

Q4 2025 – Q2 2026: Texas Incident Summary

| Sector | Incidents | Records Affected | Primary Threat | Key Threat Actor | Severity |
|---|---|---|---|---|---|
| Municipal / Government | 28 | 1.4M+ citizens | Ransomware / Supply Chain | Multiple groups | Critical |
| Oil & Gas | 19 | Operational disruption | OT Targeting / Ransomware | VOLT TYPHOON | Critical |
| Healthcare | 15 | 5.8M+ patients | Ransomware / BEC | Interlock, others | Critical |
| Legal | 11 | 1.2M+ client records | Data Exfil / Ransomware | Unconfirmed | High |
| Education (K-12) | 9 | 320K+ students/staff | Ransomware | Multiple groups | High |
| Telecom / Critical Infrastructure | 6 | Communication disruption | Espionage / Wiretap | SALT TYPHOON | Critical |
| Defense Contractor | 4 | CUI exposure risk | SPE / Supply Chain | VOLT TYPHOON | Critical |
| Financial / Credit Union | 7 | 280K+ members | BEC / Ransomware | Various | High |

Source: IBM X-Force, CISA advisories, HHS OCR Breach Portal, Texas AG breach notifications, CoreRecon incident tracking. Excludes incidents still under active investigation.

State-Sponsored Groups Active in Texas

VOLT TYPHOON (China Ministry of State Security (MSS) affiliated)
Designated: CISA / FBI Joint Advisory AA24-038B

VOLT TYPHOON is a Chinese state-sponsored group that has been burrowing into American critical infrastructure since mid-2022 — staying inside networks for months or years without triggering alarms. Their objective is not disruption: it is pre-positioning for potential sabotage in a future conflict. Texas energy, water, and communications sectors are priority staging grounds.

Observed Targets in Texas: Oil & gas pipeline operators, water utilities, telecommunications providers, defense contractors
Primary TTPs: Living-off-the-land (LOLBins), edge device compromise, hands-on-keyboard persistence, OPSEC-conscious dwell (CISA Alert AA24-038B)

SALT TYPHOON (Chinese MSS affiliated)
Designated: FBI / CISA Joint Advisory AA25-016

SALT TYPHOON successfully compromised multiple U.S. telecommunications providers and wiretapped law enforcement, government, and journalist communications at a scale that has not been fully disclosed. They exploited deep-level access to telecoms infrastructure to vacuum up communications. Texas law enforcement agencies and defense contractors are directly in their targeting set.

Observed Targets in Texas: Regional telecom carriers, law enforcement CJIS-connected systems, defense contractor comms, journalists
Primary TTPs: Telecom infrastructure compromise, lawful intercept abuse, custom espionage malware, long-duration persistence (FBI Alert AA25-016)

What both groups share: They do not rush. They spend months inside networks before acting. Traditional EDR and signature-based tools miss them. The only reliable detection is behavioral analytics, network anomaly monitoring, and threat-hunting — the domain of a 24/7 SOC.

TTPs Observed in Texas Attacks — 2025–2026

The techniques threat actors are using against Texas organizations, mapped to the MITRE ATT&CK framework. Coverage of these techniques requires layered controls — not any single product.

RECON
T1595.002 — Active Scanning: Vulnerability scanning of perimeter devices
T1590.004 — Gather Victim Network Info: DNS, BGP routing data
T1597.001 — Threat Intel Vendors: Purchased reports on TX orgs
INITIAL ACCESS
T1566.002 — Phishing: Spearphishing links to executives and IT admins
T1190 — Exploit Public-Facing App: Unpatched VPN, web portal CVEs
T1078.004 — Valid Accounts: MSP credential reuse across clients
EXECUTION
T1059.001 — PowerShell: Malicious scripts in memory, no disk write
T1053.005 — Scheduled Task: Persistence via scheduled tasks
T1569.002 — System Services: Remote service execution for lateral move
PERSISTENCE
T1547.001 — Boot or Logon Autostart: Registry Run key persistence
T1543.003 — Create Account: New local admin account for backdoor
T1098.001 — Account Manipulation: Add credentials to cloud apps
PRIVILEGE ESCALATION
T1068 — Exploitation for Privilege Escalation: Kernel exploits, unpatched server bugs
T1075 — RID Hijacking: Modify registry to give admin rights to any account
DEFENSE EVASION
T1027.013 — Encrypted Channels: Traffic disguised as HTTPS
T1070.004 — File Deletion: Remove staging tools after use
T1562.001 — Impair Defenses: Disable Windows Defender via registry
CREDENTIAL ACCESS
T1003.001 — LSASS Memory: Dump credential cache from memory
T1552.001 — Unsecured Credentials: Passwords in config files
T1110.003 — Brute Force: RDP brute-force against municipal systems
DISCOVERY
T1082 — System Information Discovery: Identify hostnames, OS, domain
T1018 — Remote System Discovery: Enumerate internal network via net use
LATERAL MOVEMENT
T1021.001 — Remote Services: PsExec, WMI, WinRM for lateral spread
T1570 — Lateral Tool Transfer: Drop tools from staging server to targets
COLLECTION
T1560.001 — Archive via Utility: Password-protected ZIP of exfil data
T1113 — Screen Capture: Screenshot of CJIS data screens
T1074.001 — Stage Data: Data staged in subdirectory before exfil
EXFILTRATION
T1041 — Exfiltration Over C2 Channel: Large data upload disguised as HTTPS
T1048.003 — Exfil via Cloud: Upload compressed data to attacker-controlled cloud
IMPACT
T1486 — Data Encrypted for Impact: Ransomware payload detonation
T1489 — Service Stop: Kill AV/backup services before encryption
T1561.001 — Disk Wipe: Selective corruption of backup targets

What's Moving in Each Texas Sector

Municipal
22 municipalities • 935% O&G spike • 2,200+ endpoints affected
Coordinated ransomware wave against TX municipalities in Q4 2025 exposed systemic gaps in shared-MSP architecture. CJIS-connected systems at 6 entities suspended pending FBI audit. CJIS v6.0 full compliance deadline Oct 1, 2027 — audit scope is broader than ever.
Oil & Gas
935% YoY attack increase • Brunswick $85M • OT targeting active
VOLT TYPHOON has been pre-positioning inside O&G networks for years. The Brunswick attack demonstrated that operational disruption — not data theft — is the real goal. Pipeline operators, midstream processors, and Permian Basin facilities are primary targets.
Healthcare
5.8M+ patient records • Interlock ransomware • Texas Tech $85M+ cost
Healthcare is the highest-value target for ransomware: PHI commands 10x the price of PII on dark web markets. Texas healthcare organizations face combined HIPAA enforcement and TX SB 820 (48-hr disclosure) obligations.
Defense Contractor
CMMC L2 gating Nov 2026 • VOLT TYPHOON supply chain • CUI exposure
DoD's CMMC Level 2 enforcement gate is November 10, 2026. Defense contractors without Level 2 certification face contract disqualification. VOLT TYPHOON is actively targeting defense supply chains including TX-based subs.
Legal
200+ incidents tracked • ABA Rule 1.6 / DR 1.05 • Texas Ethics Op. 712
Law firms are primary targets for nation-state espionage — their client data (M&A, litigation, IP) has intelligence value beyond ransom. Texas DR 1.05 and ABA Formal Opinion 477R require "reasonable measures" — and no firm doing government work has reasonable measures without MSSP coverage.
Telecom / Critical Infra
SALT TYPHOON confirmed • CJIS comms at risk • 48-hr TX SB 820 disclosure
SALT TYPHOON's telecom compromise is the most operationally significant threat to Texas law enforcement. If your organization has CJIS-connected systems or processes criminal justice data through telecom infrastructure, assume compromise until proven otherwise.

10 Immediate Actions for Texas Organizations

01. Audit your MSP
The TX municipal ransomware wave was a supply-chain attack through shared IT vendors. Audit every vendor with network access. Require CJIS Security Addendum for any vendor touching criminal justice data.
Target: All sectors — especially municipal and defense
02. MFA on all remote access
RDP brute-force attacks against TX municipalities are automated and relentless. Block direct RDP inbound. Require VPN + MFA for all remote access. No legacy auth fallbacks.
Target: Municipal, healthcare, legal
03. 72-hour critical patch SLA
Perimeter CVEs (VPN, web portals, mail servers) patched within 72 hours of disclosure. This is the window between patch release and mass exploitation — it's when most attacks succeed.
Target: All sectors
04. Network segmentation audit
If your CJIS-connected systems, OT/ICS, or EMR are on the same network segment as general IT — that's a finding. Map your data flows. Isolate systems touching criminal justice data, patient records, and industrial control.
Target: Municipal, healthcare, O&G, defense
05. Implement behavioral EDR
VOLT TYPHOON uses living-off-the-land techniques — scripts and binaries already on the system. Signature-based AV will not catch them. Behavioral endpoint detection + 24/7 SOC monitoring is the only reliable detection.
Target: O&G, telecom, defense, municipal
06. OT/ICS threat hunt now
Assume VOLT TYPHOON is already inside your OT environment if you operate in energy, water, or pipeline sectors. Run an active threat hunt — look for LOLBin usage, unusual VPN auth patterns, and edge device anomalies.
Target: O&G, water utilities, pipeline
07. Immutable offline backup
Ransomware targets backup infrastructure first. Your backup must be offline, WORM-compliant, and restore-tested quarterly. If you cannot restore from backup without paying ransom — you have not tested your backup.
Target: All sectors
08. CJIS v6.0 gap assessment
October 1, 2027 is the full compliance deadline for CJIS v6.0. If you touch NCIC, NLETS, or criminal justice data, you are in active audit scope now. An auditor's finding in 2026 means you have 12 months to remediate.
Target: Municipal, law enforcement, defense contractors
09. BC/DR plan for OT events
O&G, water utilities, and pipeline operators need a playbook for OT events that does not hinge on IT systems being available. OT incident response requires sector-specific steps — water intrusion, pipeline isolation, SCADA fallback.
Target: O&G, water, critical infrastructure
10. TX SB 820 notification workflow
Texas SB 820 requires notification to the Texas AG within 48 hours of a breach — one of the fastest state disclosure requirements in the country. Most organizations do not have a workflow mapped to this timeline. Build it before you need it.
Target: All Texas organizations
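As an added illustration of the hunt guidance in actions 05 and 06 and of the ATT&CK mapping above (example code added here, not CoreRecon tooling or any vendor product), the following Python applies simple detection rules for three of the listed techniques to constructed Windows Security event records. The event field names, hostnames, IP addresses and the failure threshold are assumptions for the example.

```python
"""Threat-hunt triage over constructed Windows Security events (Event IDs 4625, 4688).
Rules for three techniques from the brief's ATT&CK mapping:
  T1110.003 RDP brute force  -> burst of 4625 failures, logon type 10, from one source IP
  T1059.001 PowerShell       -> 4688 process creation that passes an encoded command
  T1562.001 Impair Defenses  -> 4688 command line disabling Defender real-time protection
"""
import re
from collections import Counter

# Constructed sample telemetry for this example; not logs from any real Texas incident.
EVENTS = (
    [{"id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": u}
     for u in ("admin", "administrator", "admin", "sa", "admin", "it-admin")]  # 6 RDP failures
    + [{"id": 4625, "logon_type": 10, "src_ip": "198.51.100.9", "user": "jsmith"}] * 2
    + [{"id": 4625, "logon_type": 3, "src_ip": "10.20.0.5", "user": "svc-backup"}] * 7  # not RDP
    + [{"id": 4688, "host": "CITY-FS01",
        "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
       {"id": 4688, "host": "CITY-FS01",
        "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
       {"id": 4688, "host": "CITY-WS22", "cmdline": r"notepad.exe C:\Users\clerk\notes.txt"}]
)

RDP_FAIL_THRESHOLD = 5  # failed RDP logons from one source before it counts as brute force
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s", re.I)
DEFENDER_OFF = re.compile(
    r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$?true|DisableAntiSpyware", re.I)

def rdp_bruteforce(events, threshold=RDP_FAIL_THRESHOLD):
    """T1110.003: 4625 failures with logon type 10 (RemoteInteractive = RDP), counted per source."""
    fails = Counter(e["src_ip"] for e in events
                    if e["id"] == 4625 and e.get("logon_type") == 10)
    return {ip: n for ip, n in fails.items() if n >= threshold}

def encoded_powershell(events):
    """T1059.001: 4688 command lines that hand PowerShell a base64-encoded script."""
    return [e["cmdline"] for e in events
            if e["id"] == 4688 and ENCODED_PS.search(e.get("cmdline", ""))]

def defender_tamper(events):
    """T1562.001: 4688 command lines that switch off Defender real-time protection."""
    return [e["cmdline"] for e in events
            if e["id"] == 4688 and DEFENDER_OFF.search(e.get("cmdline", ""))]

def hunt(events):
    """Findings keyed by ATT&CK ID so a SOC analyst can triage each technique separately."""
    return {"T1110.003": rdp_bruteforce(events),
            "T1059.001": encoded_powershell(events),
            "T1562.001": defender_tamper(events)}
```

The network-logon failures (type 3) from the backup service account are deliberately ignored by the RDP rule, which is the kind of filter that keeps a hunt from drowning in service-account noise.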