Likelihood: HIGH
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Screening Serpens is an active, state-sponsored Iranian APT with confirmed targeting of defense, aerospace, and critical infrastructure sectors in the United States, Israel, and UAE. The combination of spearphishing delivery, six newly deployed RAT variants, and cloud-based C2 infrastructure indicates an operational, evolving campaign with an elevated probability of success against organizations in these verticals. Impact is rated high because a successful compromise enables long-duration covert access and theft of export-controlled technical data, military operational information, and personnel records, with downstream consequences that include government contract violations, program compromise, and potential regulatory action.
Treatment rationale: The threat is active, targeted, and poses consequences — including potential ITAR/EAR violations and contract security breaches — that cannot be accepted, transferred away in full, or avoided by operational changes alone; immediate and sustained defensive investment is the only proportionate primary response.
Third-Party / Supply-Chain Risk
Organizations sharing cloud infrastructure, managed service providers, or joint-venture platforms with targeted defense and aerospace primes face lateral exposure: Screening Serpens' cloud-based C2 tradecraft is consistent with living-off-trusted-cloud techniques that can traverse shared tenancy boundaries and third-party access paths; any vendor with privileged access to affected organizations' networks or data should be assessed under NIST SP 800-161 supply-chain risk management criteria.
Loss Exposure (illustrative)
Magnitude: high — illustrative $5M–$50M+ per organization, reflecting extended dwell-period IP exfiltration, potential contract suspension or termination, regulatory investigation costs, and incident response
Frequency: For an organization in the targeted sectors (US/Israel/UAE defense, aerospace, critical infrastructure), current campaign activity places the annualized event probability at an illustrative 10–25%, given confirmed active targeting and spearphishing delivery at scale
Annualized: Illustrative ALE: $500K–$12.5M annually for a targeted-sector organization (low end $5M × 10%, high end $50M × 25%), driven by high loss magnitude and elevated frequency given active campaign status
Basis: Loss magnitude derived from: (1) IR and remediation costs for a long-dwell APT compromise (typically months of forensic investigation, network rebuild, and legal response); (2) potential contract suspension or loss for defense/aerospace contractors facing DFARS or CMMC findings; (3) IP exfiltration of export-controlled technical data, which carries both competitive and regulatory cost consequences. Frequency derived from: confirmed active campaign status, spearphishing as a scalable delivery mechanism, and the breadth of the targeting set across three countries and multiple verticals. No third-party actuarial or benchmark data has been used.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Theft of export-controlled technical data or personnel records may invoke federal breach-notification obligations under applicable government contracts (e.g., DFARS 252.204-7012) — verify with counsel and contracting officer.
• Long-duration covert network access may constitute a reportable cybersecurity incident under CMMC or other contractual security requirements — verify with counsel.
• Compromise of covered defense information may trigger cyber-insurance notice obligations — verify with broker.
• Potential ITAR or EAR violations arising from unauthorized foreign-national access to controlled technical data may carry separate disclosure obligations — verify with export-control counsel.