The Itch to Know Who
Someone broke into the Homeland Security Information Network. HSIN is the unclassified platform DHS uses to share sensitive information with federal, state, and local partners; the place where agencies coordinate security operations before anything reaches a classified system. According to Nextgov reporting that DHS later confirmed, the intrusion hit a legacy information-sharing system and a SharePoint network used for partner collaboration. DHS isolated the compromised systems, opened a forensic investigation, and said there is no indication classified networks were touched. The platform stayed operational. It is HSIN's second incident, after a 2023 data exposure caused by a contractor's configuration error.
Here is what nobody has said: who did it. No attribution, no indicators of compromise, no TTPs. The actor is a blank space in every report I have read. And when you run a threat intelligence platform, a blank space like that is an itch you cannot leave alone. I have roughly 41,000 feed entries sitting in ArgusX. Surely the data could tell me something.
It could. Just not what I expected, and not what I initially thought it was telling me. This note is about both halves of that: what the data supported, and the moment it almost fooled me.
The honest constraint, stated up front: my feed coverage begins in April 2026 and this breach is fresh, so the corpus contains nothing about this specific incident. No IOCs exist to pivot on because none have been released. What ArgusX can offer is context and hypothesis material, not attribution. Everything below should be read with that frame.
Turning the Platform on the Question
The corpus is not fully entity-mapped yet, so this was keyword and structured-field work against the Supabase backend: the posts table, filtering on titles, bodies, plain-English summaries, MITRE tags, and origin-country fields. One wrinkle worth admitting: the body column stores RSS snippets, not full articles, so anything I found was a lead to chase back to source, not a finding in itself.
I ran three passes, each one deliberately wider than the last.
The Method Is Better Supported Than the Actor
The first pass returned the strongest material of the night. My corpus shows a dense, sustained cluster of actively exploited SharePoint vulnerabilities running through 2025 and 2026, dominated by deserialization and authentication-bypass remote code execution. CVE-2026-32201, a SharePoint zero-day flagged as actively exploited in April. CVE-2026-20963, also under active exploitation. CVE-2026-45659, an RCE with a CVSS score of 8.8. Behind those sits the 2025 ToolShell-era chain (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770) that was heavily abused against on-premises SharePoint, and older KEV entries going back to CVE-2019-0604. Dark Reading's framing of the stakes stuck with me: getting into an organization's SharePoint tends to hand an attacker the keys to a great deal more than SharePoint. HSIN's breached environment being a partner-collaboration SharePoint network makes that framing uncomfortably literal.
There is a second plausible door, and it does not involve exploiting the server at all. My data includes reporting on CORDIAL SPIDER and SNARKY SPIDER running adversary-in-the-middle credential phishing against SharePoint, HubSpot, and Google Workspace since October 2025. Against a collaboration environment full of external partner accounts, stolen credentials are at least as plausible an entry as server-side RCE, and considerably quieter.
The objective is the easiest part to characterize, because MITRE already wrote it down. T1213.002 describes adversaries mining a SharePoint repository to harvest information about internal structure and systems. That is nearly a job description for what an actor would want from HSIN. The value is not the server; it is the sensitive partner and planning data inside an information-sharing platform. For access and lateral movement, T1558.002, forging Kerberos Silver Tickets for services like SharePoint, rounds out a plausible technical picture. So I can describe the how and the why with reasonable rigor. The who is where it got interesting.
The Tempting Name
The second pass, the narrow one, produced a moment I want to be honest about, because it is the whole reason this piece exists. When I filtered for the full profile of the incident as I imagined it (nation-state actor, SharePoint webshells, government target), exactly one named group survived the intersection: APT27, better known as Emissary Panda, a China-nexus espionage group also tracked as TG-3390, Bronze Union, and Lucky Mouse. Planting webshells on the SharePoint servers of government networks is documented Emissary Panda tradecraft. For a few minutes, sitting alone with a query result, it felt like an answer.
Then I looked at the date on the pulse. It described activity from 2019, against government targets in the Middle East. Not this breach. Not this year. Not even this region. APT27 surfaced not because the evidence pointed there but because my filter was shaped exactly like that one historical report. I had built a funnel and then been impressed that something came out the bottom of it.
The trap, named: a narrow query does not find the answer, it manufactures one. APT27 sat at the intersection of my search terms, which is a selection effect, not a finding. The first name that surfaces is a property of the filter at least as much as a property of the world.
Widening the Lens
So I ran the third pass: drop SharePoint entirely and pull everything in the corpus involving nation-state activity against government targets. This is the query that dissolved my lead.
```sql
-- Widen to all government-targeting nation-state activity.
-- Caveat: ILIKE '%APT%' is a plain substring match, so it also catches
-- words such as "captured", "adaptive" and "laptop". The 200 rows that
-- come back are a triage list to read, not a clean hit list.
SELECT id, created_at, title, source_label, malware_family,
       origin_country, LEFT(plain_english, 300) AS snippet
FROM posts
WHERE (body ILIKE '%government%' OR plain_english ILIKE '%government%'
       OR body ILIKE '%federal agenc%' OR body ILIKE '%homeland%')
  AND (body ILIKE '%APT%' OR body ILIKE '%espionage%'
       OR body ILIKE '%nation-state%' OR origin_country IS NOT NULL)
ORDER BY created_at DESC
LIMIT 200;
```

The apparent China signal did not survive contact with the wider data. What came back instead was a crowded field: a broad, multi-nation set of clusters actively working government targets in this same window, any of which fits the shape of an unattributed intrusion into a US information-sharing platform.
| Archetype | In-corpus examples | Why it fits |
|---|---|---|
| Russia-nexus | APT29 phishing US and European government targets; APT28 against military and government worldwide; Turla converting Kazuar into a P2P botnet; COLDRIVER, Gamaredon, Cloud Atlas, Ghostwriter | Arguably the deepest bench in my data for sustained government-focused espionage, including credential phishing against exactly this kind of collaboration layer |
| China-nexus | Silk Typhoon (Government of Alberta), Mustang Panda, APT40, GopherWhisper (Mongolian government), TA416, and yes, APT27 | The documented home of SharePoint-webshell-against-government tradecraft, but one cluster among several, not a standout |
| Iran-nexus | APT42, APT34, Fox Kitten; an operation against twelve Omani ministries exposing 26,000 citizen records; joint FBI/CISA/NSA warnings on Iranian actors | Active, government-focused, and demonstrably interested in bulk data from ministry-class systems |
| DPRK-nexus | Lazarus, Kimsuky, APT43 / Emerald Sleet, plus the laptop-farm insider cases | Persistent espionage collection against government and policy targets alongside revenue operations |
| Criminal / ransomware | LockBit-linked Warlock webshell activity on SharePoint; SharkLoader delivering Cobalt Strike | SharePoint exploitation is not exclusive to states; criminal crews abuse the same CVE chain for access and extortion |
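To make the selection effect concrete, here is an added worked example. It is not part of the original post and not ArgusX code. It loads a handful of constructed feed entries into an in-memory SQLite table that borrows the column names mentioned above (`created_at`, `title`, `body`, `origin_country`), then runs a narrow filter shaped like the imagined incident beside a wide one shaped like the widening query. The rows, the year-extraction heuristic and the `\bAPT\d+\b` pattern are assumptions made for illustration; SQLite's `LIKE` is case-insensitive for ASCII and stands in for Postgres `ILIKE`.

```python
"""Reproducing the narrow-versus-wide selection effect on a toy corpus.

Added example, not ArgusX code. Every row in SAMPLE_POSTS is constructed;
the 2019 row imitates an old pulse that happens to match every term of a
narrow "nation-state SharePoint webshell against government" filter.
"""
import re
import sqlite3

# Constructed sample feed entries: (created_at, title, body, origin_country).
SAMPLE_POSTS = [
    ("2026-04-20",
     "Emissary Panda SharePoint webshells against Middle East governments (2019)",
     "APT27 deployed webshells on SharePoint servers of government targets in 2019.",
     "CN"),
    ("2026-04-22",
     "APT29 phishing against US and European government mailboxes",
     "Nation-state espionage phishing campaign against government mailboxes.",
     "RU"),
    ("2026-04-23",
     "Iranian cluster exfiltrates ministry records",
     "Espionage cluster pulled bulk citizen records from twelve government ministries.",
     "IR"),
    ("2026-04-24",
     "Warlock webshell activity on SharePoint",
     "Ransomware crew deploys webshells via a SharePoint RCE chain, then extorts.",
     None),
    ("2026-04-25",
     "Laptop theft at a federal agency",
     "Stolen laptops from a federal agency were captured on CCTV; the agency adapted its policy.",
     None),
]

YEAR_RE = re.compile(r"\b(?:19|20)\d{2}\b")
APT_RE = re.compile(r"\bAPT\d+\b")  # assumed group-name pattern, e.g. APT27


def build_corpus() -> sqlite3.Connection:
    """Create the toy posts table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, created_at TEXT, "
        "title TEXT, body TEXT, origin_country TEXT)"
    )
    conn.executemany(
        "INSERT INTO posts (created_at, title, body, origin_country) VALUES (?, ?, ?, ?)",
        SAMPLE_POSTS,
    )
    return conn


def narrow_query(conn):
    """Filter shaped like the imagined incident: state actor AND SharePoint AND
    webshell AND government. Whatever survives is a property of the filter."""
    return conn.execute(
        "SELECT title, body FROM posts WHERE "
        "(body LIKE '%APT%' OR body LIKE '%nation-state%') "
        "AND body LIKE '%sharepoint%' AND body LIKE '%webshell%' "
        "AND body LIKE '%government%' ORDER BY created_at DESC"
    ).fetchall()


def wide_query(conn):
    """Drop SharePoint and pull all government-targeting state activity."""
    return conn.execute(
        "SELECT title, body FROM posts WHERE "
        "(body LIKE '%government%' OR body LIKE '%federal agenc%' OR body LIKE '%homeland%') "
        "AND (body LIKE '%APT%' OR body LIKE '%espionage%' "
        "OR body LIKE '%nation-state%' OR origin_country IS NOT NULL) "
        "ORDER BY created_at DESC"
    ).fetchall()


def years_mentioned(text: str) -> list[int]:
    """Four-digit years found in a snippet: a cheap 'check the date on the pulse'."""
    return sorted({int(y) for y in YEAR_RE.findall(text)})


def flag_stale(rows, incident_year: int):
    """Rows whose oldest mentioned year predates the incident year.
    Heuristic only: a snippet that names no year passes silently."""
    stale = []
    for title, body in rows:
        years = years_mentioned(f"{title} {body}")
        if years and years[0] < incident_year:
            stale.append((title, years[0]))
    return stale


def apt_false_positives(conn):
    """Titles that LIKE '%APT%' catches only because 'apt' sits inside another
    word (laptop, captured, adapted) rather than in an actual APTnn name."""
    hits = conn.execute("SELECT title, body FROM posts WHERE body LIKE '%APT%'").fetchall()
    return [title for title, body in hits if not APT_RE.search(body)]


if __name__ == "__main__":
    conn = build_corpus()
    narrow, wide = narrow_query(conn), wide_query(conn)
    print(f"narrow filter: {len(narrow)} row(s)", [t for t, _ in narrow])
    print(f"wide filter:   {len(wide)} row(s)", [t for t, _ in wide])
    print("stale pulses in wide set:", flag_stale(wide, incident_year=2026))
    print("LIKE '%APT%' false positives:", apt_false_positives(conn))
```

Run it and the narrow filter returns exactly one row, a 2019 pulse, while the wide filter returns four, one of which matched only because "laptops" and "captured" contain "apt". The date check and the word-boundary pattern are the two cheap guards this kind of keyword work needs: look at when the described activity actually happened, and confirm that the term which selected a row means what you assumed it means.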
One more data point deserves mention, not as a lead but as context for how this actually works against US federal targets right now. CISA disclosed that an unnamed federal civilian agency's Cisco Firepower and ASA devices were compromised in September 2025 in the FIRESTARTER case, with malware that survived patching. That is current, confirmed tradecraft against US government infrastructure: edge devices and stubborn persistence. As a mental model for how someone gets into and stays inside a federal network, it is far more relevant than a 2019 SharePoint pulse from another continent. Which is exactly the point.
The Honest Landing
Do I have a suspicion? I do, and I will label it as exactly that. If forced to bet on an archetype, the method-fit leans toward China-nexus SharePoint operators, with APT27 as the in-corpus example of the pattern, because planting webshells on government SharePoint servers is documented tradecraft for that cluster in a way it is not for most others. That is an informed hypothesis. It is built on technique overlap with old reporting, not on a single indicator from this incident, and technique overlap is one of the weakest forms of attribution evidence there is. Techniques get shared, copied, and deliberately imitated.
So here is what I can actually defend. The actor is unknown, and my data does not narrow it to a nation. What the data does support is uncomfortable enough on its own: US and allied government systems are under active, simultaneous targeting by Russian, Chinese, Iranian, and North Korean state clusters, plus criminal crews abusing the same SharePoint weaknesses. The technical picture is far better supported than the actor: entry through a SharePoint RCE chain or AiTM credential phishing, with T1213.002 data mining as the likely objective.
The defensible output: unknown actor. Multiple candidate archetypes. Method well characterized. Confidence low, pending indicators. Anything more specific would be a guess wearing the costume of analysis.
The real lesson of the night was not about HSIN at all. It was watching my own narrow query manufacture a false lead, and watching a wider one dissolve it. Anchoring on the first name that surfaces is the exact failure mode that floods this space with confident, wrong attribution, and the only reliable defense is the boring one: widen the lens before you believe your own result. That discipline, keeping a bright line between claimed and confirmed, saying "candidate, not conclusion" while a tempting name sits right in front of you, is what I am trying to build into ArgusX at the platform level. It is also, honestly, the same muscle I have used for fifteen years in design: the first idea that fits is rarely the right one, and the job is to hold it loosely while you check the alternatives.
When DHS releases indicators, I will run them against the corpus and write the follow-up, whatever it says. If my suspicion turns out wrong, that follow-up gets more interesting, not less.
Methodology note: this piece reflects the author's own analysis. The breach description is based on public reporting confirmed by DHS. All corpus findings come from ArgusX, the author's threat intelligence platform (~41,000 feed entries, coverage beginning April 2026), queried by keyword and structured field. No attribution is claimed; no non-public information was used.