The Activity And The Window

Since the second week of November 2025, an operator I track under the designator AMBER MERIDIAN has been conducting sustained reconnaissance against two federal civilian departments. The departments are not in the national security or law enforcement portfolio. The targeting set is consistent with a collector interested in U.S. domestic policy development, in regulatory rulemaking processes, and in the interagency coordination patterns that organize how the U.S. federal government produces policy decisions in specific issue areas.

I am withholding the names of the departments. I am withholding the implicated platform whose access architecture the initial vector exploits. I am withholding the affected build range. The patch process and the defensive coordination are in motion. Public naming of the affected departments or the platform at this stage would compromise the coordination and would direct attacker attention to the very systems the affected departments are now hardening.

The Collection Profile

The collection profile, based on the artifacts the affected departments have characterized in working-level coordination, points at three categories. Internal policy planning documentation that has not yet been published in formal regulatory form. Interagency coordination correspondence that traces the development of policy positions across the relevant federal-government working groups. Senior official scheduling and travel documentation that would, in the aggregate, allow the operator's customer to model the policy decision-making cadence at the senior leadership level.

The collection is, in plain reading, the collection an adversary would assemble if the adversary wanted to anticipate U.S. domestic policy decisions with materially more lead time than open-source observation would provide. The strategic value of that anticipation is substantial in categories where the adversary's own positioning, whether commercial or diplomatic, benefits from early visibility into U.S. regulatory or policy decisions. The customer profile is consistent with a state-affiliated collector operating with sustained operational priority on U.S. policy development.

The Defensive Read

If your organization is a federal civilian agency or a contractor with significant access to federal civilian policy planning documentation, your defensive posture for the next ninety days should treat sustained reconnaissance as the operational hypothesis rather than the unlikely contingency. The reconnaissance does not produce alerts at the volume your security operations center is tuned to. The reconnaissance produces patterns of low-volume document access, anomalies in administrative service-account behavior, and changes in the historical baseline of how the relevant policy planning systems are queried.

The questions to ask this week: Have you forwarded the full administrative-tier audit logs from your policy planning platforms to your security information and event management system, with retention matching the platform's stated capability? Have you reviewed service-principal access patterns over the last sixty days against a documented baseline? Have you reviewed senior official assistant accounts and contracted scheduling-support accounts for authentication anomalies in the same period? Each question is a hunting prompt. Run the prompts.
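The baseline-versus-window review the prompts call for, as an added example that is not part of the column and does not describe any real platform's log format. It assumes a minimal, hypothetical audit record of `ts`, `principal` and `resource`, builds a sixty-day per-principal baseline (daily access volume, resources touched, hours of day seen), and then flags the review window for volume spikes, never-before-seen resources, off-hours activity and principals with no baseline at all. The audit events are constructed inside the block so it runs offline; the principal and document names are invented.

```python
"""Baseline-versus-window review of principal access to a policy planning platform.

Added example: constructed data, hypothetical record schema {ts, principal, resource}.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Sixty-day baseline period followed by a one-week review window (constructed dates).
BASELINE = (datetime(2025, 9, 1), datetime(2025, 10, 31))
WINDOW = (datetime(2025, 11, 1), datetime(2025, 11, 8))


def build_baseline(events, start, end):
    """Per-principal baseline over [start, end): mean/std of daily access count
    (quiet days counted as zero), resources touched and hours of day active."""
    daily = defaultdict(lambda: defaultdict(int))   # principal -> date -> count
    resources, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if not (start <= e["ts"] < end):
            continue
        p = e["principal"]
        daily[p][e["ts"].date()] += 1
        resources[p].add(e["resource"])
        hours[p].add(e["ts"].hour)
    ndays = (end - start).days
    baseline = {}
    for p, per_date in daily.items():
        counts = list(per_date.values()) + [0] * (ndays - len(per_date))
        baseline[p] = {"mean": mean(counts), "std": pstdev(counts),
                       "resources": resources[p], "hours": hours[p]}
    return baseline


def review_window(events, baseline, start, end, z=3.0, min_excess=5):
    """Return one finding per (principal, day) anomaly inside [start, end)."""
    per_day = defaultdict(list)
    for e in events:
        if start <= e["ts"] < end:
            per_day[(e["principal"], e["ts"].date())].append(e)
    findings = []
    for (p, day), evs in sorted(per_day.items()):
        b = baseline.get(p)
        if b is None:                       # no history at all: review by hand
            findings.append({"principal": p, "day": day,
                             "kind": "unknown_principal", "detail": len(evs)})
            continue
        # Floor the threshold so a very quiet principal is not flagged by a single extra read.
        threshold = max(b["mean"] + z * b["std"], b["mean"] + min_excess)
        if len(evs) > threshold:
            findings.append({"principal": p, "day": day, "kind": "volume", "detail": len(evs)})
        new_res = sorted({e["resource"] for e in evs} - b["resources"])
        if new_res:
            findings.append({"principal": p, "day": day, "kind": "new_resources", "detail": new_res})
        off_hours = sorted({e["ts"].hour for e in evs} - b["hours"])
        if off_hours:
            findings.append({"principal": p, "day": day, "kind": "off_hours", "detail": off_hours})
    return findings


def constructed_events():
    """Deterministic synthetic events: an indexing service principal and a scheduling
    assistant behave normally for sixty days; in the window the service principal
    reads thirty unseen documents at 03:00 (constructed, not observed data)."""
    rng = random.Random(7)
    events, docs = [], [f"policy/draft-{i:03d}" for i in range(20)]
    for d in range(60):
        day = BASELINE[0] + timedelta(days=d)
        if day.weekday() >= 5:
            continue
        for _ in range(rng.randint(2, 5)):
            events.append({"ts": day.replace(hour=rng.randint(9, 16)),
                           "principal": "svc-policy-index", "resource": rng.choice(docs)})
        for h in (9, 14):
            events.append({"ts": day.replace(hour=h),
                           "principal": "asst-sched-01", "resource": docs[d % 5]})
    spike = datetime(2025, 11, 3, 3, 0)
    for i in range(30):
        events.append({"ts": spike + timedelta(minutes=i), "principal": "svc-policy-index",
                       "resource": f"policy/interagency-{i:03d}"})
    events.append({"ts": datetime(2025, 11, 4, 9), "principal": "asst-sched-01",
                   "resource": docs[1]})                   # ordinary window activity
    return events


def run_review(events=None):
    """Build the baseline and review the window; returns the findings list."""
    events = constructed_events() if events is None else events
    return review_window(events, build_baseline(events, *BASELINE), *WINDOW)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['day']} {f['principal']:18} {f['kind']:18} {f['detail']}")
```

The thresholds (`z`, `min_excess`) are deliberately simple; the value of the script is that it forces the baseline to be written down, which is the part of the hunting prompt most environments have not done. Feed it the platform's real administrative-tier logs through an adapter that produces the same three fields and the findings become a review queue rather than a guess.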

The Insider And Outsider Distinction

The insider and outsider distinction is the one for which most defensive frameworks at federal civilian agencies have been least well calibrated in this campaign. The AMBER MERIDIAN tradecraft does not require insider cooperation. The tradecraft requires misconfigured access architectures that the operator can work from outside the affected environments. The affected departments are, in my reading, hardening on the assumption that the access is external rather than internal. The hardening is the right call.

The insider risk should not be assumed to be absent. The insider risk should also not be the framing that organizes the defensive response. The framing that organizes the defensive response should be the framing that addresses both the external access vector the campaign is currently working and the insider risk that any sustained reconnaissance campaign eventually develops. The framing that addresses both is the framing that produces durable defensive outcomes.

What I Will Not Publish

I will not publish the names of the affected departments. I will not publish the implicated platform. I will not publish the affected build. I will not publish the initial access vector. I will not publish the indicators of compromise that defenders are observing in the affected environments. I will not publish the operator tradecraft signatures at a level that would allow replication.

The discipline of the withholding is the discipline that makes early reporting valuable rather than dangerous. The defenders who need to act on the framing can act. The opportunists who would otherwise use the framing as a pivot cannot use it. That is the architecture this column maintains.

What To Expect In The Public Reporting

Vendor-coordinated disclosure on the underlying platform issue is expected within the next eight to twelve weeks. CISA will issue a parallel advisory in coordination with the vendor and with the affected departments. The advisory will indicate the affected build range, the CVE identifier, and the defensive guidance for federal civilian agencies and for federal contractors with comparable access architectures.

The defenders who acted on the framing in this column will be ahead of the public timeline by approximately a quarter. The cluster has a designator. It does not yet have a press release. By the time it does, your incident response team should already know what to do. The activity has been ongoing for longer than the public reporting suggests. The defensive ask is the defensive ask. The remediation is the remediation.