State-sponsored cyber operations are government-backed attacks conducted by nation-state intelligence agencies and military units against foreign governments, critical infrastructure, financial institutions, and private sector targets. These operations include espionage campaigns targeting defense contractors and telecommunications networks, destructive malware deployments against power grids and water systems, cryptocurrency theft funding weapons programs, and data breaches compromising millions of records.

This map tracks confirmed, attributed cyber operations by state actors including China (Salt Typhoon, Volt Typhoon, MirrorFace), Russia (Sandworm, Midnight Blizzard), North Korea (Lazarus Group), and Iran (Handala, MuddyWater). Each operation is sourced from official government advisories (CISA, FBI, NSA), allied intelligence agencies (NPA, CERT-UA, NCSC), and verified security research firms. State-sponsored cyber operations directly affect energy prices, financial markets, insurance costs, supply chain stability, and national defense budgets.

How State-Sponsored Cyber Attacks Affect Your Finances

Government-backed cyber operations have direct financial consequences for businesses and households. When Russia's Sandworm group targets power grid infrastructure, energy prices spike and utility costs rise. North Korea's Lazarus Group funds its weapons program through cryptocurrency theft, with the FBI confirming $1.5 billion stolen from a single exchange in February 2025. China's Volt Typhoon pre-positioned inside U.S. water, energy, and transportation networks for at least five years according to CISA, creating ongoing risk to services that affect daily costs of living.

Cybersecurity insurance premiums have increased as carriers add exclusions for state-sponsored attacks and war-related events. Businesses pass these costs to consumers through higher prices on goods and services. Supply chain disruptions from attacks on shipping, logistics, and manufacturing systems affect everything from grocery costs to mortgage processing times. Global defense spending reached $2.887 trillion according to the SIPRI April 2026 release, a 2.9% real-terms increase, with cybersecurity accounting for a growing share of both government and corporate budgets.

Active Threat Actors on This Map

China: Salt Typhoon & Volt Typhoon

Salt Typhoon compromised at least nine U.S. telecom providers including AT&T and Verizon, accessing lawful intercept systems used by law enforcement. Volt Typhoon maintained persistent access to critical infrastructure across water, energy, and transportation sectors. Both campaigns were attributed by the FBI, CISA, and NSA through joint advisories.

Russia: Sandworm & Midnight Blizzard

GRU-operated Sandworm (APT44) deployed DynoWiper malware against Poland's power grid in December 2025, attributed by CERT Polska and ESET. SVR-linked Midnight Blizzard (APT29) compromised Microsoft corporate email accounts and used the access to target additional government and private sector organizations.

North Korea: Lazarus Group

The FBI confirmed Lazarus Group stole $1.5 billion in Ethereum from the Bybit exchange through a supply chain attack on Safe Wallet multi-sig infrastructure. North Korean operatives also infiltrate Western companies using fake identities, generating revenue that funds nuclear and missile programs according to DOJ indictments.

Iran: Handala & MuddyWater

MOIS-affiliated Handala conducted a destructive wiper attack against Stryker Corporation in March 2026, disabling its global Microsoft environment. The DOJ attributed Handala to Iran's Ministry of Intelligence. MuddyWater continues spearphishing campaigns against Middle Eastern government and telecom targets using legitimate remote management tools as initial access vectors.

Understanding the Map

Each arc on this map represents a confirmed cyber operation between an attacker nation and a target nation. Animated icons traveling along the arcs indicate the type of attack: espionage (spy icon), infrastructure attacks (power plug), malware deployment (bug icon), data breaches (unlock icon), financial theft (money bag), phishing (envelope), influence operations (megaphone), and network intrusions (door icon). For theft and data breach operations, the icon travels from the target back to the attacker, representing exfiltrated data or stolen assets.

Red markers identify attacker nations; blue shields identify target nations. Click any arc or marker for detailed information including the date, attribution source, whether the operation is ongoing, and a description of the attack. All operations are sourced from government advisories, allied intelligence agencies, and verified cybersecurity research firms.
