Cyber Threat Monitor

Active cyber operations, state-sponsored campaigns, and digital security posture tied to current DEFCON conditions.

Threat data is sourced from CISA, FBI, NSA, DNI threat assessments, Palo Alto Unit 42, and verified cybersecurity reporting. This page tracks threat-driven cyber activity, not product recommendations.

State-Sponsored Cyber Operations

The 2026 DNI Annual Threat Assessment identifies China and Russia as the most persistent and active cyber threats to the United States. China-nexus actors remained among the most active state threats in 2025, heavily targeting edge devices, telecommunications, defense contractors, and government networks. Mandiant's M-Trends 2026 report found exploits were the most common initial access vector for the sixth straight year, at 32% of intrusions. APT28 (Russia) has deployed PROMPTSTEAL, the first confirmed state-sponsored malware integrating large language models into live operations, used against Ukrainian targets. North Korean operatives are using AI-generated personas to infiltrate Western technology companies as fake remote contractors while North Korean state hackers, including the Lazarus Group, stole more than $2 billion in cryptocurrency in 2025 according to Chainalysis, helping finance Pyongyang's weapons programs.

Bar chart showing APT activity share by nation-state: Russia 40%, China 25%, Iran 20%, North Korea 15%

Beyond cyber warfare, each state-sponsored threat actor presents a unique combination of nuclear, conventional military, economic, and space capabilities. The chart below profiles these five dimensions for each nation - the farther a point extends from center, the greater that nation's assessed capability in that domain.

Radar chart comparing Russia, China, Iran, and North Korea across five threat dimensions: cyber, nuclear, conventional military, economic power, and space capabilities

Tracked Operations: Attackers and Targets

56 confirmed state-sponsored cyber operations, 29 currently active. Each operation is attributed by government agencies or verified cybersecurity research firms. Nations listed below appear in tracked operations as attackers or as targets.

Attacker Nations

Targeted Nations

Open the Live Cyber Attack Map →

Iran-Linked Cyber Operations

Iran-linked cyber operations have continued and expanded despite disruptions to state infrastructure earlier in 2026. On April 7, 2026, CISA, the FBI, NSA, and EPA issued a joint advisory (AA26-097A) warning that Iranian-affiliated threat actors are actively exploiting internet-facing programmable logic controllers (PLCs) in water, wastewater, and energy systems across the United States. The advisory notes the targeting escalated alongside hostilities between Iran and the United States and Israel, and reflects a sustained effort to pre-position access in critical infrastructure networks that outlasts any single military escalation.

Stryker Attack - March 11

The Handala group, an Iran-linked actor that security researchers assess operates as a front for Iran's Ministry of Intelligence and Security (MOIS), compromised administrator access to medical device maker Stryker's Microsoft Intune device-management console on March 11, 2026 and issued remote-wipe commands that hit more than 200,000 enrolled devices worldwide, halting manufacturing and ordering systems. The FBI seized Handala's data leak site on March 19 and CISA issued an emergency advisory. The attack has driven cyber insurance carriers to reassess coverage for healthcare device manufacturers.

Active Iranian Groups

Mandiant tracks UNC1549, an Iran-linked group that breaches aerospace, aviation, and defense firms using fake recruiter profiles and bogus career portals mimicking companies like Boeing and Airbus, a lure tactic previously associated with North Korea. Its activity expanded into Western Europe, including Portugal, Sweden, and Denmark, through late 2025. Separately, MuddyWater (Seedworm), tied to Iran's intelligence ministry, ran Operation Olalampo, a spear-phishing campaign deploying custom backdoor malware across the Middle East in early 2026, and maintains persistent espionage against Gulf energy and telecommunications targets.

CYBERCOM Response

In April 2026, CISA, the FBI, and NSA issued a joint advisory warning that Iranian cyber actors are positioning for attacks on U.S. critical infrastructure water and energy programmable logic controllers. CYBERCOM maintains elevated posture with 24/7 defensive and hunt-forward operations across critical infrastructure networks. NERC's E-ISAC activated coordinated grid monitoring protocols following the joint advisory. CYBERCOM's FY2026 budget request totals roughly $2.6 billion, part of a broader $9.1 billion Department of Defense cybersecurity request.

Ransomware Activity

Ransomware payments totaled $820 million in 2025 with only 28% of victims paying, an all-time low, according to the Chainalysis 2026 Crypto Crime Report. Despite declining payouts, attack volume surged: roughly 7,300 to 7,800 companies were named on ransomware leak sites in 2025, up about 45 to 50% year-over-year, with a record 85 active extortion groups tracked in a single quarter. In Q1 2026, GuidePoint Security's GRIT tracked 2,122 victims across 65 countries, an average of 707 per month and the highest quarter on record. A cartel led by DragonForce has formed a coalition with LockBit and Qilin.

Bar chart showing ransomware victims rising from 520 in September 2025 to 680 in February 2026

Critical Infrastructure Threats

Critical infrastructure faces accelerating cyber threats globally. The Check Point 2026 Cyber Security Report recorded 1,968 cyberattacks per week worldwide in 2025, a 70% increase since 2023, with AI-driven techniques now embedded across the attack lifecycle. On April 8, 2026, CISA and the FBI issued a joint advisory on active state-sponsored targeting of industrial control systems and PLCs at water, wastewater, and energy facilities. A coordinated cyberattack on Polish energy grid edge devices in April 2026 caused regional distribution disruption, the first confirmed operational technology-layer grid attack in a NATO member nation in 2026, which CISA now uses in active threat briefings. In the United States, the EPA found nearly 70% of water utilities inspected were in violation of basic cybersecurity standards.

Water Systems

Nearly 70% of water utilities inspected by the EPA were in violation of basic cybersecurity standards - default passwords, improper employee offboarding, and unpatched systems. On April 8, 2026, CISA and the FBI specifically warned water and wastewater operators of active PLC targeting by Iranian-affiliated actors. IRGC-affiliated groups have previously exploited PLCs in U.S. systems, documented in CISA Advisory AA23-335A. The American Water Works Association estimates U.S. drinking water infrastructure will require $2.1 to $2.4 trillion in investment over the next 25 years.

Energy & Power Grids

Volt Typhoon specifically pre-positions in IT networks to laterally move to operational technology (OT) assets for disrupting power grids and energy infrastructure at a chosen time. NERC's E-ISAC activated coordinated grid monitoring protocols in April 2026 following the FBI-CISA joint advisory on ICS targeting. A cyberattack on Polish grid edge devices in April 2026 caused regional distribution disruption - the first confirmed OT-layer grid attack in a NATO member nation in 2026, now used by CISA in active threat briefings.

Data Breaches

The Verizon 2025 DBIR confirmed 12,195 data breaches globally. Separately, the Identity Theft Resource Center reported 1.35 billion U.S. data breach notification letters sent in 2024, a 211% jump over the prior year. IDMerit exposed approximately one billion sensitive records across 26 countries in February 2026, one of the largest KYC data leaks in history. Infutor exposed 677 million records including Social Security numbers. These breaches represent billions in potential remediation, credit monitoring, and identity theft protection expenses for affected organizations.

Bar chart showing major data breaches in early 2026: IDMerit 1 billion, Infutor 677 million, SoundCloud 29 million, Conduent 25 million, Odido 6.2 million records

Cyber Defense Posture

Global cybersecurity spending is projected to reach $244 billion in 2026, up 13.3% from $213 billion in 2025, according to Gartner. The EU's NIS2 directive, which took effect in October 2024, mandates cybersecurity standards across 18 critical sectors for all member states. In the United States, CISA's Shields Up advisory remains active. The FY2027 budget proposal would set CISA funding at $2.49 billion, reflecting $707 million in gross program cuts (a net reduction of about $386 million), eliminating election security programs and reducing the cybersecurity workforce by 867 positions.

Bar chart showing global cybersecurity spending growing from $150 billion in 2022 to a projected $240 billion in 2026

Explore More

Full Library →