Cyber Threat Monitor
Active cyber operations, state-sponsored campaigns, and digital security posture tied to current DEFCON conditions.
Threat data is sourced from CISA, FBI, NSA, DNI threat assessments, Palo Alto Unit 42, and verified cybersecurity reporting. This page tracks threat-driven cyber activity, not product recommendations.
State-Sponsored Cyber Operations
The 2026 DNI Annual Threat Assessment identifies China and Russia as the most persistent and active cyber threats to the United States. China-nexus actors remained among the most active state threats in 2025, heavily targeting edge devices, telecommunications, defense contractors, and government networks. Mandiant's M-Trends 2026 report found exploits were the most common initial access vector for the sixth straight year, at 32% of intrusions. APT28 (Russia) has deployed PROMPTSTEAL, the first confirmed state-sponsored malware integrating large language models into live operations, used against Ukrainian targets. North Korean operatives are using AI-generated personas to infiltrate Western technology companies as fake remote contractors while North Korean state hackers, including the Lazarus Group, stole more than $2 billion in cryptocurrency in 2025 according to Chainalysis, helping finance Pyongyang's weapons programs.

Beyond cyber warfare, each state-sponsored threat actor presents a unique combination of nuclear, conventional military, economic, and space capabilities. The chart below profiles these five dimensions for each nation - the farther a point extends from center, the greater that nation's assessed capability in that domain.

China - Volt & Salt Typhoon
CISA, NSA, and FBI confirm PRC state-sponsored actors have maintained persistent access to U.S. critical infrastructure networks for at least five years. Volt Typhoon pre-positions for disruption of power grids, water systems, and transportation. Salt Typhoon targets telecommunications providers for espionage since 2019. Breaches are costly across the board: the global average fell to $4.44 million in 2025 from $4.88 million in 2024, with healthcare the most expensive sector at $7.42 million, according to IBM's 2025 Cost of a Data Breach Report.
Russia - Hacktivists & APTs
Russia-linked groups represent the largest share of tracked APT activity across all monitored threat actors. Pro-Russia hacktivists - Cyber Army of Russia Reborn, Z-Pentest, NoName057(16) - continue to target U.S. water, food/agriculture, and energy infrastructure according to CISA Advisory AA25-343A.
North Korea - Lazarus Group
The Lazarus Group stole $1.5 billion from Bybit in February 2025, the largest crypto exchange theft in history. North Korean actors stole $2.02 billion in cryptocurrency in 2025, a 51% increase year-over-year and roughly 59% of all crypto stolen globally that year, according to Chainalysis. Mandiant's M-Trends 2026 report documents North Korean operatives infiltrating Western technology companies by posing as remote IT contractors, gaining insider access to corporate networks and intellectual property.
Tracked Operations: Attackers and Targets
56 confirmed state-sponsored cyber operations, 29 currently active. Each operation is attributed by government agencies or verified cybersecurity research firms. Nations listed below appear in tracked operations as attackers or as targets.
Attacker Nations
- China (18 operations)
- Russia (14 operations)
- North Korea (9 operations)
- Iran (6 operations)
- United States (2 operations)
- Belarus (2 operations)
- India (2 operations)
- Algeria (1 operation)
- Israel (1 operation)
- Vietnam (1 operation)
Targeted Nations
- United States (17 operations)
- Ukraine (6 operations)
- European Union (3 operations)
- Japan (3 operations)
- United Kingdom (2 operations)
- Southeast Asia (2 operations)
- Taiwan (2 operations)
- Poland (2 operations)
- Iran (2 operations)
- Norway (1 operation)
- Singapore (1 operation)
- Czech Republic (1 operation)
- Tajikistan (1 operation)
- Morocco (1 operation)
- Iraq (1 operation)
- Yemen (1 operation)
- South Korea (1 operation)
- United Arab Emirates (1 operation)
- Canada (1 operation)
- Kazakhstan (1 operation)
- Italy (1 operation)
- Sweden (1 operation)
- Israel (1 operation)
- Russia (1 operation)
- Pakistan (1 operation)
- China (1 operation)
Iran-Linked Cyber Operations
Iran-linked cyber operations have continued and expanded despite disruptions to state infrastructure earlier in 2026. On April 7, 2026, CISA, the FBI, NSA, and EPA issued a joint advisory (AA26-097A) warning that Iranian-affiliated threat actors are actively exploiting internet-facing programmable logic controllers (PLCs) in water, wastewater, and energy systems across the United States. The advisory notes the targeting escalated alongside hostilities between Iran and the United States and Israel, and reflects a sustained effort to pre-position access in critical infrastructure networks that outlasts any single military escalation.
Stryker Attack - March 11
The Handala group, an Iran-linked actor that security researchers assess operates as a front for Iran's Ministry of Intelligence and Security (MOIS), compromised administrator access to medical device maker Stryker's Microsoft Intune device-management console on March 11, 2026 and issued remote-wipe commands that hit more than 200,000 enrolled devices worldwide, halting manufacturing and ordering systems. The FBI seized Handala's data leak site on March 19 and CISA issued an emergency advisory. The attack has driven cyber insurance carriers to reassess coverage for healthcare device manufacturers.
Active Iranian Groups
Mandiant tracks UNC1549, an Iran-linked group that breaches aerospace, aviation, and defense firms using fake recruiter profiles and bogus career portals mimicking companies like Boeing and Airbus, a lure tactic previously associated with North Korea. Its activity expanded into Western Europe, including Portugal, Sweden, and Denmark, through late 2025. Separately, MuddyWater (Seedworm), tied to Iran's intelligence ministry, ran Operation Olalampo, a spear-phishing campaign deploying custom backdoor malware across the Middle East in early 2026, and maintains persistent espionage against Gulf energy and telecommunications targets.
CYBERCOM Response
In April 2026, CISA, the FBI, and NSA issued a joint advisory warning that Iranian cyber actors are positioning for attacks on U.S. critical infrastructure water and energy programmable logic controllers. CYBERCOM maintains elevated posture with 24/7 defensive and hunt-forward operations across critical infrastructure networks. NERC's E-ISAC activated coordinated grid monitoring protocols following the joint advisory. CYBERCOM's FY2026 budget request totals roughly $2.6 billion, part of a broader $9.1 billion Department of Defense cybersecurity request.
Ransomware Activity
Ransomware payments totaled $820 million in 2025 with only 28% of victims paying, an all-time low, according to the Chainalysis 2026 Crypto Crime Report. Despite declining payouts, attack volume surged: roughly 7,300 to 7,800 companies were named on ransomware leak sites in 2025, up about 45 to 50% year-over-year, with a record 85 active extortion groups tracked in a single quarter. In Q1 2026, GuidePoint Security's GRIT tracked 2,122 victims across 65 countries, an average of 707 per month and the highest quarter on record. A cartel led by DragonForce has formed a coalition with LockBit and Qilin.

Top Groups
Qilin leads Q1 2026 with 338 victims, approximately 16% of all tracked attacks and a significant acceleration from 107 in January alone. The top 10 groups accounted for 71% of all Q1 2026 victims according to GuidePoint Security GRIT. Akira, CL0P, and LockBit remain in the top five; RansomHub has grown rapidly with government and healthcare targeting. Sophos reported the average ransomware recovery cost, excluding the ransom itself, fell to $1.53 million in 2025, with the median ransom payment dropping to $1 million.
Hardest-Hit Sectors
Healthcare: 27 incidents in January, surging to 93 in February - more than doubling. Government: 11 incidents in January. Manufacturing led in February. Professional services (law firms, accountants) saw a tactical shift by Qilin and Akira targeting client data for extortion. Healthcare breach costs average $7.42 million per incident - the highest of any sector, according to IBM's 2025 Cost of a Data Breach Report.
Cartel Formation
DragonForce proposed a coalition with LockBit and Qilin - standardized affiliate terms, profit-sharing, and unified operations. If formalized, this represents the first coordinated ransomware cartel with industrial-scale targeting capability across multiple sectors simultaneously. Cyber insurance underwriters are tracking cartel formation as a systemic risk factor for correlated claims across sectors.
Critical Infrastructure Threats
Critical infrastructure faces accelerating cyber threats globally. The Check Point 2026 Cyber Security Report recorded 1,968 cyberattacks per week worldwide in 2025, a 70% increase since 2023, with AI-driven techniques now embedded across the attack lifecycle. On April 8, 2026, CISA and the FBI issued a joint advisory on active state-sponsored targeting of industrial control systems and PLCs at water, wastewater, and energy facilities. A coordinated cyberattack on Polish energy grid edge devices in April 2026 caused regional distribution disruption, the first confirmed operational technology-layer grid attack in a NATO member nation in 2026, which CISA now uses in active threat briefings. In the United States, the EPA found nearly 70% of water utilities inspected were in violation of basic cybersecurity standards.
Water Systems
Nearly 70% of water utilities inspected by the EPA were in violation of basic cybersecurity standards - default passwords, improper employee offboarding, and unpatched systems. On April 8, 2026, CISA and the FBI specifically warned water and wastewater operators of active PLC targeting by Iranian-affiliated actors. IRGC-affiliated groups have previously exploited PLCs in U.S. systems, documented in CISA Advisory AA23-335A. The American Water Works Association estimates U.S. drinking water infrastructure will require $2.1 to $2.4 trillion in investment over the next 25 years.
Energy & Power Grids
Volt Typhoon specifically pre-positions in IT networks to laterally move to operational technology (OT) assets for disrupting power grids and energy infrastructure at a chosen time. NERC's E-ISAC activated coordinated grid monitoring protocols in April 2026 following the FBI-CISA joint advisory on ICS targeting. A cyberattack on Polish grid edge devices in April 2026 caused regional distribution disruption - the first confirmed OT-layer grid attack in a NATO member nation in 2026, now used by CISA in active threat briefings.
Data Breaches
The Verizon 2025 DBIR confirmed 12,195 data breaches globally. Separately, the Identity Theft Resource Center reported 1.35 billion U.S. data breach notification letters sent in 2024, a 211% jump over the prior year. IDMerit exposed approximately one billion sensitive records across 26 countries in February 2026, one of the largest KYC data leaks in history. Infutor exposed 677 million records including Social Security numbers. These breaches represent billions in potential remediation, credit monitoring, and identity theft protection expenses for affected organizations.

Cyber Defense Posture
Global cybersecurity spending is projected to reach $244 billion in 2026, up 13.3% from $213 billion in 2025, according to Gartner. The EU's NIS2 directive, which took effect in October 2024, mandates cybersecurity standards across 18 critical sectors for all member states. In the United States, CISA's Shields Up advisory remains active. The FY2027 budget proposal would set CISA funding at $2.49 billion, reflecting $707 million in gross program cuts (a net reduction of about $386 million), eliminating election security programs and reducing the cybersecurity workforce by 867 positions.

CISA Status
CISA maintains an elevated advisory posture for energy, financial, and defense networks. The agency extended its Iran cyber alert warning of critical national infrastructure threats. CISA is targeting 2026 to finalize the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) rule, which will require covered entities to report significant incidents within 72 hours and ransomware payments within 24 hours.
Spending & Budget
Gartner projects $244 billion in global cybersecurity spending for 2026, up 13.3% from 2025. The FY2027 budget proposal sets CISA funding at $2.49 billion, a net reduction of about $386 million (from $707 million in gross program cuts) that would eliminate election security programs and reduce the cybersecurity workforce by 867 positions.
Recommendations
CISA recommends all organizations maintain Shields Up posture: patch known exploited vulnerabilities, enable MFA on all accounts, monitor for anomalous network traffic, and maintain offline backups. Organizations in the energy, water, financial, and healthcare sectors should review CISA's Iran-specific advisories. For households, basic cybersecurity measures - password managers ($3 to $5/month), credit monitoring services, and identity theft insurance - cost far less than the time and out-of-pocket expense of recovering from a data breach or identity theft incident.