Executive Summary
The People's Republic of China (PRC) represents the most significant long-term cyber threat to defense-aligned and enterprise organizations. PRC-linked threat groups are pre-positioned inside critical networks at scale. This access appears intended for possible activation during a future geopolitical crisis, likely a Taiwan contingency.
Russia presents the most imminent operational risk to European critical infrastructure, with confirmed OT-capable cyberattacks against energy and water systems across European Union (EU) member states. State-sponsored units and state-aligned hacktivist groups have demonstrated the ability to cause physical consequence through cyber operations targeting industrial control systems across NATO member or allied countries.

Figure 1 – Summary of cyber activities observed by EclecticIQ threat intelligence team.
The conflict in Iran is likely to break the pattern observed in previous regional crises, where cyberattack volumes spiked briefly before returning to baseline. Iran's technically skilled cyber workforce, shaped by years of state investment, does not disappear when central coordination is disrupted - instead it disperses. If a power vacuum emerges, these actors could fuel decentralized and ideologically driven cyberattacks against US and Israeli infrastructure, operating outside the geographic limits of conventional warfare. If European nations align with the US-Israeli position, this targeting is likely to expand to European entities including but not limited to finance, energy, and manufacturing.
Almost every major regional conflict active between 2025 and early 2026 produced a parallel cyber front. Kinetic and cyber operations now execute simultaneously, and the attack surface has expanded beyond the enterprise perimeter into cloud infrastructure, OT systems, telecommunications networks, and third-party supply chains. eCrime actors are exploiting these conditions opportunistically by weaponizing conflict narratives through targeted phishing and fake humanitarian content to deliver infostealers and backdoors.
Over the next 60 to 90 days, the most probable risks for defense-adjacent and enterprise targets include:
- Pro-Iranian hacktivist groups will highly likely continue targeting organisations in the US and Israel. If European nations align with the US-Israel position against Iran, targeting is likely to expand to EU entities across finance, energy, and manufacturing.
- Following Operation Epic Fury (28 Feb 2026), internet connectivity inside Iran collapsed to 1–4%, degrading centralised C2. Nation-state and hacktivist units operating outside Iran via Starlink and diaspora infrastructure remain active, with elevated risk of wiper deployment.
- Russian state actors and state-aligned hacktivists will likely continue targeting OT networks across NATO-allied countries, with water, energy, and industrial systems carrying the highest exposure.
- Credential-based intrusions are evolving into identity-based attacks against ICS/OT sectors. Physical sabotage operations have increased fourfold since 2024, with 150+ hybrid warfare incidents recorded across EU/NATO.
- PRC-linked nation-state threat actors will very likely continue prioritising edge device exploitation as their primary initial access method, targeting network appliances and VPN infrastructure lacking EDR across telecommunications, energy, finance, and defence.
- Living-off-the-land techniques and zero-day exploitation minimise detection. Pre-positioning is persistent; disruption is likely reserved for direct conflict scenarios (e.g., Taiwan contingency).
- eCrime actors will likely weaponize conflict narratives through targeted phishing and third-party access, using Middle East-themed lures and fake humanitarian content to deliver infostealers and backdoors.
- The eCrime ecosystem has fragmented following law enforcement action into 85+ active groups that are now smaller, faster, and harder to attribute. AI-enabled vishing is bypassing MFA, breakout times are sub-one-hour, and strategic pivots toward hypervisor-layer attacks and ICS/OT disruption via ERP targeting are increasing enterprise-wide encryption risk.
People’s Republic of China (PRC): Pre-Positioning Inside Critical Networks
Strategic Assessment
PRC-linked cyber operations are widely regarded as a significant long-term threat to enterprise and government networks, particularly due to their ability to remain undetected for extended periods, with dwell times often measured in months or years. Building latent disruptive capability across government entities, telecommunications, financial services, energy, transportation, and defense sectors suggests a focus on long-term strategic access.
The PRC’s cyber strategy has evolved through several distinct phases, beginning with opportunistic economic espionage and progressing toward more centralized intelligence collection. Current activity appears increasingly politically and militarily driven, with a growing emphasis on pre-positioning access designed to provide strategic leverage in future conflicts, including a potential Taiwan contingency. Initial access is now treated as a long-term asset, built quietly, held patiently, and activated when geopolitical conditions demand it.
This shift is compounded by a widening surface of exposure as Chinese-manufactured IoT components become embedded across logistics, telecommunications, and energy systems, blurring the traditional distinction between core and peripheral networks.
Strategic Pre-Positioning Across US and Allied Critical Networks
Enterprise edge network devices such as routers, firewalls, and VPN appliances have become the primary exploitation surface for PRC-linked threat actors [1]. These perimeter systems are poorly monitored and slow to patch, providing reliable entry points into infrastructure that falls outside the coverage of conventional endpoint detection and response solutions. This visibility gap offers a persistent foothold from which to collect intelligence while remaining largely undetected.
Activity attributed to Salt Typhoon has primarily focused on telecommunications infrastructure, including major service providers and associated network environments. Public reporting indicates compromise of telecommunications providers across multiple countries, including major US carriers such as AT&T, Verizon, and T-Mobile [2]. The group is reported to have accessed communications involving senior U.S. government officials. Activity observed since at least 2021, including the targeting of over 1,000 vulnerable Cisco network devices across more than 100 countries in early 2025, indicates a level of coordination that may reflect more deliberate targeting rather than opportunistic scanning [3].
Volt Typhoon's known campaigns also focus strategically on key US infrastructure, including electric utilities, telecommunication networks, water systems and transportation hubs [4]. The group relies on living-off-the-land techniques, exploiting built-in system tools to blend into normal operations and evade detection for extended periods. CISA, NSA, and the FBI jointly assess that Chinese actors have shifted from espionage to pre-positioning within operational technology systems, enabling disruption of critical functions at a time of their choosing [5].
Guam, a strategically vital US military hub in the Pacific, has been a specific focus of Volt Typhoon intrusions targeting power, telecommunications, and defense systems. Disrupting this infrastructure during a Taiwan contingency would degrade the US military’s ability to project force in the region. Voltzite, tracked by Dragos, has embedded malware inside US energy utilities with the objective of accessing OT devices that manage industrial processes [6].
Flax Typhoon has been reported to target Taiwan and U.S. critical infrastructure, using compromised IoT devices to build botnets that may support a range of offensive operations [7]. Silk Typhoon has been linked to the compromise of U.S. Treasury systems in late 2024, an incident that may indicate interest in regulatory and policy-related information [8].
Silver Dragon, a China-nexus group linked to the APT41 ecosystem, has conducted sustained intrusion campaigns against government ministries across Southeast Asia and Europe since at least mid-2024 [9]. The group exploits internet-facing servers and uses phishing for initial access, then hijacks legitimate Windows services to blend malware into normal system activity. Its custom backdoor, GearDoor, routes command-and-control traffic through Google Drive, disguising malicious communication as routine cloud usage.
Another high-profile campaign involves the BRICKSTORM backdoor, linked to China-nexus actor UNC5221 and observed by Google/Mandiant, which targets VMware hypervisor and Windows environments across government and IT sector organizations [10]. It enables lateral movement, network tunnelling, and automatic reinstallation if disrupted, a toolset designed for long-term presence in highly protected networks.
Convergence of Cyber Operations, Economic Coercion, and Gray-Zone Pressure in PRC Strategic Planning
Targeting patterns in 2025 and early 2026 mirrored Beijing's 15th Five-Year Plan priorities. Manufacturing and semiconductor companies were targeted at higher rates than in previous years, directly aligned with China's drive for technological self-sufficiency and its stated objective of reducing dependence on Western imports across strategic industries [11].
Government agencies linked to economic development and foreign policy were consistently targeted alongside think tanks, law firms, and financial institutions, reflecting sustained interest in regulatory, legal, and policy intelligence that could strengthen Beijing's hand in international negotiations and trade disputes.
This economic dimension is closely linked to China’s cyber posture. China's use of rare earth export controls, alongside its construction of CIPS as an alternative to the SWIFT financial messaging system, and calibrated responses in the semiconductor trade space, suggest a broader strategy in which cyber access, economic leverage, and supply chain dominance reinforce one another.
The targeting of AI research institutions and technology companies has intensified in parallel. Beijing faces a severe constraint in advanced compute capacity, exacerbated by US export controls on AI chips. Stolen algorithmic efficiencies and model weights serve as force multipliers that partially offset this disadvantage. According to a new National Foundation for American Policy (NFAP) analysis, 77 percent of top US-based AI researchers were born abroad, and 65 percent of leading US AI companies have at least one immigrant co-founder, making the talent pipeline itself a high-value intelligence target [12].
Intrusion capabilities developed for telecommunications and infrastructure penetration are increasingly being redirected toward exfiltrating the intellectual property that underpins American technological leadership. The same access vectors that enable surveillance of government communications can be used to extract AI model weights, training methodologies, and algorithmic innovations from research institutions and technology companies.
The PRC employs private companies as a structural layer of deniability. US intelligence agencies have named three Chinese technology companies as directly enabling Salt Typhoon operations [13]. This appears to reflect elements of Beijing’s military-civil fusion framework, in which commercial and state capabilities are closely integrated. In exchange for policy support, market access, and security assistance, these firms provide capabilities that the state can deploy while maintaining plausible deniability. The arrangement blurs the boundary between commercial activity and state-directed operations in ways that complicate Western legal and diplomatic responses.
PRC-linked threat actors gain administrative access to supervisory control systems, establish mechanisms for long-term persistence and then remain dormant, preserving the ability to activate on command. Telecommunications networks carry both civilian communications and military command traffic. Energy grids sustain hospital operations, ammunition production, and infrastructure. Sustained access within these systems could provide the capability to impose civilian and operational disruption, while also affecting broader military effectiveness under certain scenarios. Chinese military theorists describe this approach as "active defense," in which the capacity to credibly threaten disruption of an adversary's domestic infrastructure serves as strategic deterrence, raising the political price of overseas intervention without requiring overt aggression.
China’s stated reunification objective, often discussed in the context of a 2027 timeline linked to PLA modernization goals, is widely viewed as a potential driver of observed pre-positioning activity. However, available reporting suggests that Beijing’s decision-making is more likely to be conditions-based rather than tied to a fixed deadline. Current activity is therefore better understood as preparation for a range of contingencies rather than an indication of an imminent military scenario.
Taken together, these patterns point to a broader approach that may involve applying layered pressure on Taiwan and its allies. This includes cyber activity targeting critical infrastructure, disruption of undersea communications links, economic coercion, and disinformation, all of which can be used to shape the strategic environment alongside, or in some cases in place of, conventional military action.
Taiwan’s structural vulnerabilities further increase its exposure to this type of sustained pressure. The island imports over 97 percent of its energy, and its natural gas reserves would last less than two weeks under blockade conditions. Its power grid has experienced multiple large-scale blackouts in recent years, affecting millions of residents, while internet connectivity relies on a limited number of undersea fibre-optic cables, some of which were impacted by reported incidents involving Chinese-linked vessels in 2025 [14].
Organizational Risk Implications
Organizations operating in telecommunications, energy, financial services, transportation, defense, AI research, and semiconductor supply chains should treat PRC intrusion activity as an existing condition within their networks, not a future possibility.
PRC-linked threat actors have maintained footholds within victim environments for up to five years and have consistently demonstrated the ability to regain access after eviction. Organizations in targeted sectors should assume compromise is already underway. The August 2025 joint advisory issued by CISA and 12 partner nations identifies the patching of all internet-facing devices as the most critical defensive action, with confirmed exploitation of vulnerabilities in Ivanti Connect Secure, Palo Alto Networks PAN-OS, multiple Cisco IOS XE products, Fortinet, Juniper, SonicWall, Nokia, and Sierra Wireless devices [15].
Beyond patching, priority actions include hardening and inventorying all network edge devices, enforcing strict segmentation between IT and OT environments, implementing continuous configuration monitoring for unauthorised firmware and routing changes, and establishing centralized logging with sufficient retention to support threat hunting.
Detection strategies should prioritize behavioural analytics over signature-based approaches, as these actors routinely abuse legitimate administrative tools. Organizations involved in AI model development should treat model weights and training data as strategic assets requiring access controls and insider threat monitoring. CISA's Cybersecurity Performance Goals 2.0, released in December 2025, provides the recommended baseline for critical infrastructure operators, and gaps against these goals should be treated as immediate priorities [16].
Escalating Russian Hybrid Attacks Across Europe
Strategic Assessment
Russia’s hybrid warfare campaign against Europe appears to prioritize long-term destabilization rather than immediate military outcomes. Current activity suggests an intent to undermine public trust, deepen political divisions, weaken support for Ukraine, and probe Western red lines, while remaining below the threshold likely to trigger a collective defense response.
European governments and the private sector face sustained cyberattacks often originating from groups with documented ties to Russian state intelligence services. These cyber operations have been accompanied by disinformation campaigns and reporting of attempted attacks targeting individuals associated with the European defense industry [17].
European security officials attribute this escalation to Russia's conviction that it is locked in an existential conflict with the West [18]. Germany, one of the primary targets for Russia, has traditionally been reluctant to conduct offensive cyber operations. However, the intensity of Russian activity has forced a strategic recalibration for German policy makers. Berlin is now preparing retaliatory cyber capabilities and establishing a dedicated defense center against hybrid threats [19].
The deeper vulnerability lies in Europe's broader defense posture, which Russia continues to test as the Pentagon pivots toward a more limited support model for allied nations, a strategic recalibration that leaves European NATO members increasingly responsible for their own deterrence and defense [20].
The threat extends beyond Europe's borders. Since 2024, the Kremlin has actively promoted its leading cybersecurity firms to governments across Africa, the Middle East, and Central Asia [21]. Several of these firms have documented links to Russian military and intelligence services. These commercial partnerships grant Russian companies deep access to foreign digital infrastructures, raising concerns among Western intelligence agencies that such arrangements could provide Moscow with new vectors for intelligence collection while simultaneously reducing Western cyber influence in the developing world.
Public reporting from Dutch intelligence agencies confirms these hybrid warfare trends, with AIVD and MIVD assessing that Russia is intensifying hybrid operations across Europe through a combination of cyberattacks, sabotage, disinformation, covert influence, and espionage [22]. While a direct military confrontation between Russia and NATO remains unlikely, Dutch intelligence services warn that it is no longer unthinkable. Russian armed forces are actively preparing for a potential conflict with NATO and testing Western willingness to escalate.
Confirmed Cyber Operations Against European Government and Enterprise Targets
According to Microsoft analysis published in October 2025, Russian government-backed or aligned cyberattacks against NATO countries surged 25% in a single year [23]. The UK, Germany, Belgium, Italy, Estonia, France, the Netherlands, and Poland all ranked among the top targets. These operations are conducted by some of the most capable offensive cyber units ever documented.
Sandworm (APT44), operated by Russia’s GRU, caused the first malware-induced power blackout when it struck Ukraine’s grid in December 2015, leaving 230,000 people without electricity [24]. A decade later, the same group demonstrated that this capability now extends to NATO territory, deploying DynoWiper malware against Poland’s energy infrastructure in December 2025 [25]. Groups like Sandworm and its associated access clusters KAMACITE and ELECTRUM have the proven ability to target operational technology environments, industrial control systems that run power grids, water treatment facilities, and critical manufacturing across Europe and allied nations [26].
Russian nation-state APT groups are also active in cyber espionage against European nations. Laundry Bear, a Russian hacking group, was attributed to an opportunistic cyberattack against the Dutch National Police in September 2024 [27]. The breach resulted in the theft of police officers’ work-related contact data.
Such information could support multiple intelligence objectives, including the development of target profiles for future influence operations, as well as potential coercion, tracking, or recruitment of individuals with access to sensitive national security information.
In April 2025, pro-Russian actors gained remote access to a Norwegian dam and manipulated its water-flow valves for several hours before engineers restored control. Norwegian authorities later confirmed the attribution [28]. Throughout 2025, pro-Russian actors continued to show interest in water-sector environments across several European countries, including Spain, Italy, Poland, and France. In September, TwoNet was reported to have accessed a simulated water treatment environment and attempted to disrupt operations [29]. This activity may indicate efforts to test access methods and disruption techniques in preparation for potential future operations against live operational targets.
Disruptive Cyber Attack Capability Against European OT and IoT Networks
Since 2022, pro-Russian hacktivist groups have undergone a significant operational evolution. Groups including Cyber Army of Russia Reborn, Z-Alliance, TwoNet, and the Infrastructure Destruction Squad have moved beyond low-impact DDoS campaigns into operations involving OT/IoT reconnaissance and claimed disruptive attacks against industrial targets. This operational evolution is reinforced by the broader relationship between Russia’s state apparatus and cybercriminal networks, characterised by a framework of controlled impunity where criminal actors are tolerated or directed in exchange for alignment with state objectives [30].
In 2025, SECT0R16, Z-Pentest, and the Infrastructure Destruction Squad claimed access to industrial networks in Germany, Italy, and Poland, concentrating on defense suppliers, heavy industry, and food processing facilities [31]. Several groups shared screenshots appearing to show manipulation of SCADA systems. Not all claims have been independently verified, and some may reflect access to test or simulated environments rather than production networks. However, the subset of confirmed incidents provides sufficient basis for assessing the trajectory of this ecosystem.
Recent activity suggests that Russian-aligned hacktivist groups may now be capable of conducting cyberattacks against water and energy infrastructure in ways that could result in direct physical damage. This view is based on reported incidents including the Norwegian dam compromise, Dutch OT network access, and the DynoWiper deployment against Polish energy infrastructure, rather than unverified claims alone. Although the scale of claimed OT access across Europe may be inflated, the confirmed cases indicate that the risk is no longer limited to disruption and may extend to potential physical consequences.
These groups actively exploit internet-facing VNC connections and HMI devices with default or weak credentials to gain direct access to OT control systems in the water, energy, and food and agriculture sectors. The observed targeting of water and energy systems is consistent with activity directed at infrastructure that could enable wider disruption. This may have the effect of increasing public uncertainty and placing pressure on governments, while highlighting the potential domestic consequences of continued support for Ukraine.
Organizational Risk Implications
European organizations in energy, water, transportation, and manufacturing should treat internet-exposed OT devices as an immediate priority. Pro-Russian hacktivist groups actively exploit internet-facing VNC connections on default port 5900 to access HMI and SCADA systems, using factory default credentials, weak passwords, and brute-force tools to gain direct control of operational interfaces.
Once inside, these actors manipulate setpoints, disable alarms, and modify device configurations, actions that can cause physical consequence without requiring deep engineering expertise. State-sponsored actors such as Sandworm and its associated clusters operate at a higher level of sophistication, with the proven ability to move from IT environments into OT systems and deploy destructive malware against energy infrastructure.
Organizations that have not removed OT control interfaces from the public internet, enforced multifactor authentication on all remote OT access, replaced default credentials across HMI and PLC environments, and audited the segmentation boundary between IT and OT networks should treat each of these as an immediate gap.
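The exposure and credential-guessing pattern described in this section, expressed as detection logic a defender could run over perimeter connection logs. This is an added example, not code from the report or from EclecticIQ; the key=value log format, the field names and every log line are constructed for the example, and the thresholds are assumptions to tune per environment.

```python
"""Detect the exposed-HMI access pattern described above: VNC (TCP 5900) reached
from outside RFC 1918 address space, and a run of failed logins followed by a
success from the same source. The log format and every line in it are constructed
for this example; they are not real telemetry from any vendor."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

VNC_PORT = 5900
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical key=value connection log line, as a perimeter firewall might emit.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) result=(?P<result>\w+)$"
)


def stamp(dt):
    return dt.strftime(TS_FMT)


def build_sample_log():
    """Constructed log: 12 failed VNC logins then a success from an external
    address, one legitimate session from the OT VLAN, one lone external probe."""
    base = datetime(2026, 3, 10, 1, 0, tzinfo=timezone.utc)
    lines = [
        f"{stamp(base + timedelta(seconds=6 * i))} src=203.0.113.7 dst=10.20.5.14 "
        f"dport=5900 result=auth_failed"
        for i in range(12)
    ]
    lines.append(f"{stamp(base + timedelta(seconds=90))} src=203.0.113.7 dst=10.20.5.14 dport=5900 result=auth_ok")
    lines.append(f"{stamp(base + timedelta(hours=5))} src=10.20.9.3 dst=10.20.5.14 dport=5900 result=auth_ok")
    lines.append(f"{stamp(base + timedelta(hours=8))} src=198.51.100.22 dst=10.20.5.15 dport=5900 result=auth_failed")
    return "\n".join(lines)


def parse_log(text):
    """Parse matching lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], TS_FMT).replace(tzinfo=timezone.utc)
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def is_internal(ip):
    # Explicit RFC 1918 check: ipaddress.is_private also covers documentation ranges.
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def external_vnc_exposure(events):
    """Map each VNC-listening host to the external sources that reached it.
    Any entry here is an OT interface that should not be reachable from the internet."""
    exposure = defaultdict(set)
    for ev in events:
        if ev["dport"] == VNC_PORT and not is_internal(ev["src"]):
            exposure[ev["dst"]].add(ev["src"])
    return dict(exposure)


def bruteforce_then_access(events, min_failures=10, window=timedelta(minutes=5)):
    """Per (src, dst) pair: a success preceded by >= min_failures failures inside
    `window` is the credential-guessing signature to alert on."""
    per_pair = defaultdict(list)
    for ev in events:
        if ev["dport"] == VNC_PORT:
            per_pair[(ev["src"], ev["dst"])].append(ev)
    findings = []
    for (src, dst), evs in per_pair.items():
        evs.sort(key=lambda e: e["ts"])
        failures = []
        for ev in evs:
            if ev["result"] == "auth_failed":
                failures.append(ev["ts"])
            elif ev["result"] == "auth_ok":
                recent = [t for t in failures if ev["ts"] - t <= window]
                if len(recent) >= min_failures:
                    findings.append({"src": src, "dst": dst, "failures": len(recent),
                                     "success_ts": stamp(ev["ts"])})
                failures = []  # a success ends the current run
    return findings


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("exposed VNC interfaces:", external_vnc_exposure(evs))
    print("brute force followed by access:", bruteforce_then_access(evs))
```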
Iran’s Cyber Posture Following Operation Epic Fury
Strategic Assessment
Iran’s cyber response to Operation Epic Fury is expected to remain centred on hacktivist-aligned activity and disruptive operations, including the use of wiper malware. Reporting and recent incidents suggest that these efforts are likely to target a broad range of industries across the United States, Israel, and Gulf states.
As of late March 2026, security researchers have tracked nearly 5,800 cyberattacks mounted by approximately 50 Iran-linked groups, though industry sources caution that many more attacks are going unreported, meaning the true operational tempo is likely higher than publicly visible figures suggest [32]. Most of these cyber operations have been high in volume but low in impact, designed to intimidate, boost morale among supporters and force defenders to expend resources patching vulnerabilities rather than to inflict lasting strategic damage.
The Israeli military strike on the IRGC cyber and electronic warfare headquarters likely degrades Iran's ability to coordinate centralized cyber operations in the near term [33]. However, ideologically aligned threat actor groups retain the capacity to act independently.
Even if conventional military operations subside, the cyber dimension of the conflict may continue in parallel, particularly without a formal agreement. Reporting indicates that wiper attacks against government and corporate targets, including in the energy sector, could remain a persistent risk. This may be reinforced by the role of decentralized or loosely aligned actors, whose activity is not always directly coordinated or controlled by the state.
Although US intelligence has historically assessed Iran's cyber capabilities as less sophisticated than those of Russia and China, Iranian cyber units have demonstrated consistent offensive capacity, from the Shamoon virus that crippled Saudi Aramco in 2012 to sustained campaigns against US financial institutions and the penetration of US Navy networks.
Tehran has not yet undertaken broad cyberattacks or mounted large-scale terrorism against US or European interests outside the Middle East. Iran's strategy is likely to impose periodic but sufficient costs on the United States and Gulf states to force a ceasefire on favorable terms. Iran's response is also extending into the physical domain across Europe. In March 2026, a newly emerged group calling itself Ashab al-Yamin claimed responsibility for improvised explosive device attacks targeting American financial institutions and Jewish community sites in the Netherlands, Belgium, and France [34].
Ashab al-Yamin is understood to have links to Iranian-backed Shia Islamist factions in Iraq, and its propaganda has circulated widely through IRGC and Hezbollah-affiliated Telegram channels. This campaign signals a willingness to pressure European governments through low-cost, high-visibility operations that impose security costs without triggering a conventional military response.
If European nations align more closely with the U.S.-Israel position, Iranian state-aligned threat actors may expand their targeting to EU entities in critical sectors, with finance, energy, and transportation among the most likely to face increased attention.
Cyber Intrusion Activity Following Kinetic Military Escalation in Iran
Operation Epic Fury was a coordinated US-Israeli military campaign that conducted precision strikes against Iran's nuclear facilities, missile infrastructure, and senior leadership on 28 February 2026 [35]. During the kinetic operation, Israeli intelligence may have accessed Tehran’s traffic camera network over an extended period, using it to build pattern-of-life maps, while US Cyber Command and Space Command are reported to have disrupted Iranian communications networks and sensor arrays before kinetic strikes commenced [36].
In parallel, attacks on energy infrastructure and disruption to key Gulf transit routes have contributed to volatility in global energy markets, with oil and gas prices rising amid supply concerns and knock-on effects extending to Europe and Asia [37]. A strategically significant escalation was Iran's direct targeting of commercial cloud infrastructure, potentially one of the first reported instances of kinetic activity affecting commercial cloud infrastructure [38]. Amazon Web Services data centers in the UAE and Bahrain suffered structural damage from Iranian kamikaze drone strikes. This highlights a potential gap in current risk assumptions: significant global investment in data center infrastructure has not typically accounted for exposure to low-cost kinetic threats.
Handala Hack, identified by Palo Alto Networks Unit 42 as a state-directed front for Iran's Ministry of Intelligence and Security (MOIS), conducted a destructive operation against US medical technology company Stryker [39]. According to public reporting, the group may have leveraged a compromised Stryker administrator account within Microsoft Entra ID, created a new Global Administrator account, and used Microsoft Intune to remotely wipe nearly 80,000 devices in a three-hour window on 11 March [40]. The destructive commands originated from a trusted management platform under a trusted administrator identity, bypassing traditional perimeter defenses entirely. No malicious code was delivered to endpoints, rendering conventional endpoint detection and response tools ineffective.
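The two-step sequence described above (a new account elevated to a privileged role, then a burst of device wipes from that account through the management platform) is something identity and audit telemetry can surface even when no malware reaches the endpoint. The correlation below is an added example, not code from the report, from EclecticIQ or from Microsoft; the event records, field names and thresholds are constructed for the example and only loosely imitate the shape of Entra ID audit and Intune events.

```python
"""Correlate a rapid privilege grant with a subsequent mass-wipe burst.
The event records are constructed for this example; the activity strings and
field names are hypothetical and do not match any vendor's schema exactly."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
ROLE_WATCHLIST = {"Global Administrator", "Intune Administrator", "Privileged Role Administrator"}
WIPE_ACTIVITIES = {"Wipe device", "Retire device"}


def parse_ts(value):
    return datetime.strptime(value, TS_FMT).replace(tzinfo=timezone.utc)


def stamp(dt):
    return dt.strftime(TS_FMT)


def build_sample_events():
    """Constructed: one new account elevated within minutes of creation that then
    wipes 40 devices in under five minutes, plus three routine helpdesk wipes."""
    base = datetime(2026, 3, 11, 2, 0, tzinfo=timezone.utc)
    events = [
        {"ts": stamp(base + timedelta(minutes=10)), "activity": "Add user",
         "actor": "it-admin@corp.example", "target": "svc-mgmt@corp.example"},
        {"ts": stamp(base + timedelta(minutes=12)), "activity": "Add member to role",
         "actor": "it-admin@corp.example", "target": "svc-mgmt@corp.example",
         "role": "Global Administrator"},
    ]
    for i in range(40):
        events.append({"ts": stamp(base + timedelta(minutes=20, seconds=7 * i)),
                       "activity": "Wipe device", "actor": "svc-mgmt@corp.example",
                       "target": f"LAPTOP-{i:04d}"})
    for i in range(3):
        events.append({"ts": stamp(base + timedelta(hours=3 + 2 * i)),
                       "activity": "Wipe device", "actor": "helpdesk@corp.example",
                       "target": f"PHONE-{i:04d}"})
    return events


def rapid_privilege_grants(events, max_age=timedelta(hours=24)):
    """Accounts given a watch-listed role within max_age of being created.
    Returns {account: grant_time}."""
    created, grants = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as strings
        ts = parse_ts(ev["ts"])
        if ev["activity"] == "Add user":
            created[ev["target"]] = ts
        elif ev["activity"] == "Add member to role" and ev.get("role") in ROLE_WATCHLIST:
            born = created.get(ev["target"])
            if born is not None and ts - born <= max_age:
                grants[ev["target"]] = ts
    return grants


def wipe_bursts(events, threshold=20, window=timedelta(minutes=10)):
    """Actors that issued >= threshold wipes inside any sliding window.
    Returns {actor: (count, window_start)}."""
    per_actor = defaultdict(list)
    for ev in events:
        if ev["activity"] in WIPE_ACTIVITIES:
            per_actor[ev["actor"]].append(parse_ts(ev["ts"]))
    bursts = {}
    for actor, times in per_actor.items():
        times.sort()
        start, best = 0, (0, None)
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, times[start])
        if best[0] >= threshold:
            bursts[actor] = best
    return bursts


def assess(events):
    """Rank findings: a wipe burst from a just-elevated account is the critical case;
    a burst from an established admin, or a rapid elevation alone, still warrants review."""
    grants, bursts = rapid_privilege_grants(events), wipe_bursts(events)
    findings = []
    for actor, (count, start) in bursts.items():
        findings.append({"actor": actor, "wipes": count, "window_start": stamp(start),
                         "severity": "critical" if actor in grants else "high"})
    for account in grants:
        if account not in bursts:
            findings.append({"actor": account, "wipes": 0, "window_start": None,
                             "severity": "medium"})
    return findings


if __name__ == "__main__":
    for finding in assess(build_sample_events()):
        print(finding)
```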
Check Point researchers identified Handala exploiting vulnerabilities in civilian internet-connected security cameras across the Middle East [41]. The timing and geographic footprint of these attempts, observed following the U.S. and Israeli air strikes, span Bahrain, the United Arab Emirates, Israel, and Cyprus. The compromised cameras may have been used to support real-time surveillance during military operations, and potentially to aid in the coordination or targeting of missile and drone strikes.
On 28 March 2026, Handala published a claim on its dedicated leak site alleging a breach of North Country Business Products, a US-based provider of point-of-sale systems serving major retail chains nationwide [42]. The group alleges it disrupted approximately 2,680 POS terminals across the United States. These claims remain unverified. The group has also launched a new website and dedicated Telegram channel following the FBI's takedown of its previous infrastructure, indicating operational resilience to reconstitute its public presence.
On 6 March 2026, Israel's National Cyber Directorate issued a public warning confirming a wave of Iranian cyberattacks targeting Israeli organizations with wiper malware [43]. According to the directorate's chief, Yossi Karadi, Iran-linked hackers have wiped the data of over 50 small Israeli companies since the war began, predominantly exploiting organizations with pre-existing cybersecurity weaknesses. Companies with stronger protections were not affected, reinforcing that Iran's current wiper campaigns are opportunistic rather than surgically targeted.
Erosion of Boundaries Between Nation State and Hacktivist Threat Actors
The boundary between state-sponsored and financially motivated cyber activity is blurring. Hacktivist groups and eCrime actors are increasingly operating in ways that align with Iranian state interests. Handala’s trajectory, from a nominally hacktivist group to an operator that multiple threat intelligence firms link to Iran’s MOIS and associate with both destructive attacks and intelligence collection, illustrates this convergence.
As a result, attribution models that treat hacktivism, espionage, and destructive operations as clearly separate categories may no longer fully reflect how Iran’s cyber ecosystem is organized and employed. The label “hacktivist” no longer signals DDoS-only attack patterns. State-directed groups operating under hacktivist branding now deploy wipers through enterprise management platforms, conduct reconnaissance for military operations, and pivot between missions at the direction of intelligence services.
Pro-Iranian hacktivist groups have declared Gulf states as primary targets for permitting US military access to their airspace. While this declared intent establishes targeting priority, the operational capacity of these groups to execute disruptive attacks at scale without centralized IRGC coordination remains an open question, particularly following the IDF strike on IRGC cyber headquarters.
The conflict has also affected Iran’s cybercriminal ecosystem directly. Mohammad Mehdi Farhadi Ramin, an Iranian cybercriminal on the FBI’s most wanted list who allegedly stole American identities and accessed national security data on behalf of the Iranian government, was reportedly killed in the US-Israeli strikes [44]. His death removes an established operator but does not eliminate the broader cybercrime ecosystem.
eCrime actors with no state affiliation are exploiting the conflict opportunistically through phishing attacks using Middle East-themed lures, fake humanitarian donation portals, and fabricated news content designed to deliver infostealers and backdoors. These campaigns do not require state direction; conflict narratives generate their own gravity for criminal operators seeking high click-through rates.
Organizational Risk Implications
Organizations with vendors, service providers, or software development teams operating in or connected to the Middle East conflict zone should urgently map their third-party dependencies to identify exposure. As the Handala operation against Stryker demonstrated, administrative tools with broad reach into the environment, including remote management platforms, identity providers, and privileged access management systems, present the highest risk of abuse once an identity has been compromised. These systems should be treated as an immediate priority. Organizations relying on a single cloud provider should assess multi-cloud or hybrid architectures to maintain operational continuity against physical disruption of data center infrastructure.
Conclusion
Organizations best positioned for 2026 are those that treat cyber threat intelligence as an operational function. Yet most enterprises still model cyber risk in isolation from the geopolitical conditions that drive it. Closing this gap means embedding actionable intelligence into defensive architecture, supply chain governance, and crisis response planning, giving CISOs the context to act before escalation reaches their network.
PRC pre-positioning inside critical networks is structured for disruptive activation during a specific geopolitical trigger, most probably a Taiwan contingency. Private sector organizations operating in telecommunications, energy, and defense supply chains should assume they are targets of equal priority to government entities.
The evolution of Russia-aligned hacktivist actors into groups capable of targeting OT and IoT environments has changed the threat model for European critical infrastructure. Defensive strategies that still treat hacktivism as a low-impact threat are dangerously outdated.
Iran's technically skilled cyber workforce has dispersed rather than disappeared. Reduced central coordination makes near-term targeting less predictable, not less dangerous. The use of kinetic strikes against commercial cloud infrastructure introduces a category of risk the industry has not yet priced into business continuity planning. Organizations operating in or near conflict zones must stress-test their continuity plans against the physical destruction or short-term disruption of cloud regions.
Organizations with no direct conflict exposure also remain at risk. Spillover through supply chains, shared cloud environments, and contractor networks means geographic distance from a conflict zone no longer functions as a meaningful risk buffer.
Strategic Actions for 2026
The following ten priorities are derived from the intrusion activity, threat actor tradecraft, and operational patterns documented in this report. CISOs and security leaders should evaluate each strategic action against their current security posture and treat gaps as immediate priorities.
These actions are structured across four domains: supply chain and third-party visibility, identity and access control, infrastructure resilience, and threat intelligence and response. They reflect where organizational effort is likely to have the greatest defensive impact in the current threat environment.
Figure 2 – Strategic action suggestions from EclecticIQ threat intelligence team.
Cyber Escalation Risks and Assessment Basis
The assessments above reflect current intelligence analysis as of Q1 2026. They are judgments based on observed threat actor behaviour, confirmed intrusions, stated intentions, and geopolitical trajectory. They are not deterministic predictions.
| Actor | Likelihood | Potential Impact | Characterisation | Timeframe |
|---|---|---|---|---|
| China (PRC) | Very High | Very High | | Latent (>12 months) |
| Russia | High | High | | Ongoing (0–12 months) |
| Iran | High | Moderate | | Immediate (0–6 months) |
| eCrime / Ransomware Actors | Very High | High | | Persistent / Continuous |

Likelihood scale: Very High = near-certain or continuous activity observed; High = highly probable based on confirmed capability, intent, and opportunity.
Impact scale: Very High = systemic, cross-sector disruption potential; High = significant operational/financial disruption; Moderate = localised or sector-specific impact, constrained by capability limitations.
References
[1] “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System | Cyber.gov.au.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/alerts-and-advisories/countering-chinese-state-sponsored-actors-compromise-of-networks-worldwide-to-feed-global-espionage-system
[2] “Salt Typhoon Hacks of Telecommunications Companies and Federal Response Implications.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.congress.gov/crs-product/IF12798
[3] I. Arghire, “Salt Typhoon Targeting Old Cisco Vulnerabilities in Fresh Telecom Hacks,” SecurityWeek. Accessed: Mar. 30, 2026. [Online]. Available: https://www.securityweek.com/salt-typhoon-targeting-old-cisco-vulnerabilities-in-fresh-telecom-hacks/
[4] Microsoft Threat Intelligence, “Volt Typhoon targets US critical infrastructure with living-off-the-land techniques,” Microsoft Security Blog. Accessed: Mar. 30, 2026. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
[5] “CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems | CISA.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.cisa.gov/news-events/alerts/2025/08/27/cisa-and-partners-release-joint-advisory-countering-chinese-state-sponsored-actors-compromise
[6] “Voltzite Threat Group | Dragos.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.dragos.com/threat/voltzite
[7] “Office of Public Affairs | Court-Authorized Operation Disrupts Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers | United States Department of Justice.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.justice.gov/archives/opa/pr/court-authorized-operation-disrupts-worldwide-botnet-used-peoples-republic-china-state
[8] “Treasury Department hacked: Explaining how it happened,” WhatIs. Accessed: Mar. 30, 2026. [Online]. Available: https://www.techtarget.com/whatis/feature/Treasury-Department-hacked-Explaining-how-it-happened
[9] “Silver Dragon: China Nexus Cyber Espionage Group Targeting Governments in Asia and Europe,” Check Point Blog. Accessed: Mar. 30, 2026. [Online]. Available: https://blog.checkpoint.com/research/silver-dragon-china-nexus-cyber-espionage-group-targeting-governments-in-asia-and-europe/
[10] “Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors,” Google Cloud Blog. Accessed: Mar. 30, 2026. [Online]. Available: https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign
[11] “China-linked hackers target Taiwan chip firms in a coordinated espionage campaign,” CSO Online. Accessed: Mar. 30, 2026. [Online]. Available: https://www.csoonline.com/article/4024013/china-linked-hackers-target-taiwan-chip-firms-in-a-coordinated-espionage-campaign.html
[12] “65% Of Top AI Companies Have Immigrant Founders.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.forbes.com/sites/stuartanderson/2023/07/09/65-of-top-ai-companies-have-immigrant-founders/
[13] “China used three private companies to hack global telecoms, U.S. says,” NBC News. Accessed: Mar. 30, 2026. [Online]. Available: https://www.nbcnews.com/tech/security/china-used-three-private-companies-hack-global-telecoms-us-says-rcna227543
[14] “Holding out: Taiwan urgently needs more energy storage and generation | The Strategist.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.aspistrategist.org.au/holding-out-taiwan-urgently-needs-more-energy-storage-and-generation/
[15] “Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System | CISA.” Accessed: Apr. 1, 2026. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a?utm_source=SaltTyphoon&utm_medium=AlertAdvisory
[16] “Cross-Sector Cybersecurity Performance Goals | CISA.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.cisa.gov/cross-sector-cybersecurity-performance-goals
[17] “Murder plot against Rheinmetall CEO was part of sabotage campaign, NATO says,” Reuters, Jan. 28, 2025. Accessed: Mar. 30, 2026. [Online]. Available: https://www.reuters.com/world/europe/threat-plot-murder-rheinmetall-ceo-was-part-sabotage-campaign-nato-says-2025-01-28/
[18] “EU’s Kallas: Russia is posing an existential threat to our security,” Reuters, Jan. 22, 2025. Accessed: Mar. 30, 2026. [Online]. Available: https://www.reuters.com/world/europe/eus-kallas-russia-is-posing-an-existential-threat-our-security-2025-01-22/
[19] “Germany prepares to attack cyber enemies,” POLITICO. Accessed: Mar. 30, 2026. [Online]. Available: https://www.politico.eu/article/germany-prepares-hack-back-cyber-enemies/
[20] “Pentagon to offer ‘more limited’ support to US allies.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.bbc.com/news/articles/cj9r8ezym3ro
[21] A. Soldatov and I. Borogan, “Putin’s New Cyber Empire,” Foreign Affairs, Aug. 25, 2025. Accessed: Mar. 30, 2026. [Online]. Available: https://www.foreignaffairs.com/russia/putins-new-cyber-empire
[22] “Russia stepping up hybrid attacks, preparing for long standoff with West, Dutch intelligence warns.” Accessed: Mar. 30, 2026. [Online]. Available: https://therecord.media/russia-cyberattacks-europe-warfare
[23] “Extortion and ransomware drive over half of cyberattacks.” Accessed: Mar. 31, 2026. [Online]. Available: https://news.microsoft.com/europe/2025/10/16/extortion-and-ransomware-drive-over-half-of-cyberattacks/
[24] A. Greenberg, “Sandworm Hackers Caused Another Blackout in Ukraine—During a Missile Strike,” Wired, Nov. 09, 2023. Accessed: Mar. 30, 2026. [Online]. Available: https://www.wired.com/story/sandworm-ukraine-third-blackout-cyberattack/
[25] “Russian Sandworm group attacks energy company in Poland with DynoWiper, ESET Research discovers,” ESET. Accessed: Mar. 30, 2026. [Online]. Available: https://www.eset.com/us/about/newsroom/research/eset-research-russian-sandwormapt-attacks-energy-company-poland-with-dynowiper/
[26] “KAMACITE.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.dragos.com/threat/kamacite
[27] “Dutch intelligence unmasks previously unknown Russian hacking group ‘Laundry Bear.’” Accessed: Mar. 30, 2026. [Online]. Available: https://therecord.media/laundry-bear-void-blizzard-russia-hackers-netherlands
[28] M. Bryant, “Russian hackers seized control of Norwegian dam, spy chief says,” The Guardian, Aug. 14, 2025. Accessed: Mar. 30, 2026. [Online]. Available: https://www.theguardian.com/world/2025/aug/14/russian-hackers-control-norwegian-dam-norway
[29] Forescout Research - Vedere Labs, “Anatomy of a Hacktivist Attack: Russia-Aligned Group Targets OT/ICS,” Forescout. Accessed: Mar. 30, 2026. [Online]. Available: https://www.forescout.com/blog/anatomy-of-a-hacktivist-attack-russian-aligned-group-targets-otics/
[30] Insikt Group, “Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals,” Recorded Future. Accessed: Mar. 30, 2026. [Online]. Available: https://www.recordedfuture.com/research/dark-covenant-3-controlled-impunity-and-russias-cybercriminals
[31] “Russia’s Hybrid Threats to Europe’s Businesses.” Accessed: Mar. 30, 2026. [Online]. Available: https://northwave-cybersecurity.com/article/russias-hybrid-threats-to-europes-businesses
[32] D. K., “Hacked hospitals, hidden spyware: Iran conflict shows how digital fight is ingrained in warfare,” Yahoo Finance. Accessed: Mar. 30, 2026. [Online]. Available: https://ca.finance.yahoo.com/news/hacked-hospitals-hidden-spyware-iran-040248155.html
[33] “Israel says it knocked out Iran’s cyber warfare headquarters,” POLITICO. Accessed: Mar. 30, 2026. [Online]. Available: https://www.politico.com/news/2026/03/04/israel-iran-cyber-headquarters-00813364?utm_medium=twitter&utm_source=dlvr.it
[34] “Hybrid Threat Signals: Assessing Possible Iranian Involvement in Recent Attacks in Europe,” International Center for Counter-Terrorism - ICCT. Accessed: Mar. 30, 2026. [Online]. Available: https://icct.nl/publication/hybrid-threat-signals-assessing-possible-iranian-involvement-recent-attacks-europe
[35] “U.S. Central Command | Operation Epic Fury.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.centcom.mil/OPERATIONS-AND-EXERCISES/EPIC-FURY/
[36] “How the plot to kill Iran’s Ayatollah Ali Khamenei came together using hacked traffic cameras in Tehran and US intelligence | CNN.” Accessed: Mar. 30, 2026. [Online]. Available: https://edition.cnn.com/2026/03/03/middleeast/us-israel-plot-kill-iran-khamenei-latam-intl
[37] R. Krishna, “Attacks on UAE energy assets increase as war broadens | Latest Market News.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.argusmedia.com/en/news-and-insights/latest-market-news/2802944-attacks-on-uae-energy-assets-increase-as-war-broadens
[38] “Iranian Data Strikes Shake Global Digital Infrastructure.” Accessed: Mar. 30, 2026. [Online]. Available: https://www.rusi.org/explore-our-research/publications/commentary/iranian-data-strikes-shake-global-digital-infrastructure
[39] “Insights: Increased Risk of Wiper Attacks.” Accessed: Mar. 30, 2026. [Online]. Available: https://unit42.paloaltonetworks.com/handala-hack-wiper-attacks/
[40] I. Ilascu, “Stryker attack wiped tens of thousands of devices, no malware needed,” BleepingComputer. Accessed: Mar. 30, 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/stryker-attack-wiped-tens-of-thousands-of-devices-no-malware-needed/
[41] “‘Handala Hack’ - Unveiling Group’s Modus Operandi - Check Point Research.” Accessed: Mar. 30, 2026. [Online]. Available: https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/
[42] Dark Web Intelligence [@DailyDarkWeb], “Handala has launched a new website and Telegram channel. The Handala Hack Team claims to have breached North Country Business Products, alleging disruption of ~2,680 POS terminals across the U.S.,” X (Twitter). Accessed: Mar. 30, 2026. [Online]. Available: https://x.com/DailyDarkWeb/status/2037900471914885338
[43] “Iran-linked hackers are wiping data from Israeli orgs.,” The Jerusalem Post. Accessed: Mar. 30, 2026. [Online]. Available: https://www.jpost.com/business-and-innovation/article-889314
[44] “FBI-wanted Iranian hacker Mohammad Ramin killed in US-Israeli strike,” Fox News. Accessed: Mar. 30, 2026. [Online]. Available: https://www.foxnews.com/world/top-iranian-cybercriminal-fbi-most-wanted-list-reportedly-killed-us-israeli-strike