Friday, March 27, 2026

We Are At War

Rising geopolitical tensions are reflected (or in some cases preceded) by cyber operations, while technology itself has become politicized. Let’s admit it: we are in the middle of it. 

Introduction: One tech power to rule them all is a thing of the past 

The relative safety, peace and prosperity that much of the world has enjoyed since 1945 was not accidental. It emerged from the ashes of two world wars and the deliberate construction of a new global order. The United States of America set the terms of this new world.

The long peace under Pax Americana provided a stable foundation, but that foundation is shifting. Europe’s deep strategic dependence on the U.S.’s technological and cybersecurity capabilities, from intelligence and infrastructure to frameworks and funding, is now being tested. Those tectonic geopolitical changes are undermining trust, threatening the state of safety, and compelling European organizations to rethink digital architectures and approaches at every level.

All technology is now political: it is involved in geopolitical conflict as a weapon, a target, or a lever. As a political entity increases its reliance on technology platforms, it increases its exposure to technical power projection, including cyber and psychological operations and misinformation campaigns.

Welcome to the jungle (again)

The contemporary threat landscape is not a simple product of the whims or choices of criminal hackers and other threat actors. Instead, a diversity of actors - both benign and malicious - shape it, and those actors operate within a context that is, in turn, defined by the complex interactions of a further set of systemic forces.

To understand the threat landscape, we must therefore consider all the systemic factors that shape it, as well as the actors that operate within it.

In our research efforts, we keep assessing how political, economic, social, and technological factors influence operations and risks.

State Actors and Critical Infrastructure

  • Night Dragon (mid-2000s onward): A China-linked campaign against energy and defense firms globally illustrated the move from opportunistic hacking to long-dwell, state-sponsored industrial espionage [1].
  • Volt Typhoon Botnet Disruption (Jan 2024): The U.S. government announced a court-authorized operation to dismantle a botnet of compromised routers used by the Chinese state-sponsored group Volt Typhoon for pre-positioning within U.S. critical infrastructure [2].
  • U.S. Advisory on Critical Infrastructure Targeting (Feb 2024): The U.S. and allied agencies issued a joint advisory declaring that Volt Typhoon had compromised IT networks across the communications, energy, transport, and water sectors, marking a milestone in the recognition of state cyber power as a strategic threat [4].
  • Salt Typhoon Telecom Breaches (Oct 2024): A global compromise of major telecom networks, attributed to the China-linked group Salt Typhoon, exposed how state actors could access the communications of government officials and a multitude of civilians [3].

State-linked cyber operations have remained active, with a primary focus on intelligence collection and occasional disruptive actions used for signaling, against a backdrop of information operations that vary widely in scale and intensity [5].

Attack methods are concentrating on identity and the edge [6]. Recent reporting also describes stealthy backdoors placed on appliances and virtualization platforms to maintain access for many months without noisy malware [7]. In parallel, rapid exploitation of 0-day and n-day vulnerabilities in perimeter appliances remains common, and supplier and service-provider pathways continue to feature prominently in incident trends [8].

Security Navigator 2026 is Here - Download Now

The newly released Security Navigator 2026 offers critical insights into current digital threats, documenting 139,373 incidents and 19,053 confirmed breaches. More than just a report, it serves as a guide to navigating a safer digital landscape.

What's Inside?

  • 📈 In-Depth Analysis: Statistics from CyberSOC, vulnerability scanning, pentesting, CERT, Cy-X and ransomware observations from Dark Net surveillance.
  • 🔮 Future-Ready: Equip yourself with security predictions and stories from the field.
  • 🧠 Stories from security practitioners across the world.
  • 👁️ Security deep-dives: Get briefed on emerging trends related to Generative AI, Operational Technology and post-quantum cryptography.


Targeting remains concentrated on government and telecommunications, with repeated activity against defense-linked networks [9]. High-tech sectors, notably semiconductors, also saw focused campaigns in 2025 [10]. The seam between enterprise IT and OT in industrial environments remains a concern, with pivots into plant and field systems where monitoring is limited and safety constraints slow response. Open reporting also indicates continued use of commercial spyware by government clients, with fresh forensic cases against journalists in 2025 [11].

This state-linked picture is only part of the landscape. Non-state actors, criminals and hacktivists among them, increasingly operate alongside or in the wake of state campaigns.

Hacktivists: From Cyberspace Vigilantes To State-Aligned Bullies

  • 7 April 2025: Attackers seized control of a valve at the Bremanger dam in Norway and opened it, releasing 500 litres of water per second for four hours. The intrusion was later attributed to Russian hackers by Norway’s security service [12].
  • 7 May 2025: The UK National Cyber Security Centre reports that the pro-Russian hacktivist group NoName057(16) has claimed a three-day DDoS campaign against several UK public sector websites [13].
  • 17 June 2025: Predatory Sparrow claims to have destroyed data at the Iranian state-owned Bank Sepah, causing outages for customers [14].
  • 16 July 2025: Europol announces that the global “Operation Eastwood” disrupted the infrastructure of NoName057(16), marking a coordinated law-enforcement action against a hacktivist network [15].
  • 14 August 2025: Norway’s security service publicly attributes the April dam intrusion to pro-Russian hackers and warns of the rising threat from pro-Russian cyber actors [16].
  • 29 October 2025: The Canadian Centre for Cyber Security alerts that hacktivist groups have breached water, energy, and agricultural OT/ICS systems in Canada, manipulating water pressure, temperature, and humidity levels [17].

As we’ve previously reported [18], hacktivism has entered its “establishment” era. Once a form of digital protest directed against institutions of power, it has evolved into a complex ecosystem of state-aligned and ideologically driven actors that often serve as informal extensions of geopolitical influence. The term “hacktivism” itself today conceals more than it reveals. It no longer refers simply to fringe collectives with political messages, but to distributed, collaborative movements capable of real-world disruption and widespread cognitive manipulation.

We increasingly see boundaries between hackers, activists, and state actors dissolving. Groups such as NoName057(16) and Killnet operate independently, but in support of their host states, attacking adversarial governments and institutions while maintaining plausible deniability for their state beneficiaries. 

Recent events illustrate the implications of this shift. Distributed denial-of-service operations remain the most visible form of hacktivism, yet the targets and intent are changing. Campaigns by pro-Russian groups in 2025 disrupted British public services and European infrastructure, not for ransom or data theft but to broadcast political narratives and erode confidence in institutions [19]. In Norway, attackers remotely manipulated a valve at the Bremanger dam, prompting fears of cyber-physical escalation [20]. Around the same time, a Russian-aligned group claimed access to a water-utility system, though that system later proved to be a security honeypot [21].

More recently, Canadian authorities have reported that hacktivist groups breached critical infrastructure, including water, energy and agricultural sites [22]. The attacks involved tampering with pressure valves at a water facility, manipulating an automated tank gauge at an oil and gas company and altering temperature and humidity levels at a grain silo on a farm. The symbolism of these incidents is as potent as their technical impact: they demonstrate reach into critical systems even when the damage is contained, and they catalyze exactly the kind of panicked narrative the actors desire.

The risk is twofold. First, the risk of serious cyber-physical attacks is growing. While most hacktivist incidents remain low impact, the “addiction” of hacktivist groups to increased visibility and impact suggests they will continue to seek bigger and bolder opportunities. The growing familiarity of such groups with industrial and operational technology increases the likelihood of genuine harm. Attacks that were once digital graffiti could, by accident or intent, evolve into events with physical consequences. Second, the convergence of criminal, ideological, and state interests creates a synergy between information operations and infrastructure attacks. The target is no longer a single system but the public mind: to exhaust trust, polarize societies, and reshape narratives.

Cyber Extortion Is Still the Big Gorilla

  • 20 March 2024: The Bundeskriminalamt (BKA, German Federal Criminal Police), together with the Frankfurt public prosecutor’s central cybercrime office (ZIT), conducts a takedown of the darknet marketplace “Nemesis Market”, seizing infrastructure in Germany and Lithuania [23].
  • 30 May 2024: Authorities participating in Operation ENDGAME announce the arrest of four suspects in Ukraine and Armenia, the takedown of internet servers and the seizure of domains tied to botnets [24].
  • December 2024: The Cl0p ransomware gang launches a major campaign exploiting a zero-day vulnerability in Cleo managed file-transfer software, leading to hundreds of victims [25].
  • 14 January 2025: The UK Home Office publishes a consultation paper proposing a targeted ban on ransomware payments by all UK public sector bodies and critical national infrastructure, and introducing mandatory incident reporting for ransomware events [26].
  • 19-22 May 2025: In the latest phase of Operation ENDGAME, law-enforcement agencies dismantle servers, neutralize domains, and issue arrest warrants for 20 suspects [27].
  • June 2025: A follow-up to Operation ENDGAME results in additional actions and detentions targeting successor groups and affiliates of initial-access ecosystems [28].
  • 22 July 2025: The UK government announces its formal intention to ban public bodies from paying ransoms, and to legislate for mandatory reporting of incidents and payments [29].
  • 11 August 2025: The US Department of Justice announces a coordinated, multinational disruption of the ransomware group BlackSuit (Royal) [30].

Cyber extortion attacks have expanded to nearly every region and every size of business. Where large firms in developed economies previously dominated statistics, victims this year include firms in countries added to our extortion datasets for the first time. 

The entry costs for attackers have plummeted thanks to the commoditization of malware-as-a-service, initial access brokers, and cryptocurrency-enabled monetization. A single vulnerability in commonly used software can yield hundreds or thousands of victims overnight, as seen when Cl0p exploited another file-transfer platform to trigger the largest wave of victims we have ever recorded [31].

Our data shows not only more victims, but also more actors. The victims-per-actor ratio has increased, suggesting that extortion groups are operating at a greater scale and with greater reuse of infrastructure.
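The victims-per-actor ratio above is only meaningful if victims are de-duplicated first, because the same organization is often posted by more than one extortion group (the aerospace case discussed later on this page, where a second ransomware team followed the first onto the same system, is one instance). The following Python is an added example, not Orange Cyberdefense’s own tooling or data; the leak-site postings, actor names (GroupA…GroupE) and victim names are constructed placeholders, and the suffix list used for name normalization is an assumption. It computes the naive postings-per-actor figure alongside the de-duplicated victims-per-actor figure, lists victims posted by more than one actor, and reports countries that appear in the dataset for the first time in a given year.

```python
"""Leak-site posting analysis: distinct victims, distinct actors and
victims-per-actor ratio per year, with de-duplication of victims that
are posted by more than one extortion group. Added example with
constructed data; not Orange Cyberdefense code or data."""
from collections import defaultdict
import re

# Constructed sample of leak-site postings (not real data):
# (date posted, extortion actor, victim name as posted, victim country)
POSTINGS = [
    ("2024-02-03", "GroupA", "Acme Logistics Ltd", "GB"),
    ("2024-03-11", "GroupB", "Beta Hospital", "US"),
    ("2024-07-19", "GroupA", "Gamma Foods SA", "FR"),
    ("2024-09-02", "GroupC", "Delta Mining", "AU"),
    ("2025-01-14", "GroupA", "Epsilon Telecom", "DE"),      # DE first seen in 2025
    ("2025-02-20", "GroupA", "Zeta Retail Inc.", "US"),
    ("2025-03-05", "GroupD", "ZETA RETAIL INC", "US"),      # same victim, second actor
    ("2025-04-30", "GroupB", "Eta Aerospace", "US"),
    ("2025-05-09", "GroupE", "Eta Aerospace, Inc", "US"),   # re-extortion by a second team
    ("2025-06-21", "GroupA", "Theta Bank", "KE"),           # KE first seen in 2025
    ("2025-08-12", "GroupD", "Iota Shipping", "PE"),        # PE first seen in 2025
    ("2025-10-01", "GroupB", "Kappa Energy", "GB"),
]

# Assumed set of legal suffixes to strip; extend for the markets you track.
_SUFFIXES = {"ltd", "inc", "sa", "llc", "plc", "gmbh", "corp"}


def normalize_victim(name):
    """Fold case, drop punctuation and common legal suffixes so the same
    victim posted under slightly different spellings counts once."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _SUFFIXES)


def _in_year(postings, year):
    return [p for p in postings if int(p[0][:4]) == year]


def yearly_stats(postings, year):
    """Postings, distinct victims, distinct actors and both ratios for one year."""
    rows = _in_year(postings, year)
    victims = {normalize_victim(v) for _, _, v, _ in rows}
    actors = {a for _, a, _, _ in rows}
    n_actors = len(actors)
    return {
        "postings": len(rows),
        "victims": len(victims),
        "actors": n_actors,
        # naive figure counts every posting; the de-duplicated one counts each victim once
        "postings_per_actor": round(len(rows) / n_actors, 2) if n_actors else 0.0,
        "victims_per_actor": round(len(victims) / n_actors, 2) if n_actors else 0.0,
    }


def multi_actor_victims(postings, year):
    """Victims posted by more than one actor in the year -> sorted actor list."""
    seen = defaultdict(set)
    for _, actor, victim, _ in _in_year(postings, year):
        seen[normalize_victim(victim)].add(actor)
    return {v: sorted(a) for v, a in seen.items() if len(a) > 1}


def first_seen_countries(postings, year):
    """Countries whose earliest posting in the whole dataset falls in the year."""
    earliest = {}
    for date, _, _, country in postings:
        y = int(date[:4])
        earliest[country] = min(y, earliest.get(country, y))
    return sorted(c for c, y in earliest.items() if y == year)


if __name__ == "__main__":
    for y in (2024, 2025):
        print(y, yearly_stats(POSTINGS, y))
    print("posted by more than one actor:", multi_actor_victims(POSTINGS, 2025))
    print("countries first seen in 2025:", first_seen_countries(POSTINGS, 2025))
```

On the constructed data the naive 2025 figure is 2.0 postings per actor while the de-duplicated figure is 1.5 victims per actor; a dataset that counts postings rather than victims overstates scale, and the multi-actor list is where re-extortion cases surface.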

We observe three key trends:

  1. Despite years of focus and substantial investment in defensive controls, the number of victims continues to rise [32]. Ransomware and extortion attacks now represent a dominant share of cyber incidents, often accounting for more than a third of losses and exhibiting growth measured in multiples since the late 2010s [33].
  2. The techniques used by threat actors are, in many cases, well-known, straightforward, and theoretically avoidable [34]. Phishing, stolen credentials, unpatched systems, and misconfigured file-transfer appliances feature prominently in breach post-mortems. Yet these attacks persist and succeed, even when the theoretical controls exist. This points to a deeper problem than individual technical weakness. 
  3. The ecosystem behind these attacks is evolving rapidly. Our reporting shows that the cyber extortion ecosystem has matured into a decentralized, professionalized network of affiliates, service-providers, and facilitators, using the lowest cost, highest leverage vectors available. 

While we found that law enforcement and governments are responding more assertively, they must overcome jurisdictional fragmentation, safe-haven states, and an adversary that shifts shape and label constantly.

The fact that many of the techniques used in Cy-X compromises are “familiar, predictable and defeatable”, yet somehow remain effective, requires urgent reflection. The recent breach at a major aerospace company - in which attackers accessed a server with old credentials, stole data, and were followed by a second ransomware team on the same system - illustrates how basic processes can fail at multiple layers [35]. If we know how to patch, how to secure credential access, how to maintain offline backups, and how to train staff, then why do firms keep falling victim? Three broad explanations suggest themselves.

Firstly, many organizations simply adopt security technologies or controls that are inexpensive, unwieldy, or poorly aligned with their context. The tools may be present in theory, but fail in practice. Secondly, the adoption rate of basic cyber-hygiene practices may remain patchy, especially among smaller firms and in developing economies, leaving a wide attack surface still to be exploited. Finally, we may have placed too much faith in preventing breaches when today’s environment also demands robust detection, response, and recovery capabilities.

Several major jurisdictions now participate regularly in multinational takedowns, arrests, and indictments. However, despite the increased volume of actions, the Cy-X ecosystem remains resilient. Some states tolerate or even shield domestic cyber-criminals, creating safe havens that thwart global efforts [36]. The net effect is that law enforcement action alone, while necessary, cannot tip the balance without significantly improved coordination, sustained pressure, and the elimination of safe havens.

A wholly new form of collaboration is required that is more reminiscent of a wartime society, in which a mutual adversary and shared goals surface a unique and authentic form of public-private partnership.

Cyber extortion is not a niche threat that will fade. It is a systemic challenge that will continue to grow unless we change how we think, defend, respond and collaborate. We have the technical knowledge and the policy tools. The challenge is to achieve collective execution at scale, global coordination, and the political will to treat this threat as the societal hazard it has become.

Conclusion: Hacktivists, Criminals, and Everything in Between

Hacktivism, and the cyber landscape in general, arguably reflects the political moment now more than ever before. It mirrors a world where conflict is constant, boundaries are porous, and narratives are as contested as territory. For security leaders, this is no longer a technical nuisance to be filtered or patched away. It is a strategic threat that must be met with shared awareness, cross-sector coordination, and a recognition that cybersecurity is inseparable from societal security.

Clearly, every organization must assume it is a target and prepare accordingly. Prevention remains essential, but so too does resilience through detection, incident response and recovery. Table-top exercises, live-fire rehearsal of recovery from backup systems and transparent post-breach introspection must become standard business practice. But businesses cannot individually repel these implacable adversaries.

Defending against all classes of threats requires more than technical resilience; it demands a societal approach. Companies and governments must acknowledge that the target is often collective cohesion and confidence. Keeping a website online during a DDoS attack does not sufficiently address the wider objective of undermining civic or institutional legitimacy. Collaboration between public and private sectors must therefore extend beyond incident response into coordinated communication, education, and cognitive defense. The challenge is not only to secure systems but to preserve the coherence of the societies that depend on them.

This opinion piece was brought to you by Charl van der Walt, Head of Security Research at Orange Cyberdefense and uses excerpts and sources from the Security Navigator 2026. If you want to explore some of these topics in more depth, head over to the Navigator page and download your copy of the full report.

  • [1] https://ift.tt/A0tsyFX
  • [2] https://ift.tt/0mfRZvM
  • [3] https://ift.tt/bz4gRmW
  • [4] https://ift.tt/IxoCuz5
  • [5] https://ift.tt/Zw9QYuF
  • [6] https://ift.tt/nAMGU03
  • [7] https://ift.tt/WLbJI09
  • [8] https://ift.tt/6uVJIbp
  • [9] https://ift.tt/UDF4GMq
  • [10] https://ift.tt/F8fU7mz
  • [11] https://ift.tt/5KlZpND
  • [12] https://ift.tt/JPhDeq8
  • [13] https://ift.tt/YhmvfoT
  • [14] https://ift.tt/tmgviQk
  • [15] https://ift.tt/eNcry8O
  • [16] https://ift.tt/GChfQJt
  • [17] https://ift.tt/jlYs3pf
  • [18] https://ift.tt/rJaBNTZ
  • [19] https://ift.tt/I5QDHzF
  • [20] https://ift.tt/8291Mru
  • [21] https://ift.tt/Or6NzsM
  • [22] https://ift.tt/jlYs3pf
  • [23] https://ift.tt/QvqKX36
  • [24] https://ift.tt/VNrEdl1
  • [25] https://ift.tt/WLPDRhT
  • [26] https://ift.tt/B0e3rys
  • [27] https://ift.tt/5y8ZI7J
  • [28] https://ift.tt/3yYvaAF
  • [29] https://ift.tt/Jl2khtB
  • [30] https://ift.tt/TAdocPD
  • [31] https://ift.tt/LiY5o3V
  • [32] https://ift.tt/zcOA9qF
  • [33] https://ift.tt/Z8vHN2S
  • [34] https://ift.tt/gle4Yv2
  • [35] https://www.bankinfosecurity.com/more-collins-aerospace-hacking-fallout-a-29848
  • [36] https://ift.tt/7eskYyd

Note: This article was expertly written and contributed by Charl van der Walt, Head of Security Research at Orange Cyberdefense.




from The Hacker News https://ift.tt/GafC74Q
via IFTTT
