Nation-State Cyber Attacks in 2026: Salt Typhoon, APT28, Lazarus Group, and Iran's Expanding Cyber War

Nation-state cyber operations in 2026 are no longer a theoretical concern or a future scenario. They are an active, continuous reality playing out across telecom networks, government systems, defense supply chains, and hospitals right now — and the gap between detection and remediation is widening.

The Operational Landscape: CRINK in 2026

The acronym CRINK — China, Russia, Iran, North Korea — has been a fixture in threat intelligence briefings for years. In 2026, it describes something more concrete than a taxonomy of adversaries: it is the operational roster of the four state actors running continuous offensive cyber programs against Western government, critical infrastructure, and private-sector targets. What has changed in the current period is not the cast of characters but the operational tempo, the tooling sophistication, and the degree to which each actor has adapted to a world where defenders have become more capable.

By the numbers:
  80+ countries affected by Salt Typhoon's telecom intrusions
  24h: APT28's weaponization window for CVE-2026-21509 after public disclosure
  $2B+ in cryptocurrency theft attributed to North Korean groups in 2025 alone
  245% rise in cybercrime since the Feb 28, 2026 onset of the Iran conflict

The Cloudflare 2026 Threat Intelligence Report, published in early March, identifies a strategic evolution in how advanced persistent threat actors operate: a move away from broad, opportunistic targeting toward precision engagement of high-value nodes. This matters for threat modeling because it means that sector and size alone no longer predict targeting. What matters is whether an organization sits on a path that leads to something a nation-state wants — communications infrastructure, energy routing data, semiconductor supply chain visibility, or simply the administrative credentials of someone with higher-value access.

Salt Typhoon: Still Inside U.S. Telecom Networks

Salt Typhoon (China / MSS)
Also known as: FamousSparrow • GhostEmperor • Earth Estries • UNC2286 • MITRE G1045
Tags: Espionage, Telecom, Lawful Intercept, Active since 2019, MSS-attributed
State-sponsored actor attributed to China's Ministry of State Security. Primary focus: telecommunications infrastructure and lawful intercept systems. Operates with extreme patience — documented dwell times of up to three years inside compromised networks.

Salt Typhoon is arguably the defining nation-state cyber story of the past two years, and as of March 2026 it remains unresolved. The group, widely attributed to China's Ministry of State Security (MSS), first drew major public attention in September 2024 when U.S. officials confirmed it had penetrated several major telecommunications providers, including AT&T, Verizon, Lumen Technologies, Charter Communications, and satellite provider Viasat. The scope of that breach was extraordinary: according to the FBI, Salt Typhoon's intrusions ultimately affected more than 80 countries, with confirmed compromises at over 200 organizations globally.

What made Salt Typhoon distinctive was not just its reach but its specific target selection. The group deliberately sought access to lawful intercept infrastructure — the systems that U.S. telecommunications providers are legally required to maintain so that law enforcement and intelligence agencies can conduct court-authorized surveillance. By compromising this infrastructure, Salt Typhoon gave China the ability to intercept communications involving senior U.S. officials, including individuals connected to the 2024 presidential campaign. According to reporting from TechCrunch, the hackers also compromised the networks of at least one U.S. state's National Guard, obtaining data and access that extended to other networks across multiple states.

Attack Chain: Salt Typhoon Telecom Intrusions (China / MSS)
  1. Initial Access: T1190, Exploit Public-Facing Application
  2. Credential Access: T1110.002, Password Cracking (SNMP strings)
  3. Persistence: T1098.004, SSH Authorized Keys
  4. Lateral Movement: T1078.003, Valid Local Accounts
  5. Defense Evasion: T1562.004, Disable System Firewall / ACL bypass
  6. C2: T1572, Protocol Tunneling (GRE/IPsec)
  7. Exfiltration: T1048, Exfiltration Over Alternative Protocol
Former ODNI official Laura Galante compared Salt Typhoon's access to having dozens of Chinese intelligence officers physically stationed inside a major telecom — except the intrusion was digital and therefore orders of magnitude harder to detect and remove. — via CyberScoop

By February 2026, the FBI's deputy assistant director for cyber intelligence, Michael Machtinger, confirmed at the CyberTalks conference that Salt Typhoon's threat was "still very much ongoing." Speaking frankly about lessons learned, Machtinger emphasized that the entry points Salt Typhoon exploited were not sophisticated zero-days but fundamental security gaps: unpatched legacy systems, weak access controls, and the absence of zero-trust architecture inside telecom networks. Once inside the network infrastructure, Salt Typhoon used packet capture via its JumbledPath malware to sniff SNMP, TACACS, and RADIUS traffic, collecting credentials for lateral movement across interconnected telecom networks. Persistence was then maintained through SSH authorized keys added to compromised routers and switches — a method that survives password resets unless defenders audit SSH key stores.
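The point that SSH-key persistence survives password resets only helps defenders who actually audit key stores. The block below is an added example, not the page's or any vendor's code: it compares an authorized_keys snapshot pulled from a device against an approved baseline by key fingerprint, flagging added keys, entries whose options (such as a from= restriction) changed, and blobs whose declared type does not match their contents. All key material, hostnames and comments are constructed for the example.

```python
"""Audit an OpenSSH authorized_keys snapshot against an approved baseline."""
import base64
import binascii
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
}


@dataclass(frozen=True)
class KeyEntry:
    options: str    # e.g. from="10.20.0.0/16",command="..."; "" when absent
    key_type: str
    blob_b64: str
    comment: str

    @property
    def fingerprint(self) -> str:
        # Same format ssh-keygen -l -E sha256 prints: SHA256:<unpadded base64>
        digest = hashlib.sha256(base64.b64decode(self.blob_b64)).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Parse key lines; every token before the key-type token is an option."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue  # not a recognisable key line
        entries.append(KeyEntry(
            options=" ".join(tokens[:idx]),
            key_type=tokens[idx],
            blob_b64=tokens[idx + 1],
            comment=" ".join(tokens[idx + 2:]),
        ))
    return entries


def embedded_key_type(blob_b64: str) -> Optional[str]:
    """Key type recorded inside the wire-format blob (length-prefixed string)."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", blob[:4])
        return blob[4:4 + n].decode("ascii")
    except (binascii.Error, struct.error, UnicodeDecodeError):
        return None


def audit(current_text: str, baseline: list) -> list:
    """Return (finding_kind, entry) for every entry that deviates from baseline.

    Matching is by fingerprint only: the comment field is attacker-controlled,
    so a planted key labelled like a legitimate one still counts as unknown.
    """
    approved = {e.fingerprint: e for e in baseline}
    findings = []
    for entry in parse_authorized_keys(current_text):
        if embedded_key_type(entry.blob_b64) != entry.key_type:
            findings.append(("malformed", entry))
            continue
        known = approved.get(entry.fingerprint)
        if known is None:
            findings.append(("unknown_key", entry))
        elif known.options != entry.options:
            findings.append(("options_changed", entry))  # e.g. from= restriction dropped
    return findings


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def constructed_ed25519_blob(seed: str) -> str:
    """Constructed sample blob in ssh-ed25519 wire layout; the 32 key bytes
    are deterministic filler derived from the seed, not a real key pair."""
    pub = hashlib.sha256(seed.encode()).digest()
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(pub)).decode()


# Constructed baseline: what configuration management says belongs on the router.
BASELINE_TEXT = f"""# approved keys
ssh-ed25519 {constructed_ed25519_blob('netops')} netops@bastion
from="10.20.0.0/16" ssh-ed25519 {constructed_ed25519_blob('backup')} backup@netbox
"""

# Constructed snapshot pulled from the device during an audit.
CURRENT_TEXT = f"""ssh-ed25519 {constructed_ed25519_blob('netops')} netops@bastion
ssh-ed25519 {constructed_ed25519_blob('backup')} backup@netbox
ssh-ed25519 {constructed_ed25519_blob('planted')} netops@bastion
ssh-rsa {constructed_ed25519_blob('mismatch')} svc@legacy
"""

if __name__ == "__main__":
    for kind, entry in audit(CURRENT_TEXT, parse_authorized_keys(BASELINE_TEXT)):
        print(f"{kind:16} {entry.fingerprint} {entry.comment!r} options={entry.options!r}")
```

Run it against snapshots collected from every device on a schedule, and keep the baseline in version control so a diff in the baseline itself is also reviewed.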

The political response has been contentious. In November 2025, the FCC put in place new rules to strengthen telecom network security in the wake of Salt Typhoon. Two days later, the FCC's Republican majority voted to rescind those rules. By February 2026, Senator Maria Cantwell was demanding congressional hearings with AT&T and Verizon CEOs after both companies declined to provide documentation confirming their networks had been secured. Expert witnesses testified that the carriers were not taking sufficient action, with one former FCC official stating plainly that they were not convinced providers would take adequate and sustained action without a strong verification regime imposed on them.

Salt Typhoon's reach extended far beyond the United States. Norway's domestic security agency (PST) included the group in its 2026 annual threat assessment, confirming that Salt Typhoon had exploited vulnerable network devices in Norwegian organizations. PST director general Beate Gangås stated that Norway was "facing its most serious security situation since World War II." Australia's ASIO, New Zealand's security services, and Finnish and Polish cybersecurity officials have all reported Salt Typhoon activity within their infrastructure. The campaign has also been documented targeting telecoms in Myanmar, South Africa, and universities across Bangladesh, Indonesia, Malaysia, and Thailand.

Note

Salt Typhoon's sister operation, Volt Typhoon, pursues a different objective: pre-positioning inside U.S. critical infrastructure — water, energy, transportation — specifically to enable potential disruption in the event of a conflict with China. CISA, NSA, and the FBI have jointly stated that Volt Typhoon's intrusions "carry limited espionage potential" and are instead preparations for future sabotage. Volt Typhoon actors routinely use "living off the land" techniques, leveraging built-in Windows tools and legitimate credentials rather than custom malware, making detection extremely difficult.

APT28: Zero-Day Weaponization in Under 24 Hours

APT28 — Fancy Bear (Russia / GRU)
Also known as: GRU Unit 26165 (85th MSSC) • Sofacy • STRONTIUM • UAC-0001 • MITRE G0007
Tags: Espionage, Disruption, Rapid Weaponization, GRU-attributed, Ukraine Focus
Russian military intelligence (GRU) unit with a long history of aggressive espionage and disruptive operations against NATO targets, Ukraine, and democratic institutions. Distinguished by fast operational tempo and willingness to burn capabilities for timely strategic effect.

While China's operations favor stealth and long-term access, Russia's APT28 operates with a different tempo: aggressive, fast-moving, and willing to burn new capabilities quickly when geopolitical windows demand it. In January 2026, APT28 demonstrated one of the most striking examples of rapid vulnerability weaponization on record. On January 26, Microsoft disclosed CVE-2026-21509, a security feature bypass vulnerability in Microsoft Office with a CVSS score of 7.8. Within 24 hours, APT28 had already created a weaponized document exploiting the flaw. By January 29, Ukraine's CERT-UA and the cybersecurity firm Zscaler were observing live attacks against government targets in Ukraine, Slovakia, and Romania.

According to analysis from Trellix published by Industrial Cyber, APT28 ran a concentrated 72-hour spear-phishing campaign between January 28 and 30, 2026, sending at least 29 distinct emails across nine Eastern European nations. The targeting breakdown reflected clear strategic priorities: defense ministries (40%), transportation and logistics operators (35%), and diplomatic entities (25%). The infection chain was multi-stage and designed for resilience: a lightweight loader dropped first, followed by an Outlook VBA backdoor called NotDoor, and finally a custom C++ implant dubbed BeardShell. For command and control, APT28 routed communications through the legitimate cloud storage service filen.io, blending malicious traffic with normal user activity to evade detection.

Attack Chain: APT28 CVE-2026-21509 Campaign (Russia / GRU Unit 26165)
  1. Initial Access: T1566.001, Spearphishing Attachment (CVE-2026-21509)
  2. Execution: T1204.002, User Execution: Malicious File
  3. Execution: T1059.005, NotDoor (Outlook VBA Backdoor)
  4. Defense Evasion: T1055, Process Injection (BeardShell)
  5. Defense Evasion: T1027, Obfuscated Files or Information
  6. C2: T1102, Web Service C2 via filen.io
Attack chain reconstructed from CERT-UA and Trellix analysis of the January 2026 campaign.
Trellix researchers Pham Duy Phuc and Alex Lanstein described the infection chain as purpose-built for resilience and evasion, noting that encrypted payloads, legitimate cloud-based C2, in-memory execution, and process injection were combined specifically to keep forensic footprints minimal. — via The Hacker News

CERT-UA officially attributed the January 2026 attacks to UAC-0001, the agency's identifier for APT28, also designated by Western intelligence as GRU Unit 26165 (the 85th Main Special Service Center). One malicious document, titled Consultation_Topics_Ukraine(Final).doc, referenced COREPER — the Committee of Permanent Representatives of the European Union — suggesting an attempt to deceive EU officials or staff into opening the file. Metadata analysis confirmed the document was created on January 27, one day after Microsoft's public advisory, meaning APT28 almost certainly reverse-engineered the patch to build its exploit rather than having prior knowledge of the vulnerability.

APT28's 2026 activities are not limited to this single campaign. Russian military hackers have also revived the BeardShell implant for long-term surveillance of Ukrainian military personnel, according to ESET research published by The Record. BeardShell has appeared continuously in espionage operations since its 2024 discovery, used alongside the Covenant command-and-control framework. ESET assesses that Covenant has been positioned as APT28's primary espionage tool, with BeardShell serving as a fallback when primary infrastructure is disrupted. Germany previously summoned Russia's ambassador over APT28's August 2024 attack on Deutsche Flugsicherung, the country's air traffic control authority — an attack that, if successful during an active flight operation, could have had consequences reaching far beyond espionage.

In a separate development highlighted by CSO Online, Ukrainian CERT analysts discovered that APT28 had deployed a novel malware variant called LAMEHUG that uses large language model (LLM) APIs — specifically those from Hugging Face — to generate Windows commands dynamically during execution. Rather than using a fixed command set that could be detected by signatures, LAMEHUG introduces variability into its behavior by querying an LLM at runtime. This is a meaningful evolution: it represents nation-state actors building AI directly into malware architecture, not simply using AI to write phishing emails.

North Korea's Lazarus Group: From Crypto Heists to Hospital Ransomware

Lazarus Group — Hidden Cobra (DPRK / RGB)
Also known as: Diamond Sleet • Bluenoroff • Andariel • TEMP.Hermit • MITRE G0032
Tags: Financial Theft, Ransomware, Crypto Platforms, Healthcare, RGB-attributed
Operated under North Korea's Reconnaissance General Bureau (RGB). Unique among nation-state actors in its explicit financial mandate — cyber operations fund the North Korean state directly, bypassing sanctions. Increasingly targeting healthcare and non-profits alongside its core cryptocurrency theft operations.

North Korea's cyber program has always been distinguished by its financial motivation. Unlike Chinese or Russian groups, which prioritize strategic access and intelligence collection, the Lazarus Group — operated under the Reconnaissance General Bureau (RGB) — uses cyber theft to fund the North Korean state directly. Isolated by sanctions and unable to participate in the global financial system, the regime has treated cybercrime as a revenue stream for over a decade. The results have been staggering: blockchain analytics firm Chainalysis attributed more than $2 billion in cryptocurrency theft to North Korea-linked groups in 2025 alone.

In 2026, Lazarus Group's playbook has expanded in a direction that concerns threat analysts: a pivot toward ransomware deployment against healthcare and educational institutions. Symantec and Carbon Black researchers reported in February 2026 that Lazarus — tracked by Broadcom as Diamond Sleet — had deployed Medusa ransomware in an attack against an unnamed organization in the Middle East, and had attempted the same against a U.S. healthcare organization. Analysis of the Medusa ransomware leak site found attacks against four healthcare and non-profit organizations in the U.S. between November 2025 and early 2026, including a mental health non-profit and an educational facility for children with autism.

Broadcom's Symantec threat research team assessed that North Korea's shift to Medusa demonstrates that its involvement in cybercrime remains unchecked, with North Korean actors showing little hesitation about targeting U.S. organizations of any kind. — via The Hacker News

On March 17, 2026 — one day before this article was published — crypto e-commerce platform Bitrefill disclosed a breach beginning March 1 that was linked to Lazarus Group through indicators including malware overlaps, reused infrastructure such as IP addresses and email accounts, and on-chain transaction patterns. Attackers gained initial access through a compromised employee laptop, extracted legacy credentials, and escalated access to Bitrefill's internal database and cryptocurrency hot wallets. Around 18,500 purchase records were accessed. The incident is a textbook example of Lazarus's subgroup Bluenoroff, which focuses on financial institutions and digital asset platforms.

Cisco Talos researchers have also tracked a separate campaign, attributed with low confidence to a North Korean-linked group designated UAT-10027, deploying a new backdoor called Dohdoor against educational institutions and healthcare facilities in the United States. The malware uses DNS-over-HTTPS via Cloudflare's DNS service to communicate, applies process hollowing, and side-loads malicious DLLs disguised as legitimate system files — techniques that overlap significantly with established Lazarus Group tooling.
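Two of the malware behaviors described in this article, LAMEHUG's runtime calls to an LLM API and Dohdoor's DNS-over-HTTPS channel, share a network trait: outbound TLS sessions to a small set of well-known hostnames from endpoints that normally have no reason to reach them. The block below is an added example, not code from Cisco Talos, CERT-UA or CSO Online: it runs over constructed TLS-session records (timestamp, source IP, SNI), groups them per source and destination, and scores how regular the gaps between sessions are, so a steady DoH cadence stands out from a one-off lookup. The resolver and LLM API hostnames in the two lists are assumptions for the example.

```python
"""Flag endpoints talking to public DoH resolvers or LLM APIs and score
whether those sessions follow a fixed cadence (beacon-like) or are ad hoc."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Optional

# Assumed hostnames for the example; align these with your own egress policy.
PUBLIC_DOH_RESOLVERS = {
    "cloudflare-dns.com", "mozilla.cloudflare-dns.com", "one.one.one.one", "dns.google",
}
LLM_API_HOSTS = {"api-inference.huggingface.co", "huggingface.co"}


@dataclass
class Finding:
    src: str
    sni: str
    category: str            # "doh" or "llm_api"
    count: int
    gap_cv: Optional[float]  # coefficient of variation of inter-session gaps
    periodic: bool


def gap_regularity(timestamps):
    """Return (session count, CV of the gaps between sessions).

    CV near 0 means a fixed interval with little jitter; None means there are
    too few sessions to judge.
    """
    ts = sorted(timestamps)
    if len(ts) < 4:
        return len(ts), None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return len(ts), (pstdev(gaps) / avg if avg > 0 else None)


def analyse(records, min_count=4, max_cv=0.2):
    """records: iterable of (epoch_seconds, src_ip, tls_sni) tuples."""
    by_pair = defaultdict(list)
    for ts, src, sni in records:
        by_pair[(src, sni)].append(ts)
    findings = []
    for (src, sni), stamps in by_pair.items():
        if sni in PUBLIC_DOH_RESOLVERS:
            category = "doh"
        elif sni in LLM_API_HOSTS:
            category = "llm_api"
        else:
            continue  # ordinary egress, not of interest here
        n, cv = gap_regularity(stamps)
        periodic = cv is not None and n >= min_count and cv <= max_cv
        findings.append(Finding(src, sni, category, n, cv, periodic))
    return findings


def constructed_records():
    """Constructed sample sessions standing in for Zeek/proxy TLS logs."""
    recs = []
    # Host A: DoH sessions every ~60 s with a few seconds of jitter.
    for i in range(8):
        recs.append((1000.0 + 60 * i + (i % 3) - 1, "10.1.5.23", "cloudflare-dns.com"))
    # Host B: a single DoH session, e.g. a browser connectivity check.
    recs.append((1005.0, "10.1.5.40", "cloudflare-dns.com"))
    # Host C: LLM API reached at irregular intervals.
    for t in (1000, 1007, 1090, 1092, 1400):
        recs.append((float(t), "10.1.7.9", "api-inference.huggingface.co"))
    # Host A again, but to an ordinary SaaS login endpoint (no finding).
    recs.append((1001.0, "10.1.5.23", "login.microsoftonline.com"))
    return recs


if __name__ == "__main__":
    for f in analyse(constructed_records()):
        cv = "n/a" if f.gap_cv is None else f"{f.gap_cv:.3f}"
        print(f"{f.src:12} {f.category:8} {f.sni:32} n={f.count} cv={cv} periodic={f.periodic}")
```

Browsers and operating systems with built-in DoH will also hit the "doh" category, so the actionable signal is a periodic finding from a host whose policy points it at the internal resolver, not the category alone.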

The evolution of North Korea's remote worker infiltration scheme adds another dimension. Throughout 2025 and into 2026, North Korean operatives have continued placing fake IT workers inside Western companies, using deepfake technology and surrogate infrastructure to pass identity verification. Where the scheme was once considered a niche tactic, intelligence officials now regard it as a scalable threat model likely to be emulated by other sanctioned states.

The AI Factor: How Nation-States Are Changing Their Toolkit

Artificial intelligence is reshaping the operational capabilities available to nation-state actors, though its direct role in confirmed operations remains difficult to fully measure. The clearest documented example in 2026 is APT28's LAMEHUG malware, which queries LLM APIs at runtime to generate commands — an approach designed to defeat signature-based detection by introducing polymorphic behavior at the command level. This is a structural departure from how AI has been discussed in the context of offensive cyber operations: rather than AI being used to accelerate vulnerability research or write phishing content, it is being embedded into the malware itself as a decision-making layer.

The Cloudflare 2026 Threat Intelligence Report, published in early March, documented threat actors using large language models to map networks in real time, develop new exploits, and create highly realistic deepfakes for social engineering. Cloudforce One tracked one threat actor who leveraged AI to identify the location of high-value data across hundreds of compromised corporate tenants in what Cloudflare described as one of the most impactful supply chain attacks observed to date. DDoS attacks have reached unprecedented scale: the report cited attacks reaching 31.4 Tbps — a volume that exceeds human response capabilities and demands fully autonomous defenses.

OPSWAT Chief Strategy Officer Stephen Gorham projected that 2026 would bring more nation-state attacks against critical infrastructure, with adversaries pre-embedded in systems for extended periods before activating. — via SecurityWeek

The Cloudflare report also noted a strategic shift in Chinese APT tactics: Salt Typhoon and Linen Typhoon have moved away from broad, indiscriminate attacks toward precision strikes focused on North American telecommunications and government infrastructure. This isn't a reduction in threat level — it reflects a more mature, more targeted operational model. These groups have learned which targets yield maximum strategic value and are now investing their operational resources accordingly.

The Blurring Line Between State and Criminal

One of the defining characteristics of the 2026 threat landscape is the deliberate erosion of the boundary between nation-state operations and cybercriminal activity. This blurring serves a strategic purpose: it provides states with plausible deniability. When a ransomware gang rather than a military unit executes an attack, the victim government faces a harder attribution problem and a weaker political case for escalatory response.

The Colonial Pipeline attack, carried out by the DarkSide ransomware group in 2021, remains the most cited example of this dynamic. The attack fit the profile of state-sponsored sabotage but involved a criminal ransomware gang. Russian President Vladimir Putin publicly denied involvement while simultaneously suggesting the attack may have been conducted by "patriotic Russian citizens." In 2026, this pattern has matured into a deliberate strategy. Multiple threat intelligence sources, including Claroty's Andrew Lintell, assess that nation-states will increasingly use criminal groups to execute ransomware, data theft, and disruption operations — achieving strategic ends while keeping government hands officially clean.

North Korea's use of Medusa ransomware — a ransomware-as-a-service platform operated by a cybercrime group called Spearwing — illustrates this convergence from a different angle. Rather than outsourcing operations to criminals for deniability, North Korea is adopting criminal tooling directly to blend its state-funded attacks into the broader ransomware ecosystem. The result is a targeting profile that looks like opportunistic criminality but is, in operational terms, state-directed revenue generation and, in some cases, intelligence collection.

Iran's operations in 2026 have followed yet another variation of this pattern. Following U.S.-Israeli strikes against Iranian targets in February 2026, security researchers tracked a surge of retaliatory cyber operations attributed to groups including Handala Hack and Dark Storm Team. These groups used Telegram and underground forums to publicize claimed attacks against Israeli telecom services, Western government websites, and allied organizations. Whether operating under direct state direction or with informal state backing, the operations serve Iranian strategic interests while maintaining organizational separation from the Iranian government itself.

Iran: When Cyber Conflict Runs Alongside Kinetic War

Handala Hack (+ Cyber Islamic Resistance coalition) (Iran / MOIS)
Related state APTs: MuddyWater (MOIS) • APT34 / OilRig (MOIS/IRGC) • Charming Kitten (IRGC)
Tags: Hacktivist Proxy, Wiper Malware, Retaliatory Ops, Pre-positioned Servers, MOIS-attributed
Assessed by Palo Alto Networks Unit 42 as a state-directed front for Iran's MOIS. Operates through pre-positioned servers in Germany, France, and Singapore — infrastructure that survived physical strikes on Iran's domestic cyber headquarters. Has evolved from website defacement to data-wiping operations with custom malware including Hatef wiper and Radthief stealer.

Of the four CRINK actors, Iran is the one whose cyber operations are actively evolving in real time as this article is published. On February 28, 2026, a joint U.S.-Israeli military operation — Operation Epic Fury on the American side and Operation Roaring Lion on the Israeli side — launched strikes against targets inside Iran. Within hours, a wave of cyber operations began that has not stopped. The question the article's earlier sections left open is this: what does it look like when a nation-state launches cyber operations not as a pre-positioned strategic play, but as an immediate retaliatory instrument running in parallel with ballistic missiles and drone strikes?

Iran's own state cyber infrastructure took an early blow. Israel struck a building in eastern Tehran identified as housing the Islamic Revolutionary Guard Corps (IRGC) cyber warfare headquarters, limiting Iran's ability to coordinate a centralized response from within its borders. Iran's domestic internet connectivity simultaneously dropped to between one and four percent following communications infrastructure strikes. But the campaign did not stop — because Iran had spent years building a distributed proxy model that does not depend on domestic internet access. Groups like Handala Hack operate through pre-positioned servers in Germany, France, and Singapore, routing attacks through hosting providers like Contabo and OVH. The internet blackout inside Iran disrupted ordinary citizens. It did not disrupt the attackers.

Handala Hack is the clearest example of how Iran structures this proxy architecture. Researchers at Palo Alto Networks Unit 42 assess that Handala functions as a state-directed front for Iran's Ministry of Intelligence and Security (MOIS), and that its capabilities have matured significantly over the past two years — evolving from website defacement into data-wiping operations using custom malware including Hatef wiper and Radthief stealer. On March 11, 2026, Handala claimed a cyberattack against Stryker Corporation, a U.S.-based medical technology company with over 200,000 systems across 79 countries. The group stated it exploited Microsoft Intune — a cloud-based device management platform requiring administrator-level credential access — to remotely wipe devices at scale. Stryker confirmed a global network disruption to its Microsoft environment. Check Point characterized the incident as the first known instance of Iranian cyber actors targeting a major American enterprise not for espionage, but for disruption.

Palo Alto Networks Senior Manager of Threat Intelligence Justin Moore described Handala as having merged the disruptive playbook of a hacktivist group with genuine nation-state destructive capability — making it more dangerous than either category alone. — via Insurance Journal

Handala is one actor inside a larger coalition. Within hours of the initial strikes, Iran-aligned groups formed a coordinated structure called the Cyber Islamic Resistance, organizing operations through an "Electronic Operations Room" on Telegram. Over 60 hacktivist groups mobilized in the first hours of the conflict. By the first week of March, the coalition had claimed responsibility for more than 600 distinct attacks across over 100 Telegram channels, targeting Israeli defense, Jordanian fuel systems, Gulf Cooperation Council government agencies, and Pakistani telecommunications. Jordan's National Cybersecurity Center confirmed it thwarted an attack on the country's wheat silo management system — a food supply infrastructure target that illustrates how broadly the targeting net was cast.

The scale of criminal and opportunistic activity riding alongside the state-aligned operations has been striking. Akamai reported a 245 percent rise in cybercrime activity since February 28, with banking and fintech accounting for the largest share of malicious traffic. Notably, only 14 percent of source IPs traced back to Iran itself — Russia accounted for 35 percent and China 28 percent, a distribution consistent with geopolitically motivated hacktivists using proxy infrastructure in those countries rather than operating from Iranian soil. This proxy layering means attribution in the immediate aftermath of a kinetic conflict is even harder than in peacetime operations: the fog of war in cyberspace is thicker, and threat actors exploit the confusion deliberately.

Note

Not all claimed attacks have been verified. The Foundation for Defense of Democracies assessed that many of the pro-Iran coalition's claimed successes were likely false or exaggerated — a pattern common in hacktivist campaigns where public psychological impact is itself a strategic goal. Organizations should be appropriately skeptical of unverified breach claims circulating on Telegram during active conflict periods, while simultaneously raising defensive posture, since the volume of legitimate attacks makes waiting for confirmation a risky strategy.

Iran also has state-level APT groups whose activity runs separately from the hacktivist layer. MuddyWater — operating under MOIS direction — conducted Operation Olalampo targeting telecommunications, oil and gas, and government organizations across the Middle East, Turkey, and Africa, functioning as an initial access broker that harvests credentials and passes them to secondary operators. APT34 has maintained parallel campaigns against the energy and government sectors. The distinction matters: the hacktivist coalition is loud, politically motivated, and of variable technical capability, while Iran's APT groups are quiet, patient, and structurally similar to the Chinese and Russian groups covered elsewhere in this article.

When the Physical and Digital Battlefields Merge

The 2026 Iran conflict raised a question that has been theoretical in most threat intelligence discussions until now: what happens when physical and digital attacks stop being parallel tracks and become the same campaign? The answer, playing out in real time, is more disorienting than most threat models anticipated.

At least three Amazon Web Services data centers in the United Arab Emirates and Bahrain sustained damage from Iranian drone strikes in early March 2026, compounding digital service disruptions with physical infrastructure destruction. Cloud services used by security providers across the Middle East were affected — a reminder that the assumption of geographic separation between physical and digital assets does not hold in a hot conflict. An adversary that cannot easily defeat your network defenses can strike the data center building itself.

The GPS spoofing and jamming campaign that accompanied the conflict set records. Within 24 hours of the initial U.S.-Israeli strikes, over 1,100 commercial ships in UAE, Qatari, Omani, and Iranian waters reported navigation failures. By March 7, more than 1,650 vessels had experienced GPS interference — a 55 percent rise in a single week. This matters far beyond maritime safety. Industrial control systems in ports, pipelines, and logistics networks rely on accurate geolocation data. GPS spoofing at this scale is an attack on operational technology as much as it is a navigational hazard. Organizations in the region with OT environments that depend on GPS synchronization for timing, process control, or physical security systems had to treat their sensor data as potentially compromised — a scenario that existing incident response playbooks were largely not written for.

Israeli intelligence reportedly used data from compromised traffic cameras across Tehran to support operations against Iranian leadership, adding another dimension: the offensive use of civilian IoT infrastructure as a battlefield intelligence source. Iranian-aligned hacktivists have simultaneously been scanning Israeli network ranges for exposed Hikvision and Dahua cameras, exploiting known CVEs to gain visual access. The same category of device — the networked security camera — is being weaponized by both sides of the same conflict.

The question this raises for organizations far from the kinetic conflict zone is whether their threat model accounts for this convergence. The Stryker attack affected systems across 79 countries. The GPS disruption affected shipping lanes that every major supply chain depends on. Physical-digital convergence is not a scenario confined to governments or defense contractors — it is propagating into the healthcare supply chain, the maritime logistics sector, and the cloud service fabric that underpins enterprise operations globally.

Key Takeaways

  1. Salt Typhoon remains unresolved: As of March 2026, the FBI confirms the threat is ongoing. AT&T and Verizon have not provided Congress with documentation confirming full remediation. Organizations with connections to U.S. telecom infrastructure should assume the possibility of persistent access by Chinese state actors.
  2. APT28 weaponizes patches within 24 hours: The CVE-2026-21509 campaign demonstrated that Russia's GRU-linked groups reverse-engineer Microsoft patches faster than many organizations can apply them. Patch windows measured in days are insufficient for high-value targets in government, defense, or critical infrastructure sectors.
  3. North Korea has expanded its target set: Lazarus Group now actively deploys ransomware against hospitals and non-profits in addition to its cryptocurrency theft operations. No sector should assume it is beneath the notice of state-sponsored actors with financial motives.
  4. AI is moving inside the malware: LAMEHUG represents a documented case of nation-state actors embedding LLM queries directly into malware execution to evade signature detection. Behavioral and anomaly-based detection is no longer optional for environments facing advanced adversaries.
  5. The state/criminal boundary is functionally gone: Threat modeling that separates "nation-state" from "criminal" operations is increasingly outdated. Organizations should assess risk based on the capability and targeting profile of the threat actor, not whether they are formally employed by a government.
  6. Living off the land requires internal visibility: Both Volt Typhoon and Salt Typhoon rely heavily on legitimate credentials, built-in tools, and normal-appearing network behavior. Detection depends on understanding baseline behavior and monitoring east-west traffic — capabilities many organizations still lack.
  7. Iran's proxy model survives kinetic disruption: Strikes against Iran's cyber warfare headquarters and domestic internet infrastructure did not stop Iranian-aligned cyber operations. Pre-positioned servers and distributed proxy groups outside Iran's borders meant the campaign continued regardless of what happened inside the country. Organizations cannot assume that a nation-state's cyber capability degrades when its conventional military is under pressure.
  8. Physical-digital convergence is no longer theoretical: Drone strikes on cloud data centers, GPS spoofing at maritime scale, and credential-harvesting operations against IoT cameras are running simultaneously in the same conflict. Organizations with OT environments, GPS-dependent systems, or cloud infrastructure in geopolitically active regions need threat models that account for physical attacks on digital infrastructure — not just the other way around.
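Takeaway 6 turns on what "baseline behavior" and "east-west visibility" mean in practice. The following Python snippet is an added illustration, not code from the article or any of its sources: it learns, per source host and admin port, which internal peers are normal, then flags admin-port connections to previously unseen peers and any source that fans out to several new peers, which is how credential-based movement with built-in tools (SMB, WinRM, RDP, SSH) looks when no malware is ever dropped. Host names, ports and flow records are constructed for the example.

```python
from collections import defaultdict

# Management ports that living-off-the-land tradecraft rides on (built-in SMB, WinRM, RDP, SSH).
ADMIN_PORTS = {445: "SMB", 5985: "WinRM", 3389: "RDP", 22: "SSH"}

# Constructed learning-window flows (not data from the article): an admin jump host manages two
# servers over WinRM, and a workstation only reaches a file server and a web server.
BASELINE_FLOWS = [
    {"src": "jump01", "dst": "srv-db01", "dport": 5985},
    {"src": "jump01", "dst": "srv-web01", "dport": 5985},
    {"src": "ws-042", "dst": "srv-file01", "dport": 445},
    {"src": "ws-042", "dst": "srv-web01", "dport": 443},
]

# Constructed later window: ws-042 starts reaching new hosts over WinRM and SMB using nothing
# but valid credentials and built-in tooling.
NEW_FLOWS = [
    {"src": "jump01", "dst": "srv-db01", "dport": 5985},    # matches baseline
    {"src": "ws-042", "dst": "srv-file01", "dport": 445},   # matches baseline
    {"src": "ws-042", "dst": "srv-db01", "dport": 5985},    # new WinRM peer
    {"src": "ws-042", "dst": "srv-dc01", "dport": 445},     # new SMB peer
    {"src": "ws-042", "dst": "srv-web01", "dport": 5985},   # new WinRM peer to a known host
    {"src": "ws-042", "dst": "srv-web01", "dport": 443},    # non-admin port, ignored
]

def build_baseline(flows):
    """Record, per (source host, admin port), the destinations seen during the learning window."""
    baseline = defaultdict(set)
    for f in flows:
        if f["dport"] in ADMIN_PORTS:
            baseline[(f["src"], f["dport"])].add(f["dst"])
    return baseline

def detect_lateral_anomalies(baseline, flows, fanout_threshold=2):
    """Flag admin-port connections to peers absent from the baseline, plus any source whose
    count of new admin-port peers reaches fanout_threshold (a spread/enumeration pattern)."""
    new_peers = defaultdict(set)
    findings = []
    for f in flows:
        proto = ADMIN_PORTS.get(f["dport"])
        if proto is None:
            continue  # east-west traffic on ordinary service ports is not scored here
        if f["dst"] not in baseline.get((f["src"], f["dport"]), set()):
            new_peers[f["src"]].add(f["dst"])
            findings.append(f"NEW_PEER {f['src']} -> {f['dst']} via {proto}")
    for src, peers in new_peers.items():
        if len(peers) >= fanout_threshold:
            findings.append(f"FANOUT {src} reached {len(peers)} new hosts over admin ports")
    return findings

if __name__ == "__main__":
    for line in detect_lateral_anomalies(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(line)
```

A real deployment would feed this from flow or endpoint telemetry and let the baseline age out, but the core idea stands: the signal is a deviation from each host's own history, not a signature.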

The 2026 threat landscape is not novel in its cast of characters. China, Russia, Iran, and North Korea have been on every threat intelligence watchlist for over a decade. What has changed is the tempo, the tooling, the willingness to cause real-world harm, and the degree to which the line between wartime and peacetime cyber operations has simply ceased to exist. The Iran conflict has made one thing concrete that was previously argued in theory: cyber operations and kinetic operations are now the same campaign, not parallel ones. Physical strikes on data centers and cyber strikes on hospital device fleets are expressions of the same strategic intent. As SOCRadar's CISO framed it at the start of this year, the world is already deep in perpetual cyber conflict — the question of a "first" cyberwar is moot. The organizations that treat that assessment as operational reality rather than rhetorical escalation are the ones building meaningful defenses in 2026.

Sources

  1. SecurityWeek — Cyber Insights 2026: Cyberwar and Rising Nation State Threats (February 5, 2026)
  2. The Cyber Express — The State of Cyber Warfare in 2026: Nation-State Attacks, AI Weapons, and the New Digital Battlefield (March 2026)
  3. IT Pro — CRINK Attacks: Which Nation State Hackers Will Be the Biggest Threat in 2026? (December 22, 2025)
  4. CyberScoop — FBI: Threats from Salt Typhoon are 'still very much ongoing' (February 19, 2026)
  5. CyberScoop — Officials worry Salt Typhoon apathy is killing momentum for tougher telecom security rules (March 2026)
  6. TechCrunch — Salt Typhoon is hacking the world's phone and internet giants — here's everywhere that's been hit (March 9, 2026)
  7. The Record (Recorded Future News) — Norwegian intelligence discloses country hit by Salt Typhoon campaign (February 6, 2026)
  8. U.S. Senate Commerce Committee — Cantwell Demands AT&T, Verizon CEOs Come Clean on Salt Typhoon Hacks (February 3, 2026)
  9. The Hacker News — APT28 Uses Microsoft Office CVE-2026-21509 in Espionage-Focused Malware Attacks (February 4, 2026)
  10. Industrial Cyber — Trellix details Russian state-linked APT28 targets European maritime, transport agencies (February 6, 2026)
  11. The Record — Russian state hackers exploit new Microsoft Office flaw in attacks on Ukraine, EU (February 3, 2026)
  12. The Record — Russian military hackers revive advanced malware to spy on Ukraine, researchers say (March 2026)
  13. CSO Online — Novel malware from Russia's APT28 prompts LLMs to create malicious Windows commands
  14. The Hacker News — Lazarus Group Uses Medusa Ransomware in Middle East and U.S. Healthcare Attacks (February 24, 2026)
  15. The Register — Lazarus Group targets healthcare orgs with Medusa ransomware (February 24, 2026)
  16. Bitcoin Magazine — Bitrefill Discloses Cyberattack, Points To North Korea's Lazarus Group (March 17, 2026)
  17. Cloudflare / Business Wire — Cloudflare 2026 Threat Intelligence Report (March 2026)
  18. CISA — PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure
  19. RUSI — Typhoons in Cyberspace (Ciaran Martin)
  20. Redmond Magazine — Mossad/Not-Mossad: Preparing for Nation-State Cyber Threats (March 16, 2026)
  21. Palo Alto Networks Unit 42 — Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran (March 2026)
  22. Euronews — How cyberattacks are being used as weapons in the Iran war (March 18, 2026)
  23. The Register — Cybercrime up 245% since the start of the Iran war (March 16, 2026)
  24. Bloomberg / Insurance Journal — Stryker Attack Mirrors Tactics Used in Iran-Aligned Hacks (March 15, 2026)
  25. Cyber Magazine — Stryker Cyber Attack: Iranian Threat Actor Claims Revenge (March 2026)
  26. Halcyon RRC — Iranian Use of Cybercriminal Tactics in Destructive Cyber Attacks: 2026 Updates
  27. Industrial Cyber — Cyber retaliation surges after US-Israel strikes on Iran (March 2026)
  28. Cybersecurity News — Iran-Linked Cyber Campaigns Converge With Electronic and Psychological Warfare (March 2026)
  29. Foundation for Defense of Democracies — Iran's Pro-Regime Hackers Cannot Back Up Their Claims of Successful Cyber Attacks (March 2026)
  30. Washington Times — Iran's unconventional asymmetric warfare pits cheap weapons against expensive ones (March 17, 2026)
  31. MITRE ATT&CK — Salt Typhoon (G1045)
  32. MITRE ATT&CK — APT28 / Fancy Bear (G0007)
  33. MITRE ATT&CK — Lazarus Group (G0032)
  34. ExtraHop — Anatomy of an Attack: CISA Alert on Salt Typhoon