Global State-Sponsored Cyber Operations and Policy Responses
Multiple nation-state actors, including China, Russia, Iran, and North Korea, are intensifying cyber operations targeting critical infrastructure, government entities, and private sector organizations worldwide. China-linked groups such as Ink Dragon have expanded espionage campaigns against European governments, while Russia-linked actors like Callisto have targeted NGOs and are implicated in disruptive attacks in Europe. Iran's MuddyWater has focused on critical infrastructure in Israel and Egypt, and North Korea is increasing disruptive attacks on various sectors. These activities are accompanied by sophisticated cybercrime campaigns, exploitation of zero-day vulnerabilities, and significant data breaches affecting sectors such as health, telecommunications, and justice.
In response, Western governments and institutions are taking legal and policy actions, including EU sanctions and fines, UK and Polish legal proceedings against Russian actors, and increased attribution of attacks to state-sponsored groups. However, there is growing concern that U.S. cyber defenses are lagging behind adversaries, with strained mission capacity, weakened public-private collaboration, and unstable federal leadership. Experts call for renewed strategic focus, improved coordination with allies, and robust policy reforms to counter the persistent and evolving threat landscape posed by hostile nation-states.

How this story unfolded
17 events from the most recent confirmed update back to the earliest known activity.
Former U.S. cyber officials warn America's cyber defenses are eroding
In an op-ed, former Cyberspace Solarium Commission leaders warned that U.S. cyber defenses were falling behind due to leadership instability, workforce shortages, weakened public-private collaboration, and reduced international coordination. They urged rapid action to restore CISA leadership, rebuild cyber diplomacy capacity, and address federal cybersecurity staffing and funding problems.
Governments adopt new cyber policy measures and partnerships
During December 2025, several policy developments were reported, including safe-harbour laws for security researchers, bans on certain apps and devices, and new cybersecurity partnerships. CERT-EU presented these as notable governance and regulatory actions for the month.
Attackers actively exploit SonicWall, Fortinet, Cisco, and React2Shell flaws
In December 2025, multiple zero-day and known vulnerabilities, including flaws affecting SonicWall, Fortinet, Cisco, and React2Shell, were actively exploited. CERT-EU said both opportunistic actors and China-linked groups were involved in related campaigns.
Breaches impact France's Ministry of Interior, SFR, Barts Health NHS, and Docker Hub
During December 2025, data breaches were reported affecting France's Ministry of Interior, telecom provider SFR, Barts Health NHS, and Docker Hub. CERT-EU grouped these as major breach events disclosed during the month.
Venezuela's oil company is hit by disruptive cyberattack
In December 2025, Venezuela's state oil company experienced a disruptive cyberattack. CERT-EU highlighted the incident as part of a broader pattern of disruptive operations.
Romania's water agency suffers disruptive cyberattack
In December 2025, Romania's water agency was affected by a disruptive cyber incident. CERT-EU included the case among significant attacks on essential services.
Disruptive cyberattacks hit French postal and banking services
In December 2025, disruptive attacks affected postal and banking services in France. CERT-EU cited the incidents as examples of operational disruption impacting public-facing services.
Large-scale malicious browser extension campaigns are reported
In December 2025, large-scale campaigns involving malicious browser extensions were identified. CERT-EU listed them among the month's major cybercrime and user-targeting threats.
Ransomware actors exploit EDR tools in attacks
During December 2025, ransomware operators were reported exploiting endpoint detection and response tools as part of their attack chains. CERT-EU highlighted this as a notable evolution in ransomware tradecraft.
Spiderman phishing kit targets European banks
In December 2025, the Spiderman phishing kit was used in campaigns aimed at European banks. CERT-EU cited it as a major cybercrime development during the month.
MuddyWater targets critical infrastructure in Israel and Egypt
In December 2025, the Iran-linked MuddyWater group conducted operations against critical infrastructure targets in Israel and Egypt. CERT-EU included the activity among the month's notable state-sponsored campaigns.
China-linked groups expand espionage and surveillance campaigns
In December 2025, China-linked actors including Ink Dragon and ShadyPanda expanded espionage and surveillance operations targeting European governments and users globally. CERT-EU identified these campaigns as part of a broader rise in state-sponsored activity.
UK and Poland intensify legal actions against Russian intelligence
During December 2025, the United Kingdom and Poland stepped up legal actions targeting Russian intelligence activity. CERT-EU highlighted these measures as part of the month's response to state-backed cyber and hybrid threats.
EU sanctions Russian individuals and entities over hybrid threats
In December 2025, the European Union sanctioned Russian individuals and entities in response to hybrid threats. The action was part of a broader set of legal and policy responses to hostile state activity.
EU fines X €120 million under the Digital Services Act
In December 2025, the European Union imposed a €120 million fine on X, formerly Twitter, for violations of the Digital Services Act. CERT-EU listed the penalty as a notable regulatory cyber-related development for the month.
Europe sees surge in state-sponsored cyber and disruptive activity in December 2025
During December 2025, CERT-EU reported increased state-sponsored operations, disruptive attacks, cybercrime, and active exploitation of vulnerabilities across Europe and globally. The activity included campaigns linked to China and Iran, ransomware incidents, phishing operations, and multiple significant breaches and service disruptions.
Cyberspace Solarium Commission issues cyber defense reform recommendations
The Cyberspace Solarium Commission previously published bipartisan recommendations to strengthen U.S. cyber defense and layered deterrence, which later authors cited as the foundation for needed reforms. The exact date is not specified in the references.
Sources
2 references tracked.


