Geopolitical Cyber Operations Targeting Critical Infrastructure and Economic Systems
Reporting and commentary highlighted how state-linked cyber activity is being used for sustained pressure against critical infrastructure and economic targets rather than isolated, one-off attacks. Taiwan’s government and related reporting described China-linked probing and “prepositioning” against Taiwanese critical infrastructure as ongoing and scaling, consistent with reconnaissance and access maintenance objectives that could enable future disruption. Separately, an op-ed argued that U.S. signaling around the ability to “darken” parts of Caracas and reported disruptions affecting Venezuela’s state oil sector illustrate how cyber-enabled interference can function as a tool of state power below the threshold of open conflict.
A longer-form retrospective on the Russia–Ukraine conflict framed the period as a “full-scale cyber war,” citing the Kyivstar destructive attack attributed to Sandworm as a landmark incident: attackers reportedly maintained access for months before wiping large portions of the operator’s environment, disrupting telecom and related services. The same piece described Ukraine’s broader incident volume growth and the use of multiple wiper malware families, alongside claims of Ukrainian retaliatory operations (e.g., DDoS activity against Russian banking), reinforcing the theme that critical infrastructure and national economic systems are central targets in modern geopolitical cyber campaigns. While one weekly “signals” post also mentioned patch/KEV dynamics and SaaS exposure as near-term risk amplifiers, its primary geopolitical takeaway aligned with the broader pattern of sustained state-linked activity against critical infrastructure.

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
UAC-0190 uses charity lures to target Ukraine-related entities
The Hunt.io blog reports that Kremlin-linked UAC-0190 is using charity-themed lures delivered through messaging apps to deploy PluggyApe against Ukraine-related targets. This reflects a newly described tactic and targeting pattern in the campaign.
Reports describe sustained China-linked probing of Taiwan infrastructure
Reporting published in mid-January 2026 describes ongoing, scaling China-linked cyber activity against Taiwan's critical infrastructure. The activity is assessed as reconnaissance, access maintenance, and prepositioning rather than a single isolated incident.
CISA retires legacy Emergency Directives
CISA is reported to be retiring legacy Emergency Directives, consolidating urgent remediation expectations around the KEV catalog and Binding Operational Directive 22-01. This marks a policy and operational shift in how federal cyber remediation priorities are communicated.
AuraInspector highlighted for Salesforce exposure-path auditing
New tooling called AuraInspector was highlighted as a way to audit Salesforce Aura and Experience Cloud exposure paths associated with misconfiguration-style data exposure. The reporting emphasizes that these cloud/SaaS risks may lack a traditional patch signal.
Brightspeed confirms investigation into claimed data-theft incident
Brightspeed confirmed it is investigating a security incident after criminals claimed to have stolen data and threatened to publish it. The report presents this as an active extortion-related breach development.
January Patch Tuesday and new KEV additions raise exploitation risk
In January 2026, Patch Tuesday activity and newly added entries in CISA's Known Exploited Vulnerabilities catalog increased near-term risk for internet-exposed and patch-lagged organizations. The reporting frames this as a meaningful escalation in defender urgency around exploitation exposure.
React2Shell vulnerability remains under active exploitation
The Hunt.io blog reports that React2Shell (CVE-2025-55182) is continuing to be actively exploited across React and Next.js environments. This indicates an ongoing exploitation phase rather than a newly disclosed issue.
Sources
SIGNALS WEEKLY: Taiwan Critical Infrastructure: Reports of China-Linked Probing and Prepositioning (blog.alphahunt.io)
Is the US adopting the gray zone cyber playbook? (cyberscoop.com)
The First Full-Scale Cyber War: 4 Years of Lessons (techtrenches.dev)