Cyber Intelligence
New Year’s Edition
This report contains selected cybersecurity information from 14 to 27 November 2025.
This report is TLP:CLEAR¹ and MAY be shared freely.
David Swan, Director, CSCIS Cyber Intelligence Defence Centre (CIDC)
Publisher – CSCIS / David Swan, Director CIDC
Release: 29 May 2025.
Synopsis
- This report is a series of summaries and forecasts covering the major cyber players and conflicts, beginning with the People’s Republic of China. This is followed by Russia vs Ukraine, Iran vs Israel, and Pakistan vs India. We then review the United States and take a very brief look at South America. Finally, we examine the hacker environment. Bottom line: 2026 will be another challenging year.
- It is our assessment that cyber conflicts such as Russia vs Ukraine, Iran vs Israel, and those involving the People’s Republic of China are the most likely sources for the creation of next-generation malware and a primary source of cyberattacks. This includes government-funded hackers (military, intelligence, and civilian employees), affiliated hackers (criminals and mercenaries), and volunteer “supporters”.
People’s Republic of China (PRC)
- Globally, the People’s Republic of China has the largest number of hackers (and hacking teams), the highest volume of hacking activity (including campaigns), and is firmly in the top tier of hacking capabilities. The PRC’s principal focus is Taiwan. According to Taiwan’s National Security Agency, Taiwan’s critical infrastructure was hit with an average of 2.6 million cyberattacks daily. “The attacks mainly targeted the energy sector, hospitals, banks, and emergency services, and many of them were reportedly coordinated with Chinese military exercises and political events. For example, when the President and Vice President of Taiwan were giving speeches or attending international meetings.”²
- Over the Christmas/New Year season, the aggressive pace of PRC hacking has continued. Some of the hacking campaigns detected include:
- Mass registration of fake online shops originating from China
- China-linked Ink Dragon hacks governments using ShadowPad and FINALDRAFT malware
- China-aligned threat group uses Windows Group Policy to deploy espionage malware
- China-linked APT UAT-9686 targeting Cisco Secure Email Gateway and Secure Email and Web Manager
- Foreign Office hacked: China accused of stealing secret files
- Evasive Panda cyber-espionage campaign uses DNS poisoning to install MgBot backdoor
- Mustang Panda uses signed kernel-mode rootkit to load TONESHELL backdoor
- Chinese APT Silver Fox targets India with ValleyRAT tax-phishing scam
- Of the eight hacking campaigns listed, six are almost certainly cyber-espionage (based on their targets). A seventh campaign targeting Cisco Email Gateways is assessed as very probably cyber-espionage.
Note: These campaigns are in addition to attacks on Taiwan’s critical infrastructure. When these campaigns are detected, they are not shut down. The standard response is PRC denial, followed by a surge in activity, presumably to collect data before countermeasures are put in place.
- Forecast: DSC characterizes PRC hacking activity as a “surge” or a “full-court press”. The apparent objectives are preparation of the cyber environment for a potential invasion of Taiwan and cyber-espionage in support of political objectives. We forecast that the PRC will continue to aggressively pursue both objectives, adding new hacking campaigns and scaling up cyber operations.
Russia vs Ukraine
- Russia: President Putin continues to direct Russia to capture Ukraine and, more broadly, to become the dominant political force in Europe. In recent weeks, Germany, Denmark, and France have all identified Russia as the culprit behind cyberattacks. “Pro-Russia hackers” have escalated activities targeting U.S. and global critical infrastructure, including water and wastewater systems, food and agriculture, and energy sectors.³ Geopolitical analysts observe that Russia’s economy is not healthy, implying President Putin has a limited window to conquer Ukraine.
- Trends: 2025 saw an increase in Russian destructive cyberattacks targeting Ukraine and its allies. In addition to Russian government-run campaigns, DDoS and “nuisance attacks” against Western governments included massive disinformation campaigns and election disruption. The pace of attacks from pro-Russia hacktivist groups—such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16—has increased over the holidays. These groups are increasingly targeting industrial systems, including Operational Technology (OT) and Supervisory Control and Data Acquisition (SCADA) networks.
- Forecast: The current “operational pause” (likely for Russian Orthodox Christmas on 7 January) will almost certainly end next week (11 January). The most visible attacks will probably come from pro-Russia hacktivist groups targeting countries in the “Coalition of the Willing”. Russian government hacking teams will likely continue focusing on Ukraine, conducting cyber-espionage and harassment attacks. We forecast increasing use of destructive cyberattacks alongside a higher volume of cyber-espionage and disinformation campaigns.
- Ukraine: Ukraine has demonstrated increasing ability to penetrate the Russian internet. Targets included Internet Service Providers (ISPs), banks, military contractors, and energy companies. Ukraine has also shown the ability to coordinate cyberattacks with physical operations, disrupting regional communications during ground attacks.
- Forecast: Ukrainian operational security will remain tight, limiting visibility into cyber operations. We forecast continued strategic use of cyber forces. Companies involved in the Russian military supply chain should expect targeting. Ukraine will continue to disrupt Russian regional communications, including telecommunications and internet services, with a particular focus on air defense systems.
Iran vs Israel
- Iran: Since the end of the active phase of the Gaza conflict, cyber activity by Iranian government hackers and pro-Iranian volunteers has declined. Both the volume and effectiveness of attacks have decreased. Strategically, Iran appears to be retooling for future operations against Israel, directly and via proxies. Iran has also experienced over ten days of protests driven by economic collapse.⁴ Additionally, Iran’s telecommunications infrastructure was hit by “one of the world’s largest-ever DDoS cyberattacks… ranked among the top 12 worldwide in scale.”⁵
- Current Activity: A long-term Iranian hacking group has recently become active. “Prince of Persia, also known as ‘Infy’, has operated for nearly 20 years and has resurfaced with a sophisticated cyber-espionage campaign targeting global critical infrastructure and private networks.”
- Forecast: Iran is expected to seek additional cyber capabilities from Russia. Government hacking teams will continue cyber-espionage against Israel and Western countries, particularly the U.S. and UK. A significant portion of Iran’s capability will focus internally, identifying protest leaders and blocking communications.
- Israel: During 2025, cyberattacks on Iranian petrol stations, banks, and manufacturers suggested Israel had access to Iran’s internal internet. Israeli cyber operations were targeted and precise. Currently, no cyber campaigns are attributed to Israel.
- Forecast: During periods of relative peace, Israel’s cyber forces operate covertly. We forecast this will continue through 2026 unless conflict resumes. Primary efforts will likely focus on cyber-espionage targeting Iran’s missile program, the IRGC, and Iranian-sponsored groups such as Hamas, Hezbollah, and the Houthis. Israel will also monitor anti-government protests in Iran.
Pakistan vs India
- Pakistan: In 2025, Pakistan credibly mobilized volunteer hackers against India following Indian air attacks. Religious motivation likely played a role. As Prime Minister Modi leverages religious nationalism, the conflict is unlikely to be resolved. While volunteer groups have largely disengaged, APT36 (“Transparent Tribe”) has launched a new cyber-espionage campaign.⁶
- Forecast: Transparent Tribe will remain focused on cyber-espionage against India. Volunteer groups may intermittently harass India with DDoS or ransomware attacks. Pakistan should also expect cyber-espionage from the PRC.
- India: India’s cyber forces have underperformed recently. Cyber defenses—including military sites—appear inadequate. Although India has explored ways to improve cyber capabilities, cyber does not appear to be a political priority.
- Forecast: India-Pakistan friction is cyclical and likely to recur. Even low-level military skirmishes may trigger renewed cyber engagements. India faces a challenging year from Pakistan, China, and likely Russian cyber-espionage.
United States
- Political direction from the Trump administration should be characterized as chaotic. One description heard: “Anything old is bad; anything we do is good.” Program cuts and layoffs across federal agencies have reduced U.S. federal cybersecurity coordination, shifting responsibility to states and industry. This represents a major degradation of U.S. cyber defenses. Some areas—particularly indicators and warnings—are critically understaffed. No offensive cyber operations have been announced in support of Ukraine or NATO. Analysts comment: This leaves the U.S. vulnerable to cyberattacks.
- The U.S. military appears to have used cyberwarfare to disrupt electricity in Caracas, Venezuela, during an American attack. No technical details were provided, only a reference to U.S. Cyber Command having “layered different effects”.⁷ Analysts comment: This demonstrates U.S. willingness to employ cyberwarfare.
- Forecast: We forecast multiple cyberattacks against the U.S. Reduced warning capabilities increase the risk of catastrophic attacks, such as a Colonial Pipeline-type event. Attacks on financial networks or critical infrastructure may prompt retaliation. “Revenge attacks” are possible.
South America
- Several major attacks targeted banks and financial infrastructure. Some countries are developing defensive and offensive cyber capabilities. The PRC has increased targeting of South American governments. Analysts comment: We forecast increasing criminal and cyber-espionage activity, with involvement from the U.S., PRC, and Russia.
The Hacker Environment
- 2025 saw extensive ransomware attacks on hospitals and medical clinics, including children’s hospitals and cancer centers. Recent headlines highlight the trend:
- Hospitals are drowning in threats they can’t triage
- Financial services overtakes healthcare as most at risk from cyberattacks
Cybercriminals are specializing by country and industry:
- Hack-for-hire group specializes in targeting Canada
- One criminal, 50 hacked organizations, all because MFA wasn’t enabled
Targets increasingly include small organizations:
- Cyberattack on Nunavik health centre results in data breach
- Northern Ontario school board breach exposed SINs and passport data
Hackers recruit insiders and specialists:
- Cybersecurity professionals moonlighting as ransomware criminals
- Cybercriminals recruit insiders via the dark web
- Whaling attacks target top executives
Artificial intelligence is increasingly used:
- Are criminals “vibe coding” malware? All signs point to yes
- Good news? Greed and reputation often motivate hackers, and mistakes are increasing arrests. Defenders are improving:
- Cybercrime group boasts of attacking a security firm—later revealed as a honeypot
- Security coverage is falling behind attacker behavior
- Forecast for 2026:
- Ransomware will remain the primary criminal tool
- Extortion will diversify to generate multiple revenue streams
- Hackers will increasingly extort individuals for personal data
- Violence or threats of violence will be used to coerce payment
- Hacking groups will continue to specialize by capability, target, and methodology
For more information on the CIDC, this Intelligence Report or to have a dedicated briefing please contact cidc@cscis.org