Geopolitical Cyber Operations Targeting Critical Infrastructure and Economic Systems
Reporting and commentary highlighted how state-linked cyber activity is being used for sustained pressure against critical infrastructure and economic targets rather than isolated, one-off attacks. Taiwan’s government and related reporting described China-linked probing and “prepositioning” against Taiwanese critical infrastructure as ongoing and scaling, consistent with reconnaissance and access maintenance objectives that could enable future disruption. Separately, an op-ed argued that U.S. signaling around the ability to “darken” parts of Caracas and reported disruptions affecting Venezuela’s state oil sector illustrate how cyber-enabled interference can function as a tool of state power below the threshold of open conflict.
A longer-form retrospective on the Russia–Ukraine conflict framed the period as a “full-scale cyber war,” citing the Kyivstar destructive attack attributed to Sandworm as a landmark incident: attackers reportedly maintained access for months before wiping large portions of the operator’s environment, disrupting telecom and related services. The same piece described growth in Ukraine’s overall incident volume and the use of multiple wiper malware families, alongside claims of Ukrainian retaliatory operations (e.g., DDoS activity against Russian banking), reinforcing the theme that critical infrastructure and national economic systems are central targets in modern geopolitical cyber campaigns. While one weekly “signals” post also mentioned patch/KEV dynamics and SaaS exposure as near-term risk amplifiers, its primary geopolitical takeaway aligned with the broader pattern of sustained state-linked activity against critical infrastructure.
Timeline
Jan 14, 2026
UAC-0190 uses charity lures to target Ukraine-related entities
The Hunt.io blog reports that Kremlin-linked UAC-0190 is using charity-themed lures delivered through messaging apps to deploy PluggyApe against Ukraine-related targets. This reflects a newly described tactic and targeting pattern in the campaign.
Jan 14, 2026
Reports describe sustained China-linked probing of Taiwan infrastructure
Reporting published in mid-January 2026 describes ongoing, scaling China-linked cyber activity against Taiwan's critical infrastructure. The activity is assessed as reconnaissance, access maintenance, and prepositioning rather than a single isolated incident.
Jan 14, 2026
CISA retires legacy Emergency Directives
CISA is reported to be retiring legacy Emergency Directives, consolidating urgent remediation expectations around the KEV catalog and Binding Operational Directive 22-01. This marks a policy and operational shift in how federal cyber remediation priorities are communicated.
Jan 14, 2026
AuraInspector highlighted for Salesforce exposure-path auditing
New tooling called AuraInspector was highlighted as a way to audit Salesforce Aura and Experience Cloud exposure paths associated with misconfiguration-style data exposure. The reporting emphasizes that these cloud/SaaS risks may lack a traditional patch signal.
Jan 14, 2026
Brightspeed confirms investigation into claimed data-theft incident
Brightspeed confirmed it is investigating a security incident after criminals claimed to have stolen data and threatened to publish it. The report presents this as an active extortion-related breach development.
Jan 14, 2026
January Patch Tuesday and new KEV additions raise exploitation risk
The January 2026 Patch Tuesday releases, together with new entries added to CISA's Known Exploited Vulnerabilities catalog, raised near-term risk for internet-exposed and patch-lagged organizations. A CVE listed in KEV is, by definition, one CISA has evidence of being exploited in the wild, and Binding Operational Directive 22-01 attaches a remediation due date to each entry for federal civilian agencies. The reporting frames the combination as a meaningful escalation in defender urgency around exploitation exposure.
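A practical check prompted by the KEV entry above, added here as an example (it is not code from the page, from CISA, or from Mallory): index a KEV feed snapshot by CVE ID, match it against a local asset inventory, and rank the hits by whether the BOD 22-01 due date has already passed, whether the host is internet-exposed, and whether the catalog flags known ransomware use. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are those of CISA's public KEV JSON feed; the catalog contents, CVE identifiers, hostnames and the AS_OF date are constructed dummy data.

```python
"""Match a CISA KEV catalog snapshot against an asset inventory and rank the
hits by BOD 22-01 due-date status.

Added example, not code from the page, CISA or Mallory. Field names follow the
public KEV JSON feed; every catalog entry, CVE identifier and host below is
constructed dummy data.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed KEV snapshot. The CVE IDs are dummies, not real catalog entries.
KEV_SNAPSHOT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2026.01.14",
    "dateReleased": "2026-01-14T12:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVendor",
         "product": "EdgeGateway", "vulnerabilityName": "EdgeGateway Command Injection",
         "dateAdded": "2025-12-20", "shortDescription": "dummy entry",
         "requiredAction": "Apply vendor mitigations or discontinue use.",
         "dueDate": "2026-01-10", "knownRansomwareCampaignUse": "Known", "notes": ""},
        {"cveID": "CVE-2025-00002", "vendorProject": "ExampleVendor",
         "product": "BuildAgent", "vulnerabilityName": "BuildAgent Deserialization",
         "dateAdded": "2026-01-14", "shortDescription": "dummy entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-02-04", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
        {"cveID": "CVE-2024-00003", "vendorProject": "OtherVendor",
         "product": "WikiServer", "vulnerabilityName": "WikiServer Auth Bypass",
         "dateAdded": "2025-06-09", "shortDescription": "dummy entry",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2025-06-30", "knownRansomwareCampaignUse": "Unknown", "notes": ""},
    ],
})

# Constructed inventory, shaped like a scanner or CMDB export (dummy hosts).
INVENTORY = [
    {"host": "vpn-edge-01", "internet_exposed": True,
     "cves": ["CVE-2025-00001", "CVE-2025-99999"]},   # 99999 is not in KEV
    {"host": "build-runner-07", "internet_exposed": False,
     "cves": ["CVE-2025-00002"]},
    {"host": "intranet-wiki", "internet_exposed": False,
     "cves": ["CVE-2024-00003"]},
]

AS_OF = date(2026, 1, 14)  # assumed "today" for the worked run


@dataclass
class Finding:
    host: str
    cve_id: str
    product: str
    due_date: date
    days_overdue: int          # positive means the BOD 22-01 due date has passed
    internet_exposed: bool
    ransomware_use: bool

    @property
    def overdue(self) -> bool:
        return self.days_overdue > 0


def load_kev(feed_text: str) -> dict:
    """Index a KEV feed by upper-cased CVE ID, parsing the two date fields."""
    catalog = {}
    for entry in json.loads(feed_text)["vulnerabilities"]:
        entry = dict(entry)
        entry["dateAdded"] = date.fromisoformat(entry["dateAdded"])
        entry["dueDate"] = date.fromisoformat(entry["dueDate"])
        catalog[entry["cveID"].upper()] = entry
    return catalog


def triage(catalog: dict, inventory: list, today: date = AS_OF) -> list:
    """Return KEV hits across the inventory, most urgent first.

    Order: past due date, then internet-exposed, then known ransomware use,
    then earliest due date. CVEs absent from KEV are skipped here; they still
    need patching, but carry no BOD 22-01 deadline.
    """
    findings = []
    for asset in inventory:
        for cve_id in asset["cves"]:
            entry = catalog.get(cve_id.upper())
            if entry is None:
                continue
            findings.append(Finding(
                host=asset["host"], cve_id=entry["cveID"], product=entry["product"],
                due_date=entry["dueDate"],
                days_overdue=(today - entry["dueDate"]).days,
                internet_exposed=asset.get("internet_exposed", False),
                ransomware_use=entry.get("knownRansomwareCampaignUse") == "Known",
            ))
    findings.sort(key=lambda f: (not f.overdue, not f.internet_exposed,
                                 not f.ransomware_use, f.due_date))
    return findings


if __name__ == "__main__":
    for f in triage(load_kev(KEV_SNAPSHOT), INVENTORY):
        status = f"{f.days_overdue}d OVERDUE" if f.overdue else f"{-f.days_overdue}d left"
        flags = ("exposed " if f.internet_exposed else "") + ("ransomware" if f.ransomware_use else "")
        print(f"{f.host:16} {f.cve_id:15} {f.product:12} due {f.due_date} {status:13} {flags}")
```

Against the live feed, replace KEV_SNAPSHOT with the downloaded JSON text and AS_OF with date.today(). The due dates formally bind federal civilian agencies, but they are a reasonable SLA floor for anyone, and an overdue entry on an internet-exposed host belongs at the top of the queue whatever its CVSS score says.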
Jan 14, 2026
React2Shell vulnerability remains under active exploitation
The Hunt.io blog reports that React2Shell (CVE-2025-55182) continues to be actively exploited across React and Next.js environments. This indicates an ongoing exploitation phase rather than a newly disclosed issue.
Related Stories

Geopolitical Cyber Operations and Critical Infrastructure Disruption Risks
Reporting highlighted how **geopolitical competition is increasingly expressed through cyber operations**, with particular concern around disruption of **critical infrastructure**. One account described a U.S. cyber operation that reportedly **blacked out Caracas** and interfered with Venezuelan air-defense radar as part of an operation that led to **Nicolás Maduro’s capture**, portraying it as a rare, public-facing demonstration of offensive cyber capability and precision effects. Separate reporting framed these developments in a broader pattern of state-linked activity and infrastructure exposure, citing prior power-grid disruption in Ukraine and reporting that Russian hackers briefly took control of a Norwegian dam floodgate, underscoring the potential for cyber activity to create real-world safety and continuity impacts. Other items in the set were forward-looking risk commentary rather than reporting on the same event. A Palo Alto Networks study warned that the **Milan Cortina Winter Olympics** will be a “target-rich” environment for ransomware, fraud, DDoS, phishing, and intelligence collection due to temporary networks and complex third-party dependencies. Additional pieces focused on generalized 2026 risk themes—**cyber risk and AI** in business surveys, **zero trust** project planning, regional CISO predictions about identity and cloud/AI security, and a resilience opinion column drawing parallels to disaster recovery—useful context, but not specific to the Venezuela operation or a single discrete incident.
1 month ago
Reports Highlight China-Led Expansion of Offensive Cyber Operations and Targeting of Defense and Critical Infrastructure
Multiple reports and leaked documents indicate **China-linked cyber operations** are expanding in scale and sophistication, with a strong emphasis on targeting government, telecommunications, and other strategic sectors. A Forescout *Vedere Labs* analysis cited by Cybernews reported China as the top origin of threat operations last year (210), with Russia and Iran also major contributors; the reporting also highlighted suspected China-linked activity tied to a multi-year compromise of South Korea’s **Onnara System**, including theft of civil servants’ **GPKI certificates and credentials**, and noted Taiwan’s National Security Bureau reporting an average of **2.63 million attacks per day** last year. Separately, leaked technical materials reviewed by Recorded Future News describe a purported Chinese internal training environment—part of an integrated system called **“Expedition Cloud”**—used to rehearse offensive cyberattacks against replicas of neighboring countries’ real-world networks, including **power/energy transmission, transportation, and smart home infrastructure**. In parallel, a Google Threat Intelligence Group report warned of a “relentless barrage” of nation-state activity against the **U.S. defense industrial base**, describing a shift beyond classic espionage into **supply-chain attacks, workforce infiltration, and battlefield-adjacent operations**; Google attributed much of the activity to **Chinese, Russian, Iranian, and North Korean** actors and noted continued Russian targeting of organizations supporting Ukraine, including phishing, malware aimed at mobile battlefield-management apps, and attempts to access encrypted messaging platforms.
1 month ago
Geopolitically driven cyber activity surges following Operation Epic Fury
Iran-linked threat actors escalated from espionage to **disruptive and destructive operations** in the wake of the US/Israel military campaign dubbed **Operation Epic Fury**, with reporting describing a coordinated hybrid offensive against Western, Israeli, and regional economic and critical infrastructure targets. Tenable assessed **MOIS-affiliated** groups as increasingly masking activity behind cybercriminal infrastructure to complicate attribution, and highlighted a notable rise in Iranian-nexus targeting of **internet-connected IP cameras** using known, exploitable vulnerabilities; the same reporting pointed to increased activity from **MuddyWater** and the **Void Manticore/Handala** persona, including indications of pre-positioned access ahead of the kinetic operations. Separate threat-intelligence reporting described **China-nexus** actors rapidly pivoting in the same geopolitical window, including activity against **Qatari entities** shortly after the initial strikes: **Camaro Dragon** attempted to deploy a **PlugX** variant using conflict-themed lures, and another intrusion attempt used **DLL hijacking** to deliver **Cobalt Strike**, consistent with China-aligned tradecraft. Other items in the set cover unrelated campaigns and incidents—an exposed **APT28** Roundcube exploitation toolkit targeting Ukrainian government mail infrastructure, a pro-Russian **NoName057(16)** DDoS campaign heavily targeting German and Israeli public-sector and commercial services, a Russian-speaking **BlackSanta** BYOVD “EDR killer” delivered via HR-themed lures and steganographic images, and a weekly bulletin summarizing multiple breaches (e.g., AkzoNobel, LexisNexis, Wikimedia, TriZetto)—and do not materially add to the Operation Epic Fury–linked escalation narrative.
1 month ago