We Are At War
Geopolitical tensions drive state-sponsored cyber operations targeting critical infrastructure globally.
Summary
The article analyzes how rising geopolitical tensions are reflected in cyber operations, with state actors like China's Volt Typhoon and Salt Typhoon targeting critical infrastructure sectors including energy, telecommunications, and transportation. It documents a shift from opportunistic hacking to long-dwell industrial espionage and notes the increasing politicization of technology as a weapon in great-power competition.
Full text
The Hacker News, Mar 27, 2026. Hacktivism / Threat Intelligence
Rising geopolitical tensions are reflected (or in some cases preceded) by cyber operations, while technology itself has become politicized. Let’s admit it: we are in the middle of it.
Introduction: One tech power to rule them all is a thing of the past
The relative safety, peace and prosperity that much of the world has enjoyed since 1945 was not accidental. It emerged from the ashes of two world wars and the deliberate construction of a new global order. The United States of America set the terms of this new world. The long peace under Pax Americana provided a stable foundation, but that foundation is shifting. Europe’s deep strategic dependence on the U.S.’s technological and cybersecurity capabilities, from intelligence and infrastructure to frameworks and funding, is now being tested. Those tectonic geopolitical changes are undermining trust, threatening the state of safety, and compelling European organizations to rethink digital architectures and approaches at every level.
All technology is considered political and is involved as a weapon, a target, or a lever in geopolitical conflict. As a political entity increases its reliance on technology platforms, it increases its exposure to technical power projection, enabling cyber and psychological operations, misinformation campaigns, and other forms of power projection.
Welcome to the jungle (again)
The contemporary threat landscape is not a simple product of the whims or choices of criminal hackers and other threat actors. Instead, there is a diversity of actors - both benign and malicious - that have an influence. Those actors operate within a context that is, in turn, defined by the complex interactions between yet another set of systemic forces. To understand the threat landscape, we must therefore consider all the systemic factors that shape it, as well as the actors that operate within it.
In our research efforts, we keep assessing how political, economic, social, and technological factors influence operations and risks.
State Actors and Critical Infrastructure
- Night Dragon (mid-2000s onward): A China-linked campaign against energy and defense firms globally illustrated the move from opportunistic hacking to long-dwell, state-sponsored industrial espionage [1].
- Volt Typhoon Botnet Disruption (Jan 2024): The U.S. government announced a court-authorized operation to dismantle a botnet of compromised routers used by the Chinese state-sponsored group Volt Typhoon in pre-positioning within U.S. critical infrastructure [2].
- Salt Typhoon Telecom Breaches (Oct 2024): A global compromise of major telecom networks, attributed to the Chinese-linked group Salt Typhoon, exposed how state actors could access the communications of government officials and a multitude of civilians [3].
- U.S. Advisory on Critical Infrastructure Targeting (Feb 2024): The U.S. and allied agencies issued a joint advisory declaring that Volt Typhoon had compromised IT networks across communications, energy, transport, and water sectors, marking a milestone in recognizing state cyber power as a strategic threat [4].
State-linked cyber operations have remained active with a primary focus on intelligence collection and occasional disruptive actions used for signaling, amid a backdrop of information operations that vary widely in scale and intensity [5]. Attack methods are concentrating on identity and the edge [6]. Recent reporting also describes stealthy backdoors placed on appliances and virtualization platforms to maintain access for many months without noisy malware [7]. In parallel, rapid exploitation of 0-day and n-day vulnerabilities in perimeter appliances remains common, and supplier and service-provider pathways continue to feature prominently in incident trends [8].
Targeting remains concentrated on government and telecommunications, with repeated activity against defense-linked networks [9]. High-tech sectors, notably semiconductors, also saw focused campaigns in 2025 [10]. The seam between enterprise IT and OT in industrial environments remains a concern, with pivots into plant and field systems where monitoring is limited and safety constraints slow response. Open reporting also indicates continued use of commercial spyware by government clients, with fresh forensic cases against journalists in 2025 [11].
This state-linked picture is only part of the landscape. Non-state actors, as well as criminals and hacktivists, increasingly operate alongside or in the wake of state campaigns.
Hacktivists: From Cyberspace Vigilantes To State-Aligned Bullies
- 7 April 2025: Attackers seized control of the Bremanger dam in Norway, opened floodgates, and released 500 litres of water per second for four hours. Later attributed to Russian hackers by Norway’s security service [12].
- 7 May 2025: The National Cyber Security Center (UK) reports that the pro-Russian hacktivist group NoName057(16) had claimed a three-day DDoS campaign against several UK public sector websites [13].
- 17 June 2025: Predatory Sparrow claims to have destroyed data at the Iranian state-owned Bank Sepah, causing outages for customers [14].
- 16 July 2025: Europol announces that the global “Operation Eastwood” disrupted the infrastructure of NoName057(16), marking a coordinated law-enforcement action against a hacktivist network [15].
- 14 August 2025: Norway’s intelligence service publicly attributes the dam intrusion and rising threat of pro-Russian cyber actors to the event [16].
- 29 October 2025: The Canadian Center for Cyber Security alerts that hacktivist groups had breached water, energy, and agricultural OT/ICS systems in Canada, manipulating water pressure, temperature, and humidity levels [17].
As we’ve previously reported [18], hacktivism has entered its “establishment” era. Once a form of digital protest directed against institutions of power, it has evolved into a complex ecosystem of state-aligned and ideologically driven actors that often serve as informal extensions of geopolitical influence. The term “hacktivism” itself today conceals more than it reveals. It no longer refers simply to fringe collectives with political messages, but to distributed, collaborative movements capable of real-world disruption and widespread cognitive manipulation.
We increasingly see boundaries between hackers, activists, and state actors dissolving. Groups such as NoName057(16) and Killnet operate independently, but in support of their host states, attacking adversarial governments and institutions while maintaining plausible deniability for their state beneficiaries.
Recent events illustrate the implications of this shift. Distributed-denial-of-service operations remain the most visible form of hacktivism, yet the targets and intent are changing.
Campaigns by pro-Russian groups in 2025 disrupted British public services and European infrastructure, not for ransom or data theft but to broadcast political narratives and erode confidence in institutions [19]. In Norway, attackers remotely manipulated a valve at the Bremanger dam, prompting fears of cyber-physical escalation [20]. Around the same t
Indicators of Compromise
- malware — Volt Typhoon
- malware — Salt Typhoon
- malware — Night Dragon
- malware — NoName057(16)
- malware — Predatory Sparrow