Executive Summary
Nation-state actors from China, Russia, Iran, and North Korea are actively pre-positioning inside critical infrastructure while simultaneously directing or enabling criminal ransomware groups to execute disruptive attacks with plausible deniability. The FBI's 2025 data, cited by the American Hospital Association, identified healthcare as the top sector for cyber threats, recording 460 ransomware incidents against health and public health targets, and the Waterfall Security Threat Report 2026 found that nation-state and hacktivist attacks on industrial systems doubled in 2025 even as overall ransomware volume temporarily declined. The interplay between state objectives and criminal tools has produced a threat environment where defenders cannot cleanly separate financial extortion campaigns from strategic coercion. Decision-makers in energy, healthcare, water, and financial services face a compounding problem: the same AI-assisted tooling that is lowering criminal attack costs is accelerating the operational tempo of state-sponsored campaigns.
Key Findings
- Iran has operationalized criminal ransomware groups as state proxies, using DragonForce and Handala to execute attacks against energy and healthcare targets while retaining plausible deniability.
- Healthcare faces the highest combined threat load of any sector, recording the largest ransomware incident count of any CISA sector in 2025 and a tenfold attack surge in the UK in the first five months of 2026.
- China's pre-positioning strategy, exemplified by Volt Typhoon, Salt Typhoon, and the CL-STA-1062 Southeast Asia campaign, is oriented toward conflict-contingency leverage rather than near-term disruption.
- Water and energy systems face active sabotage-oriented attacks from Russia and Iran exploiting basic OT security gaps, while criminal groups including Akira, Qilin, and RansomHub industrialize attacks against manufacturing and energy targets.
- AI-assisted attack tooling is compressing attacker timelines and enabling lower-skilled actors to execute campaigns against hardened targets, with confirmed deployment of an AI-native attack framework against Fortinet devices across 55 countries in early 2026.
How Iran's Proxy Model Is Eroding Attribution Integrity
The most operationally significant structural change in the threat environment is not new groups or new malware families but the deliberate erosion of the boundary between state-directed operations and criminal activity. Iran's use of DragonForce and Handala as operational proxies, detailed in Industrial Cyber's reporting on CPX and Trellix assessments, represents a deliberate doctrinal choice. As one industry executive quoted by Industrial Cyber described the model: Iranian actors "broker victim access, use criminal infrastructure for tooling and deniability, and disguise coercive operations as ordinary extortion." The financial element, ransomware payments flowing to criminal affiliates, provides a further layer of cover because it creates an incentive structure that looks indistinguishable from pure financial crime.
This spills directly into defensive architecture decisions. Organizations that calibrate threat models around the most likely adversary type, assigning healthcare to criminal ransomware and energy grid attacks to nation-state actors, are operating with a taxonomy that Iran's proxy doctrine is specifically designed to defeat. The Industrial Cyber May 2026 reporting noted that Iranian state-aligned actors and criminal operators "converge and share environments, infrastructure, TTPs, access brokers, and, at times, even strategic objectives." When the infrastructure and tools are shared, attribution-based triage produces systematic errors.
These geopolitical dynamics compound the existing economic security challenge. The Waterfall Threat Report 2026, analyzed by Industrial Cyber in March 2026, found that while publicly recorded cyber breaches with physical consequences across heavy industry declined from 76 incidents in 2024 to 57 in 2025, nation-state and hacktivist attacks doubled within that same period. The aggregate headline figure, a 25% decline in physical-consequence incidents, conceals an adversary composition shift toward harder-to-detect state activity. The Waterfall report noted significant incidents including a major production shutdown at Jaguar Land Rover, flight disruptions at Collins Aerospace, and maritime incidents involving misdirected ships, alongside the near-miss event involving Polish distributed generation that analysts link to Russian nation-state activity. Taken together, these incidents document a threat environment in which the volume metric is a poor proxy for severity.
The OT Security Debt That Nation-States Are Spending
The interplay between chronic underinvestment in operational technology security and the strategic objectives of nation-state actors is the core structural vulnerability enabling the current threat environment. Morgan Lewis's January 2026 legal analysis of water sector cybersecurity noted that over 150,000 public water systems of varying sizes operate across the United States alone, with aging infrastructure and large operational footprints creating an attack surface that threat actors have systematically identified. The same analysis highlighted that a May 2024 joint international advisory from global enforcement agencies had already warned of a growing nation-state-backed threat to small-scale OT systems across critical infrastructure, including water.
The CSIS significant cyber incidents database documents the material consequences of this gap. A January 2026 attack on roughly 30 Polish energy grid sites followed a pattern the Canadian Centre for Cyber Security had warned about in October 2025: attackers leveraging weak security configurations, default credentials, and unpatched internet-facing PLCs and HMIs. The North Korean Lazarus group's October 2025 social engineering campaign against three European defense companies, documented by CSIS, demonstrates that the OT gap extends into defense-adjacent manufacturing, where drone components and specialized production processes represent intelligence targets that overlap with critical infrastructure classification.
Trajectory, not just level: the concern is not the absolute count of OT incidents but the direction of the adversary mix. The Waterfall report's finding that nation-state and hacktivist attacks doubled in 2025 while ransomware temporarily declined suggests that the overall resilience gains organizations attribute to improved ransomware defenses may be partially offset by a harder-to-detect adversary category that does not announce itself with ransom notes and extortion timers.
The broader systemic implications include cascading effects across interconnected sectors. Cybersecurity Dive's analysis of state and local infrastructure threats noted that water and wastewater facilities have faced attacks from state-linked actors, hacktivist groups, and criminal ransomware gangs simultaneously, creating a multi-vector threat environment that sequential incident response procedures are not designed to handle. Both the economic and physical safety dimensions of these failures require attention: the AHA's framing of energy, water, and telecommunications attacks as producing cascading disruptive effects on healthcare reflects a dependency map that most sector-specific security programs treat as someone else's problem.
Ransomware Ecosystems As Strategic Infrastructure
The criminal ransomware ecosystem has itself become a form of strategic infrastructure that multiple nation-state actors exploit in different ways. Industrial Cyber's reporting on state-backed ransomware activity describes a convergence in which criminal groups, ideological hacktivists, and state-aligned adversaries "share environments, infrastructure, TTPs, access brokers, and, at times, strategic objectives." The Swiss Cyber Institute's 2026 ransomware group analysis identified five dominant operators, LockBit (residual), RansomHub, Akira, Play, and DragonForce, each operating ransomware-as-a-service models that allow geographically dispersed affiliates to execute campaigns while the core operators maintain infrastructure and tooling. The FBI had identified approximately 900 entities exploited by the Play group alone as of May 2025, according to the Swiss Cyber Institute.
North Korea's use of the Lazarus group in dual-track operations (espionage against defense manufacturers and ransomware attacks against healthcare), documented by the Krypt3ia threat report published July 1, 2026 and the CSIS significant incidents tracker, illustrates the strategic flexibility that state actors derive from access to the criminal ecosystem. When DPRK-attributed Maui ransomware hits US healthcare organizations, the ransom revenue directly funds weapons programs while the operational disruption produces its own strategic value. The resulting spillover affects multiple sectors simultaneously: healthcare disruption affects military readiness, financial flows from ransom payments affect sanctions enforcement, and supply chain compromises from access broker markets affect defense industrial capacity.
What is not being reported: the March 2026 Cyber threat landscape analysis identified 20 distinct incidents involving the sale of unauthorized network access on cybercrime forums in a single month, with a small cluster of access brokers accounting for over 55% of observed listings. The scale of the access broker market suggests that a large number of organizations across critical infrastructure sectors have already been compromised but have not yet experienced the visible downstream attack. With moderate-to-high confidence, the true penetration of critical infrastructure is substantially higher than disclosed incident reports indicate.
Key Assumptions
| Assumption | Supporting Evidence | Falsifying Evidence | Impact if Wrong |
|---|---|---|---|
| China's critical infrastructure intrusions reflect a pre-positioning strategy calibrated to future conflict rather than near-term disruption | AHA's direct statement on embedded malware awaiting a "triggering event"; Unit 42's documentation of CL-STA-1062's long-term persistence model; Krypt3ia July 2026 assessment that China is "showing how infrastructure access creates future leverage" | Evidence of China conducting immediate destructive attacks against Western infrastructure without a triggering geopolitical event | The defensive priority would shift from dwell-time detection and network segmentation toward immediate incident response; current detection architectures optimized for persistent access would miss a rapid escalation scenario |
| Iran's use of criminal proxies like DragonForce and Handala maintains a meaningful level of deniability that slows Western attribution and response | Industrial Cyber and Trellix's March 2026 assessment documenting the proxy architecture; the financial layer of ransomware payments as cover | Confirmed direct Iranian state control of a high-profile ransomware operation, removing deniability and triggering a policy response | If deniability collapses, diplomatic and sanctions pressure on Iran's cyber program may increase, potentially shifting Iranian tactics toward even harder-to-attribute methods rather than reducing activity |
| The Waterfall 2026 decline in ransomware-caused physical incidents reflects temporary disruption to ransomware operations rather than structural improvement in OT security | Waterfall's own characterization of the decline as tied to "temporary factors affecting ransomware activity"; simultaneous doubling of nation-state attacks suggests the attack surface is unchanged | Evidence of widespread OT network segmentation improvements, patch adoption rates for ICS-relevant CVEs, or a sustained multi-year decline in physical-consequence incidents | The 25% incident reduction could be interpreted as a genuine defensive success, warranting investment in replicating the responsible controls rather than treating the decline as a false signal |
| The healthcare sector's structural patching constraints, particularly legacy Java middleware, will persist for at least 3-5 years regardless of policy pressure | SonicWall's finding that Log4j remains the most active attack vector in UK healthcare in 2026, five years after disclosure; AHA's acknowledgment that clinical systems cannot be patched on enterprise cycles | A major national health system completes a full legacy middleware migration within 24 months; this would be the first documented example at scale | If healthcare patching constraints are solvable faster than assumed, current risk assessments for the sector may be overstating the duration of the vulnerability window |
Counterarguments
- The conflation of criminal and nation-state threats may overstate the coordination and understate the divergence in objectives. Industrial Cyber's reporting on Iranian proxy use, while detailed, draws primarily on vendor and industry executive assessments rather than declassified government intelligence. The claim that DragonForce and Handala operate as directed instruments of Iranian state policy is analytically plausible but difficult to distinguish empirically from a scenario in which Iranian actors opportunistically exploit criminal infrastructure without formal direction. If the relationship is more transactional than hierarchical, then disrupting the criminal groups through law enforcement action would have a more lasting effect on Iranian cyber capability than current threat assessments suggest, because the state would depend on infrastructure it does not control and could not readily substitute its criminal partners. The Waterfall 2026 observation that ransomware-caused physical incidents fell 25% in 2025 is consistent with the hypothesis that criminal disruption operations, including the LockBit and BlackCat takedowns, have materially weakened the infrastructure on which state-adjacent actors rely.
- Sector threat rankings based on disclosed incident counts systematically underrepresent the energy and water sectors relative to healthcare and financial services. The FBI's figure of 460 healthcare ransomware incidents is drawn from IC3 victim reporting, which is voluntary and biased toward organizations with the legal obligation and institutional capacity to report. Water utilities, many of which are small municipal operations with limited legal counsel and cybersecurity staff, are structurally less likely to report incidents. The Cyble Americas Threat Landscape Report's first-quarter 2026 count of 1,305 cyber incidents is drawn from publicly claimed attacks, which criminal groups strategically choose to publicize based on their own reputational calculus. Sectors where attacks produce operational value for the attacker without requiring public announcement, including energy and water, are systematically undercounted in all available datasets. Defenders who prioritize healthcare and financial services over water and energy OT based on incident volume rankings may be misallocating resources toward the most reported rather than the most threatened sectors.
- The AI attack acceleration narrative, while directionally accurate, risks producing a defensive investment mismatch if it displaces attention from the commodity-technique attacks that are currently producing the most damage. The CyberStrikeAI deployment against Fortinet appliances in March 2026, documented by Cyble and Cyber, was notable but affected 600 systems across 55 countries, a relatively contained incident. The ransomware attack on the University of Mississippi Medical Center that same month, using conventional techniques, closed 35 clinic locations statewide. SonicWall's finding that Log4j drives the most UK healthcare attacks in 2026 underscores that the marginal defensive investment with the highest expected return is, with high confidence, remediation capacity and patch management rather than AI-specific detection tooling. Organizations that reorient security budgets toward next-generation AI threat defense while leaving 2021-vintage vulnerabilities unpatched are optimizing for a threat that is still emergent while staying exposed to the one that is already producing casualties.
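The remediation-capacity point above, and the Log4j-era remediation timeline recommended under Decision Relevance, both presuppose that an organization can actually locate the vulnerable artifacts, which in legacy middleware are usually buried inside application archives rather than sitting on disk under their own name. The following is an added example written for this assessment; it is not code from SonicWall, the AHA, or any other source cited here. It walks a directory tree, opens every jar/war/ear, recurses into nested archives, reads the log4j-core version from the embedded Maven pom.properties, and checks whether JndiLookup.class is still shipped. The 2.17.1 threshold, the class path, and the three sample archives the demo builds are assumptions and constructed inputs, not data from the page.

```python
"""Inventory scan for vulnerable Log4j 2 artifacts (the Log4Shell CVE family).
Added example for this assessment, not code from any source cited on the page;
the 2.17.1 threshold and the JndiLookup class path are stated assumptions."""
import io
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Assumption: 2.17.1 is taken as the first log4j-core 2.x release with no open
# CVE in the Log4Shell family (CVE-2021-44228, -45046, -45105, -44832).
FIXED_VERSION = (2, 17, 1)
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 3  # nested archives deeper than this are not opened

@dataclass
class Finding:
    path: str           # outer file path plus nested entry names, joined by "!"
    version: tuple      # (major, minor, patch); (0, 0, 0) if no pom.properties
    jndi_present: bool  # JndiLookup.class still shipped in the archive
    status: str         # "vulnerable", "partially_mitigated" or "fixed"

def parse_version(pom_properties: str) -> tuple:
    """Pull 'version=2.14.1' out of pom.properties as an int tuple."""
    m = re.search(r"^version=(\d+)\.(\d+)\.(\d+)", pom_properties, re.MULTILINE)
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0)

def classify(version: tuple, jndi_present: bool) -> str:
    if version >= FIXED_VERSION:
        return "fixed"
    if jndi_present:
        return "vulnerable"  # includes an unknown version with the class present
    # Class stripped per the Apache mitigation: blocks the JNDI RCE path but not
    # the later CVEs in the family, so the build stays on the remediation list.
    return "partially_mitigated"

def scan_archive(data: bytes, label: str, depth: int = 0) -> list:
    """Scan one archive held in memory, recursing into nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; skip rather than abort the sweep
    names = set(zf.namelist())
    version = (0, 0, 0)
    for name in names:
        if POM_RE.search(name):
            version = parse_version(zf.read(name).decode("utf-8", "replace"))
    jndi = JNDI_CLASS in names
    if version != (0, 0, 0) or jndi:
        findings.append(Finding(label, version, jndi, classify(version, jndi)))
    if depth < MAX_DEPTH:
        for name in names:
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(scan_archive(zf.read(name), f"{label}!{name}", depth + 1))
    return findings

def scan_tree(root: str) -> list:
    """Walk a directory and scan every archive file found under it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(scan_archive(fh.read(), full))
    return findings

def _fake_log4j_core(version: str, with_jndi: bool) -> bytes:
    """Constructed stand-in for a log4j-core jar (no real bytecode inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"artifactId=log4j-core\nversion={version}\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

def demo() -> dict:
    """Build a constructed sample tree and return {relative path: status}."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    fat = io.BytesIO()  # a fat war embedding old log4j-core: filename inventories miss it
    with zipfile.ZipFile(fat, "w") as zf:
        zf.writestr("BOOT-INF/lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1", True))
    samples = {"clinical-portal.war": fat.getvalue(),
               "log4j-core-2.17.1.jar": _fake_log4j_core("2.17.1", True),
               "log4j-core-2.15.0.jar": _fake_log4j_core("2.15.0", False)}
    for fn, data in samples.items():
        with open(os.path.join(root, fn), "wb") as fh:
            fh.write(data)
    return {f.path[len(root) + 1:]: f.status for f in scan_tree(root)}

if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:20s} {path}")
```

Run it against a real deployment directory with scan_tree(path); demo() builds three constructed archives in a temporary directory and returns their statuses. A build reported as partially_mitigated had JndiLookup.class removed, which closes the JNDI remote-code-execution path but not the later CVEs in the family, so it belongs on the remediation timeline rather than being closed out, which is the distinction a board-level tracker needs to preserve.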
Indicators To Watch
The following table captures observable signals that would require reassessment of the current threat picture. Each indicator derives directly from documented patterns in the evidence base.
| Indicator | Current State | Warning Threshold | Time Horizon |
|---|---|---|---|
| Iranian proxy group (DragonForce, Handala) confirmed attacks on US energy or water OT systems | Primarily targeting energy data and healthcare; Cal Water Iranian Handala attack reported by SecurityWeek with no confirmed OT system compromise | Confirmed intrusion into operational technology systems at a US utility or water treatment facility attributed to Iran-linked group | 3-6 months |
| Poland/European energy grid attack frequency | One coordinated attack on roughly 30 Polish grid sites in January 2026 (CSIS tracker) | Second confirmed grid-site attack in a NATO country within a 90-day window | 3-6 months |
| Salt Typhoon / CL-STA-1062 disclosed new target sectors | Telecom, congressional communications, Southeast Asian energy confirmed (Trend Micro, Unit 42) | New public attribution to either group in a sector outside current known targeting (e.g. financial market infrastructure, water utilities) | 6-12 months |
| US IC3 healthcare ransomware incident count (annual pace) | 460 incidents in full-year 2025 (FBI/IC3, reported by Industrial Cyber) | Annualized 2026 run rate exceeding 600 incidents, or a single attack causing multi-state patient care disruption | 30-90 days |
| Access broker market volume on cybercrime forums (tracked monthly by Cyble, Cyber) | 20 distinct unauthorized-access sale incidents tracked in March 2026 alone | Monthly count exceeding 30 listings with confirmed critical infrastructure sector targeting | 30-60 days |
Decision Relevance
Scenario A (~55%): Sustained high-tempo threat without a single major disruptive event in the next 12 months. The current trajectory, elevated ransomware volume, Iranian proxy escalation, and Chinese pre-positioning, continues without a single event that triggers a policy step-change. If you operate critical infrastructure in healthcare, energy, or water treatment, this scenario demands three concrete actions: complete an IT/OT network segmentation audit in the next 90 days, establish a Log4j-era vulnerability remediation timeline with board-level accountability, and run a tabletop exercise modeled specifically on partial OT system loss rather than generic cyber incident scenarios. The cost of inaction in a sustained-threat environment accumulates quietly until it does not. If you are a risk officer at a financial institution with third-party exposure to energy or water utility vendors, map your operational dependencies on those vendors' control systems now, because your direct security posture is only as strong as your most vulnerable supplier.
Scenario B (~30%): A major disruptive event against energy or water infrastructure in a G7 country produces a regulatory and insurance market restructuring comparable to the Colonial Pipeline aftermath. The Waterfall report's documentation of a Russian-linked near-miss against Polish distributed generation, combined with CSIS's tracking of the January 2026 Polish grid attack, suggests this scenario is plausible. If you are in manufacturing, transportation, or any sector with OT vendor dependencies shared with energy utilities, this scenario triggers mandatory reporting obligations and forced audit timelines that will be difficult to comply with under time pressure. Begin vendor OT dependency mapping now. If you advise on cyber insurance program design, current nation-state exclusion clauses will face litigation stress-testing in this scenario; re-examine policy language before the event rather than after.
Scenario C (~15%): A diplomatic agreement or US-China geopolitical de-escalation reduces the Chinese pre-positioning threat, creating a false-positive improvement signal. Even if Chinese pre-positioning activity becomes less observable following a diplomatic engagement, the embedded access from prior campaigns is unlikely to be fully remediated without active network-by-network discovery. If you are a CISO at an organization in energy, water, or telecommunications, do not interpret reduced observed Chinese activity as a clean bill of health. The pre-positioning model is specifically designed to survive periods of diplomatic restraint. Conduct a dedicated threat-hunting exercise for indicators of long-term persistence regardless of geopolitical signals, and treat the absence of evidence as consistent with improved adversary evasion rather than confirmed absence of access.
Analytical Limitations
- The primary evidence base draws on commercial vendor sensor data (SonicWall, Cyble, Palo Alto Networks Unit 42, Waterfall Security) and government-adjacent reporting (AHA, CSIS, FBI IC3). Vendor telemetry reflects the client exposure of each vendor rather than a statistically representative sample of each sector's total incident volume. The tenfold UK healthcare figure from SonicWall is directionally reliable but should not be treated as a sector census.
- Attribution claims vary substantially in evidential quality across the source set. Unit 42's CL-STA-1062 attribution carries detailed technical corroboration, including code overlap with Cisco Talos's UAT-7237 characterization. DomainTools' broader grouping of water-system attackers across three nation-states rests on a less granular foundation and should be treated as an adversary categorization rather than a per-incident attribution.
- The access broker market data captured by Cyble and Cyber represents publicly listed sales on monitored forums, which is an acknowledged floor on total market activity. The true volume of initial-access transactions on closed or unmonitored forums is unknown, meaning the assessment systematically underestimates the pipeline of pre-compromised critical infrastructure organizations awaiting downstream attack.
- AI-assisted attack tool deployment is documented in early-stage incidents as of mid-2026, but no confirmed case of a purely AI-directed attack against critical infrastructure without a human operator in the chain has been publicly documented. The Five Eyes advisory language on timeline compression is precautionary and forward-looking rather than a description of observed current attacks. This assessment's AI-risk emphasis is proportionate to the documented trajectory, but the specific severity and timing remain uncertain.
- The most consequential unknown is the current dwell time and penetration depth of Chinese pre-positioning actors in Western critical infrastructure. The AHA's description of embedded malware awaiting a triggering event is an assessment of intent and method, not a count of compromised systems. Without confirmed visibility into what has been pre-positioned, this assessment cannot bound the undetected risk, only characterize the disclosed and inferred portions of it.
Sources & Evidence Base
- ENISA Threat Landscape 2025, October 2025, enisa.europa.eu (source grade: ungraded)