A wave of state‑linked cyber activity from China, Russia, Iran and North Korea is increasingly focused not merely on theft, but on embedding access across the US defence industrial base and critical infrastructure — a deliberate pattern of reconnaissance, credential harvesting and operational pre‑positioning that security firms and government agencies now treat as preparatory to possible future conflict. (thehackernews.com)
Recent reporting: who is doing what
Industry and government reporting in February 2026 converges on three linked findings: Google’s Threat Intelligence Group documented a multi‑nation campaign against defence contractors and their personnel; Dragos disclosed newly tracked operational‑technology (OT) threat groups that specialise in initial access and OT mapping; and longstanding China‑nexus crews associated with “Volt Typhoon” continue to appear in compromises of routers, VPNs and other edge devices. (thehackernews.com)
Tactics and the emerging division of labour
Researchers see a modular ecosystem: initial‑access teams exploit edge devices and unpatched appliances, access brokers hand footholds to operators that know how to reach engineering workstations and OT control loops, and specialist actors deploy data‑theft or destructive tooling where operational intelligence shows it will have effect. Dragos summarised this shift bluntly: “The threat landscape in 2025 reached a new level of maturity,” said Robert M. Lee, underscoring the move from ad‑hoc intrusions to coordinated, capability‑building operations. Dragos’s year‑in‑review ties new names — Sylvanite, Voltzite and Pyroxene — into this division of labour and documents handoffs between actors. — Dragos, “Dragos OT/ICS Cybersecurity Report and Year in Review”, Feb 17, 2026. Dragos press release. (dragos.com)
Volt Typhoon, UNC3236 and the logic of pre‑positioning
Public advisories from vendors and US agencies have long described Volt Typhoon‑style activity as stealthy, credential‑focused intrusions into communications, energy and water sectors in order to “pre‑position” for disruption. Microsoft warned that it had “uncovered stealthy and targeted malicious activity focused on post‑compromise credential access and network system discovery aimed at critical infrastructure organizations in the United States.” — Microsoft Threat Intelligence, “Volt Typhoon targets US critical infrastructure with living‑off‑the‑land techniques”, May 24, 2023. Microsoft blog. (microsoft.com)
Government response and contested success
US agencies and private partners have executed concerted hunt and mitigation operations. Senior NSA and FBI officials later told a public conference that those efforts reduced Volt Typhoon’s ability to maintain long‑term covert persistence; as Kristina Walter of the NSA said, “The good news is, they really failed.” — Jonathan Greig, Recorded Future (The Record), summary of Fordham ICS remarks, July 2025. Recorded Future / The Record. At the same time, advisory literature and subsequent incident reports show repeated short‑term compromises of OT and IT environments — evidence that discovery and removal do not erase the strategic problem of pre‑positioning. (therecord.media)
Why this matters for Germany, Europe and NATO
The pattern of bottom‑up access, ORB (operational relay box) networks and targeted social engineering elevates risk beyond the US: Europe’s defence suppliers and critical utilities face the same supply‑chain and edge‑device vulnerabilities that enable reconnaissance and staging. Google’s analysis concluded that “the broader trend is clear: the defense industrial base is under a state of constant, multi‑vector siege,” a formulation that applies across NATO supply chains and dual‑use manufacturing. — The Hacker News, reporting on Google Threat Intelligence Group, Feb 13, 2026. The Hacker News. A European posture that assumes attacks will be limited to IT theft is therefore out of date; the intelligence picture now shows actors actively mapping control loops and logistics that NATO relies upon for rapid mobilisation. (thehackernews.com)
Operational and policy implications
Defenders must treat observed intrusions as adversary phase‑setting: patch and appliance‑replacement programmes for edge kit are necessary but not sufficient. Detection must track account‑based living‑off‑the‑land activity, and incident‑response playbooks should be exercised with OT teams because the adversary's effect model targets process logic, alarm data and engineering workstations. Dragos's field work — which links initial‑access brokers to follow‑on OT intrusions and documents wiper deployments attributed to Iran‑linked actors — demonstrates the need for coordinated IT/OT threat hunting and for cross‑border intelligence sharing between industry and national CERTs. (dragos.com)
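One way to operationalise the account‑based detection this paragraph calls for, as an added example (not code from the article, Microsoft or Dragos): it reads constructed process‑creation events flattened to "timestamp,user,host,command" lines and flags any account that runs several distinct built‑in discovery commands on one host within a short window, which is the post‑compromise "network system discovery" pattern the Microsoft advisory describes. The watch list, log format, window and threshold are all assumptions to tune per environment.

```python
"""Flag per-account bursts of living-off-the-land discovery commands.

Added example, not from the original article or from Microsoft/Dragos.
Assumes process-creation events flattened to 'ts,user,host,command' lines
(a constructed format); the watch list, window and threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in discovery / credential-related binaries worth watching (assumed list).
DISCOVERY_BINS = {"netstat", "ipconfig", "nltest", "net", "whoami",
                  "systeminfo", "tasklist", "ntdsutil", "wmic", "ping"}

# Constructed sample log: one service account sweeps the network in two
# minutes; an operator runs an occasional single command hours apart.
SAMPLE_LOG = """\
2026-02-10T08:00:01,svc_backup,WS-ENG-01,C:\\Windows\\System32\\ipconfig.exe /all
2026-02-10T08:00:09,svc_backup,WS-ENG-01,netstat -ano
2026-02-10T08:00:33,svc_backup,WS-ENG-01,nltest /dclist:corp
2026-02-10T08:01:02,svc_backup,WS-ENG-01,net group "Domain Admins" /domain
2026-02-10T08:01:40,svc_backup,WS-ENG-01,whoami /groups
2026-02-10T09:15:00,jdoe,WS-OPS-07,notepad.exe runbook.txt
2026-02-10T09:16:10,jdoe,WS-OPS-07,ipconfig
2026-02-10T14:30:00,jdoe,WS-OPS-07,ping 10.0.0.5
"""


def parse(log_text):
    """Return (timestamp, user, host, executable-name) tuples from the flat log."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, host, cmd = line.split(",", 3)  # command may itself contain spaces
        exe = cmd.split()[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        events.append((datetime.fromisoformat(ts), user, host, exe))
    return events


def find_discovery_bursts(log_text, window=timedelta(minutes=10), min_distinct=4):
    """Map (user, host) -> sorted distinct discovery binaries for accounts that
    ran at least `min_distinct` different ones within any `window`."""
    by_account = defaultdict(list)
    for ts, user, host, exe in parse(log_text):
        if exe in DISCOVERY_BINS:
            by_account[(user, host)].append((ts, exe))
    findings = {}
    for account, evs in by_account.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide a window from each event
            seen = {exe for ts, exe in evs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                findings[account] = sorted(seen)
                break
    return findings


if __name__ == "__main__":
    for (user, host), bins in find_discovery_bursts(SAMPLE_LOG).items():
        print(f"discovery burst: {user}@{host} ran {', '.join(bins)}")
```

Feeding real Security 4688 or Sysmon process‑creation exports through the same shape lets the per‑account threshold surface a single account touching many hosts or many discovery tools, which is the signal that patching alone will not give you.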
Strategic interpretation
Taken together, the reporting shows an adversary calculus that privileges time and choice: by building distributed, covert access across civilian networks, an attacker preserves options — espionage, supply‑chain disruption, or direct sabotage — tied to geopolitical triggers. That calculus is observable across multiple actors and theatres, from China’s emphasis on communications and island‑territory targets relevant to the Taiwan contingency to Iran‑linked destructive operations in regional conflicts. The present imperative for Western governments and NATO is to close the operational gap between discovery and denial: public advisories, takedowns and attribution impose friction on adversaries, but they must be matched by resilient OT architectures, bi‑national and multinational incident playbooks, and defensive investments that recognise pre‑positioning as a distinct and strategic phase of modern cyber competition. (microsoft.com)
Short, verifiable reading: Dragos’s 2026 OT report for the new OT threat actors and ecosystem dynamics; Microsoft’s Volt Typhoon advisory for tradecraft and mitigations; and recent GTIG reporting summarised by major outlets for the cross‑actor pressure on the defence industrial base. (dragos.com)