Take stock of what has happened in the past two weeks.

A six-agency advisory confirmed that Iran is actively manipulating US water and energy infrastructure through exposed industrial controllers. A commercial IoT botnet is selling DDoS capacity to extort factories. North Korean hackers backdoored one of the most widely used JavaScript packages in the world. Microsoft patched its largest vulnerability set in recent memory, including the first AI-specific attack categories. Healthcare systems reported ransomware hitting medical devices. Solar and grid-edge infrastructure emerged as a new attack surface for nation-state actors.

Any one of these stories, in isolation, would be significant. Together, in a two-week window, they paint a picture that the ODNI’s annual threat assessment and a major Google threat intelligence report have now formalized: we are in a period of sustained, coordinated nation-state pressure on critical infrastructure, with IoT and operational technology at the center of the attack surface.

This is not a prediction. It is the current state of affairs.


The ODNI Assessment: Four Adversaries, One Priority

The Office of the Director of National Intelligence publishes an annual threat assessment that represents the US intelligence community’s consolidated view of the most significant global threats. The assessment is formally classified in its complete form; the unclassified summary is published publicly.

The 2026 assessment’s cybersecurity section reflects something that has not been true before: all four primary US nation-state adversaries — China, Russia, Iran, and North Korea — have simultaneously identified critical infrastructure cyberattacks as a strategic priority.

Historically, nation-state cyber operations were somewhat segmented by function. Russia focused on disruption (Ukraine power grid attacks, election interference, destructive malware). China focused on espionage (intellectual property theft, long-term pre-positioning). Iran focused on harassment and destabilization (defacements, DDoS, regional financial sector attacks). North Korea focused on financial theft (cryptocurrency heists, bank fraud).

The 2026 picture is different. The segmentation has collapsed. All four adversaries are now running critical infrastructure targeting operations simultaneously, with overlapping targets, and in the case of China and Russia, increasing coordination.

The ODNI assessment specifically calls out:

  • Escalating cyber risks from China, Russia, Iran, and North Korea targeting energy, water, and other critical sectors
  • Chinese threat actors maintaining the highest volume of espionage intrusions against the defense industrial base, increasingly using edge devices and network appliances for initial access
  • Russian threat actors sustaining operations against defense firms supporting battlefield technologies, with Sandworm maintaining pre-positioning in energy infrastructure
  • Iranian-affiliated actors escalating attacks on Western critical infrastructure in direct response to kinetic operations against Iranian energy infrastructure — the PLC attacks we covered on April 7 are the most recent confirmed manifestation
  • North Korean actors expanding beyond cryptocurrency theft into supply chain attacks targeting technology infrastructure — the axios compromise is the clearest recent example

Google’s Defense Industrial Base Report: Edge Devices as the Entry Point

The Google Threat Intelligence Group’s report on sustained cyber pressure against the defense industrial base adds a specific technical dimension to the ODNI assessment’s strategic picture.

The Google research finds that Chinese threat actors remain the most active by volume in espionage intrusions against defense sector organizations. The tactical signature has shifted significantly in recent years: rather than spear-phishing campaigns that require user interaction, Chinese threat actors are increasingly leveraging edge devices and network appliances for initial access.

This finding has direct implications for any organization that operates internet-facing network infrastructure in sectors connected to defense or national security — which includes a much broader set of organizations than formal defense contractors.

Edge devices — the firewalls, VPN concentrators, network gateways, and remote access appliances that sit at the boundary between enterprise networks and the internet — have become primary targets for nation-state initial access operations for several reasons:

They are internet-facing by design. Unlike internal servers that require some pathway in, edge devices are explicitly intended to be reachable from outside the network. Their attack surface is inherently exposed.

They run specialized firmware on limited hardware. Edge devices typically run proprietary embedded operating systems with limited security tooling — no EDR, often no centralized logging, infrequent firmware updates. Attackers who exploit edge device vulnerabilities often operate in environments with minimal detection capability.

They have privileged network position. A compromised edge device sits at the network boundary with visibility into all traffic crossing it. This position provides attackers with network-level access that internal compromises typically don’t achieve immediately.

They are underinvested in security monitoring. Most organizations apply rigorous security monitoring to their endpoint fleet and their critical servers. Edge devices often receive far less attention — their logs may not be forwarded to the SIEM, their firmware may be years behind current versions, and they may not be included in vulnerability scanning programs.

The specific edge device categories that Chinese threat actors have been documented exploiting include Fortinet FortiOS appliances, Ivanti Connect Secure VPN, Palo Alto Networks firewalls, and Cisco network devices — all major enterprise vendors whose products are deployed in critical infrastructure environments globally.
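The three monitoring gaps described above (appliance logs that never reach the SIEM, firmware years behind current, and exclusion from vulnerability scanning) are the kind of thing an asset-inventory audit can surface mechanically. The script below is an added example, not code from the article or from any vendor; it runs over a constructed inventory of network appliances, flags each gap per internet-facing device, and ranks devices by how many gaps they carry. The thresholds (24 hours of log silence, one year of firmware age) and the device records are assumptions chosen for illustration.

```python
"""Edge-device monitoring gap audit (added example, constructed sample data).

Flags, for every internet-facing appliance in an inventory, the blind spots
the section describes: no recent log in the SIEM, old firmware, and absence
from the vulnerability-scanning scope.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds are illustrative assumptions, not values from the article.
LOG_SILENCE_LIMIT = timedelta(hours=24)   # quiet longer than this = not forwarding
FIRMWARE_AGE_LIMIT = timedelta(days=365)  # firmware older than this = "years behind"


@dataclass
class EdgeDevice:
    hostname: str
    role: str                            # firewall, vpn, gateway, switch, ...
    internet_facing: bool
    last_siem_event: Optional[datetime]  # None = the SIEM has never seen this device
    firmware_released: datetime          # release date of the running firmware build
    in_vuln_scan_scope: bool


def audit_device(dev: EdgeDevice, now: datetime) -> List[str]:
    """Return the gap labels that apply to one device (empty list = no gaps)."""
    gaps = []
    if dev.last_siem_event is None or now - dev.last_siem_event > LOG_SILENCE_LIMIT:
        gaps.append("no-siem-logs")
    if now - dev.firmware_released > FIRMWARE_AGE_LIMIT:
        gaps.append("stale-firmware")
    if not dev.in_vuln_scan_scope:
        gaps.append("not-scanned")
    return gaps


def audit_inventory(devices: List[EdgeDevice], now: datetime) -> List[Tuple[str, List[str]]]:
    """Audit only internet-facing devices; return (hostname, gaps), worst first.

    Internal devices are skipped because the section's point is the exposed
    boundary; devices with no gaps are dropped from the report.
    """
    results = [(d.hostname, audit_device(d, now)) for d in devices if d.internet_facing]
    results = [r for r in results if r[1]]
    results.sort(key=lambda r: (-len(r[1]), r[0]))
    return results


# Constructed sample inventory; hostnames and dates are made up.
NOW = datetime(2026, 4, 15)
SAMPLE_INVENTORY = [
    EdgeDevice("fw-edge-01", "firewall", True,
               NOW - timedelta(hours=1), NOW - timedelta(days=60), True),
    EdgeDevice("vpn-edge-01", "vpn", True,
               None, NOW - timedelta(days=900), False),
    EdgeDevice("gw-plant-02", "gateway", True,
               NOW - timedelta(days=3), NOW - timedelta(days=30), True),
    EdgeDevice("core-sw-01", "switch", False,
               None, NOW - timedelta(days=700), False),  # internal: not audited here
]


if __name__ == "__main__":
    for hostname, gaps in audit_inventory(SAMPLE_INVENTORY, NOW):
        print(f"{hostname}: {', '.join(gaps)}")
```

Run as-is it reports the VPN concentrator with all three gaps and the plant gateway with only a log-forwarding gap; the firewall that is logging, patched and scanned does not appear. In practice the inventory would be pulled from the CMDB or the SIEM's asset table rather than hard-coded, but the three checks are the same.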


The IoT Connection: Where Nation-State Operations Meet Enterprise Reality

The connection between nation-state critical infrastructure targeting and everyday enterprise IoT security is more direct than it might appear.

The same devices that are targeted in sophisticated nation-state operations are deployed across the full range of enterprise environments. Fortinet firewalls, Cisco routers, and industrial gateways are not exclusively used by defense contractors. They are the standard fabric of enterprise networking. When CISA issues an advisory about nation-state exploitation of Fortinet appliances, that advisory is relevant to the law firm, the hospital, the manufacturer, and the municipal water utility — not just the cleared defense contractor.

Critical infrastructure increasingly includes privately operated facilities. Water utilities, power generation, food processing, healthcare, and financial services are all designated critical infrastructure sectors under US federal definitions. They are overwhelmingly operated by private enterprises — not government agencies. Nation-state attacks on critical infrastructure are attacks on private organizations.

The IoT devices connecting OT to IT networks are the specific attack surface. The pattern in the Iran PLC advisory, in the Google DIB report, and in the broader threat intelligence picture is consistent: attackers are entering through internet-facing devices and network appliances, moving laterally to IT environments, and from there seeking access to operational technology systems. The OT/IoT convergence that has driven efficiency gains in manufacturing, utilities, and building operations has simultaneously opened pathways from the internet to operational systems that did not exist a decade ago.


The EU Sanctions Dimension

While US threat assessments focus on threats to American infrastructure, the European picture has its own notable development.

In March 2026, the EU imposed sanctions on China-based Integrity Technology Group and Anxun Information Technology for cyberattacks on EU member states, including attacks on critical infrastructure. This is a significant escalation: the EU formally attributing infrastructure attacks to Chinese companies and imposing sanctions represents a policy response that goes beyond advisory-level threat assessments.

The sanctioned entities are linked to the Volt Typhoon campaign — the same pre-positioning operation in US critical infrastructure that has been a concern of US intelligence agencies for the past two years. Volt Typhoon’s documented activity includes accessing and maintaining persistence in US and allied critical infrastructure environments — water, energy, transportation, communications — in a manner consistent with preparation for potential disruption operations during a geopolitical crisis.

The EU sanctions signal that Western governments are moving from passive observation to active response on Chinese critical infrastructure targeting. For organizations in EU member states operating critical infrastructure, the sanctions also represent clarity about the threat landscape that should inform security investment decisions.


Russia’s Continued Pressure on Energy Infrastructure

The ODNI assessment and related reporting confirm that Russian threat actors, particularly Sandworm, continue to maintain pre-positioning in energy infrastructure in the US, Europe, and Ukraine. The operational tempo against Ukraine’s energy grid has provided Sandworm with extensive real-world experience in attacking power infrastructure that cannot be replicated in any exercise or simulation.

The concern from a Western critical infrastructure perspective is that this operational experience, combined with documented pre-positioning operations, creates the conditions for escalatory attacks on Western energy infrastructure in the event of significant geopolitical escalation over Ukraine or other flashpoints.

Sandworm’s demonstrated capability — having caused actual blackouts in Ukraine in 2015, 2016, and subsequently — is not theoretical. The question of whether and when it would be deployed against Western infrastructure is a geopolitical judgment, not a technical one. The technical capability is confirmed.

For energy sector security teams, this assessment argues for treating the current period as one of elevated baseline risk — not because a specific attack is imminent, but because the pre-conditions for one have been established and the adversary has demonstrated both capability and willingness to use it.


North Korea: Beyond Cryptocurrency

North Korea’s cyber program has long been understood primarily through the lens of financial theft — cryptocurrency exchange hacks, bank heists, the Lazarus Group’s systematic targeting of financial infrastructure. The ODNI assessment and the axios supply chain attack this week signal an expansion.

North Korean threat actors are increasingly conducting supply chain attacks against technology infrastructure — targeting the software and platforms used by the organizations they want to ultimately compromise, rather than those organizations directly.

This represents a maturation of North Korea’s cyber program. Direct financial theft has become harder as cryptocurrency exchanges have implemented stronger security controls and law enforcement has become more sophisticated in tracing blockchain transactions. Supply chain attacks offer an alternative path: compromise trusted software, use that access to reach high-value targets, then monetize through ransomware, intellectual property theft, or direct cryptocurrency theft from the compromised environments.

For technology companies, software vendors, and managed service providers — all of which sit in supply chains that reach sensitive target organizations — this assessment argues for treating supply chain security as a specific adversarial concern, not just a software quality issue.


What This Week Means for Your Security Program

The events of the past two weeks — Iran PLC attacks, Masjesu botnet, healthcare IoMT ransomware, solar infrastructure targeting, axios supply chain compromise, Microsoft Patch Tuesday, shadow AI risks, manufacturing ransomware Q1 data, and the Vercel OAuth breach — are not disconnected incidents.

They reflect a threat environment shaped by structural forces: sustained nation-state pressure on critical infrastructure, commoditized attack tooling in the criminal ecosystem, a rapidly expanding IoT and AI attack surface, and security governance that is struggling to keep pace with the rate of change.

For security leaders, the practical implications of the ODNI assessment are not abstract strategic concerns — they are the context in which specific operational decisions are made:

Budget allocation: If your security investment is not proportional to a threat environment that includes simultaneous pressure from four nation-state adversaries plus an active criminal ecosystem, the gap between investment and risk is larger than it should be.

Board communication: The ODNI assessment provides authoritative, public-domain language for communicating threat context to boards and executives who may not otherwise engage with technical security details.

Third-party risk: Nation-state actors are explicitly targeting the supply chains and trusted intermediaries that reach well-defended targets. Your security program needs to assess and manage the security of your vendors, your software dependencies, and your OAuth-connected SaaS tools with the same rigor you apply to your own infrastructure.

OT/IoT focus: The convergence of IT and OT networks has created attack pathways that nation-state actors are actively exploiting. The priority these actors place on operational technology targets argues for treating OT/IoT security as a strategic investment, not a compliance checkbox.

Detection over prevention: In an environment where multiple sophisticated adversaries are attempting to access your infrastructure simultaneously, the assumption of eventual breach becomes more realistic. Detection capability — knowing when something has gotten in and responding quickly — is at least as important as prevention.


The Longer View

The coordinated nation-state focus on critical infrastructure cyberattacks is not a temporary condition. It reflects long-term strategic decisions by adversaries who have concluded that critical infrastructure represents effective leverage in geopolitical competition.

Those decisions will not be reversed by law enforcement actions, diplomatic engagement, or improved defenses at individual organizations. They are structural features of the current geopolitical environment that will persist for years.

The organizations and sectors that navigate this environment successfully will be those that treat cyber risk as a strategic concern with long-term investment requirements — not an operational problem to be managed with annual budget cycles and reactive responses to incidents.

The events of the past two weeks are a compressed reminder of what that strategic risk looks like in practice. The question is what comes next.


This article draws on the ODNI Annual Threat Assessment (2026 unclassified summary), Google Threat Intelligence Group’s defense industrial base report, Industrial Cyber reporting on OT threat trends, EU Council sanctions documentation (March 2026), and Recorded Future News reporting on nation-state cyber operations. Where specific incidents are referenced, links to detailed coverage are provided.