With an eye toward disrupting essential services during future conflict, U.S. intelligence officials continue to warn that China, Russia, Iran, North Korea, and aggressive ransomware groups are steadily positioning themselves inside the networks that run American critical infrastructure. For operational technology (OT) and critical infrastructure defenders, the 2026 Annual Threat Assessment (ATA) confirms that long‑term access into industrial and infrastructure environments is now a strategic objective for multiple adversaries, not just a byproduct of opportunistic compromise.
The unclassified ATA, released last week by the Office of the Director of National Intelligence, frames cyber operations against critical infrastructure as an enduring feature of geopolitical competition rather than a series of isolated incidents. These adversaries will “continue to seek to compromise U.S. government and private-sector networks as well as critical infrastructure to collect intelligence, create options for future disruption, and for financial gain,” Tulsi Gabbard, director of national intelligence, noted in a statement.
Gabbard stressed to Congress that the intelligence community assesses that those same states and ransomware groups will “continue to seek to compromise US government and private sector networks, as well as critical infrastructure, to collect intelligence and create options for future disruption and for financial gain.” She warned that “financially or ideologically motivated nonstate actors are becoming bolder, with ransomware groups shifting to faster, high-volume attacks that are harder to identify and mitigate.”
Adversaries “Pour Resources” Into Targeting U.S.
The report’s cybersecurity section details how these adversaries “continue to pour resources” into operations targeting U.S. government, private‑sector, and core global IT resources, with campaigns that blend espionage, access maintenance, and tooling for potential disruptive or destructive attacks. Those same operations provide “unmatched intelligence collection value” today while preserving options to attack critical services if tensions escalate.

China is singled out as the most “active and persistent cyber threat” to the U.S. government, private‑sector, and critical infrastructure networks. According to the assessment, Beijing has already demonstrated its ability to compromise U.S. infrastructure in ways that could provide “strategic advantage in the event of a conflict,” particularly around crises in the Indo‑Pacific. The report states that China is investing in cyber capabilities designed specifically to “pre‑position or execute disruptive and destructive attacks against U.S. critical infrastructure and other targets,” signaling an intent to move beyond data theft into contingency‑ready access.
The report authors summed up Russia as a “persistent, advanced cyber-attack and foreign intelligence threat” with a track record that spans espionage, information operations, and disruptive actions against Western infrastructure. The assessment ties Moscow’s cyber program to its broader gray‑zone strategy in Europe and beyond, stressing that Russian operators retain the ability to conduct cyber-attacks that could affect energy, transportation, and other critical services in the U.S. and allies. The emphasis is less on any single campaign and more on the pattern: sustained infrastructure targeting as part of Russia’s toolbox for pressuring adversaries.

Iran, North Korea: espionage, influence, theft, and destructive activities
Iran and North Korea, which the report describes as less capable than China or Russia, are portrayed as increasingly willing to use cyber operations against U.S. and allied targets, including critical infrastructure entities. The report highlights Iranian state actors’ mix of espionage, influence, and destructive activities, including a claimed wipe‑and‑data‑theft operation against a U.S. medical technology company in retaliation for real‑world events. North Korea’s cyber program continues to blend intelligence collection, sanctions‑evasion theft, and operational attacks, with growing use of insider access and an “expansion of ransomware attacks and other cybercriminal activities” that raise risks to U.S. IT and critical infrastructure environments.
For operators of OT and critical infrastructure, the common thread across these state programs is pre‑positioning. The ATA explicitly warns that China and Russia are developing capabilities intended to “pre‑position or execute disruptive and destructive attacks” against U.S. critical infrastructure, and it describes a broader pattern of adversaries seeking durable footholds in networks that underpin essential services. In practice, that means long‑dwell access into IT environments adjacent to OT, engineering, and administrative workstations, managed service providers, and other points that can be leveraged later to reach industrial control systems. Today, that access may look like routine espionage; in a crisis, it becomes a lever over physical operations and public confidence.

The assessment also elevates financially and ideologically motivated non‑state actors—especially ransomware groups—to the same chapter as states when discussing critical threats to U.S. networks and infrastructure. Ransomware operators are described as “taking more aggressive cyber-attack postures” that frequently impact critical infrastructure and business operations through downtime, revenue loss, and theft of sensitive data. The report states that the shift toward “faster, high‑volume attacks” compresses defenders’ response windows and increases the likelihood that flat or weakly segmented environments will see cross‑domain impact, including into OT.
The central takeaway is that maintaining long‑term access to infrastructure and industrial networks is a deliberate, strategic goal for multiple nation‑states and major criminal ecosystems. That has implications for how defenders think about architecture, monitoring, and incident response: threat hunting must account for long‑dwell intrusions, segmentation must be designed to frustrate future pivot paths into OT, and crisis playbooks must assume that pre‑positioned adversaries may attempt to activate capabilities under time pressure.

The report’s closing discussion of ransomware reinforces that this is no longer just a data‑availability or extortion problem for individual firms. When the same ransomware ecosystems repeatedly hit hospitals, municipalities, logistics providers, and other service operators, ransomware becomes, in effect, a strategy‑level infrastructure risk: a persistent source of systemic fragility that states and criminals alike can exploit. For critical‑infrastructure defenders, the ATA’s message is that this convergence of state pre‑positioning and aggressive ransomware activity is now part of the baseline threat model—not an edge case to be managed at the margins.