Cyber Warfare: The Battlefront of the Digital Age

Rising geopolitical tensions are reflected (or in some cases preceded) by cyber operations, while technology itself has become politicized. Let’s admit it: we are in the middle of it. 

Introduction: One tech power to rule them all is a thing of the past 

The relative safety, peace and prosperity that much of the world has enjoyed since 1945 was not accidental. It emerged from the ashes of two world wars and the deliberate construction of a new global order. The United States of America set the terms of this new world.

The long peace under Pax Americana provided a stable foundation, but that foundation is shifting. Europe’s deep strategic dependence on the U.S.’s technological and cybersecurity capabilities, from intelligence and infrastructure to frameworks and funding, is now being tested. Those tectonic geopolitical changes are undermining trust, threatening the state of safety, and compelling European organizations to rethink digital architectures and approaches at every level.

All technology is now political: it is a weapon, a target, or a lever in geopolitical conflict. As a political entity increases its reliance on technology platforms, it increases its exposure to technical power projection, which enables cyber operations, psychological operations, misinformation campaigns, and other forms of coercion.

Welcome to the jungle (again)

The contemporary threat landscape is not a simple product of the whims or choices of criminal hackers and other threat actors. Instead, there is a diversity of actors – both benign and malicious – that have an influence. Those actors operate within a context that is, in turn, defined by the complex interactions between yet another set of systemic forces.

To understand the threat landscape, we must therefore consider all the systemic factors that shape it, as well as the actors that operate within it.

In our research efforts, we keep assessing how political, economic, social, and technological factors influence operations and risks.

State Actors and Critical Infrastructure

  • Night Dragon (mid-2000s onward): A China-linked campaign against energy and defense firms globally illustrated the move from opportunistic hacking to long-dwell, state-sponsored industrial espionage [1].
  • Volt Typhoon botnet disruption (January 2024): The U.S. government announced a court-authorized operation to dismantle a botnet of compromised routers that the Chinese state-sponsored group Volt Typhoon was using to pre-position within U.S. critical infrastructure [2].
  • Joint advisory on critical infrastructure targeting (February 2024): U.S. and allied agencies issued a joint advisory stating that Volt Typhoon had compromised IT networks across the communications, energy, transport, and water sectors, a milestone in the recognition of state cyber power as a strategic threat [4].
  • Salt Typhoon telecom breaches (October 2024): A global compromise of major telecom networks, attributed to the Chinese state-linked group Salt Typhoon, showed how state actors could access the communications of government officials and a multitude of civilians [3].

State-linked cyber operations have remained active, with a primary focus on intelligence collection and occasional disruptive actions used for signaling, against a backdrop of information operations that vary widely in scale and intensity [5].

Attack methods are concentrating on identity and the edge [6]. Recent reporting also describes stealthy backdoors placed on appliances and virtualization platforms to maintain access for many months without noisy malware [7]. In parallel, rapid exploitation of 0-day and n-day vulnerabilities in perimeter appliances remains common, and supplier and service-provider pathways continue to feature prominently in incident trends [8].


Targeting remains concentrated on government and telecommunications, with repeated activity against defense-linked networks [9]. High-tech sectors, notably semiconductors, also saw focused campaigns in 2025 [10]. The seam between enterprise IT and OT in industrial environments remains a concern, with pivots into plant and field systems where monitoring is limited and safety constraints slow response. Open reporting also indicates continued use of commercial spyware by government clients, with fresh forensic cases against journalists in 2025 [11].

This state-linked picture is only part of the landscape. Non-state actors, criminals and hacktivists among them, increasingly operate alongside or in the wake of state campaigns.

Hacktivists: From Cyberspace Vigilantes To State-Aligned Bullies

  • 7 April 2025: Attackers seized control of a valve at the Bremanger dam in Norway and opened it, releasing 500 litres of water per second for four hours. Norway's security service later attributed the intrusion to pro-Russian hackers [12].
  • 7 May 2025: The UK National Cyber Security Centre reports that the pro-Russian hacktivist group NoName057(16) had claimed a three-day DDoS campaign against several UK public sector websites [13].
  • 17 June 2025: Predatory Sparrow claims to have destroyed data at the Iranian state-owned Bank Sepah, causing outages for customers [14].
  • 16 July 2025: Europol announces that the global "Operation Eastwood" disrupted the infrastructure of NoName057(16), a coordinated law-enforcement action against a hacktivist network [15].
  • 14 August 2025: Norway's security service publicly attributes the April dam intrusion to pro-Russian hackers and warns of the rising threat such actors pose [16].
  • 29 October 2025: The Canadian Centre for Cyber Security alerts that hacktivist groups had breached water, energy, and agricultural OT/ICS systems in Canada, manipulating water pressure, temperature, and humidity levels [17].

As we’ve previously reported [18], hacktivism has entered its “establishment” era. Once a form of digital protest directed against institutions of power, it has evolved into a complex ecosystem of state-aligned and ideologically driven actors that often serve as informal extensions of geopolitical influence. The term “hacktivism” itself today conceals more than it reveals. It no longer refers simply to fringe collectives with political messages, but to distributed, collaborative movements capable of real-world disruption and widespread cognitive manipulation.

We increasingly see boundaries between hackers, activists, and state actors dissolving. Groups such as NoName057(16) and Killnet operate independently, but in support of their host states, attacking adversarial governments and institutions while maintaining plausible deniability for their state beneficiaries. Recent events illustrate the implications of this shift. Distributed-denial-of-service operations remain the most visible form of hacktivism, yet the targets and intent are changing. Campaigns by pro-Russian groups in 2025 disrupted British public services and European infrastructure, not for ransom or data theft but to broadcast political narratives and erode confidence in institutions [19]. In Norway, attackers remotely manipulated a valve at the Bremanger dam, prompting fears of cyber-physical escalation [20]. Around the same time, a Russian-aligned group claimed access to a water-utility system (though that later proved to be a security honeypot) [21].

More recently, Canadian authorities have reported that hacktivist groups breached critical infrastructure, including water, energy, and agricultural sites [22]. The attacks involved tampering with pressure valves at a water facility, manipulating an automated tank gauge at an oil and gas company, and altering temperature and humidity settings at a grain silo on a farm. The symbolism of these incidents is as potent as their technical impact: they demonstrate reach into critical systems even when the damage is contained, and they catalyze exactly the kind of panicked narratives the actors desire.

The risk is twofold. First, the risk of serious cyber-physical attacks is growing. While most hacktivist incidents remain low impact, the “addiction” of hacktivist groups to increased visibility and impact suggests they will continue to seek bigger and bolder opportunities. The growing familiarity of such groups with industrial and operational technology increases the likelihood of genuine harm. Attacks that were once digital graffiti could, by accident or intent, evolve into events with physical consequences. Second, the convergence of criminal, ideological, and state interests creates a synergy between information operations and infrastructure attacks. The target is no longer a single system but the public mind: to exhaust trust, polarize societies, and reshape narratives.

Cyber Extortion Is Still the Big Gorilla

  • 20 March 2024: The Bundeskriminalamt (BKA, German Federal Criminal Police), together with Frankfurt's ZIT cyber unit, conducted a takedown of the darknet marketplace "Nemesis Market", seizing infrastructure in Germany and Lithuania [23].
  • 30 May 2024: Authorities participating in Operation ENDGAME announce the arrest of four suspects in Ukraine and Armenia, the takedown of internet servers, and control of domains tied to botnets [24].
  • December 2024: The Cl0p ransomware gang launched a major campaign exploiting a zero-day vulnerability in Cleo managed file-transfer software, leading to hundreds of victims [25].
  • 14 January 2025: The UK Home Office publishes a consultation paper proposing a targeted ban on ransomware payments by all UK public sector bodies and critical national infrastructure, and introducing mandatory incident reporting for ransomware events [26].
  • 19-22 May 2025: In the latest phase of Operation ENDGAME, law-enforcement agencies dismantle servers, neutralize domains, and issue arrest warrants for 20 suspects [27].
  • June 2025: A follow-up to Operation ENDGAME results in additional actions and detentions targeting successor groups and affiliates of initial-access ecosystems [28].
  • 22 July 2025: The UK government announces its formal intention to ban public bodies from paying ransoms, and to legislate for mandatory reporting of incidents and payments [29].
  • 11 August 2025: The US Department of Justice announces a coordinated, multi-country disruption of the ransomware group BlackSuit (Royal) [30].

Cyber extortion attacks have expanded to nearly every region and every size of business. Where large firms in developed economies previously dominated statistics, victims this year include firms in countries added to our extortion datasets for the first time. The entry costs for attackers have plummeted thanks to the commoditization of malware-as-a-service, initial access brokers, and cryptocurrency-enabled monetization. A single vulnerability in commonly used software can yield hundreds or thousands of victims overnight, as seen when Cl0p exploited another file-transfer platform to trigger the largest wave of victims we’ve ever recorded [31]. Our data shows not only more victims, but also more actors. The victims-per-actor ratio has increased, suggesting that extortion groups are operating at a greater scale and with greater reuse of infrastructure.

We observe three key trends:

– Despite years of focus and substantial investment in defensive controls, the number of victims continues to rise [32]. Ransomware and extortion attacks now represent a dominant share of cyber incidents, often accounting for more than a third of losses and exhibiting growth measured in multiples since the late 2010s [33].
– The techniques used by threat actors are, in many cases, well-known, straightforward, and theoretically avoidable [34]. Phishing, stolen credentials, unpatched systems, and misconfigured file-transfer appliances feature prominently in breach post-mortems. Yet these attacks persist and succeed, even when the theoretical controls exist. This points to a deeper problem than individual technical weakness.
– The ecosystem behind these attacks is evolving rapidly. Our reporting shows that the cyber extortion ecosystem has matured into a decentralized, professionalized network of affiliates, service-providers, and facilitators, using the lowest cost, highest leverage vectors available.

While we found that law enforcement and governments are responding more assertively, they must overcome jurisdictional fragmentation, safe-haven states, and an adversary that constantly shifts shape and label. The fact that many of the techniques used in Cy-X compromises are "familiar, predictable, and defeatable," yet somehow remain effective, requires urgent reflection. The recent breach at a major aerospace company, in which attackers accessed a server with old credentials, stole data, and were followed by a second ransomware team on the same system, illustrates how basic processes can fail at multiple layers [35]. If we know how to patch, how to secure credential access, how to maintain offline backups, and how to train staff, then why do firms keep falling victim? Three broad explanations suggest themselves.

Firstly, many organizations adopt security technologies or controls that are cheap, unwieldy, or poorly aligned with their context. The tools may be present in theory but fail in practice. Secondly, adoption of basic cyber-hygiene practices may remain patchy, especially among smaller firms and in developing economies, which leaves a wide attack surface still to be exploited. Finally, we may have placed too much faith in preventing breaches, when today's environment also demands robust detection, response, and recovery capabilities.
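One concrete form of the "controls exist in theory but fail in practice" problem is a credential that nobody has touched for a year and that nobody has disabled, the same weakness behind the aerospace breach cited above. The script below is an added illustration written for this page, not code from Orange Cyberdefense or the Security Navigator: it audits a constructed identity-provider export (the CSV columns, account names and dates are invented for the example) and flags enabled accounts that are dormant, carry an old password, or allow interactive login without MFA. The thresholds are assumptions; tune them to your own policy.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample export: column layout, names and dates are invented for this example.
# "kind" distinguishes interactive user accounts from non-interactive service accounts.
SAMPLE_EXPORT = """\
name,kind,enabled,last_used,password_set,mfa
j.doe,user,true,2025-10-28,2025-06-01,true
legacy-ftp-svc,service,true,2024-01-15,2021-03-02,false
contractor-42,user,true,2025-03-01,2024-12-10,false
build-runner,service,true,2025-10-30,2025-09-15,false
old-admin,user,false,2022-05-05,2020-01-01,false
"""


def parse_export(text):
    """Parse a CSV export (as above) into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "name": row["name"],
            "kind": row["kind"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_used": datetime.strptime(row["last_used"], "%Y-%m-%d").date(),
            "password_set": datetime.strptime(row["password_set"], "%Y-%m-%d").date(),
            "mfa": row["mfa"].strip().lower() == "true",
        })
    return rows


def audit(accounts, today, stale_days=90, max_password_age=365):
    """Return {account_name: [reasons]} for enabled accounts that fail a hygiene check.

    Checks (thresholds are assumed defaults, not a standard):
      - dormant: not used within stale_days but still enabled
      - password older than max_password_age days
      - interactive user account without MFA
    Disabled accounts are skipped because they cannot be used to log in.
    """
    findings = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        reasons = []
        idle_days = (today - acct["last_used"]).days
        if idle_days > stale_days:
            reasons.append(f"dormant for {idle_days} days")
        pw_age = (today - acct["password_set"]).days
        if pw_age > max_password_age:
            reasons.append(f"password is {pw_age} days old")
        if acct["kind"] == "user" and not acct["mfa"]:
            reasons.append("no MFA on interactive account")
        if reasons:
            findings[acct["name"]] = reasons
    return findings


def run_sample(today=date(2025, 11, 1)):
    """Audit the constructed export as of a fixed date so results are reproducible."""
    return audit(parse_export(SAMPLE_EXPORT), today)


if __name__ == "__main__":
    for name, reasons in sorted(run_sample().items()):
        print(f"{name}: {'; '.join(reasons)}")
```

Running it as of 1 November 2025 flags `legacy-ftp-svc` (dormant for 656 days on a 1705-day-old password) and `contractor-42` (dormant and no MFA), while the recently used accounts and the already-disabled one pass. The point is not the script itself but that the check is cheap to run on a schedule; the hard part, as the section argues, is making sure the flagged accounts actually get disabled.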

Several major jurisdictions now participate regularly in multinational takedowns, arrests, and indictments. Despite this surge in law-enforcement activity, the Cy-X ecosystem shows remarkable resilience. Some countries provide refuge to local cyber criminals, creating safe zones that hinder global efforts. Law-enforcement action is crucial but insufficient to shift the balance without improved coordination, sustained pressure, and the eradication of safe havens.

A new level of collaboration is essential, resembling a wartime society where a common enemy and shared objectives foster a unique public-private partnership.

Cyber extortion is not a passing threat but a systemic issue that will only escalate unless we alter our approach to thinking, defending, responding, and collaborating. While we possess the technical expertise and policy tools, the key challenge is to execute collectively on a large scale, enhance global coordination, and muster the political determination to address this threat as a societal danger.

In conclusion, hacktivism and the broader cyber landscape mirror the current political landscape more than ever. They reflect a world of perpetual conflict, porous boundaries, and contested narratives. For security leaders, this is not merely a technical inconvenience to be mitigated or patched but a strategic threat that necessitates shared awareness, cross-sector coordination, and an acknowledgment that cybersecurity is intertwined with societal security.

Every organization must assume it is a potential target and prepare accordingly. While prevention is vital, so is resilience through detection, incident response, and recovery. Businesses must engage in table-top exercises, practice recovering from backup systems, and conduct transparent post-breach evaluations as standard practice. However, individual entities cannot combat these relentless adversaries alone.

Defending against all forms of threats requires more than technical resilience; it demands a societal approach. Companies and governments must recognize that the target is often the collective cohesion and confidence of society. Maintaining a website during a DDoS attack is insufficient to address the broader objective of undermining civic or institutional legitimacy. Therefore, collaboration between the public and private sectors must extend beyond incident response to encompass coordinated communication, education, and cognitive defense. The challenge lies not only in securing systems but also in preserving the coherence of the societies that rely on them.

This article, authored by Charl van der Walt, Head of Security Research at Orange Cyberdefense, draws on excerpts and sources from the Security Navigator 2026. For a more in-depth exploration of these topics, visit the Navigator page and download the full report.

