Weekly Security Brief

Week of Sunday, February 22, 2026

Key Insights

1. Volt Typhoon Is Inside the Control Loop

China isn't scouting your network anymore. They're inside the systems that control your operations.

Dragos confirmed this week that Volt Typhoon has moved past IT networks into operational technology at US utilities. They're exfiltrating sensor data, alarm configurations, and force-stop parameters from control systems managing power and water. A new partner group, SYLVANITE, functions as an initial access broker. They exploited Ivanti VPN flaws within 48 hours of disclosure, dropped web shells on F5 appliances, harvested Active Directory credentials, and handed the access to Volt Typhoon. Dragos observed this handoff directly during incident response. Dragos's CEO said publicly that many compromises at water utilities will never be detected because those organizations lack the forensic capability to find the implants.

The Takeaway
China has moved from reconnaissance to weapons staging inside US utility control systems. If you operate critical infrastructure or depend on it, verify your OT monitoring can detect this class of intrusion. Absence of evidence is not evidence of absence.

2. China Built a Cyber Range to Rehearse Attacks on Its Neighbors

Leaked documents show China isn't just probing infrastructure. They're rehearsing how to take it down.

A leaked cache of technical documents exposed "Expedition Cloud," a Chinese cyber training platform built by CyberPeace, a company with documented government and military ties. The platform replicates real network environments of countries in the South China Sea and Indochina regions. It splits exercises between reconnaissance and attack teams practicing against realistic copies of power grids, energy transmission systems, and transportation networks. AI integration optimizes attack sequencing. This is not academic research. It is pre-conflict rehearsal infrastructure at scale. Attack plans against regional critical infrastructure are being refined, timed, and tested before any political decision to act.

The Takeaway
China is running full-scale rehearsals against replicas of neighboring countries' power grids and transport networks. This is military planning, not espionage. If your organization operates in the Indo-Pacific or supports allied infrastructure, adjust your threat model accordingly.

3. Iran's Cyber Arsenal Is Growing While Nuclear Talks Stall

Two rounds of US-Iran nuclear talks produced principles but no deal. Iranian cyber operations aren't waiting for diplomacy to catch up.

US-Iran nuclear negotiations in Muscat and Geneva have produced framework language but no breakthrough. A third round is scheduled. Meanwhile, Iranian cyber operations continue accelerating on a separate track. A new campaign called RedKitten used AI-assisted malware development, a documented first for Iranian actors. Israel's Shin Bet disclosed on February 12 that Iranian intelligence carried out hundreds of cyberattacks against politicians, defense officials, and journalists since the June 2025 Israel-Iran war. CyberAv3ngers remain an active threat to OT infrastructure. MuddyWater used compromised enterprise mailboxes to breach over 100 organizations across the Middle East and North Africa. The pattern holds: regardless of diplomatic progress, Iranian cyber tempo continues to build.

The Takeaway
Iranian cyber operations are escalating independent of nuclear talks. If you operate in healthcare, energy, or government contracting, verify your MFA enforcement and review third-party access. The targeting is documented and active.

4. North Korea's IT Workers Are Stealing Real Identities Now

They're not making fake LinkedIn profiles anymore. They're becoming real people.

DPRK operatives have upgraded their IT worker scheme. As of February 2026, they're impersonating real, living professionals by co-opting actual LinkedIn profiles with verified workplace emails and identity badges. That bypasses every screening control designed to catch fabricated identities. They're also acting as recruiters on Upwork and Freelancer, enlisting legitimate Western engineers as fronts who take 20-30% of salary while North Korean operators do the work and maintain network access. Amazon has blocked over 1,800 suspected DPRK IT operatives since April 2024. The FBI sanctioned front companies in January. Meanwhile, the Bybit heist, $1.5 billion in Ethereum stolen by Lazarus Group, accounted for most of North Korea's record $2.02 billion in crypto theft for 2025. They've industrialized financial crime and identity fraud simultaneously.

The Takeaway
North Korea's fake IT worker operation now uses stolen real identities, not fabricated ones. If you hire remote developers, especially in fintech or defense-adjacent work, your identity verification and background check processes need to be treated as security controls, not HR paperwork.

5. Undersea Cable Sabotage Is Accelerating

Ninety-five percent of international internet traffic runs through cables on the ocean floor. State actors have been cutting them.

Since November 2024, multiple Baltic Sea cables have been severed in incidents attributed to Russian and Chinese vessels. Finland confirmed disruption to the Helsinki-Tallinn cable on December 31, 2025. Recorded Future documented four cable damage incidents involving eight distinct Baltic cables and five incidents around Taiwan. The Bulletin of the Atomic Scientists published an analysis in February calling this "seabed zero," a new form of gray zone warfare. The UK Parliament opened a formal inquiry into Russian and Chinese sabotage threats. The US Senate introduced the Strategic Subsea Cables Act. States have learned that brief, reversible disruptions to cables carry low risk and high strategic return while staying below the threshold of armed conflict. For organizations dependent on international connectivity, latency spikes, routing anomalies, and brief outages may not be technical failures. They may be geopolitical signals.

The Takeaway
Undersea cable sabotage is an active, ongoing threat from state actors. If your operations depend on international connectivity, understand your cable route dependencies and have redundancy plans that account for deliberate disruption, not just natural failure.
