Weekly Security Brief

Week of Sunday, March 8, 2026

Key Insights

1. Operation Epic Fury Opened with the Largest Cyberattack in History

Last week we said Iran's cyber restraint toward the US had ended. Seven days later, Israel collapsed Iran's internet to 4% in the opening salvo of a joint US-Israeli military campaign.

On February 28, the United States and Israel launched Operation Epic Fury. In the first 48 hours, allied forces struck more than 1,250 kinetic targets across Iran, including IRGC headquarters, air defense systems, ballistic missile sites, and naval vessels. The cyber component was unprecedented. Israel executed a multi-layered assault on BGP routing, DNS infrastructure, and SCADA/ICS systems that dropped Iran's internet to between 1% and 4%. Israeli cyber operators compromised BadeSaba, an Islamic prayer app with 5 million downloads, to push defection messages to military personnel. They hijacked state news agency IRNA. They severed Islamic Revolutionary Guard Corps command-and-control communications during the campaign's opening hours.

Iran hit back in a direction few had planned for. On March 2, Iranian drones struck three AWS data centers, two in the UAE and one in Bahrain. It was the first known military strike against a hyperscaler's infrastructure. Structural damage, power failures, and fires took multiple availability zones offline. Banking, payments, and enterprise services across the Gulf went down. Iranian state media called it deliberate, targeting the facilities for "supporting the enemy's military and intelligence activities."

By March 2, approximately 60 hacktivist groups, including pro-Russian collectives, activated outside Iran's borders for DDoS, defacement, and data theft. Tehran's response is layered: kinetic strikes, cyber disruption, proxy activation, and geopolitical alignment with China and Russia. Israel used cyber to collapse Iran's internet. Iran used drones to physically destroy cloud infrastructure. The convergence runs both directions.

The Takeaway
If your organization runs workloads in Middle East availability zones, confirm your disaster recovery and failover plans account for physical destruction, not just service degradation. More broadly, if you operate in energy, healthcare, financial services, or defense contracting, treat this as an elevated threat window. The 60 hacktivist groups are not sophisticated, but they are persistent. Review Iranian IOCs, confirm DDoS mitigation is active, and pressure-test your incident response plan.

2. Your Cyber Insurance Probably Won't Cover What Comes Next

Last week we reported that more than half of cyber insurance claims were denied. This week, the war that just started may have voided your policy entirely.

Lloyd's of London mandated that all standalone cyber policies incepted or renewed after March 31, 2023 include exclusions for state-backed cyberattacks. The language was broad. Attacks attributed to nation-states, or carried out on behalf of nation-states, can be excluded from coverage even during peacetime. The intent was to protect insurers from catastrophic, correlated losses. The effect is that any cyberattack linked to Iran, its proxies, or allied hacktivist groups activated in response to Operation Epic Fury may fall outside your coverage.

Insurance Business Magazine reported this week that the Iran conflict is the first major test of these exclusions under live fire conditions. The challenge is attribution. Lloyd's exclusions require that an attack be "attributed to" a state actor, but attribution in cyber operations is rarely immediate and almost never clean. When hacktivist groups activate in solidarity with Iran, some state-directed and some freelancing, the line between covered criminal activity and excluded state-backed operations blurs. Insurers will argue the exclusion applies. Policyholders will argue attribution is uncertain. Litigation will most likely follow.

The trend is accelerating beyond war exclusions. Insurers are introducing new exclusions for AI-driven attacks, zero-day exploits, IoT compromises, and catastrophic or widespread events. By the end of 2026, industry analysts expect the definition of what a cyber policy actually covers to narrow significantly. The market is growing. Premiums are rising. But the gap between what organizations think they're covered for and what their policy will actually pay is widening.

This isn't theoretical. The NotPetya attack in 2017 triggered years of litigation over war exclusions. Merck eventually won a $1.4 billion settlement, but only because the exclusion language at the time was written for conventional warfare. Lloyd's rewrote the rules specifically to prevent that outcome from happening again.

The Takeaway
Pull your cyber insurance policy this week and read the war exclusion clause. Not the summary, the actual language. Ask your broker three questions: Does the exclusion apply to state-sponsored attacks during peacetime? How is attribution determined, and by whom? What happens if an attack is carried out by a hacktivist group acting in solidarity with a nation-state but not directly controlled by one? If your broker can't answer clearly, get a coverage opinion from outside counsel before you need to file a claim.

3. China Collects Against Its Allies. Your Vendor Agreement Won't Stop Them.

A leaked FSB document calls China "the enemy." A Chinese APT spent five months in a Russian defense contractor's build systems. Russia stayed quiet because it can't afford not to. Most businesses operating with Chinese partners are making the same calculation without realizing it.

Symantec disclosed that a Chinese APT group called Jewelbug spent five months inside a Russian IT service provider with direct ties to Russia's defense industry. The attackers gained access to code repositories and software build systems, the kind of access that positions you for supply chain attacks against downstream customers. They exfiltrated data through Yandex Cloud, a Russian service, to avoid raising suspicion. Moscow acknowledged the intrusion publicly but refused to attribute it to China.

This is not an isolated incident. A secret FSB intelligence document obtained by The New York Times showed that Russia's own security service internally refers to China as "the enemy," while publicly calling Beijing an unbreakable partner. The FSB documented Chinese efforts to recruit Russian officials, scientists, and journalists, and flagged Chinese intelligence using mining companies and academic research programs to access strategic data. China has a decades-long pattern of purchasing Russian military technology, reverse-engineering it, and canceling cooperation once an indigenous alternative is ready. Russia knows this. It keeps selling because it needs the revenue.

The economic reality explains the silence. Since Western sanctions over Ukraine, Russia's energy exports to China surged 30%. China is now Russia's dominant trading partner and its primary source of industrial goods fueling the war effort. Beijing has leveraged Russia's isolation to demand better terms on gas deals, stalling pipeline negotiations while expanding supply from Central Asia. Moscow is more dependent on Beijing than Beijing is on Moscow, and both sides know it.

Operation Epic Fury exposed the limits of the broader partnership in real time. When US and Israeli strikes hit Iran, both Russia and China condemned the attacks. Neither offered material support. No mutual defense clause exists between any of these nations. The so-called axis is transactional. Iran learned that this week. Russia has been learning it quietly for years.

The Takeaway
The lesson here is not about China's technical capabilities. It is about assumptions. Russia's own intelligence service calls China "the enemy" in classified documents while its diplomats call Beijing a strategic partner. If that relationship operates on those terms, no business partnership, vendor agreement, or alliance provides immunity from Chinese intelligence collection. Review your critical vendors and partners, particularly any with operations in or ties to China.

4. North Korea Stole $2 Billion in Crypto Last Year Using 74% Fewer Attacks

North Korea stole $2 billion in crypto with 74% fewer attacks. That got the headlines. What didn't: nearly every Fortune 500 CISO admits to unknowingly hiring at least one North Korean IT worker.

North Korean threat actors stole $2.02 billion in cryptocurrency during 2025, a 51% increase over 2024, achieved with 74% fewer known attacks. All-time total: $6.75 billion. The single largest operation was the Bybit heist in February 2025, where Lazarus Group stole $1.5 billion in Ethereum. The FBI attributed it to a cluster it tracks as TraderTraitor.

The Bybit attack was not a network intrusion. Lazarus compromised a developer at Safe{Wallet}, the multisignature wallet provider Bybit used, through social engineering. Once inside the developer's workstation, the attackers manipulated the wallet's user interface to make a fraudulent transaction appear legitimate. Bybit's security team approved what looked like a routine transfer. Within weeks, 86% of the stolen Ethereum had been converted to Bitcoin and dispersed across thousands of addresses using Chinese-language laundering services.

But the problem has grown well beyond crypto theft. North Korean operatives are impersonating professionals on LinkedIn and job platforms to infiltrate Western companies across sectors. They use stolen identities, AI-polished resumes, and American proxies to pass interviews. According to Mandiant, nearly every Fortune 500 CISO interviewed on the issue has admitted to unknowingly hiring at least one North Korean IT worker. Once inside, these operatives generate revenue, steal sensitive data, and in some cases extort their employers to avoid leaking what they've taken. The scheme has expanded into defense contracting, software development, industrial design, and architecture.

The shift from digital kleptocracy to rogue crypto-superpower was alarming enough. The expansion into corporate infiltration at Fortune 500 scale is something different entirely. This is not just state-funded cybercrime. It is a workforce-level intelligence operation.

The Takeaway
This is no longer just a crypto problem. If your organization hires remote workers, contractors, or freelancers, your HR and hiring teams need to be briefed on this threat. Verify identities beyond video calls and resumes. Cross-check employment history directly with listed employers. If you operate in crypto or fintech, audit your multisig signing workflows and verify UI-layer integrity on high-value transfers. The Bybit attack started with one compromised developer at a third-party provider. The Fortune 500 infiltration started with one fake LinkedIn profile that nobody checked.
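One way to act on the "verify UI-layer integrity" advice above is to decode the raw transaction a signer is about to approve and diff it against the intent the interface displayed. The following is an added example, not code from Bybit, Safe{Wallet} or this brief; it assumes the raw payload is exposed to the approver as {to, value, data}, uses the standard ERC-20 transfer selector, and the addresses and amounts are constructed.

```python
# Added example, not Bybit's or Safe{Wallet}'s code. Assumes the signing request is
# available as a raw payload {to, value, data} and the approver records the intent
# the UI displayed; addresses/amounts are constructed, the selector is the real one.

ERC20_TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")

def encode_erc20_transfer(to: str, amount: int) -> str:
    """ABI-encode transfer(to, amount); used here only to build sample payloads."""
    word_to = to.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + ERC20_TRANSFER_SELECTOR + word_to + format(amount, "064x")

def decode_payload(payload: dict) -> dict:
    """Decode what the raw payload actually does, without trusting any UI."""
    data = payload.get("data", "0x").lower().removeprefix("0x")
    if data == "":
        # Empty calldata: native-asset transfer of `value` to `to`.
        return {"kind": "native", "to": payload["to"].lower(), "amount": int(payload["value"])}
    if data.startswith(ERC20_TRANSFER_SELECTOR) and len(data) == 8 + 2 * 64:
        # Selector, then two 32-byte words: address (right-aligned) and uint256.
        recipient = "0x" + data[8 + 24:8 + 64]
        amount = int(data[8 + 64:8 + 128], 16)
        return {"kind": "token", "token": payload["to"].lower(), "to": recipient, "amount": amount}
    # Any other selector or length is not a plain transfer: reject rather than guess.
    return {"kind": "unknown", "selector": data[:8]}

def verify_against_intent(payload: dict, intent: dict) -> list[str]:
    """Return every mismatch between the decoded payload and the displayed intent."""
    actual = decode_payload(payload)
    if actual["kind"] == "unknown":
        return [f"payload is not a plain transfer (selector {actual['selector']})"]
    findings = []
    if actual["kind"] != intent["kind"]:
        findings.append(f"asset kind {actual['kind']} != displayed {intent['kind']}")
    if actual["to"] != intent["to"].lower():
        findings.append(f"recipient {actual['to']} != displayed {intent['to'].lower()}")
    if actual["amount"] != intent["amount"]:
        findings.append(f"amount {actual['amount']} != displayed {intent['amount']}")
    if actual["kind"] == "token" and actual["token"] != intent.get("token", "").lower():
        findings.append(f"token contract {actual['token']} != displayed {intent.get('token')}")
    return findings

# Constructed sample: the UI shows a routine treasury transfer, but the payload
# that would actually be signed sends the tokens elsewhere.
TOKEN, TREASURY, ATTACKER = "0x" + "33" * 20, "0x" + "11" * 20, "0x" + "22" * 20
AMOUNT = 1000 * 10**18
DISPLAYED_INTENT = {"kind": "token", "token": TOKEN, "to": TREASURY, "amount": AMOUNT}
GOOD_PAYLOAD = {"to": TOKEN, "value": "0", "data": encode_erc20_transfer(TREASURY, AMOUNT)}
TAMPERED_PAYLOAD = {"to": TOKEN, "value": "0", "data": encode_erc20_transfer(ATTACKER, AMOUNT)}
```

Run the check on a machine that is not the one rendering the wallet UI, so a compromised front end cannot also alter the comparison.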

5. Infrastructure Under Siege: From Norwegian Fjords to Baltic Sea Floors

Norway says it faces its worst security situation since World War II. Finland arrested a ship's crew for severing an undersea cable on New Year's Eve. Both Russia and China are involved.

Norway's Police Security Service released its 2026 national threat assessment and used language not seen since the Cold War. The country faces its "most serious security situation since World War II," driven by Russian cyber operations targeting maritime infrastructure, including ports, shipping companies, offshore facilities, and subsea cable systems. Russian crews on civilian vessels registered in third countries are conducting physical reconnaissance of coastal and undersea infrastructure. Norwegian intelligence also confirmed that Salt Typhoon, a Chinese state-sponsored group, has targeted Norwegian systems.

On New Year's Eve 2025, a submarine cable linking Helsinki to Estonia was severed. Finnish authorities seized the cargo ship Fitburg, discovered it was carrying sanctioned Russian steel, and arrested two crew members for allegedly dragging an anchor across the cable line. Investigators are treating it as aggravated sabotage. Since November 2024, at least six undersea cables have been deliberately cut across the Baltic Sea and Taiwan Strait. Five involved ships dragging anchors, with vessels linked to Russia or China.

More than 95% of global data traffic and over $10 trillion in daily financial transactions travel through submarine cables. In many regions, a small number of cables carry the entirety of a country's international connectivity. Taiwan is particularly exposed, with five cable incidents in recent months. These are not abstract geopolitical concerns. If your cloud provider routes through a region with limited cable redundancy, a single severed line can take your services offline.

The Takeaway
If your organization depends on international data connectivity or cloud services hosted across oceans, map your data transit paths. Know which cables carry your traffic and what redundancy exists. If you operate in maritime, energy, or logistics, the convergence of physical reconnaissance and cyber targeting that Norway described means your OT environments are on someone's target list. Confirm that OT security has clear ownership under your CISO, not buried in engineering or operations.

6. Europe Moves to Rip Chinese Technology Out of Critical Infrastructure

The EU wants to ban high-risk technology suppliers from 18 critical sectors. China has spent a decade embedding its equipment in networks worldwide. Brussels just fired the starting gun on a forced divorce.

The European Commission unveiled a revised Cybersecurity Act that creates a framework for identifying and removing "high-risk" technology suppliers from 18 critical sectors, including energy, telecommunications, data centers, cloud services, and connected devices. The proposal does not name specific companies, but EU officials acknowledge it targets Chinese groups, notably Huawei and ZTE. Telecom operators would have 36 months from publication of a high-risk supplier list to phase out key components. Products already deployed could be recalled if suppliers are later designated.

The Commission has recommended removing Huawei and ZTE equipment from 5G networks since 2020. Only 13 of 27 member states have acted on it. This proposal makes removal mandatory.

The timing matters because of what China has been building in the meantime. Through its Digital Silk Road initiative, Beijing has spent the better part of a decade embedding Chinese technology in global infrastructure. Huawei equipment accounts for nearly 70% of 4G infrastructure in Africa. Between 2017 and 2022, Chinese companies invested nearly $23 billion across 24 Indo-Pacific countries building telecom networks, surveillance systems, undersea cables, and 5G infrastructure. Recipients of Chinese foreign aid are required to adopt Chinese technical standards to qualify. The result is a global footprint where Chinese vendors are not just suppliers but the foundation of entire national networks.

Huawei called the EU measure a violation of fairness and non-discrimination principles. China's Foreign Ministry expressed "grave concern" and signaled potential trade retaliation, including tariffs, procurement restrictions, and market access barriers. The proposal must still be negotiated with EU governments and Parliament. But the strategic picture is clear: Europe is trying to unwind a dependency that much of the developing world is still deepening.

The Takeaway
If your organization operates in any of the 18 sectors covered by the EU's revised Cybersecurity Act, start mapping your technology supply chain now. Know where your equipment comes from and whether any of it traces back to vendors likely to appear on a high-risk list. The 36-month phase-out clock hasn't started, but the compliance planning window has. If your organization communicates with partners, customers, or offices in regions where Chinese vendors built the infrastructure, your data may already be transiting state-connected networks outside of China without your knowledge.
